From fed40a5167f13a7e749a5dbc5301fe1a05b44f8c Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Fri, 17 Apr 2026 17:50:13 +0100
Subject: [PATCH 01/26] feat: plugin submission workflow

---
 apps/cms/config/plugins.ts                    |   4 +
 .../src/plugins/moderation/admin/custom.d.ts  |  26 +
 .../src/components/ReviewPanel/index.tsx      | 590 ++++++++++++
 .../plugins/moderation/admin/src/index.tsx    |  45 +
 .../src/pages/SubmissionDetail/index.tsx      | 756 ++++++++++++++++
 .../admin/src/pages/SubmissionList/index.tsx  | 226 +++++
 apps/cms/src/plugins/moderation/package.json  |  19 +
 .../moderation/server/content-types/index.js  |   3 +
 .../content-types/plugin-submission/index.js  |   3 +
 .../plugin-submission/schema.json             | 117 +++
 .../moderation/server/controllers/index.js    |   3 +
 .../server/controllers/plugin-submission.js   | 130 +++
 .../src/plugins/moderation/server/index.js    |   6 +
 .../plugins/moderation/server/routes/index.js |   1 +
 .../server/routes/plugin-submission.js        |  53 ++
 .../server/services/automated-checks.js       | 384 ++++++++
 .../moderation/server/services/index.js       |   3 +
 .../server/services/plugin-submission.js      | 271 ++++++
 .../server/services/security-checks.js        | 109 +++
 .../src/plugins/moderation/strapi-server.js   |  24 +
 apps/cms/types/generated/contentTypes.d.ts    |  82 ++
 apps/web/.env.example                         |  10 +-
 apps/web/src/app/api/categories/route.ts      |  34 +
 apps/web/src/app/api/submit-plugin/route.ts   | 287 ++++++
 apps/web/src/app/submit/plugin/page.tsx       | 843 ++++++++++++++++++
 25 files changed, 4028 insertions(+), 1 deletion(-)
 create mode 100644 apps/cms/src/plugins/moderation/admin/custom.d.ts
 create mode 100644 apps/cms/src/plugins/moderation/admin/src/components/ReviewPanel/index.tsx
 create mode 100644 apps/cms/src/plugins/moderation/admin/src/index.tsx
 create mode 100644 apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
 create mode 100644 apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
 create mode 100644 apps/cms/src/plugins/moderation/package.json
 create mode 100644 apps/cms/src/plugins/moderation/server/content-types/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
 create mode 100644 apps/cms/src/plugins/moderation/server/controllers/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
 create mode 100644 apps/cms/src/plugins/moderation/server/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/routes/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
 create mode 100644 apps/cms/src/plugins/moderation/server/services/automated-checks.js
 create mode 100644 apps/cms/src/plugins/moderation/server/services/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/services/plugin-submission.js
 create mode 100644 apps/cms/src/plugins/moderation/server/services/security-checks.js
 create mode 100644 apps/cms/src/plugins/moderation/strapi-server.js
 create mode 100644 apps/web/src/app/api/categories/route.ts
 create mode 100644 apps/web/src/app/api/submit-plugin/route.ts
 create mode 100644 apps/web/src/app/submit/plugin/page.tsx

