flarecms 0.1.2 → 0.2.1

package/dist/server/index.js

@@ -12683,10 +12683,28 @@ async function down2(db) {
   await db.schema.dropTable("fc_device_codes").ifExists().execute();
 }
 
+// src/db/migrations/003_plugins.ts
+var exports_003_plugins = {};
+__export(exports_003_plugins, {
+  up: () => up3,
+  down: () => down3
+});
+async function up3(db) {
+  await db.schema.createTable("fc_plugins").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("plugin_id", "text", (col) => col.notNull().unique()).addColumn("version", "text", (col) => col.notNull()).addColumn("status", "text", (col) => col.notNull().defaultTo("inactive")).addColumn("capabilities", "text").addColumn("allowed_hosts", "text").addColumn("storage_config", "text").addColumn("manifest", "text").addColumn("backend_code", "text").addColumn("installed_at", "text", (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`)).addColumn("activated_at", "text").execute();
+  await db.schema.createTable("_fc_plugin_storage").ifNotExists().addColumn("plugin_id", "text", (col) => col.notNull()).addColumn("collection", "text", (col) => col.notNull()).addColumn("id", "text", (col) => col.notNull()).addColumn("data", "text", (col) => col.notNull()).addColumn("updated_at", "text", (col) => col.defaultTo(sql`CURRENT_TIMESTAMP`)).addPrimaryKeyConstraint("pk_plugin_storage", ["plugin_id", "collection", "id"]).execute();
+  await db.schema.createTable("_fc_cron_tasks").ifNotExists().addColumn("id", "text", (col) => col.primaryKey()).addColumn("plugin_id", "text", (col) => col.notNull()).addColumn("schedule", "text", (col) => col.notNull()).addColumn("last_run_at", "text").addColumn("next_run_at", "text").addColumn("enabled", "integer", (col) => col.defaultTo(1)).execute();
+}
+async function down3(db) {
+  await db.schema.dropTable("fc_plugins").ifExists().execute();
+  await db.schema.dropTable("_fc_plugin_storage").ifExists().execute();
+  await db.schema.dropTable("_fc_cron_tasks").ifExists().execute();
+}
+
 // src/db/migrator.ts
 var STATIC_MIGRATIONS = {
   "001_initial_schema": exports_001_initial_schema,
-  "002_auth_tables": exports_002_auth_tables
+  "002_auth_tables": exports_002_auth_tables,
+  "003_plugins": exports_003_plugins
 };
 async function runMigrations(db) {
   await sql`
@@ -12725,7 +12743,7 @@ var createDb = (d1) => {
 };
 
 // src/server/index.ts
-import { Hono as Hono11 } from "hono";
+import { Hono as Hono12 } from "hono";
 
 // src/api/middlewares/cors.ts
 import { cors } from "hono/cors";
@@ -12752,6 +12770,8 @@ var authMiddleware = async (c, next) => {
     c.set("scopes", ["*"]);
     return next();
   }
+  if (!c.env?.DB)
+    return await next();
   const db = createDb(c.env.DB);
   if (authHeader?.startsWith("Bearer ec_pat_")) {
     const rawToken = authHeader.split(" ")[1];
@@ -12817,6 +12837,8 @@ var setupMiddleware = async (c, next) => {
   const path = c.req.path;
   if (path.includes("/setup"))
     return next();
+  if (!c.env?.DB)
+    return await next();
   try {
     const db = createDb(c.env.DB);
     const setupComplete = await db.selectFrom("options").select("value").where("name", "=", "flare:setup_complete").executeTakeFirst();
@@ -42599,15 +42621,22 @@ contentRoutes.post("/:collection", async (c) => {
   const baseSlug = data.slug || data.title?.toLowerCase().replace(/[^a-z0-9]+/g, "-") || id;
   const slug = await ensureUniqueSlug(db, collectionName, baseSlug);
   const status = data.status || "draft";
-  const doc2 = {
+  let doc2 = {
     ...data,
     id,
     slug,
     status
   };
+  const pluginManager = c.get("pluginManager");
