domma-cms 0.9.10 → 0.12.0

package/server/routes/api/plugin-marketplace.js

@@ -0,0 +1,75 @@
+/**
+ * Plugin Marketplace API
+ * GET    /api/plugins/marketplace         — fetch catalogue from manager (requires MANAGER_URL)
+ * POST   /api/plugins/marketplace/install — download + install a plugin bundle
+ * DELETE /api/plugins/marketplace/:slug   — uninstall an installed plugin
+ *
+ * All routes require authentication + admin role.
+ */
+import {authenticate, requireAdmin} from '../../middleware/auth.js';
+import {fetchCatalogue, fetchPluginBundle} from '../../services/managerClient.js';
+import {installPlugin, uninstallPlugin} from '../../services/pluginInstaller.js';
+
+export async function pluginMarketplaceRoutes(fastify) {
+    const adminOnly = { preHandler: [authenticate, requireAdmin] };
+
+    // GET /plugins/marketplace
+    fastify.get('/plugins/marketplace', adminOnly, async (_request, reply) => {
+        if (!process.env.MANAGER_URL) {
+            return reply.send({ available: false, catalogue: [] });
+        }
+
+        const licenceToken = process.env.LICENCE_TOKEN;
+        const catalogue = await fetchCatalogue(licenceToken);
+        return reply.send({ available: true, catalogue });
+    });
+
+    // POST /plugins/marketplace/install
+    fastify.post('/plugins/marketplace/install', adminOnly, async (request, reply) => {
+        const { slug, version } = request.body || {};
+
+        if (!slug || !/^[a-z0-9][a-z0-9-_]{0,63}$/.test(slug)) {
+            return reply.code(400).send({ error: 'Invalid plugin slug.' });
+        }
+        if (!version || !/^\d+\.\d+\.\d+$/.test(version)) {
+            return reply.code(400).send({ error: 'Invalid version format. Expected semver (e.g. 1.0.0).' });
+        }
+
+        const licenceToken = process.env.LICENCE_TOKEN;
+        const bundle = await fetchPluginBundle(slug, version, licenceToken);
+
+        if (!bundle) {
+            return reply.code(503).send({ error: 'Manager unavailable' });
+        }
+
+        try {
+            await installPlugin(slug, bundle);
+        } catch (err) {
+            fastify.log.error({ err }, '[marketplace] install failed');
+            // Known safe error messages from pluginInstaller (for admin clarity)
+            const safeMessages = ['Plugin already installed', 'Plugin signature invalid', 'Unknown public key', 'Invalid plugin slug'];
+            const safe = safeMessages.some(m => err.message.startsWith(m));
+            return reply.code(400).send({ error: safe ? err.message : 'Installation failed.' });
+        }
+
+        return reply.send({ success: true });
+    });
+
+    // DELETE /plugins/marketplace/:slug
+    fastify.delete('/plugins/marketplace/:slug', adminOnly, async (request, reply) => {
+        const { slug } = request.params;
+
+        if (!slug || !/^[a-z0-9][a-z0-9-_]{0,63}$/.test(slug)) {
+            return reply.code(400).send({ error: 'Invalid plugin slug.' });
+        }
+
+        try {
+            await uninstallPlugin(slug);
+        } catch (err) {
+            fastify.log.error({ err }, '[marketplace] uninstall failed');
+            return reply.code(400).send({ error: 'Uninstall failed.' });
+        }
+
+        return reply.send({ success: true });
+    });
+}

package/server/routes/api/users.js

@@ -54,7 +54,7 @@ export async function usersRoutes(fastify) {
             return reply.status(400).send({ error: 'Password must be at least 8 characters' });
         }
 
