npm - wiki-plugin-salon - Versions diffs - 0.0.1 - Mend

wiki-plugin-salon 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/server/server.js ADDED Viewed

@@ -0,0 +1,1469 @@
+(function() {
+'use strict';
+const fs     = require('fs');
+const path   = require('path');
+const crypto = require('crypto');
+// ── Storage paths ─────────────────────────────────────────────────────────────
+const SALON_DIR    = path.join(process.env.HOME || '/root', '.salon');
+const CONFIG_FILE  = path.join(SALON_DIR, 'config.json');
+const TENANTS_FILE = path.join(SALON_DIR, 'tenants.json');
+const EVENTS_FILE  = path.join(SALON_DIR, 'events.json');
+const MAX_EVENTS = 500;
+// ── Config ────────────────────────────────────────────────────────────────────
+const DEFAULT_CONFIG = {
+  registrationMode: 'open',   // 'open' | 'closed' | 'grant'
+  title: 'The Salon',
+  description: 'A community gathering space on this wiki.',
+  fromEmail:   'salon@planetnine.app',
+  minnieHost:  'localhost',
+  minniePort:  2525,
+  joanUrl:     'https://dev.allyabase.com/plugin/allyabase/joan'
+};
+function loadConfig() {
+  try {
+    if (fs.existsSync(CONFIG_FILE)) {
+      return { ...DEFAULT_CONFIG, ...JSON.parse(fs.readFileSync(CONFIG_FILE, 'utf8')) };
+    }
+  } catch {}
+  return { ...DEFAULT_CONFIG };
+}
+function saveConfig(config) {
+  ensureDir();
+  fs.writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2));
+}
+// ── Tenants ───────────────────────────────────────────────────────────────────
+function loadTenants() {
+  try {
+    if (fs.existsSync(TENANTS_FILE)) return JSON.parse(fs.readFileSync(TENANTS_FILE, 'utf8'));
+  } catch {}
+  return {};
+}
+function saveTenants(tenants) {
+  ensureDir();
+  fs.writeFileSync(TENANTS_FILE, JSON.stringify(tenants, null, 2));
+}
+// ── Events ────────────────────────────────────────────────────────────────────
+function loadEvents() {
+  try {
+    if (fs.existsSync(EVENTS_FILE)) return JSON.parse(fs.readFileSync(EVENTS_FILE, 'utf8'));
+  } catch {}
+  return [];
+}
+function appendEvent(event) {
+  ensureDir();
+  const events = loadEvents();
+  events.unshift({ ...event, receivedAt: Date.now() });
+  if (events.length > MAX_EVENTS) events.length = MAX_EVENTS;
+  fs.writeFileSync(EVENTS_FILE, JSON.stringify(events, null, 2));
+  // Fire-and-forget email notifications to all active members
+  const config = loadConfig();
+  const eventDetail = event.data && event.data.title ? ` — ${event.data.title}` : '';
+  const subject = `[${config.title}] ${event.source}: ${event.event}${eventDetail}`;
+  const text = buildEventEmail(config, event, eventDetail);
+  notifyMembers(config, subject, text).catch(() => {});
+}
+function buildEventEmail(config, event, detail) {
+  return [
+    `New activity in ${config.title}:`,
+    ``,
+    `${event.source}: ${event.event}${detail}`,
+    ``,
+    `Visit the salon: /plugin/salon`,
+    ``,
+    `—`,
+    `To manage your membership visit /plugin/salon/recover`
+  ].join('\n');
+}
+// ── Email ─────────────────────────────────────────────────────────────────────
+function createTransporter(config) {
+  const nodemailer = require('nodemailer');
+  return nodemailer.createTransport({
+    host: config.minnieHost || 'localhost',
+    port: parseInt(config.minniePort) || 2525,
+    secure: false,
+    tls: { rejectUnauthorized: false }
+  });
+}
+async function notifyMembers(config, subject, text) {
+  const tenants    = loadTenants();
+  const recipients = Object.values(tenants).filter(t => t.status === 'active' && t.email);
+  if (recipients.length === 0) return;
+  const transporter = createTransporter(config);
+  const from = `"${config.title}" <${config.fromEmail || 'salon@planetnine.app'}>`;
+  for (const tenant of recipients) {
+    try {
+      await transporter.sendMail({ from, to: tenant.email, subject, text });
+    } catch (err) {
+      console.error(`salon: email failed for ${tenant.email}:`, err.message);
+    }
+  }
+}
+// ── Joan OTP ──────────────────────────────────────────────────────────────────
+function joanPost(joanUrl, pathname, body) {
+  return new Promise((resolve, reject) => {
+    const u       = new URL(pathname, joanUrl);
+    const payload = JSON.stringify(body);
+    const lib     = u.protocol === 'https:' ? require('https') : require('http');
+    const req = lib.request({
+      hostname: u.hostname,
+      port:     u.port || (u.protocol === 'https:' ? 443 : 80),
+      path:     u.pathname,
+      method:   'POST',
+      headers: {
+        'Content-Type':   'application/json',
+        'Content-Length': Buffer.byteLength(payload)
+      }
+    }, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try { resolve({ status: res.statusCode, body: JSON.parse(data) }); }
+        catch { reject(new Error('Invalid JSON from Joan')); }
+      });
+    });
+    req.on('error', reject);
+    req.write(payload);
+    req.end();
+  });
+}
+// ── Helpers ───────────────────────────────────────────────────────────────────
+function ensureDir() {
+  if (!fs.existsSync(SALON_DIR)) fs.mkdirSync(SALON_DIR, { recursive: true });
+}
+function generateId() {
+  return crypto.randomBytes(8).toString('hex');
+}
+function hashEmail(email) {
+  return crypto.createHash('sha256').update(email.toLowerCase().trim()).digest('hex');
+}
+function findTenantByEmailHash(tenants, hash) {
+  return Object.values(tenants).find(t => t.emailHash === hash) || null;
+}
+function esc(str) {
+  return String(str)
+    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}
+function timeAgo(ms) {
+  const s = Math.floor((Date.now() - ms) / 1000);
+  if (s < 60)   return `${s}s ago`;
+  if (s < 3600)  return `${Math.floor(s / 60)}m ago`;
+  if (s < 86400) return `${Math.floor(s / 3600)}h ago`;
+  return `${Math.floor(s / 86400)}d ago`;
+}
+// ── HTML pages ────────────────────────────────────────────────────────────────
+const STYLE = `
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    body { font-family: system-ui, sans-serif; background: #0f0f12; color: #e8e8ea; min-height: 100vh; }
+    .topbar { background: rgba(255,255,255,0.04); border-bottom: 1px solid rgba(255,255,255,0.08); padding: 14px 24px; display: flex; align-items: center; justify-content: space-between; }
+    .topbar-title { font-size: 1.1rem; font-weight: 700; color: #c4b5fd; }
+    .topbar-links a { color: #888; text-decoration: none; font-size: 0.85rem; margin-left: 16px; }
+    .topbar-links a:hover { color: #c4b5fd; }
+    .container { max-width: 860px; margin: 0 auto; padding: 40px 24px; }
+    h1 { font-size: 2rem; font-weight: 800; color: #c4b5fd; margin-bottom: 8px; }
+    .subtitle { color: #888; margin-bottom: 32px; font-size: 0.95rem; line-height: 1.5; }