diff --git a/apps/cms/config/plugins.ts b/apps/cms/config/plugins.ts
index c41de57..197adcf 100644
--- a/apps/cms/config/plugins.ts
+++ b/apps/cms/config/plugins.ts
@@ -23,6 +23,10 @@ export default ({ env }) => ({
     enabled: true,
     resolve: "./src/plugins/owner-selector",
   },
+  moderation: {
+    enabled: true,
+    resolve: "./src/plugins/moderation",
+  },
   "package-info": {
     enabled: true,
     resolve: "./src/plugins/package-info",
diff --git a/apps/cms/src/plugins/moderation/admin/custom.d.ts b/apps/cms/src/plugins/moderation/admin/custom.d.ts
new file mode 100644
index 0000000..5b0b4a0
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/custom.d.ts
@@ -0,0 +1,26 @@
+import type { StrapiTheme } from "@strapi/design-system";
+
+declare module "styled-components" {
+  export interface DefaultTheme extends StrapiTheme {}
+}
+
+export interface BrowserStrapi {
+  backendURL: string;
+  isEE: boolean;
+  features: {
+    SSO: "sso";
+    AUDIT_LOGS: "audit-logs";
+    REVIEW_WORKFLOWS: "review-workflows";
+    isEnabled: (featureName?: string) => boolean;
+  };
+  isTrialLicense: boolean;
+  flags: { promoteEE?: boolean; nps?: boolean };
+  projectType: "Community" | "Enterprise";
+  telemetryDisabled: boolean;
+}
+
+declare global {
+  interface Window {
+    strapi: BrowserStrapi;
+  }
+}
diff --git a/apps/cms/src/plugins/moderation/admin/src/components/ReviewPanel/index.tsx b/apps/cms/src/plugins/moderation/admin/src/components/ReviewPanel/index.tsx
new file mode 100644
index 0000000..eb2e771
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/src/components/ReviewPanel/index.tsx
@@ -0,0 +1,590 @@
+import {
+  Box,
+  Button,
+  Field,
+  Flex,
+  SingleSelect,
+  SingleSelectOption,
+  Textarea,
+  Typography,
+} from "@strapi/design-system";
+import { ChevronDown } from "@strapi/icons";
+import { useFetchClient, useNotification } from "@strapi/strapi/admin";
+import { useState } from "react";
+import { useMutation } from "react-query";
+
+interface Props {
+  documentId: string;
+  initialBusinessStatus: "pending" | "approved" | "rejected";
+  initialSecurityStatus: "pending" | "approved" | "rejected";
+  initialOverallStatus: string;
+  initialFeedback?: string;
+  initialRejectionReason?: string;
+  initialBusinessNotes?: string;
+  initialSecurityNotes?: string;
+  onSaved: () => void;
+}
+
+type ReviewStatus = "pending" | "approved" | "rejected";
+
+const REVIEW_STYLES: Record<
+  ReviewStatus,
+  { bg: string; text: string; dot: string }
+> = {
+  pending: { bg: "neutral150", text: "neutral600", dot: "#c0c0c0" },
+  approved: { bg: "success100", text: "success600", dot: "#27ae60" },
+  rejected: { bg: "danger100", text: "danger600", dot: "#e74c3c" },
+};
+
+const StatusPill = ({ status }: { status: ReviewStatus }) => {
+  const s = REVIEW_STYLES[status];
+  return (
+    <Box
+      background={s.bg}
+      hasRadius
+      paddingLeft={2}
+      paddingRight={2}
+      paddingTop={1}
+      paddingBottom={1}
+    >
+      <Flex gap={1} alignItems="center">
+        <Box
+          style={{
+            width: 7,
+            height: 7,
+            borderRadius: "50%",
+            background: s.dot,
+            flexShrink: 0,
+          }}
+        />
+        <Typography
+          variant="pi"
+          fontWeight="semiBold"
+          textColor={s.text}
+          style={{ textTransform: "capitalize" }}
+        >
+          {status}
+        </Typography>
+      </Flex>
+    </Box>
+  );
+};
+
+export const ReviewPanel = ({
+  documentId,
+  initialBusinessStatus,
+  initialSecurityStatus,
+  initialOverallStatus,
+  initialFeedback,
+  initialRejectionReason,
+  initialBusinessNotes,
+  initialSecurityNotes,
+  onSaved,
+}: Props) => {
+  const { put, post } = useFetchClient();
+  const { toggleNotification } = useNotification();
+
+  const [businessStatus, setBusinessStatus] = useState<ReviewStatus>(
+    initialBusinessStatus,
+  );
+  const [securityStatus, setSecurityStatus] = useState<ReviewStatus>(
+    initialSecurityStatus,
+  );
+  const [businessNotes, setBusinessNotes] = useState(
+    initialBusinessNotes || "",
+  );
+  const [securityNotes, setSecurityNotes] = useState(
+    initialSecurityNotes || "",
+  );
+  const [feedback, setFeedback] = useState(initialFeedback || "");
+  const [rejectionReason, setRejectionReason] = useState(
+    initialRejectionReason || "",
+  );
+  const [openSection, setOpenSection] = useState<
+    "business" | "security" | null
+  >(null);
+
+  const toggleSection = (section: "business" | "security") =>
+    setOpenSection((prev) => (prev === section ? null : section));
+
+  const bothApproved =
+    businessStatus === "approved" && securityStatus === "approved";
+  const isAlreadyApproved = initialOverallStatus === "approved";
+  const isAlreadyRejected = initialOverallStatus === "rejected";
+  const isLocked = isAlreadyApproved || isAlreadyRejected;
+
+  const { mutate: saveReview, isLoading: saving } = useMutation(
+    async () => {
+      await put(`/moderation/submissions/${documentId}/review`, {
+        data: {
+          business_review_status: businessStatus,
+          security_review_status: securityStatus,
+          business_review_notes: businessNotes,
+          security_review_notes: securityNotes,
+          reviewer_feedback: feedback,
+          rejection_reason: rejectionReason,
+        },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({ type: "success", message: "Review saved." });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message:
+            err instanceof Error ? err.message : "Failed to save review.",
+        });
+      },
+    },
+  );
+
+  const { mutate: approve, isLoading: approving } = useMutation(
+    async () => {
+      await put(`/moderation/submissions/${documentId}/review`, {
+        data: {
+          business_review_status: businessStatus,
+          security_review_status: securityStatus,
+          business_review_notes: businessNotes,
+          security_review_notes: securityNotes,
+          overall_status: "approved",
+        },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({
+          type: "success",
+          message: "Submission approved.",
+        });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message: err instanceof Error ? err.message : "Failed to approve.",
+        });
+      },
+    },
+  );
+
+  const { mutate: promote, isLoading: promoting } = useMutation(
+    async () => {
+      await post(`/moderation/submissions/${documentId}/promote`, {});
+    },
+    {
+      onSuccess() {
+        toggleNotification({
+          type: "success",
+          message: "Package entry created. Open Content Manager to publish.",
+        });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message: err instanceof Error ? err.message : "Promotion failed.",
+        });
+      },
+    },
+  );
+
+  const { mutate: reject, isLoading: rejecting } = useMutation(
+    async () => {
+      await post(`/moderation/submissions/${documentId}/decide`, {
+        data: { status: "rejected", reason: rejectionReason, feedback },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({
+          type: "success",
+          message: "Submission rejected.",
+        });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message: err instanceof Error ? err.message : "Failed to reject.",
+        });
+      },
+    },
+  );
+
+  const { mutate: requestChanges, isLoading: requesting } = useMutation(
+    async () => {
+      await post(`/moderation/submissions/${documentId}/decide`, {
+        data: { status: "changes_requested", feedback },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({ type: "success", message: "Changes requested." });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message:
+            err instanceof Error ? err.message : "Failed to request changes.",
+        });
+      },
+    },
+  );
+
+  return (
+    <Box
+      background="neutral0"
+      hasRadius
+      borderColor="neutral200"
+      borderWidth="1px"
+      borderStyle="solid"
+      overflow="hidden"
+    >
+      {/* Panel header */}
+      <Box
+        paddingLeft={6}
+        paddingRight={6}
+        paddingTop={5}
+        paddingBottom={5}
+        borderColor="neutral150"
+        borderWidth="0 0 1px 0"
+        borderStyle="solid"
+      >
+        <Flex justifyContent="space-between" alignItems="center">
+          <Typography variant="beta">Review Decision</Typography>
+          {!isLocked && (
+            <Button
+              variant="tertiary"
+              size="S"
+              onClick={() => saveReview()}
+              loading={saving}
+              style={{ whiteSpace: "nowrap" }}
+            >
+              Save Draft
+            </Button>
+          )}
+        </Flex>
+      </Box>
+
+      {/* Business Review — accordion */}
+      <Box borderColor="neutral150" borderWidth="0 0 1px 0" borderStyle="solid">
+        <button
+          type="button"
+          onClick={() => toggleSection("business")}
+          style={{
+            width: "100%",
+            background: "none",
+            border: "none",
+            cursor: "pointer",
+            padding: 0,
+            textAlign: "left",
+          }}
+        >
+          <Flex
+            justifyContent="space-between"
+            alignItems="center"
+            paddingLeft={6}
+            paddingRight={6}
+            paddingTop={5}
+            paddingBottom={5}
+          >
+            <Flex gap={3} alignItems="center">
+              <Typography
+                variant="omega"
+                fontWeight="semiBold"
+                textColor="neutral800"
+              >
+                Business Review
+              </Typography>
+              <StatusPill status={businessStatus} />
+            </Flex>
+            <Box
+              style={{
+                color: "#8e8ea9",
+                display: "flex",
+                transform:
+                  openSection === "business"
+                    ? "rotate(180deg)"
+                    : "rotate(0deg)",
+                transition: "transform 0.15s ease",
+              }}
+            >
+              <ChevronDown aria-hidden />
+            </Box>
+          </Flex>
+        </button>
+
+        {openSection === "business" && (
+          <Box
+            paddingLeft={6}
+            paddingRight={6}
+            paddingBottom={5}
+            borderColor="neutral100"
+            borderWidth="1px 0 0 0"
+            borderStyle="solid"
+            background="neutral50"
+          >
+            <Box paddingTop={4}>
+              <Flex direction="column" alignItems="stretch" gap={4}>
+                <Field.Root name="businessReview" style={{ width: "100%" }}>
+                  <Field.Label>Status</Field.Label>
+                  <SingleSelect
+                    value={businessStatus}
+                    onChange={(val) => setBusinessStatus(val as ReviewStatus)}
+                    disabled={isLocked}
+                  >
+                    <SingleSelectOption value="pending">
+                      Pending
+                    </SingleSelectOption>
+                    <SingleSelectOption value="approved">
+                      Approved
+                    </SingleSelectOption>
+                    <SingleSelectOption value="rejected">
+                      Rejected
+                    </SingleSelectOption>
+                  </SingleSelect>
+                </Field.Root>
+
+                <Field.Root name="businessNotes" style={{ width: "100%" }}>
+                  <Field.Label>Internal Notes</Field.Label>
+                  <Textarea
+                    value={businessNotes}
+                    onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                      setBusinessNotes(e.target.value)
+                    }
+                    placeholder="Internal notes for the business review track…"
+                    disabled={isLocked}
+                  />
+                </Field.Root>
+              </Flex>
+            </Box>
+          </Box>
+        )}
+      </Box>
+
+      {/* Security Review — accordion */}
+      <Box borderColor="neutral150" borderWidth="0 0 1px 0" borderStyle="solid">
+        <button
+          type="button"
+          onClick={() => toggleSection("security")}
+          style={{
+            width: "100%",
+            background: "none",
+            border: "none",
+            cursor: "pointer",
+            padding: 0,
+            textAlign: "left",
+          }}
+        >
+          <Flex
+            justifyContent="space-between"
+            alignItems="center"
+            paddingLeft={6}
+            paddingRight={6}
+            paddingTop={5}
+            paddingBottom={5}
+          >
+            <Flex gap={3} alignItems="center">
+              <Typography
+                variant="omega"
+                fontWeight="semiBold"
+                textColor="neutral800"
+              >
+                Security Review
+              </Typography>
+              <StatusPill status={securityStatus} />
+            </Flex>
+            <Box
+              style={{
+                color: "#8e8ea9",
+                display: "flex",
+                transform:
+                  openSection === "security"
+                    ? "rotate(180deg)"
+                    : "rotate(0deg)",
+                transition: "transform 0.15s ease",
+              }}
+            >
+              <ChevronDown aria-hidden />
+            </Box>
+          </Flex>
+        </button>
+
+        {openSection === "security" && (
+          <Box
+            paddingLeft={6}
+            paddingRight={6}
+            paddingBottom={5}
+            borderColor="neutral100"
+            borderWidth="1px 0 0 0"
+            borderStyle="solid"
+            background="neutral50"
+          >
+            <Box paddingTop={4}>
+              <Flex direction="column" alignItems="stretch" gap={4}>
+                <Field.Root name="securityReview" style={{ width: "100%" }}>
+                  <Field.Label>Status</Field.Label>
+                  <SingleSelect
+                    value={securityStatus}
+                    onChange={(val) => setSecurityStatus(val as ReviewStatus)}
+                    disabled={isLocked}
+                  >
+                    <SingleSelectOption value="pending">
+                      Pending
+                    </SingleSelectOption>
+                    <SingleSelectOption value="approved">
+                      Approved
+                    </SingleSelectOption>
+                    <SingleSelectOption value="rejected">
+                      Rejected
+                    </SingleSelectOption>
+                  </SingleSelect>
+                </Field.Root>
+
+                <Field.Root name="securityNotes" style={{ width: "100%" }}>
+                  <Field.Label>Internal Notes</Field.Label>
+                  <Textarea
+                    value={securityNotes}
+                    onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                      setSecurityNotes(e.target.value)
+                    }
+                    placeholder="Internal notes for the security review track…"
+                    disabled={isLocked}
+                  />
+                </Field.Root>
+              </Flex>
+            </Box>
+          </Box>
+        )}
+      </Box>
+
+      {/* Feedback */}
+      <Box
+        paddingLeft={6}
+        paddingRight={6}
+        paddingTop={5}
+        paddingBottom={5}
+        borderColor="neutral150"
+        borderWidth="0 0 1px 0"
+        borderStyle="solid"
+      >
+        <Flex direction="column" alignItems="stretch" gap={4}>
+          {/* Feedback — shown while actively reviewing */}
+          {!isAlreadyApproved && (
+            <Field.Root name="feedback" style={{ width: "100%" }}>
+              <Field.Label>Feedback to Submitter</Field.Label>
+              <Field.Hint>
+                Shown to the submitter if changes are requested
+              </Field.Hint>
+              <Textarea
+                value={feedback}
+                onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                  setFeedback(e.target.value)
+                }
+                placeholder="Describe what changes are needed…"
+                disabled={isAlreadyRejected}
+              />
+            </Field.Root>
+          )}
+
+          {/* Rejection reason — only when a track is rejected */}
+          {(businessStatus === "rejected" ||
+            securityStatus === "rejected" ||
+            isAlreadyRejected) && (
+            <Field.Root name="rejectionReason" style={{ width: "100%" }}>
+              <Field.Label>Rejection Reason</Field.Label>
+              <Field.Hint>
+                Internal only — not shown to the submitter
+              </Field.Hint>
+              <Textarea
+                value={rejectionReason}
+                onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                  setRejectionReason(e.target.value)
+                }
+                placeholder="Internal reason for rejection…"
+                disabled={isAlreadyRejected}
+              />
+            </Field.Root>
+          )}
+        </Flex>
+      </Box>
+
+      {/* Actions */}
+      <Box paddingLeft={6} paddingRight={6} paddingTop={5} paddingBottom={5}>
+        {isAlreadyApproved ? (
+          <Flex direction="column" alignItems="stretch" gap={3}>
+            <Box background="success100" padding={3} hasRadius>
+              <Typography
+                variant="pi"
+                fontWeight="semiBold"
+                textColor="success700"
+              >
+                This submission has been approved.
+              </Typography>
+            </Box>
+            <Button
+              variant="default"
+              onClick={() => promote()}
+              loading={promoting}
+              fullWidth
+            >
+              Promote to Package
+            </Button>
+          </Flex>
+        ) : isAlreadyRejected ? (
+          <Box background="danger100" padding={3} hasRadius>
+            <Typography
+              variant="pi"
+              fontWeight="semiBold"
+              textColor="danger700"
+            >
+              This submission has been rejected.
+            </Typography>
+          </Box>
+        ) : (
+          <>
+            {/* Decision buttons — two rows to avoid squashing */}
+            <Flex direction="column" alignItems="stretch" gap={3}>
+              <Flex gap={2} justifyContent="flex-end">
+                <Button
+                  variant="secondary"
+                  onClick={() => requestChanges()}
+                  loading={requesting}
+                  style={{ whiteSpace: "nowrap" }}
+                >
+                  Request Changes
+                </Button>
+                <Button
+                  variant="danger"
+                  onClick={() => reject()}
+                  loading={rejecting}
+                  style={{ whiteSpace: "nowrap" }}
+                >
+                  Reject
+                </Button>
+                <Button
+                  variant="success"
+                  onClick={() => approve()}
+                  loading={approving}
+                  disabled={!bothApproved}
+                  title={
+                    bothApproved
+                      ? undefined
+                      : "Both review tracks must be approved first"
+                  }
+                  style={{ whiteSpace: "nowrap" }}
+                >
+                  Approve
+                </Button>
+              </Flex>
+            </Flex>
+          </>
+        )}
+      </Box>
+    </Box>
+  );
+};
diff --git a/apps/cms/src/plugins/moderation/admin/src/index.tsx b/apps/cms/src/plugins/moderation/admin/src/index.tsx
new file mode 100644
index 0000000..0ae897e
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/src/index.tsx
@@ -0,0 +1,45 @@
+import type { StrapiApp } from "@strapi/strapi/admin";
+import { Route, Routes } from "react-router-dom";
+import { SubmissionDetail } from "./pages/SubmissionDetail";
+import { SubmissionList } from "./pages/SubmissionList";
+
+// Simple shield icon for the menu
+const ShieldIcon = () => (
+  <svg
+    viewBox="0 0 24 24"
+    fill="none"
+    stroke="currentColor"
+    strokeWidth="2"
+    width="1em"
+    height="1em"
+    aria-label="Moderation plugin"
+  >
+    <title>Moderation plugin</title>
+    <path d="M12 22s8-4 8-10V5l-8-3-8 3v7c0 6 8 10 8 10z" />
+  </svg>
+);
+
+export default {
+  register(app: StrapiApp) {
+    app.addMenuLink({
+      to: "/plugins/moderation",
+      icon: ShieldIcon,
+      intlLabel: {
+        id: "moderation.label",
+        defaultMessage: "Moderation",
+      },
+      Component: () =>
+        Promise.resolve({
+          default: () => (
+            <Routes>
+              <Route index element={<SubmissionList />} />
+              <Route
+                path="submissions/:documentId"
+                element={<SubmissionDetail />}
+              />
+            </Routes>
+          ),
+        }),
+    });
+  },
+};
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
new file mode 100644
index 0000000..b3e143e
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
@@ -0,0 +1,756 @@
+import {
+  Box,
+  Button,
+  Divider,
+  Flex,
+  Loader,
+  Typography,
+} from "@strapi/design-system";
+import { ArrowLeft, ExternalLink } from "@strapi/icons";
+import { useFetchClient, useNotification } from "@strapi/strapi/admin";
+import { useEffect, useState } from "react";
+import { useNavigate, useParams } from "react-router-dom";
+import { ReviewPanel } from "../../components/ReviewPanel";
+
+interface AutomatedCheckResult {
+  passed: boolean | null;
+  skipped?: boolean;
+  message: string;
+  detail?: unknown;
+}
+
+interface AutomatedChecks {
+  runAt?: string;
+  provider?: string;
+  checks?: Record<string, AutomatedCheckResult>;
+}
+
+interface PluginSubmissionDetail {
+  documentId: string;
+  plugin_name: string;
+  npm_package_name: string | null;
+  description: string;
+  git_repository: string;
+  logo_url: string | null;
+  package_type: string;
+  categories_list: string[];
+  owner_name: string;
+  owner_email: string;
+  maintainers_list: Array<{ name: string; email?: string }>;
+  readme: string | null;
+  submission_notes: string | null;
+  overall_status: string;
+  business_review_status: "pending" | "approved" | "rejected";
+  security_review_status: "pending" | "approved" | "rejected";
+  reviewer_feedback: string | null;
+  rejection_reason: string | null;
+  business_review_notes: string | null;
+  security_review_notes: string | null;
+  automated_check_results: AutomatedChecks | null;
+  promoted_package: { documentId: string } | null;
+  createdAt: string;
+}
+
+const STATUS_STYLES: Record<
+  string,
+  { bg: string; color: string; label: string }
+> = {
+  submitted: { bg: "neutral150", color: "neutral700", label: "Submitted" },
+  under_review: {
+    bg: "primary100",
+    color: "primary700",
+    label: "Under Review",
+  },
+  changes_requested: {
+    bg: "warning100",
+    color: "warning700",
+    label: "Changes Requested",
+  },
+  rejected: { bg: "danger100", color: "danger700", label: "Rejected" },
+  approved: { bg: "success100", color: "success700", label: "Approved" },
+};
+
+const CHECK_LABELS: Record<string, string> = {
+  repo_public: "Repository is public",
+  readme_exists: "README present",
+  mit_license: "MIT license",
+  strapi_peer_dep: "Strapi peer dependency",
+  enterprise_competition: "Enterprise competition",
+  npm_advisories: "NPM advisories",
+  dependency_vulnerabilities: "Dependency vulnerabilities",
+  ai_analysis: "AI security analysis",
+};
+
+// ─── Sub-components ───────────────────────────────────────────────────────────
+
+const StatusBadge = ({ status }: { status: string }) => {
+  const s = STATUS_STYLES[status] ?? STATUS_STYLES.submitted;
+  return (
+    <Box
+      background={s.bg}
+      hasRadius
+      paddingLeft={3}
+      paddingRight={3}
+      style={{ display: "inline-flex", alignItems: "center", height: 24 }}
+    >
+      <Typography variant="pi" fontWeight="semiBold" textColor={s.color}>
+        {s.label}
+      </Typography>
+    </Box>
+  );
+};
+
+// Plain pill — no icon (unlike Tag which includes a remove icon)
+const CategoryPill = ({ label }: { label: string }) => (
+  <Box
+    background="primary100"
+    hasRadius
+    paddingLeft={2}
+    paddingRight={2}
+    style={{ display: "inline-flex", alignItems: "center", height: 20 }}
+  >
+    <Typography variant="pi" fontWeight="semiBold" textColor="primary600">
+      {label}
+    </Typography>
+  </Box>
+);
+
+const CheckRow = ({
+  label,
+  result,
+}: {
+  label: string;
+  result: AutomatedCheckResult;
+}) => {
+  const state = result.skipped
+    ? "skipped"
+    : result.passed === true
+      ? "passed"
+      : result.passed === false
+        ? "failed"
+        : "unknown";
+
+  const cfg = {
+    passed: { bg: "success100", text: "success700", icon: "✓" },
+    failed: { bg: "danger100", text: "danger700", icon: "✗" },
+    skipped: { bg: "neutral150", text: "neutral600", icon: "—" },
+    unknown: { bg: "warning100", text: "warning700", icon: "?" },
+  }[state];
+
+  return (
+    <Flex gap={3} alignItems="flex-start" paddingTop={3} paddingBottom={3}>
+      <Box
+        background={cfg.bg}
+        hasRadius
+        style={{
+          width: 26,
+          height: 26,
+          display: "flex",
+          alignItems: "center",
+          justifyContent: "center",
+          flexShrink: 0,
+        }}
+      >
+        <Typography textColor={cfg.text} fontWeight="bold" variant="omega">
+          {cfg.icon}
+        </Typography>
+      </Box>
+      <Box style={{ flex: 1, minWidth: 0 }}>
+        <Typography
+          fontWeight="semiBold"
+          textColor="neutral800"
+          variant="omega"
+          style={{ display: "block", textAlign: "left" }}
+        >
+          {label}
+        </Typography>
+        <Typography
+          variant="pi"
+          textColor="neutral500"
+          style={{ display: "block", textAlign: "left" }}
+        >
+          {result.message}
+        </Typography>
+      </Box>
+    </Flex>
+  );
+};
+
+// Horizontal label → value row used inside Plugin Info
+const InfoRow = ({
+  label,
+  value,
+}: {
+  label: string;
+  value: React.ReactNode;
+}) => (
+  <Flex gap={4} alignItems="flex-start" paddingTop={3} paddingBottom={3}>
+    <Box style={{ width: 130, flexShrink: 0 }}>
+      <Typography
+        variant="pi"
+        fontWeight="semiBold"
+        textColor="neutral500"
+        style={{
+          textTransform: "uppercase",
+          letterSpacing: "0.04em",
+          display: "block",
+          textAlign: "left",
+        }}
+      >
+        {label}
+      </Typography>
+    </Box>
+    <Box style={{ flex: 1, minWidth: 0 }}>
+      {typeof value === "string" ? (
+        <Typography
+          textColor="neutral800"
+          style={{
+            wordBreak: "break-word",
+            display: "block",
+            textAlign: "left",
+          }}
+        >
+          {value}
+        </Typography>
+      ) : (
+        value
+      )}
+    </Box>
+  </Flex>
+);
+
+const Card = ({
+  title,
+  action,
+  children,
+  noPadding,
+}: {
+  title?: string;
+  action?: React.ReactNode;
+  children: React.ReactNode;
+  noPadding?: boolean;
+}) => (
+  <Box
+    background="neutral0"
+    hasRadius
+    borderColor="neutral200"
+    borderWidth="1px"
+    borderStyle="solid"
+    overflow="hidden"
+  >
+    {(title || action) && (
+      <Flex
+        justifyContent="space-between"
+        alignItems="center"
+        paddingLeft={5}
+        paddingRight={5}
+        paddingTop={4}
+        paddingBottom={4}
+        borderColor="neutral150"
+        borderWidth="0 0 1px 0"
+        borderStyle="solid"
+      >
+        {title && (
+          <Typography
+            variant="sigma"
+            textColor="neutral600"
+            style={{ textTransform: "uppercase", letterSpacing: "0.05em" }}
+          >
+            {title}
+          </Typography>
+        )}
+        {action}
+      </Flex>
+    )}
+    {noPadding ? children : <Box padding={5}>{children}</Box>}
+  </Box>
+);
+
+type TabId = "details" | "checks" | "readme";
+
+// ─── Page ─────────────────────────────────────────────────────────────────────
+
+export const SubmissionDetail = () => {
+  const { documentId } = useParams<{ documentId: string }>();
+  const navigate = useNavigate();
+  const { get } = useFetchClient();
+  const { toggleNotification } = useNotification();
+
+  const [submission, setSubmission] = useState<PluginSubmissionDetail | null>(
+    null,
+  );
+  const [loading, setLoading] = useState(true);
+  const [activeTab, setActiveTab] = useState<TabId>("details");
+
+  const load = async () => {
+    setLoading(true);
+    try {
+      const res = await get(`/moderation/submissions/${documentId}`);
+      setSubmission(res.data.data);
+    } catch {
+      toggleNotification({
+        type: "danger",
+        message: "Failed to load submission.",
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    if (documentId) load();
+  }, [documentId]);
+
+  if (loading) {
+    return (
+      <Flex justifyContent="center" alignItems="center" style={{ height: 300 }}>
+        <Loader />
+      </Flex>
+    );
+  }
+
+  if (!submission) {
+    return (
+      <Box padding={8}>
+        <Typography textColor="neutral600">Submission not found.</Typography>
+      </Box>
+    );
+  }
+
+  const checks = submission.automated_check_results?.checks ?? {};
+  const securityChecks =
+    (checks.security as Record<string, AutomatedCheckResult> | undefined) ?? {};
+  const businessCheckKeys = Object.keys(checks).filter((k) => k !== "security");
+  const hasChecks = Boolean(submission.automated_check_results);
+  const hasReadme = Boolean(submission.readme);
+
+  const TABS: Array<{ id: TabId; label: string }> = [
+    { id: "details", label: "Details" },
+    { id: "checks", label: "Automated Checks" },
+    ...(hasReadme ? [{ id: "readme" as TabId, label: "README" }] : []),
+  ];
+
+  return (
+    <Box padding={8}>
+      {/* ── Header ─────────────────────────────────────────────────────── */}
+      <Flex alignItems="center" gap={3} marginBottom={1}>
+        <Button
+          variant="tertiary"
+          startIcon={<ArrowLeft />}
+          size="S"
+          onClick={() => navigate("/plugins/moderation")}
+        >
+          Back
+        </Button>
+        <Box
+          background="neutral200"
+          style={{ width: 1, height: 20, flexShrink: 0 }}
+        />
+        {submission.logo_url && (
+          <Box
+            style={{
+              width: 36,
+              height: 36,
+              borderRadius: 8,
+              overflow: "hidden",
+              border: "1px solid #e3e9ef",
+              flexShrink: 0,
+            }}
+          >
+            <img
+              src={submission.logo_url}
+              alt=""
+              style={{ width: "100%", height: "100%", objectFit: "cover" }}
+            />
+          </Box>
+        )}
+        <Typography variant="alpha" style={{ lineHeight: 1 }}>
+          {submission.plugin_name}
+        </Typography>
+        <StatusBadge status={submission.overall_status} />
+      </Flex>
+
+      {/* Submitted date */}
+      <Box marginBottom={6} paddingLeft={1}>
+        <Typography variant="pi" textColor="neutral400">
+          Submitted{" "}
+          {new Date(submission.createdAt).toLocaleDateString("en-GB", {
+            day: "numeric",
+            month: "short",
+            year: "numeric",
+          })}
+        </Typography>
+      </Box>
+
+      {/* ── Two-column layout ──────────────────────────────────────────── */}
+      <Flex gap={6} alignItems="flex-start">
+        {/* Left column */}
+        <Box style={{ flex: 1, minWidth: 0 }}>
+          {/* Tab nav */}
+          <Flex gap={1} marginBottom={4}>
+            {TABS.map((tab) => (
+              <Button
+                key={tab.id}
+                variant={activeTab === tab.id ? "default" : "tertiary"}
+                size="S"
+                onClick={() => setActiveTab(tab.id)}
+              >
+                {tab.label}
+              </Button>
+            ))}
+          </Flex>
+
+          {/* ── Details tab ── */}
+          {activeTab === "details" && (
+            <Flex direction="column" alignItems="flex-start" gap={4}>
+              {/* Plugin Info */}
+              <Box style={{ width: "100%" }}>
+                <Card title="Plugin Info">
+                  <Box>
+                    <InfoRow
+                      label="Plugin Name"
+                      value={submission.plugin_name}
+                    />
+                    <Divider />
+                    <InfoRow
+                      label="NPM Package"
+                      value={submission.npm_package_name ?? "—"}
+                    />
+                    <Divider />
+                    <InfoRow
+                      label="Package Type"
+                      value={submission.package_type}
+                    />
+                    <Divider />
+                    <InfoRow
+                      label="Git Repository"
+                      value={
+                        <a
+                          href={submission.git_repository}
+                          target="_blank"
+                          rel="noreferrer"
+                          style={{ color: "inherit", textDecoration: "none" }}
+                        >
+                          <Flex as="span" gap={1} alignItems="flex-start">
+                            <Typography
+                              textColor="primary600"
+                              style={{
+                                wordBreak: "break-all",
+                                display: "inline",
+                                textAlign: "left",
+                              }}
+                            >
+                              {submission.git_repository}
+                            </Typography>
+                            <Box style={{ flexShrink: 0, marginTop: 2 }}>
+                              <ExternalLink
+                                aria-hidden
+                                style={{ width: 12, height: 12 }}
+                              />
+                            </Box>
+                          </Flex>
+                        </a>
+                      }
+                    />
+                    {submission.categories_list?.length > 0 && (
+                      <>
+                        <Divider />
+                        <InfoRow
+                          label="Categories"
+                          value={
+                            <Flex gap={1} flexWrap="wrap">
+                              {submission.categories_list.map((c) => (
+                                <CategoryPill key={c} label={c} />
+                              ))}
+                            </Flex>
+                          }
+                        />
+                      </>
+                    )}
+                  </Box>
+                </Card>
+              </Box>
+
+              {/* Description + Owner side by side */}
+              <Flex gap={4} alignItems="flex-start" style={{ width: "100%" }}>
+                <Box style={{ flex: 2, minWidth: 0 }}>
+                  <Card title="Description">
+                    <Typography
+                      textColor="neutral700"
+                      style={{
+                        lineHeight: 1.65,
+                        whiteSpace: "pre-wrap",
+                        display: "block",
+                        textAlign: "left",
+                      }}
+                    >
+                      {submission.description}
+                    </Typography>
+                  </Card>
+                </Box>
+
+                <Box style={{ flex: 1, minWidth: 0 }}>
+                  <Card title="Owner">
+                    <Flex gap={3} alignItems="center">
+                      <Box
+                        background="primary100"
+                        style={{
+                          width: 40,
+                          height: 40,
+                          borderRadius: "50%",
+                          display: "flex",
+                          alignItems: "center",
+                          justifyContent: "center",
+                          flexShrink: 0,
+                        }}
+                      >
+                        <Typography
+                          fontWeight="bold"
+                          textColor="primary600"
+                          variant="beta"
+                        >
+                          {submission.owner_name.charAt(0).toUpperCase()}
+                        </Typography>
+                      </Box>
+                      <Box style={{ minWidth: 0 }}>
+                        <Typography
+                          fontWeight="semiBold"
+                          textColor="neutral800"
+                          style={{
+                            display: "block",
+                            textAlign: "left",
+                            whiteSpace: "nowrap",
+                            overflow: "hidden",
+                            textOverflow: "ellipsis",
+                          }}
+                        >
+                          {submission.owner_name}
+                        </Typography>
+                        <Typography
+                          variant="pi"
+                          textColor="neutral500"
+                          style={{
+                            display: "block",
+                            textAlign: "left",
+                            whiteSpace: "nowrap",
+                            overflow: "hidden",
+                            textOverflow: "ellipsis",
+                          }}
+                        >
+                          {submission.owner_email}
+                        </Typography>
+                      </Box>
+                    </Flex>
+                  </Card>
+                </Box>
+              </Flex>
+
+              {/* Submitter Notes */}
+              {submission.submission_notes && (
+                <Box style={{ width: "100%" }}>
+                  <Card title="Submitter Notes">
+                    <Typography
+                      textColor="neutral700"
+                      style={{
+                        lineHeight: 1.65,
+                        display: "block",
+                        textAlign: "left",
+                      }}
+                    >
+                      {submission.submission_notes}
+                    </Typography>
+                  </Card>
+                </Box>
+              )}
+            </Flex>
+          )}
+
+          {/* ── Automated Checks tab ── */}
+          {activeTab === "checks" && (
+            <Flex
+              direction="column"
+              alignItems="flex-start"
+              gap={4}
+              style={{ width: "100%" }}
+            >
+              {!hasChecks ? (
+                <Box style={{ width: "100%" }}>
+                  <Card>
+                    <Box
+                      background="neutral100"
+                      padding={8}
+                      hasRadius
+                      style={{ textAlign: "center" }}
+                    >
+                      <Typography textColor="neutral500">
+                        Automated checks have not run yet.
+                      </Typography>
+                    </Box>
+                  </Card>
+                </Box>
+              ) : (
+                <>
+                  <Box style={{ width: "100%" }}>
+                    <Card title="Business Checks" noPadding>
+                      <Box paddingLeft={5} paddingRight={5}>
+                        {businessCheckKeys.length === 0 ? (
+                          <Box paddingTop={4} paddingBottom={4}>
+                            <Typography variant="pi" textColor="neutral500">
+                              No business checks recorded.
+                            </Typography>
+                          </Box>
+                        ) : (
+                          businessCheckKeys.map((key, i) => (
+                            <Box
+                              key={key}
+                              borderColor="neutral150"
+                              borderWidth={i > 0 ? "1px 0 0 0" : "0"}
+                              borderStyle="solid"
+                            >
+                              <CheckRow
+                                label={CHECK_LABELS[key] ?? key}
+                                result={checks[key] as AutomatedCheckResult}
+                              />
+                            </Box>
+                          ))
+                        )}
+                      </Box>
+                    </Card>
+                  </Box>
+
+                  <Box style={{ width: "100%" }}>
+                    <Card title="Security Checks" noPadding>
+                      <Box paddingLeft={5} paddingRight={5}>
+                        {Object.keys(securityChecks).length === 0 ? (
+                          <Box paddingTop={4} paddingBottom={4}>
+                            <Box background="neutral100" padding={4} hasRadius>
+                              <Typography variant="pi" textColor="neutral500">
+                                No security checks have run yet.
+                              </Typography>
+                            </Box>
+                          </Box>
+                        ) : (
+                          Object.entries(securityChecks).map(
+                            ([key, result], i) => (
+                              <Box
+                                key={key}
+                                borderColor="neutral150"
+                                borderWidth={i > 0 ? "1px 0 0 0" : "0"}
+                                borderStyle="solid"
+                              >
+                                <CheckRow
+                                  label={CHECK_LABELS[key] ?? key}
+                                  result={result}
+                                />
+                              </Box>
+                            ),
+                          )
+                        )}
+                      </Box>
+                    </Card>
+                  </Box>
+                </>
+              )}
+            </Flex>
+          )}
+
+          {/* ── README tab ── */}
+          {activeTab === "readme" && (
+            <Box style={{ width: "100%" }}>
+              <Card title="README Preview">
+                {hasReadme ? (
+                  <Box
+                    background="neutral100"
+                    padding={4}
+                    hasRadius
+                    style={{
+                      maxHeight: 600,
+                      overflow: "auto",
+                    }}
+                  >
+                    <pre
+                      style={{
+                        margin: 0,
+                        fontFamily:
+                          "'SF Mono', 'Fira Code', 'Fira Mono', 'Roboto Mono', monospace",
+                        fontSize: 12,
+                        lineHeight: 1.75,
+                        color: "#32324d",
+                        whiteSpace: "pre-wrap",
+                        wordBreak: "break-word",
+                      }}
+                    >
+                      {submission.readme}
+                    </pre>
+                  </Box>
+                ) : (
+                  <Typography textColor="neutral500">
+                    No README provided with this submission.
+                  </Typography>
+                )}
+              </Card>
+            </Box>
+          )}
+        </Box>
+
+        {/* Right column — sticky, offset to align with tab content */}
+        <Box
+          style={{
+            width: 360,
+            flexShrink: 0,
+            position: "sticky",
+            top: 24,
+            paddingTop: 48,
+          }}
+        >
+          <ReviewPanel
+            documentId={submission.documentId}
+            initialBusinessStatus={submission.business_review_status}
+            initialSecurityStatus={submission.security_review_status}
+            initialOverallStatus={submission.overall_status}
+            initialFeedback={submission.reviewer_feedback || ""}
+            initialRejectionReason={submission.rejection_reason || ""}
+            initialBusinessNotes={submission.business_review_notes || ""}
+            initialSecurityNotes={submission.security_review_notes || ""}
+            onSaved={load}
+          />
+
+          {submission.promoted_package && (
+            <Box
+              marginTop={4}
+              background="success100"
+              padding={5}
