domma-cms 0.6.16 → 0.6.21

package/plugins/todo/admin/views/todo.js

@@ -0,0 +1,328 @@
+// ============================================================
+// Todo plugin admin view
+// Uses auth-aware api() helper for all API calls (Bearer token from S.get('auth_token'))
+// Uses $container.find() for all DOM queries
+// Note: innerHTML usage below escapes all user-supplied text via escapeHtml()
+// ============================================================
+
+const STATUS = {
+    NOT_STARTED: 'not-started',
+    IN_PROGRESS: 'in-progress',
+    COMPLETED: 'completed'
+};
+
+const PRIORITY = {
+    HIGHEST: 'highest',
+    HIGH: 'high',
+    MEDIUM: 'medium',
+    LOW: 'low',
+    LOWEST: 'lowest'
+};
+
+function formatStatus(status) {
+    return status.split('-').map((w) => w.charAt(0).toUpperCase() + w.slice(1)).join(' ');
+}
+
+function formatPriority(priority) {
+    return priority.charAt(0).toUpperCase() + priority.slice(1);
+}
+
+/** Escape user-supplied text before inserting into HTML markup */
+function escapeHtml(str) {
+    return String(str ?? '')
+        .replace(/&/g, '&')
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;')
+        .replace(/"/g, '&quot;')
+        .replace(/'/g, '&#39;');
+}
+
+async function api(url, method = 'GET', body) {
+    const opts = {method, headers: {'Authorization': 'Bearer ' + (S.get('auth_token') || '')}};
+    if (body !== undefined) {
+        opts.headers['Content-Type'] = 'application/json';
+        opts.body = JSON.stringify(body);
+    }
+    const res = await fetch(url, opts);
+    if (!res.ok) {
+        const err = await res.json().catch(() => ({error: res.statusText}));
+        throw new Error(err.error || res.statusText);
+    }
+    const text = await res.text();
+    return text ? JSON.parse(text) : {};
+}
+
+export const todoView = {
+    templateUrl: '/plugins/todo/admin/templates/todo.html',
+
+    async onMount($container) {
+        // ---- State ----
+        let todos = [];
+        let activeFilter = 'all';
+
+        // ---- Fetch ----
+        async function loadTodos() {
+            try {
+                const res = await api('/api/plugins/todo/items');
+                todos = Array.isArray(res) ? res : (res.data ?? []);
+            } catch (err) {
+                E.toast('Failed to load todos', { type: 'error' });
+                todos = [];
+            }
+        }
+
+        // ---- Render ----
+        function render() {
+            const listEl = $container.find('#todo-list').get(0);
+            const emptyEl = $container.find('#empty-state').get(0);
+
+            const filtered = activeFilter === 'all'
+                ? todos
+                : todos.filter((t) => t.status === activeFilter);
+
+            if (filtered.length === 0) {
+                // Safe: no user content, only static markup
+                listEl.textContent = '';
+                emptyEl.style.display = 'block';
+                return;
+            }
+
+            emptyEl.style.display = 'none';
+
+            // Build markup — all user values run through escapeHtml()
+            const rows = filtered.map((todo) => {
+                const isCompleted = todo.status === STATUS.COMPLETED;
+                const safeText = escapeHtml(todo.text);
+                const safeId   = escapeHtml(todo.id);
+
+                const statusClass = `status-pill-${escapeHtml(todo.status)}`;
+                const priorityClass = `priority-pill-${escapeHtml(todo.priority)}`;
+
+                let dueBadge = '';
+                if (todo.dueAt) {
+                    const due = new Date(todo.dueAt);
+                    const today = new Date();
+                    today.setHours(0, 0, 0, 0);
+                    const overdue = !isCompleted && due < today;
+                    const dueLabel = D(todo.dueAt).format('D MMM');
+                    dueBadge = `<span class="badge ${overdue ? 'badge-danger' : 'badge-outline'}" style="font-size:0.68rem;padding:1px 6px;flex-shrink:0;" title="Due ${escapeHtml(dueLabel)}">${overdue ? '⚠ ' : ''}${escapeHtml(dueLabel)}</span>`;
+                }
+
+                return `<li class="todo-item${isCompleted ? ' completed' : ''}" data-id="${safeId}">
+                    <input type="checkbox" class="form-check-input todo-checkbox" ${isCompleted ? 'checked' : ''} />
+                    <span class="todo-text">${safeText}${dueBadge ? ' ' + dueBadge : ''}</span>
+                    <div class="todo-selects">
+                        <select class="todo-select-pill status-select ${statusClass}" data-id="${safeId}" title="Status">