+    .section { margin-bottom: 40px; }
+    .section-heading { font-size: 0.75rem; font-weight: 700; color: #888; text-transform: uppercase; letter-spacing: 1px; margin-bottom: 16px; }
+    .card { background: rgba(255,255,255,0.04); border: 1px solid rgba(255,255,255,0.08); border-radius: 12px; padding: 20px; margin-bottom: 12px; }
+    .card:hover { border-color: rgba(196,181,253,0.3); }
+    .card-name { font-size: 1rem; font-weight: 600; color: #e8e8ea; margin-bottom: 4px; }
+    .card-desc { font-size: 0.85rem; color: #888; line-height: 1.4; }
+    .card-meta { font-size: 0.78rem; color: #555; margin-top: 8px; }
+    .badge { display: inline-block; font-size: 0.75rem; font-weight: 600; padding: 3px 10px; border-radius: 20px; }
+    .badge-open   { background: rgba(16,185,129,0.15); color: #10b981; border: 1px solid rgba(16,185,129,0.3); }
+    .badge-closed { background: rgba(239,68,68,0.15);  color: #ef4444; border: 1px solid rgba(239,68,68,0.3); }
+    .badge-grant  { background: rgba(251,191,36,0.15); color: #fbbf24; border: 1px solid rgba(251,191,36,0.3); }
+    .badge-pending { background: rgba(251,191,36,0.15); color: #fbbf24; border: 1px solid rgba(251,191,36,0.3); }
+    .badge-active  { background: rgba(16,185,129,0.15); color: #10b981; border: 1px solid rgba(16,185,129,0.3); }
+    .badge-denied  { background: rgba(239,68,68,0.15);  color: #ef4444; border: 1px solid rgba(239,68,68,0.3); }
+    .btn { display: inline-block; padding: 10px 24px; border-radius: 8px; font-size: 0.9rem; font-weight: 600; cursor: pointer; border: none; text-decoration: none; transition: opacity 0.15s; }
+    .btn:hover { opacity: 0.85; }
+    .btn-primary { background: #7c3aed; color: white; }
+    .btn-secondary { background: rgba(255,255,255,0.08); color: #e8e8ea; border: 1px solid rgba(255,255,255,0.12); }
+    .btn-danger { background: rgba(239,68,68,0.15); color: #ef4444; border: 1px solid rgba(239,68,68,0.3); }
+    .btn-sm { padding: 5px 12px; font-size: 0.8rem; border-radius: 6px; }
+    label { display: block; font-size: 0.82rem; color: #999; margin-bottom: 4px; margin-top: 14px; }
+    input, textarea, select { width: 100%; background: rgba(255,255,255,0.06); border: 1px solid rgba(255,255,255,0.12); border-radius: 8px; color: #e8e8ea; padding: 10px 12px; font-size: 0.9rem; outline: none; font-family: inherit; transition: border-color 0.2s; }
+    input:focus, textarea:focus, select:focus { border-color: #7c3aed; }
+    textarea { resize: vertical; }
+    .form-hint { font-size: 0.78rem; color: #666; margin-top: 4px; }
+    .result { margin-top: 16px; padding: 12px 16px; border-radius: 8px; font-size: 0.9rem; display: none; }
+    .result.ok  { background: rgba(16,185,129,0.1);  border: 1px solid rgba(16,185,129,0.3);  color: #10b981; }
+    .result.err { background: rgba(239,68,68,0.1);   border: 1px solid rgba(239,68,68,0.3);   color: #ef4444; }
+    .empty { text-align: center; padding: 48px 0; color: #555; font-size: 0.9rem; }
+    .event-row { display: flex; align-items: flex-start; gap: 12px; padding: 12px 0; border-bottom: 1px solid rgba(255,255,255,0.05); }
+    .event-source { font-size: 0.75rem; font-weight: 700; color: #c4b5fd; background: rgba(196,181,253,0.1); border-radius: 4px; padding: 2px 7px; white-space: nowrap; flex-shrink: 0; }
+    .event-body { flex: 1; min-width: 0; }
+    .event-name { font-size: 0.88rem; color: #e8e8ea; }
+    .event-time { font-size: 0.75rem; color: #555; margin-top: 2px; }
+    .grid-2 { display: grid; grid-template-columns: 1fr 1fr; gap: 12px; }
+    @media (max-width: 600px) { .grid-2 { grid-template-columns: 1fr; } }
+    .divider { border: none; border-top: 1px solid rgba(255,255,255,0.07); margin: 24px 0; }
+  </style>`;
+function generateSalonPage(config, tenants, events) {
+  const modeLabel = { open: 'Open', closed: 'Closed', grant: 'By Application' }[config.registrationMode] || config.registrationMode;
+  const canRegister = config.registrationMode !== 'closed';
+  const tenantsHtml = tenants.length === 0
+    ? '<div class="empty">No members yet. Be the first to join!</div>'
+    : tenants.map(t => `
+      <a href="/plugin/salon/tenant/${esc(t.uuid)}" style="text-decoration:none;display:block;">
+        <div class="card" style="cursor:pointer;">
+          <div class="card-name">${esc(t.name)}</div>
+          ${t.description ? `<div class="card-desc">${esc(t.description)}</div>` : ''}
+          <div class="card-meta">Joined ${timeAgo(t.registeredAt)}</div>
+        </div>
+      </a>`).join('');
+  const eventsHtml = events.length === 0
+    ? '<div class="empty">No events yet.</div>'
+    : events.slice(0, 20).map(e => `
+      <div class="event-row">
+        <span class="event-source">${esc(e.source)}</span>
+        <div class="event-body">
+          <div class="event-name">${esc(e.event)}${e.data && e.data.title ? ` — ${esc(e.data.title)}` : ''}</div>
+          <div class="event-time">${timeAgo(e.receivedAt)}</div>
+        </div>
+      </div>`).join('');
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>${esc(config.title)}</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ ${esc(config.title)}</span>
+    <div class="topbar-links">
+      <span class="badge badge-${config.registrationMode}">${modeLabel}</span>
+      ${canRegister ? '<a href="/plugin/salon/register">Register</a>' : ''}
+      <a href="/plugin/salon/recover">My Account</a>
+      <a href="/plugin/salon/feed.json">Feed</a>
+    </div>
+  </div>
+  <div class="container">
+    <h1>${esc(config.title)}</h1>
+    <p class="subtitle">${esc(config.description)}</p>
+    <div class="grid-2">
+      <div>
+        <div class="section">
+          <div class="section-heading">Members (${tenants.length})</div>
+          ${tenantsHtml}
+          ${canRegister ? `<div style="margin-top:16px;"><a href="/plugin/salon/register" class="btn btn-primary">Join the Salon</a></div>` : ''}
+        </div>
+      </div>
+      <div>
+        <div class="section">
+          <div class="section-heading">Recent Activity</div>
+          ${eventsHtml}
+        </div>
+      </div>
+    </div>
+  </div>
+</body></html>`;
+}
+function generateRegisterPage(config) {
+  const isGrant = config.registrationMode === 'grant';
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>Join ${esc(config.title)}</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ ${esc(config.title)}</span>
+    <div class="topbar-links"><a href="/plugin/salon">← Back to salon</a></div>
+  </div>
+  <div class="container" style="max-width:520px;">
+    <h1>Join the Salon</h1>
+    <p class="subtitle">${isGrant
+      ? 'Registration is by application. The wiki owner will review your request.'
