xinyu-pro 0.21.0

package/app/api/plugins/files-write/route.ts

@@ -0,0 +1,272 @@
+// app/api/plugins/files-write/route.ts - 插件文件写入/删除/新建/重命名
+
+import { NextRequest, NextResponse } from 'next/server';
+import { ensureDb } from '@/lib/db-init';
+import { getDbPool } from '@/lib/db';
+import { writePluginResource, getPluginDir } from '@/lib/plugin-files';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200 && !id.includes('..');
+}
+
+function isSafePath(filePath: string): boolean {
+  const normalized = path.normalize(filePath);
+  return !normalized.includes('..') && !path.isAbsolute(normalized) && normalized !== '';
+}
+
+/** 验证插件存在 */
+async function verifyPlugin(pluginId: string) {
+  await ensureDb();
+  const db = getDbPool();
+  const [rows] = await db.execute(
+    'SELECT id FROM extensions WHERE id = ?',
+    [pluginId]
+  ) as [Array<{ id: string }>, unknown];
+  if (rows.length === 0) {
+    return null;
+  }
+  return db;
+}
+
+/** 同步 manifest.json 到数据库 */
+async function syncManifestToDb(db: ReturnType<typeof getDbPool>, pluginId: string, content: string) {
+  try {
+    const manifest = JSON.parse(content);
+    const updates: string[] = [];
+    const params: (string | null)[] = [];
+
+    if (manifest.name) { updates.push('name = ?'); params.push(String(manifest.name)); }
+    if (manifest.version) { updates.push('version = ?'); params.push(String(manifest.version)); }
+    if (manifest.description !== undefined) { updates.push('description = ?'); params.push(String(manifest.description || '')); }
+    if (manifest.author !== undefined) { updates.push('author = ?'); params.push(String(manifest.author || '')); }
+    if (manifest.type) { updates.push('type = ?'); params.push(String(manifest.type)); }
+    if (manifest.icon !== undefined) { updates.push('icon = ?'); params.push(String(manifest.icon || '')); }
+    if (manifest.minAppVersion !== undefined) { updates.push('min_app_version = ?'); params.push(String(manifest.minAppVersion || '')); }
+    if (manifest.configSchema) { updates.push('config_schema = ?'); params.push(JSON.stringify(manifest.configSchema)); }
+    if (manifest.commonPermissions || manifest.exclusivePermissions || manifest.requiredPermissions) {
+      updates.push('ui_permissions = ?');
+      params.push(JSON.stringify({
+        commonPermissions: manifest.commonPermissions || [],
+        exclusivePermissions: manifest.exclusivePermissions || [],
+        requiredPermissions: manifest.requiredPermissions || [],
+      }));
+    }
+    if (manifest.publicExports !== undefined) { updates.push('public_exports = ?'); params.push(JSON.stringify(manifest.publicExports)); }
+    if (manifest.dependencies !== undefined) { updates.push('dependencies = ?'); params.push(JSON.stringify(manifest.dependencies)); }
+
+    if (updates.length > 0) {
+      params.push(pluginId);
+      await db.execute(`UPDATE extensions SET ${updates.join(', ')} WHERE id = ?`, params);
+    }
+  } catch (e) {
+    console.error('同步 manifest 到数据库失败:', e);
+  }
+}
+
+// ==================== PUT: 写入文件内容 ====================
+
+export async function PUT(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const filePath = searchParams.get('path');
+
+    if (!pluginId || !filePath) {
+      return NextResponse.json({ error: '缺少 pluginId 或 path 参数' }, { status: 400 });
+    }
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+    if (!isSafePath(filePath)) {
+      return NextResponse.json({ error: '非法文件路径' }, { status: 400 });
+    }
+
+    const db = await verifyPlugin(pluginId);
+    if (!db) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    const body = await request.json();
+    const content = body.content;
+
+    if (typeof content !== 'string') {
+      return NextResponse.json({ error: 'content 必须是字符串' }, { status: 400 });
+    }
+
+    await writePluginResource(pluginId, filePath, content);
+
+    if (filePath === 'manifest.json') {
+      await syncManifestToDb(db, pluginId, content);
+    }
+
+    return NextResponse.json({ success: true, path: filePath });
