xinyu-pro 0.21.0

package/app/api/plugins/export/route.ts

@@ -0,0 +1,122 @@
+// app/api/plugins/export/route.ts - 插件导出 API
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getDbPool } from '@/lib/db';
+import { ensureDb } from '@/lib/db-init';
+import { readPluginCode } from '@/lib/plugin-files';
+
+/** 解析 JSON 字段 */
+function parseJsonField<T>(value: unknown): T {
+  if (typeof value === 'string') {
+    try { return JSON.parse(value) as T; } catch { return value as unknown as T; }
+  }
+  return value as T;
+}
+
+/** 解析权限字段（兼容旧格式数组和当前结构化对象） */
+function parsePermissions(value: unknown): {
+  commonPermissions?: string[];
+  exclusivePermissions?: string[];
+  requiredPermissions?: string[];
+} {
+  const raw = parseJsonField<unknown>(value);
+  if (Array.isArray(raw)) {
+    return { commonPermissions: raw };
+  }
+  if (raw && typeof raw === 'object') {
+    const perms = raw as Record<string, unknown>;
+    return {
+      commonPermissions: (perms.commonPermissions as string[]) || [],
+      exclusivePermissions: (perms.exclusivePermissions as string[]) || [],
+      requiredPermissions: (perms.requiredPermissions as string[]) || [],
+    };
+  }
+  return {};
+}
+
+/** 将数据库行转换为插件对象（导出格式，不含 code，需异步填充） */
+function rowToPlugin(row: Record<string, unknown>) {
+  const perms = parsePermissions(row.ui_permissions);
+  return {
+    id: row.id,
+    name: row.name,
+    version: row.version,
+    description: row.description,
+    author: row.author,
+    type: row.type,
+    icon: row.icon,
+    minAppVersion: row.min_app_version,
+    code: '', // 将由 fillPluginCode 异步填充
+    configSchema: parseJsonField(row.config_schema),
+    uiSlots: parseJsonField(row.ui_slots),
+    ...perms,
+    publicExports: parseJsonField(row.public_exports),
+    dependencies: parseJsonField(row.dependencies),
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+/** 异步填充插件代码 */
+async function fillPluginCode(plugin: ReturnType<typeof rowToPlugin>): Promise<typeof plugin> {
+  try {
+    plugin.code = await readPluginCode(plugin.id as string);
+  } catch {
+    plugin.code = '';
+  }
+  return plugin;
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('id');
+
+    if (pluginId) {
+      // 导出单个插件（直接返回插件对象，不带 format 包裹）
+      const [rows] = await db.execute(
+        'SELECT * FROM extensions WHERE id = ?',
+        [pluginId]
+      ) as [Record<string, unknown>[], unknown];
+
+      if (rows.length === 0) {
+        return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+      }
+
+      const plugin = await fillPluginCode(rowToPlugin(rows[0]));
+
+      return new NextResponse(JSON.stringify(plugin, null, 2), {
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Disposition': `attachment; filename="${pluginId}.json"`,
+        },
+      });
+    }
+
+    // 导出全部插件（多插件包格式）
+    const [rows] = await db.execute(
+      'SELECT * FROM extensions ORDER BY updated_at DESC'
+    ) as [Record<string, unknown>[], unknown];
+
+    const plugins = await Promise.all(rows.map(r => fillPluginCode(rowToPlugin(r))));
+
+    const exportData = {
+      format: 'xinyu-extension-v1',
+      exportedAt: new Date().toISOString(),
+      plugins,
+    };
+
+    return new NextResponse(JSON.stringify(exportData, null, 2), {
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Disposition': `attachment; filename="xinyu-plugins-${Date.now()}.json"`,
+      },
+    });
+  } catch (e) {
+    console.error('导出插件失败:', e);
+    return NextResponse.json({ error: '导出插件失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/export-xye/route.ts

@@ -0,0 +1,156 @@
+// app/api/plugins/export-xye/route.ts - 导出插件为 .xye 包（ZIP 格式）