+      : 'Register to become a member of this salon community.'}</p>
+    <form id="reg-form" style="margin-top:8px;">
+      <label>Display name *</label>
+      <input name="name" type="text" placeholder="Your name" required maxlength="80">
+      <label>Email address *</label>
+      <input name="email" type="email" placeholder="you@example.com" required>
+      <div class="form-hint">Used to send you updates from the salon. Never shared publicly.</div>
+      <label>About you</label>
+      <textarea name="description" rows="3" placeholder="A short bio or description (optional)" maxlength="500"></textarea>
+      <label>Public key (optional)</label>
+      <input name="pubKey" type="text" placeholder="secp256k1 public key for verified identity" maxlength="130">
+      <div class="form-hint">If you have a Planet Nine wallet, paste your public key here.</div>
+      <div style="margin-top:24px;">
+        <button type="submit" class="btn btn-primary">${isGrant ? 'Apply to Join' : 'Join Now'}</button>
+      </div>
+      <div class="result" id="result"></div>
+    </form>
+  </div>
+  <script>
+    document.getElementById('reg-form').addEventListener('submit', async e => {
+      e.preventDefault();
+      const btn = e.target.querySelector('button[type=submit]');
+      const resultEl = document.getElementById('result');
+      btn.disabled = true; btn.textContent = 'Submitting…';
+      const data = Object.fromEntries(new FormData(e.target));
+      try {
+        const res = await fetch('/plugin/salon/register', {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(data)
+        });
+        const json = await res.json();
+        resultEl.className = 'result ' + (json.success ? 'ok' : 'err');
+        resultEl.style.display = 'block';
+        if (json.success) {
+          resultEl.innerHTML = json.status === 'pending'
+            ? '✓ Application submitted! The wiki owner will review your request.'
+            : \`✓ Welcome! You're now a member. <a href="/plugin/salon/tenant/\${json.uuid}" style="color:#10b981;">View your profile →</a>\`;
+          e.target.querySelector('button[type=submit]').style.display = 'none';
+        } else {
+          resultEl.textContent = json.error || 'Registration failed';
+          btn.disabled = false; btn.textContent = '${isGrant ? 'Apply to Join' : 'Join Now'}';
+        }
+      } catch (err) {
+        resultEl.className = 'result err'; resultEl.style.display = 'block';
+        resultEl.textContent = err.message;
+        btn.disabled = false; btn.textContent = '${isGrant ? 'Apply to Join' : 'Join Now'}';
+      }
+    });
+  </script>
+</body></html>`;
+}
+function generateClosedPage(config) {
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>${esc(config.title)}</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ ${esc(config.title)}</span>
+    <div class="topbar-links"><a href="/plugin/salon">← Back to salon</a></div>
+  </div>
+  <div class="container" style="max-width:520px; text-align:center; padding-top: 80px;">
+    <div style="font-size:3rem;margin-bottom:16px;">🔒</div>
+    <h1 style="font-size:1.5rem;">Registration Closed</h1>
+    <p class="subtitle" style="margin-top:8px;">This salon is not currently accepting new members.</p>
+    <div style="margin-top:24px;"><a href="/plugin/salon" class="btn btn-secondary">Visit the Salon</a></div>
+  </div>
+</body></html>`;
+}
+function generateTenantPage(tenant) {
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>${esc(tenant.name)} — Salon</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ Salon</span>
+    <div class="topbar-links"><a href="/plugin/salon">← Back to salon</a></div>
+  </div>
+  <div class="container" style="max-width:600px;">
+    <div style="margin-bottom:8px;"><span class="badge badge-active">Active Member</span></div>
+    <h1>${esc(tenant.name)}</h1>
+    ${tenant.description ? `<p class="subtitle">${esc(tenant.description)}</p>` : ''}
+    <div class="card" style="margin-top:24px;">
+      <div class="card-meta" style="color:#666;font-size:0.82rem;">
+        Member since ${new Date(tenant.registeredAt).toLocaleDateString('en-US', { year: 'numeric', month: 'long', day: 'numeric' })}
+        ${tenant.pubKey ? `<br><span style="font-family:monospace;word-break:break-all;">${esc(tenant.pubKey.slice(0,24))}…</span>` : ''}
+      </div>
+    </div>
+    <div style="margin-top:16px;"><a href="/plugin/salon/recover" class="btn btn-secondary btn-sm">Manage my membership</a></div>
+  </div>
+</body></html>`;
+}
+function generateRecoverPage(config, message) {
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>My Account — ${esc(config.title)}</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ ${esc(config.title)}</span>
+    <div class="topbar-links"><a href="/plugin/salon">← Back to salon</a></div>
+  </div>
+  <div class="container" style="max-width:480px;">
+    <h1>My Account</h1>
+    <p class="subtitle">Enter your email address to receive a one-time code to manage your membership.</p>
+    ${message ? `<div class="result err" style="display:block;margin-bottom:16px;">${esc(message)}</div>` : ''}
+    <form id="recover-form">
+      <label>Email address</label>
+      <input name="email" type="email" placeholder="you@example.com" required autofocus>
+      <div style="margin-top:20px;">
+        <button type="submit" class="btn btn-primary">Send Code</button>
+      </div>
+      <div class="result" id="result"></div>
+    </form>
+  </div>
+  <script>
+    document.getElementById('recover-form').addEventListener('submit', async e => {
+      e.preventDefault();
+      const btn = e.target.querySelector('button[type=submit]');
+      const resultEl = document.getElementById('result');
+      btn.disabled = true; btn.textContent = 'Sending…';
+      const data = Object.fromEntries(new FormData(e.target));
+      try {
+        const res = await fetch('/plugin/salon/recover/send', {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(data)
+        });
+        const json = await res.json();
+        resultEl.className = 'result ' + (json.success ? 'ok' : 'err');
+        resultEl.style.display = 'block';
+        if (json.success) {
+          resultEl.innerHTML = '✓ Check your inbox — a code has been sent to <strong>' + data.email + '</strong>.';
+          e.target.innerHTML = \`
+            <label style="margin-top:16px;">Enter the code from your email</label>
+            <input id="otp-code" type="text" inputmode="numeric" pattern="[0-9]{6}" maxlength="6" placeholder="123456" autofocus style="letter-spacing:0.2em;font-size:1.5rem;text-align:center;">
+            <div style="margin-top:16px;">
+              <button type="button" id="verify-btn" class="btn btn-primary">Verify</button>
+            </div>
+            <div class="result" id="verify-result"></div>
+          \`;
+          document.getElementById('verify-btn').addEventListener('click', async () => {
+            const code = document.getElementById('otp-code').value.trim();
+            const vbtn = document.getElementById('verify-btn');
+            const vresult = document.getElementById('verify-result');
+            vbtn.disabled = true; vbtn.textContent = 'Verifying…';
+            const vres = await fetch('/plugin/salon/recover/verify', {
+              method: 'POST', headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({ email: data.email, code })
+            });
+            const vjson = await vres.json();
+            if (vjson.success) {
+              window.location.href = '/plugin/salon/member/' + vjson.emailHash;
+            } else {
+              vresult.className = 'result err'; vresult.style.display = 'block';
+              vresult.textContent = vjson.error || 'Verification failed';
+              vbtn.disabled = false; vbtn.textContent = 'Verify';
