domma-cms 0.9.1 → 0.9.6

package/server/server.js

@@ -1,285 +1,288 @@
-/**
- * Domma CMS - Fastify Server
- * Serves the admin SPA, public site, REST API, and static assets.
- * Domma dist files are served directly from node_modules/domma-js/public/dist.
- * Updated: blobs + z-index fixes.
- */
-import 'dotenv/config';
-import Fastify from 'fastify';
-import jwt from '@fastify/jwt';
-import staticPlugin from '@fastify/static';
-import cors from '@fastify/cors';
-import multipart from '@fastify/multipart';
-import rateLimit from '@fastify/rate-limit';
-import helmet from '@fastify/helmet';
-import path from 'path';
-import fs from 'fs/promises';
-import {fileURLToPath} from 'url';
-import {createRequire} from 'module';
-import {config, getConfig} from './config.js';
-import {registerPlugins} from './services/plugins.js';
-import {load as loadRoles, seed as seedRoles} from './services/roles.js';
-import {ensureAllProfiles, seed as seedUserProfiles} from './services/userProfiles.js';
-import {seedAll as seedPresetCollections} from './services/presetCollections.js';
-import {seedDefaultBlocks} from './services/blocks.js';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const ROOT = path.resolve(__dirname, '..');
-
-// Resolve domma-js package location via require resolution
-const require = createRequire(import.meta.url);
-const dommaPackageDir = path.dirname(require.resolve('domma-js/package.json'));
-const DOMMA_DIST = path.join(dommaPackageDir, 'public', 'dist');
-
-const { server: serverConfig, auth: authConfig } = config;
-
-// Validate JWT_SECRET before starting — prevents silent auth failures
-const JWT_SECRET = process.env.JWT_SECRET;
-if (!JWT_SECRET || JWT_SECRET === 'CHANGE_ME' || JWT_SECRET.length < 32) {
-    console.error('');
-    console.error('  ERROR: JWT_SECRET is not set or is insecure.');
-    console.error('  Run `npm run setup` or set a secure JWT_SECRET in .env');
-    console.error('  (minimum 32 characters, not "CHANGE_ME")');
-    console.error('');
-    process.exit(1);
-}
-
-const app = Fastify({
-    logger: {level: process.env.NODE_ENV === 'development' ? 'info' : 'warn'},
-    // When running behind a reverse proxy (e.g. domma-cms-manager), trust the
-    // X-Forwarded-For header so @fastify/rate-limit keys on the real client IP
-    // rather than the proxy's loopback address.
-    trustProxy: !!process.env.TRUST_PROXY,
-});
-
-// Register process error handlers immediately so startup errors are captured
-process.on('uncaughtException', (err) => {
-    app.log.error({ err }, 'Uncaught exception');
-    process.exit(1);
-});
-
-process.on('unhandledRejection', (reason) => {
-    app.log.error({ reason }, 'Unhandled rejection');
-    process.exit(1);
-});
-
-// ---------------------------------------------------------------------------
-// Core Plugins
-// ---------------------------------------------------------------------------
-
-await app.register(helmet, {
-    contentSecurityPolicy: {
-        directives: {
-            defaultSrc: ["'self'"],
-            scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
-            styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net', 'https://fonts.googleapis.com'],
-            imgSrc: ["'self'", 'data:', 'blob:'],
-            fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com'],
-            connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
-            upgradeInsecureRequests: null, // prevent browsers forcing HTTPS on HTTP deployments
-        }
-    },
-    crossOriginEmbedderPolicy: false, // allow embedding images/resources
-    hsts: false, // disable HSTS — server runs HTTP only; HSTS would force browser to https
-});
-
-await app.register(jwt, { secret: process.env.JWT_SECRET });
-await app.register(cors, serverConfig.cors);
-await app.register(multipart, { limits: { fileSize: serverConfig.uploads.maxFileSize } });
-await app.register(rateLimit, {
-    global: true, // apply default limit to all routes; stricter per-route limits override this
-    max: 500,
-    timeWindow: '1 minute',
-    // Loopback is always exempt — local admin use should never be rate-limited.
-    // When behind a reverse proxy (TRUST_PROXY), the proxy's loopback is also exempt.