-        const targetRole = role || 'editor';
+        const targetRole = role || 'user';
         if (!canManageUser(request.user.role, targetRole)) {
             return reply.code(403).send({ error: 'You cannot create a user with that role' });
         }

package/server/routes/api/views.js

@@ -125,7 +125,7 @@ export async function viewsRoutes(fastify) {
             }
 
             const user          = request.user;
-            const allowedRoles  = view.access?.roles || ['admin'];
+            const allowedRoles  = view.access?.roles || ['admin', 'super-admin'];
             const userLevel     = getRoleLevel(user?.role);
             const minAllowed    = Math.min(...allowedRoles.map(r => getRoleLevel(r)));
 

package/server/routes/public.js

@@ -6,7 +6,7 @@
  */
 import {getPage} from '../services/content.js';
 import {renderPage} from '../services/renderer.js';
-import {getRoleLevel} from '../services/roles.js';
+import {checkVisibility} from '../middleware/auth.js';
 import {hooks} from '../services/hooks.js';
 
 /**
@@ -69,15 +69,10 @@ export async function publicRoutes(fastify) {
             let userRole = null;
             try {
                 const decoded = await request.jwtVerify();
-                userRole = decoded.role;
-            } catch { /* no token — treat as unauthenticated */
-            }
-
-            const userLevel = getRoleLevel(userRole);
-            const visibilityLevel = getRoleLevel(page.visibility);
-            const requiredLevel = visibilityLevel === Infinity ? 0 : visibilityLevel;
+                if (decoded.type === 'access') userRole = decoded.role;
+            } catch { /* no token — treat as unauthenticated */ }
 
-            if (userLevel > requiredLevel) {
+            if (!checkVisibility(userRole, page.visibility)) {
                 reply.status(403);
                 return reply.type('text/html').send(accessDeniedHtml(urlPath));
             }

package/server/server.js

@@ -17,7 +17,7 @@ import fs from 'fs/promises';
 import {fileURLToPath} from 'url';
 import {createRequire} from 'module';
 import {config, getConfig} from './config.js';
-import {registerPlugins} from './services/plugins.js';
+import {getLoadedPlugins, getPluginSettings, registerPlugins} from './services/plugins.js';
 import {load as loadRoles, seed as seedRoles} from './services/roles.js';
 import {ensureAllProfiles, seed as seedUserProfiles} from './services/userProfiles.js';
 import {seedAll as seedPresetCollections} from './services/presetCollections.js';
@@ -44,6 +44,13 @@ if (!JWT_SECRET || JWT_SECRET === 'CHANGE_ME' || JWT_SECRET.length < 32) {
     process.exit(1);
 }
 
+// MANAGER_SECRET is optional — only needed when domma-cms-manager pushes notifications.
+// Warn if set but insecure; silently accept if absent (manager push is disabled).
+const MANAGER_SECRET = process.env.MANAGER_SECRET;
+if (MANAGER_SECRET && MANAGER_SECRET.length < 32) {
+    console.warn('  WARNING: MANAGER_SECRET is set but too short (minimum 32 characters). Manager notifications disabled until fixed.');
+}
+
 const app = Fastify({
     logger: {level: process.env.NODE_ENV === 'development' ? 'info' : 'warn'},
     // When running behind a reverse proxy (e.g. domma-cms-manager), trust the
@@ -227,7 +234,8 @@ const { layoutsRoutes }    = await import('./routes/api/layouts.js');
 const { navigationRoutes } = await import('./routes/api/navigation.js');
 const { mediaRoutes }      = await import('./routes/api/media.js');
 const { usersRoutes }      = await import('./routes/api/users.js');
-const { pluginsRoutes }     = await import('./routes/api/plugins.js');
+const { pluginsRoutes }            = await import('./routes/api/plugins.js');
+const { pluginMarketplaceRoutes }  = await import('./routes/api/plugin-marketplace.js');
 const { collectionsRoutes } = await import('./routes/api/collections.js');
 const { formsRoutes }       = await import('./routes/api/forms.js');
 const { viewsRoutes }       = await import('./routes/api/views.js');
@@ -242,7 +250,8 @@ await app.register(layoutsRoutes,     { prefix: '/api' });
 await app.register(navigationRoutes,  { prefix: '/api' });
 await app.register(mediaRoutes,       { prefix: '/api' });
 await app.register(usersRoutes,       { prefix: '/api' });
-await app.register(pluginsRoutes,     { prefix: '/api' });
+await app.register(pluginsRoutes,            { prefix: '/api' });
+await app.register(pluginMarketplaceRoutes,  { prefix: '/api' });
 await app.register(collectionsRoutes, { prefix: '/api' });
 await app.register(formsRoutes,       { prefix: '/api' });
 await app.register(viewsRoutes,       { prefix: '/api' });
@@ -257,6 +266,26 @@ await app.register(effectsRoutes, {prefix: '/api'});
 
 await registerPlugins(app);
 
