domma-cms 0.3.0 → 0.5.2

package/{plugins/form-builder/plugin.js → server/routes/api/forms.js}

@@ -1,505 +1,491 @@
-/**
- * Form Builder Plugin — Server
- * Handles form CRUD, public submission, submissions management, and SMTP settings.
- *
- * Endpoints (prefix: /api/plugins/form-builder):
- *   GET    /forms                         — admin: list all forms
- *   POST   /forms                         — admin: create new form
- *   GET    /forms/:slug                   — admin: get form definition
- *   GET    /forms/:slug/public            — public: get form (no actions block)
- *   PUT    /forms/:slug                   — admin: update form definition
- *   DELETE /forms/:slug                   — admin: delete form + submissions
- *   GET    /forms/:slug/submissions       — admin: list submissions (newest first)
- *   GET    /forms/:slug/submissions/export — admin: CSV export
- *   DELETE /forms/:slug/submissions       — admin: clear all submissions
- *   DELETE /forms/:slug/submissions/:id   — admin: delete one submission
- *   POST   /submit/:slug                  — public: accept submission
- *   GET    /settings                      — admin: read global settings
- *   PUT    /settings                      — admin: save global settings
- *   POST   /test-email                    — admin: send test email
- */
-import fs from 'fs/promises';
-import path from 'path';
-import crypto from 'crypto';
-import {fileURLToPath} from 'url';
-import {createRequire} from 'module';
-import {getPluginSettings, savePluginState} from '../../server/services/plugins.js';
-import {getConfig} from '../../server/config.js';
-import {createTransport, sendFormEmail} from './email.js';
-import {createEntry, getCollection} from '../../server/services/collections.js';
-
-// Load shared logic engine (UMD/CJS) from browser-compatible public file
-const _require = createRequire(import.meta.url);
-const FormLogicEngine = _require('./public/form-logic-engine.js');
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const FORMS_DIR       = path.join(__dirname, 'data', 'forms');
-const SUBMISSIONS_DIR = path.join(__dirname, 'data', 'submissions');
-
-// Per-slug rate limit store: slug → Map<ip, timestamp[]>
-const rateLimitMap = new Map();
-
-// ---------------------------------------------------------------------------
-// File helpers
-// ---------------------------------------------------------------------------
-
-async function readForm(slug) {
-    const file = path.join(FORMS_DIR, `${slug}.json`);
-    return JSON.parse(await fs.readFile(file, 'utf8'));
-}
-
-async function writeForm(slug, data) {
-    const file = path.join(FORMS_DIR, `${slug}.json`);
-    await fs.writeFile(file, JSON.stringify(data, null, 4) + '\n', 'utf8');
-}
-
-async function listForms() {
-    let entries;
-    try {
-        entries = await fs.readdir(FORMS_DIR);
-    } catch {
-        return [];
-    }
-    const forms = [];
-    for (const entry of entries.filter(e => e.endsWith('.json'))) {
-        try {
-            const data = JSON.parse(await fs.readFile(path.join(FORMS_DIR, entry), 'utf8'));
-            forms.push(data);
-        } catch {
-            // skip malformed
-        }
-    }
-    return forms;
-}
-
-async function readSubmissions(slug) {
-    try {
-        return JSON.parse(await fs.readFile(path.join(SUBMISSIONS_DIR, `${slug}.json`), 'utf8'));
-    } catch {
-        return [];
-    }
-}
-
-async function writeSubmissions(slug, submissions) {
-    await fs.mkdir(SUBMISSIONS_DIR, { recursive: true });
-    await fs.writeFile(
-        path.join(SUBMISSIONS_DIR, `${slug}.json`),
-        JSON.stringify(submissions, null, 2) + '\n',
-        'utf8'
-    );
-}
-
-function isRateLimited(slug, ip, limitPerMinute) {
-    const now       = Date.now();
-    const windowMs  = 60 * 1000;
-    if (!rateLimitMap.has(slug)) rateLimitMap.set(slug, new Map());
-    const slugMap   = rateLimitMap.get(slug);
-    const timestamps = (slugMap.get(ip) || []).filter(t => now - t < windowMs);
-    if (timestamps.length >= limitPerMinute) return true;
-    timestamps.push(now);
-    slugMap.set(ip, timestamps);
-    return false;
-}
-
-function slugify(str) {
-    return str.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-|-$/g, '');
-}
-
-function submissionsToCSV(form, submissions) {
-    const fields = form.fields || [];
-    const headers = [...fields.map(f => `"${f.label || f.name}"`), '"Date"'];
-    const rows = submissions.map(s => {
-        const cols = fields.map(f => {
-            const val = String(s.data?.[f.name] ?? '').replace(/"/g, '""');
-            return `"${val}"`;
-        });
-        cols.push(`"${s.meta?.createdAt || ''}"`);
-        return cols.join(',');
-    });
-    return [headers.join(','), ...rows].join('\n');
-}
-
-// ---------------------------------------------------------------------------
-// Plugin registration
-// ---------------------------------------------------------------------------
-
-export default async function formBuilderPlugin(fastify, options) {
-    const { authenticate, requireAdmin } = options.auth;
-
-    // Ensure data dirs exist
-    await fs.mkdir(FORMS_DIR, { recursive: true });
-    await fs.mkdir(SUBMISSIONS_DIR, { recursive: true });
-
-    // -----------------------------------------------------------------------