-    allowList: ['127.0.0.1', '::1', '::ffff:127.0.0.1'],
-});
-
-// ---------------------------------------------------------------------------
-// Static Assets
-// ---------------------------------------------------------------------------
-
-// Serve Domma dist files from npm package (shared by admin + public)
-await app.register(staticPlugin, {
-    root: DOMMA_DIST,
-    prefix: '/dist/domma/',
-    decorateReply: false
-});
-
-// Serve public site assets (CSS, JS, images, etc.)
-await app.register(staticPlugin, {
-    root: path.join(ROOT, 'public'),
-    prefix: '/public/',
-    decorateReply: false
-});
-
-// Serve admin panel assets — no-cache so JS/CSS changes are always picked up
-await app.register(staticPlugin, {
-    root: path.join(ROOT, 'admin'),
-    prefix: '/admin/',
-    decorateReply: false,
-    setHeaders: (res) => {
-        res.setHeader('Cache-Control', 'no-cache');
-    }
-});
-
-// Ensure required directories exist
-const mediaDir       = path.join(ROOT, config.content.mediaDir);
-const usersDir       = path.join(ROOT, config.content.usersDir);
-const collectionsDir = path.join(ROOT, config.content.collectionsDir);
-const pluginsDir     = path.join(ROOT, 'plugins');
-const blocksDir = path.join(ROOT, 'content', 'blocks');
-await fs.mkdir(mediaDir,       { recursive: true });
-await fs.mkdir(usersDir,       { recursive: true });
-await fs.mkdir(collectionsDir, { recursive: true });
-await fs.mkdir(pluginsDir,     { recursive: true });
-await fs.mkdir(blocksDir, {recursive: true});
-
-// ---------------------------------------------------------------------------
-// Pro feature — optional MongoDB connections
-// ---------------------------------------------------------------------------
-
-try {
-    const connections = getConfig('connections');
-    if (connections && Object.keys(connections).length > 0) {
-        const { initialise, shutdown } = await import('./services/connectionManager.js');
-        await initialise(connections);
-        app.addHook('onClose', shutdown);
-    }
-} catch {
-    // No connections.json or empty — pure file-based mode (free version).
-}
-
-// ---------------------------------------------------------------------------
-// Roles — seed preset collection + load into cache
-// ---------------------------------------------------------------------------
-
-await seedRoles();
-await loadRoles();
-await seedUserProfiles();
-await ensureAllProfiles();
-await seedPresetCollections();
-await seedDefaultBlocks();
-
-// Serve uploaded media files
-await app.register(staticPlugin, {
-    root: mediaDir,
-    prefix: '/media/',
-    decorateReply: false
-});
-
-// Serve plugin admin/ and public/ subdirs only — block plugin.js, config.js, data/, etc.
-await app.register(async function pluginStaticScope(instance) {
-  instance.addHook('onRequest', (request, reply, done) => {
-    const relative = request.url.replace(/^\/plugins\//, '').split('?')[0];
-    const segments = relative.split('/');
-
-    if (relative.includes('..')) {
-      reply.code(403).send({error: 'Forbidden'});
-      return;
-    }
-    // Must be: {pluginName}/{admin|public}/{file...}
-    if (segments.length < 3 || !['admin', 'public'].includes(segments[1])) {
-      reply.code(404).send({error: 'Not found'});
-      return;
-    }
-    done();
-  });
-
-  await instance.register(staticPlugin, {
-    root: pluginsDir,
-    prefix: '/plugins/',
-    decorateReply: false
-  });
-});
-
-// ---------------------------------------------------------------------------
-// Global error handler — prevents stack trace leaks in production
-// ---------------------------------------------------------------------------
-
-app.setErrorHandler((error, request, reply) => {
-    app.log.error({ err: error, url: request.url }, 'Request error');
-    const statusCode = error.statusCode || 500;
-    // Don't leak stack traces in production
-    const message = process.env.NODE_ENV === 'production' && statusCode === 500
-        ? 'Internal server error'
-        : error.message;