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getDbPool } from '@/lib/db';
+import { ensureDb } from '@/lib/db-init';
+import { getPluginDir, readPluginCode } from '@/lib/plugin-files';
+import { listPluginFiles } from '@/lib/plugin-files';
+import AdmZip from 'adm-zip';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+/** 解析 JSON 字段 */
+function parseJsonField<T>(value: unknown): T {
+  if (typeof value === 'string') {
+    try { return JSON.parse(value) as T; } catch { return value as unknown as T; }
+  }
+  return value as T;
+}
+
+/** 解析权限字段 */
+function parsePermissions(value: unknown): {
+  commonPermissions?: string[];
+  exclusivePermissions?: string[];
+  requiredPermissions?: string[];
+} {
+  const raw = parseJsonField<unknown>(value);
+  if (Array.isArray(raw)) {
+    return { commonPermissions: raw };
+  }
+  if (raw && typeof raw === 'object') {
+    const perms = raw as Record<string, unknown>;
+    return {
+      commonPermissions: (perms.commonPermissions as string[]) || [],
+      exclusivePermissions: (perms.exclusivePermissions as string[]) || [],
+      requiredPermissions: (perms.requiredPermissions as string[]) || [],
+    };
+  }
+  return {};
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('id');
+
+    if (!pluginId) {
+      return NextResponse.json({ error: '缺少 id 参数' }, { status: 400 });
+    }
+
+    const [rows] = await db.execute(
+      'SELECT * FROM extensions WHERE id = ?',
+      [pluginId]
+    ) as [Record<string, unknown>[], unknown];
+
+    if (rows.length === 0) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    const row = rows[0];
+    const perms = parsePermissions(row.ui_permissions);
+    const pluginDir = getPluginDir(pluginId);
+
+    // 检查是否已有 manifest.json（.xye 格式插件）
+    const manifestPath = path.join(pluginDir, 'manifest.json');
+    let hasManifest = false;
+    try {
+      await fs.access(manifestPath);
+      hasManifest = true;
+    } catch { /* 不存在 */ }
+
+    const zip = new AdmZip();
+
+    if (hasManifest) {
+      // 已有 manifest.json：直接打包所有文件
+      const files = await listPluginFiles(pluginId);
+      for (const filePath of files) {
+        const fullPath = path.join(pluginDir, filePath);
+        try {
+          const stat = await fs.stat(fullPath);
+          if (stat.isFile()) {
+            const content = await fs.readFile(fullPath);
+            zip.addFile(filePath, content);
+          }
+        } catch { /* skip */ }
+      }
+    } else {
+      // 单 JS 插件：生成 manifest.json + 打包代码
+      let code = '';
+      try {
+        code = await readPluginCode(pluginId);
+      } catch { /* empty */ }
+
+      // 从 code_path 提取入口文件名
+      const codePath = row.code_path as string || '';
+      const entryName = codePath ? codePath.split('/').pop() || 'plugin.js' : 'plugin.js';
+
+      // 生成 manifest.json
+      const manifest: Record<string, unknown> = {
+        pluginEntry: entryName,
+        id: row.id,
+        name: row.name,
+        version: row.version,
+        type: row.type,
+      };
+      if (row.description) manifest.description = row.description;
+      if (row.author) manifest.author = row.author;
+      if (row.icon) manifest.icon = row.icon;
+      if (row.min_app_version) manifest.minAppVersion = row.min_app_version;
+      const configSchema = parseJsonField(row.config_schema);
+      if (Array.isArray(configSchema) && configSchema.length > 0) manifest.configSchema = configSchema;
+      if (perms.commonPermissions?.length) manifest.commonPermissions = perms.commonPermissions;
+      if (perms.exclusivePermissions?.length) manifest.exclusivePermissions = perms.exclusivePermissions;