-    // GET /forms — list all form definitions
-    // -----------------------------------------------------------------------
-    fastify.get('/forms', { preHandler: [authenticate, requireAdmin] }, async () => {
-        const forms = await listForms();
-        // Attach submission count to each form
-        const result = await Promise.all(forms.map(async form => {
-            const subs = await readSubmissions(form.slug);
-            return { ...form, submissionCount: subs.length };
-        }));
-        return result;
-    });
-
-    // -----------------------------------------------------------------------
-    // POST /forms — create new form
-    // -----------------------------------------------------------------------
-    fastify.post('/forms', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const { title, slug: rawSlug } = request.body || {};
-        if (!title?.trim()) {
-            return reply.status(400).send({ error: 'Title is required.' });
-        }
-        const slug = rawSlug ? slugify(rawSlug) : slugify(title);
-        if (!slug) {
-            return reply.status(400).send({ error: 'Could not generate a valid slug.' });
-        }
-
-        // Check for existing form with same slug
-        try {
-            await fs.access(path.join(FORMS_DIR, `${slug}.json`));
-            return reply.status(409).send({ error: `A form with slug "${slug}" already exists.` });
-        } catch {
-            // Does not exist — good
-        }
-
-        const now  = new Date().toISOString();
-        const form = {
-            slug,
-            title: title.trim(),
-            description: '',
-            fields: [],
-            settings: {
-                submitText: 'Submit',
-                successMessage: 'Thank you for your submission.',
-                layout: 'stacked',
-                honeypot: true,
-                rateLimitPerMinute: 3
-            },
-            actions: {
-                email:   { enabled: false, recipients: '', subjectPrefix: `[${title.trim()}]` },
-                webhook: { enabled: false, url: '', method: 'POST' }
-            },
-            createdAt: now,
-            updatedAt: now
-        };
-
-        await writeForm(slug, form);
-        await writeSubmissions(slug, []);
-        return reply.status(201).send(form);
-    });
-
-    // -----------------------------------------------------------------------
-    // GET /forms/:slug — get single form (admin, includes actions)
-    // -----------------------------------------------------------------------
-    fastify.get('/forms/:slug', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        try {
-            return await readForm(request.params.slug);
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-    });
-
-    // -----------------------------------------------------------------------
-    // GET /forms/:slug/public — get form for public rendering (no actions)
-    // -----------------------------------------------------------------------
-    fastify.get('/forms/:slug/public', async (request, reply) => {
-        try {
-            const form = await readForm(request.params.slug);
-            // Strip sensitive actions block before returning to browser
-            const { actions: _actions, ...safe } = form;
-            return safe;
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-    });
-
-    // -----------------------------------------------------------------------
-    // PUT /forms/:slug — update form definition
-    // -----------------------------------------------------------------------
-    fastify.put('/forms/:slug', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const { slug } = request.params;
-        let existing;
-        try {
-            existing = await readForm(slug);
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-
-        const body = request.body || {};
-        const updated = {
-            ...existing,
-            ...body,
-            slug,                                      // slug is immutable via this route
-            createdAt: existing.createdAt,
-            updatedAt: new Date().toISOString()
-        };
-        await writeForm(slug, updated);
-        return updated;
-    });
-
-    // -----------------------------------------------------------------------
-    // DELETE /forms/:slug — delete form and its submissions
-    // -----------------------------------------------------------------------
-    fastify.delete('/forms/:slug', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const { slug } = request.params;
-        try {
-            await fs.unlink(path.join(FORMS_DIR, `${slug}.json`));
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-        try {
-            await fs.unlink(path.join(SUBMISSIONS_DIR, `${slug}.json`));
-        } catch {
-            // Submissions file may not exist — not an error
-        }
-        return { ok: true };
-    });
-
-    // -----------------------------------------------------------------------
-    // GET /forms/:slug/submissions — list submissions (newest first)
-    // -----------------------------------------------------------------------
-    fastify.get('/forms/:slug/submissions', { preHandler: [authenticate, requireAdmin] }, async (request) => {