+  } catch (e) {
+    console.error('写入插件文件失败:', e);
+    return NextResponse.json({ error: '写入文件失败' }, { status: 500 });
+  }
+}
+
+// ==================== POST: 新建文件或文件夹 ====================
+
+export async function POST(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+
+    if (!pluginId) {
+      return NextResponse.json({ error: '缺少 pluginId 参数' }, { status: 400 });
+    }
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+
+    const db = await verifyPlugin(pluginId);
+    if (!db) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    const body = await request.json();
+    const { path: filePath, type, content } = body;
+
+    if (!filePath || typeof filePath !== 'string') {
+      return NextResponse.json({ error: '缺少 path 参数' }, { status: 400 });
+    }
+    if (!isSafePath(filePath)) {
+      return NextResponse.json({ error: '非法文件路径' }, { status: 400 });
+    }
+
+    const pluginDir = getPluginDir(pluginId);
+    const fullPath = path.join(pluginDir, filePath);
+
+    if (type === 'dir') {
+      await fs.mkdir(fullPath, { recursive: true });
+    } else {
+      await fs.mkdir(path.dirname(fullPath), { recursive: true });
+      await fs.writeFile(fullPath, content || '', 'utf-8');
+    }
+
+    return NextResponse.json({ success: true, path: filePath, type: type || 'file' });
+  } catch (e) {
+    console.error('新建文件失败:', e);
+    return NextResponse.json({ error: '新建文件失败' }, { status: 500 });
+  }
+}
+
+// ==================== DELETE: 删除文件或文件夹 ====================
+
+export async function DELETE(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const filePath = searchParams.get('path');
+
+    if (!pluginId || !filePath) {
+      return NextResponse.json({ error: '缺少 pluginId 或 path 参数' }, { status: 400 });
+    }
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+    if (!isSafePath(filePath)) {
+      return NextResponse.json({ error: '非法文件路径' }, { status: 400 });
+    }
+
+    // 禁止删除关键文件：manifest.json、入口文件、resources 目录本身
+    if (filePath === 'manifest.json') {
+      return NextResponse.json({ error: '不能删除 manifest.json' }, { status: 400 });
+    }
+    if (filePath === 'resources') {
+      return NextResponse.json({ error: '不能删除 resources 目录（资源文件目录，仅支持删除其中的文件）' }, { status: 400 });
+    }
+
+    const db = await verifyPlugin(pluginId);
+    if (!db) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    // 从数据库读取 code_path，提取入口文件名，禁止删除入口文件
+    const [rows] = await db.execute(
+      'SELECT code_path FROM extensions WHERE id = ?',
+      [pluginId]
+    ) as [Array<{ code_path: string }>, unknown];
+    if (rows.length > 0 && rows[0].code_path) {
+      const entryFile = rows[0].code_path.split('/').pop();
+      if (entryFile && filePath === entryFile) {
+        return NextResponse.json({ error: `不能删除入口文件 ${entryFile}` }, { status: 400 });
+      }
+    }
+
+    const pluginDir = getPluginDir(pluginId);
+    const fullPath = path.join(pluginDir, filePath);
+
+    try {
+      const stat = await fs.stat(fullPath);
+      if (stat.isDirectory()) {
+        await fs.rm(fullPath, { recursive: true, force: true });
+      } else {
+        await fs.unlink(fullPath);
+      }
+    } catch {
+      return NextResponse.json({ error: '文件不存在' }, { status: 404 });
+    }
+
+    return NextResponse.json({ success: true, path: filePath });
+  } catch (e) {
+    console.error('删除文件失败:', e);
+    return NextResponse.json({ error: '删除文件失败' }, { status: 500 });
+  }
+}
+
+// ==================== PATCH: 重命名/移动文件 ====================
+
+export async function PATCH(request: NextRequest) {
+  try {
+    const { searchParams } = new URL(request.url);
+    const pluginId = searchParams.get('pluginId');
+    const filePath = searchParams.get('path');
+
+    if (!pluginId || !filePath) {
+      return NextResponse.json({ error: '缺少 pluginId 或 path 参数' }, { status: 400 });
+    }
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: '非法插件 ID' }, { status: 400 });
+    }
+    if (!isSafePath(filePath)) {
+      return NextResponse.json({ error: '非法文件路径' }, { status: 400 });