+  if (pluginManager) {
+    doc2 = await pluginManager.runContentBeforeSave(doc2, collectionName, true);
+  }
   try {
     await db.insertInto(`ec_${collectionName}`).values(doc2).execute();
-    return apiResponse.created(c, { id, slug });
+    if (pluginManager) {
+      c.executionCtx.waitUntil(pluginManager.runContentAfterSave(doc2, collectionName, true));
+    }
+    return apiResponse.created(c, { id, slug: doc2.slug });
   } catch (e) {
     return apiResponse.error(c, `Failed query: ${e.message}`);
   }
@@ -42627,12 +42656,20 @@ contentRoutes.put("/:collection/:id", async (c) => {
     const uniqueSlug = await ensureUniqueSlug(db, collectionName, data.slug, id);
     finalData.slug = uniqueSlug;
   }
+  const pluginManager = c.get("pluginManager");
+  let docToSave = {
+    ...finalData,
+    updated_at: sql`CURRENT_TIMESTAMP`
+  };
+  if (pluginManager) {
+    docToSave = await pluginManager.runContentBeforeSave(docToSave, collectionName, false);
+  }
   try {
-    await db.updateTable(`ec_${collectionName}`).set({
-      ...finalData,
-      updated_at: sql`CURRENT_TIMESTAMP`
-    }).where("id", "=", id).execute();
-    return apiResponse.ok(c, { id, success: true, slug: finalData.slug });
+    await db.updateTable(`ec_${collectionName}`).set(docToSave).where("id", "=", id).execute();
+    if (pluginManager) {
+      c.executionCtx.waitUntil(pluginManager.runContentAfterSave(docToSave, collectionName, false));
+    }
+    return apiResponse.ok(c, { id, success: true, slug: docToSave.slug });
   } catch (e) {
     return apiResponse.error(c, e.message);
   }
@@ -42641,8 +42678,17 @@ contentRoutes.delete("/:collection/:id", async (c) => {
   const collectionName = c.req.param("collection");
   const id = c.req.param("id");
   const db = createDb(c.env.DB);
+  const pluginManager = c.get("pluginManager");
+  if (pluginManager) {
+    const allowed = await pluginManager.runContentBeforeDelete(id, collectionName);
+    if (!allowed)
+      return apiResponse.error(c, "Deletion prevented by plugin", 403);
+  }
   try {
     await db.deleteFrom(`ec_${collectionName}`).where("id", "=", id).execute();
+    if (pluginManager) {
+      c.executionCtx.waitUntil(pluginManager.runContentAfterDelete(id, collectionName));
+    }
     return apiResponse.ok(c, { success: true });
   } catch (e) {
     return apiResponse.error(c, e.message);
@@ -43133,15 +43179,23 @@ mcpRoutes.post("/execute", async (c) => {
       const baseSlug = docData.slug || docData.title?.toLowerCase().replace(/[^a-z0-9]+/g, "-") || id;
       const slug = await ensureUniqueSlug(db, collectionName, baseSlug);
       const status = docData.status || "draft";
-      const doc2 = {
+      let doc2 = {
         ...docData,
         id,
         slug,
         status
       };
+      const pluginManager = c.get("pluginManager");
+      if (pluginManager) {
+        const result = await pluginManager.runContentBeforeSave(doc2, collectionName, true);
+        doc2 = { ...result, id, slug: result.slug || slug, status: result.status || status };
+      }
       await db.insertInto(`ec_${collectionName}`).values(doc2).execute();
+      if (pluginManager) {
+        c.executionCtx.waitUntil(pluginManager.runContentAfterSave(doc2, collectionName, true));
+      }
       return c.json({
-        content: [{ type: "text", text: `Success: Document created with ID ${id} and slug ${slug}` }]
+        content: [{ type: "text", text: `Success: Document created with ID ${id} and slug ${doc2.slug}` }]
       });
     }