-        const submissions = await readSubmissions(request.params.slug);
-        return submissions.slice().reverse();
-    });
-
-    // -----------------------------------------------------------------------
-    // GET /forms/:slug/submissions/export — CSV download
-    // -----------------------------------------------------------------------
-    fastify.get('/forms/:slug/submissions/export', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const { slug } = request.params;
-        let form;
-        try {
-            form = await readForm(slug);
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-        const submissions = await readSubmissions(slug);
-        const csv = submissionsToCSV(form, submissions);
-        reply
-            .header('Content-Type', 'text/csv; charset=utf-8')
-            .header('Content-Disposition', `attachment; filename="${slug}-submissions.csv"`);
-        return csv;
-    });
-
-    // -----------------------------------------------------------------------
-    // GET /forms/:slug/submissions/export/json — JSON download
-    // -----------------------------------------------------------------------
-    fastify.get('/forms/:slug/submissions/export/json', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const { slug } = request.params;
-        try {
-            await readForm(slug);
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-        const submissions = await readSubmissions(slug);
-        reply
-            .header('Content-Type', 'application/json; charset=utf-8')
-            .header('Content-Disposition', `attachment; filename="${slug}-submissions.json"`);
-        return JSON.stringify(submissions, null, 2);
-    });
-
-    // -----------------------------------------------------------------------
-    // DELETE /forms/:slug/submissions — clear all submissions
-    // -----------------------------------------------------------------------
-    fastify.delete('/forms/:slug/submissions', { preHandler: [authenticate, requireAdmin] }, async (request) => {
-        await writeSubmissions(request.params.slug, []);
-        return { ok: true };
-    });
-
-    // -----------------------------------------------------------------------
-    // DELETE /forms/:slug/submissions/:id — delete one submission
-    // -----------------------------------------------------------------------
-    fastify.delete('/forms/:slug/submissions/:id', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const { slug, id } = request.params;
-        const submissions = await readSubmissions(slug);
-        const filtered    = submissions.filter(s => s.id !== id);
-        if (filtered.length === submissions.length) {
-            return reply.status(404).send({ error: 'Submission not found.' });
-        }
-        await writeSubmissions(slug, filtered);
-        return { ok: true };
-    });
-
-    // -----------------------------------------------------------------------
-    // POST /submit/:slug — public form submission
-    // -----------------------------------------------------------------------
-    fastify.post('/submit/:slug', async (request, reply) => {
-        const { slug } = request.params;
-        let form;
-        try {
-            form = await readForm(slug);
-        } catch {
-            return reply.status(404).send({ error: 'Form not found.' });
-        }
-
-        const body     = request.body || {};
-        const settings = form.settings || {};
-
-        // Honeypot check — silently accept if filled (bot detected)
-        if (settings.honeypot && body._hp) {
-            return { ok: true, message: settings.successMessage };
-        }
-
-        // Build form values for engine evaluation (trim strings, default to '')
-        const formValues = {};
-        for (const field of form.fields || []) {
-          if (field.type === 'page-break' || field.type === 'spacer') continue;
-            const val = body[field.name];
-            formValues[field.name] = val !== undefined ? (typeof val === 'string' ? val.trim() : val) : '';
-        }
-
-        // Evaluate conditional logic — visibility, requirement, validation
-        const missingFields    = [];
-        const validationErrors = [];
-        const visibleFieldNames = new Set();
-
-        for (const field of form.fields || []) {
-          if (field.type === 'page-break' || field.type === 'spacer') continue;
-            const vis = FormLogicEngine.evaluateFieldVisibility(field, formValues);
-            if (vis === 'hidden') continue;
-            visibleFieldNames.add(field.name);
-
-            const value   = formValues[field.name];
-            const isEmpty = !value?.toString().trim();
-            const required = FormLogicEngine.evaluateFieldRequirement(field, formValues);
-            if (required && isEmpty) {
-                missingFields.push(field.label || field.name);
-            }
-            if (!isEmpty) {
-                const errors = FormLogicEngine.validateField(field, value, formValues);
-                if (errors.length) validationErrors.push(errors[0].message);
-            }
-        }
-
-        if (missingFields.length || validationErrors.length) {
-            const parts = [];
-            if (missingFields.length) parts.push(`Required fields missing: ${missingFields.join(', ')}`);