+                            <option value="not-started"${todo.status === 'not-started' ? ' selected' : ''}>Not Started</option>
+                            <option value="in-progress"${todo.status === 'in-progress' ? ' selected' : ''}>In Progress</option>
+                            <option value="completed"${todo.status === 'completed' ? ' selected' : ''}>Completed</option>
+                        </select>
+                        <select class="todo-select-pill priority-select ${priorityClass}" data-id="${safeId}" title="Priority">
+                            <option value="highest"${todo.priority === 'highest' ? ' selected' : ''}>Highest</option>
+                            <option value="high"${todo.priority === 'high' ? ' selected' : ''}>High</option>
+                            <option value="medium"${todo.priority === 'medium' ? ' selected' : ''}>Medium</option>
+                            <option value="low"${todo.priority === 'low' ? ' selected' : ''}>Low</option>
+                            <option value="lowest"${todo.priority === 'lowest' ? ' selected' : ''}>Lowest</option>
+                        </select>
+                    </div>
+                    <div class="todo-actions">
+                        <button class="btn btn-sm btn-ghost edit-todo" data-id="${safeId}" title="Edit">
+                            <span data-icon="edit" data-icon-size="13"></span>
+                        </button>
+                        <button class="btn btn-sm btn-danger delete-todo" data-id="${safeId}" title="Delete">
+                            <span data-icon="trash" data-icon-size="13"></span>
+                        </button>
+                    </div>
+                </li>`;
+            }).join('');
+
+            listEl.innerHTML = rows;
+            Domma.icons.scan(listEl);
+        }
+
+        // ---- Add todo ----
+        async function addTodo() {
+            const $input    = $container.find('#todo-input');
+            const $priority = $container.find('#priority-input');
+            const $due = $container.find('#due-date-input');
+            const text      = $input.get(0).value.trim();
+            const priority  = $priority.get(0).value;
+            const dueAt = $due.get(0)?.value || null;
+
+            if (!text) {
+                E.toast('Please enter a task', { type: 'warning' });
+                return;
+            }
+
+            try {
+                const item = await api('/api/plugins/todo/items', 'POST', {
+                    text,
+                    priority,
+                    status: STATUS.NOT_STARTED,
+                    dueAt
+                });
+                todos.push(item);
+                $input.get(0).value    = '';
+                $priority.get(0).value = PRIORITY.MEDIUM;
+                if ($due.get(0)) $due.get(0).value = '';
+                render();
+                E.toast('Task added', { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to add task', { type: 'error' });
+            }
+        }
+
+        // ---- Toggle (checkbox) ----
+        async function toggleTodo(id) {
+            const todo = todos.find((t) => t.id === id);
+            if (!todo) return;
+
+            const newStatus = todo.status === STATUS.COMPLETED ? STATUS.NOT_STARTED : STATUS.COMPLETED;
+            try {
+                const updated = await api(`/api/plugins/todo/items/${id}`, 'PUT', {status: newStatus});
+                Object.assign(todo, updated);
+                render();
+                E.toast(newStatus === STATUS.COMPLETED ? 'Task completed' : 'Task reopened', { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to update task', { type: 'error' });
+            }
+        }
+
+        // ---- Edit todo text ----
+        async function editTodo(id) {
+            const todo = todos.find((t) => t.id === id);
+            if (!todo) return;
+
+            const newText = await E.prompt('Edit your task:', { inputValue: todo.text });
+            if (!newText || !newText.trim()) return;
+
+            try {
+                const updated = await api(`/api/plugins/todo/items/${id}`, 'PUT', {text: newText.trim()});
+                Object.assign(todo, updated);
+                render();
+                E.toast('Task updated', { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to update task', { type: 'error' });
+            }
+        }
+
+        // ---- Delete single ----
+        async function deleteTodo(id) {
+            const confirmed = await E.confirm('Delete this task?');
+            if (!confirmed) return;
+
+            try {