+      if (perms.requiredPermissions?.length) manifest.requiredPermissions = perms.requiredPermissions;
+      const publicExports = parseJsonField(row.public_exports);
+      if (publicExports) manifest.publicExports = publicExports;
+      const dependencies = parseJsonField(row.dependencies);
+      if (dependencies) manifest.dependencies = dependencies;
+
+      zip.addFile('manifest.json', Buffer.from(JSON.stringify(manifest, null, 2), 'utf-8'));
+      zip.addFile(entryName, Buffer.from(code, 'utf-8'));
+
+      // 打包其他资源文件（如果有）
+      try {
+        const files = await listPluginFiles(pluginId);
+        for (const filePath of files) {
+          if (filePath === entryName) continue; // 跳过入口文件（已添加）
+          const fullPath = path.join(pluginDir, filePath);
+          try {
+            const stat = await fs.stat(fullPath);
+            if (stat.isFile()) {
+              const content = await fs.readFile(fullPath);
+              zip.addFile(filePath, content);
+            }
+          } catch { /* skip */ }
+        }
+      } catch { /* 无额外文件 */ }
+    }
+
+    const zipBuffer = zip.toBuffer();
+    const fileName = `${pluginId}.xye`;
+
+    return new NextResponse(zipBuffer, {
+      headers: {
+        'Content-Type': 'application/octet-stream',
+        'Content-Disposition': `attachment; filename="${fileName}"`,
+        'Content-Length': String(zipBuffer.length),
+      },
+    });
+  } catch (e) {
+    console.error('导出 .xye 失败:', e);
+    return NextResponse.json({ error: '导出失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/files/route.ts

@@ -0,0 +1,146 @@
+// app/api/plugins/files/route.ts - 插件文件操作 API
+
+import { NextRequest, NextResponse } from 'next/server';
+import { promises as fs } from 'fs';
+import path from 'path';
+
+/** 插件私有数据文件根目录 */
+const PLUGIN_FILES_ROOT = path.join(process.cwd(), 'data', 'plugins');
+
+/** 验证 pluginId 格式（防止路径遍历攻击） */
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200 && !id.includes('..');
+}
+
+/** 验证文件名格式（防止路径遍历） */
+function isValidFileName(name: string): boolean {
+  // 禁止路径分隔符、.. 和空名称
+  return typeof name === 'string' &&
+    name.length > 0 &&
+    name.length <= 255 &&
+    !name.includes('..') &&
+    !name.includes('/') &&
+    !name.includes('\\') &&
+    !name.includes('\0');
+}
+
+/** 获取插件的私有数据目录路径（resources 子目录） */
+function getPluginDir(pluginId: string): string {
+  return path.join(PLUGIN_FILES_ROOT, pluginId, 'resources');
+}
+
+/** 确保目录存在 */
+async function ensureDir(dir: string): Promise<void> {
+  await fs.mkdir(dir, { recursive: true });
+}
+
+// GET /api/plugins/files?pluginId=xxx&fileName=yyy — 读取文件
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const fileName = searchParams.get('fileName');
+
+    if (!pluginId || !isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '无效的插件 ID' }, { status: 400 });
+    }
+
+    if (fileName) {
+      // 读取单个文件
+      if (!isValidFileName(fileName)) {
+        return NextResponse.json({ error: '无效的文件名' }, { status: 400 });
+      }
+      const filePath = path.join(getPluginDir(pluginId), fileName);
+      // 安全检查：确保解析后的路径仍在插件目录内
+      if (!filePath.startsWith(getPluginDir(pluginId))) {
+        return NextResponse.json({ error: '路径越界' }, { status: 403 });
+      }
+      try {
+        const content = await fs.readFile(filePath, 'utf-8');
+        return NextResponse.json({ success: true, content });
+      } catch {
+        return NextResponse.json({ success: true, content: null });
+      }
+    } else {
+      // 列出所有文件
+      const dir = getPluginDir(pluginId);
+      await ensureDir(dir);