-            if (validationErrors.length) parts.push(validationErrors.join('; '));
-            return reply.status(400).send({ error: `${parts.join('. ')}.` });
-        }
-
-        // Rate limit by IP
-        const ip    = request.ip || request.socket?.remoteAddress || 'unknown';
-        const limit = settings.rateLimitPerMinute || 3;
-        if (isRateLimited(slug, ip, limit)) {
-            return reply.status(429).send({ error: 'Too many submissions. Please try again later.' });
-        }
-
-        // Build submission data — only include visible fields
-        const data = {};
-        for (const field of form.fields || []) {
-          if (field.type === 'page-break' || field.type === 'spacer') continue;
-            if (!visibleFieldNames.has(field.name)) continue;
-            const val = body[field.name];
-            if (val !== undefined) {
-                data[field.name] = typeof val === 'string' ? val.trim() : val;
-            }
-        }
-
-        const submission = {
-            id:   crypto.randomUUID(),
-            data,
-            meta: { ip, createdAt: new Date().toISOString() }
-        };
-
-        const submissions = await readSubmissions(slug);
-        submissions.push(submission);
-        await writeSubmissions(slug, submissions);
-
-        // Email action
-        const emailAction = form.actions?.email;
-        if (emailAction?.enabled && emailAction.recipients) {
-            try {
-                const smtp      = getConfig('site').smtp || {};
-                const transport = await createTransport(smtp);
-                await sendFormEmail(transport, {
-                    from:      smtp.fromAddress,
-                    fromName:  smtp.fromName,
-                    to:        emailAction.recipients,
-                    subject:   `${emailAction.subjectPrefix || `[${form.title}]`} New submission`,
-                    formTitle: form.title,
-                    fields:    form.fields,
-                    data
-                });
-            } catch (err) {
-                fastify.log.warn(`[form-builder] Email send failed for "${slug}": ${err.message}`);
-            }
-        }
-
-        // Webhook action
-        const webhookAction = form.actions?.webhook;
-        if (webhookAction?.enabled && webhookAction.url) {
-            try {
-                await fetch(webhookAction.url, {
-                    method:  webhookAction.method || 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body:    JSON.stringify({ form: slug, submission })
-                });
-            } catch (err) {
-                fastify.log.warn(`[form-builder] Webhook failed for "${slug}": ${err.message}`);
-            }
-        }
-
-        // Collection action
-        const collectionAction = form.actions?.collection;
-        if (collectionAction?.enabled && collectionAction.slug) {
-            try {
-                const col = await getCollection(collectionAction.slug);
-                if (col) {
-                    await createEntry(collectionAction.slug, data, { source: `form:${slug}` });
-                }
-            } catch (err) {
-                fastify.log.warn(`[form-builder] Collection write failed for "${slug}": ${err.message}`);
-            }
-        }
-
-        return { ok: true, message: settings.successMessage || 'Thank you for your submission.' };
-    });
-
-    // -----------------------------------------------------------------------
-    // GET /settings — global plugin settings (SMTP)
-    // -----------------------------------------------------------------------
-    fastify.get('/settings', { preHandler: [authenticate, requireAdmin] }, async () => {
-        return getPluginSettings('form-builder');
-    });
-
-    // -----------------------------------------------------------------------
-    // PUT /settings — save global settings
-    // -----------------------------------------------------------------------
-    fastify.put('/settings', { preHandler: [authenticate, requireAdmin] }, async (request) => {
-        savePluginState('form-builder', { settings: request.body || {} });
-        return { ok: true };
-    });
-
-    // -----------------------------------------------------------------------
-    // POST /test-email — send a test email
-    // -----------------------------------------------------------------------
-    fastify.post('/test-email', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
-        const smtp = getConfig('site').smtp || {};
-        const to   = (request.body?.to) || smtp.fromAddress || 'test@ethereal.email';
-        try {
-            const transport = await createTransport(smtp);
-            await sendFormEmail(transport, {
-                from:      smtp.fromAddress,
-                fromName:  smtp.fromName,
-                to,
-                subject:   '[Form Builder] Test Email',
-                formTitle: 'Test Form',
-                fields:    [
-                    { name: 'name',    label: 'Name' },
-                    { name: 'message', label: 'Message' }
-                ],
-                data: {
-                    name:    'Test Sender',
-                    message: 'This is a test email from your Domma CMS Form Builder plugin. If you received this, your SMTP settings are working correctly.'