+              hasRadius
+              borderColor="success200"
+              borderWidth="1px"
+              borderStyle="solid"
+            >
+              <Flex direction="column" alignItems="flex-start" gap={3}>
+                <Typography
+                  fontWeight="semiBold"
+                  textColor="success700"
+                  variant="omega"
+                >
+                  Promoted to Package
+                </Typography>
+                <Button
+                  variant="tertiary"
+                  size="S"
+                  endIcon={<ExternalLink />}
+                  onClick={() =>
+                    window.open(
+                      `${window.strapi.backendURL}/admin/content-manager/collection-types/api::package.package/${submission.promoted_package!.documentId}`,
+                      "_blank",
+                    )
+                  }
+                >
+                  Open in Content Manager
+                </Button>
+              </Flex>
+            </Box>
+          )}
+        </Box>
+      </Flex>
+    </Box>
+  );
+};
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
new file mode 100644
index 0000000..75070d5
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
@@ -0,0 +1,226 @@
+import {
+  Badge,
+  Box,
+  Button,
+  Flex,
+  Loader,
+  Table,
+  Tbody,
+  Td,
+  Th,
+  Thead,
+  Tr,
+  Typography,
+} from "@strapi/design-system";
+import { useFetchClient, useNotification } from "@strapi/strapi/admin";
+import { useEffect, useState } from "react";
+import { useNavigate } from "react-router-dom";
+
+export type SubmissionStatus =
+  | "submitted"
+  | "under_review"
+  | "changes_requested"
+  | "rejected"
+  | "approved";
+
+export interface PluginSubmission {
+  documentId: string;
+  plugin_name: string;
+  npm_package_name: string | null;
+  git_repository: string;
+  owner_name: string;
+  owner_email: string;
+  overall_status: SubmissionStatus;
+  business_review_status: "pending" | "approved" | "rejected";
+  security_review_status: "pending" | "approved" | "rejected";
+  createdAt: string;
+}
+
+const statusColour: Record<
+  SubmissionStatus,
+  "primary" | "success" | "warning" | "danger" | "secondary"
+> = {
+  submitted: "secondary",
+  under_review: "primary",
+  changes_requested: "warning",
+  rejected: "danger",
+  approved: "success",
+};
+
+const reviewColour = {
+  pending: "secondary" as const,
+  approved: "success" as const,
+  rejected: "danger" as const,
+};
+
+const STATUS_FILTERS: Array<{ label: string; value: string }> = [
+  { label: "All", value: "" },
+  { label: "Submitted", value: "submitted" },
+  { label: "Under Review", value: "under_review" },
+  { label: "Changes Requested", value: "changes_requested" },
+  { label: "Approved", value: "approved" },
+  { label: "Rejected", value: "rejected" },
+];
+
+export const SubmissionList = () => {
+  const { get } = useFetchClient();
+  const { toggleNotification } = useNotification();
+  const navigate = useNavigate();
+
+  const [submissions, setSubmissions] = useState<PluginSubmission[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [statusFilter, setStatusFilter] = useState("");
+
+  const load = async (status: string) => {
+    setLoading(true);
+    try {
+      const qs = status ? `?status=${status}` : "";
+      const res = await get(`/moderation/submissions${qs}`);
+      setSubmissions(res.data.data ?? []);
+    } catch {
+      toggleNotification({
+        type: "danger",
+        message: "Failed to load submissions.",
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    load(statusFilter);
+  }, [statusFilter]);
+
+  return (
+    <Box padding={8}>
+      <Flex justifyContent="space-between" alignItems="center" marginBottom={6}>
+        <Typography variant="alpha">Plugin Submissions</Typography>
+        <Typography variant="omega" textColor="neutral600">
+          {submissions.length} submission{submissions.length !== 1 ? "s" : ""}
+        </Typography>
+      </Flex>
+
+      {/* Status filter tabs */}
+      <Flex gap={2} marginBottom={6} flexWrap="wrap">
+        {STATUS_FILTERS.map((f) => (
+          <Button
+            key={f.value}
+            variant={statusFilter === f.value ? "default" : "tertiary"}
+            size="S"
+            onClick={() => setStatusFilter(f.value)}
+          >
+            {f.label}
+          </Button>
+        ))}
+      </Flex>
+
+      {loading ? (
+        <Flex justifyContent="center" padding={8}>
+          <Loader />
+        </Flex>
+      ) : submissions.length === 0 ? (
+        <Box padding={8} background="neutral100" hasRadius>
+          <Typography textColor="neutral600" textAlign="center">
+            No submissions found.
+          </Typography>
+        </Box>
+      ) : (
+        <Table colCount={7} rowCount={submissions.length}>
+          <Thead>
+            <Tr>
+              <Th>
+                <Typography variant="sigma">Plugin Name</Typography>
+              </Th>
+              <Th>
+                <Typography variant="sigma">Owner</Typography>
+              </Th>
+              <Th>
+                <Typography variant="sigma">Status</Typography>
+              </Th>
+              <Th>
+                <Typography variant="sigma">Business</Typography>
+              </Th>
+              <Th>
+                <Typography variant="sigma">Security</Typography>
+              </Th>
+              <Th>
+                <Typography variant="sigma">Submitted</Typography>
+              </Th>
+              <Th>
+                <Typography variant="sigma">Actions</Typography>
+              </Th>
+            </Tr>
+          </Thead>
+          <Tbody>
+            {submissions.map((s) => (
+              <Tr key={s.documentId}>
+                <Td>
+                  <Flex direction="column" alignItems="flex-start" gap={1}>
+                    <Typography fontWeight="semiBold">
+                      {s.plugin_name}
+                    </Typography>
+                    {s.npm_package_name && (
+                      <Typography variant="pi" textColor="neutral600">
+                        {s.npm_package_name}
+                      </Typography>
+                    )}
+                  </Flex>
+                </Td>
+                <Td>
+                  <Flex direction="column" alignItems="flex-start" gap={1}>
+                    <Typography>{s.owner_name}</Typography>
+                    <Typography variant="pi" textColor="neutral600">
+                      {s.owner_email}
+                    </Typography>
+                  </Flex>
+                </Td>
+                <Td>
+                  <Badge
+                    active={false}
+                    backgroundColor={`${statusColour[s.overall_status]}100`}
+                  >
+                    {s.overall_status.replace("_", " ")}
+                  </Badge>
+                </Td>
+                <Td>
+                  <Badge
+                    active={false}
+                    backgroundColor={`${reviewColour[s.business_review_status]}100`}
+                  >
+                    {s.business_review_status}
+                  </Badge>
+                </Td>
+                <Td>
+                  <Badge
+                    active={false}
+                    backgroundColor={`${reviewColour[s.security_review_status]}100`}
+                  >
+                    {s.security_review_status}
+                  </Badge>
+                </Td>
+                <Td>
+                  <Typography variant="pi">
+                    {new Date(s.createdAt).toLocaleDateString()}
+                  </Typography>
+                </Td>
+                <Td>
+                  <Button
+                    variant="tertiary"
+                    size="S"
+                    onClick={() =>
+                      navigate(
+                        `/plugins/moderation/submissions/${s.documentId}`,
+                      )
+                    }
+                  >
+                    Review
+                  </Button>
+                </Td>
+              </Tr>
+            ))}
+          </Tbody>
+        </Table>
+      )}
+    </Box>
+  );
+};
diff --git a/apps/cms/src/plugins/moderation/package.json b/apps/cms/src/plugins/moderation/package.json
new file mode 100644
index 0000000..98f7287
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/package.json
@@ -0,0 +1,19 @@
+{
+  "name": "moderation",
+  "version": "0.0.1",
+  "strapi": {
+    "name": "moderation",
+    "displayName": "Moderation",
+    "description": "Review and approve incoming plugin submissions before they are published to the marketplace",
+    "kind": "plugin"
+  },
+  "exports": {
+    "./strapi-server": {
+      "require": "./strapi-server.js"
+    },
+    "./strapi-admin": {
+      "source": "./admin/src/index.tsx",
+      "import": "./admin/src/index.tsx"
+    }
+  }
+}
diff --git a/apps/cms/src/plugins/moderation/server/content-types/index.js b/apps/cms/src/plugins/moderation/server/content-types/index.js
new file mode 100644
index 0000000..e8a3051
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/content-types/index.js
@@ -0,0 +1,3 @@
+module.exports = {
+  "plugin-submission": require("./plugin-submission"),
+};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js
new file mode 100644
index 0000000..2fb2f3b
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js
@@ -0,0 +1,3 @@
+module.exports = {
+  schema: require("./schema.json"),
+};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
new file mode 100644
index 0000000..18c6b82
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
@@ -0,0 +1,117 @@
+{
+  "kind": "collectionType",
+  "collectionName": "plugin_submissions",
+  "info": {
+    "singularName": "plugin-submission",
+    "pluralName": "plugin-submissions",
+    "displayName": "Plugin Submission",
+    "description": "Incoming plugin submissions awaiting moderation before publication"
+  },
+  "options": {
+    "draftAndPublish": false
+  },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "plugin_name": {
+      "type": "string",
+      "required": true
+    },
+    "npm_package_name": {
+      "type": "string"
+    },
+    "description": {
+      "type": "text",
+      "required": true
+    },
+    "git_repository": {
+      "type": "string",
+      "required": true
+    },
+    "logo_url": {
+      "type": "string"
+    },
+    "package_type": {
+      "type": "enumeration",
+      "enum": ["plugin", "provider", "sdk", "tool"],
+      "default": "plugin",
+      "required": true
+    },
+    "categories_list": {
+      "type": "json",
+      "default": []
+    },
+    "owner_name": {
+      "type": "string",
+      "required": true
+    },
+    "owner_email": {
+      "type": "string",
+      "required": true
+    },
+    "maintainers_list": {
+      "type": "json",
+      "default": []
+    },
+    "readme": {
+      "type": "richtext"
+    },
+    "submission_notes": {
+      "type": "text"
+    },
+    "submitter_agreed_to_terms": {
+      "type": "boolean",
+      "default": false,
+      "required": true
+    },
+    "submitter_ip": {
+      "type": "string"
+    },
+    "overall_status": {
+      "type": "enumeration",
+      "enum": [
+        "submitted",
+        "under_review",
+        "changes_requested",
+        "rejected",
+        "approved"
+      ],
+      "default": "submitted",
+      "required": true
+    },
+    "business_review_status": {
+      "type": "enumeration",
+      "enum": ["pending", "approved", "rejected"],
+      "default": "pending",
+      "required": true
+    },
+    "security_review_status": {
+      "type": "enumeration",
+      "enum": ["pending", "approved", "rejected"],
+      "default": "pending",
+      "required": true
+    },
+    "reviewer_feedback": {
+      "type": "text"
+    },
+    "rejection_reason": {
+      "type": "text"
+    },
+    "business_review_notes": {
+      "type": "text"
+    },
+    "security_review_notes": {
+      "type": "text"
+    },
+    "automated_check_results": {
+      "type": "json"
+    },
+    "promoted_package": {
+      "type": "relation",
+      "relation": "oneToOne",
+      "target": "api::package.package"
+    }
+  }
+}
diff --git a/apps/cms/src/plugins/moderation/server/controllers/index.js b/apps/cms/src/plugins/moderation/server/controllers/index.js
new file mode 100644
index 0000000..e8a3051
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/controllers/index.js
@@ -0,0 +1,3 @@
+module.exports = {
+  "plugin-submission": require("./plugin-submission"),
+};
diff --git a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
new file mode 100644
index 0000000..15d7a4b
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
@@ -0,0 +1,130 @@
+/**
+ * Plugin submission controller.
+ *
+ * Exposes two sets of endpoints:
+ *  - content-api: public-facing submission endpoint (called through Next.js proxy)
+ *  - admin: moderation endpoints for super admins
+ */
+
+const service = (strapi) =>
+  strapi.plugin("moderation").service("plugin-submission");
+
+module.exports = ({ strapi }) => ({
+  /**
+   * POST /api/moderation/plugin-submissions
+   * Accepts a new plugin submission from the public.
+   * Called by the Next.js proxy, never directly from the browser.
+   */
+  async create(ctx) {
+    const body = ctx.request.body?.data || ctx.request.body;
+
+    const required = [
+      "plugin_name",
+      "description",
+      "git_repository",
+      "owner_name",
+      "owner_email",
+    ];
+    const missing = required.filter((f) => !body[f]?.toString().trim());
+    if (missing.length > 0) {
+      return ctx.badRequest(`Missing required fields: ${missing.join(", ")}`);
+    }
+
+    if (!body.submitter_agreed_to_terms) {
+      return ctx.badRequest("You must agree to the terms before submitting.");
+    }
+
+    const submitterIp =
+      ctx.request.headers["x-forwarded-for"]?.split(",")[0]?.trim() ||
+      ctx.request.ip ||
+      null;
+
+    try {
+      const submission = await service(strapi).createSubmission(
+        body,
+        submitterIp,
+      );
+      ctx.created({ data: { documentId: submission.documentId } });
+    } catch (err) {
+      strapi.log.error(`[moderation] Submission create error: ${err.message}`);
+      ctx.internalServerError("Failed to create submission.");
+    }
+  },
+
+  /**
+   * GET /moderation/submissions
+   * List all plugin submissions (admin only).
+   */
+  async find(ctx) {
+    const { status, page, pageSize } = ctx.query;
+    const submissions = await service(strapi).listSubmissions({
+      status,
+      page: Number(page) || 1,
+      pageSize: Number(pageSize) || 25,
+    });
+    ctx.body = { data: submissions };
+  },
+
+  /**
+   * GET /moderation/submissions/:documentId
+   * Fetch a single submission (admin only).
+   */
+  async findOne(ctx) {
+    const { documentId } = ctx.params;
+    const submission = await service(strapi).getSubmission(documentId);
+    if (!submission) return ctx.notFound("Submission not found.");
+    ctx.body = { data: submission };
+  },
+
+  /**
+   * PUT /moderation/submissions/:documentId/review
+   * Update review status fields on a submission (admin only).
+   */
+  async updateReview(ctx) {
+    const { documentId } = ctx.params;
+    const body = ctx.request.body?.data || ctx.request.body;
+
+    try {
+      const updated = await service(strapi).updateReview(documentId, body);
+      ctx.body = { data: updated };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+
+  /**
+   * POST /moderation/submissions/:documentId/promote
+   * Promote an approved submission to a real package entry (admin only).
+   */
+  async promote(ctx) {
+    const { documentId } = ctx.params;
+
+    try {
+      const pkg = await service(strapi).promoteToPackage(documentId);
+      ctx.body = { data: pkg };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+
+  /**
+   * POST /moderation/submissions/:documentId/decide
+   * Reject a submission or request changes (admin only).
+   */
+  async decide(ctx) {
+    const { documentId } = ctx.params;
+    const body = ctx.request.body?.data || ctx.request.body;
+    const { status, reason, feedback } = body;
+
+    try {
+      const updated = await service(strapi).rejectOrRequestChanges(documentId, {
+        status,
+        reason,
+        feedback,
+      });
+      ctx.body = { data: updated };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+});
diff --git a/apps/cms/src/plugins/moderation/server/index.js b/apps/cms/src/plugins/moderation/server/index.js
new file mode 100644
index 0000000..5a88cd4
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/index.js
@@ -0,0 +1,6 @@
+module.exports = {
+  contentTypes: require("./content-types"),
+  controllers: require("./controllers"),
+  services: require("./services"),
+  routes: require("./routes"),
+};
diff --git a/apps/cms/src/plugins/moderation/server/routes/index.js b/apps/cms/src/plugins/moderation/server/routes/index.js
new file mode 100644
index 0000000..032a163
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/routes/index.js
@@ -0,0 +1 @@
+module.exports = require("./plugin-submission");
diff --git a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
new file mode 100644
index 0000000..ccca2cf
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
@@ -0,0 +1,53 @@
+module.exports = {
+  "content-api": {
+    type: "content-api",
+    routes: [
+      {
+        method: "POST",
+        path: "/plugin-submissions",
+        handler: "plugin-submission.create",
+        config: {
+          // Public endpoint — auth is handled at the Next.js proxy layer.
+          // The proxy must include a valid API token via Authorization header.
+          auth: false,
+          policies: [],
+        },
+      },
+    ],
+  },
+  admin: {
+    type: "admin",
+    routes: [
+      {
+        method: "GET",
+        path: "/submissions",
+        handler: "plugin-submission.find",
+        config: { policies: [] },
+      },
+      {
+        method: "GET",
+        path: "/submissions/:documentId",
+        handler: "plugin-submission.findOne",
+        config: { policies: [] },
+      },
+      {
+        method: "PUT",
+        path: "/submissions/:documentId/review",
+        handler: "plugin-submission.updateReview",
+        config: { policies: [] },
+      },
+      {
+        method: "POST",
+        path: "/submissions/:documentId/promote",
+        handler: "plugin-submission.promote",
+        config: { policies: [] },
+      },
+      {
+        method: "POST",
+        path: "/submissions/:documentId/decide",
+        handler: "plugin-submission.decide",
+        config: { policies: [] },
+      },
+    ],
+  },
+};
diff --git a/apps/cms/src/plugins/moderation/server/services/automated-checks.js b/apps/cms/src/plugins/moderation/server/services/automated-checks.js
new file mode 100644
index 0000000..cf302b8
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/automated-checks.js
@@ -0,0 +1,384 @@
+/**
+ * Automated checks run at submission time.
+ *
+ * Supports GitHub and GitLab repositories. Provider is detected from the URL;
+ * all check functions dispatch to the right API internally.
+ *
+ * Results are stored as JSON on the submission record in automated_check_results.
+ */
+
+// ---------------------------------------------------------------------------
+// URL / provider helpers
+// ---------------------------------------------------------------------------
+
+function parseUrl(raw) {
+  let href = (raw || "").trim();
+  if (!href) return null;
+  if (!/^https?:\/\//i.test(href)) href = `https://${href}`;
+  try {
+    return new URL(href);
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Detect which Git provider hosts the repository and return structured info.
+ *
+ * Returns one of:
+ *   { provider: 'github', owner, repo }
+ *   { provider: 'gitlab', projectPath, encoded }   (encoded = URI-encoded path)
+ *   { provider: 'unknown' }
+ *   null  — if the URL is unparseable
+ */
+function parseRepoInfo(gitRepository) {
+  const url = parseUrl(gitRepository);
+  if (!url) return null;
+
+  const hostname = url.hostname.replace(/^www\./i, "").toLowerCase();
+  const cleanPath = url.pathname
+    .replace(/^\//, "")
+    .replace(/\.git$/, "")
+    .replace(/\/$/, "");
+
+  if (hostname === "github.com") {
+    const parts = cleanPath.split("/");
+    if (parts.length < 2 || !parts[0] || !parts[1]) return null;
+    return { provider: "github", owner: parts[0], repo: parts[1] };
+  }
+
+  if (hostname === "gitlab.com" || hostname.endsWith(".gitlab.com")) {
+    if (!cleanPath) return null;
+    return {
+      provider: "gitlab",
+      projectPath: cleanPath,
+      encoded: encodeURIComponent(cleanPath),
+    };
+  }
+
+  return { provider: "unknown" };
+}
+
+// ---------------------------------------------------------------------------
+// GitHub API helpers
+// ---------------------------------------------------------------------------
+
+function githubHeaders() {
+  const headers = { Accept: "application/vnd.github+json" };
+  if (process.env.GITHUB_TOKEN) {
+    headers.Authorization = `Bearer ${process.env.GITHUB_TOKEN}`;
+  }
+  return headers;
+}
+
+async function githubFetch(path) {
+  return fetch(`https://api.github.com${path}`, { headers: githubHeaders() });
+}
+
+// ---------------------------------------------------------------------------
+// GitLab API helpers
+// ---------------------------------------------------------------------------
+
+function gitlabHeaders() {
+  const headers = { Accept: "application/json" };
+  if (process.env.GITLAB_TOKEN) {
+    // GitLab supports both header styles; PRIVATE-TOKEN is more universally supported.
+    headers["PRIVATE-TOKEN"] = process.env.GITLAB_TOKEN;
+  }
+  return headers;
+}
+
+async function gitlabFetch(path) {
+  return fetch(`https://gitlab.com/api/v4${path}`, {
+    headers: gitlabHeaders(),
+  });
+}
+
+/**
+ * Attempt to fetch a raw file from GitLab across common default branches.
+ * Returns the Response if found, or null.
+ */
+async function gitlabRawFile(encoded, filePath) {
+  const encodedFile = encodeURIComponent(filePath);
+  const branches = ["main", "master", "HEAD"];
+  for (const ref of branches) {
+    try {
+      const res = await gitlabFetch(
+        `/projects/${encoded}/repository/files/${encodedFile}/raw?ref=${ref}`,
+      );
+      if (res.ok) return res;
+    } catch {
+      // try next ref
+    }
+  }
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Check: repository is public
+// ---------------------------------------------------------------------------
+
+async function checkRepoPublic(gitRepository) {
+  const info = parseRepoInfo(gitRepository);
+
+  if (!info) {
+    return { passed: null, message: "Could not parse repository URL." };
+  }
+
+  if (info.provider === "github") {
+    try {
+      const res = await githubFetch(`/repos/${info.owner}/${info.repo}`);
+      if (res.status === 404) {
+        return {
+          passed: false,
+          message: "Repository not found or is private.",
+        };
+      }
+      if (!res.ok) {
+        return { passed: null, message: `GitHub API returned ${res.status}.` };
+      }
+      const data = await res.json();
+      const isPublic = !data.private;
+      return {
+        passed: isPublic,
+        message: isPublic ? "Repository is public." : "Repository is private.",
+      };
+    } catch (err) {
+      return { passed: null, message: `GitHub check failed: ${err.message}` };
+    }
+  }
+
+  if (info.provider === "gitlab") {
+    try {
+      const res = await gitlabFetch(`/projects/${info.encoded}`);
+      if (res.status === 404) {
+        return {
+          passed: false,
+          message: "Repository not found or is private.",
+        };
+      }
+      if (!res.ok) {
+        return { passed: null, message: `GitLab API returned ${res.status}.` };
+      }
+      const data = await res.json();
+      const isPublic = data.visibility === "public";
+      return {
+        passed: isPublic,
+        message: isPublic
+          ? "Repository is public."
+          : `Repository visibility is "${data.visibility}".`,
+      };
+    } catch (err) {
+      return { passed: null, message: `GitLab check failed: ${err.message}` };
+    }
+  }
+
+  return {
+    passed: null,
+    skipped: true,
+    message: `Unsupported provider; manual check required.`,
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Check: README exists
+// ---------------------------------------------------------------------------
+
+async function checkReadmeExists(gitRepository) {
+  const info = parseRepoInfo(gitRepository);
+
+  if (!info) {
+    return { passed: null, message: "Could not parse repository URL." };
+  }
+
+  if (info.provider === "github") {
+    try {
+      const res = await githubFetch(`/repos/${info.owner}/${info.repo}/readme`);
+      if (res.ok)
+        return { passed: true, message: "README found in repository." };
+      if (res.status === 404)
+        return { passed: false, message: "No README found." };
+      return { passed: null, message: `GitHub API returned ${res.status}.` };
+    } catch (err) {
+      return { passed: null, message: `GitHub check failed: ${err.message}` };
+    }
+  }
+
+  if (info.provider === "gitlab") {
+    // Try common README filenames
+    const candidates = ["README.md", "README.rst", "README.txt", "README"];
+    for (const name of candidates) {
+      try {
+        const res = await gitlabRawFile(info.encoded, name);
+        if (res) return { passed: true, message: `README found (${name}).` };
+      } catch {
+        // continue
+      }
+    }
+    return { passed: false, message: "No README found in repository root." };
+  }
+
+  return {
+    passed: null,
+    skipped: true,
+    message: "Unsupported provider; manual check required.",
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Fetch package.json (provider-aware)
+// ---------------------------------------------------------------------------
+
+async function fetchPackageJson(info) {
+  if (info.provider === "github") {
+    const branches = ["main", "master"];
+    for (const branch of branches) {
+      try {
+        const res = await fetch(
+          `https://raw.githubusercontent.com/${info.owner}/${info.repo}/${branch}/package.json`,
+        );
+        if (res.ok) return await res.json();
+      } catch {
+        // try next branch
+      }
+    }
+    return null;
+  }
+
+  if (info.provider === "gitlab") {
+    const res = await gitlabRawFile(info.encoded, "package.json");
+    if (!res) return null;
+    try {
+      return await res.json();
+    } catch {
+      return null;
+    }
+  }
+
+  return null;
+}
+
+// ---------------------------------------------------------------------------
+// Check: MIT license
+// ---------------------------------------------------------------------------
+
+async function checkMitLicense(gitRepository, npmPackageName) {
+  const info = parseRepoInfo(gitRepository);
+  let pkg = null;
+
+  if (info && info.provider !== "unknown") {
+    pkg = await fetchPackageJson(info);
+  }
+
+  // Fallback: npm registry
+  if (!pkg && npmPackageName) {
+    try {
+      const res = await fetch(
+        `https://registry.npmjs.org/${encodeURIComponent(npmPackageName)}/latest`,
+      );
+      if (res.ok) pkg = await res.json();
+    } catch {
+      // ignore
+    }
+  }
+
+  if (!pkg) {
+    return {
+      passed: null,
+      message: "Could not retrieve package.json to verify license.",
+    };
+  }
+
+  const license = (pkg.license || "").toLowerCase().trim();
+  const isMit = license === "mit";
+  return {
+    passed: isMit,
+    message: isMit
+      ? "License is MIT."
+      : `License is "${pkg.license || "not specified"}"; MIT is required.`,
+    detail: { license: pkg.license },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Check: Strapi peer dependency
+// ---------------------------------------------------------------------------
+
+async function checkStrapiPeerDep(gitRepository, npmPackageName) {
+  const info = parseRepoInfo(gitRepository);
+  let pkg = null;
+
+  if (info && info.provider !== "unknown") {
+    pkg = await fetchPackageJson(info);
+  }
+
+  if (!pkg && npmPackageName) {
+    try {
+      const res = await fetch(
+        `https://registry.npmjs.org/${encodeURIComponent(npmPackageName)}/latest`,
+      );
+      if (res.ok) pkg = await res.json();
+    } catch {
+      // ignore
+    }
+  }
+
+  if (!pkg) {
+    return {
+      passed: null,
+      message: "Could not retrieve package.json to verify peer dependencies.",
+    };
+  }
+
+  const peerDeps = pkg.peerDependencies || {};
+  const hasStrapi = "@strapi/strapi" in peerDeps || "strapi" in peerDeps;
+  return {
+    passed: hasStrapi,
+    message: hasStrapi
+      ? "Strapi is listed as a peer dependency."
+      : "Strapi is not listed as a peer dependency.",
+    detail: { peerDependencies: peerDeps },
+  };
+}
+
+// ---------------------------------------------------------------------------
+// Main entry point
+// ---------------------------------------------------------------------------
+
+async function runAutomatedChecks({ git_repository, npm_package_name }) {
+  const [repoPublic, readmeExists, mitLicense, strapiPeerDep] =
+    await Promise.allSettled([
+      checkRepoPublic(git_repository),
+      checkReadmeExists(git_repository),
+      checkMitLicense(git_repository, npm_package_name),
+      checkStrapiPeerDep(git_repository, npm_package_name),
+    ]);
+
+  const resolve = (settled) =>
+    settled.status === "fulfilled"
+      ? settled.value
+      : { passed: null, message: settled.reason?.message || "Check error." };
+
+  // Detect provider for the result metadata
+  const info = parseRepoInfo(git_repository);
+  const provider = info?.provider ?? "unknown";
+
+  return {
+    runAt: new Date().toISOString(),
+    provider,
+    checks: {
+      repo_public: resolve(repoPublic),
+      readme_exists: resolve(readmeExists),
+      mit_license: resolve(mitLicense),
+      strapi_peer_dep: resolve(strapiPeerDep),
+      // Enterprise competition requires human review regardless of provider.
+      enterprise_competition: {
+        passed: null,
+        skipped: true,
+        message: "Requires manual business review.",
+      },
+    },
+  };
+}
+
+module.exports = { runAutomatedChecks };
diff --git a/apps/cms/src/plugins/moderation/server/services/index.js b/apps/cms/src/plugins/moderation/server/services/index.js
new file mode 100644
index 0000000..e8a3051
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/index.js
@@ -0,0 +1,3 @@
+module.exports = {
+  "plugin-submission": require("./plugin-submission"),
+};
diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
new file mode 100644
index 0000000..ba73b07
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
@@ -0,0 +1,271 @@
+/**
+ * Plugin submission service.
+ *
+ * Architecture choice: Option B — separate moderation content type.
+ *
+ * Incoming submissions are stored as `plugin::moderation.plugin-submission`
+ * records and go through two independent review tracks (business + security)
+ * before a moderator can promote them to a real `api::package.package` entry.
+ *
+ * This keeps unapproved submissions completely isolated from the live package
+ * catalogue and supports full review auditability.
+ */
+
+const { runAutomatedChecks } = require("./automated-checks");
+const { runSecurityChecks } = require("./security-checks");
+
+const CONTENT_TYPE = "plugin::moderation.plugin-submission";
+
+module.exports = ({ strapi }) => ({
+  /**
+   * Create a new submission and immediately kick off automated checks.
+   * Called by the public-facing API endpoint proxied through Next.js.
+   */
+  async createSubmission(data, submitterIp) {
+    const submission = await strapi.documents(CONTENT_TYPE).create({
+      data: {
+        plugin_name: data.plugin_name,
+        npm_package_name: data.npm_package_name || null,
+        description: data.description,
+        git_repository: data.git_repository,
+        logo_url: data.logo_url || null,
+        package_type: data.package_type || "plugin",
+        categories_list: data.categories_list || [],
+        owner_name: data.owner_name,
+        owner_email: data.owner_email,
+        maintainers_list: data.maintainers_list || [],
+        readme: data.readme || null,
+        submission_notes: data.submission_notes || null,
+        submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
+        submitter_ip: submitterIp || null,
+        overall_status: "submitted",
+        business_review_status: "pending",
+        security_review_status: "pending",
+        automated_check_results: null,
+      },
+    });
+
+    // Run checks asynchronously so the submission response is fast.
+    // Results are saved back to the record once available.
+    this.runChecksAsync(submission.documentId, {
+      git_repository: data.git_repository,
+      npm_package_name: data.npm_package_name,
+      plugin_name: data.plugin_name,
+    }).catch((err) => {
+      strapi.log.error(
+        `[moderation] Async checks failed for submission ${submission.documentId}: ${err.message}`,
+      );
+    });
+
+    // TODO: Trigger n8n "submission received" workflow here.
+    // Example: await triggerN8nWorkflow('plugin-submission-received', { submissionId: submission.documentId });
+
+    return submission;
+  },
+
+  /**
+   * Run all automated and security checks, then save results to the submission.
+   * Called internally after creation; not exposed as a public endpoint.
+   */
+  async runChecksAsync(
+    documentId,
+    { git_repository, npm_package_name, plugin_name },
+  ) {
+    const [businessChecks, securityChecks] = await Promise.allSettled([
+      runAutomatedChecks({ git_repository, npm_package_name }),
+      runSecurityChecks({ git_repository, npm_package_name, plugin_name }),
+    ]);
+
+    const automated =
+      businessChecks.status === "fulfilled" ? businessChecks.value : null;
+    const security =
+      securityChecks.status === "fulfilled" ? securityChecks.value : null;
+
+    const combined = {
+      ...(automated || {}),
+      checks: {
+        ...(automated?.checks || {}),
+        security: security || {},
+      },
+    };
+
+    await strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        automated_check_results: combined,
+        overall_status: "under_review",
+      },
+    });
+  },
+
+  /**
+   * Update review status fields for a submission.
+   * Enforces the rule: overall approval requires BOTH review tracks to pass.
+   */
+  async updateReview(documentId, reviewData) {
+    const {
+      business_review_status,
+      security_review_status,
+      reviewer_feedback,
+      rejection_reason,
+      business_review_notes,
+      security_review_notes,
+      overall_status,
+    } = reviewData;
+
+    // Derive computed overall status if both review tracks have a result.
+    let computedOverall = overall_status;
+    if (business_review_status && security_review_status) {
+      if (
+        business_review_status === "approved" &&
+        security_review_status === "approved"
+      ) {
+        // Both passed — moderator may set to approved, but keep any explicit override.
+        if (!overall_status || overall_status === "under_review") {
+          computedOverall = "approved";
+        }
+      } else if (
+        business_review_status === "rejected" ||
+        security_review_status === "rejected"
+      ) {
+        // At least one review failed — cannot be approved regardless.
+        if (overall_status === "approved") {
+          throw new Error(
+            "Cannot approve a submission when either business or security review has been rejected.",
+          );
+        }
+      }
+    }
+
+    return strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        ...(business_review_status && { business_review_status }),
+        ...(security_review_status && { security_review_status }),
+        ...(reviewer_feedback !== undefined && { reviewer_feedback }),
+        ...(rejection_reason !== undefined && { rejection_reason }),
+        ...(business_review_notes !== undefined && { business_review_notes }),
+        ...(security_review_notes !== undefined && { security_review_notes }),
+        ...(computedOverall && { overall_status: computedOverall }),
+      },
+    });
+  },
+
+  /**
+   * Promote an approved submission to a real package entry.
+   * Can only be called when both review tracks have passed and overall_status is 'approved'.
+   *
+   * The promoted package is created in draft state. A moderator publishes it manually
+   * in the content manager, giving a final human sign-off before it goes live.
+   */
+  async promoteToPackage(documentId) {
+    const submission = await strapi.documents(CONTENT_TYPE).findOne({
+      documentId,
+    });
+
+    if (!submission) {
+      throw new Error("Submission not found.");
+    }
+
+    if (submission.overall_status !== "approved") {
+      throw new Error("Submission must be approved before promotion.");
+    }
+    if (submission.business_review_status !== "approved") {
+      throw new Error("Business review must be approved before promotion.");
+    }
+    if (submission.security_review_status !== "approved") {
+      throw new Error("Security review must be approved before promotion.");
+    }
+    if (submission.promoted_package) {
+      throw new Error("Submission has already been promoted to a package.");
+    }
+
+    // Create the package entry in draft state. Publish step is manual.
+    const pkg = await strapi.documents("api::package.package").create({
+      data: {
+        name: submission.plugin_name,
+        description: submission.description,
+        git_repository: submission.git_repository,
+        package_location: submission.npm_package_name || null,
+        type: submission.package_type,
+        readme: submission.readme || null,
+        labels: {
+          official: false,
+          featured: false,
+          paid: false,
+        },
+      },
+    });
+
+    // Link the submission to the new package.
+    await strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: { promoted_package: { connect: [{ documentId: pkg.documentId }] } },
+    });
+
+    // TODO: Trigger n8n "submission approved" workflow here.
+    // Example: await triggerN8nWorkflow('plugin-submission-approved', {
+    //   submissionId: documentId,
+    //   packageId: pkg.documentId,
+    //   ownerEmail: submission.owner_email,
+    // });
+
+    return pkg;
+  },
+
+  /**
+   * Mark a submission as rejected or changes-requested and store reviewer feedback.
+   * Triggers the appropriate n8n workflow (TODO).
+   */
+  async rejectOrRequestChanges(documentId, { status, reason, feedback }) {
+    if (!["rejected", "changes_requested"].includes(status)) {
+      throw new Error("Status must be 'rejected' or 'changes_requested'.");
+    }
+
+    const updated = await strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        overall_status: status,
+        rejection_reason: reason || null,
+        reviewer_feedback: feedback || null,
+      },
+    });
+
+    if (status === "rejected") {
+      // TODO: Trigger n8n "submission rejected" workflow.
+      // Example: await triggerN8nWorkflow('plugin-submission-rejected', {
+      //   submissionId: documentId,
+      //   ownerEmail: updated.owner_email,
+      //   reason,
+      // });
+    } else {
+      // TODO: Trigger n8n "changes requested" workflow.
+      // Example: await triggerN8nWorkflow('plugin-submission-changes-requested', {
+      //   submissionId: documentId,
+      //   ownerEmail: updated.owner_email,
+      //   feedback,
+      // });
+    }
+
+    return updated;
+  },
+
+  /**
+   * List submissions with optional status filter and pagination.
+   */
+  async listSubmissions({ status, page = 1, pageSize = 25 } = {}) {
+    const filters = status ? { overall_status: { $eq: status } } : {};
+    return strapi.documents(CONTENT_TYPE).findMany({
+      filters,
+      sort: { createdAt: "desc" },
+      pagination: { page, pageSize },
+    });
+  },
+
+  /**
+   * Fetch a single submission by documentId.
+   */
+  async getSubmission(documentId) {
+    return strapi.documents(CONTENT_TYPE).findOne({ documentId });
+  },
+});
diff --git a/apps/cms/src/plugins/moderation/server/services/security-checks.js b/apps/cms/src/plugins/moderation/server/services/security-checks.js
new file mode 100644
index 0000000..e641c5d
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/security-checks.js
@@ -0,0 +1,109 @@
+/**
+ * Security checks service.
+ *
+ * Placeholder structure for the security review pipeline.
+ * The scaffolding here is designed so real implementations can be dropped in
+ * without restructuring the calling code.
+ *
+ * Future integrations to wire in:
+ *  - npm audit / Socket.dev / Snyk for dependency scanning
+ *  - GitHub advisory / OSV database lookups
+ *  - Claude API for AI-powered code/dependency analysis
+ */
+
+/**
+ * Check the npm registry for known security advisories.
+ *
+ * TODO: Integrate with https://registry.npmjs.org/-/npm/v1/security/advisories
+ *       or Socket.dev API (requires SOCKET_API_KEY env var).
+ */
+async function checkNpmAdvisories(npmPackageName) {
+  if (!npmPackageName) {
+    return {
+      passed: null,
+      skipped: true,
+      message: "No npm package name provided; skipping advisory check.",
+    };
+  }
+
+  // TODO: implement real advisory lookup
+  return {
+    passed: null,
+    skipped: true,
+    message:
+      "npm advisory check not yet implemented — requires SOCKET_API_KEY.",
+  };
+}
+
+/**
+ * Scan package dependencies for known vulnerabilities.
+ *
+ * TODO: Fetch package.json, enumerate dependencies, and cross-reference
+ *       against the OSV (https://osv.dev) or GitHub Advisory database.
+ */
+async function checkDependencyVulnerabilities(gitRepository, npmPackageName) {
+  // TODO: implement dependency scanning
+  return {
+    passed: null,
+    skipped: true,
+    message:
+      "Dependency vulnerability scan not yet implemented — planned for v2.",
+  };
+}
+
+/**
+ * Run an AI-powered security analysis using the Claude API.
+ *
+ * TODO: Use @anthropic-ai/sdk to analyse:
+ *  - README content for red flags
+ *  - Package metadata for suspicious patterns
+ *  - Known malicious package name patterns (typosquatting etc.)
+ *
+ * Requires ANTHROPIC_API_KEY env var.
+ */
+async function runAiSecurityAnalysis({
+  pluginName,
+  npmPackageName,
+  gitRepository,
+}) {
+  // TODO: implement Claude API integration
+  return {
+    passed: null,
+    skipped: true,
+    message:
+      "AI security analysis not yet implemented — requires ANTHROPIC_API_KEY.",
+  };
+}
+
+/**
+ * Run all security checks for a submission.
+ * Returns structured results to be merged into automated_check_results.
+ */
+async function runSecurityChecks({
+  git_repository,
+  npm_package_name,
+  plugin_name,
+}) {
+  const [advisories, dependencies, aiAnalysis] = await Promise.allSettled([
+    checkNpmAdvisories(npm_package_name),
+    checkDependencyVulnerabilities(git_repository, npm_package_name),
+    runAiSecurityAnalysis({
+      pluginName: plugin_name,
+      npmPackageName: npm_package_name,
+      gitRepository: git_repository,
+    }),
+  ]);
+
+  const resolve = (settled) =>
+    settled.status === "fulfilled"
+      ? settled.value
+      : { passed: null, message: settled.reason?.message || "Check error." };
+
+  return {
+    npm_advisories: resolve(advisories),
+    dependency_vulnerabilities: resolve(dependencies),
+    ai_analysis: resolve(aiAnalysis),
+  };
+}
+
+module.exports = { runSecurityChecks };
diff --git a/apps/cms/src/plugins/moderation/strapi-server.js b/apps/cms/src/plugins/moderation/strapi-server.js
new file mode 100644
index 0000000..9c7c784
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/strapi-server.js
@@ -0,0 +1,24 @@
+const server = require("./server");
+
+/**
+ * Moderation plugin for the Strapi Marketplace.
+ *
+ * Architecture: Option B — separate moderation content type.
+ *
+ * Incoming plugin submissions are stored as plugin::moderation.plugin-submission
+ * records. They go through two independent review tracks (business + security)
+ * before a moderator can promote them to a real api::package.package entry.
+ * This keeps unapproved content completely isolated from the live catalogue.
+ */
+module.exports = {
+  register() {
+    strapi.log.info("[moderation] plugin registered");
+  },
+
+  bootstrap() {},
+
+  contentTypes: server.contentTypes,
+  controllers: server.controllers,
+  services: server.services,
+  routes: server.routes,
+};
diff --git a/apps/cms/types/generated/contentTypes.d.ts b/apps/cms/types/generated/contentTypes.d.ts
index be2e635..1f9d63d 100644
--- a/apps/cms/types/generated/contentTypes.d.ts
+++ b/apps/cms/types/generated/contentTypes.d.ts
@@ -1975,6 +1975,87 @@ export interface PluginI18NLocale extends Struct.CollectionTypeSchema {
   };
 }
 