+      const files = await fs.readdir(dir);
+      return NextResponse.json({ success: true, files });
+    }
+  } catch (e) {
+    console.error('[PluginFiles] GET error:', e);
+    return NextResponse.json({ error: '读取文件失败' }, { status: 500 });
+  }
+}
+
+// PUT /api/plugins/files — 写入文件
+export async function PUT(request: NextRequest) {
+  try {
+    const body = await request.json();
+    const { pluginId, fileName, content } = body;
+
+    if (!pluginId || !isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '无效的插件 ID' }, { status: 400 });
+    }
+    if (!isValidFileName(fileName)) {
+      return NextResponse.json({ error: '无效的文件名' }, { status: 400 });
+    }
+
+    const dir = getPluginDir(pluginId);
+    await ensureDir(dir);
+    const filePath = path.join(dir, fileName);
+
+    // 安全检查
+    if (!filePath.startsWith(dir)) {
+      return NextResponse.json({ error: '路径越界' }, { status: 403 });
+    }
+
+    await fs.writeFile(filePath, typeof content === 'string' ? content : JSON.stringify(content), 'utf-8');
+    return NextResponse.json({ success: true });
+  } catch (e) {
+    console.error('[PluginFiles] PUT error:', e);
+    return NextResponse.json({ error: '写入文件失败' }, { status: 500 });
+  }
+}
+
+// DELETE /api/plugins/files?pluginId=xxx&fileName=yyy — 删除文件
+export async function DELETE(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const fileName = searchParams.get('fileName');
+
+    if (!pluginId || !isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '无效的插件 ID' }, { status: 400 });
+    }
+
+    if (fileName) {
+      if (!isValidFileName(fileName)) {
+        return NextResponse.json({ error: '无效的文件名' }, { status: 400 });
+      }
+      const filePath = path.join(getPluginDir(pluginId), fileName);
+      if (!filePath.startsWith(getPluginDir(pluginId))) {
+        return NextResponse.json({ error: '路径越界' }, { status: 403 });
+      }
+      try {
+        await fs.unlink(filePath);
+      } catch {
+        // 文件不存在，忽略
+      }
+    } else {
+      // 删除整个插件目录
+      const dir = getPluginDir(pluginId);
+      try {
+        await fs.rm(dir, { recursive: true, force: true });
+      } catch {
+        // 目录不存在，忽略
+      }
+    }
+
+    return NextResponse.json({ success: true });
+  } catch (e) {
+    console.error('[PluginFiles] DELETE error:', e);
+    return NextResponse.json({ error: '删除文件失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/files-list/route.ts

@@ -0,0 +1,168 @@
+// app/api/plugins/files-list/route.ts - 列出插件目录文件 + 读取文件内容
+
+import { NextRequest, NextResponse } from 'next/server';
+import { ensureDb } from '@/lib/db-init';
+import { getDbPool } from '@/lib/db';
+import { listPluginFiles, readPluginResourceText } from '@/lib/plugin-files';
+import path from 'path';
+
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200 && !id.includes('..');
+}
+
+function isSafePath(filePath: string): boolean {
+  const normalized = path.normalize(filePath);
+  return !normalized.includes('..') && !path.isAbsolute(normalized) && normalized !== '';
+}
+
+/** 获取文件图标 */
+function getFileIcon(fileName: string): string {
+  const ext = path.extname(fileName).toLowerCase();
+  const icons: Record<string, string> = {
+    '.js': 'fa-brands fa-js', '.json': 'fa-solid fa-file-code', '.css': 'fa-brands fa-css3-alt',
+    '.html': 'fa-brands fa-html5', '.md': 'fa-brands fa-markdown', '.svg': 'fa-solid fa-bezier-curve',
+    '.png': 'fa-solid fa-image', '.jpg': 'fa-solid fa-image', '.jpeg': 'fa-solid fa-image',
+    '.gif': 'fa-solid fa-image', '.webp': 'fa-solid fa-image',
+    '.mp3': 'fa-solid fa-music', '.wav': 'fa-solid fa-wave-square', '.ogg': 'fa-solid fa-music',