+            }
+          });
+        } else {
+          resultEl.textContent = json.error || 'Could not send code';
+          btn.disabled = false; btn.textContent = 'Send Code';
+        }
+      } catch (err) {
+        resultEl.className = 'result err'; resultEl.style.display = 'block';
+        resultEl.textContent = err.message;
+        btn.disabled = false; btn.textContent = 'Send Code';
+      }
+    });
+  </script>
+</body></html>`;
+}
+function generateMemberPage(config, tenant) {
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>My Membership — ${esc(config.title)}</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ ${esc(config.title)}</span>
+    <div class="topbar-links"><a href="/plugin/salon">← Back to salon</a></div>
+  </div>
+  <div class="container" style="max-width:520px;">
+    <div style="margin-bottom:8px;"><span class="badge badge-${tenant.status}">${tenant.status}</span></div>
+    <h1>My Membership</h1>
+    <p class="subtitle">Update your profile or leave the salon.</p>
+    <div class="card" style="margin-bottom:24px;">
+      <form id="update-form">
+        <input type="hidden" name="emailHash" value="${esc(tenant.emailHash)}">
+        <label>Display name</label>
+        <input name="name" type="text" value="${esc(tenant.name)}" maxlength="80" required>
+        <label>About you</label>
+        <textarea name="description" rows="3" maxlength="500">${esc(tenant.description || '')}</textarea>
+        <div style="margin-top:16px;">
+          <button type="submit" class="btn btn-primary btn-sm">Save Changes</button>
+        </div>
+        <div class="result" id="update-result"></div>
+      </form>
+    </div>
+    <hr class="divider">
+    <div style="margin-top:16px;">
+      <p style="color:#888;font-size:0.85rem;margin-bottom:12px;">Leave the salon to remove yourself from the member list and stop receiving updates.</p>
+      <button class="btn btn-danger btn-sm" id="leave-btn">Leave the Salon</button>
+      <div class="result" id="leave-result"></div>
+    </div>
+  </div>
+  <script>
+    document.getElementById('update-form').addEventListener('submit', async e => {
+      e.preventDefault();
+      const btn = e.target.querySelector('button[type=submit]');
+      const resultEl = document.getElementById('update-result');
+      btn.disabled = true; btn.textContent = 'Saving…';
+      const data = Object.fromEntries(new FormData(e.target));
+      try {
+        const res = await fetch('/plugin/salon/member/update', {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(data)
+        });
+        const json = await res.json();
+        resultEl.className = 'result ' + (json.success ? 'ok' : 'err');
+        resultEl.style.display = 'block';
+        resultEl.textContent = json.success ? 'Profile updated.' : (json.error || 'Error');
+      } catch (err) {
+        resultEl.className = 'result err'; resultEl.style.display = 'block';
+        resultEl.textContent = err.message;
+      }
+      btn.disabled = false; btn.textContent = 'Save Changes';
+    });
+    document.getElementById('leave-btn').addEventListener('click', async () => {
+      if (!confirm('Leave the salon? You can re-register at any time.')) return;
+      const btn = document.getElementById('leave-btn');
+      const resultEl = document.getElementById('leave-result');
+      btn.disabled = true; btn.textContent = 'Leaving…';
+      try {
+        const res = await fetch('/plugin/salon/member/leave', {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify({ emailHash: '${esc(tenant.emailHash)}' })
+        });
+        const json = await res.json();
+        if (json.success) {
+          window.location.href = '/plugin/salon';
+        } else {
+          resultEl.className = 'result err'; resultEl.style.display = 'block';
+          resultEl.textContent = json.error || 'Error';
+          btn.disabled = false; btn.textContent = 'Leave the Salon';
+        }
+      } catch (err) {
+        resultEl.className = 'result err'; resultEl.style.display = 'block';
+        resultEl.textContent = err.message;
+        btn.disabled = false; btn.textContent = 'Leave the Salon';
+      }
+    });
+  </script>
+</body></html>`;
+}
+function generateAdminPage(config, tenants) {
+  const all    = Object.values(tenants);
+  const pending = all.filter(t => t.status === 'pending');
+  const active  = all.filter(t => t.status === 'active');
+  const denied  = all.filter(t => t.status === 'denied');
+  const pendingHtml = pending.length === 0
+    ? '<div class="empty" style="padding:20px 0;">No pending applications.</div>'
+    : pending.map(t => `
+      <div class="card" style="display:flex;align-items:flex-start;gap:12px;">
+        <div style="flex:1;min-width:0;">
+          <div class="card-name">${esc(t.name)}</div>
+          ${t.description ? `<div class="card-desc">${esc(t.description)}</div>` : ''}
+          ${t.email ? `<div class="card-meta">${esc(t.email)}</div>` : ''}
+          <div class="card-meta">Applied ${timeAgo(t.registeredAt)}</div>
+        </div>
+        <div style="display:flex;gap:8px;flex-shrink:0;">
+          <button class="btn btn-sm btn-primary" onclick="grantTenant('${esc(t.uuid)}', this)">Grant</button>
+          <button class="btn btn-sm btn-danger"  onclick="denyTenant('${esc(t.uuid)}', this)">Deny</button>
+        </div>
+      </div>`).join('');
+  const activeHtml = active.length === 0
+    ? '<div class="empty" style="padding:20px 0;">No active members.</div>'
+    : active.map(t => `
+      <div class="card" style="display:flex;align-items:center;gap:12px;">
+        <div style="flex:1;min-width:0;">
+          <div class="card-name">${esc(t.name)}</div>
+          ${t.description ? `<div class="card-desc">${esc(t.description)}</div>` : ''}
+          ${t.email ? `<div class="card-meta">${esc(t.email)}</div>` : ''}
+          <div class="card-meta">Since ${timeAgo(t.registeredAt)}</div>
+        </div>
+        <button class="btn btn-sm btn-danger" onclick="removeTenant('${esc(t.uuid)}', this)">Remove</button>
+      </div>`).join('');
+  return `<!DOCTYPE html><html lang="en"><head>${STYLE}<title>Salon Admin</title></head><body>
+  <div class="topbar">
+    <span class="topbar-title">✦ Salon Admin</span>
+    <div class="topbar-links"><a href="/plugin/salon">View salon</a></div>
+  </div>
+  <div class="container">
+    <h1>Salon Admin</h1>
+    <div class="section">
+      <div class="section-heading">Settings</div>
+      <div class="card">
+        <form id="config-form">
+          <label>Registration mode</label>
+          <select name="registrationMode">
+            <option value="open"   ${config.registrationMode === 'open'   ? 'selected' : ''}>Open — anyone can join</option>
+            <option value="grant"  ${config.registrationMode === 'grant'  ? 'selected' : ''}>By Application — owner approves each member</option>
+            <option value="closed" ${config.registrationMode === 'closed' ? 'selected' : ''}>Closed — no new registrations</option>
+          </select>
+          <label>Salon title</label>
+          <input name="title" value="${esc(config.title)}" placeholder="The Salon">
+          <label>Description</label>
+          <textarea name="description" rows="2">${esc(config.description)}</textarea>
+          <hr class="divider">
+          <div class="section-heading" style="margin-top:8px;">Email (Minnie + Joan)</div>
+          <label>From address</label>
+          <input name="fromEmail" value="${esc(config.fromEmail || 'salon@planetnine.app')}" placeholder="salon@planetnine.app">
+          <label>Minnie host</label>
+          <input name="minnieHost" value="${esc(String(config.minnieHost || 'localhost'))}" placeholder="localhost">
+          <label>Minnie port</label>