+                await api(`/api/plugins/todo/items/${id}`, 'DELETE');
+                todos = todos.filter((t) => t.id !== id);
+                render();
+                E.toast('Task deleted', { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to delete task', { type: 'error' });
+            }
+        }
+
+        // ---- Update status ----
+        async function updateStatus(id, status) {
+            const todo = todos.find((t) => t.id === id);
+            if (!todo) return;
+
+            try {
+                const updated = await api(`/api/plugins/todo/items/${id}`, 'PUT', {status});
+                Object.assign(todo, updated);
+                render();
+                E.toast(`Status: ${formatStatus(status)}`, { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to update status', { type: 'error' });
+            }
+        }
+
+        // ---- Update priority ----
+        async function updatePriority(id, priority) {
+            const todo = todos.find((t) => t.id === id);
+            if (!todo) return;
+
+            try {
+                const updated = await api(`/api/plugins/todo/items/${id}`, 'PUT', {priority});
+                Object.assign(todo, updated);
+                render();
+                E.toast(`Priority: ${formatPriority(priority)}`, { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to update priority', { type: 'error' });
+            }
+        }
+
+        // ---- Clear completed ----
+        async function clearCompleted() {
+            const hasCompleted = todos.some((t) => t.status === STATUS.COMPLETED);
+            if (!hasCompleted) {
+                E.toast('No completed tasks to clear', { type: 'warning' });
+                return;
+            }
+
+            const confirmed = await E.confirm('Clear all completed tasks?');
+            if (!confirmed) return;
+
+            try {
+                await api('/api/plugins/todo/completed', 'DELETE');
+                todos = todos.filter((t) => t.status !== STATUS.COMPLETED);
+                render();
+                E.toast('Completed tasks cleared', { type: 'success' });
+            } catch (err) {
+                E.toast('Failed to clear completed tasks', { type: 'error' });
+            }
+        }
+
+        // ---- Event bindings ----
+
+        $container.find('#add-todo-btn').get(0).addEventListener('click', addTodo);
+
+        $container.find('#todo-input').get(0).addEventListener('keydown', (e) => {
+            if (e.key === 'Enter') addTodo();
+        });
+
+        $container.find('#clear-completed-btn').get(0).addEventListener('click', clearCompleted);
+
+        // Filter buttons — direct addEventListener to avoid namespaced delegation issues
+        $container.find('#filter-bar').get(0).querySelectorAll('.filter-btn').forEach((btn) => {
+            btn.addEventListener('click', () => {
+                activeFilter = btn.dataset.filter;
+                $container.find('#filter-bar').get(0).querySelectorAll('.filter-btn').forEach((b) => b.classList.remove('active'));
+                btn.classList.add('active');
+                render();
+            });
+        });
+
+        // Todo list — native event delegation on the list element
+        const listEl = $container.find('#todo-list').get(0);
+
+        listEl.addEventListener('change', (e) => {
+            const target = e.target;
+            const id = target.dataset.id ?? target.closest('.todo-item')?.dataset.id;
+            if (!id) return;
+
+            if (target.classList.contains('todo-checkbox')) {
+                toggleTodo(id);
+            } else if (target.classList.contains('status-select')) {
+                // Update pill colour immediately
+                target.className = target.className.replace(/status-pill-\S+/, `status-pill-${target.value}`);
+                updateStatus(id, target.value);
+            } else if (target.classList.contains('priority-select')) {
+                target.className = target.className.replace(/priority-pill-\S+/, `priority-pill-${target.value}`);
+                updatePriority(id, target.value);
+            }
+        });
+
+        listEl.addEventListener('click', (e) => {
+            const editBtn   = e.target.closest('.edit-todo');
+            const deleteBtn = e.target.closest('.delete-todo');
+
+            if (editBtn)   editTodo(editBtn.dataset.id);
+            if (deleteBtn) deleteTodo(deleteBtn.dataset.id);
+        });
+
+        // ---- Initial load ----
+        await loadTodos();
+        render();
+        Domma.icons.scan($container.get(0));
+    }
+};