+    '.mp4': 'fa-solid fa-film', '.webm': 'fa-solid fa-film',
+    '.txt': 'fa-solid fa-file-lines', '.ts': 'fa-brands fa-js', '.tsx': 'fa-brands fa-react',
+    '.jsx': 'fa-brands fa-react',
+    '.ttf': 'fa-solid fa-font', '.woff': 'fa-solid fa-font', '.woff2': 'fa-solid fa-font',
+    '.zip': 'fa-solid fa-file-zipper', '.xye': 'fa-solid fa-file-zipper',
+    '.pdf': 'fa-solid fa-file-pdf',
+  };
+  return icons[ext] || 'fa-solid fa-file';
+}
+
+/** 判断文件是否可编辑（文本文件） */
+function isEditableFile(fileName: string): boolean {
+  const ext = path.extname(fileName).toLowerCase();
+  return ['.js', '.json', '.css', '.html', '.md', '.txt', '.svg', '.ts', '.jsx', '.tsx'].includes(ext);
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const filePath = searchParams.get('path');
+
+    if (!pluginId) {
+      return NextResponse.json({ error: '缺少 pluginId 参数' }, { status: 400 });
+    }
+
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+
+    // 验证插件存在
+    await ensureDb();
+    const db = getDbPool();
+    const [rows] = await db.execute(
+      'SELECT id FROM extensions WHERE id = ?',
+      [pluginId]
+    ) as [Array<{ id: string }>, unknown];
+
+    if (rows.length === 0) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    // 如果指定了 path，读取文件内容
+    if (filePath) {
+      if (!isSafePath(filePath)) {
+        return NextResponse.json({ error: '非法文件路径' }, { status: 400 });
+      }
+      try {
+        const content = await readPluginResourceText(pluginId, filePath);
+        return NextResponse.json({
+          path: filePath,
+          content,
+          editable: isEditableFile(filePath),
+        });
+      } catch {
+        return NextResponse.json({ error: '文件不存在' }, { status: 404 });
+      }
+    }
+
+    // 否则列出所有文件
+    const files = await listPluginFiles(pluginId);
+
+    // 构建文件树
+    const tree: Array<{ name: string; path: string; icon: string; editable: boolean; type: 'file' | 'dir'; children?: typeof tree }> = [];
+    const dirMap = new Map<string, typeof tree>();
+
+    for (const filePath of files) {
+      // 统一路径分隔符为正斜杠
+      const normalizedPath = filePath.replace(/\\/g, '/');
+
+      // 以 / 结尾的是空目录
+      if (normalizedPath.endsWith('/')) {
+        const dirPath = normalizedPath.slice(0, -1);
+        const parts = dirPath.split('/');
+        let currentDir = tree;
+        for (let i = 0; i < parts.length; i++) {
+          const part = parts[i];
+          const fullPath = parts.slice(0, i + 1).join('/');
+          if (!dirMap.has(fullPath)) {
+            const dir: typeof tree[0] & { children: typeof tree } = {
+              name: part,
+              path: fullPath,
+              icon: 'fa-solid fa-folder',
+              editable: false,
+              type: 'dir',
+              children: [],
+            };
+            dirMap.set(fullPath, dir.children);
+            currentDir.push(dir);
+          }
+          currentDir = dirMap.get(fullPath)!;
+        }
+        continue;
+      }
+
+      const parts = normalizedPath.split('/');
+      let currentDir = tree;
+
+      for (let i = 0; i < parts.length; i++) {
+        const part = parts[i];
+        const isFile = i === parts.length - 1;
+        const fullPath = parts.slice(0, i + 1).join('/');
+
+        if (isFile) {
+          currentDir.push({
+            name: part,
+            path: fullPath,
+            icon: getFileIcon(part),
+            editable: isEditableFile(part),
+            type: 'file',
+          });
+        } else {
+          if (!dirMap.has(fullPath)) {
+            const dir: typeof tree[0] & { children: typeof tree } = {