+    }
+
+    const db = await verifyPlugin(pluginId);
+    if (!db) {
+      return NextResponse.json({ error: '插件不存在' }, { status: 404 });
+    }
+
+    const body = await request.json();
+    const newPath = body.newPath;
+
+    if (!newPath || typeof newPath !== 'string') {
+      return NextResponse.json({ error: '缺少 newPath 参数' }, { status: 400 });
+    }
+    if (!isSafePath(newPath)) {
+      return NextResponse.json({ error: '非法目标路径' }, { status: 400 });
+    }
+
+    const pluginDir = getPluginDir(pluginId);
+    const oldFullPath = path.join(pluginDir, filePath);
+    const newFullPath = path.join(pluginDir, newPath);
+
+    try {
+      await fs.stat(oldFullPath);
+    } catch {
+      return NextResponse.json({ error: '源文件不存在' }, { status: 404 });
+    }
+
+    await fs.mkdir(path.dirname(newFullPath), { recursive: true });
+    await fs.rename(oldFullPath, newFullPath);
+
+    return NextResponse.json({ success: true, from: filePath, to: newPath });
+  } catch (e) {
+    console.error('重命名文件失败:', e);
+    return NextResponse.json({ error: '重命名文件失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/import/route.ts

@@ -0,0 +1,140 @@
+// app/api/plugins/import/route.ts - 插件导入 API
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getDbPool } from '@/lib/db';
+import { ensureDb } from '@/lib/db-init';
+import { parseManifestFromCode } from '@/lib/manifest-parser';
+import { writePluginCode } from '@/lib/plugin-files';
+
+/** 校验插件 ID 合法性（只允许字母、数字、连字符、下划线、点） */
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200;
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+    const body = await request.json();
+
+    // 支持两种格式：完整导出格式 或 直接传入插件数组
+    let plugins: Array<Record<string, unknown>> = [];
+
+    if (body.format === 'xinyu-extension-v1' && Array.isArray(body.plugins)) {
+      plugins = body.plugins;
+    } else if (Array.isArray(body)) {
+      plugins = body;
+    } else if (body.id && body.code) {
+      // 单个插件
+      plugins = [body];
+    } else {
+      return NextResponse.json({ error: '无效的导入格式' }, { status: 400 });
+    }
+
+    let imported = 0;
+    let skipped = 0;
+
+    // 使用事务保证原子性：要么全部成功，要么全部回滚
+    const conn = await db.getConnection();
+    try {
+      await conn.beginTransaction();
+
+      for (const plugin of plugins) {
+        const pId = String(plugin.id || '');
+        const pName = String(plugin.name || '');
+        const pVersion = String(plugin.version || '');
+        const pDescription = String(plugin.description || '');
+        const pAuthor = String(plugin.author || '');
+        const pType = String(plugin.type || '');
+        const pIcon = String(plugin.icon || '');
+        const pMinAppVersion = String(plugin.minAppVersion || '');
+        const pCode = String(plugin.code || '');
+        const pConfigSchema = JSON.stringify(plugin.configSchema || []);
+        const pUiSlots = JSON.stringify(plugin.uiSlots || []);
+
+        // 权限：优先使用 JSON 中的三个独立字段，兼容旧 uiPermissions 数组格式，最后兜底从代码注释解析
+        let commonPerms = Array.isArray(plugin.commonPermissions) ? plugin.commonPermissions : [];
+        const exclusivePerms = Array.isArray(plugin.exclusivePermissions) ? plugin.exclusivePermissions : [];
+        const requiredPerms = Array.isArray(plugin.requiredPermissions) ? plugin.requiredPermissions : [];
+
+        // 兼容旧格式：uiPermissions 数组 → 映射为 commonPermissions
+        if (commonPerms.length === 0 && exclusivePerms.length === 0 && requiredPerms.length === 0) {
+          const legacyPerms = plugin.uiPermissions;
+          if (Array.isArray(legacyPerms) && legacyPerms.length > 0) {
+            commonPerms = legacyPerms;
+          }
+        }
+
+        // 兜底：从代码注释解析权限
+        if (commonPerms.length === 0 && exclusivePerms.length === 0 && requiredPerms.length === 0) {
+          const parsed = parseManifestFromCode(pCode);
+          if (parsed.permissions && parsed.permissions.length > 0) {
+            commonPerms = parsed.permissions;
+          }
+        }
+