+export interface PluginModerationPluginSubmission
+  extends Struct.CollectionTypeSchema {
+  collectionName: 'plugin_submissions';
+  info: {
+    description: 'Incoming plugin submissions awaiting moderation before publication';
+    displayName: 'Plugin Submission';
+    pluralName: 'plugin-submissions';
+    singularName: 'plugin-submission';
+  };
+  options: {
+    draftAndPublish: false;
+  };
+  pluginOptions: {
+    'content-manager': {
+      visible: false;
+    };
+    'content-type-builder': {
+      visible: false;
+    };
+  };
+  attributes: {
+    automated_check_results: Schema.Attribute.JSON;
+    business_review_notes: Schema.Attribute.Text;
+    business_review_status: Schema.Attribute.Enumeration<
+      ['pending', 'approved', 'rejected']
+    > &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<'pending'>;
+    categories_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
+    createdAt: Schema.Attribute.DateTime;
+    createdBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
+      Schema.Attribute.Private;
+    description: Schema.Attribute.Text & Schema.Attribute.Required;
+    git_repository: Schema.Attribute.String & Schema.Attribute.Required;
+    locale: Schema.Attribute.String & Schema.Attribute.Private;
+    localizations: Schema.Attribute.Relation<
+      'oneToMany',
+      'plugin::moderation.plugin-submission'
+    > &
+      Schema.Attribute.Private;
+    logo_url: Schema.Attribute.String;
+    maintainers_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
+    npm_package_name: Schema.Attribute.String;
+    overall_status: Schema.Attribute.Enumeration<
+      ['submitted', 'under_review', 'changes_requested', 'rejected', 'approved']
+    > &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<'submitted'>;
+    owner_email: Schema.Attribute.String & Schema.Attribute.Required;
+    owner_name: Schema.Attribute.String & Schema.Attribute.Required;
+    package_type: Schema.Attribute.Enumeration<
+      ['plugin', 'provider', 'sdk', 'tool']
+    > &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<'plugin'>;
+    plugin_name: Schema.Attribute.String & Schema.Attribute.Required;
+    promoted_package: Schema.Attribute.Relation<
+      'oneToOne',
+      'api::package.package'
+    >;
+    publishedAt: Schema.Attribute.DateTime;
+    readme: Schema.Attribute.RichText;
+    rejection_reason: Schema.Attribute.Text;
+    reviewer_feedback: Schema.Attribute.Text;
+    security_review_notes: Schema.Attribute.Text;
+    security_review_status: Schema.Attribute.Enumeration<
+      ['pending', 'approved', 'rejected']
+    > &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<'pending'>;
+    submission_notes: Schema.Attribute.Text;
+    submitter_agreed_to_terms: Schema.Attribute.Boolean &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<false>;
+    submitter_ip: Schema.Attribute.String;
+    updatedAt: Schema.Attribute.DateTime;
+    updatedBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
+      Schema.Attribute.Private;
+  };
+}
+
 export interface PluginReviewWorkflowsWorkflow
   extends Struct.CollectionTypeSchema {
   collectionName: 'strapi_workflows';
@@ -2317,6 +2398,7 @@ declare module '@strapi/strapi' {
       'plugin::content-releases.release': PluginContentReleasesRelease;
       'plugin::content-releases.release-action': PluginContentReleasesReleaseAction;
       'plugin::i18n.locale': PluginI18NLocale;
+      'plugin::moderation.plugin-submission': PluginModerationPluginSubmission;
       'plugin::review-workflows.workflow': PluginReviewWorkflowsWorkflow;
       'plugin::review-workflows.workflow-stage': PluginReviewWorkflowsWorkflowStage;
       'plugin::upload.file': PluginUploadFile;
diff --git a/apps/web/.env.example b/apps/web/.env.example
index c1246ff..799f606 100644
--- a/apps/web/.env.example
+++ b/apps/web/.env.example
@@ -17,4 +17,12 @@ NEXT_PUBLIC_MEILISEARCH_INTEGRATIONS_INDEX_NAME=integrations
 NEXT_PUBLIC_MEILISEARCH_RECIPES_INDEX_NAME=recipes
 NEXT_PUBLIC_MEILISEARCH_PACKAGES_INDEX_NAME=packages
 NEXT_PUBLIC_MEILISEARCH_TEMPLATES_INDEX_NAME=templates
-NEXT_PUBLIC_MEILISEARCH_SHOWCASES_INDEX_NAME=showcases
\ No newline at end of file
+NEXT_PUBLIC_MEILISEARCH_SHOWCASES_INDEX_NAME=showcases
+
+# reCAPTCHA Enterprise — https://console.cloud.google.com/security/recaptcha
+# Site key: the key shown in your reCAPTCHA Enterprise key list (also the recaptchaKey in the sample snippet)
+# Project ID: your Google Cloud project ID (e.g. project-e4c1e76c-...)
+# API key: the Google Cloud API key used to authenticate server-side assessment calls
+NEXT_PUBLIC_RECAPTCHA_SITE_KEY=
+RECAPTCHA_PROJECT_ID=
+RECAPTCHA_API_KEY=
diff --git a/apps/web/src/app/api/categories/route.ts b/apps/web/src/app/api/categories/route.ts
new file mode 100644
index 0000000..5104a63
--- /dev/null
+++ b/apps/web/src/app/api/categories/route.ts
@@ -0,0 +1,34 @@
+import { NextResponse } from "next/server";
+
+const CMS_URL = process.env.NEXT_PUBLIC_CMS_URL ?? "http://localhost:1337";
+const CMS_BEARER_TOKEN = process.env.CMS_BEARER_TOKEN;
+
+/**
+ * GET /api/categories
+ * Server-side proxy that fetches published categories from Strapi.
+ * Avoids CORS issues and keeps the CMS token out of the browser.
+ */
+export async function GET() {
+  try {
+    const res = await fetch(
+      `${CMS_URL}/api/categories?pagination[pageSize]=100&sort=name:asc&fields[0]=name&status=published`,
+      {
+        headers: {
+          ...(CMS_BEARER_TOKEN
+            ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
+            : {}),
+        },
+        next: { revalidate: 300 },
+      },
+    );
+
+    if (!res.ok) {
+      return NextResponse.json({ data: [] }, { status: 200 });
+    }
+
+    const json = await res.json();
+    return NextResponse.json(json);
+  } catch {
+    return NextResponse.json({ data: [] }, { status: 200 });
+  }
+}
diff --git a/apps/web/src/app/api/submit-plugin/route.ts b/apps/web/src/app/api/submit-plugin/route.ts
new file mode 100644
index 0000000..18dd48e
--- /dev/null
+++ b/apps/web/src/app/api/submit-plugin/route.ts
@@ -0,0 +1,287 @@
+import { type NextRequest, NextResponse } from "next/server";
+
+// reCAPTCHA Enterprise — set these in .env
+// NEXT_PUBLIC_RECAPTCHA_SITE_KEY : your Enterprise site key (used on the frontend too)
+// RECAPTCHA_PROJECT_ID           : your Google Cloud project ID
+// RECAPTCHA_API_KEY              : a Google Cloud API key with reCAPTCHA Enterprise API enabled
+const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY;
+const RECAPTCHA_PROJECT_ID = process.env.RECAPTCHA_PROJECT_ID;
+const RECAPTCHA_API_KEY = process.env.RECAPTCHA_API_KEY;
+const RECAPTCHA_MIN_SCORE = 0.5;
+
+const CMS_URL = process.env.NEXT_PUBLIC_CMS_URL ?? "http://localhost:1337";
+const CMS_BEARER_TOKEN = process.env.CMS_BEARER_TOKEN;
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+interface EnterpriseAssessment {
+  tokenProperties?: { valid: boolean; action?: string; invalidReason?: string };
+  riskAnalysis?: { score: number; reasons?: string[] };
+}
+
+/**
+ * Verify a reCAPTCHA Enterprise token via the REST Assessments API.
+ * Returns { success, score } — success is true when the token is valid and
+ * the score meets the minimum threshold.
+ * When credentials are not configured (local dev) the check is skipped.
+ */
+async function verifyRecaptcha(
+  token: string,
+  expectedAction: string,
+): Promise<{ success: boolean; score: number }> {
+  if (!RECAPTCHA_SITE_KEY || !RECAPTCHA_PROJECT_ID || !RECAPTCHA_API_KEY) {
+    console.warn(
+      "[submit-plugin] reCAPTCHA Enterprise not configured — skipping verification.",
+    );
+    return { success: true, score: 1 };
+  }
+
+  const url =
+    `https://recaptchaenterprise.googleapis.com/v1/projects/${RECAPTCHA_PROJECT_ID}` +
+    `/assessments?key=${RECAPTCHA_API_KEY}`;
+
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      event: { token, siteKey: RECAPTCHA_SITE_KEY, expectedAction },
+    }),
+  });
+
+  if (!res.ok) {
+    throw new Error(`reCAPTCHA Enterprise API returned ${res.status}`);
+  }
+
+  const data = (await res.json()) as EnterpriseAssessment;
+
+  if (!data.tokenProperties?.valid) {
+    console.warn(
+      "[submit-plugin] reCAPTCHA token invalid:",
+      data.tokenProperties?.invalidReason,
+    );
+    return { success: false, score: 0 };
+  }
+
+  if (data.tokenProperties.action !== expectedAction) {
+    console.warn(
+      `[submit-plugin] reCAPTCHA action mismatch: expected "${expectedAction}", got "${data.tokenProperties.action}"`,
+    );
+    return { success: false, score: 0 };
+  }
+
+  const score = data.riskAnalysis?.score ?? 0;
+  return { success: score >= RECAPTCHA_MIN_SCORE, score };
+}
+
+function str(value: FormDataEntryValue | null): string | null {
+  if (!value || typeof value !== "string") return null;
+  const t = value.trim();
+  return t.length > 0 ? t : null;
+}
+
+/**
+ * Upload a logo file to Strapi's media library.
+ * Returns the public URL of the uploaded file, or null on failure.
+ */
+async function uploadLogoToStrapi(file: File): Promise<string | null> {
+  const form = new FormData();
+  form.append("files", file, file.name);
+
+  try {
+    const res = await fetch(`${CMS_URL}/api/upload`, {
+      method: "POST",
+      headers: {
+        ...(CMS_BEARER_TOKEN
+          ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
+          : {}),
+      },
+      body: form,
+    });
+
+    if (!res.ok) {
+      console.error(`[submit-plugin] Logo upload failed: ${res.status}`);
+      return null;
+    }
+
+    const data = (await res.json()) as Array<{ url: string }>;
+    const url = data[0]?.url;
+    if (!url) return null;
+
+    // Strapi returns a relative URL for local uploads — make it absolute.
+    return url.startsWith("http") ? url : `${CMS_URL}${url}`;
+  } catch (err) {
+    console.error("[submit-plugin] Logo upload error:", err);
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// POST /api/submit-plugin
+// ---------------------------------------------------------------------------
+
+export async function POST(req: NextRequest) {
+  let formData: FormData;
+  try {
+    formData = await req.formData();
+  } catch {
+    return NextResponse.json({ error: "Invalid form data." }, { status: 400 });
+  }
+
+  // --- reCAPTCHA Enterprise (skipped when env vars not configured) ---
+  if (RECAPTCHA_SITE_KEY && RECAPTCHA_PROJECT_ID && RECAPTCHA_API_KEY) {
+    const token = str(formData.get("recaptcha_token"));
+    if (!token) {
+      return NextResponse.json(
+        { error: "Missing reCAPTCHA token." },
+        { status: 400 },
+      );
+    }
+    try {
+      const { success } = await verifyRecaptcha(token, "submit_plugin");
+      if (!success) {
+        return NextResponse.json(
+          { error: "reCAPTCHA verification failed. Please try again." },
+          { status: 400 },
+        );
+      }
+    } catch (err) {
+      console.error("[submit-plugin] reCAPTCHA error:", err);
+      return NextResponse.json(
+        { error: "reCAPTCHA service unavailable. Please try again later." },
+        { status: 503 },
+      );
+    }
+  }
+
+  // --- Extract + validate fields ---
+  const plugin_name = str(formData.get("plugin_name"));
+  const description = str(formData.get("description"));
+  const git_repository = str(formData.get("git_repository"));
+  const owner_name = str(formData.get("owner_name"));
+  const owner_email = str(formData.get("owner_email"));
+  const agreed = formData.get("submitter_agreed_to_terms") === "true";
+
+  const errors: string[] = [];
+  if (!plugin_name) errors.push("Plugin name is required.");
+  if (!description) errors.push("Description is required.");
+  if (!git_repository) errors.push("Git repository URL is required.");
+  else if (!/^https?:\/\//i.test(git_repository))
+    errors.push("Git repository must be a valid https:// URL.");
+  if (!owner_name) errors.push("Owner name is required.");
+  if (!owner_email) errors.push("Contact email is required.");
+  else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(owner_email))
+    errors.push("Contact email is not valid.");
+  if (!agreed) errors.push("You must agree to the terms.");
+
+  if (errors.length > 0) {
+    return NextResponse.json({ errors }, { status: 422 });
+  }
+
+  // --- Logo upload ---
+  let logo_url: string | null = null;
+  const logoFile = formData.get("logo_file");
+  if (logoFile instanceof File && logoFile.size > 0) {
+    if (
+      ![
+        "image/png",
+        "image/jpeg",
+        "image/svg+xml",
+        "image/webp",
+        "image/gif",
+      ].includes(logoFile.type)
+    ) {
+      return NextResponse.json(
+        { error: "Logo must be a PNG, JPEG, SVG, or WebP image." },
+        { status: 422 },
+      );
+    }
+    if (logoFile.size > 2 * 1024 * 1024) {
+      return NextResponse.json(
+        { error: "Logo file must be smaller than 2 MB." },
+        { status: 422 },
+      );
+    }
+    logo_url = await uploadLogoToStrapi(logoFile);
+    // Non-fatal: submission proceeds even if upload fails; reviewer can add logo later.
+    if (!logo_url) {
+      console.warn(
+        "[submit-plugin] Logo upload failed — submission will proceed without logo.",
+      );
+    }
+  }
+
+  // --- Parse categories ---
+  let categories_list: string[] = [];
+  try {
+    const raw = formData.get("categories_list");
+    if (typeof raw === "string" && raw) {
+      categories_list = JSON.parse(raw);
+    }
+  } catch {
+    categories_list = [];
+  }
+
+  // --- Build submission payload ---
+  const payload = {
+    plugin_name,
+    npm_package_name: str(formData.get("npm_package_name")),
+    description,
+    git_repository,
+    logo_url,
+    package_type: "plugin",
+    categories_list,
+    owner_name,
+    owner_email,
+    maintainers_list: [],
+    readme: str(formData.get("readme")),
+    submission_notes: str(formData.get("submission_notes")),
+    submitter_agreed_to_terms: true,
+  };
+
+  // --- Proxy to Strapi ---
+  if (!CMS_BEARER_TOKEN) {
+    console.warn(
+      "[submit-plugin] CMS_BEARER_TOKEN not set — Strapi may reject the request.",
+    );
+  }
+
+  let strapiRes: Response;
+  try {
+    strapiRes = await fetch(`${CMS_URL}/api/moderation/plugin-submissions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...(CMS_BEARER_TOKEN
+          ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
+          : {}),
+      },
+      body: JSON.stringify({ data: payload }),
+    });
+  } catch (err) {
+    console.error("[submit-plugin] Could not reach Strapi:", err);
+    return NextResponse.json(
+      {
+        error:
+          "Could not submit your plugin at this time. Please try again later.",
+      },
+      { status: 503 },
+    );
+  }
+
+  if (!strapiRes.ok) {
+    const body = await strapiRes.text();
+    console.error(`[submit-plugin] Strapi ${strapiRes.status}: ${body}`);
+    return NextResponse.json(
+      { error: "Submission failed. Please try again." },
+      { status: 500 },
+    );
+  }
+
+  const result = (await strapiRes.json()) as { data: { documentId: string } };
+  return NextResponse.json(
+    { success: true, submissionId: result.data?.documentId },
+    { status: 201 },
+  );
+}
diff --git a/apps/web/src/app/submit/plugin/page.tsx b/apps/web/src/app/submit/plugin/page.tsx
new file mode 100644
index 0000000..9b89f8b
--- /dev/null
+++ b/apps/web/src/app/submit/plugin/page.tsx
@@ -0,0 +1,843 @@
+"use client";
+
+// TODO: Set NEXT_PUBLIC_RECAPTCHA_SITE_KEY in .env (v3 site key from https://www.google.com/recaptcha/admin)
+
+import Image from "next/image";
+import Link from "next/link";
+import Script from "next/script";
+import { useEffect, useRef, useState } from "react";
+import { Container } from "@/components/layout/container";
+import { Navigation } from "@/components/layout/navigation";
+import { Button } from "@/components/ui/button";
+import { Checkbox } from "@/components/ui/checkbox";
+import { Input } from "@/components/ui/input";
+import { cn } from "@/lib/utils";
+
+declare global {
+  interface Window {
+    // reCAPTCHA Enterprise exposes grecaptcha.enterprise, not grecaptcha directly
+    grecaptcha: {
+      enterprise: {
+        ready: (cb: () => void) => void;
+        execute: (
+          siteKey: string,
+          options: { action: string },
+        ) => Promise<string>;
+      };
+    };
+  }
+}
+
+const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "";
+
+// ---------------------------------------------------------------------------
+// Small UI helpers
+// ---------------------------------------------------------------------------
+
+function Label({
+  htmlFor,
+  children,
+  required,
+}: {
+  htmlFor: string;
+  children: React.ReactNode;
+  required?: boolean;
+}) {
+  return (
+    <label
+      htmlFor={htmlFor}
+      className="mb-1.5 block text-sm font-medium text-(--color-neutral800)"
+    >
+      {children}
+      {required && (
+        <span className="ml-0.5 text-(--color-primary600)" aria-hidden>
+          *
+        </span>
+      )}
+    </label>
+  );
+}
+
+function FieldError({ message }: { message?: string }) {
+  if (!message) return null;
+  return (
+    <p role="alert" className="mt-1 text-xs text-red-600">
+      {message}
+    </p>
+  );
+}
+
+function Hint({ children }: { children: React.ReactNode }) {
+  return <p className="mt-1 text-xs text-(--color-neutral600)">{children}</p>;
+}
+
+function Textarea({
+  id,
+  value,
+  onChange,
+  placeholder,
+  rows = 5,
+  hasError,
+}: {
+  id?: string;
+  value: string;
+  onChange: (v: string) => void;
+  placeholder?: string;
+  rows?: number;
+  hasError?: boolean;
+}) {
+  return (
+    <textarea
+      id={id}
+      value={value}
+      onChange={(e) => onChange(e.target.value)}
+      placeholder={placeholder}
+      rows={rows}
+      className={cn(
+        "flex w-full resize-y rounded-md border bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none placeholder:text-(--color-neutral600) focus-visible:border-(--color-primary200)",
+        hasError ? "border-red-400" : "border-(--color-neutral150)",
+      )}
+    />
+  );
+}
+
+function SectionDivider({ label }: { label: string }) {
+  return (
+    <div className="relative my-6">
+      <div className="absolute inset-0 flex items-center">
+        <div className="w-full border-t border-(--color-neutral150)" />
+      </div>
+      <div className="relative flex justify-start">
+        <span className="bg-white pr-3 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600)">
+          {label}
+        </span>
+      </div>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Logo upload field
+// ---------------------------------------------------------------------------
+
+function LogoUpload({
+  file,
+  onChange,
+  hasError,
+}: {
+  file: File | null;
+  onChange: (f: File | null) => void;
+  hasError?: boolean;
+}) {
+  const inputRef = useRef<HTMLInputElement>(null);
+  const [dragOver, setDragOver] = useState(false);
+  const preview = file ? URL.createObjectURL(file) : null;
+
+  const handleFiles = (files: FileList | null) => {
+    const f = files?.[0] ?? null;
+    onChange(f);
+  };
+
+  return (
+    <div>
+      <input
+        ref={inputRef}
+        id="logo_file"
+        type="file"
+        accept="image/png,image/jpeg,image/svg+xml,image/webp"
+        className="sr-only"
+        onChange={(e) => handleFiles(e.target.files)}
+      />
+
+      {/* Drop zone */}
+      <button
+        type="button"
+        onClick={() => inputRef.current?.click()}
+        onDragOver={(e) => {
+          e.preventDefault();
+          setDragOver(true);
+        }}
+        onDragLeave={() => setDragOver(false)}
+        onDrop={(e) => {
+          e.preventDefault();
+          setDragOver(false);
+          handleFiles(e.dataTransfer.files);
+        }}
+        className={cn(
+          "flex w-full flex-col items-center justify-center gap-2 rounded-md border-2 border-dashed px-4 py-8 text-sm transition-colors",
+          dragOver
+            ? "border-(--color-primary600) bg-(--color-primary100)"
+            : hasError
+              ? "border-red-400 bg-red-50"
+              : "border-(--color-neutral150) bg-(--color-neutral100) hover:border-(--color-primary200) hover:bg-(--color-primary100)",
+        )}
+      >
+        {preview ? (
+          <div className="flex flex-col items-center gap-3">
+            <Image
+              src={preview}
+              alt="Logo preview"
+              width={64}
+              height={64}
+              className="h-16 w-16 rounded-lg object-contain"
+              unoptimized
+            />
+            <span className="text-xs text-(--color-neutral600)">
+              {file?.name}{" "}
+              <span className="text-(--color-primary600) underline">
+                Change
+              </span>
+            </span>
+          </div>
+        ) : (
+          <>
+            {/* Upload icon */}
+            <svg
+              viewBox="0 0 24 24"
+              fill="none"
+              stroke="currentColor"
+              strokeWidth="1.5"
+              className="h-8 w-8 text-(--color-neutral400)"
+            >
+              <title>Upload a File</title>
+              <path
+                d="M12 16V8m0 0-3 3m3-3 3 3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+              <path
+                d="M20.39 18.39A5 5 0 0 0 18 9h-1.26A8 8 0 1 0 3 16.3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+            </svg>
+            <span className="font-medium text-(--color-neutral700)">
+              Upload a File
+            </span>
+            <span className="text-xs text-(--color-neutral500)">
+              Drag and drop or click to browse — PNG, JPEG, SVG, WebP · max 2 MB
+            </span>
+          </>
+        )}
+      </button>
+
+      {/* Clear button */}
+      {file && (
+        <button
+          type="button"
+          onClick={() => {
+            onChange(null);
+            if (inputRef.current) inputRef.current.value = "";
+          }}
+          className="mt-1 text-xs text-(--color-neutral600) hover:text-red-600"
+        >
+          Remove logo
+        </button>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Category pills
+// ---------------------------------------------------------------------------
+
+function CategoryPill({
+  label,
+  onRemove,
+}: {
+  label: string;
+  onRemove: () => void;
+}) {
+  return (
+    <span className="inline-flex items-center gap-1 rounded-full bg-(--color-primary100) px-3 py-1 text-xs font-medium text-(--color-primary700)">
+      {label}
+      <button
+        type="button"
+        onClick={onRemove}
+        className="ml-1 rounded-full p-0.5 hover:bg-(--color-primary200)"
+        aria-label={`Remove ${label}`}
+      >
+        ×
+      </button>
+    </span>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Form state
+// ---------------------------------------------------------------------------
+
+interface FormFields {
+  plugin_name: string;
+  npm_package_name: string;
+  git_repository: string;
+  description: string;
+  logo_file: File | null;
+  categories_list: string[];
+  readme: string;
+  submission_notes: string;
+  owner_name: string;
+  owner_email: string;
+  agreed: boolean;
+}
+
+const INITIAL: FormFields = {
+  plugin_name: "",
+  npm_package_name: "",
+  git_repository: "",
+  description: "",
+  logo_file: null,
+  categories_list: [],
+  readme: "",
+  submission_notes: "",
+  owner_name: "",
+  owner_email: "",
+  agreed: false,
+};
+
+type FieldErrors = Partial<Record<keyof FormFields | "_form", string>>;
+
+function validate(f: FormFields): FieldErrors {
+  const e: FieldErrors = {};
+  if (!f.plugin_name.trim()) e.plugin_name = "Plugin name is required.";
+  if (!f.description.trim()) e.description = "Description is required.";
+  if (!f.git_repository.trim()) {
+    e.git_repository = "Git repository URL is required.";
+  } else if (!/^https?:\/\//i.test(f.git_repository.trim())) {
+    e.git_repository = "Must be a valid https:// URL.";
+  }
+  if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
+  if (!f.owner_email.trim()) {
+    e.owner_email = "Contact email is required.";
+  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(f.owner_email.trim())) {
+    e.owner_email = "Must be a valid email address.";
+  }
+  if (!f.agreed) e.agreed = "You must agree to the terms to continue.";
+  return e;
+}
+
+// ---------------------------------------------------------------------------
+// Success screen
+// ---------------------------------------------------------------------------
+
+function SuccessScreen() {
+  return (
+    <>
+      <Navigation theme="light" />
+      <main>
+        <Container>
+          <div className="flex min-h-[60vh] flex-col items-center justify-center py-24 text-center">
+            <div className="mb-6 flex h-16 w-16 items-center justify-center rounded-full bg-(--color-primary100)">
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-8 w-8 text-(--color-primary600)"
+              >
+                <title>Submission received</title>
+                <polyline points="20 6 9 17 4 12" />
+              </svg>
+            </div>
+            <h1 className="mb-3 text-2xl font-bold text-(--color-primary800)">
+              Submission received!
+            </h1>
+            <p className="mb-8 max-w-md text-sm leading-relaxed text-(--color-neutral600)">
+              Thank you for submitting your plugin. Our team will review it and
+              reach out at the email address you provided.
+            </p>
+            <Button href="/" variant="secondary">
+              Back to Marketplace
+            </Button>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Page
+// ---------------------------------------------------------------------------
+
+export default function SubmitPluginPage() {
+  const [fields, setFields] = useState<FormFields>(INITIAL);
+  const [errors, setErrors] = useState<FieldErrors>({});
+  const [submitting, setSubmitting] = useState(false);
+  const [success, setSuccess] = useState(false);
+  const [categories, setCategories] = useState<string[]>([]);
+
+  // Fetch categories from server-side proxy (avoids CORS + keeps token out of browser)
+  useEffect(() => {
+    fetch("/api/categories")
+      .then((r) => (r.ok ? r.json() : null))
+      .then((json) => {
+        const names: string[] = (json?.data ?? [])
+          .map((c: { name?: string }) => c.name)
+          .filter(Boolean) as string[];
+        setCategories(names);
+      })
+      .catch(() => {});
+  }, []);
+
+  const set = <K extends keyof FormFields>(key: K, value: FormFields[K]) => {
+    setFields((f) => ({ ...f, [key]: value }));
+    setErrors((e) => ({ ...e, [key]: undefined }));
+  };
+
+  const addCategory = (cat: string) => {
+    if (cat && !fields.categories_list.includes(cat)) {
+      set("categories_list", [...fields.categories_list, cat]);
+    }
+  };
+
+  const removeCategory = (cat: string) => {
+    set(
+      "categories_list",
+      fields.categories_list.filter((c) => c !== cat),
+    );
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+
+    const errs = validate(fields);
+    if (Object.keys(errs).length > 0) {
+      setErrors(errs);
+      const firstKey = Object.keys(errs)[0];
+      document.getElementById(firstKey as string)?.focus();
+      return;
+    }
+
+    setSubmitting(true);
+    setErrors({});
+
+    try {
+      let recaptchaToken = "";
+      if (
+        RECAPTCHA_SITE_KEY &&
+        typeof window !== "undefined" &&
+        window.grecaptcha?.enterprise
+      ) {
+        await new Promise<void>((resolve) =>
+          window.grecaptcha.enterprise.ready(resolve),
+        );
+        recaptchaToken = await window.grecaptcha.enterprise.execute(
+          RECAPTCHA_SITE_KEY,
+          {
+            action: "submit_plugin",
+          },
+        );
+      }
+
+      const form = new FormData();
+      form.append("plugin_name", fields.plugin_name.trim());
+      form.append("npm_package_name", fields.npm_package_name.trim());
+      form.append("git_repository", fields.git_repository.trim());
+      form.append("description", fields.description.trim());
+      form.append("readme", fields.readme.trim());
+      form.append("submission_notes", fields.submission_notes.trim());
+      form.append("owner_name", fields.owner_name.trim());
+      form.append("owner_email", fields.owner_email.trim());
+      form.append("categories_list", JSON.stringify(fields.categories_list));
+      form.append("submitter_agreed_to_terms", "true");
+      form.append("recaptcha_token", recaptchaToken);
+      if (fields.logo_file) {
+        form.append("logo_file", fields.logo_file, fields.logo_file.name);
+      }
+
+      const res = await fetch("/api/submit-plugin", {
+        method: "POST",
+        body: form,
+      });
+      const data = (await res.json()) as {
+        success?: boolean;
+        error?: string;
+        errors?: string[];
+      };
+
+      if (!res.ok) {
+        setErrors({
+          _form:
+            (Array.isArray(data.errors) ? data.errors.join(" ") : data.error) ||
+            "Something went wrong. Please try again.",
+        });
+        return;
+      }
+
+      setSuccess(true);
+    } catch {
+      setErrors({
+        _form:
+          "Could not submit your plugin. Please check your connection and try again.",
+      });
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  if (success) return <SuccessScreen />;
+
+  const availableCategories = categories.filter(
+    (c) => !fields.categories_list.includes(c),
+  );
+
+  return (
+    <>
+      {RECAPTCHA_SITE_KEY && (
+        <Script
+          src={`https://www.google.com/recaptcha/enterprise.js?render=${RECAPTCHA_SITE_KEY}`}
+          strategy="lazyOnload"
+        />
+      )}
+
+      <Navigation theme="light" />
+
+      <main className="pb-24">
+        <Container>
+          {/* Back link */}
+          <div className="py-6">
+            <Link
+              href="/"
+              className="inline-flex items-center gap-2 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600) transition-colors hover:text-(--color-primary600)"
+            >
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-4 w-4"
+              >
+                <title>Back to submissions</title>
+                <polyline points="15 18 9 12 15 6" />
+              </svg>
+              Submit other content
+            </Link>
+          </div>
+
+          <div className="grid grid-cols-1 gap-12 lg:grid-cols-5">
+            {/* ── Left: intro ── */}
+            <div className="lg:col-span-2 lg:pt-2">
+              <p className="mb-2 text-sm text-(--color-neutral600)">
+                Submit your content
+              </p>
+              <h1 className="mb-4 text-4xl font-bold leading-tight text-(--color-primary800)">
+                Submit a Plugin
+              </h1>
+              <p className="text-sm leading-7 text-(--color-neutral700)">
+                Share your Strapi plugin with the community. All submissions go
+                through a business and security review before being listed in
+                the marketplace. We&rsquo;ll reach out if we need more
+                information.{" "}
+                <Link
+                  href="/community"
+                  className="underline underline-offset-2 hover:text-(--color-primary600)"
+                >
+                  Community Guidelines
+                </Link>
+              </p>
+
+              <div className="mt-8 space-y-3">
+                {[
+                  {
+                    title: "Business review",
+                    body: "We check your repo is public, MIT-licensed, has a README, and lists Strapi as a peer dependency.",
+                  },
+                  {
+                    title: "Security review",
+                    body: "We scan dependencies for known vulnerabilities and flag security concerns before listing.",
+                  },
+                ].map(({ title, body }) => (
+                  <div
+                    key={title}
+                    className="flex gap-3 rounded-lg border border-(--color-neutral150) bg-(--color-neutral100) px-4 py-3"
+                  >
+                    <div className="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-(--color-primary600) text-white">
+                      <svg
+                        viewBox="0 0 24 24"
+                        fill="none"
+                        stroke="currentColor"
+                        strokeWidth="2.5"
+                        className="h-3 w-3"
+                      >
+                        <title>Business review</title>
+                        <polyline points="20 6 9 17 4 12" />
+                      </svg>
+                    </div>
+                    <div>
+                      <p className="text-sm font-semibold text-(--color-neutral800)">
+                        {title}
+                      </p>
+                      <p className="mt-0.5 text-xs leading-relaxed text-(--color-neutral600)">
+                        {body}
+                      </p>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+
+            {/* ── Right: form ── */}
+            <div className="lg:col-span-3">
+              <form
+                onSubmit={handleSubmit}
+                noValidate
+                className="rounded-xl border border-(--color-neutral150) bg-white p-8 shadow-sm"
+              >
+                {errors._form && (
+                  <div
+                    role="alert"
+                    className="mb-6 rounded-md border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700"
+                  >
+                    {errors._form}
+                  </div>
+                )}
+
+                {/* Plugin Name */}
+                <div className="mb-5">
+                  <Label htmlFor="plugin_name" required>
+                    Plugin Name
+                  </Label>
+                  <Input
+                    id="plugin_name"
+                    value={fields.plugin_name}
+                    onChange={(e) => set("plugin_name", e.target.value)}
+                    placeholder="e.g. Strapi Plugin SEO"
+                    className={errors.plugin_name ? "border-red-400" : ""}
+                    autoComplete="off"
+                  />
+                  <FieldError message={errors.plugin_name} />
+                </div>
+
+                {/* NPM Package Name */}
+                <div className="mb-5">
+                  <Label htmlFor="npm_package_name">NPM Package Name</Label>
+                  <Input
+                    id="npm_package_name"
+                    value={fields.npm_package_name}
+                    onChange={(e) => set("npm_package_name", e.target.value)}
+                    placeholder="@scope/strapi-plugin-name"
+                    autoComplete="off"
+                  />
+                  <Hint>
+                    Package name as it appears on npm, if already published.
+                  </Hint>
+                </div>
+
+                {/* Git Repository */}
+                <div className="mb-5">
+                  <Label htmlFor="git_repository" required>
+                    Git Repository
+                  </Label>
+                  <Input
+                    id="git_repository"
+                    type="url"
+                    value={fields.git_repository}
+                    onChange={(e) => set("git_repository", e.target.value)}
+                    placeholder="https://github.com/org/repo or https://gitlab.com/org/repo"
+                    className={errors.git_repository ? "border-red-400" : ""}
+                  />
+                  <FieldError message={errors.git_repository} />
+                  <Hint>
+                    GitHub and GitLab repositories are both supported.
+                  </Hint>
+                </div>
+
+                {/* Description */}
+                <div className="mb-5">
+                  <Label htmlFor="description" required>
+                    Plugin Description
+                  </Label>
+                  <Textarea
+                    id="description"
+                    value={fields.description}
+                    onChange={(v) => set("description", v)}
+                    placeholder="Tell us about your plugin — what it does and why it's useful."
+                    rows={4}
+                    hasError={!!errors.description}
+                  />
+                  <FieldError message={errors.description} />
+                </div>
+
+                {/* Logo upload */}
+                <div className="mb-5">
+                  <Label htmlFor="logo_file">Plugin Logo / Icon</Label>
+                  <LogoUpload
+                    file={fields.logo_file}
+                    onChange={(f) => set("logo_file", f)}
+                    hasError={!!errors.logo_file}
+                  />
+                  <FieldError message={errors.logo_file as string} />
+                </div>
+
+                {/* Categories */}
+                <div className="mb-5">
+                  <Label htmlFor="category_select">Categories</Label>
+                  {fields.categories_list.length > 0 && (
+                    <div className="mb-2 flex flex-wrap gap-2">
+                      {fields.categories_list.map((c) => (
+                        <CategoryPill
+                          key={c}
+                          label={c}
+                          onRemove={() => removeCategory(c)}
+                        />
+                      ))}
+                    </div>
+                  )}
+                  <select
+                    id="category_select"
+                    className="flex h-10 w-full rounded-md border border-(--color-neutral150) bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none focus:border-(--color-primary200)"
+                    value=""
+                    onChange={(e) => {
+                      addCategory(e.target.value);
+                      e.target.value = "";
+                    }}
+                  >
+                    <option value="">
+                      {categories.length === 0
+                        ? "Loading categories…"
+                        : availableCategories.length === 0
+                          ? "All categories selected"
+                          : "Select a category to add…"}
+                    </option>
+                    {availableCategories.map((c) => (
+                      <option key={c} value={c}>
+                        {c}
+                      </option>
+                    ))}
+                  </select>
+                </div>
+
+                {/* README */}
+                <div className="mb-5">
+                  <Label htmlFor="readme">README / Documentation</Label>
+                  <Textarea
+                    id="readme"
+                    value={fields.readme}
+                    onChange={(v) => set("readme", v)}
+                    placeholder="Paste your plugin's README or any additional documentation here."
+                    rows={6}
+                  />
+                </div>
+
+                <SectionDivider label="Owner" />
+
+                {/* Owner */}
+                <div className="mb-5 grid grid-cols-1 gap-4 sm:grid-cols-2">
+                  <div>
+                    <Label htmlFor="owner_name" required>
+                      Owner / Author Name
+                    </Label>
+                    <Input
+                      id="owner_name"
+                      value={fields.owner_name}
+                      onChange={(e) => set("owner_name", e.target.value)}
+                      placeholder="Your name or organisation"
+                      className={errors.owner_name ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_name} />
+                  </div>
+                  <div>
+                    <Label htmlFor="owner_email" required>
+                      Contact Email
+                    </Label>
+                    <Input
+                      id="owner_email"
+                      type="email"
+                      value={fields.owner_email}
+                      onChange={(e) => set("owner_email", e.target.value)}
+                      placeholder="you@example.com"
+                      className={errors.owner_email ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_email} />
+                  </div>
+                </div>
+
+                {/* Notes */}
+                <div className="mb-5">
+                  <Label htmlFor="submission_notes">Notes for Reviewers</Label>
+                  <Textarea
+                    id="submission_notes"
+                    value={fields.submission_notes}
+                    onChange={(v) => set("submission_notes", v)}
+                    placeholder="Anything you'd like the review team to know."
+                    rows={3}
+                  />
+                </div>
+
+                <SectionDivider label="Terms" />
+
+                {/* Terms */}
+                <div className="mb-6">
+                  <label
+                    className="flex cursor-pointer items-start gap-3"
+                    htmlFor="agreed"
+                  >
+                    <Checkbox
+                      id="agreed"
+                      checked={fields.agreed}
+                      onCheckedChange={(checked) =>
+                        set("agreed", checked === true)
+                      }
+                      className={errors.agreed ? "border-red-400" : ""}
+                    />
+                    <span className="text-sm leading-relaxed text-(--color-neutral700)">
+                      I confirm this plugin is open-source, MIT-licensed, and
+                      compliant with the{" "}
+                      <Link
+                        href="/community"
+                        className="underline underline-offset-2 hover:text-(--color-primary600)"
+                      >
+                        Community Guidelines
+                      </Link>
+                      .
+                    </span>
+                  </label>
+                  <FieldError message={errors.agreed} />
+                </div>
+
+                <p className="mb-6 text-xs leading-relaxed text-(--color-neutral600)">
+                  By submitting you agree to our review process. We will contact
+                  you if we need additional information. Submissions are
+                  reviewed manually and may take a few business days.
+                </p>
+
+                <Button
+                  type="submit"
+                  variant="primary"
+                  size="large"
+                  className="w-full"
+                  disabled={submitting}
+                >
+                  {submitting ? "Submitting…" : "Submit Plugin"}
+                </Button>
+
+                <p className="mt-4 text-center text-xs text-(--color-neutral600)">
+                  Protected by reCAPTCHA —{" "}
+                  <a
+                    href="https://policies.google.com/privacy"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Privacy
+                  </a>{" "}
+                  &amp;{" "}
+                  <a
+                    href="https://policies.google.com/terms"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Terms
+                  </a>
+                </p>
+              </form>
+            </div>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}