package/plugins/todo/config.js

@@ -0,0 +1,7 @@
+export default {
+    scope: 'user',
+    defaultPriority: 'medium',
+    maxPerUser: 500,
+    // storage.adapter: 'mongodb' uses config/connections.json; 'file' uses local JSON
+    storage: {adapter: 'mongodb', connection: 'default'}
+};

package/plugins/todo/data/todos.json

@@ -0,0 +1 @@
+[]

package/plugins/todo/plugin.js

@@ -0,0 +1,155 @@
+import defaultConfig from './config.js';
+import {
+    listEntries,
+    createEntry,
+    updateEntry,
+    deleteEntry,
+    getEntry,
+    getCollection,
+    createCollection
+} from '../../server/services/collections.js';
+
+const SLUG = 'todos';
+const STORAGE = defaultConfig.storage ?? {adapter: 'file'};
+
+const FIELDS = [
+    {name: 'text', label: 'Task', type: 'text', required: true},
+    {name: 'status', label: 'Status', type: 'text', required: false},
+    {name: 'priority', label: 'Priority', type: 'text', required: false},
+    {name: 'dueAt', label: 'Due Date', type: 'text', required: false},
+    {name: 'userId', label: 'User ID', type: 'text', required: false}
+];
+
+/**
+ * Lifecycle: create the todos collection (MongoDB-backed) on plugin enable.
+ */
+export async function onEnable({services: {collections}}) {
+    const existing = await collections.getCollection(SLUG).catch(() => null);
+    if (existing) return;
+    await collections.createCollection({
+        title: 'Todos',
+        slug: SLUG,
+        description: 'Todo items managed by the Todo plugin.',
+        fields: FIELDS,
+        storage: STORAGE
+    });
+}
+
+/**
+ * Lifecycle: remove the todos collection on plugin disable.
+ */
+export async function onDisable({services: {collections}}) {
+    await collections.deleteCollection(SLUG).catch(() => {
+    });
+}
+
+/** Flatten a collection entry into the shape the admin view expects. */
+function toTodo(entry) {
+    return {
+        id: entry.id,
+        ...entry.data,
+        createdAt: entry.meta.createdAt,
+        updatedAt: entry.meta.updatedAt
+    };
+}
+
+export default async function todoPlugin(fastify, options) {
+    const { authenticate } = options.auth;
+    const config = {...defaultConfig, ...(options.settings || {})};
+    const scope = config.scope ?? 'user';
+    const storage = config.storage ?? STORAGE;
+
+    // Auto-create the collection if it doesn't exist yet.
+    const existing = await getCollection(SLUG).catch(() => null);
+    if (!existing) {
+        await createCollection({
+            title: 'Todos',
+            slug: SLUG,
+            description: 'Todo items managed by the Todo plugin.',
+            fields: FIELDS,
+            storage
+        }).catch(err => fastify.log.warn(`[todo] Collection setup: ${err.message}`));
+    }
+
+    function userId(request) {
+        return scope === 'user' ? (request.user?.id ?? request.user?.sub ?? null) : null;
+    }
+
+    async function loadAll(uid) {
+        const {entries} = await listEntries(SLUG, {limit: 10000, sort: 'createdAt', order: 'asc'});
+        let items = entries.map(toTodo);
+        if (uid) items = items.filter(t => t.userId === uid);
+        return items;
+    }
+
+    /** GET /api/plugins/todo/items */
+    fastify.get('/items', { preHandler: [authenticate] }, async (request, reply) => {
+        const uid = userId(request);
+        const { status } = request.query;
+        let items = await loadAll(uid);
+        if (status) items = items.filter(t => t.status === status);
+        return reply.send(items);
+    });
+
+    /** POST /api/plugins/todo/items */
+    fastify.post('/items', { preHandler: [authenticate] }, async (request, reply) => {
+        const uid = userId(request);
+        const { text, priority, status } = request.body ?? {};
+
+        if (!text || typeof text !== 'string' || !text.trim()) {
+            return reply.code(400).send({ error: 'text is required' });
+        }
+
+        const {dueAt} = request.body ?? {};
+        const entry = await createEntry(SLUG, {
+            text: text.trim(),
+            status: status ?? 'not-started',
+            priority: priority ?? config.defaultPriority ?? 'medium',
+            dueAt: dueAt ?? null,
+            userId: uid ?? null
+        }, {createdBy: uid, source: 'admin'});
+
+        return reply.code(201).send(toTodo(entry));
+    });
+
+    /** PUT /api/plugins/todo/items/:id */
+    fastify.put('/items/:id', { preHandler: [authenticate] }, async (request, reply) => {
+        const uid = userId(request);
+        const { id } = request.params;
+        const patch = request.body ?? {};
+
+        const entry = await getEntry(SLUG, id);
+        if (!entry) return reply.code(404).send({error: 'Todo not found'});
+        if (uid && entry.data.userId !== uid) return reply.code(404).send({error: 'Todo not found'});
+
+        const merged = {...entry.data};
+        for (const key of ['text', 'status', 'priority', 'dueAt']) {
+            if (key in patch) merged[key] = key === 'text' ? String(patch[key]).trim() : patch[key];
+        }
+
+        const updated = await updateEntry(SLUG, id, merged);
+        return reply.send(toTodo(updated));
+    });
+
+    /** DELETE /api/plugins/todo/completed — must be registered before /:id */
+    fastify.delete('/completed', {preHandler: [authenticate]}, async (request, reply) => {
+        const uid = userId(request);
+        const all = await loadAll(uid);
+        const completed = all.filter(t => t.status === 'completed');
+        await Promise.all(completed.map(t => deleteEntry(SLUG, t.id)));
+        return reply.send({success: true, removed: completed.length});
+    });
+
+    /** DELETE /api/plugins/todo/items/:id */
+    fastify.delete('/items/:id', { preHandler: [authenticate] }, async (request, reply) => {
+        const uid = userId(request);
+        const { id } = request.params;
+
+        const entry = await getEntry(SLUG, id);
+        if (!entry) return reply.code(404).send({error: 'Todo not found'});
+        if (uid && entry.data.userId !== uid) return reply.code(404).send({error: 'Todo not found'});
+
+        await deleteEntry(SLUG, id);
+        return reply.send({ success: true });
+    });
+}