-                }
-            });
-            return { ok: true, message: `Test email sent to ${to}` };
-        } catch (err) {
-            return reply.status(500).send({ error: `Failed to send test email: ${err.message}` });
-        }
-    });
-}
+/**
+ * Core Forms API Routes
+ * REST endpoints for form CRUD, public rendering, and submission handling.
+ * Submissions are stored exclusively in Collections (no dual-storage).
+ *
+ * Endpoints (prefix: /api):
+ *   GET    /forms                          — admin: list all forms
+ *   POST   /forms                          — admin: create new form
+ *   GET    /forms/:slug                    — admin: get form definition
+ *   GET    /forms/:slug/public             — public: get form (no actions block)
+ *   PUT    /forms/:slug                    — admin: update form definition
+ *   DELETE /forms/:slug                    — admin: delete form
+ *   GET    /forms/:slug/submissions        — admin: list submissions from collection
+ *   GET    /forms/:slug/submissions/export — admin: CSV export from collection
+ *   DELETE /forms/:slug/submissions        — admin: clear all submissions
+ *   DELETE /forms/:slug/submissions/:id    — admin: delete one submission
+ *   POST   /forms/submit/:slug             — public: accept submission
+ *   POST   /forms/test-email               — admin: send test email
+ */
+import {createRequire} from 'module';
+import {fileURLToPath} from 'url';
+import path from 'path';
+import {deleteForm, ensureFormsDir, listForms, readForm, slugify, writeForm} from '../../services/forms.js';
+import {executeAction} from '../../services/actions.js';
+import {createTransport, sendFormEmail} from '../../services/email.js';
+import {
+    clearEntries,
+    createCollection,
+    createEntry,
+    deleteEntry,
+    getCollection,
+    listEntries
+} from '../../services/collections.js';
+import {getConfig} from '../../config.js';
+import {authenticate, requireAdmin, requirePermission} from '../../middleware/auth.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(__dirname, '..', '..', '..');
+
+// Load shared logic engine (UMD/CJS) from core public assets
+const _require = createRequire(import.meta.url);
+const FormLogicEngine = _require('../../../public/js/form-logic-engine.js');
+
+// Per-slug rate limit store: slug → Map<ip, timestamp[]>
+const rateLimitMap = new Map();
+
+function isRateLimited(slug, ip, limitPerMinute) {
+    const now      = Date.now();
+    const windowMs = 60 * 1000;
+    if (!rateLimitMap.has(slug)) rateLimitMap.set(slug, new Map());
+    const slugMap    = rateLimitMap.get(slug);
+    const timestamps = (slugMap.get(ip) || []).filter(t => now - t < windowMs);
+    if (timestamps.length >= limitPerMinute) return true;
+    timestamps.push(now);
+    slugMap.set(ip, timestamps);
+    return false;
+}
+
+function submissionsToCSV(form, entries) {
+    const fields  = (form.fields || []).filter(f => f.type !== 'page-break' && f.type !== 'spacer');
+    const headers = [...fields.map(f => `"${f.label || f.name}"`), '"Date"'];
+    const rows    = entries.map(e => {
+        const cols = fields.map(f => {
+            const raw = e.data?.[f.name] ?? '';
+            const str = Array.isArray(raw) ? raw.join('; ') : String(raw);
+            const val = str.replace(/"/g, '""');
+            return `"${val}"`;
+        });
+        cols.push(`"${e.meta?.createdAt || ''}"`);
+        return cols.join(',');
+    });
+    return [headers.join(','), ...rows].join('\n');
+}
+
+export async function formsRoutes(fastify) {
+    await ensureFormsDir();
+
+    const canRead   = { preHandler: [authenticate, requirePermission('collections', 'read')]   };
+    const canCreate = { preHandler: [authenticate, requirePermission('collections', 'create')] };
+    const canUpdate = { preHandler: [authenticate, requirePermission('collections', 'update')] };
+    const canDelete = { preHandler: [authenticate, requirePermission('collections', 'delete')] };
+
+    // -----------------------------------------------------------------------
+    // GET /forms — list all form definitions with submission counts
+    // -----------------------------------------------------------------------
+    fastify.get('/forms', canRead, async () => {
+        const forms = await listForms();
+        const result = await Promise.all(forms.map(async form => {
+            let submissionCount = 0;
+            try {
+                const entries = await listEntries(form.slug);
+                submissionCount = entries.length;
+            } catch {
+                // collection may not exist yet
+            }
+            return { ...form, submissionCount };
+        }));
+        return result;
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /forms — create new form
+    // -----------------------------------------------------------------------
+    fastify.post('/forms', canCreate, async (request, reply) => {
+        const { title, slug: rawSlug } = request.body || {};