From a236ffc661573b23d02f3ff2c1041f1d2380daf2 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Fri, 17 Apr 2026 18:51:27 +0100
Subject: [PATCH 02/26] feat: add template workflow

---
 apps/cms/config/plugins.ts                    |   7 +
 .../components/TemplateReviewPanel/index.tsx  | 255 ++++++
 .../plugins/moderation/admin/src/index.tsx    |   9 +-
 .../src/pages/SubmissionDetail/index.tsx      |   8 +-
 .../admin/src/pages/SubmissionList/index.tsx  | 248 +++++-
 .../pages/TemplateSubmissionDetail/index.tsx  | 465 ++++++++++
 .../moderation/server/content-types/index.js  |   1 +
 .../plugin-submission/schema.json             |   2 +-
 .../template-submission/index.js              |   3 +
 .../template-submission/schema.json           |  75 ++
 .../moderation/server/controllers/index.js    |   1 +
 .../server/controllers/plugin-submission.js   |   2 +-
 .../server/controllers/template-submission.js | 118 +++
 .../plugins/moderation/server/routes/index.js |  20 +-
 .../server/routes/template-submission.js      |  47 +
 .../server/services/automated-checks.js       |  12 +-
 .../moderation/server/services/index.js       |   1 +
 .../server/services/plugin-submission.js      |  12 +-
 .../server/services/security-checks.js        |  14 +-
 .../server/services/template-submission.js    | 132 +++
 apps/cms/types/generated/contentTypes.d.ts    |  61 +-
 apps/web/src/app/api/submit-plugin/route.ts   |  10 +-
 apps/web/src/app/api/submit-template/route.ts | 272 ++++++
 apps/web/src/app/submit/plugin/page.tsx       |  32 +-
 apps/web/src/app/submit/template/page.tsx     | 821 ++++++++++++++++++
 25 files changed, 2530 insertions(+), 98 deletions(-)
 create mode 100644 apps/cms/src/plugins/moderation/admin/src/components/TemplateReviewPanel/index.tsx
 create mode 100644 apps/cms/src/plugins/moderation/admin/src/pages/TemplateSubmissionDetail/index.tsx
 create mode 100644 apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
 create mode 100644 apps/cms/src/plugins/moderation/server/controllers/template-submission.js
 create mode 100644 apps/cms/src/plugins/moderation/server/routes/template-submission.js
 create mode 100644 apps/cms/src/plugins/moderation/server/services/template-submission.js
 create mode 100644 apps/web/src/app/api/submit-template/route.ts
 create mode 100644 apps/web/src/app/submit/template/page.tsx