     if (tool === "update_document") {
@@ -43154,14 +43208,22 @@ mcpRoutes.post("/execute", async (c) => {
       const parsed = dynamicContentSchema.safeParse(data);
       if (!parsed.success)
         return c.json({ error: parsed.error.format() }, 400);
-      let finalData = { ...parsed.data };
-      if (finalData.slug) {
-        finalData.slug = await ensureUniqueSlug(db, collectionName, finalData.slug, id);
-      }
-      await db.updateTable(`ec_${collectionName}`).set({
-        ...finalData,
+      const pluginManager = c.get("pluginManager");
+      let docToSave = {
+        ...parsed.data,
         updated_at: sql`CURRENT_TIMESTAMP`
-      }).where("id", "=", id).execute();
+      };
+      if (docToSave.slug) {
+        docToSave.slug = await ensureUniqueSlug(db, collectionName, docToSave.slug, id);
+      }
+      if (pluginManager) {
+        const result = await pluginManager.runContentBeforeSave(docToSave, collectionName, false);
+        docToSave = { ...result, updated_at: result.updated_at || docToSave.updated_at };
+      }
+      await db.updateTable(`ec_${collectionName}`).set(docToSave).where("id", "=", id).execute();
+      if (pluginManager) {
+        c.executionCtx.waitUntil(pluginManager.runContentAfterSave(docToSave, collectionName, false));
+      }
       return c.json({
         content: [{ type: "text", text: `Success: Document ${id} updated.` }]
       });
@@ -43239,11 +43301,541 @@ mcpRoutes.post("/execute", async (c) => {
   }
 });
 
+// src/api/routes/plugins.ts
+import { Hono as Hono11 } from "hono";
+var pluginRoutes = new Hono11;
+pluginRoutes.get("/", async (c) => {
+  const manager = c.get("pluginManager");
+  if (!manager)
+    return apiResponse.error(c, "Plugin system not initialized");
+  const plugins = manager.getActivePlugins();
+  return apiResponse.ok(c, plugins.map((p) => ({
+    id: p.id,
+    name: p.name,
+    version: p.version,
+    capabilities: p.capabilities,
+    routes: manager.getRoutes?.(p.id) ?? [],
+    adminPages: p.adminPages ?? [],
+    adminWidgets: p.adminWidgets ?? []
+  })));
+});
+pluginRoutes.post("/:id/admin", async (c) => {
+  const manager = c.get("pluginManager");
+  if (!manager)
+    return apiResponse.error(c, "Plugin system not initialized");
+  const pluginId = c.req.param("id");
+  const interaction = await c.req.json().catch(() => ({}));
+  try {
+    const result = await manager.invokeAdmin(pluginId, interaction);
+    return apiResponse.ok(c, result);
+  } catch (err) {
+    return apiResponse.error(c, err.message, 400);
+  }
+});
+pluginRoutes.post("/:id/routes/:name", async (c) => {
+  const manager = c.get("pluginManager");
+  if (!manager)
+    return apiResponse.error(c, "Plugin system not initialized");
+  const pluginId = c.req.param("id");
+  const routeName = c.req.param("name");
+  const input = await c.req.json().catch(() => ({}));
+  const serializedReq = {
+    url: c.req.url,
+    method: c.req.method,
+    headers: Object.fromEntries(c.req.raw.headers.entries()),
+    meta: {
+      ip: c.req.header("x-real-ip") || c.req.header("cf-connecting-ip") || null,
+      userAgent: c.req.header("user-agent") || null,
+      referer: c.req.header("referer") || null
+    }
+  };
+  try {
+    const result = await manager.invokeRoute(pluginId, routeName, {
+      input,
+      request: serializedReq
+    });
+    return apiResponse.ok(c, result);
+  } catch (err) {
+    return apiResponse.error(c, err.message, 400);
+  }
+});
+
+// src/plugins/context.ts
+function createPluginContext(options) {