+          <input name="minniePort" type="number" value="${esc(String(config.minniePort || 2525))}" placeholder="2525">
+          <label>Joan URL</label>
+          <input name="joanUrl" value="${esc(config.joanUrl || 'http://localhost:3008')}" placeholder="http://localhost:3008">
+          <div class="form-hint">Used to send OTP codes for member account recovery.</div>
+          <div style="margin-top:16px;">
+            <button type="submit" class="btn btn-primary btn-sm">Save Settings</button>
+          </div>
+          <div class="result" id="config-result"></div>
+        </form>
+      </div>
+    </div>
+    <div class="section">
+      <div class="section-heading">Announce to All Members (${active.filter(t => t.email).length} with email)</div>
+      <div class="card">
+        <form id="announce-form">
+          <label>Subject</label>
+          <input name="subject" type="text" placeholder="Subject line" required maxlength="200">
+          <label>Message</label>
+          <textarea name="message" rows="5" placeholder="Your message to all members…" required maxlength="5000"></textarea>
+          <div style="margin-top:16px;">
+            <button type="submit" class="btn btn-secondary btn-sm">Send Announcement</button>
+          </div>
+          <div class="result" id="announce-result"></div>
+        </form>
+      </div>
+    </div>
+    ${config.registrationMode === 'grant' || pending.length > 0 ? `
+    <div class="section">
+      <div class="section-heading">Pending Applications (${pending.length})</div>
+      ${pendingHtml}
+    </div>` : ''}
+    <div class="section">
+      <div class="section-heading">Active Members (${active.length})</div>
+      ${activeHtml}
+    </div>
+    ${denied.length > 0 ? `
+    <div class="section">
+      <div class="section-heading">Denied (${denied.length})</div>
+      ${denied.map(t => `
+        <div class="card" style="display:flex;align-items:center;gap:12px;opacity:0.6;">
+          <div style="flex:1;"><div class="card-name">${esc(t.name)}</div></div>
+          <button class="btn btn-sm btn-primary" onclick="grantTenant('${esc(t.uuid)}', this)">Grant</button>
+        </div>`).join('')}
+    </div>` : ''}
+  </div>
+  <script>
+    document.getElementById('config-form').addEventListener('submit', async e => {
+      e.preventDefault();
+      const btn = e.target.querySelector('button[type=submit]');
+      const resultEl = document.getElementById('config-result');
+      btn.disabled = true;
+      const data = Object.fromEntries(new FormData(e.target));
+      try {
+        const res = await fetch('/plugin/salon/config', {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(data)
+        });
+        const json = await res.json();
+        resultEl.className = 'result ' + (json.success ? 'ok' : 'err');
+        resultEl.style.display = 'block';
+        resultEl.textContent = json.success ? 'Settings saved.' : (json.error || 'Error');
+        if (json.success) setTimeout(() => location.reload(), 800);
+      } catch (err) {
+        resultEl.className = 'result err'; resultEl.style.display = 'block';
+        resultEl.textContent = err.message;
+      }
+      btn.disabled = false;
+    });
+    document.getElementById('announce-form').addEventListener('submit', async e => {
+      e.preventDefault();
+      const btn = e.target.querySelector('button[type=submit]');
+      const resultEl = document.getElementById('announce-result');
+      btn.disabled = true; btn.textContent = 'Sending…';
+      const data = Object.fromEntries(new FormData(e.target));
+      try {
+        const res = await fetch('/plugin/salon/admin/announce', {
+          method: 'POST', headers: { 'Content-Type': 'application/json' },
+          body: JSON.stringify(data)
+        });
+        const json = await res.json();
+        resultEl.className = 'result ' + (json.success ? 'ok' : 'err');
+        resultEl.style.display = 'block';
+        resultEl.textContent = json.success
+          ? \`Sent to \${json.sent} member\${json.sent === 1 ? '' : 's'}.\`
+          : (json.error || 'Error');
+      } catch (err) {
+        resultEl.className = 'result err'; resultEl.style.display = 'block';
+        resultEl.textContent = err.message;
+      }
+      btn.disabled = false; btn.textContent = 'Send Announcement';
+    });
+    async function grantTenant(uuid, btn) {
+      btn.disabled = true; btn.textContent = '…';
+      const res = await fetch('/plugin/salon/admin/grant/' + uuid, { method: 'POST' });
+      const json = await res.json();
+      if (json.success) location.reload(); else { btn.disabled = false; btn.textContent = 'Grant'; alert(json.error); }
+    }
+    async function denyTenant(uuid, btn) {
+      btn.disabled = true; btn.textContent = '…';
+      const res = await fetch('/plugin/salon/admin/deny/' + uuid, { method: 'POST' });
+      const json = await res.json();
+      if (json.success) location.reload(); else { btn.disabled = false; btn.textContent = 'Deny'; alert(json.error); }
+    }
+    async function removeTenant(uuid, btn) {
+      if (!confirm('Remove this member?')) return;
+      btn.disabled = true; btn.textContent = '…';
+      const res = await fetch('/plugin/salon/admin/tenant/' + uuid, { method: 'DELETE' });
+      const json = await res.json();
+      if (json.success) location.reload(); else { btn.disabled = false; btn.textContent = 'Remove'; alert(json.error); }
+    }
+  </script>
+</body></html>`;
+}
+// ── Freyja federation page ────────────────────────────────────────────────────
+function generateFederationPage(currentId) {
+  const PLUGINS = {
+    agora:       { id: 'agora',       color: '#00cc00', icon: '🛍️', name: 'Agora',       tagline: 'Digital marketplace',      desc: 'A federated marketplace for independent creators. Buy and sell books, music, posts, and more — commerce the way it was supposed to work.', path: '/plugin/agora/directory',  ping: '/plugin/agora/directory',       fed: '/plugin/agora/federation' },
+    lucille:     { id: 'lucille',     color: '#ee22ee', icon: '🎬', name: 'Lucille',     tagline: 'P2P video hosting',         desc: 'Upload and stream video peer-to-peer. No corporate infrastructure, no surveillance — your wiki hosts your content directly.',               path: '/plugin/lucille/setup',     ping: '/plugin/lucille/setup/status',  fed: '/plugin/lucille/federation' },
+    linkitylink: { id: 'linkitylink', color: '#9922cc', icon: '🔗', name: 'Linkitylink', tagline: 'Privacy-first link pages',  desc: 'Create beautiful tapestries of links. No tracking, no algorithms — just your links, shared your way, on your terms.',                        path: '/plugin/linkitylink',       ping: '/plugin/linkitylink/config',    fed: '/plugin/linkitylink/federation' },
+    salon:       { id: 'salon',       color: '#ffdd00', icon: '🏛️', name: 'Salon',       tagline: 'Community gathering space', desc: 'A gathering place for your wiki community. Members register, connect, and receive updates from the wider Freyja ecosystem.',                 path: '/plugin/salon',             ping: '/plugin/salon/config',          fed: '/plugin/salon/federation' },
+  };
+  const current = PLUGINS[currentId];
+  const others  = Object.values(PLUGINS).filter(p => p.id !== currentId);
+  const navDotsHtml = Object.values(PLUGINS).map(p => `
+      <a href="${p.fed}" class="fnav-dot" style="--dot-color:${p.color};" title="${p.name}">
+        <span class="fnav-dot-inner"></span>
+      </a>`).join('');
+  const cardsHtml = others.map(p => `
+      <a href="${p.fed}" class="fed-card" style="--card-color:${p.color};">
+        <div class="fed-card-top">
+          <span class="fed-card-icon">${p.icon}</span>
+          <div class="fed-card-meta">
+            <div class="fed-card-name">
+              <span class="fed-status-dot" id="dot-${p.id}"></span>
+              ${p.name}