+// ---------------------------------------------------------------------------
+// Public Plugin Routes (root-level, before catch-all)
+// ---------------------------------------------------------------------------
+
+const { authenticate: _authenticate, requireAdmin: _requireAdmin, requireVisibility: _requireVisibility } = await import('./middleware/auth.js');
+for (const [name, plugin] of Object.entries(getLoadedPlugins())) {
+    if (!plugin.enabled || !plugin.publicEntry) continue;
+    try {
+        const { default: publicPlugin } = await import(plugin.publicEntry);
+        const settings = await getPluginSettings(name);
+        await app.register(publicPlugin, {
+            settings,
+            auth: { authenticate: _authenticate, requireAdmin: _requireAdmin, requireVisibility: _requireVisibility },
+            config: getConfig()
+        });
+    } catch (err) {
+        app.log.error(`[plugins] Failed to register public plugin ${name}: ${err.message}`);
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Public Site (catch-all — must be last)
 // ---------------------------------------------------------------------------

package/server/services/actions.js

@@ -265,7 +265,7 @@ export async function createAction(data, userId = null) {
         },
         steps,
         access: {
-            roles: access?.roles || ['admin'],
+            roles: access?.roles || ['admin', 'super-admin'],
             rowLevel: access?.rowLevel || null
         },
         meta: { createdAt: now, updatedAt: now, createdBy: userId }