-    return reply.code(statusCode).send({ error: message });
-});
-
-// ---------------------------------------------------------------------------
-// Auth API Routes (no authentication required on these endpoints themselves)
-// ---------------------------------------------------------------------------
-
-const { authRoutes } = await import('./routes/api/auth.js');
-await app.register(authRoutes, { prefix: '/api' });
-
-// ---------------------------------------------------------------------------
-// Protected API Routes
-// ---------------------------------------------------------------------------
-
-const { pagesRoutes }      = await import('./routes/api/pages.js');
-const { settingsRoutes }   = await import('./routes/api/settings.js');
-const { layoutsRoutes }    = await import('./routes/api/layouts.js');
-const { navigationRoutes } = await import('./routes/api/navigation.js');
-const { mediaRoutes }      = await import('./routes/api/media.js');
-const { usersRoutes }      = await import('./routes/api/users.js');
-const { pluginsRoutes }     = await import('./routes/api/plugins.js');
-const { collectionsRoutes } = await import('./routes/api/collections.js');
-const { formsRoutes }       = await import('./routes/api/forms.js');
-const { viewsRoutes }       = await import('./routes/api/views.js');
-const { actionsRoutes }     = await import('./routes/api/actions.js');
-const {blocksRoutes} = await import('./routes/api/blocks.js');
-const {versionsRoutes} = await import('./routes/api/versions.js');
-const {effectsRoutes} = await import('./routes/api/effects.js');
-
-await app.register(pagesRoutes,       { prefix: '/api' });
-await app.register(settingsRoutes,    { prefix: '/api' });
-await app.register(layoutsRoutes,     { prefix: '/api' });
-await app.register(navigationRoutes,  { prefix: '/api' });
-await app.register(mediaRoutes,       { prefix: '/api' });
-await app.register(usersRoutes,       { prefix: '/api' });
-await app.register(pluginsRoutes,     { prefix: '/api' });
-await app.register(collectionsRoutes, { prefix: '/api' });
-await app.register(formsRoutes,       { prefix: '/api' });
-await app.register(viewsRoutes,       { prefix: '/api' });
-await app.register(actionsRoutes,     { prefix: '/api' });
-await app.register(blocksRoutes, {prefix: '/api'});
-await app.register(versionsRoutes, {prefix: '/api'});
-await app.register(effectsRoutes, {prefix: '/api'});
-
-// ---------------------------------------------------------------------------
-// CMS Plugins (server-side Fastify plugins from plugins/ directory)
-// ---------------------------------------------------------------------------
-
-await registerPlugins(app);
-
-// ---------------------------------------------------------------------------
-// Public Site (catch-all — must be last)
-// ---------------------------------------------------------------------------
-
-const { publicRoutes } = await import('./routes/public.js');
-await app.register(publicRoutes);
-
-// ---------------------------------------------------------------------------
-// Graceful shutdown and unhandled error guards
-// ---------------------------------------------------------------------------
-
-const shutdown = async (signal) => {
-    app.log.info(`Received ${signal}, shutting down gracefully...`);
-    await app.close();
-    process.exit(0);
-};
-
-process.on('SIGTERM', () => shutdown('SIGTERM'));
-process.on('SIGINT',  () => shutdown('SIGINT'));
-
-try {
-    await app.listen({ port: serverConfig.port, host: serverConfig.host });
-    console.log(`Domma CMS running at http://localhost:${serverConfig.port}`);
-    console.log(`  Admin:  http://localhost:${serverConfig.port}/admin/`);
-    console.log(`  Public: http://localhost:${serverConfig.port}/`);
-} catch (err) {
-    app.log.error(err);
-    process.exit(1);
-}
+/**
+ * Domma CMS - Fastify Server
+ * Serves the admin SPA, public site, REST API, and static assets.
+ * Domma dist files are served directly from node_modules/domma-js/public/dist.
+ * Updated: blobs + z-index fixes.