+  const { pluginId, version: version2, capabilities, allowedHosts, storageCollections, db, siteInfo } = options;
+  const hasCap = (cap) => capabilities.includes(cap);
+  const log3 = {
+    debug: (msg, data) => console.debug(`[${pluginId}] DEBUG: ${msg}`, data ?? ""),
+    info: (msg, data) => console.info(`[${pluginId}] INFO: ${msg}`, data ?? ""),
+    warn: (msg, data) => console.warn(`[${pluginId}] WARN: ${msg}`, data ?? ""),
+    error: (msg, data) => console.error(`[${pluginId}] ERROR: ${msg}`, data ?? "")
+  };
+  const kv = {
+    get: async (key) => {
+      const res = await db.selectFrom("_fc_plugin_storage").select("data").where("plugin_id", "=", pluginId).where("collection", "=", "_kv").where("id", "=", key).executeTakeFirst();
+      return res ? JSON.parse(res.data) : null;
+    },
+    set: async (key, value) => {
+      await sql`
+				INSERT INTO _fc_plugin_storage (plugin_id, collection, id, data)
+				VALUES (${pluginId}, '_kv', ${key}, ${JSON.stringify(value)})
+				ON CONFLICT(plugin_id, collection, id) DO UPDATE SET
+					data = excluded.data,
+					updated_at = CURRENT_TIMESTAMP
+			`.execute(db);
+    },
+    delete: async (key) => {
+      const res = await db.deleteFrom("_fc_plugin_storage").where("plugin_id", "=", pluginId).where("collection", "=", "_kv").where("id", "=", key).executeTakeFirst();
+      return !!res;
+    },
+    list: async (prefix) => {
+      let query = db.selectFrom("_fc_plugin_storage").select(["id", "data"]).where("plugin_id", "=", pluginId).where("collection", "=", "_kv");
+      if (prefix) {
+        query = query.where("id", "like", `${prefix}%`);
+      }
+      const results = await query.execute();
+      return results.map((r) => ({
+        key: r.id,
+        value: JSON.parse(r.data)
+      }));
+    }
+  };
+  const storage = new Proxy({}, {
+    get: (_, collection) => {
+      if (!storageCollections.includes(collection)) {
+        throw new Error(`Plugin "${pluginId}" attempted to access undeclared storage collection "${collection}".`);
+      }
+      return {
+        get: async (id) => {
+          const res = await db.selectFrom("_fc_plugin_storage").select("data").where("plugin_id", "=", pluginId).where("collection", "=", collection).where("id", "=", id).executeTakeFirst();
+          return res ? JSON.parse(res.data) : null;
+        },
+        put: async (id, data) => {
+          await sql`
+							INSERT INTO _fc_plugin_storage (plugin_id, collection, id, data)
+							VALUES (${pluginId}, ${collection}, ${id}, ${JSON.stringify(data)})
+							ON CONFLICT(plugin_id, collection, id) DO UPDATE SET
+								data = excluded.data,
+								updated_at = CURRENT_TIMESTAMP
+						`.execute(db);
+        },
+        delete: async (id) => {
+          const res = await db.deleteFrom("_fc_plugin_storage").where("plugin_id", "=", pluginId).where("collection", "=", collection).where("id", "=", id).executeTakeFirst();
+          return !!res;
+        },
+        query: async (opts) => {
+          const limit = opts?.limit ?? 20;
+          let query = db.selectFrom("_fc_plugin_storage").select(["id", "data"]).where("plugin_id", "=", pluginId).where("collection", "=", collection).limit(limit);
+          const results = await query.execute();
+          return {
+            items: results.map((r) => JSON.parse(r.data)),
+            hasMore: results.length === limit
+          };
+        },
+        count: async () => {
+          const res = await db.selectFrom("_fc_plugin_storage").select(db.fn.count("id").as("count")).where("plugin_id", "=", pluginId).where("collection", "=", collection).executeTakeFirst();