diff --git a/apps/cms/config/plugins.ts b/apps/cms/config/plugins.ts
index 197adcf..d6c05aa 100644
--- a/apps/cms/config/plugins.ts
+++ b/apps/cms/config/plugins.ts
@@ -19,6 +19,13 @@ export default ({ env }) => ({
             },
           },
   },
+  upload: {
+    config: {
+      security: {
+        strictSsrf: true,
+      },
+    },
+  },
   "owner-selector": {
     enabled: true,
     resolve: "./src/plugins/owner-selector",
diff --git a/apps/cms/src/plugins/moderation/admin/src/components/TemplateReviewPanel/index.tsx b/apps/cms/src/plugins/moderation/admin/src/components/TemplateReviewPanel/index.tsx
new file mode 100644
index 0000000..0ab1052
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/src/components/TemplateReviewPanel/index.tsx
@@ -0,0 +1,255 @@
+import {
+  Box,
+  Button,
+  Field,
+  Flex,
+  Textarea,
+  Typography,
+} from "@strapi/design-system";
+import { useFetchClient, useNotification } from "@strapi/strapi/admin";
+import { useState } from "react";
+import { useMutation } from "react-query";
+
+interface Props {
+  documentId: string;
+  initialStatus: "submitted" | "approved" | "rejected";
+  initialFeedback?: string;
+  initialNotes?: string;
+  initialRejectionReason?: string;
+  onSaved: () => void;
+}
+
+export const TemplateReviewPanel = ({
+  documentId,
+  initialStatus,
+  initialFeedback,
+  initialNotes,
+  initialRejectionReason,
+  onSaved,
+}: Props) => {
+  const { put, post } = useFetchClient();
+  const { toggleNotification } = useNotification();
+
+  const [feedback, setFeedback] = useState(initialFeedback || "");
+  const [notes, setNotes] = useState(initialNotes || "");
+  const [rejectionReason, setRejectionReason] = useState(
+    initialRejectionReason || "",
+  );
+
+  const isApproved = initialStatus === "approved";
+  const isRejected = initialStatus === "rejected";
+  const isLocked = isApproved || isRejected;
+
+  const { mutate: saveDraft, isLoading: saving } = useMutation(
+    async () => {
+      await put(`/moderation/template-submissions/${documentId}/review`, {
+        data: {
+          reviewer_feedback: feedback,
+          reviewer_notes: notes,
+          rejection_reason: rejectionReason,
+        },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({ type: "success", message: "Review saved." });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message:
+            err instanceof Error ? err.message : "Failed to save review.",
+        });
+      },
+    },
+  );
+
+  const { mutate: approve, isLoading: approving } = useMutation(
+    async () => {
+      await post(`/moderation/template-submissions/${documentId}/decide`, {
+        data: {
+          status: "approved",
+          feedback,
+          notes,
+        },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({ type: "success", message: "Template approved." });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message: err instanceof Error ? err.message : "Failed to approve.",
+        });
+      },
+    },
+  );
+
+  const { mutate: reject, isLoading: rejecting } = useMutation(
+    async () => {
+      await post(`/moderation/template-submissions/${documentId}/decide`, {
+        data: {
+          status: "rejected",
+          feedback,
+          notes,
+          reason: rejectionReason,
+        },
+      });
+    },
+    {
+      onSuccess() {
+        toggleNotification({ type: "success", message: "Template rejected." });
+        onSaved();
+      },
+      onError(err: unknown) {
+        toggleNotification({
+          type: "danger",
+          message: err instanceof Error ? err.message : "Failed to reject.",
+        });
+      },
+    },
+  );
+
+  return (
+    <Box
+      background="neutral0"
+      hasRadius
+      borderColor="neutral200"
+      borderWidth="1px"
+      borderStyle="solid"
+      overflow="hidden"
+    >
+      {/* Panel header */}
+      <Box
+        paddingLeft={6}
+        paddingRight={6}
+        paddingTop={5}
+        paddingBottom={5}
+        borderColor="neutral150"
+        borderWidth="0 0 1px 0"
+        borderStyle="solid"
+      >
+        <Flex justifyContent="space-between" alignItems="center">
+          <Typography variant="beta">Review Decision</Typography>
+          {!isLocked && (
+            <Button
+              variant="tertiary"
+              size="S"
+              onClick={() => saveDraft()}
+              loading={saving}
+              style={{ whiteSpace: "nowrap" }}
+            >
+              Save Draft
+            </Button>
+          )}
+        </Flex>
+      </Box>
+
+      {/* Review fields */}
+      <Box
+        paddingLeft={6}
+        paddingRight={6}
+        paddingTop={5}
+        paddingBottom={5}
+        borderColor="neutral150"
+        borderWidth="0 0 1px 0"
+        borderStyle="solid"
+      >
+        <Flex direction="column" alignItems="stretch" gap={4}>
+          <Field.Root name="feedback" style={{ width: "100%" }}>
+            <Field.Label>Feedback to Submitter</Field.Label>
+            <Field.Hint>
+              Sent to the submitter when a decision is made
+            </Field.Hint>
+            <Textarea
+              value={feedback}
+              onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                setFeedback(e.target.value)
+              }
+              placeholder="Describe your decision or any required changes…"
+              disabled={isLocked}
+            />
+          </Field.Root>
+
+          <Field.Root name="notes" style={{ width: "100%" }}>
+            <Field.Label>Internal Notes</Field.Label>
+            <Field.Hint>Internal only — not shown to the submitter</Field.Hint>
+            <Textarea
+              value={notes}
+              onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                setNotes(e.target.value)
+              }
+              placeholder="Notes for the review team…"
+              disabled={isLocked}
+            />
+          </Field.Root>
+
+          {(isRejected || (!isApproved && rejectionReason !== undefined)) && (
+            <Field.Root name="rejectionReason" style={{ width: "100%" }}>
+              <Field.Label>Rejection Reason</Field.Label>
+              <Field.Hint>
+                Internal only — not shown to the submitter
+              </Field.Hint>
+              <Textarea
+                value={rejectionReason}
+                onChange={(e: React.ChangeEvent<HTMLTextAreaElement>) =>
+                  setRejectionReason(e.target.value)
+                }
+                placeholder="Internal reason for rejection…"
+                disabled={isLocked}
+              />
+            </Field.Root>
+          )}
+        </Flex>
+      </Box>
+
+      {/* Actions */}
+      <Box paddingLeft={6} paddingRight={6} paddingTop={5} paddingBottom={5}>
+        {isApproved ? (
+          <Box background="success100" padding={3} hasRadius>
+            <Typography
+              variant="pi"
+              fontWeight="semiBold"
+              textColor="success700"
+            >
+              This template has been approved.
+            </Typography>
+          </Box>
+        ) : isRejected ? (
+          <Box background="danger100" padding={3} hasRadius>
+            <Typography
+              variant="pi"
+              fontWeight="semiBold"
+              textColor="danger700"
+            >
+              This template has been rejected.
+            </Typography>
+          </Box>
+        ) : (
+          <Flex gap={2} justifyContent="flex-end">
+            <Button
+              variant="danger"
+              onClick={() => reject()}
+              loading={rejecting}
+              style={{ whiteSpace: "nowrap" }}
+            >
+              Reject
+            </Button>
+            <Button
+              variant="success"
+              onClick={() => approve()}
+              loading={approving}
+              style={{ whiteSpace: "nowrap" }}
+            >
+              Approve
+            </Button>
+          </Flex>
+        )}
+      </Box>
+    </Box>
+  );
+};
diff --git a/apps/cms/src/plugins/moderation/admin/src/index.tsx b/apps/cms/src/plugins/moderation/admin/src/index.tsx
index 0ae897e..5d904da 100644
--- a/apps/cms/src/plugins/moderation/admin/src/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/index.tsx
@@ -2,6 +2,7 @@ import type { StrapiApp } from "@strapi/strapi/admin";
 import { Route, Routes } from "react-router-dom";
 import { SubmissionDetail } from "./pages/SubmissionDetail";
 import { SubmissionList } from "./pages/SubmissionList";
+import { TemplateSubmissionDetail } from "./pages/TemplateSubmissionDetail";
 
 // Simple shield icon for the menu
 const ShieldIcon = () => (
@@ -10,8 +11,8 @@ const ShieldIcon = () => (
     fill="none"
     stroke="currentColor"
     strokeWidth="2"
-    width="1em"
-    height="1em"
+    width="1.4em"
+    height="1.4em"
     aria-label="Moderation plugin"
   >
     <title>Moderation plugin</title>
@@ -37,6 +38,10 @@ export default {
                 path="submissions/:documentId"
                 element={<SubmissionDetail />}
               />
+              <Route
+                path="template-submissions/:documentId"
+                element={<TemplateSubmissionDetail />}
+              />
             </Routes>
           ),
         }),
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
index b3e143e..cb48bda 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
@@ -30,7 +30,7 @@ interface PluginSubmissionDetail {
   plugin_name: string;
   npm_package_name: string | null;
   description: string;
-  git_repository: string;
+  repository_url: string;
   logo_url: string | null;
   package_type: string;
   categories_list: string[];
@@ -423,10 +423,10 @@ export const SubmissionDetail = () => {
                     />
                     <Divider />
                     <InfoRow
-                      label="Git Repository"
+                      label="Repository URL"
                       value={
                         <a
-                          href={submission.git_repository}
+                          href={submission.repository_url}
                           target="_blank"
                           rel="noreferrer"
                           style={{ color: "inherit", textDecoration: "none" }}
@@ -440,7 +440,7 @@ export const SubmissionDetail = () => {
                                 textAlign: "left",
                               }}
                             >
-                              {submission.git_repository}
+                              {submission.repository_url}
                             </Typography>
                             <Box style={{ flexShrink: 0, marginTop: 2 }}>
                               <ExternalLink
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
index 75070d5..6e3ac96 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
@@ -27,7 +27,7 @@ export interface PluginSubmission {
   documentId: string;
   plugin_name: string;
   npm_package_name: string | null;
-  git_repository: string;
+  repository_url: string;
   owner_name: string;
   owner_email: string;
   overall_status: SubmissionStatus;
@@ -36,8 +36,18 @@ export interface PluginSubmission {
   createdAt: string;
 }
 
+export interface TemplateSubmission {
+  documentId: string;
+  template_name: string;
+  repository_url: string;
+  owner_name: string;
+  owner_email: string;
+  overall_status: "submitted" | "approved" | "rejected";
+  createdAt: string;
+}
+
 const statusColour: Record<
-  SubmissionStatus,
+  string,
   "primary" | "success" | "warning" | "danger" | "secondary"
 > = {
   submitted: "secondary",
@@ -53,7 +63,7 @@ const reviewColour = {
   rejected: "danger" as const,
 };
 
-const STATUS_FILTERS: Array<{ label: string; value: string }> = [
+const PLUGIN_STATUS_FILTERS: Array<{ label: string; value: string }> = [
   { label: "All", value: "" },
   { label: "Submitted", value: "submitted" },
   { label: "Under Review", value: "under_review" },
@@ -62,21 +72,49 @@ const STATUS_FILTERS: Array<{ label: string; value: string }> = [
   { label: "Rejected", value: "rejected" },
 ];
 
+const TEMPLATE_STATUS_FILTERS: Array<{ label: string; value: string }> = [
+  { label: "All", value: "" },
+  { label: "Submitted", value: "submitted" },
+  { label: "Approved", value: "approved" },
+  { label: "Rejected", value: "rejected" },
+];
+
+type SubmissionType = "plugins" | "templates";
+
 export const SubmissionList = () => {
   const { get } = useFetchClient();
   const { toggleNotification } = useNotification();
   const navigate = useNavigate();
 
-  const [submissions, setSubmissions] = useState<PluginSubmission[]>([]);
+  const [submissionType, setSubmissionType] =
+    useState<SubmissionType>("plugins");
+  const [plugins, setPlugins] = useState<PluginSubmission[]>([]);
+  const [templates, setTemplates] = useState<TemplateSubmission[]>([]);
   const [loading, setLoading] = useState(true);
   const [statusFilter, setStatusFilter] = useState("");
 
-  const load = async (status: string) => {
+  const loadPlugins = async (status: string) => {
     setLoading(true);
     try {
       const qs = status ? `?status=${status}` : "";
       const res = await get(`/moderation/submissions${qs}`);
-      setSubmissions(res.data.data ?? []);
+      setPlugins(res.data.data ?? []);
+    } catch {
+      toggleNotification({
+        type: "danger",
+        message: "Failed to load submissions.",
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  const loadTemplates = async (status: string) => {
+    setLoading(true);
+    try {
+      const qs = status ? `?status=${status}` : "";
+      const res = await get(`/moderation/template-submissions${qs}`);
+      setTemplates(res.data.data ?? []);
     } catch {
       toggleNotification({
         type: "danger",
@@ -88,21 +126,60 @@ export const SubmissionList = () => {
   };
 
   useEffect(() => {
-    load(statusFilter);
+    setStatusFilter("");
+    if (submissionType === "plugins") {
+      loadPlugins("");
+    } else {
+      loadTemplates("");
+    }
+  }, [submissionType]);
+
+  useEffect(() => {
+    if (submissionType === "plugins") {
+      loadPlugins(statusFilter);
+    } else {
+      loadTemplates(statusFilter);
+    }
   }, [statusFilter]);
 
+  const statusFilters =
+    submissionType === "plugins"
+      ? PLUGIN_STATUS_FILTERS
+      : TEMPLATE_STATUS_FILTERS;
+
+  const totalCount =
+    submissionType === "plugins" ? plugins.length : templates.length;
+
   return (
     <Box padding={8}>
       <Flex justifyContent="space-between" alignItems="center" marginBottom={6}>
-        <Typography variant="alpha">Plugin Submissions</Typography>
+        <Typography variant="alpha">Marketplace Submissions</Typography>
         <Typography variant="omega" textColor="neutral600">
-          {submissions.length} submission{submissions.length !== 1 ? "s" : ""}
+          {totalCount} submission{totalCount !== 1 ? "s" : ""}
         </Typography>
       </Flex>
 