+        if (!title?.trim()) {
+            return reply.status(400).send({ error: 'Title is required.' });
+        }
+        const slug = rawSlug ? slugify(rawSlug) : slugify(title);
+        if (!slug) {
+            return reply.status(400).send({ error: 'Could not generate a valid slug.' });
+        }
+
+        // Check for existing form with same slug
+        try {
+            await readForm(slug);
+            return reply.status(409).send({ error: `A form with slug "${slug}" already exists.` });
+        } catch {
+            // Does not exist — good
+        }
+
+        const now  = new Date().toISOString();
+        const body = request.body || {};
+        const form = {
+            slug,
+            title: title.trim(),
+            description: body.description || '',
+            fields: Array.isArray(body.fields) ? body.fields : [],
+            settings: {
+                submitText: 'Submit',
+                successMessage: 'Thank you for your submission.',
+                layout: 'stacked',
+                honeypot: true,
+                rateLimitPerMinute: 3,
+                ...(body.settings || {})
+            },
+            actions: {
+                email:      { enabled: false, recipients: '', subjectPrefix: `[${title.trim()}]` },
+                webhook:    { enabled: false, url: '', method: 'POST' },
+                collection: {enabled: true, slug},
+                ...(body.actions || {})
+            },
+            createdAt: now,
+            updatedAt: now
+        };
+
+        await writeForm(slug, form);
+
+        // Auto-create a matching collection for this form (skip if one already exists)
+        try {
+            await createCollection({
+                slug,
+                title: title.trim(),
+                description: `Submissions from the ${title.trim()} form.`,
+                fields: [],
+                api: {
+                    create: { enabled: false, access: 'admin' },
+                    read:   { enabled: true,  access: 'admin' },
+                    update: { enabled: false, access: 'admin' },
+                    delete: { enabled: false, access: 'admin' }
+                }
+            });
+        } catch (err) {
+            fastify.log.warn(`[forms] Could not auto-create collection "${slug}": ${err.message}`);
+        }
+
+        return reply.status(201).send(form);
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug — get single form (admin, includes actions)
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug', canRead, async (request, reply) => {
+        try {
+            return await readForm(request.params.slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/public — get form for public rendering (no actions)
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/public', async (request, reply) => {
+        try {
+            const form = await readForm(request.params.slug);
+            const { actions: _actions, ...safe } = form;
+            return safe;
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // PUT /forms/:slug — update form definition
+    // -----------------------------------------------------------------------
+    fastify.put('/forms/:slug', canUpdate, async (request, reply) => {
+        const { slug } = request.params;
+        let existing;
+        try {
+            existing = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+
+        const body    = request.body || {};
+        const updated = {
+            ...existing,
+            ...body,
+            slug,
+            createdAt: existing.createdAt,
+            updatedAt: new Date().toISOString()
+        };
+        await writeForm(slug, updated);
+        return updated;
+    });
+
+    // -----------------------------------------------------------------------
+    // DELETE /forms/:slug — delete form
+    // -----------------------------------------------------------------------
+    fastify.delete('/forms/:slug', canDelete, async (request, reply) => {
+        const { slug } = request.params;
+        try {
+            await deleteForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/submissions — list submissions from collection
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/submissions', canRead, async (request, reply) => {
+        const { slug } = request.params;
+        try {
+            const entries = await listEntries(slug);
+            return entries.slice().reverse();
+        } catch {
+            return reply.status(404).send({ error: 'Collection not found for this form.' });
+        }
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/submissions/export — CSV download from collection
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/submissions/export', canRead, async (request, reply) => {
+        const { slug } = request.params;
+        let form;
+        try {
+            form = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+        let entries = [];
+        try {
+            entries = await listEntries(slug);