+            </div>
+            <div class="fed-card-tagline">${p.tagline}</div>
+          </div>
+        </div>
+        <div class="fed-card-desc">${p.desc}</div>
+        <div class="fed-card-cta">Explore ${p.name} →</div>
+      </a>`).join('');
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>Freyja — ${current.name}</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Orbitron:wght@400;600;700;900&family=Inter:wght@300;400;500;600&display=swap" rel="stylesheet">
+  <style>
+    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+    :root {
+      --bg: #04040f;
+      --surface: rgba(12, 12, 30, 0.75);
+      --border: rgba(100, 120, 200, 0.18);
+      --text: #ffffff;
+      --text-muted: rgba(220, 225, 255, 0.88);
+      --text-dim: rgba(200, 210, 255, 0.65);
+      --radius-card: 1.25rem;
+      --radius-pill: 9999px;
+      --ease: cubic-bezier(0.16, 1, 0.3, 1);
+      --current-color: ${current.color};
+    }
+    html, body { height: 100%; }
+    body {
+      font-family: 'Inter', system-ui, sans-serif;
+      font-weight: 300;
+      background: var(--bg);
+      color: var(--text-muted);
+      min-height: 100vh;
+      overflow-x: hidden;
+    }
+    #starfield {
+      position: fixed;
+      inset: 0;
+      z-index: 0;
+      pointer-events: none;
+    }
+    .fnav {
+      position: fixed;
+      top: 0; left: 0; right: 0;
+      z-index: 100;
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      padding: 0 2rem;
+      height: 56px;
+      background: rgba(4, 4, 15, 0.8);
+      backdrop-filter: blur(16px);
+      border-bottom: 1px solid var(--border);
+    }
+    .fnav-brand {
+      font-family: 'Orbitron', sans-serif;
+      font-weight: 700;
+      font-size: 1rem;
+      color: var(--current-color);
+      text-decoration: none;
+      filter: drop-shadow(0 0 8px var(--current-color));
+      letter-spacing: 0.06em;
+    }
+    .fnav-dots { display: flex; align-items: center; gap: 0.75rem; }
+    .fnav-dot {
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      width: 28px;
+      height: 28px;
+      border-radius: 50%;
+      text-decoration: none;
+      transition: transform 0.2s var(--ease);
+    }
+    .fnav-dot:hover { transform: scale(1.25); }
+    .fnav-dot-inner {
+      width: 12px;
+      height: 12px;
+      border-radius: 50%;
+      background: var(--dot-color);
+      filter: drop-shadow(0 0 6px var(--dot-color));
+    }
+    .page { position: relative; z-index: 1; }
+    .hero {
+      min-height: 100vh;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      justify-content: center;
+      text-align: center;
+      padding: 7rem 2rem 4rem;
+      gap: 1.25rem;
+      opacity: 0;
+      transform: translateY(24px);
+      transition: opacity 0.8s var(--ease), transform 0.8s var(--ease);
+    }
+    .hero.visible { opacity: 1; transform: none; }
+    .hero-eyebrow {
+      font-family: 'Orbitron', sans-serif;
+      font-size: 0.7rem;
+      font-weight: 600;
+      letter-spacing: 0.2em;
+      text-transform: uppercase;
+      color: var(--current-color);
+    }
+    .hero-icon {
+      font-size: 5rem;
+      line-height: 1;
+      filter: drop-shadow(0 0 24px ${current.color});
+    }
+    .hero-title {
+      font-family: 'Orbitron', sans-serif;
+      font-size: clamp(3rem, 10vw, 6rem);
+      font-weight: 900;
+      color: var(--current-color);
+      filter: drop-shadow(0 0 30px var(--current-color));
+      line-height: 1;
+      letter-spacing: -0.02em;
+    }
+    .hero-tagline {
+      font-family: 'Orbitron', sans-serif;
+      font-size: 0.75rem;
+      font-weight: 400;
+      letter-spacing: 0.18em;
+      text-transform: uppercase;
+      color: var(--text-dim);
+    }
+    .hero-desc {
+      max-width: 520px;
+      font-size: 1rem;
+      font-weight: 300;
+      color: var(--text-muted);
+      line-height: 1.7;
+    }
+    .hero-btn {
+      display: inline-block;
+      margin-top: 0.5rem;
+      padding: 0.75rem 2rem;
+      border-radius: var(--radius-pill);
+      background: var(--current-color);
+      color: #000;
+      font-family: 'Inter', sans-serif;
+      font-weight: 600;
+      font-size: 0.9rem;
+      text-decoration: none;
+      transition: transform 0.2s var(--ease), filter 0.2s;
+    }
+    .hero-btn:hover { transform: scale(1.04); filter: brightness(1.15); }
+    .cards-section {
+      max-width: 1000px;
+      margin: 0 auto;
+      padding: 4rem 2rem 6rem;
+      opacity: 0;
+      transform: translateY(32px);
+      transition: opacity 0.8s var(--ease) 0.15s, transform 0.8s var(--ease) 0.15s;
+    }
+    .cards-section.visible { opacity: 1; transform: none; }
+    .section-label {
+      font-family: 'Orbitron', sans-serif;
+      font-size: 0.65rem;
+      font-weight: 600;
+      letter-spacing: 0.22em;
+      text-transform: uppercase;
+      color: var(--text-dim);
+      margin-bottom: 1.5rem;
+    }
+    .fed-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fill, minmax(280px, 1fr));
+      gap: 1.25rem;
+    }
+    .fed-card {
+      --card-color: #ffffff;
+      background: var(--surface);
+      backdrop-filter: blur(10px);
+      border: 1px solid var(--border);
+      border-radius: var(--radius-card);
+      padding: 1.5rem;
+      display: flex;
+      flex-direction: column;
+      gap: 1rem;
+      text-decoration: none;
+      color: var(--text-muted);
+      transition: border-color 0.25s var(--ease), filter 0.25s var(--ease), transform 0.25s var(--ease);
+    }
+    .fed-card:hover {
+      border-color: var(--card-color);
+      filter: drop-shadow(0 0 14px var(--card-color));
+      transform: translateY(-4px);
+    }
+    .fed-card-top { display: flex; align-items: flex-start; gap: 1rem; }
+    .fed-card-icon { font-size: 2rem; line-height: 1; flex-shrink: 0; }
+    .fed-card-meta { flex: 1; }
+    .fed-card-name {
+      font-family: 'Orbitron', sans-serif;
+      font-size: 0.9rem;
+      font-weight: 600;
+      color: var(--text);
+      display: flex;
+      align-items: center;
+      gap: 0.5rem;
+      margin-bottom: 0.25rem;
+    }
+    .fed-status-dot {
+      width: 8px;
+      height: 8px;
+      border-radius: 50%;
+      background: rgba(200, 210, 255, 0.3);
+      flex-shrink: 0;
+      transition: background 0.4s, filter 0.4s;
+    }
+    .fed-card-tagline { font-size: 0.75rem; color: var(--card-color); font-weight: 500; }
+    .fed-card-desc { font-size: 0.85rem; line-height: 1.6; color: var(--text-dim); flex: 1; }
+    .fed-card-cta { font-size: 0.8rem; font-weight: 600; color: var(--card-color); align-self: flex-start; }
+    .fed-footer {
+      text-align: center;
+      padding: 2rem;
+      font-size: 0.78rem;
+      color: var(--text-dim);
+      border-top: 1px solid var(--border);
+      position: relative;
+      z-index: 1;
+    }
+    .fed-footer strong { font-family: 'Orbitron', sans-serif; color: var(--text-muted); }
+  </style>
+</head>
+<body>
+  <canvas id="starfield"></canvas>
+  <nav class="fnav">
+    <a href="${current.fed}" class="fnav-brand">✦ FREYJA</a>
+    <div class="fnav-dots">${navDotsHtml}
+    </div>
+  </nav>
+  <div class="page">
+    <section class="hero" id="hero">
+      <div class="hero-eyebrow">Freyja Ecosystem</div>
+      <div class="hero-icon">${current.icon}</div>
+      <div class="hero-title">${current.name}</div>
+      <div class="hero-tagline">${current.tagline}</div>
+      <div class="hero-desc">${current.desc}</div>
+      <a href="${current.path}" class="hero-btn">Open ${current.name} →</a>
+    </section>
+    <section class="cards-section" id="cards">
+      <div class="section-label">Also on this wiki</div>
+      <div class="fed-grid">${cardsHtml}
+      </div>
+    </section>
+    <footer class="fed-footer">
+      <strong>Freyja</strong> — open, federated, and owned by you.