package/server/services/managerClient.js

@@ -0,0 +1,182 @@
+/**
+ * Client for outbound calls from domma-cms → domma-cms-manager.
+ * Reads MANAGER_URL and INSTANCE_SECRET from env at call time.
+ * All functions return null/[] gracefully if MANAGER_URL is unset.
+ */
+
+import {createHmac} from 'node:crypto';
+import {readFile} from 'node:fs/promises';
+import {fileURLToPath} from 'node:url';
+import {dirname, join} from 'node:path';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+
+/**
+ * Read the CMS version from the root package.json.
+ * @returns {Promise<string>} The version string, or '0.0.0' on error.
+ */
+async function getCmsVersion() {
+    try {
+        const pkgPath = join(__dirname, '../../package.json');
+        const raw = await readFile(pkgPath, 'utf-8');
+        return JSON.parse(raw).version ?? '0.0.0';
+    } catch {
+        return '0.0.0';
+    }
+}
+
+/**
+ * Register this CMS instance with domma-cms-manager.
+ *
+ * @param {string} fingerprint - Unique instance fingerprint.
+ * @returns {Promise<{licenseToken: string, instanceId: string}|null>}
+ */
+export async function registerInstance(fingerprint) {
+    const MANAGER_URL = process.env.MANAGER_URL;
+    const INSTANCE_SECRET = process.env.INSTANCE_SECRET;
+
+    if (!MANAGER_URL) return null;
+    if (!INSTANCE_SECRET) {
+        console.warn('[managerClient] INSTANCE_SECRET not set — skipping registerInstance');
+        return null;
+    }
+
+    try {
+        const cmsVersion = await getCmsVersion();
+        const hostname = process.env.HOSTNAME ?? 'unknown';
+
+        const token = createHmac('sha256', INSTANCE_SECRET)
+            .update(fingerprint)
+            .digest('hex');
+
+        const res = await fetch(`${MANAGER_URL}/api/instances/register`, {
+            signal: AbortSignal.timeout(10_000),
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'X-Instance-Token': token,
+            },
+            body: JSON.stringify({ fingerprint, cmsVersion, hostname }),
+        });
+
+        if (!res.ok) {
+            console.warn(`[managerClient] registerInstance failed: ${res.status} ${res.statusText}`);
+            return null;
+        }
+
+        return await res.json();
+    } catch (err) {
+        console.warn('[managerClient] registerInstance error:', err.message);
+        return null;
+    }
+}
+
+/**
+ * Fetch the plugin catalogue from domma-cms-manager.
+ *
+ * @param {string} licenseToken - License token obtained from registerInstance.
+ * @returns {Promise<Array<{slug: string, version: string, displayName: string, description: string, price: number, entitled: boolean}>>}
+ */
+export async function fetchCatalogue(licenseToken) {
+    const MANAGER_URL = process.env.MANAGER_URL;
+
+    if (!MANAGER_URL) return [];
+
+    try {
+        const res = await fetch(`${MANAGER_URL}/api/plugins/catalogue`, {
+            signal: AbortSignal.timeout(10_000),
+            headers: {
+                Authorization: `Bearer ${licenseToken}`,
+            },
+        });
+
+        if (!res.ok) {
+            console.warn(`[managerClient] fetchCatalogue failed: ${res.status} ${res.statusText}`);
+            return [];
+        }
+
+        return await res.json();
+    } catch (err) {
+        console.warn('[managerClient] fetchCatalogue error:', err.message);
+        return [];
+    }
+}
+
+/**
+ * Fetch a plugin bundle (tarball + signature) from domma-cms-manager.
+ *
+ * @param {string} slug - Plugin slug.
+ * @param {string} version - Plugin version.
+ * @param {string} licenseToken - License token obtained from registerInstance.
+ * @returns {Promise<{tarball: Buffer, signature: string, publicKeyId: string}|null>}
+ */
+export async function fetchPluginBundle(slug, version, licenseToken) {
+    const MANAGER_URL = process.env.MANAGER_URL;
+
+    if (!MANAGER_URL) return null;
+
+    try {
+        const res = await fetch(`${MANAGER_URL}/api/plugins/install/${slug}/${version}`, {
+            signal: AbortSignal.timeout(10_000),
+            headers: {
+                Authorization: `Bearer ${licenseToken}`,
+            },
+        });
+
+        if (!res.ok) {
+            console.warn(`[managerClient] fetchPluginBundle failed: ${res.status} ${res.statusText}`);
+            return null;
+        }
+
+        const json = await res.json();
+
+        if (typeof json.tarball !== 'string' || json.tarball.length > 100 * 1024 * 1024) {
+            console.warn('[managerClient] fetchPluginBundle: tarball too large or invalid, refusing decode');
+            return null;
+        }
+
+        return {
+            tarball: Buffer.from(json.tarball, 'base64'),
+            signature: json.signature,
+            publicKeyId: json.publicKeyId,
+        };
+    } catch (err) {
+        console.warn('[managerClient] fetchPluginBundle error:', err.message);
+        return null;
+    }
+}
+
+/**
+ * Send a heartbeat to domma-cms-manager with the list of installed plugins.
+ *
+ * @param {string} licenseToken - License token obtained from registerInstance.
+ * @param {string[]} installedSlugs - Array of installed plugin slugs.
+ * @returns {Promise<boolean>} True on success, false on error.
+ */
+export async function heartbeat(licenseToken, installedSlugs) {
+    const MANAGER_URL = process.env.MANAGER_URL;
+
+    if (!MANAGER_URL) return false;
+
+    try {
+        const res = await fetch(`${MANAGER_URL}/api/instances/heartbeat`, {
+            signal: AbortSignal.timeout(10_000),
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Authorization: `Bearer ${licenseToken}`,
+            },
+            body: JSON.stringify({ installedSlugs, versions: {} }),
+        });
+
+        if (!res.ok) {
+            console.warn(`[managerClient] heartbeat failed: ${res.status} ${res.statusText}`);
+            return false;
+        }
+
+        return true;
+    } catch (err) {
+        console.warn('[managerClient] heartbeat error:', err.message);
+        return false;
+    }
+}