+        } catch {
+            // empty collection
+        }
+        const csv = submissionsToCSV(form, entries);
+        reply.header('Content-Type', 'text/csv');
+        reply.header('Content-Disposition', `attachment; filename="${slug}-submissions.csv"`);
+        return reply.send(csv);
+    });
+
+    // -----------------------------------------------------------------------
+    // GET /forms/:slug/submissions/export/json — JSON export from collection
+    // -----------------------------------------------------------------------
+    fastify.get('/forms/:slug/submissions/export/json', canRead, async (request, reply) => {
+        const { slug } = request.params;
+        let form;
+        try {
+            form = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+        let entries = [];
+        try {
+            entries = await listEntries(slug);
+        } catch {
+            // empty
+        }
+        reply.header('Content-Type', 'application/json');
+        reply.header('Content-Disposition', `attachment; filename="${slug}-submissions.json"`);
+        return reply.send(JSON.stringify(entries, null, 2));
+    });
+
+    // -----------------------------------------------------------------------
+    // DELETE /forms/:slug/submissions — clear all submissions
+    // -----------------------------------------------------------------------
+    fastify.delete('/forms/:slug/submissions', canDelete, async (request, reply) => {
+        const { slug } = request.params;
+        try {
+            await clearEntries(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Collection not found for this form.' });
+        }
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // DELETE /forms/:slug/submissions/:id — delete one submission
+    // -----------------------------------------------------------------------
+    fastify.delete('/forms/:slug/submissions/:id', canDelete, async (request, reply) => {
+        const { slug, id } = request.params;
+        try {
+            await deleteEntry(slug, id);
+        } catch {
+            return reply.status(404).send({ error: 'Submission not found.' });
+        }
+        return { ok: true };
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /forms/submit/:slug — public form submission
+    // -----------------------------------------------------------------------
+    fastify.post('/forms/submit/:slug', async (request, reply) => {
+        const { slug } = request.params;
+        let form;
+        try {
+            form = await readForm(slug);
+        } catch {
+            return reply.status(404).send({ error: 'Form not found.' });
+        }
+
+        const body     = request.body || {};
+        const settings = form.settings || {};
+
+        // Honeypot check — silently accept if filled (bot detected)
+        if (settings.honeypot && body._hp) {
+            return { ok: true, message: settings.successMessage, redirect: settings.successRedirect || null };
+        }
+
+        // Timing check — silently accept if submitted too fast (< 2 s, likely a bot)
+        if (settings.honeypot && body._t) {
+            const elapsed = Date.now() - Number(body._t);
+            if (!Number.isNaN(elapsed) && elapsed < 2000) {
+                return {ok: true, message: settings.successMessage, redirect: settings.successRedirect || null};
+            }
+        }
+
+        // Build form values for engine evaluation
+        const formValues = {};
+        for (const field of form.fields || []) {
+            if (field.type === 'page-break' || field.type === 'spacer') continue;
+            const val = body[field.name];
+            formValues[field.name] = val !== undefined ? (typeof val === 'string' ? val.trim() : val) : '';
+        }
+
+        // Evaluate conditional logic
+        const missingFields    = [];
+        const validationErrors = [];
+        const visibleFieldNames = new Set();
+
+        for (const field of form.fields || []) {
+            if (field.type === 'page-break' || field.type === 'spacer') continue;
+            const vis = FormLogicEngine.evaluateFieldVisibility(field, formValues);
+            if (vis === 'hidden') continue;
+            visibleFieldNames.add(field.name);
+
+            const value   = formValues[field.name];
+            const isEmpty = !value?.toString().trim();
+            const required = FormLogicEngine.evaluateFieldRequirement(field, formValues);
+            if (required && isEmpty) {
+                missingFields.push(field.label || field.name);
+            }
+            if (!isEmpty) {
+                const errors = FormLogicEngine.validateField(field, value, formValues);
+                if (errors.length) validationErrors.push(errors[0].message);
+            }
+        }
+
+        if (missingFields.length || validationErrors.length) {
+            const parts = [];
+            if (missingFields.length) parts.push(`Required fields missing: ${missingFields.join(', ')}`);