+    </footer>
+  </div>
+  <script>
+  (function() {
+    var canvas = document.getElementById('starfield');
+    var ctx = canvas.getContext('2d');
+    var stars = [];
+    function resize() { canvas.width = window.innerWidth; canvas.height = window.innerHeight; }
+    resize();
+    window.addEventListener('resize', resize);
+    for (var i = 0; i < 180; i++) {
+      stars.push({ x: Math.random(), y: Math.random(), r: Math.random() * 1.2 + 0.2, a: Math.random(), da: (Math.random() - 0.5) * 0.008 });
+    }
+    function drawStars() {
+      ctx.clearRect(0, 0, canvas.width, canvas.height);
+      for (var i = 0; i < stars.length; i++) {
+        var s = stars[i];
+        s.a += s.da;
+        if (s.a <= 0 || s.a >= 1) s.da = -s.da;
+        ctx.beginPath();
+        ctx.arc(s.x * canvas.width, s.y * canvas.height, s.r, 0, Math.PI * 2);
+        ctx.fillStyle = 'rgba(200,210,255,' + s.a.toFixed(2) + ')';
+        ctx.fill();
+      }
+      requestAnimationFrame(drawStars);
+    }
+    drawStars();
+    var obs = new IntersectionObserver(function(entries) {
+      entries.forEach(function(e) { if (e.isIntersecting) e.target.classList.add('visible'); });
+    }, { threshold: 0.1 });
+    obs.observe(document.getElementById('hero'));
+    obs.observe(document.getElementById('cards'));
+    var pluginColors = { agora: '#00cc00', lucille: '#ee22ee', linkitylink: '#9922cc', salon: '#ffdd00' };
+    var pings = [
+      { id: 'agora',       url: '/plugin/agora/directory' },
+      { id: 'lucille',     url: '/plugin/lucille/setup/status' },
+      { id: 'linkitylink', url: '/plugin/linkitylink/config' },
+      { id: 'salon',       url: '/plugin/salon/config' }
+    ];
+    pings.forEach(function(p) {
+      fetch(p.url, { signal: AbortSignal.timeout(3000) })
+        .then(function(r) {
+          var d = document.getElementById('dot-' + p.id);
+          if (d) {
+            d.style.background = r.ok ? pluginColors[p.id] : 'rgba(200,210,255,0.3)';
+            if (r.ok) d.style.filter = 'drop-shadow(0 0 5px ' + pluginColors[p.id] + ')';
+          }
+        })
+        .catch(function() {});
+    });
+  })();
+  </script>
+</body>
+</html>`;
+}
+// ── startServer ───────────────────────────────────────────────────────────────
+function startServer(params) {
+  const app = params.app;
+  ensureDir();
+  // ── Owner auth ──────────────────────────────────────────────────────────────
+  const owner = (req, res, next) => {
+    if (app.securityhandler && app.securityhandler.isAuthorized(req)) return next();
+    return res.status(403).json({ error: 'Owner only' });
+  };
+  // JSON body parser for salon routes
+  const json = require('express').json({ limit: '1mb' });
+  // ── Public: salon page ──────────────────────────────────────────────────────
+  app.get('/plugin/salon', (req, res) => {
+    const config  = loadConfig();
+    const tenants = loadTenants();
+    const events  = loadEvents();
+    const active  = Object.values(tenants).filter(t => t.status === 'active')
+      .sort((a, b) => b.registeredAt - a.registeredAt);
+    res.send(generateSalonPage(config, active, events));
+  });
+  // ── Public: config (for wiki item) ─────────────────────────────────────────
+  app.get('/plugin/salon/config', (req, res) => {
+    const config = loadConfig();
+    const { registrationMode, title, description } = config;
+    const tenants = loadTenants();
+    const pendingCount = Object.values(tenants).filter(t => t.status === 'pending').length;
+    const activeCount  = Object.values(tenants).filter(t => t.status === 'active').length;
+    const isOwnerReq   = !!(app.securityhandler && app.securityhandler.isAuthorized(req));
+    const allyabaseUrl = config.allyabaseUrl ||
+      (config.joanUrl ? config.joanUrl.replace(/\/plugin\/allyabase\/joan$/, '') : '');
+    res.json({
+      registrationMode, title, description, pendingCount, activeCount,
+      isOwner: isOwnerReq,
+      ...(isOwnerReq && { allyabaseUrl })
+    });
+  });
+  // ── Owner: update config ────────────────────────────────────────────────────
+  app.post('/plugin/salon/config', owner, json, (req, res) => {
+    const config = loadConfig();
+    const { registrationMode, title, description, fromEmail, minnieHost, minniePort, joanUrl, allyabaseUrl } = req.body;
+    const modes = ['open', 'closed', 'grant'];
+    if (registrationMode && modes.includes(registrationMode)) config.registrationMode = registrationMode;
+    if (title && title.trim()) config.title = title.trim();
+    if (description !== undefined) config.description = description.trim();
+    if (fromEmail   !== undefined) config.fromEmail   = fromEmail.trim();
+    if (minnieHost  !== undefined) config.minnieHost  = minnieHost.trim();
+    if (minniePort  !== undefined) config.minniePort  = parseInt(minniePort) || 2525;
+    if (joanUrl     !== undefined) config.joanUrl     = joanUrl.trim();
+    if (allyabaseUrl !== undefined) {
+      config.allyabaseUrl = allyabaseUrl.trim();
+      config.joanUrl = allyabaseUrl.trim().replace(/\/$/, '') + '/plugin/allyabase/joan';
+    }
+    saveConfig(config);
+    const derivedAllyabaseUrl = config.allyabaseUrl ||
+      (config.joanUrl ? config.joanUrl.replace(/\/plugin\/allyabase\/joan$/, '') : '');
+    res.json({ success: true, allyabaseUrl: derivedAllyabaseUrl });
+  });
+  // ── Public: registration form ───────────────────────────────────────────────
+  app.get('/plugin/salon/register', (req, res) => {
+    const config = loadConfig();
+    if (config.registrationMode === 'closed') return res.send(generateClosedPage(config));
+    res.send(generateRegisterPage(config));
+  });
+  app.post('/plugin/salon/register', json, (req, res) => {
+    const config = loadConfig();
+    if (config.registrationMode === 'closed') {
+      return res.status(403).json({ error: 'Registration is closed' });
+    }
+    const { name = '', email = '', description = '', pubKey = '' } = req.body;
+    if (!name || name.trim().length < 2) {
+      return res.status(400).json({ error: 'Name is required (at least 2 characters)' });
+    }
+    if (name.trim().length > 80) {
+      return res.status(400).json({ error: 'Name too long (max 80 characters)' });
+    }
+    if (!email || !email.includes('@')) {
+      return res.status(400).json({ error: 'A valid email address is required' });
+    }
+    const tenants = loadTenants();
+    // Prevent duplicate email registrations
+    const eHash = hashEmail(email);
+    const existing = findTenantByEmailHash(tenants, eHash);
+    if (existing && existing.status !== 'denied') {
+      return res.status(409).json({ error: 'This email is already registered. Visit /plugin/salon/recover to manage your membership.' });
+    }
+    const uuid   = generateId();
+    const status = config.registrationMode === 'grant' ? 'pending' : 'active';
+    tenants[uuid] = {
+      uuid,
+      name:         name.trim(),
+      email:        email.toLowerCase().trim(),
+      emailHash:    eHash,
+      description:  description.trim().slice(0, 500),
+      pubKey:       pubKey.trim().slice(0, 130),
+      registeredAt: Date.now(),
+      status
+    };
+    saveTenants(tenants);
+    if (status === 'active') {
+      appendEvent({ source: 'salon', event: 'member_joined', data: { name: name.trim(), uuid } });
+    }
+    res.json({
+      success: true,
+      uuid,
+      status,
+      message: status === 'pending'
+        ? 'Application submitted — the wiki owner will review your request.'
+        : 'Welcome to the salon!'