+          return Number(res?.count ?? 0);
+        }
+      };
+    }
+  });
+  let content;
+  if (hasCap("read:content")) {
+    content = {
+      get: async (col, id) => {
+        const res = await db.selectFrom(`ec_${col}`).selectAll().where("id", "=", id).executeTakeFirst();
+        return res || null;
+      },
+      list: async (col, opts) => {
+        const limit = opts?.limit ?? 20;
+        const res = await db.selectFrom(`ec_${col}`).selectAll().where("status", "!=", "deleted").limit(limit).execute();
+        return { items: res, hasMore: res.length === limit };
+      },
+      create: async (col, data) => {
+        if (!hasCap("write:content"))
+          throw new Error("Capability write:content required");
+        return await db.insertInto(`ec_${col}`).values(data).execute();
+      },
+      update: async (col, id, data) => {
+        if (!hasCap("write:content"))
+          throw new Error("Capability write:content required");
+        return await db.updateTable(`ec_${col}`).set(data).where("id", "=", id).execute();
+      },
+      delete: async (col, id) => {
+        if (!hasCap("write:content"))
+          throw new Error("Capability write:content required");
+        return !!await db.deleteFrom(`ec_${col}`).where("id", "=", id).execute();
+      }
+    };
+  }
+  let http;
+  if (hasCap("network:fetch")) {
+    http = {
+      fetch: async (url2, init) => {
+        const target2 = new URL(url2);
+        if (!hasCap("network:fetch:any") && !allowedHosts.includes(target2.hostname)) {
+          throw new Error(`Host "${target2.hostname}" is not in the allowedHosts list for plugin "${pluginId}".`);
+        }
+        const response = await fetch(url2, init);
+        return {
+          status: response.status,
+          ok: response.ok,
+          headers: response.headers,
+          text: () => response.text(),
+          json: () => response.json()
+        };
+      }
+    };
+  }
+  let users;
+  if (hasCap("read:users")) {
+    users = {
+      get: async (id) => db.selectFrom("fc_users").selectAll().where("id", "=", id).executeTakeFirst(),
+      list: async (opts) => {
+        const items = await db.selectFrom("fc_users").selectAll().limit(opts?.limit ?? 20).execute();
+        return { items };
+      }
+    };
+  }
+  let crypto3;
+  if (hasCap("crypto:encrypt")) {
+    crypto3 = {
+      encrypt: async (text) => {
+        if (!options.encryptionSecret)
+          throw new Error("Encryption secret not configured");
+        return await encryptText(text, options.encryptionSecret);
+      },
+      decrypt: async (ciphertext) => {
+        if (!options.encryptionSecret)
+          throw new Error("Encryption secret not configured");
+        return await decryptText(ciphertext, options.encryptionSecret);
+      }
+    };
+  }
+  return {
+    plugin: { id: pluginId, version: version2 },
+    kv,
+    storage,
+    content,
+    media: undefined,
+    http,
+    log: log3,
+    site: siteInfo,
+    users,
+    email: undefined,
+    crypto: crypto3
+  };
+}
+async function encryptText(text, secret) {
+  const enc = new TextEncoder;
+  const key = await globalThis.crypto.subtle.importKey("raw", enc.encode(secret.padEnd(32, "0").slice(0, 32)), { name: "AES-GCM" }, false, ["encrypt"]);
+  const iv = globalThis.crypto.getRandomValues(new Uint8Array(12));
+  const encrypted = await globalThis.crypto.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(text));
+  const combined = new Uint8Array(iv.length + encrypted.byteLength);