+ */
+import 'dotenv/config';
+import Fastify from 'fastify';
+import jwt from '@fastify/jwt';
+import staticPlugin from '@fastify/static';
+import cors from '@fastify/cors';
+import multipart from '@fastify/multipart';
+import rateLimit from '@fastify/rate-limit';
+import helmet from '@fastify/helmet';
+import path from 'path';
+import fs from 'fs/promises';
+import {fileURLToPath} from 'url';
+import {createRequire} from 'module';
+import {config, getConfig} from './config.js';
+import {registerPlugins} from './services/plugins.js';
+import {load as loadRoles, seed as seedRoles} from './services/roles.js';
+import {ensureAllProfiles, seed as seedUserProfiles} from './services/userProfiles.js';
+import {seedAll as seedPresetCollections} from './services/presetCollections.js';
+import {seedDefaultBlocks} from './services/blocks.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const ROOT = path.resolve(__dirname, '..');
+
+// Resolve domma-js package location via require resolution
+const require = createRequire(import.meta.url);
+const dommaPackageDir = path.dirname(require.resolve('domma-js/package.json'));
+const DOMMA_DIST = path.join(dommaPackageDir, 'public', 'dist');
+
+const { server: serverConfig, auth: authConfig } = config;
+
+// Validate JWT_SECRET before starting — prevents silent auth failures
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET || JWT_SECRET === 'CHANGE_ME' || JWT_SECRET.length < 32) {
+    console.error('');
+    console.error('  ERROR: JWT_SECRET is not set or is insecure.');
+    console.error('  Run `npm run setup` or set a secure JWT_SECRET in .env');
+    console.error('  (minimum 32 characters, not "CHANGE_ME")');
+    console.error('');
+    process.exit(1);
+}
+
+const app = Fastify({
+    logger: {level: process.env.NODE_ENV === 'development' ? 'info' : 'warn'},
+    // When running behind a reverse proxy (e.g. domma-cms-manager), trust the
+    // X-Forwarded-For header so @fastify/rate-limit keys on the real client IP
+    // rather than the proxy's loopback address.
+    trustProxy: !!process.env.TRUST_PROXY,
+});
+
+// Register process error handlers immediately so startup errors are captured
+process.on('uncaughtException', (err) => {
+    app.log.error({ err }, 'Uncaught exception');
+    process.exit(1);
+});
+
+process.on('unhandledRejection', (reason) => {
+    app.log.error({ reason }, 'Unhandled rejection');
+    process.exit(1);
+});
+
+// ---------------------------------------------------------------------------
+// Core Plugins
+// ---------------------------------------------------------------------------
+
+await app.register(helmet, {
+    contentSecurityPolicy: {
+        directives: {
+            defaultSrc: ["'self'"],
+            scriptSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net'],
+            styleSrc: ["'self'", "'unsafe-inline'", 'https://cdn.jsdelivr.net', 'https://fonts.googleapis.com'],
+            imgSrc: ["'self'", 'data:', 'blob:'],
+            fontSrc: ["'self'", 'data:', 'https://fonts.gstatic.com'],
+            connectSrc: ["'self'", 'https://cdn.jsdelivr.net'],
+            upgradeInsecureRequests: null, // prevent browsers forcing HTTPS on HTTP deployments
+        }
+    },
+    crossOriginEmbedderPolicy: false, // allow embedding images/resources
+    hsts: false, // disable HSTS — server runs HTTP only; HSTS would force browser to https
+});
+
+await app.register(jwt, { secret: process.env.JWT_SECRET });
+await app.register(cors, serverConfig.cors);
+await app.register(multipart, { limits: { fileSize: serverConfig.uploads.maxFileSize } });
+await app.register(rateLimit, {
+    global: true, // apply default limit to all routes; stricter per-route limits override this
+    max: 500,
+    timeWindow: '1 minute',
+    // Loopback is always exempt — local admin use should never be rate-limited.
+    // When behind a reverse proxy (TRUST_PROXY), the proxy's loopback is also exempt.
+    allowList: ['127.0.0.1', '::1', '::ffff:127.0.0.1'],
+});
+
+// ---------------------------------------------------------------------------
+// Static Assets
+// ---------------------------------------------------------------------------
+
+// Serve Domma dist files from npm package (shared by admin + public)
+await app.register(staticPlugin, {
+    root: DOMMA_DIST,
+    prefix: '/dist/domma/',
+    decorateReply: false
+});
+
+// Serve public site assets (CSS, JS, images, etc.)
+await app.register(staticPlugin, {
+    root: path.join(ROOT, 'public'),
+    prefix: '/public/',
+    decorateReply: false
+});
+
+// Serve admin panel assets — no-cache so JS/CSS changes are always picked up
+await app.register(staticPlugin, {
+    root: path.join(ROOT, 'admin'),
+    prefix: '/admin/',
+    decorateReply: false,
+    setHeaders: (res) => {
+        res.setHeader('Cache-Control', 'no-cache');
+    }
+});
+
+// Ensure required directories exist
+const mediaDir       = path.join(ROOT, config.content.mediaDir);
+const usersDir       = path.join(ROOT, config.content.usersDir);
+const collectionsDir = path.join(ROOT, config.content.collectionsDir);
+const pluginsDir     = path.join(ROOT, 'plugins');
+const blocksDir = path.join(ROOT, 'content', 'blocks');
+await fs.mkdir(mediaDir,       { recursive: true });
+await fs.mkdir(usersDir,       { recursive: true });
+await fs.mkdir(collectionsDir, { recursive: true });
+await fs.mkdir(pluginsDir,     { recursive: true });
+await fs.mkdir(blocksDir, {recursive: true});
+
+// ---------------------------------------------------------------------------
+// Pro feature — optional MongoDB connections
+// ---------------------------------------------------------------------------
+
+try {
+    const connections = getConfig('connections');
+    if (connections && Object.keys(connections).length > 0) {
+        const { initialise, shutdown } = await import('./services/connectionManager.js');
+        await initialise(connections);
+        app.addHook('onClose', shutdown);
+    }
+} catch {
+    // No connections.json or empty — pure file-based mode (free version).