+    });
+  });
+  // ── Public: tenant profile ──────────────────────────────────────────────────
+  app.get('/plugin/salon/tenant/:uuid', (req, res) => {
+    const tenants = loadTenants();
+    const tenant  = tenants[req.params.uuid];
+    if (!tenant || tenant.status !== 'active') return res.status(404).send(generateClosedPage(loadConfig()));
+    res.send(generateTenantPage(tenant));
+  });
+  // ── Public: event feed ──────────────────────────────────────────────────────
+  app.get('/plugin/salon/feed', (req, res) => {
+    const events  = loadEvents();
+    const limit   = Math.min(parseInt(req.query.limit) || 50, 200);
+    const source  = req.query.source;
+    const filtered = source ? events.filter(e => e.source === source) : events;
+    res.json(filtered.slice(0, limit));
+  });
+  app.get('/plugin/salon/feed.json', (req, res) => {
+    res.json(loadEvents().slice(0, 50));
+  });
+  // ── Public: notify (agora, lucille, etc. POST events here) ─────────────────
+  app.post('/plugin/salon/notify', json, (req, res) => {
+    const { source, event, tenantId, data = {} } = req.body;
+    if (!source || typeof source !== 'string' || source.length > 50) {
+      return res.status(400).json({ error: 'source required (string, max 50 chars)' });
+    }
+    if (!event || typeof event !== 'string' || event.length > 100) {
+      return res.status(400).json({ error: 'event required (string, max 100 chars)' });
+    }
+    appendEvent({
+      source:   source.slice(0, 50),
+      event:    event.slice(0, 100),
+      tenantId: tenantId || null,
+      data:     typeof data === 'object' ? data : {}
+    });
+    res.json({ success: true });
+  });
+  // ── Account recovery: send OTP via Joan ────────────────────────────────────
+  app.get('/plugin/salon/recover', (req, res) => {
+    res.send(generateRecoverPage(loadConfig()));
+  });
+  app.post('/plugin/salon/recover/send', json, async (req, res) => {
+    const { email } = req.body;
+    if (!email || !email.includes('@')) {
+      return res.status(400).json({ error: 'Valid email required' });
+    }
+    // Make sure this email is actually registered
+    const tenants = loadTenants();
+    const eHash   = hashEmail(email);
+    const tenant  = findTenantByEmailHash(tenants, eHash);
+    if (!tenant) {
+      // Don't reveal whether the email exists — just say "if registered, you'll get a code"
+      return res.json({ success: true });
+    }
+    const config = loadConfig();
+    try {
+      const result = await joanPost(config.joanUrl || 'http://localhost:3008', '/auth/email/send-otp', { email });
+      if (result.body && result.body.success) {
+        res.json({ success: true });
+      } else {
+        res.status(502).json({ error: 'Could not send code. Is Joan running?' });
+      }
+    } catch (err) {
+      console.error('salon: Joan OTP send error:', err.message);
+      res.status(502).json({ error: 'Could not reach Joan service' });
+    }
+  });
+  app.post('/plugin/salon/recover/verify', json, async (req, res) => {
+    const { email, code } = req.body;
+    if (!email || !code) {
+      return res.status(400).json({ error: 'Email and code required' });
+    }
+    const config = loadConfig();
+    try {
+      const result = await joanPost(config.joanUrl || 'http://localhost:3008', '/auth/email/verify-otp', { email, code });
+      if (result.body && result.body.valid) {
+        const eHash = result.body.emailHash || hashEmail(email);
+        res.json({ success: true, emailHash: eHash });
+      } else {
+        res.status(401).json({ error: result.body && result.body.error || 'Invalid or expired code' });
+      }
+    } catch (err) {
+      console.error('salon: Joan OTP verify error:', err.message);
+      res.status(502).json({ error: 'Could not reach Joan service' });
+    }
+  });
+  // ── Member self-service (authenticated by emailHash from Joan OTP) ──────────
+  app.get('/plugin/salon/member/:emailHash', (req, res) => {
+    const tenants = loadTenants();
+    const tenant  = findTenantByEmailHash(tenants, req.params.emailHash);
+    if (!tenant) return res.status(404).json({ error: 'Member not found' });
+    res.send(generateMemberPage(loadConfig(), tenant));
+  });
+  app.post('/plugin/salon/member/update', json, (req, res) => {
+    const { emailHash, name, description } = req.body;
+    if (!emailHash) return res.status(400).json({ error: 'emailHash required' });
+    const tenants = loadTenants();
+    const tenant  = findTenantByEmailHash(tenants, emailHash);
+    if (!tenant) return res.status(404).json({ error: 'Member not found' });
+    if (name && name.trim().length >= 2) tenant.name = name.trim().slice(0, 80);
+    if (description !== undefined) tenant.description = description.trim().slice(0, 500);
+    saveTenants(tenants);
+    res.json({ success: true });
+  });
+  app.post('/plugin/salon/member/leave', json, (req, res) => {
+    const { emailHash } = req.body;
+    if (!emailHash) return res.status(400).json({ error: 'emailHash required' });
+    const tenants = loadTenants();
+    const tenant  = findTenantByEmailHash(tenants, emailHash);
+    if (!tenant) return res.status(404).json({ error: 'Member not found' });
+    delete tenants[tenant.uuid];
+    saveTenants(tenants);
+    appendEvent({ source: 'salon', event: 'member_left', data: { name: tenant.name } });
+    res.json({ success: true });
+  });
+  // ── Owner: admin page ───────────────────────────────────────────────────────
+  app.get('/plugin/salon/admin', owner, (req, res) => {
+    res.send(generateAdminPage(loadConfig(), loadTenants()));
+  });
+  app.post('/plugin/salon/admin/grant/:uuid', owner, (req, res) => {
+    const tenants = loadTenants();
+    const t = tenants[req.params.uuid];
+    if (!t) return res.status(404).json({ error: 'Tenant not found' });
+    t.status = 'active';
+    saveTenants(tenants);
+    appendEvent({ source: 'salon', event: 'member_joined', data: { name: t.name, uuid: t.uuid } });
+    res.json({ success: true });
+  });
+  app.post('/plugin/salon/admin/deny/:uuid', owner, (req, res) => {
+    const tenants = loadTenants();
+    if (!tenants[req.params.uuid]) return res.status(404).json({ error: 'Tenant not found' });
+    tenants[req.params.uuid].status = 'denied';
+    saveTenants(tenants);
+    res.json({ success: true });
+  });
+  app.delete('/plugin/salon/admin/tenant/:uuid', owner, (req, res) => {
+    const tenants = loadTenants();
+    if (!tenants[req.params.uuid]) return res.status(404).json({ error: 'Tenant not found' });
+    delete tenants[req.params.uuid];
+    saveTenants(tenants);
+    res.json({ success: true });
+  });
+  // ── Owner: blast-email all active members ───────────────────────────────────
+  app.post('/plugin/salon/admin/announce', owner, json, async (req, res) => {
+    const { subject, message } = req.body;
+    if (!subject || !message) {
+      return res.status(400).json({ error: 'subject and message required' });
+    }
+    const config     = loadConfig();
+    const tenants    = loadTenants();
+    const recipients = Object.values(tenants).filter(t => t.status === 'active' && t.email);
+    if (recipients.length === 0) {
+      return res.json({ success: true, sent: 0 });
+    }
+    const transporter = createTransporter(config);
+    const from = `"${config.title}" <${config.fromEmail || 'salon@planetnine.app'}>`;
+    let sent = 0;
+    for (const tenant of recipients) {
+      try {
+        await transporter.sendMail({
+          from,
+          to: tenant.email,
+          subject: subject.slice(0, 200),
+          text: `${message}\n\n—\nManage your membership: /plugin/salon/recover`
+        });
+        sent++;
+      } catch (err) {
+        console.error(`salon: announce email failed for ${tenant.email}:`, err.message);
+      }
+    }
+    res.json({ success: true, sent });
+  });
+  // ── Freyja federation page ──────────────────────────────────────────────────
+  app.get('/plugin/salon/federation', (req, res) => {
+    res.send(generateFederationPage('salon'));
+  });
+  console.log('✅ wiki-plugin-salon ready');
+  console.log('   /plugin/salon          → public salon page');
+  console.log('   /plugin/salon/register → self-registration');
+  console.log('   /plugin/salon/recover  → account recovery (Joan OTP)');
+  console.log('   /plugin/salon/admin    → owner admin (requires owner auth)');
+  console.log('   /plugin/salon/notify   → event intake from agora, lucille, etc.');
+}
+module.exports = { startServer };
+}).call(this);