+            if (validationErrors.length) parts.push(validationErrors.join('; '));
+            return reply.status(400).send({ error: `${parts.join('. ')}.` });
+        }
+
+        // Rate limit by IP
+        const ip    = request.ip || request.socket?.remoteAddress || 'unknown';
+        const limit = settings.rateLimitPerMinute || 3;
+        if (isRateLimited(slug, ip, limit)) {
+            return reply.status(429).send({ error: 'Too many submissions. Please try again later.' });
+        }
+
+        // Build submission data — only include visible fields
+        const data = {};
+        for (const field of form.fields || []) {
+            if (field.type === 'page-break' || field.type === 'spacer') continue;
+            if (!visibleFieldNames.has(field.name)) continue;
+            const val = body[field.name];
+            if (val !== undefined) {
+                data[field.name] = typeof val === 'string' ? val.trim() : val;
+            }
+        }
+
+        // Store in collection (sole submission store)
+        const collectionAction = form.actions?.collection;
+        const targetSlug = (collectionAction?.enabled && collectionAction.slug) ? collectionAction.slug : slug;
+        let entry = null;
+        try {
+            const col = await getCollection(targetSlug);
+            if (col) {
+                entry = await createEntry(targetSlug, data, { source: `form:${slug}` });
+            }
+        } catch (err) {
+            fastify.log.warn(`[forms] Collection write failed for "${slug}": ${err.message}`);
+        }
+
+        // Email action
+        const emailAction = form.actions?.email;
+        if (emailAction?.enabled && emailAction.recipients) {
+            try {
+                const smtp      = getConfig('site').smtp || {};
+                const transport = await createTransport(smtp);
+                await sendFormEmail(transport, {
+                    from:      smtp.fromAddress,
+                    fromName:  smtp.fromName,
+                    to:        emailAction.recipients,
+                    subject:   `${emailAction.subjectPrefix || `[${form.title}]`} New submission`,
+                    formTitle: form.title,
+                    fields:    form.fields,
+                    data
+                });
+            } catch (err) {
+                fastify.log.warn(`[forms] Email send failed for "${slug}": ${err.message}`);
+            }
+        }
+
+        // Webhook action
+        const webhookAction = form.actions?.webhook;
+        if (webhookAction?.enabled && webhookAction.url) {
+            try {
+                await fetch(webhookAction.url, {
+                    method:  webhookAction.method || 'POST',
+                    headers: { 'Content-Type': 'application/json' },
+                    body:    JSON.stringify({ form: slug, data })
+                });
+            } catch (err) {
+                fastify.log.warn(`[forms] Webhook failed for "${slug}": ${err.message}`);
+            }
+        }
+
+        // CMS Action trigger
+        const actionSlug = form.settings?.actionSlug;
+        if (actionSlug && entry) {
+            try {
+                await executeAction(actionSlug, entry.id, { user: null });
+            } catch (err) {
+                fastify.log.warn(`[forms] Action "${actionSlug}" failed for form "${slug}": ${err.message}`);
+            }
+        }
+
+        return {
+            ok:       true,
+            message:  settings.successMessage  || 'Thank you for your submission.',
+            redirect: settings.successRedirect || null
+        };
+    });
+
+    // -----------------------------------------------------------------------
+    // POST /forms/test-email — send a test email
+    // -----------------------------------------------------------------------
+    fastify.post('/forms/test-email', { preHandler: [authenticate, requireAdmin] }, async (request, reply) => {
+        const smtp = getConfig('site').smtp || {};
+        const to   = (request.body?.to) || smtp.fromAddress || 'test@ethereal.email';
+        try {
+            const transport = await createTransport(smtp);
+            await sendFormEmail(transport, {
+                from:      smtp.fromAddress,
+                fromName:  smtp.fromName,
+                to,
+                subject:   '[Forms] Test Email',
+                formTitle: 'Test Form',
+                fields:    [
+                    { name: 'name',    label: 'Name' },
+                    { name: 'message', label: 'Message' }
+                ],
+                data: {
+                    name:    'Test Sender',
+                    message: 'This is a test email from your Domma CMS. If you received this, your SMTP settings are working correctly.'
+                }
+            });
+            return { ok: true, message: `Test email sent to ${to}` };
+        } catch (err) {
+            return reply.status(500).send({ error: `Failed to send test email: ${err.message}` });
+        }
+    });
+}