+}
+
+// ---------------------------------------------------------------------------
+// Roles — seed preset collection + load into cache
+// ---------------------------------------------------------------------------
+
+await seedRoles();
+await loadRoles();
+await seedUserProfiles();
+await ensureAllProfiles();
+await seedPresetCollections();
+await seedDefaultBlocks();
+
+// Serve uploaded media files — nosniff prevents browsers rendering spoofed content types
+await app.register(staticPlugin, {
+    root: mediaDir,
+    prefix: '/media/',
+    decorateReply: false,
+    setHeaders: (res) => {
+        res.setHeader('X-Content-Type-Options', 'nosniff');
+    }
+});
+
+// Serve plugin admin/ and public/ subdirs only — block plugin.js, config.js, data/, etc.
+await app.register(async function pluginStaticScope(instance) {
+  instance.addHook('onRequest', (request, reply, done) => {
+    const relative = request.url.replace(/^\/plugins\//, '').split('?')[0];
+    const segments = relative.split('/');
+
+    if (relative.includes('..')) {
+      reply.code(403).send({error: 'Forbidden'});
+      return;
+    }
+    // Must be: {pluginName}/{admin|public}/{file...}
+    if (segments.length < 3 || !['admin', 'public'].includes(segments[1])) {
+      reply.code(404).send({error: 'Not found'});
+      return;
+    }
+    done();
+  });
+
+  await instance.register(staticPlugin, {
+    root: pluginsDir,
+    prefix: '/plugins/',
+    decorateReply: false
+  });
+});
+
+// ---------------------------------------------------------------------------
+// Global error handler — prevents stack trace leaks in production
+// ---------------------------------------------------------------------------
+
+app.setErrorHandler((error, request, reply) => {
+    app.log.error({ err: error, url: request.url }, 'Request error');
+    const statusCode = error.statusCode || 500;
+    // Don't leak stack traces in production
+    const message = process.env.NODE_ENV === 'production' && statusCode === 500
+        ? 'Internal server error'
+        : error.message;
+    return reply.code(statusCode).send({ error: message });
+});
+
+// ---------------------------------------------------------------------------
+// Auth API Routes (no authentication required on these endpoints themselves)
+// ---------------------------------------------------------------------------
+
+const { authRoutes } = await import('./routes/api/auth.js');
+await app.register(authRoutes, { prefix: '/api' });
+
+// ---------------------------------------------------------------------------
+// Protected API Routes
+// ---------------------------------------------------------------------------
+
+const { pagesRoutes }      = await import('./routes/api/pages.js');
+const { settingsRoutes }   = await import('./routes/api/settings.js');
+const { layoutsRoutes }    = await import('./routes/api/layouts.js');
+const { navigationRoutes } = await import('./routes/api/navigation.js');
+const { mediaRoutes }      = await import('./routes/api/media.js');
+const { usersRoutes }      = await import('./routes/api/users.js');
+const { pluginsRoutes }     = await import('./routes/api/plugins.js');
+const { collectionsRoutes } = await import('./routes/api/collections.js');
+const { formsRoutes }       = await import('./routes/api/forms.js');
+const { viewsRoutes }       = await import('./routes/api/views.js');
+const { actionsRoutes }     = await import('./routes/api/actions.js');
+const {blocksRoutes} = await import('./routes/api/blocks.js');
+const {versionsRoutes} = await import('./routes/api/versions.js');
+const {effectsRoutes} = await import('./routes/api/effects.js');
+
+await app.register(pagesRoutes,       { prefix: '/api' });
+await app.register(settingsRoutes,    { prefix: '/api' });
+await app.register(layoutsRoutes,     { prefix: '/api' });
+await app.register(navigationRoutes,  { prefix: '/api' });
+await app.register(mediaRoutes,       { prefix: '/api' });
+await app.register(usersRoutes,       { prefix: '/api' });
+await app.register(pluginsRoutes,     { prefix: '/api' });