package/server/services/markdown.js

@@ -20,7 +20,7 @@ const BUILTIN_SHORTCODES = new Set([
     'accordion', 'item', 'carousel', 'slide', 'countdown', 'timeline',
     'event', 'spacer', 'center', 'icon', 'form', 'hero', 'table', 'badge',
     'text', 'button', 'link', 'cta', 'grid', 'row', 'col', 'card',
-    'slideover', 'counter', 'celebrate', 'firework', 'fireworks', 'scribe',
+    'banner', 'slideover', 'counter', 'celebrate', 'firework', 'fireworks', 'scribe',
     'reveal', 'breathe', 'pulse', 'shake', 'scramble', 'ripple', 'twinkle',
     'animate', 'ambient', 'list-group',
 ]);
@@ -1473,7 +1473,10 @@ function processTabsBlocks(markdown) {
       const prefix = `dm-tab-${counter}`;
       const attrs = parseShortcodeAttrs(attrStr);
       const pillsClass = attrs.style === 'pills' ? ' tabs-pills' : '';
+        const borderedClass = attrs.style === 'bordered' ? ' tabs--bordered' : '';
+        const fadeClass = 'fade' in attrs ? ' tabs--fade' : '';
         const centeredClass = attrs.align === 'center' ? ' tabs-centered' : '';
+        const rightClass = attrs.align === 'right' ? ' tabs--right' : '';
       const idAttr = attrs.id ? ` id="${escapeAttr(attrs.id)}"` : '';
 
       // Parse inner [tab title="..."] items
@@ -1489,20 +1492,22 @@ function processTabsBlocks(markdown) {
         // that would confuse subsequent scrubCodeRegions calls.
         const restoredBody = restore(tabBody.trim());
         const bodyHtml = marked.parse(processCardBlocks(processGridBlocks(restoredBody)));
-        items.push({title, paneId, bodyHtml, first: tabIdx === 1});
+          const icon = tabAttrs.icon ? tabAttrs.icon.trim() : '';
+          items.push({title, icon, paneId, bodyHtml, first: tabIdx === 1});
       });
 
       if (!items.length) return '';
 
-      const navItems = items.map(t =>
-        `<button class="tab-item${t.first ? ' active' : ''}">${escapeAttr(t.title)}</button>`
-      ).join('\n    ');
+        const navItems = items.map(t => {
+            const iconHtml = t.icon ? `<span data-icon="${escapeAttr(t.icon)}"></span>` : '';
+            return `<button class="tab-item${t.first ? ' active' : ''}">${iconHtml}${escapeAttr(t.title)}</button>`;
+        }).join('\n    ');
       const panes = items.map(t =>
         `<div class="tab-panel${t.first ? ' active' : ''}">${t.bodyHtml}</div>`
       ).join('\n    ');
 
       return (
-          `<div class="tabs${pillsClass}${centeredClass}"${idAttr}>\n` +
+          `<div class="tabs${pillsClass}${borderedClass}${fadeClass}${centeredClass}${rightClass}"${idAttr}>\n` +
         `  <div class="tab-list">\n    ${navItems}\n  </div>\n` +
         `  <div class="tab-content">\n    ${panes}\n  </div>\n` +
         `</div>\n`
@@ -2279,6 +2284,8 @@ function processHeroBlocks(markdown) {
       const cls = attrs.class || '';
       const id = attrs.id || '';
       const bg = attrs.bg || '';
+        const heroColor = attrs.color ? String(attrs.color) : '';
+        const minHeight = attrs['min-height'] ? String(attrs['min-height']) : '';
 
       const twinkle = 'twinkle' in attrs;
       const twinkleCount = attrs['twinkle-count'] || '';
@@ -2299,7 +2306,11 @@ function processHeroBlocks(markdown) {
 
       const styleParts = [];
       if (image) styleParts.push(`background-image:url('${escapeAttr(image)}')`);
-      if (bg) styleParts.push(`background-color:${escapeAttr(bg)}`);
+        const resolvedBg = heroColor || bg;
+        const safeBg = resolvedBg && /^[a-zA-Z0-9#(),.\s%/-]+$/.test(resolvedBg) ? resolvedBg : '';
+        if (safeBg) styleParts.push(`background-color:${safeBg}`);
+        const safeMinHeight = minHeight && /^[0-9]+(?:px|em|rem|vh|vw|%)$/.test(minHeight) ? minHeight : '';
+        if (safeMinHeight) styleParts.push(`min-height:${safeMinHeight}`);
       const style = styleParts.length ? ` style="${styleParts.join(';')}"` : '';
       const idAttr = id ? ` id="${escapeAttr(id)}"` : '';
 