+  combined.set(iv);
+  combined.set(new Uint8Array(encrypted), iv.length);
+  return btoa(String.fromCharCode(...combined));
+}
+async function decryptText(ciphertext, secret) {
+  const enc = new TextEncoder;
+  const combined = new Uint8Array(atob(ciphertext).split("").map((c) => c.charCodeAt(0)));
+  const iv = combined.slice(0, 12);
+  const data = combined.slice(12);
+  const key = await globalThis.crypto.subtle.importKey("raw", enc.encode(secret.padEnd(32, "0").slice(0, 32)), { name: "AES-GCM" }, false, ["decrypt"]);
+  const decrypted = await globalThis.crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, data);
+  return new TextDecoder().decode(decrypted);
+}
+
+// src/plugins/hooks.ts
+class HookPipeline {
+  hooks = {};
+  plugins = [];
+  db;
+  siteInfo;
+  constructor(plugins, db, siteInfo) {
+    this.plugins = plugins;
+    this.db = db;
+    this.siteInfo = siteInfo;
+    for (const plugin of plugins) {
+      for (const [name2, hook] of Object.entries(plugin.hooks)) {
+        if (!this.hooks[name2])
+          this.hooks[name2] = [];
+        this.hooks[name2].push(hook);
+      }
+    }
+    for (const name2 of Object.keys(this.hooks)) {
+      this.hooks[name2]?.sort((a, b) => a.priority - b.priority);
+    }
+  }
+  async runChain(hookName, initialData) {
+    const hooks = this.hooks[hookName];
+    if (!hooks || hooks.length === 0)
+      return initialData;
+    let currentData = initialData;
+    for (const hook of hooks) {
+      const ctx = this.createContextForHook(hook);
+      currentData = await this.executeWithTimeout(() => hook.handler(currentData, ctx), hook.timeout, hook.pluginId, hookName);
+    }
+    return currentData;
+  }
+  async runParallel(hookName, event) {
+    const hooks = this.hooks[hookName];
+    if (!hooks || hooks.length === 0)
+      return;
+    const promises = hooks.map(async (hook) => {
+      const ctx = this.createContextForHook(hook);
+      try {
+        await this.executeWithTimeout(() => hook.handler(event, ctx), hook.timeout, hook.pluginId, hookName);
+      } catch (err) {
+        console.error(`Hook "${hookName}" failed for plugin "${hook.pluginId}":`, err);
+      }
+    });
+    await Promise.allSettled(promises);
+  }
+  async runVeto(hookName, event) {
+    const hooks = this.hooks[hookName];
+    if (!hooks || hooks.length === 0)
+      return true;
+    for (const hook of hooks) {
+      const ctx = this.createContextForHook(hook);
+      const result = await this.executeWithTimeout(() => hook.handler(event, ctx), hook.timeout, hook.pluginId, hookName);
+      if (result === false)
+        return false;
+    }
+    return true;
+  }
+  async runContentBeforeSave(content, collection, isNew) {
+    return this.runChain("content:beforeSave", { content, collection, isNew }).then((res) => {
+      const data = res;
+      return data.content || res;
+    });
+  }
+  async runContentAfterSave(content, collection, isNew) {
+    return this.runParallel("content:afterSave", { content, collection, isNew });
+  }
+  async runContentBeforeDelete(id, collection) {
+    return this.runVeto("content:beforeDelete", { id, collection });
+  }
+  async runContentAfterDelete(id, collection) {
+    return this.runParallel("content:afterDelete", { id, collection });
+  }
+  createContextForHook(hook) {
+    const plugin = this.plugins.find((p) => p.id === hook.pluginId);
+    return createPluginContext({
+      pluginId: hook.pluginId,
+      version: plugin?.version || "0.0.0",
+      capabilities: plugin?.capabilities || [],