+await app.register(collectionsRoutes, { prefix: '/api' });
+await app.register(formsRoutes,       { prefix: '/api' });
+await app.register(viewsRoutes,       { prefix: '/api' });
+await app.register(actionsRoutes,     { prefix: '/api' });
+await app.register(blocksRoutes, {prefix: '/api'});
+await app.register(versionsRoutes, {prefix: '/api'});
+await app.register(effectsRoutes, {prefix: '/api'});
+
+// ---------------------------------------------------------------------------
+// CMS Plugins (server-side Fastify plugins from plugins/ directory)
+// ---------------------------------------------------------------------------
+
+await registerPlugins(app);
+
+// ---------------------------------------------------------------------------
+// Public Site (catch-all — must be last)
+// ---------------------------------------------------------------------------
+
+const { publicRoutes } = await import('./routes/public.js');
+await app.register(publicRoutes);
+
+// ---------------------------------------------------------------------------
+// Graceful shutdown and unhandled error guards
+// ---------------------------------------------------------------------------
+
+const shutdown = async (signal) => {
+    app.log.info(`Received ${signal}, shutting down gracefully...`);
+    await app.close();
+    process.exit(0);
+};
+
+process.on('SIGTERM', () => shutdown('SIGTERM'));
+process.on('SIGINT',  () => shutdown('SIGINT'));
+
+try {
+    await app.listen({ port: serverConfig.port, host: serverConfig.host });
+    console.log(`Domma CMS running at http://localhost:${serverConfig.port}`);
+    console.log(`  Admin:  http://localhost:${serverConfig.port}/admin/`);
+    console.log(`  Public: http://localhost:${serverConfig.port}/`);
+} catch (err) {
+    app.log.error(err);
+    process.exit(1);
+}

package/server/services/collections.js

@@ -37,7 +37,6 @@ function slugify(str) {
 async function readSchema(slug) {
     const raw = await fs.readFile(schemaPath(slug), 'utf8');
     const schema = JSON.parse(raw);
-    // Normalise legacy 'preset' flag — both mean "bundled with fresh installs"
     if (schema.preset && !schema.bundled) {
         schema.bundled = true;
         delete schema.preset;
@@ -139,11 +138,11 @@ export async function createCollection({title, slug, description = '', fields =
         slug: finalSlug,
         title: title.trim(),
         description: description.trim(),
-        ...(bundled ? {bundled: true} : {}),
-        ...(plugin ? {plugin} : {}),
         fields,
         api: { ...defaultApiAccess(), ...api },
         storage: storage || {adapter: 'file'},
+        ...(bundled ? {bundled: true} : {}),
+        ...(plugin ? {plugin} : {}),
         createdAt: now,
         updatedAt: now
     };
@@ -165,20 +164,28 @@ export async function updateCollection(slug, updates) {
     const schema = await getCollection(slug);
     if (!schema) throw new Error(`Collection "${slug}" not found`);
 
-    const { slug: _ignore, createdAt, plugin: _plugin, bundled: _bundled, ...rest } = updates;
+    const {slug: _ignore, createdAt, plugin: _stripPlugin, ...rest} = updates;
     const updated = {
         ...schema,
         ...rest,
-        // bundled is user-editable — set from update, omit if falsy
-        ...(updates.bundled ? {bundled: true} : {}),
-        // plugin is ownership metadata — never overwrite from updates
-        ...(schema.plugin ? {plugin: schema.plugin} : {}),
         slug,
         createdAt: schema.createdAt,
         updatedAt: new Date().toISOString()
     };
-    // Clear bundled from schema if it was unchecked (schema spread may have preserved old value)
-    if (!updates.bundled) delete updated.bundled;
+
+    // Preserve the original plugin field (never overwrite)
+    if (schema.plugin) {
+        updated.plugin = schema.plugin;
+    } else {
+        delete updated.plugin;
+    }
+
+    // Allow bundled to be set or cleared
+    if (updates.bundled) {
+        updated.bundled = true;
+    } else {
+        delete updated.bundled;
+    }
 
     await writeSchema(updated);