package/plugins/todo/plugin.json

@@ -0,0 +1,23 @@
+{
+  "name": "todo",
+  "displayName": "Todo",
+  "version": "1.0.0",
+  "description": "Personal task manager with priorities and status tracking.",
+  "author": "Darryl Waterhouse",
+  "date": "2026-03-24",
+  "icon": "check-square",
+  "admin": {
+    "sidebar": [
+      { "id": "todo", "text": "Todo", "icon": "check-square", "url": "#/plugins/todo", "section": "#/plugins/todo" }
+    ],
+    "routes": [
+      { "path": "/plugins/todo", "view": "plugin-todo", "title": "Todo - Domma CMS" }
+    ],
+    "views": {
+      "plugin-todo": {
+        "entry": "todo/admin/views/todo.js",
+        "exportName": "todoView"
+      }
+    }
+  }
+}

package/server/routes/api/auth.js

@@ -9,6 +9,7 @@
  */
 import crypto from 'node:crypto';
 import {config, getConfig} from '../../config.js';
+import {hooks} from '../../services/hooks.js';
 import {authenticate, getPermissionsForRole} from '../../middleware/auth.js';
 import {GROUP_ORDER, REGISTRY} from '../../services/permissionRegistry.js';
 import {
@@ -93,6 +94,7 @@ export async function authRoutes(fastify) {
         await touchLastLogin(user.id);
 
         const safeUser = { id: user.id, name: user.name, email: user.email, role: user.role };
+        hooks.emit('user:loggedIn', {userId: user.id, email: user.email, role: user.role});
         const { token, refreshToken } = signTokens(fastify, safeUser);
         return { token, refreshToken, user: safeUser };
     });

package/server/routes/api/collections.js

@@ -253,6 +253,61 @@ export async function collectionsRoutes(fastify) {
         }
     });
 
