v2.19.0

Highlights

✨ New Feature

• Admin code export modal for collections (#831) — Generate ready-to-use TypeScript collection config code directly from the admin UI.

🐛 Bug Fixes

• Fix crash on array fields with media items (#838) — Collections configured as type: 'array' with items: { type: 'media' } no longer break the new-content form with TypeError: url.toLowerCase is not a function.
• Make AuthManager.verifyToken usable from custom Hono routes (#819)
• Use null instead of undefined for SVG D1 inserts (#818)
• create-sonicjs: use MEDIA_BUCKET binding name in starter wrangler.toml (#827)

🧹 Maintenance

• README and wrangler.toml updated for Cloudflare binding options (#824)
• Batch dependabot bumps (#828)

Installation

npm create sonicjs@latest my-app

Or update an existing project:

npm install @sonicjs-cms/core@2.19.0

Full Changelog: v2.18.1...v2.19.0

v2.18.1

Fixes

• Custom user-profile fields surfaced in auth responses (#803, #812) — /auth/me and /auth/otp/verify now include all fields registered via defineUserProfile() (e.g. plan, tier), so apps can gate UI on them without a second roundtrip. The OTP verify response also returns username, first_name, last_name, and created_at, and stops leaking the internal is_active flag.

Installation

npm create sonicjs@latest my-app

Or update an existing project:

npm install @sonicjs-cms/core@2.18.1

v2.18.0

✨ New Features

Configurable OTP Email Branding (#809)

The OTP login email is now fully customizable per deployment, all via the OTP plugin's admin settings page.

• Logo URL — display your own logo at the top of the email
• Logo Width (px) — control the rendered logo size (20–600 px)
• Logo Border Thickness & Color — optional border around the logo with a color picker (defaults: thickness 0, color #ffffff); when both are set, the logo gets a matching border-radius to align with the sign-in button
• Login URL — when set, renders a styled Sign in to {site name} button under the OTP code in the email and as a CTA link in the plain-text version
• Login Button Text — override the default "Sign in to {site name}" with custom copy

All new settings are optional; defaults preserve the previous email rendering. Color values are sanitized server-side before being inlined into the email's CSS to prevent style injection.

The plugin's settings page also gets a live email preview that reflects every change immediately.

Installation

npm create sonicjs@latest my-app

Or update an existing project:

npm install @sonicjs-cms/core@2.18.0

Full changelog: v2.17.2...v2.18.0

v2.17.2

Changes

🛠️ Fixed

• API Filter Bracket Syntax — filter[field][operator]=value on the public content and collections endpoints now correctly applies WHERE conditions instead of silently returning unfiltered data. Previously documented examples like ?filter[title][contains]=lyme were parsed by Hono as flat query keys and dropped on the floor in QueryFilterBuilder.parseFromQuery. (#807)

✨ Added

• starts_with operator — case-insensitive prefix match (field LIKE 'value%')
• ends_with operator — case-insensitive suffix match (field LIKE '%value')

🧰 Governance

• CODEOWNERS — Reduced second-maintainer requirement; project lead now sole code owner across all paths (#808)

Installation

npm create sonicjs@latest my-app

Update existing project:

npm install @sonicjs-cms/core@2.17.2

v2.17.1

Changes

• Allow blank first/last name when editing users in admin (#805)

Installation

npm create sonicjs@latest my-app

Or update existing project:

npm install @sonicjs-cms/core@2.17.1

v2.17.0

Highlights

• Configurable JWT expiration — session TTL is now configurable via JWT_EXPIRES_IN env var (authoritative ceiling) or Admin → Settings → Security. Default is 30 days (previously 24 hours). Resolves issue #800.
• Working /auth/refresh endpoint — accepts valid-or-recently-expired tokens within a configurable grace window (JWT_REFRESH_GRACE_SECONDS, default 7 days), re-verifies HS256 via Web Crypto, re-validates the user against the database, and issues a fresh token. Users no longer forced to re-login daily.
• Admin Session / JWT card — new live card under Admin → Settings → Security for adjusting JWT TTL and refresh grace without editing env vars.
• Documentation updates — docs/authentication.md, OTP plugin README, and the doc site authentication page now describe the configuration surface and refresh semantics.

Breaking Changes

• The default JWT/auth cookie lifetime changed from 24 hours → 30 days. If you were relying on the 24-hour default for session expiry, set JWT_EXPIRES_IN=24h (or any value you prefer) to preserve the previous behavior.

Installation

npm create sonicjs@latest my-app

Or update existing project:

npm install @sonicjs-cms/core@2.17.0

Full changelog: v2.16.1...v2.17.0

v2.16.1

Changes

• Security fix: Admin panel now restricted to admin role by default (#791) — previously any authenticated user could access /admin
• Bug fix: Resolved fresh install migration error — duplicate column name in 035_user_profiles_data_column.sql (#771)
• New config option: adminAccessRoles in createSonicJSApp() lets developers customize which roles can access the admin panel

Installation

npm create sonicjs@latest my-app

Or update existing project:

npm install @sonicjs-cms/core@2.16.1

v2.16.0

Changes

• Fix #785: BruteForceDetector no longer crashes when KV namespace is unavailable — added null guards to all KV-dependent methods
• Fix #786: New event tracking API (POST /api/events) for analytics — supports single and batch event tracking with filtering and stats endpoints
• Fix #787: Analytics admin dashboard now renders properly at /admin/analytics with real metrics from system logs
• Fix #788: Routes no longer return 400 Bad Request — expanded CSRF exempt paths and added Authorization header bypass

Installation

npm create sonicjs@latest my-app

Or update existing project:

npm install @sonicjs-cms/core@2.16.0

v2.15.0

Changes

Plugin Auto-Discovery System

• Manifest-driven plugin registry replaces 5+ hardcoded files — adding a new plugin now only requires a manifest.json
• All 26 plugin manifests enriched with standardized fields (codeName, iconEmoji, is_core, defaultSettings, adminMenu)
• Sidebar icons now resolve from text names to Heroicon SVGs automatically

Stripe Plugin Enhancements

• Sync from Stripe — Pull all existing subscriptions from the Stripe API into D1 with one click
• Webhook Event Log — New stripe_events table logs every webhook event with status (processed/failed/ignored), filterable admin UI
• Tabbed Admin UI — Subscriptions, Events, and Settings pages share a consistent tab bar
• Publishable Key — Settings page now includes the publishable key field matching Stripe's dashboard

Bug Fixes

• Fixed 404 on /admin/plugins/stripe caused by route registration order
• Fixed missing sidebar icons for media, analytics, and stripe plugins
• Fixed stripe settings page 404

Installation

npm create sonicjs@latest my-app

Or update existing project:

npm install @sonicjs-cms/core@2.15.0

v2.14.0

What's New

Stripe Subscription Plugin

New core plugin for managing Stripe subscriptions with full lifecycle support:

• Webhook endpoint with HMAC-SHA256 signature verification
• Handles subscription created/updated/deleted, checkout completed, payment succeeded/failed
• Checkout session creation with automatic Stripe customer linking
• Subscription status API for authenticated users
• Admin dashboard with stats cards and filterable subscription table
• requireSubscription() middleware for gating routes to active subscribers
• Zero external dependencies — uses fetch + Web Crypto API (Cloudflare Workers compatible)

Bug Fixes

• Fixed migration 029 detection and re-run when forms tables are missing (#762)

Installation

```bash
npm create sonicjs@latest my-app
```

Or update existing project:
```bash
npm install @sonicjs-cms/core@2.14.0
```