+        const pUiPermissions = (commonPerms.length > 0 || exclusivePerms.length > 0 || requiredPerms.length > 0)
+          ? JSON.stringify({ commonPermissions: commonPerms, exclusivePermissions: exclusivePerms, requiredPermissions: requiredPerms })
+          : null;
+
+        const pPublicExports = plugin.publicExports !== undefined ? JSON.stringify(plugin.publicExports) : null;
+        const pDependencies = plugin.dependencies !== undefined ? JSON.stringify(plugin.dependencies) : null;
+
+        // 校验必填字段和 ID 合法性
+        if (!pId || !pName || !pVersion || !pType || !pCode) {
+          skipped++;
+          continue;
+        }
+        if (!isValidPluginId(pId)) {
+          console.warn(`[导入] 跳过非法 ID 的插件: ${pId}`);
+          skipped++;
+          continue;
+        }
+
+        // 将代码写入文件
+        const codePath = await writePluginCode(pId, pCode);
+
+        const sql = `INSERT INTO extensions (id, name, version, description, author, type, icon, min_app_version, code_path, config_schema, ui_slots, ui_permissions, public_exports, dependencies) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ON DUPLICATE KEY UPDATE name = VALUES(name), version = VALUES(version), description = VALUES(description), author = VALUES(author), type = VALUES(type), icon = VALUES(icon), min_app_version = VALUES(min_app_version), code_path = VALUES(code_path), config_schema = VALUES(config_schema), ui_slots = VALUES(ui_slots), ui_permissions = VALUES(ui_permissions), public_exports = VALUES(public_exports), dependencies = VALUES(dependencies)`;
+        await conn.execute(sql, [pId, pName, pVersion, pDescription, pAuthor, pType, pIcon, pMinAppVersion, codePath, pConfigSchema, pUiSlots, pUiPermissions, pPublicExports, pDependencies]);
+
+        // 自动创建全局绑定，config 从 configSchema 的 defaultValue 填充
+        let defaultConfig: Record<string, unknown> = {};
+        try {
+          const schema = plugin.configSchema;
+          if (Array.isArray(schema) && schema.length > 0) {
+            for (const field of schema) {
+              if (field && typeof field === 'object' && 'key' in field && 'defaultValue' in field) {
+                defaultConfig[field.key as string] = field.defaultValue;
+              }
+            }
+          }
+        } catch { /* 解析失败时使用空对象 */ }
+        const configJson = Object.keys(defaultConfig).length > 0 ? JSON.stringify(defaultConfig) : '{}';
+
+        await conn.execute(
+          `INSERT INTO extension_bindings (extension_id, scope, world_id, enabled, config, sort_order) VALUES (?, 'global', '', TRUE, ?, 0) ON DUPLICATE KEY UPDATE enabled = VALUES(enabled)`,
+          [pId, configJson]
+        );
+
+        imported++;
+      }
+
+      await conn.commit();
+    } catch (e) {
+      try { await conn.rollback(); } catch { /* rollback 也失败时忽略 */ }
+      // 出错时销毁连接，防止错误状态的连接被放回连接池污染后续请求
+      conn.destroy();
+      throw e;
+    } finally {
+      // destroy 后 release 是空操作，正常路径走 release 归还连接
+      if (conn && typeof conn.release === 'function') {
+        try { conn.release(); } catch { /* ignore */ }
+      }
+    }
+
+    return NextResponse.json({ success: true, imported, skipped, total: plugins.length });
+  } catch (e) {
+    console.error('导入插件失败:', e);
+    return NextResponse.json({ error: '导入插件失败' }, { status: 500 });
+  }
+}

package/app/api/plugins/import-package/route.ts

@@ -0,0 +1,231 @@
+// app/api/plugins/import-package/route.ts - .xye 插件包导入 API
+
+import { NextRequest, NextResponse } from 'next/server';
+import { getDbPool } from '@/lib/db';
+import { ensureDb } from '@/lib/db-init';
+import { parseManifestFromCode } from '@/lib/manifest-parser';
+import { getPluginDir } from '@/lib/plugin-files';
+import AdmZip from 'adm-zip';
+import path from 'path';
+import { promises as fs } from 'fs';
+
+/** 校验插件 ID 合法性 */
+function isValidPluginId(id: string): boolean {
+  return /^[a-zA-Z0-9._-]+$/.test(id) && id.length <= 200 && !id.includes('..');
+}
+
+/** 校验文件路径安全性（防止路径遍历） */
+function isSafePath(filePath: string): boolean {
+  const normalized = path.normalize(filePath);