+      allowedHosts: plugin?.allowedHosts || [],
+      storageCollections: plugin ? Object.keys(plugin.storage) : [],
+      db: this.db,
+      siteInfo: this.siteInfo
+    });
+  }
+  async executeWithTimeout(fn, timeoutMs, pluginId, hookName) {
+    return Promise.race([
+      fn(),
+      new Promise((_, reject) => setTimeout(() => reject(new Error(`Hook "${hookName}" from plugin "${pluginId}" timed out after ${timeoutMs}ms`)), timeoutMs))
+    ]);
+  }
+}
+
+// src/plugins/routes.ts
+class PluginRouteRegistry {
+  plugins = new Map;
+  db;
+  siteInfo;
+  encryptionSecret;
+  constructor(db, siteInfo, encryptionSecret) {
+    this.db = db;
+    this.siteInfo = siteInfo;
+    this.encryptionSecret = encryptionSecret;
+  }
+  register(plugin) {
+    this.plugins.set(plugin.id, plugin);
+  }
+  async invoke(pluginId, routeName, options) {
+    const plugin = this.plugins.get(pluginId);
+    if (!plugin) {
+      throw new Error(`Plugin "${pluginId}" not found or has no routes registered.`);
+    }
+    const route = plugin.routes[routeName];
+    if (!route) {
+      throw new Error(`Route "${routeName}" not found in plugin "${pluginId}".`);
+    }
+    const ctx = createPluginContext({
+      pluginId,
+      version: plugin.version,
+      capabilities: plugin.capabilities,
+      allowedHosts: plugin.allowedHosts,
+      storageCollections: Object.keys(plugin.storage),
+      db: this.db,
+      siteInfo: this.siteInfo,
+      encryptionSecret: this.encryptionSecret
+    });
+    const routeCtx = {
+      input: options.input,
+      request: options.request,
+      requestMeta: options.request.meta
+    };
+    return await route.handler(routeCtx, ctx);
+  }
+  getRoutes(pluginId) {
+    const plugin = this.plugins.get(pluginId);
+    return plugin ? Object.keys(plugin.routes) : [];
+  }
+}
+
+// src/plugins/manager.ts
+class PluginManager {
+  plugins;
+  db;
+  siteInfo;
+  encryptionSecret;
+  hookPipeline;
+  routeRegistry;
+  constructor(plugins, db, siteInfo, encryptionSecret) {
+    this.plugins = plugins;
+    this.db = db;
+    this.siteInfo = siteInfo;
+    this.encryptionSecret = encryptionSecret;
+    this.hookPipeline = new HookPipeline(plugins, db, siteInfo);
+    this.routeRegistry = new PluginRouteRegistry(db, siteInfo, encryptionSecret);
+    for (const plugin of plugins) {
+      this.routeRegistry.register(plugin);
+    }
+  }
+  async runContentBeforeSave(content, collection, isNew) {
+    return this.hookPipeline.runContentBeforeSave(content, collection, isNew);
+  }
+  async runContentAfterSave(content, collection, isNew) {
+    return this.hookPipeline.runContentAfterSave(content, collection, isNew);
+  }
+  async runContentBeforeDelete(id, collection) {
+    return this.hookPipeline.runContentBeforeDelete(id, collection);
+  }
+  async runContentAfterDelete(id, collection) {
+    return this.hookPipeline.runContentAfterDelete(id, collection);
+  }
+  async invokeRoute(pluginId, routeName, options) {
+    return this.routeRegistry.invoke(pluginId, routeName, options);
+  }
+  async invokeAdmin(pluginId, interaction) {
+    const plugin = this.plugins.find((p) => p.id === pluginId);
+    if (!plugin)
+      throw new Error(`Plugin "${pluginId}" not found.`);
+    if (!plugin.admin)
+      throw new Error(`Plugin "${pluginId}" does not support admin interactions.`);
+    const ctx = createPluginContext({
+      pluginId: plugin.id,
+      version: plugin.version,
+      capabilities: plugin.capabilities,
+      allowedHosts: plugin.allowedHosts,
+      storageCollections: Object.keys(plugin.storage),