@@ -2337,6 +2348,61 @@ function processHeroBlocks(markdown) {
  * @param {string} markdown
  * @returns {string}
  */
+/**
+ * Pre-process [banner] shortcodes before running through marked.
+ *
+ * Syntax:
+ *   [banner type="info" title="Note" icon="info" dismissible]
+ *   Body content (Markdown parsed).
+ *   [/banner]
+ *
+ * Supported attributes:
+ *   type        - info (default) / success / warning / danger / neutral
+ *   title       - optional heading text
+ *   icon        - Domma icon name (renders <span data-icon="...">)
+ *   dismissible - bare flag; adds dismiss button
+ *   class       - extra CSS class on the wrapper
+ *
+ * @param {string} markdown
+ * @returns {string}
+ */
+function processBannerBlocks(markdown) {
+    return markdown.replace(
+        /\[banner([^\]]*)\]([\s\S]*?)\[\/banner\]/gi,
+        (_, attrStr, body) => {
+            const attrs = parseShortcodeAttrs(attrStr);
+            const VALID_BANNER_TYPES = new Set(['info', 'success', 'warning', 'danger', 'neutral']);
+            const type = VALID_BANNER_TYPES.has(attrs.type) ? attrs.type : 'info';
+            const title = attrs.title || '';
+            const icon = attrs.icon || '';
+            const dismissible = 'dismissible' in attrs;
+            const extraClass = attrs.class || '';
+
+            const classes = [`dm-banner`, `dm-banner--${type}`];
+            if (extraClass) classes.push(extraClass);
+
+            const iconHtml = icon
+                ? `<span class="dm-banner__icon" data-icon="${escapeAttr(icon)}"></span>\n  `
+                : '';
+            const titleHtml = title
+                ? `<strong class="dm-banner__title">${escapeAttr(title)}</strong>\n    `
+                : '';
+            const bodyHtml = marked.parse(body.trim());
+            const dismissHtml = dismissible
+                ? `\n  <button class="dm-banner__dismiss" aria-label="Dismiss">×</button>`
+                : '';
+
+            return (
+                `<div class="${classes.join(' ')}">\n` +
+                `  ${iconHtml}<div class="dm-banner__body">\n` +
+                `    ${titleHtml}${bodyHtml}` +
+                `  </div>${dismissHtml}\n` +
+                `</div>\n`
+            );
+        }
+    );
+}
+
 function processSlideoverBlocks(markdown) {
   const {scrubbed, restore} = scrubCodeRegions(markdown);
   let counter = 0;
@@ -2478,7 +2544,8 @@ export async function parseMarkdown(raw) {
     const withCta = processCtaBlocks(withLink);
   const withGrid = processGridBlocks(withCta);
   const withCard = processCardBlocks(withGrid);
-  const withSlideover = processSlideoverBlocks(withCard);
+    const withBanner = processBannerBlocks(withCard);
+    const withSlideover = processSlideoverBlocks(withBanner);
   const rendered = marked.parse(withSlideover);
 
   const sanitized = sanitizeHtml(rendered, {
@@ -2501,7 +2568,7 @@ export async function parseMarkdown(raw) {
       select: ['name', 'required', 'disabled', 'multiple'],
       option: ['value', 'selected', 'disabled'],
       optgroup: ['label', 'disabled'],
-      button: ['type', 'disabled', 'data-action', 'data-entry', 'data-confirm'],
+        button: ['type', 'disabled', 'aria-label', 'data-action', 'data-entry', 'data-confirm'],
       label: ['for'],
       fieldset: ['disabled'],
       ...extensions.attributes