+              name: part,
+              path: fullPath,
+              icon: 'fa-solid fa-folder',
+              editable: false,
+              type: 'dir',
+              children: [],
+            };
+            dirMap.set(fullPath, dir.children);
+            currentDir.push(dir);
+          }
+          currentDir = dirMap.get(fullPath)!;
+        }
+      }
+    }
+
+    // 检查是否为 .xye 格式（目录下有 manifest.json）
+    const isXye = files.includes('manifest.json');
+
+    return NextResponse.json({
+      pluginId,
+      isXye,
+      files: tree,
+    });
+  } catch (e) {
+    console.error('列出插件文件失败:', e);
+    return NextResponse.json({ error: '列出文件失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/files-upload/route.ts

@@ -0,0 +1,101 @@
+// app/api/plugins/files-upload/route.ts - 插件资源文件上传
+
+import { NextRequest, NextResponse } from 'next/server';
+import { ensureDb } from '@/lib/db-init';
+import { getDbPool } from '@/lib/db';
+import { getPluginDir } from '@/lib/plugin-files';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200 && !id.includes('..');
+}
+
+function isSafePath(filePath: string): boolean {
+  const normalized = path.normalize(filePath);
+  return !normalized.includes('..') && !path.isAbsolute(normalized) && normalized !== '';
+}
+
+/** 验证插件存在 */
+async function verifyPlugin(pluginId: string) {
+  await ensureDb();
+  const db = getDbPool();
+  const [rows] = await db.execute(
+    'SELECT id FROM extensions WHERE id = ?',
+    [pluginId]
+  ) as [Array<{ id: string }>, unknown];
+  if (rows.length === 0) {
+    return null;
+  }
+  return db;
+}
+
+// ==================== POST: 上传资源文件 ====================
+
+export async function POST(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const targetDir = searchParams.get('dir') || ''; // 可选：目标子目录
+
+    if (!pluginId) {
+      return NextResponse.json({ error: '缺少 pluginId 参数' }, { status: 400 });
+    }
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+    if (targetDir && !isSafePath(targetDir)) {
+      return NextResponse.json({ error: '非法目标目录' }, { status: 400 });
+    }
+
+    const db = await verifyPlugin(pluginId);
+    if (!db) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    const formData = await request.formData();
+    const files = formData.getAll('files');
+
+    if (!files || files.length === 0) {
+      return NextResponse.json({ error: '没有选择文件' }, { status: 400 });
+    }
+
+    const pluginDir = getPluginDir(pluginId);
+    const uploadDir = targetDir ? path.join(pluginDir, targetDir) : pluginDir;
+
+    // 确保目标目录存在
+    await fs.mkdir(uploadDir, { recursive: true });
+
+    const uploadedFiles: string[] = [];
+
+    for (const file of files) {
+      if (!(file instanceof File)) continue;
+
+      // 安全检查：文件名不能包含路径遍历
+      const fileName = path.basename(file.name);
+      if (!fileName || fileName === '.' || fileName === '..') continue;
+
+      // 限制单个文件大小（10MB）
+      if (file.size > 10 * 1024 * 1024) {
+        return NextResponse.json({ error: `文件 ${fileName} 超过 10MB 限制` }, { status: 400 });
+      }
+
+      const filePath = path.join(uploadDir, fileName);
+      const buffer = Buffer.from(await file.arrayBuffer());
+      await fs.writeFile(filePath, buffer);
+
+      // 返回相对于插件根目录的路径
+      const relativePath = targetDir ? `${targetDir}/${fileName}` : fileName;
+      uploadedFiles.push(relativePath);
+    }
+
+    return NextResponse.json({
+      success: true,
+      files: uploadedFiles,
+      count: uploadedFiles.length,
+    });
+  } catch (e) {
+    console.error('上传文件失败:', e);
+    return NextResponse.json({ error: '上传文件失败' }, { status: 500 });
+  }
+}