+      db: this.db,
+      siteInfo: this.siteInfo,
+      encryptionSecret: this.encryptionSecret
+    });
+    return plugin.admin.handler(interaction, ctx);
+  }
+  getActivePlugins() {
+    return this.plugins;
+  }
+  isActive(pluginId) {
+    return this.plugins.some((p) => p.id === pluginId);
+  }
+}
+
+// src/plugins/adapt-entry.ts
+function resolveHook(hook, pluginId) {
+  if (typeof hook === "function") {
+    return {
+      priority: 100,
+      timeout: 5000,
+      handler: hook,
+      pluginId
+    };
+  }
+  return {
+    priority: hook.priority ?? 100,
+    timeout: hook.timeout ?? 5000,
+    handler: hook.handler,
+    pluginId
+  };
+}
+function resolveRoute(route) {
+  return {
+    input: route.input,
+    public: route.public ?? false,
+    handler: route.handler
+  };
+}
+function adaptEntry(input) {
+  const definition = input;
+  const descriptor = input;
+  const id = descriptor.id;
+  const version2 = descriptor.version;
+  const hooks = {};
+  if (definition.hooks) {
+    for (const [name2, entry] of Object.entries(definition.hooks)) {
+      hooks[name2] = resolveHook(entry, id);
+    }
+  }
+  const routes = {};
+  if (definition.routes) {
+    for (const [name2, entry] of Object.entries(definition.routes)) {
+      routes[name2] = resolveRoute(entry);
+    }
+  }
+  const storage = {};
+  if (descriptor.storage) {
+    for (const [name2, config2] of Object.entries(descriptor.storage)) {
+      storage[name2] = {
+        indexes: config2.indexes ?? []
+      };
+    }
+  }
+  return {
+    id,
+    name: descriptor.name || id,
+    version: version2,
+    capabilities: descriptor.capabilities || definition.capabilities || [],
+    allowedHosts: descriptor.allowedHosts || definition.allowedHosts || [],
+    storage,
+    hooks,
+    routes,
+    admin: definition.admin,
+    adminPages: descriptor.adminPages ?? [],
+    adminWidgets: descriptor.adminWidgets ?? []
+  };
+}
+
+// src/plugins/middleware.ts
+function pluginMiddleware(staticPlugins = []) {
+  return async (c, next) => {
+    const resolvedPlugins = staticPlugins.map((p) => {
+      return adaptEntry(p);
+    });
+    if (!c.env?.DB)
+      return await next();
+    const db = createDb(c.env.DB);
+    const siteInfo = {
+      name: "FlareCMS",
+      url: new URL(c.req.url).origin,
+      locale: "en"
+    };
+    const encryptionSecret = c.env.FLARE_ENCRYPTION_SECRET || c.env.AUTH_SECRET;
+    const manager = new PluginManager(resolvedPlugins, db, siteInfo, encryptionSecret);
+    c.set("pluginManager", manager);
+    await next();
+  };
+}
+
 // src/server/index.ts
 function createFlareAPI(options = {}) {
   const base = options.base || "/admin";
-  const api2 = new Hono11;
+  const api2 = new Hono12;
   api2.use("*", corsMiddleware);
+  api2.use("*", pluginMiddleware(options.plugins));
   api2.use("*", async (c, next) => {
     const adminPrefix = base.replace(/^\//, "") || "admin";
     c.set("reservedSlugs", [
@@ -43260,6 +43852,7 @@ function createFlareAPI(options = {}) {
     ]);
     await next();
   });
+  api2.get("/health", (c) => apiResponse.ok(c, { status: "ok" }));
   api2.use("/*", setupMiddleware);
   api2.use("/*", authMiddleware);
   api2.route("/auth", authRoutes);
@@ -43272,7 +43865,7 @@ function createFlareAPI(options = {}) {
   api2.route("/oauth", oauthRoutes);
   api2.route("/settings", settingsRoutes);
   api2.route("/mcp", mcpRoutes);
-  api2.get("/health", (c) => apiResponse.ok(c, { status: "ok" }));
+  api2.route("/plugins", pluginRoutes);
   return api2;
 }
 export {