+      {/* Type tabs */}
+      <Flex gap={1} marginBottom={4}>
+        <Button
+          variant={submissionType === "plugins" ? "default" : "tertiary"}
+          size="S"
+          onClick={() => setSubmissionType("plugins")}
+        >
+          Plugins
+        </Button>
+        <Button
+          variant={submissionType === "templates" ? "default" : "tertiary"}
+          size="S"
+          onClick={() => setSubmissionType("templates")}
+        >
+          Templates
+        </Button>
+      </Flex>
+
       {/* Status filter tabs */}
       <Flex gap={2} marginBottom={6} flexWrap="wrap">
-        {STATUS_FILTERS.map((f) => (
+        {statusFilters.map((f) => (
           <Button
             key={f.value}
             variant={statusFilter === f.value ? "default" : "tertiary"}
@@ -118,18 +195,122 @@ export const SubmissionList = () => {
         <Flex justifyContent="center" padding={8}>
           <Loader />
         </Flex>
-      ) : submissions.length === 0 ? (
+      ) : submissionType === "plugins" ? (
+        plugins.length === 0 ? (
+          <Box padding={8} background="neutral100" hasRadius>
+            <Typography textColor="neutral600" textAlign="center">
+              No submissions found.
+            </Typography>
+          </Box>
+        ) : (
+          <Table colCount={7} rowCount={plugins.length}>
+            <Thead>
+              <Tr>
+                <Th>
+                  <Typography variant="sigma">Plugin Name</Typography>
+                </Th>
+                <Th>
+                  <Typography variant="sigma">Owner</Typography>
+                </Th>
+                <Th>
+                  <Typography variant="sigma">Status</Typography>
+                </Th>
+                <Th>
+                  <Typography variant="sigma">Business</Typography>
+                </Th>
+                <Th>
+                  <Typography variant="sigma">Security</Typography>
+                </Th>
+                <Th>
+                  <Typography variant="sigma">Submitted</Typography>
+                </Th>
+                <Th>
+                  <Typography variant="sigma">Actions</Typography>
+                </Th>
+              </Tr>
+            </Thead>
+            <Tbody>
+              {plugins.map((s) => (
+                <Tr key={s.documentId}>
+                  <Td>
+                    <Flex direction="column" alignItems="flex-start" gap={1}>
+                      <Typography fontWeight="semiBold">
+                        {s.plugin_name}
+                      </Typography>
+                      {s.npm_package_name && (
+                        <Typography variant="pi" textColor="neutral600">
+                          {s.npm_package_name}
+                        </Typography>
+                      )}
+                    </Flex>
+                  </Td>
+                  <Td>
+                    <Flex direction="column" alignItems="flex-start" gap={1}>
+                      <Typography>{s.owner_name}</Typography>
+                      <Typography variant="pi" textColor="neutral600">
+                        {s.owner_email}
+                      </Typography>
+                    </Flex>
+                  </Td>
+                  <Td>
+                    <Badge
+                      active={false}
+                      backgroundColor={`${statusColour[s.overall_status]}100`}
+                    >
+                      {s.overall_status.replace(/_/g, " ")}
+                    </Badge>
+                  </Td>
+                  <Td>
+                    <Badge
+                      active={false}
+                      backgroundColor={`${reviewColour[s.business_review_status]}100`}
+                    >
+                      {s.business_review_status}
+                    </Badge>
+                  </Td>
+                  <Td>
+                    <Badge
+                      active={false}
+                      backgroundColor={`${reviewColour[s.security_review_status]}100`}
+                    >
+                      {s.security_review_status}
+                    </Badge>
+                  </Td>
+                  <Td>
+                    <Typography variant="pi">
+                      {new Date(s.createdAt).toLocaleDateString()}
+                    </Typography>
+                  </Td>
+                  <Td>
+                    <Button
+                      variant="tertiary"
+                      size="S"
+                      onClick={() =>
+                        navigate(
+                          `/plugins/moderation/submissions/${s.documentId}`,
+                        )
+                      }
+                    >
+                      Review
+                    </Button>
+                  </Td>
+                </Tr>
+              ))}
+            </Tbody>
+          </Table>
+        )
+      ) : templates.length === 0 ? (
         <Box padding={8} background="neutral100" hasRadius>
           <Typography textColor="neutral600" textAlign="center">
             No submissions found.
           </Typography>
         </Box>
       ) : (
-        <Table colCount={7} rowCount={submissions.length}>
+        <Table colCount={5} rowCount={templates.length}>
           <Thead>
             <Tr>
               <Th>
-                <Typography variant="sigma">Plugin Name</Typography>
+                <Typography variant="sigma">Template Name</Typography>
               </Th>
               <Th>
                 <Typography variant="sigma">Owner</Typography>
@@ -137,12 +318,6 @@ export const SubmissionList = () => {
               <Th>
                 <Typography variant="sigma">Status</Typography>
               </Th>
-              <Th>
-                <Typography variant="sigma">Business</Typography>
-              </Th>
-              <Th>
-                <Typography variant="sigma">Security</Typography>
-              </Th>
               <Th>
                 <Typography variant="sigma">Submitted</Typography>
               </Th>
@@ -152,19 +327,12 @@ export const SubmissionList = () => {
             </Tr>
           </Thead>
           <Tbody>
-            {submissions.map((s) => (
+            {templates.map((s) => (
               <Tr key={s.documentId}>
                 <Td>
-                  <Flex direction="column" alignItems="flex-start" gap={1}>
-                    <Typography fontWeight="semiBold">
-                      {s.plugin_name}
-                    </Typography>
-                    {s.npm_package_name && (
-                      <Typography variant="pi" textColor="neutral600">
-                        {s.npm_package_name}
-                      </Typography>
-                    )}
-                  </Flex>
+                  <Typography fontWeight="semiBold">
+                    {s.template_name}
+                  </Typography>
                 </Td>
                 <Td>
                   <Flex direction="column" alignItems="flex-start" gap={1}>
@@ -179,23 +347,7 @@ export const SubmissionList = () => {
                     active={false}
                     backgroundColor={`${statusColour[s.overall_status]}100`}
                   >
-                    {s.overall_status.replace("_", " ")}
-                  </Badge>
-                </Td>
-                <Td>
-                  <Badge
-                    active={false}
-                    backgroundColor={`${reviewColour[s.business_review_status]}100`}
-                  >
-                    {s.business_review_status}
-                  </Badge>
-                </Td>
-                <Td>
-                  <Badge
-                    active={false}
-                    backgroundColor={`${reviewColour[s.security_review_status]}100`}
-                  >
-                    {s.security_review_status}
+                    {s.overall_status}
                   </Badge>
                 </Td>
                 <Td>
@@ -209,7 +361,7 @@ export const SubmissionList = () => {
                     size="S"
                     onClick={() =>
                       navigate(
-                        `/plugins/moderation/submissions/${s.documentId}`,
+                        `/plugins/moderation/template-submissions/${s.documentId}`,
                       )
                     }
                   >
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/TemplateSubmissionDetail/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/TemplateSubmissionDetail/index.tsx
new file mode 100644
index 0000000..925341e
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/TemplateSubmissionDetail/index.tsx
@@ -0,0 +1,465 @@
+import {
+  Box,
+  Button,
+  Divider,
+  Flex,
+  Loader,
+  Typography,
+} from "@strapi/design-system";
+import { ArrowLeft, ExternalLink } from "@strapi/icons";
+import { useFetchClient, useNotification } from "@strapi/strapi/admin";
+import { useEffect, useState } from "react";
+import { useNavigate, useParams } from "react-router-dom";
+import { TemplateReviewPanel } from "../../components/TemplateReviewPanel";
+
+interface TemplateSubmissionDetail {
+  documentId: string;
+  template_name: string;
+  description: string;
+  repository_url: string;
+  demo_url: string | null;
+  logo_url: string | null;
+  categories_list: string[];
+  owner_name: string;
+  owner_email: string;
+  submission_notes: string | null;
+  overall_status: "submitted" | "approved" | "rejected";
+  reviewer_feedback: string | null;
+  reviewer_notes: string | null;
+  rejection_reason: string | null;
+  createdAt: string;
+}
+
+const STATUS_STYLES: Record<
+  string,
+  { bg: string; color: string; label: string }
+> = {
+  submitted: { bg: "neutral150", color: "neutral700", label: "Submitted" },
+  approved: { bg: "success100", color: "success700", label: "Approved" },
+  rejected: { bg: "danger100", color: "danger700", label: "Rejected" },
+};
+
+const StatusBadge = ({ status }: { status: string }) => {
+  const s = STATUS_STYLES[status] ?? STATUS_STYLES.submitted;
+  return (
+    <Box
+      background={s.bg}
+      hasRadius
+      paddingLeft={3}
+      paddingRight={3}
+      style={{ display: "inline-flex", alignItems: "center", height: 24 }}
+    >
+      <Typography variant="pi" fontWeight="semiBold" textColor={s.color}>
+        {s.label}
+      </Typography>
+    </Box>
+  );
+};
+
+const CategoryPill = ({ label }: { label: string }) => (
+  <Box
+    background="primary100"
+    hasRadius
+    paddingLeft={2}
+    paddingRight={2}
+    style={{ display: "inline-flex", alignItems: "center", height: 20 }}
+  >
+    <Typography variant="pi" fontWeight="semiBold" textColor="primary600">
+      {label}
+    </Typography>
+  </Box>
+);
+
+const InfoRow = ({
+  label,
+  value,
+}: {
+  label: string;
+  value: React.ReactNode;
+}) => (
+  <Flex gap={4} alignItems="flex-start" paddingTop={3} paddingBottom={3}>
+    <Box style={{ width: 130, flexShrink: 0 }}>
+      <Typography
+        variant="pi"
+        fontWeight="semiBold"
+        textColor="neutral500"
+        style={{
+          textTransform: "uppercase",
+          letterSpacing: "0.04em",
+          display: "block",
+          textAlign: "left",
+        }}
+      >
+        {label}
+      </Typography>
+    </Box>
+    <Box style={{ flex: 1, minWidth: 0 }}>
+      {typeof value === "string" ? (
+        <Typography
+          textColor="neutral800"
+          style={{
+            wordBreak: "break-word",
+            display: "block",
+            textAlign: "left",
+          }}
+        >
+          {value}
+        </Typography>
+      ) : (
+        value
+      )}
+    </Box>
+  </Flex>
+);
+
+const Card = ({
+  title,
+  children,
+}: {
+  title?: string;
+  children: React.ReactNode;
+}) => (
+  <Box
+    background="neutral0"
+    hasRadius
+    borderColor="neutral200"
+    borderWidth="1px"
+    borderStyle="solid"
+    overflow="hidden"
+  >
+    {title && (
+      <Flex
+        paddingLeft={5}
+        paddingRight={5}
+        paddingTop={4}
+        paddingBottom={4}
+        borderColor="neutral150"
+        borderWidth="0 0 1px 0"
+        borderStyle="solid"
+      >
+        <Typography
+          variant="sigma"
+          textColor="neutral600"
+          style={{ textTransform: "uppercase", letterSpacing: "0.05em" }}
+        >
+          {title}
+        </Typography>
+      </Flex>
+    )}
+    <Box padding={5}>{children}</Box>
+  </Box>
+);
+
+export const TemplateSubmissionDetail = () => {
+  const { documentId } = useParams<{ documentId: string }>();
+  const navigate = useNavigate();
+  const { get } = useFetchClient();
+  const { toggleNotification } = useNotification();
+
+  const [submission, setSubmission] = useState<TemplateSubmissionDetail | null>(
+    null,
+  );
+  const [loading, setLoading] = useState(true);
+
+  const load = async () => {
+    setLoading(true);
+    try {
+      const res = await get(`/moderation/template-submissions/${documentId}`);
+      setSubmission(res.data.data);
+    } catch {
+      toggleNotification({
+        type: "danger",
+        message: "Failed to load submission.",
+      });
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    if (documentId) load();
+  }, [documentId]);
+
+  if (loading) {
+    return (
+      <Flex justifyContent="center" alignItems="center" style={{ height: 300 }}>
+        <Loader />
+      </Flex>
+    );
+  }
+
+  if (!submission) {
+    return (
+      <Box padding={8}>
+        <Typography textColor="neutral600">Submission not found.</Typography>
+      </Box>
+    );
+  }
+
+  return (
+    <Box padding={8}>
+      {/* Header */}
+      <Flex alignItems="center" gap={3} marginBottom={1}>
+        <Button
+          variant="tertiary"
+          startIcon={<ArrowLeft />}
+          size="S"
+          onClick={() => navigate("/plugins/moderation")}
+        >
+          Back
+        </Button>
+        <Box
+          background="neutral200"
+          style={{ width: 1, height: 20, flexShrink: 0 }}
+        />
+        {submission.logo_url && (
+          <Box
+            style={{
+              width: 36,
+              height: 36,
+              borderRadius: 8,
+              overflow: "hidden",
+              border: "1px solid #e3e9ef",
+              flexShrink: 0,
+            }}
+          >
+            <img
+              src={submission.logo_url}
+              alt=""
+              style={{ width: "100%", height: "100%", objectFit: "cover" }}
+            />
+          </Box>
+        )}
+        <Typography variant="alpha" style={{ lineHeight: 1 }}>
+          {submission.template_name}
+        </Typography>
+        <StatusBadge status={submission.overall_status} />
+      </Flex>
+
+      {/* Submitted date */}
+      <Box marginBottom={6} paddingLeft={1}>
+        <Typography variant="pi" textColor="neutral400">
+          Submitted{" "}
+          {new Date(submission.createdAt).toLocaleDateString("en-GB", {
+            day: "numeric",
+            month: "short",
+            year: "numeric",
+          })}
+        </Typography>
+      </Box>
+
+      {/* Two-column layout */}
+      <Flex gap={6} alignItems="flex-start">
+        {/* Left column */}
+        <Box style={{ flex: 1, minWidth: 0 }}>
+          <Flex direction="column" alignItems="flex-start" gap={4}>
+            {/* Template Info */}
+            <Box style={{ width: "100%" }}>
+              <Card title="Template Info">
+                <Box>
+                  <InfoRow
+                    label="Template Name"
+                    value={submission.template_name}
+                  />
+                  <Divider />
+                  <InfoRow
+                    label="Repository URL"
+                    value={
+                      <a
+                        href={submission.repository_url}
+                        target="_blank"
+                        rel="noreferrer"
+                        style={{ color: "inherit", textDecoration: "none" }}
+                      >
+                        <Flex as="span" gap={1} alignItems="flex-start">
+                          <Typography
+                            textColor="primary600"
+                            style={{
+                              wordBreak: "break-all",
+                              display: "inline",
+                              textAlign: "left",
+                            }}
+                          >
+                            {submission.repository_url}
+                          </Typography>
+                          <Box style={{ flexShrink: 0, marginTop: 2 }}>
+                            <ExternalLink
+                              aria-hidden
+                              style={{ width: 12, height: 12 }}
+                            />
+                          </Box>
+                        </Flex>
+                      </a>
+                    }
+                  />
+                  {submission.demo_url && (
+                    <>
+                      <Divider />
+                      <InfoRow
+                        label="Demo URL"
+                        value={
+                          <a
+                            href={submission.demo_url}
+                            target="_blank"
+                            rel="noreferrer"
+                            style={{ color: "inherit", textDecoration: "none" }}
+                          >
+                            <Flex as="span" gap={1} alignItems="flex-start">
+                              <Typography
+                                textColor="primary600"
+                                style={{
+                                  wordBreak: "break-all",
+                                  display: "inline",
+                                  textAlign: "left",
+                                }}
+                              >
+                                {submission.demo_url}
+                              </Typography>
+                              <Box style={{ flexShrink: 0, marginTop: 2 }}>
+                                <ExternalLink
+                                  aria-hidden
+                                  style={{ width: 12, height: 12 }}
+                                />
+                              </Box>
+                            </Flex>
+                          </a>
+                        }
+                      />
+                    </>
+                  )}
+                  {submission.categories_list?.length > 0 && (
+                    <>
+                      <Divider />
+                      <InfoRow
+                        label="Categories"
+                        value={
+                          <Flex gap={1} flexWrap="wrap">
+                            {submission.categories_list.map((c) => (
+                              <CategoryPill key={c} label={c} />
+                            ))}
+                          </Flex>
+                        }
+                      />
+                    </>
+                  )}
+                </Box>
+              </Card>
+            </Box>
+
+            {/* Description + Owner side by side */}
+            <Flex gap={4} alignItems="flex-start" style={{ width: "100%" }}>
+              <Box style={{ flex: 2, minWidth: 0 }}>
+                <Card title="Description">
+                  <Typography
+                    textColor="neutral700"
+                    style={{
+                      lineHeight: 1.65,
+                      whiteSpace: "pre-wrap",
+                      display: "block",
+                      textAlign: "left",
+                    }}
+                  >
+                    {submission.description}
+                  </Typography>
+                </Card>
+              </Box>
+
+              <Box style={{ flex: 1, minWidth: 0 }}>
+                <Card title="Owner">
+                  <Flex gap={3} alignItems="center">
+                    <Box
+                      background="primary100"
+                      style={{
+                        width: 40,
+                        height: 40,
+                        borderRadius: "50%",
+                        display: "flex",
+                        alignItems: "center",
+                        justifyContent: "center",
+                        flexShrink: 0,
+                      }}
+                    >
+                      <Typography
+                        fontWeight="bold"
+                        textColor="primary600"
+                        variant="beta"
+                      >
+                        {submission.owner_name.charAt(0).toUpperCase()}
+                      </Typography>
+                    </Box>
+                    <Box style={{ minWidth: 0 }}>
+                      <Typography
+                        fontWeight="semiBold"
+                        textColor="neutral800"
+                        style={{
+                          display: "block",
+                          textAlign: "left",
+                          whiteSpace: "nowrap",
+                          overflow: "hidden",
+                          textOverflow: "ellipsis",
+                        }}
+                      >
+                        {submission.owner_name}
+                      </Typography>
+                      <Typography
+                        variant="pi"
+                        textColor="neutral500"
+                        style={{
+                          display: "block",
+                          textAlign: "left",
+                          whiteSpace: "nowrap",
+                          overflow: "hidden",
+                          textOverflow: "ellipsis",
+                        }}
+                      >
+                        {submission.owner_email}
+                      </Typography>
+                    </Box>
+                  </Flex>
+                </Card>
+              </Box>
+            </Flex>
+
+            {/* Submitter Notes */}
+            {submission.submission_notes && (
+              <Box style={{ width: "100%" }}>
+                <Card title="Submitter Notes">
+                  <Typography
+                    textColor="neutral700"
+                    style={{
+                      lineHeight: 1.65,
+                      display: "block",
+                      textAlign: "left",
+                    }}
+                  >
+                    {submission.submission_notes}
+                  </Typography>
+                </Card>
+              </Box>
+            )}
+          </Flex>
+        </Box>
+
+        {/* Right column — sticky, offset to align with content */}
+        <Box
+          style={{
+            width: 360,
+            flexShrink: 0,
+            position: "sticky",
+            top: 24,
+            paddingTop: 0,
+          }}
+        >
+          <TemplateReviewPanel
+            documentId={submission.documentId}
+            initialStatus={submission.overall_status}
+            initialFeedback={submission.reviewer_feedback || ""}
+            initialNotes={submission.reviewer_notes || ""}
+            initialRejectionReason={submission.rejection_reason || ""}
+            onSaved={load}
+          />
+        </Box>
+      </Flex>
+    </Box>
+  );
+};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/index.js b/apps/cms/src/plugins/moderation/server/content-types/index.js
index e8a3051..b29a911 100644
--- a/apps/cms/src/plugins/moderation/server/content-types/index.js
+++ b/apps/cms/src/plugins/moderation/server/content-types/index.js
@@ -1,3 +1,4 @@
 module.exports = {
   "plugin-submission": require("./plugin-submission"),
+  "template-submission": require("./template-submission"),
 };
diff --git a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
index 18c6b82..f88a464 100644
--- a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
+++ b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
@@ -26,7 +26,7 @@
       "type": "text",
       "required": true
     },
-    "git_repository": {
+    "repository_url": {
       "type": "string",
       "required": true
     },
diff --git a/apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js b/apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js
new file mode 100644
index 0000000..2fb2f3b
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js
@@ -0,0 +1,3 @@
+module.exports = {
+  schema: require("./schema.json"),
+};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
new file mode 100644
index 0000000..91824fa
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
@@ -0,0 +1,75 @@
+{
+  "kind": "collectionType",
+  "collectionName": "template_submissions",
+  "info": {
+    "singularName": "template-submission",
+    "pluralName": "template-submissions",
+    "displayName": "Template Submission",
+    "description": "Incoming template submissions awaiting approval before publication"
+  },
+  "options": {
+    "draftAndPublish": false
+  },
+  "pluginOptions": {
+    "content-manager": { "visible": false },
+    "content-type-builder": { "visible": false }
+  },
+  "attributes": {
+    "template_name": {
+      "type": "string",
+      "required": true
+    },
+    "description": {
+      "type": "text",
+      "required": true
+    },
+    "repository_url": {
+      "type": "string",
+      "required": true
+    },
+    "demo_url": {
+      "type": "string"
+    },
+    "logo_url": {
+      "type": "string"
+    },
+    "categories_list": {
+      "type": "json",
+      "default": []
+    },
+    "owner_name": {
+      "type": "string",
+      "required": true
+    },
+    "owner_email": {
+      "type": "string",
+      "required": true
+    },
+    "submission_notes": {
+      "type": "text"
+    },
+    "submitter_agreed_to_terms": {
+      "type": "boolean",
+      "default": false,
+      "required": true
+    },
+    "submitter_ip": {
+      "type": "string"
+    },
+    "overall_status": {
+      "type": "enumeration",
+      "enum": ["submitted", "approved", "rejected"],
+      "default": "submitted",
+      "required": true
+    },
+    "reviewer_feedback": {
+      "type": "text"
+    },
+    "reviewer_notes": {
+      "type": "text"
+    },
+    "rejection_reason": {
+      "type": "text"
+    }
+  }
+}
diff --git a/apps/cms/src/plugins/moderation/server/controllers/index.js b/apps/cms/src/plugins/moderation/server/controllers/index.js
index e8a3051..b29a911 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/index.js
+++ b/apps/cms/src/plugins/moderation/server/controllers/index.js
@@ -1,3 +1,4 @@
 module.exports = {
   "plugin-submission": require("./plugin-submission"),
+  "template-submission": require("./template-submission"),
 };
diff --git a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
index 15d7a4b..e8f9b0e 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
@@ -21,7 +21,7 @@ module.exports = ({ strapi }) => ({
     const required = [
       "plugin_name",
       "description",
-      "git_repository",
+      "repository_url",
       "owner_name",
       "owner_email",
     ];
diff --git a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js b/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
new file mode 100644
index 0000000..5ab6743
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
@@ -0,0 +1,118 @@
+/**
+ * Template submission controller.
+ *
+ * Exposes two sets of endpoints:
+ *  - content-api: public-facing submission endpoint (called through Next.js proxy)
+ *  - admin: moderation endpoints for super admins
+ */
+
+const service = (strapi) =>
+  strapi.plugin("moderation").service("template-submission");
+
+module.exports = ({ strapi }) => ({
+  /**
+   * POST /api/moderation/template-submissions
+   * Accepts a new template submission from the public.
+   * Called by the Next.js proxy, never directly from the browser.
+   */
+  async create(ctx) {
+    const body = ctx.request.body?.data || ctx.request.body;
+
+    const required = [
+      "template_name",
+      "description",
+      "repository_url",
+      "owner_name",
+      "owner_email",
+    ];
+    const missing = required.filter((f) => !body[f]?.toString().trim());
+    if (missing.length > 0) {
+      return ctx.badRequest(`Missing required fields: ${missing.join(", ")}`);
+    }
+
+    if (!body.submitter_agreed_to_terms) {
+      return ctx.badRequest("You must agree to the terms before submitting.");
+    }
+
+    const submitterIp =
+      ctx.request.headers["x-forwarded-for"]?.split(",")[0]?.trim() ||
+      ctx.request.ip ||
+      null;
+
+    try {
+      const submission = await service(strapi).createSubmission(
+        body,
+        submitterIp,
+      );
+      ctx.created({ data: { documentId: submission.documentId } });
+    } catch (err) {
+      strapi.log.error(
+        `[moderation] Template submission create error: ${err.message}`,
+      );
+      ctx.internalServerError("Failed to create submission.");
+    }
+  },
+
+  /**
+   * GET /moderation/template-submissions
+   * List all template submissions (admin only).
+   */
+  async find(ctx) {
+    const { status, page, pageSize } = ctx.query;
+    const submissions = await service(strapi).listSubmissions({
+      status,
+      page: Number(page) || 1,
+      pageSize: Number(pageSize) || 25,
+    });
+    ctx.body = { data: submissions };
+  },
+
+  /**
+   * GET /moderation/template-submissions/:documentId
+   * Fetch a single template submission (admin only).
+   */
+  async findOne(ctx) {
+    const { documentId } = ctx.params;
+    const submission = await service(strapi).getSubmission(documentId);
+    if (!submission) return ctx.notFound("Submission not found.");
+    ctx.body = { data: submission };
+  },
+
+  /**
+   * PUT /moderation/template-submissions/:documentId/review
+   * Save draft review fields (admin only).
+   */
+  async updateReview(ctx) {
+    const { documentId } = ctx.params;
+    const body = ctx.request.body?.data || ctx.request.body;
+
+    try {
+      const updated = await service(strapi).updateReview(documentId, body);
+      ctx.body = { data: updated };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+
+  /**
+   * POST /moderation/template-submissions/:documentId/decide
+   * Approve or reject a template submission (admin only).
+   */
+  async decide(ctx) {
+    const { documentId } = ctx.params;
+    const body = ctx.request.body?.data || ctx.request.body;
+    const { status, feedback, notes, reason } = body;
+
+    try {
+      const updated = await service(strapi).decide(documentId, {
+        status,
+        feedback,
+        notes,
+        reason,
+      });
+      ctx.body = { data: updated };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+});
diff --git a/apps/cms/src/plugins/moderation/server/routes/index.js b/apps/cms/src/plugins/moderation/server/routes/index.js
index 032a163..855dbc3 100644
--- a/apps/cms/src/plugins/moderation/server/routes/index.js
+++ b/apps/cms/src/plugins/moderation/server/routes/index.js
@@ -1 +1,19 @@
-module.exports = require("./plugin-submission");
+const pluginSubmission = require("./plugin-submission");
+const templateSubmission = require("./template-submission");
+
+module.exports = {
+  "content-api": {
+    type: "content-api",
+    routes: [
+      ...pluginSubmission["content-api"].routes,
+      ...templateSubmission["content-api"].routes,
+    ],
+  },
+  admin: {
+    type: "admin",
+    routes: [
+      ...pluginSubmission.admin.routes,
+      ...templateSubmission.admin.routes,
+    ],
+  },
+};
diff --git a/apps/cms/src/plugins/moderation/server/routes/template-submission.js b/apps/cms/src/plugins/moderation/server/routes/template-submission.js
new file mode 100644
index 0000000..f2bc665
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/routes/template-submission.js
@@ -0,0 +1,47 @@
+module.exports = {
+  "content-api": {
+    type: "content-api",
+    routes: [
+      {
+        method: "POST",
+        path: "/template-submissions",
+        handler: "template-submission.create",
+        config: {
+          // Public endpoint — auth is handled at the Next.js proxy layer.
+          // The proxy must include a valid API token via Authorization header.
+          auth: false,
+          policies: [],
+        },
+      },
+    ],
+  },
+  admin: {
+    type: "admin",
+    routes: [
+      {
+        method: "GET",
+        path: "/template-submissions",
+        handler: "template-submission.find",
+        config: { policies: [] },
+      },
+      {
+        method: "GET",
+        path: "/template-submissions/:documentId",
+        handler: "template-submission.findOne",
+        config: { policies: [] },
+      },
+      {
+        method: "PUT",
+        path: "/template-submissions/:documentId/review",
+        handler: "template-submission.updateReview",
+        config: { policies: [] },
+      },
+      {
+        method: "POST",
+        path: "/template-submissions/:documentId/decide",
+        handler: "template-submission.decide",
+        config: { policies: [] },
+      },
+    ],
+  },
+};
diff --git a/apps/cms/src/plugins/moderation/server/services/automated-checks.js b/apps/cms/src/plugins/moderation/server/services/automated-checks.js
index cf302b8..25b8413 100644
--- a/apps/cms/src/plugins/moderation/server/services/automated-checks.js
+++ b/apps/cms/src/plugins/moderation/server/services/automated-checks.js
@@ -345,13 +345,13 @@ async function checkStrapiPeerDep(gitRepository, npmPackageName) {
 // Main entry point
 // ---------------------------------------------------------------------------
 
-async function runAutomatedChecks({ git_repository, npm_package_name }) {
+async function runAutomatedChecks({ repository_url, npm_package_name }) {
   const [repoPublic, readmeExists, mitLicense, strapiPeerDep] =
     await Promise.allSettled([
-      checkRepoPublic(git_repository),
-      checkReadmeExists(git_repository),
-      checkMitLicense(git_repository, npm_package_name),
-      checkStrapiPeerDep(git_repository, npm_package_name),
+      checkRepoPublic(repository_url),
+      checkReadmeExists(repository_url),
+      checkMitLicense(repository_url, npm_package_name),
+      checkStrapiPeerDep(repository_url, npm_package_name),
     ]);
 
   const resolve = (settled) =>
@@ -360,7 +360,7 @@ async function runAutomatedChecks({ git_repository, npm_package_name }) {
       : { passed: null, message: settled.reason?.message || "Check error." };
 