+    // -------------------------------------------------------------------------
+    // Storage migration
+    // -------------------------------------------------------------------------
+
+    fastify.post('/collections/:slug/migrate-storage', canUpdate, async (request, reply) => {
+        const {slug} = request.params;
+        const {storage} = request.body || {};
+
+        if (!storage?.adapter) {
+            return reply.status(400).send({error: 'storage.adapter is required'});
+        }
+
+        const schema = await getCollection(slug);
+        if (!schema) return reply.status(404).send({error: 'Collection not found'});
+
+        const sourceAdapter = schema.storage?.adapter || 'file';
+        if (sourceAdapter === storage.adapter) {
+            return reply.status(400).send({error: 'Source and target adapters are the same'});
+        }
+
+        // Step 1: read all existing entries from current adapter BEFORE schema change
+        const {entries} = await listEntries(slug, {limit: 1000000, sort: 'createdAt', order: 'asc'});
+
+        // Step 2: update schema to new adapter (also invalidates the adapter cache)
+        await updateCollection(slug, {...schema, storage});
+
+        // Step 3: insert all entries into the new adapter
+        let migrated = 0;
+        for (const entry of entries) {
+            try {
+                await createEntry(slug, entry.data, {
+                    createdBy: entry.meta?.createdBy || null,
+                    source: 'migration'
+                });
+                migrated++;
+            } catch (err) {
+                fastify.log.warn(`[migrate-storage] Entry ${entry.id} skipped: ${err.message}`);
+            }
+        }
+
+        // Step 4: if migrating away from file storage, archive the old data.json
+        if (sourceAdapter === 'file') {
+            try {
+                const {rename} = await import('fs/promises');
+                const {join} = await import('path');
+                const dataPath = join(process.cwd(), 'content', 'collections', slug, 'data.json');
+                await rename(dataPath, dataPath + '.bak');
+            } catch {
+                // data.json may not exist or rename already done
+            }
+        }
+
+        return {migrated, total: entries.length};
+    });
+
     // -------------------------------------------------------------------------
     // Export / Import
     // -------------------------------------------------------------------------

package/server/routes/api/forms.js

@@ -33,6 +33,7 @@ import {
 } from '../../services/collections.js';
 import {getConfig} from '../../config.js';
 import {authenticate, requireAdmin, requirePermission} from '../../middleware/auth.js';
+import {hooks} from '../../services/hooks.js';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const ROOT = path.resolve(__dirname, '..', '..', '..');
@@ -453,6 +454,8 @@ export async function formsRoutes(fastify) {
             }
         }
 
+        hooks.emit('form:submitted', {slug, entryId: entry?.id || null, data, formTitle: form.title});
+
         return {
             ok:       true,
             message:  settings.successMessage  || 'Thank you for your submission.',

package/server/routes/api/settings.js

@@ -13,7 +13,8 @@ import {fileURLToPath} from 'url';
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
-const CUSTOM_CSS_MAX  = 100 * 1024; // 100 KB
+const CONNECTIONS_FILE = path.resolve(__dirname, '../../../config/connections.json');
+const CUSTOM_CSS_MAX = 100 * 1024; // 100 KB
 
 export async function settingsRoutes(fastify) {
     const canRead = {preHandler: [authenticate, requirePermission('settings', 'read')]};
@@ -79,6 +80,20 @@ export async function settingsRoutes(fastify) {
         }
     });
 
+    // GET /api/settings/db-status — returns whether MongoDB connections are configured
+    fastify.get('/settings/db-status', canRead, async () => {
+        try {
+            const raw = await fs.readFile(CONNECTIONS_FILE, 'utf8');
+            const connections = JSON.parse(raw);
+            const names = Object.keys(connections).filter(k =>
+                connections[k]?.type === 'mongodb' && connections[k]?.uri
+            );
+            return {configured: names.length > 0, connections: names};
+        } catch {
+            return {configured: false, connections: []};
+        }
+    });
+
     // GET /api/settings/custom-css — return current CSS as JSON
     fastify.get('/settings/custom-css', canUpdate, async () => {
         try {

package/server/routes/public.js

@@ -7,6 +7,7 @@
 import {getPage} from '../services/content.js';
 import {renderPage} from '../services/renderer.js';
 import {getRoleLevel} from '../services/roles.js';
+import {hooks} from '../services/hooks.js';
 
 /**
  * Escape user-controlled strings before interpolating into HTML.
@@ -83,6 +84,7 @@ export async function publicRoutes(fastify) {
         }
 
         const html = await renderPage(page);
+        hooks.emit('content:pageViewed', {urlPath, title: page.title || ''});
         return reply.type('text/html').send(html);
     });
 }