+  return !normalized.includes('..') && !path.isAbsolute(normalized);
+}
+
+export async function POST(request: NextRequest) {
+  try {
+    await ensureDb();
+    const db = getDbPool();
+
+    const formData = await request.formData();
+    const file = formData.get('file') as File | null;
+
+    if (!file) {
+      return NextResponse.json({ error: '未上传文件' }, { status: 400 });
+    }
+
+    if (!file.name.endsWith('.xye')) {
+      return NextResponse.json({ error: '仅支持 .xye 格式的插件包' }, { status: 400 });
+    }
+
+    // 读取文件到 Buffer
+    const buffer = Buffer.from(await file.arrayBuffer());
+
+    // 解压 ZIP
+    let zip: AdmZip;
+    try {
+      zip = new AdmZip(buffer);
+    } catch {
+      return NextResponse.json({ error: '无法解压插件包，文件可能已损坏' }, { status: 400 });
+    }
+
+    const entries = zip.getEntries();
+
+    // 查找 manifest.json
+    const manifestEntry = entries.find(e =>
+      e.entryName === 'manifest.json' || e.entryName.endsWith('/manifest.json')
+    );
+
+    if (!manifestEntry) {
+      return NextResponse.json({ error: '插件包中未找到 manifest.json' }, { status: 400 });
+    }
+
+    let manifest: Record<string, unknown>;
+    try {
+      manifest = JSON.parse(manifestEntry.getData().toString('utf-8'));
+    } catch {
+      return NextResponse.json({ error: 'manifest.json 格式错误' }, { status: 400 });
+    }
+
+    // 验证必填字段
+    const pluginId = String(manifest.id || '');
+    const pluginEntry = String(manifest.pluginEntry || manifest['plugin-entry'] || '');
+    const pluginName = String(manifest.name || '');
+    const pluginVersion = String(manifest.version || '');
+    const pluginType = String(manifest.type || '');
+
+    if (!pluginId || !pluginName || !pluginVersion || !pluginType) {
+      return NextResponse.json({ error: 'manifest.json 缺少必填字段 (id, name, version, type)' }, { status: 400 });
+    }
+
+    if (!isValidPluginId(pluginId)) {
+      return NextResponse.json({ error: `非法插件 ID: ${pluginId}` }, { status: 400 });
+    }
+
+    if (!pluginEntry) {
+      return NextResponse.json({ error: 'manifest.json 缺少 pluginEntry 字段（指定入口 JS 文件）' }, { status: 400 });
+    }
+
+    // 查找入口文件
+    const entryPath = pluginEntry.startsWith('/') ? pluginEntry.slice(1) : pluginEntry;
+    const codeEntry = entries.find(e => e.entryName === entryPath || e.entryName === `/${entryPath}`);
+
+    if (!codeEntry) {
+      return NextResponse.json({ error: `入口文件不存在: ${pluginEntry}` }, { status: 400 });
+    }
+
+    const pluginCode = codeEntry.getData().toString('utf-8');
+
+    // 确定包的根目录前缀（如果有子目录）
+    const manifestDir = manifestEntry.entryName === 'manifest.json'
+      ? ''
+      : manifestEntry.entryName.replace(/manifest\.json$/, '');
+
+    // 解析权限
+    let commonPerms = Array.isArray(manifest.commonPermissions) ? manifest.commonPermissions : [];
+    const exclusivePerms = Array.isArray(manifest.exclusivePermissions) ? manifest.exclusivePermissions : [];
+    const requiredPerms = Array.isArray(manifest.requiredPermissions) ? manifest.requiredPermissions : [];
+
+    // 兼容旧格式
+    if (commonPerms.length === 0 && exclusivePerms.length === 0 && requiredPerms.length === 0) {
+      const legacyPerms = manifest.uiPermissions;
+      if (Array.isArray(legacyPerms) && legacyPerms.length > 0) {
+        commonPerms = legacyPerms;
+      }
+    }
+
+    // 兜底从代码注释解析
+    if (commonPerms.length === 0 && exclusivePerms.length === 0 && requiredPerms.length === 0) {
+      const parsed = parseManifestFromCode(pluginCode);
+      if (parsed.permissions && parsed.permissions.length > 0) {
+        commonPerms = parsed.permissions;
+      }
+    }
+
+    const pUiPermissions = (commonPerms.length > 0 || exclusivePerms.length > 0 || requiredPerms.length > 0)
+      ? JSON.stringify({ commonPermissions: commonPerms, exclusivePermissions: exclusivePerms, requiredPermissions: requiredPerms })
+      : null;
+
+    const pConfigSchema = JSON.stringify(manifest.configSchema || []);
+    const pUiSlots = JSON.stringify(manifest.uiSlots || []);
+    const pPublicExports = manifest.publicExports !== undefined ? JSON.stringify(manifest.publicExports) : null;
+    const pDependencies = manifest.dependencies !== undefined ? JSON.stringify(manifest.dependencies) : null;
+
+    // 使用事务保证原子性
+    const conn = await db.getConnection();
+    try {
+      await conn.beginTransaction();
+
+      // 写入入口代码文件（使用原始文件名，如 index.js）
+      const pluginDir = getPluginDir(pluginId);
+      await fs.mkdir(pluginDir, { recursive: true });
+      const codeFilePath = path.join(pluginDir, entryPath);
+      await fs.writeFile(codeFilePath, pluginCode, 'utf-8');
+      const codePath = `data/plugins/${pluginId}/${entryPath}`;
+
+      // 写入数据库
+      await conn.execute(
+        `INSERT INTO extensions (id, name, version, description, author, type, icon, min_app_version, code_path, config_schema, ui_slots, ui_permissions, public_exports, dependencies)
+         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+         ON DUPLICATE KEY UPDATE
+         name = VALUES(name), version = VALUES(version), description = VALUES(description),
+         author = VALUES(author), type = VALUES(type), icon = VALUES(icon),
+         min_app_version = VALUES(min_app_version), code_path = VALUES(code_path),
+         config_schema = VALUES(config_schema), ui_slots = VALUES(ui_slots),
+         ui_permissions = VALUES(ui_permissions),
+         public_exports = VALUES(public_exports), dependencies = VALUES(dependencies)`,
+        [
+          pluginId, pluginName, pluginVersion,
+          String(manifest.description || ''), String(manifest.author || ''),
+          pluginType, String(manifest.icon || ''), String(manifest.minAppVersion || ''),
+          codePath, pConfigSchema, pUiSlots, pUiPermissions, pPublicExports, pDependencies,
+        ]
+      );
+
+      // 自动创建全局绑定
+      const defaultConfig: Record<string, unknown> = {};
+      try {
+        const schema = manifest.configSchema;
+        if (Array.isArray(schema) && schema.length > 0) {
+          for (const field of schema) {
+            if (field && typeof field === 'object' && 'key' in field && 'defaultValue' in field) {
+              defaultConfig[field.key as string] = field.defaultValue;
+            }
+          }
+        }
+      } catch { /* ignore */ }
+      const configJson = Object.keys(defaultConfig).length > 0 ? JSON.stringify(defaultConfig) : '{}';
+
+      await conn.execute(
+        `INSERT INTO extension_bindings (extension_id, scope, world_id, enabled, config, sort_order)
+         VALUES (?, 'global', '', TRUE, ?, 0)
+         ON DUPLICATE KEY UPDATE enabled = VALUES(enabled)`,
+        [pluginId, configJson]
+      );
+
+      // 解压所有文件到插件目录（跳过已写入的入口文件）
+      for (const entry of entries) {
+        if (entry.isDirectory) continue;
+
+        const relativeName = entry.entryName.startsWith('/')
+          ? entry.entryName.slice(1)
+          : entry.entryName;
+
+        // 如果包有子目录前缀，去掉它
+        const cleanName = manifestDir ? relativeName.replace(manifestDir, '') : relativeName;
+        if (!cleanName || cleanName === entryPath) continue;
+        if (!isSafePath(cleanName)) {
+          console.warn(`[导入 .xye] 跳过不安全路径: ${cleanName}`);
+          continue;
+        }
+
+        const targetPath = path.join(pluginDir, cleanName);
+        await fs.mkdir(path.dirname(targetPath), { recursive: true });
+        await fs.writeFile(targetPath, entry.getData());
+      }
+
+      await conn.commit();
+    } catch (e) {
+      try { await conn.rollback(); } catch { /* ignore */ }
+      conn.destroy();
+      throw e;
+    } finally {
+      if (conn && typeof conn.release === 'function') {
+        try { conn.release(); } catch { /* ignore */ }
+      }
+    }
+
+    return NextResponse.json({
+      success: true,
+      imported: 1,
+      skipped: 0,
+      total: 1,
+      plugin: {
+        id: pluginId,
+        name: pluginName,
+        version: pluginVersion,
+      },
+    });
+  } catch (e) {
+    console.error('导入 .xye 插件包失败:', e);
+    return NextResponse.json({ error: '导入插件包失败' }, { status: 500 });
+  }
+}