   // Detect provider for the result metadata
-  const info = parseRepoInfo(git_repository);
+  const info = parseRepoInfo(repository_url);
   const provider = info?.provider ?? "unknown";
 
   return {
diff --git a/apps/cms/src/plugins/moderation/server/services/index.js b/apps/cms/src/plugins/moderation/server/services/index.js
index e8a3051..b29a911 100644
--- a/apps/cms/src/plugins/moderation/server/services/index.js
+++ b/apps/cms/src/plugins/moderation/server/services/index.js
@@ -1,3 +1,4 @@
 module.exports = {
   "plugin-submission": require("./plugin-submission"),
+  "template-submission": require("./template-submission"),
 };
diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
index ba73b07..68beab5 100644
--- a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
@@ -27,7 +27,7 @@ module.exports = ({ strapi }) => ({
         plugin_name: data.plugin_name,
         npm_package_name: data.npm_package_name || null,
         description: data.description,
-        git_repository: data.git_repository,
+        repository_url: data.repository_url,
         logo_url: data.logo_url || null,
         package_type: data.package_type || "plugin",
         categories_list: data.categories_list || [],
@@ -48,7 +48,7 @@ module.exports = ({ strapi }) => ({
     // Run checks asynchronously so the submission response is fast.
     // Results are saved back to the record once available.
     this.runChecksAsync(submission.documentId, {
-      git_repository: data.git_repository,
+      repository_url: data.repository_url,
       npm_package_name: data.npm_package_name,
       plugin_name: data.plugin_name,
     }).catch((err) => {
@@ -69,11 +69,11 @@ module.exports = ({ strapi }) => ({
    */
   async runChecksAsync(
     documentId,
-    { git_repository, npm_package_name, plugin_name },
+    { repository_url, npm_package_name, plugin_name },
   ) {
     const [businessChecks, securityChecks] = await Promise.allSettled([
-      runAutomatedChecks({ git_repository, npm_package_name }),
-      runSecurityChecks({ git_repository, npm_package_name, plugin_name }),
+      runAutomatedChecks({ repository_url, npm_package_name }),
+      runSecurityChecks({ repository_url, npm_package_name, plugin_name }),
     ]);
 
     const automated =
@@ -185,7 +185,7 @@ module.exports = ({ strapi }) => ({
       data: {
         name: submission.plugin_name,
         description: submission.description,
-        git_repository: submission.git_repository,
+        repository_url: submission.repository_url,
         package_location: submission.npm_package_name || null,
         type: submission.package_type,
         readme: submission.readme || null,
diff --git a/apps/cms/src/plugins/moderation/server/services/security-checks.js b/apps/cms/src/plugins/moderation/server/services/security-checks.js
index e641c5d..57594e6 100644
--- a/apps/cms/src/plugins/moderation/server/services/security-checks.js
+++ b/apps/cms/src/plugins/moderation/server/services/security-checks.js
@@ -41,7 +41,7 @@ async function checkNpmAdvisories(npmPackageName) {
  * TODO: Fetch package.json, enumerate dependencies, and cross-reference
  *       against the OSV (https://osv.dev) or GitHub Advisory database.
  */
-async function checkDependencyVulnerabilities(gitRepository, npmPackageName) {
+async function checkDependencyVulnerabilities(_gitRepository, _npmPackageName) {
   // TODO: implement dependency scanning
   return {
     passed: null,
@@ -62,9 +62,9 @@ async function checkDependencyVulnerabilities(gitRepository, npmPackageName) {
  * Requires ANTHROPIC_API_KEY env var.
  */
 async function runAiSecurityAnalysis({
-  pluginName,
-  npmPackageName,
-  gitRepository,
+  pluginName: _pluginName,
+  npmPackageName: _npmPackageName,
+  gitRepository: _gitRepository,
 }) {
   // TODO: implement Claude API integration
   return {
@@ -80,17 +80,17 @@ async function runAiSecurityAnalysis({
  * Returns structured results to be merged into automated_check_results.
  */
 async function runSecurityChecks({
-  git_repository,
+  repository_url,
   npm_package_name,
   plugin_name,
 }) {
   const [advisories, dependencies, aiAnalysis] = await Promise.allSettled([
     checkNpmAdvisories(npm_package_name),
-    checkDependencyVulnerabilities(git_repository, npm_package_name),
+    checkDependencyVulnerabilities(repository_url, npm_package_name),
     runAiSecurityAnalysis({
       pluginName: plugin_name,
       npmPackageName: npm_package_name,
-      gitRepository: git_repository,
+      gitRepository: repository_url,
     }),
   ]);
 
diff --git a/apps/cms/src/plugins/moderation/server/services/template-submission.js b/apps/cms/src/plugins/moderation/server/services/template-submission.js
new file mode 100644
index 0000000..3a5cce7
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/template-submission.js
@@ -0,0 +1,132 @@
+/**
+ * Template submission service.
+ *
+ * Templates have a simple single-track review: submitted → approved | rejected.
+ * There are no automated checks and no two-track review process.
+ *
+ * Feedback to the submitter is delivered via n8n workflows (see TODO comments).
+ */
+
+const CONTENT_TYPE = "plugin::moderation.template-submission";
+
+module.exports = ({ strapi }) => ({
+  /**
+   * Create a new template submission.
+   * Called by the public-facing API endpoint proxied through Next.js.
+   */
+  async createSubmission(data, submitterIp) {
+    const submission = await strapi.documents(CONTENT_TYPE).create({
+      data: {
+        template_name: data.template_name,
+        description: data.description,
+        repository_url: data.repository_url,
+        demo_url: data.demo_url || null,
+        logo_url: data.logo_url || null,
+        categories_list: data.categories_list || [],
+        owner_name: data.owner_name,
+        owner_email: data.owner_email,
+        submission_notes: data.submission_notes || null,
+        submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
+        submitter_ip: submitterIp || null,
+        overall_status: "submitted",
+      },
+    });
+
+    // TODO: Trigger n8n "template submission received" workflow here.
+    // Example: await triggerN8nWorkflow('template-submission-received', {
+    //   submissionId: submission.documentId,
+    //   ownerEmail: data.owner_email,
+    //   templateName: data.template_name,
+    // });
+
+    return submission;
+  },
+
+  /**
+   * Update review fields on a template submission (notes, feedback, status).
+   * Used for saving draft review state without finalising the decision.
+   */
+  async updateReview(documentId, reviewData) {
+    const {
+      overall_status,
+      reviewer_feedback,
+      reviewer_notes,
+      rejection_reason,
+    } = reviewData;
+
+    if (
+      overall_status &&
+      !["submitted", "approved", "rejected"].includes(overall_status)
+    ) {
+      throw new Error("Invalid overall_status value.");
+    }
+
+    return strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        ...(overall_status && { overall_status }),
+        ...(reviewer_feedback !== undefined && { reviewer_feedback }),
+        ...(reviewer_notes !== undefined && { reviewer_notes }),
+        ...(rejection_reason !== undefined && { rejection_reason }),
+      },
+    });
+  },
+
+  /**
+   * Approve or reject a template submission.
+   * Triggers the appropriate n8n workflow (TODO).
+   */
+  async decide(documentId, { status, feedback, notes, reason }) {
+    if (!["approved", "rejected"].includes(status)) {
+      throw new Error("Status must be 'approved' or 'rejected'.");
+    }
+
+    const updated = await strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        overall_status: status,
+        reviewer_feedback: feedback || null,
+        reviewer_notes: notes || null,
+        rejection_reason: reason || null,
+      },
+    });
+
+    if (status === "approved") {
+      // TODO: Trigger n8n "template approved" workflow.
+      // Example: await triggerN8nWorkflow('template-submission-approved', {
+      //   submissionId: documentId,
+      //   ownerEmail: updated.owner_email,
+      //   templateName: updated.template_name,
+      // });
+    } else {
+      // TODO: Trigger n8n "template rejected" workflow.
+      // Example: await triggerN8nWorkflow('template-submission-rejected', {
+      //   submissionId: documentId,
+      //   ownerEmail: updated.owner_email,
+      //   reason,
+      //   feedback,
+      // });
+    }
+
+    return updated;
+  },
+
+  /**
+   * List template submissions with optional status filter and pagination.
+   */
+  async listSubmissions({ status, page = 1, pageSize = 25 } = {}) {
+    const filters = status ? { overall_status: { $eq: status } } : {};
+    return strapi.documents(CONTENT_TYPE).findMany({
+      filters,
+      sort: { createdAt: "desc" },
+      pagination: { page, pageSize },
+    });
+  },
+
+  /**
+   * Fetch a single template submission by documentId.
+   */
+  async getSubmission(documentId) {
+    return strapi.documents(CONTENT_TYPE).findOne({ documentId });
+  },
+});
diff --git a/apps/cms/types/generated/contentTypes.d.ts b/apps/cms/types/generated/contentTypes.d.ts
index 1f9d63d..424dfa5 100644
--- a/apps/cms/types/generated/contentTypes.d.ts
+++ b/apps/cms/types/generated/contentTypes.d.ts
@@ -2008,7 +2008,6 @@ export interface PluginModerationPluginSubmission
     createdBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
       Schema.Attribute.Private;
     description: Schema.Attribute.Text & Schema.Attribute.Required;
-    git_repository: Schema.Attribute.String & Schema.Attribute.Required;
     locale: Schema.Attribute.String & Schema.Attribute.Private;
     localizations: Schema.Attribute.Relation<
       'oneToMany',
@@ -2038,6 +2037,7 @@ export interface PluginModerationPluginSubmission
     publishedAt: Schema.Attribute.DateTime;
     readme: Schema.Attribute.RichText;
     rejection_reason: Schema.Attribute.Text;
+    repository_url: Schema.Attribute.String & Schema.Attribute.Required;
     reviewer_feedback: Schema.Attribute.Text;
     security_review_notes: Schema.Attribute.Text;
     security_review_status: Schema.Attribute.Enumeration<
@@ -2056,6 +2056,64 @@ export interface PluginModerationPluginSubmission
   };
 }
 
+export interface PluginModerationTemplateSubmission
+  extends Struct.CollectionTypeSchema {
+  collectionName: 'template_submissions';
+  info: {
+    description: 'Incoming template submissions awaiting approval before publication';
+    displayName: 'Template Submission';
+    pluralName: 'template-submissions';
+    singularName: 'template-submission';
+  };
+  options: {
+    draftAndPublish: false;
+  };
+  pluginOptions: {
+    'content-manager': {
+      visible: false;
+    };
+    'content-type-builder': {
+      visible: false;
+    };
+  };
+  attributes: {
+    categories_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
+    createdAt: Schema.Attribute.DateTime;
+    createdBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
+      Schema.Attribute.Private;
+    demo_url: Schema.Attribute.String;
+    description: Schema.Attribute.Text & Schema.Attribute.Required;
+    locale: Schema.Attribute.String & Schema.Attribute.Private;
+    localizations: Schema.Attribute.Relation<
+      'oneToMany',
+      'plugin::moderation.template-submission'
+    > &
+      Schema.Attribute.Private;
+    logo_url: Schema.Attribute.String;
+    overall_status: Schema.Attribute.Enumeration<
+      ['submitted', 'approved', 'rejected']
+    > &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<'submitted'>;
+    owner_email: Schema.Attribute.String & Schema.Attribute.Required;
+    owner_name: Schema.Attribute.String & Schema.Attribute.Required;
+    publishedAt: Schema.Attribute.DateTime;
+    rejection_reason: Schema.Attribute.Text;
+    repository_url: Schema.Attribute.String & Schema.Attribute.Required;
+    reviewer_feedback: Schema.Attribute.Text;
+    reviewer_notes: Schema.Attribute.Text;
+    submission_notes: Schema.Attribute.Text;
+    submitter_agreed_to_terms: Schema.Attribute.Boolean &
+      Schema.Attribute.Required &
+      Schema.Attribute.DefaultTo<false>;
+    submitter_ip: Schema.Attribute.String;
+    template_name: Schema.Attribute.String & Schema.Attribute.Required;
+    updatedAt: Schema.Attribute.DateTime;
+    updatedBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
+      Schema.Attribute.Private;
+  };
+}
+
 export interface PluginReviewWorkflowsWorkflow
   extends Struct.CollectionTypeSchema {
   collectionName: 'strapi_workflows';
@@ -2399,6 +2457,7 @@ declare module '@strapi/strapi' {
       'plugin::content-releases.release-action': PluginContentReleasesReleaseAction;
       'plugin::i18n.locale': PluginI18NLocale;
       'plugin::moderation.plugin-submission': PluginModerationPluginSubmission;
+      'plugin::moderation.template-submission': PluginModerationTemplateSubmission;
       'plugin::review-workflows.workflow': PluginReviewWorkflowsWorkflow;
       'plugin::review-workflows.workflow-stage': PluginReviewWorkflowsWorkflowStage;
       'plugin::upload.file': PluginUploadFile;
diff --git a/apps/web/src/app/api/submit-plugin/route.ts b/apps/web/src/app/api/submit-plugin/route.ts
index 18dd48e..c04cbdb 100644
--- a/apps/web/src/app/api/submit-plugin/route.ts
+++ b/apps/web/src/app/api/submit-plugin/route.ts
@@ -158,7 +158,7 @@ export async function POST(req: NextRequest) {
   // --- Extract + validate fields ---
   const plugin_name = str(formData.get("plugin_name"));
   const description = str(formData.get("description"));
-  const git_repository = str(formData.get("git_repository"));
+  const repository_url = str(formData.get("repository_url"));
   const owner_name = str(formData.get("owner_name"));
   const owner_email = str(formData.get("owner_email"));
   const agreed = formData.get("submitter_agreed_to_terms") === "true";
@@ -166,9 +166,9 @@ export async function POST(req: NextRequest) {
   const errors: string[] = [];
   if (!plugin_name) errors.push("Plugin name is required.");
   if (!description) errors.push("Description is required.");
-  if (!git_repository) errors.push("Git repository URL is required.");
-  else if (!/^https?:\/\//i.test(git_repository))
-    errors.push("Git repository must be a valid https:// URL.");
+  if (!repository_url) errors.push("Repository URL is required.");
+  else if (!/^https?:\/\//i.test(repository_url))
+    errors.push("Repository URL must be a valid https:// URL.");
   if (!owner_name) errors.push("Owner name is required.");
   if (!owner_email) errors.push("Contact email is required.");
   else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(owner_email))
@@ -228,7 +228,7 @@ export async function POST(req: NextRequest) {
     plugin_name,
     npm_package_name: str(formData.get("npm_package_name")),
     description,
-    git_repository,
+    repository_url,
     logo_url,
     package_type: "plugin",
     categories_list,
diff --git a/apps/web/src/app/api/submit-template/route.ts b/apps/web/src/app/api/submit-template/route.ts
new file mode 100644
index 0000000..48642b1
--- /dev/null
+++ b/apps/web/src/app/api/submit-template/route.ts
@@ -0,0 +1,272 @@
+import { type NextRequest, NextResponse } from "next/server";
+
+const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY;
+const RECAPTCHA_PROJECT_ID = process.env.RECAPTCHA_PROJECT_ID;
+const RECAPTCHA_API_KEY = process.env.RECAPTCHA_API_KEY;
+const RECAPTCHA_MIN_SCORE = 0.5;
+
+const CMS_URL = process.env.NEXT_PUBLIC_CMS_URL ?? "http://localhost:1337";
+const CMS_BEARER_TOKEN = process.env.CMS_BEARER_TOKEN;
+
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+
+interface EnterpriseAssessment {
+  tokenProperties?: { valid: boolean; action?: string; invalidReason?: string };
+  riskAnalysis?: { score: number; reasons?: string[] };
+}
+
+async function verifyRecaptcha(
+  token: string,
+  expectedAction: string,
+): Promise<{ success: boolean; score: number }> {
+  if (!RECAPTCHA_SITE_KEY || !RECAPTCHA_PROJECT_ID || !RECAPTCHA_API_KEY) {
+    console.warn(
+      "[submit-template] reCAPTCHA Enterprise not configured — skipping verification.",
+    );
+    return { success: true, score: 1 };
+  }
+
+  const url =
+    `https://recaptchaenterprise.googleapis.com/v1/projects/${RECAPTCHA_PROJECT_ID}` +
+    `/assessments?key=${RECAPTCHA_API_KEY}`;
+
+  const res = await fetch(url, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      event: { token, siteKey: RECAPTCHA_SITE_KEY, expectedAction },
+    }),
+  });
+
+  if (!res.ok) {
+    throw new Error(`reCAPTCHA Enterprise API returned ${res.status}`);
+  }
+
+  const data = (await res.json()) as EnterpriseAssessment;
+
+  if (!data.tokenProperties?.valid) {
+    console.warn(
+      "[submit-template] reCAPTCHA token invalid:",
+      data.tokenProperties?.invalidReason,
+    );
+    return { success: false, score: 0 };
+  }
+
+  if (data.tokenProperties.action !== expectedAction) {
+    console.warn(
+      `[submit-template] reCAPTCHA action mismatch: expected "${expectedAction}", got "${data.tokenProperties.action}"`,
+    );
+    return { success: false, score: 0 };
+  }
+
+  const score = data.riskAnalysis?.score ?? 0;
+  return { success: score >= RECAPTCHA_MIN_SCORE, score };
+}
+
+function str(value: FormDataEntryValue | null): string | null {
+  if (!value || typeof value !== "string") return null;
+  const t = value.trim();
+  return t.length > 0 ? t : null;
+}
+
+async function uploadLogoToStrapi(file: File): Promise<string | null> {
+  const form = new FormData();
+  form.append("files", file, file.name);
+
+  try {
+    const res = await fetch(`${CMS_URL}/api/upload`, {
+      method: "POST",
+      headers: {
+        ...(CMS_BEARER_TOKEN
+          ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
+          : {}),
+      },
+      body: form,
+    });
+
+    if (!res.ok) {
+      console.error(`[submit-template] Logo upload failed: ${res.status}`);
+      return null;
+    }
+
+    const data = (await res.json()) as Array<{ url: string }>;
+    const url = data[0]?.url;
+    if (!url) return null;
+
+    return url.startsWith("http") ? url : `${CMS_URL}${url}`;
+  } catch (err) {
+    console.error("[submit-template] Logo upload error:", err);
+    return null;
+  }
+}
+
+// ---------------------------------------------------------------------------
+// POST /api/submit-template
+// ---------------------------------------------------------------------------
+
+export async function POST(req: NextRequest) {
+  let formData: FormData;
+  try {
+    formData = await req.formData();
+  } catch {
+    return NextResponse.json({ error: "Invalid form data." }, { status: 400 });
+  }
+
+  // --- reCAPTCHA Enterprise (skipped when env vars not configured) ---
+  if (RECAPTCHA_SITE_KEY && RECAPTCHA_PROJECT_ID && RECAPTCHA_API_KEY) {
+    const token = str(formData.get("recaptcha_token"));
+    if (!token) {
+      return NextResponse.json(
+        { error: "Missing reCAPTCHA token." },
+        { status: 400 },
+      );
+    }
+    try {
+      const { success } = await verifyRecaptcha(token, "submit_template");
+      if (!success) {
+        return NextResponse.json(
+          { error: "reCAPTCHA verification failed. Please try again." },
+          { status: 400 },
+        );
+      }
+    } catch (err) {
+      console.error("[submit-template] reCAPTCHA error:", err);
+      return NextResponse.json(
+        { error: "reCAPTCHA service unavailable. Please try again later." },
+        { status: 503 },
+      );
+    }
+  }
+
+  // --- Extract + validate fields ---
+  const template_name = str(formData.get("template_name"));
+  const description = str(formData.get("description"));
+  const repository_url = str(formData.get("repository_url"));
+  const demo_url = str(formData.get("demo_url"));
+  const owner_name = str(formData.get("owner_name"));
+  const owner_email = str(formData.get("owner_email"));
+  const agreed = formData.get("submitter_agreed_to_terms") === "true";
+
+  const errors: string[] = [];
+  if (!template_name) errors.push("Template name is required.");
+  if (!description) errors.push("Description is required.");
+  if (!repository_url) errors.push("Repository URL is required.");
+  else if (!/^https?:\/\//i.test(repository_url))
+    errors.push("Repository URL must be a valid https:// URL.");
+  if (demo_url && !/^https?:\/\//i.test(demo_url))
+    errors.push("Demo URL must be a valid https:// URL.");
+  if (!owner_name) errors.push("Owner name is required.");
+  if (!owner_email) errors.push("Contact email is required.");
+  else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(owner_email))
+    errors.push("Contact email is not valid.");
+  if (!agreed) errors.push("You must agree to the terms.");
+
+  if (errors.length > 0) {
+    return NextResponse.json({ errors }, { status: 422 });
+  }
+
+  // --- Logo upload ---
+  let logo_url: string | null = null;
+  const logoFile = formData.get("logo_file");
+  if (logoFile instanceof File && logoFile.size > 0) {
+    if (
+      ![
+        "image/png",
+        "image/jpeg",
+        "image/svg+xml",
+        "image/webp",
+        "image/gif",
+      ].includes(logoFile.type)
+    ) {
+      return NextResponse.json(
+        { error: "Logo must be a PNG, JPEG, SVG, or WebP image." },
+        { status: 422 },
+      );
+    }
+    if (logoFile.size > 2 * 1024 * 1024) {
+      return NextResponse.json(
+        { error: "Logo file must be smaller than 2 MB." },
+        { status: 422 },
+      );
+    }
+    logo_url = await uploadLogoToStrapi(logoFile);
+    if (!logo_url) {
+      console.warn(
+        "[submit-template] Logo upload failed — submission will proceed without logo.",
+      );
+    }
+  }
+
+  // --- Parse categories ---
+  let categories_list: string[] = [];
+  try {
+    const raw = formData.get("categories_list");
+    if (typeof raw === "string" && raw) {
+      categories_list = JSON.parse(raw);
+    }
+  } catch {
+    categories_list = [];
+  }
+
+  // --- Build submission payload ---
+  const payload = {
+    template_name,
+    description,
+    repository_url,
+    demo_url,
+    logo_url,
+    categories_list,
+    owner_name,
+    owner_email,
+    submission_notes: str(formData.get("submission_notes")),
+    submitter_agreed_to_terms: true,
+  };
+
+  // --- Proxy to Strapi ---
+  if (!CMS_BEARER_TOKEN) {
+    console.warn(
+      "[submit-template] CMS_BEARER_TOKEN not set — Strapi may reject the request.",
+    );
+  }
+
+  let strapiRes: Response;
+  try {
+    strapiRes = await fetch(`${CMS_URL}/api/moderation/template-submissions`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...(CMS_BEARER_TOKEN
+          ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
+          : {}),
+      },
+      body: JSON.stringify({ data: payload }),
+    });
+  } catch (err) {
+    console.error("[submit-template] Could not reach Strapi:", err);
+    return NextResponse.json(
+      {
+        error:
+          "Could not submit your template at this time. Please try again later.",
+      },
+      { status: 503 },
+    );
+  }
+
+  if (!strapiRes.ok) {
+    console.error(
+      `[submit-template] Strapi returned status ${strapiRes.status}`,
+    );
+    return NextResponse.json(
+      { error: "Submission failed. Please try again." },
+      { status: 500 },
+    );
+  }
+
+  const result = (await strapiRes.json()) as { data: { documentId: string } };
+  return NextResponse.json(
+    { success: true, submissionId: result.data?.documentId },
+    { status: 201 },
+  );
+}
diff --git a/apps/web/src/app/submit/plugin/page.tsx b/apps/web/src/app/submit/plugin/page.tsx
index 9b89f8b..a19236e 100644
--- a/apps/web/src/app/submit/plugin/page.tsx
+++ b/apps/web/src/app/submit/plugin/page.tsx
@@ -271,7 +271,7 @@ function CategoryPill({
 interface FormFields {
   plugin_name: string;
   npm_package_name: string;
-  git_repository: string;
+  repository_url: string;
   description: string;
   logo_file: File | null;
   categories_list: string[];
@@ -285,7 +285,7 @@ interface FormFields {
 const INITIAL: FormFields = {
   plugin_name: "",
   npm_package_name: "",
-  git_repository: "",
+  repository_url: "",
   description: "",
   logo_file: null,
   categories_list: [],
@@ -302,10 +302,10 @@ function validate(f: FormFields): FieldErrors {
   const e: FieldErrors = {};
   if (!f.plugin_name.trim()) e.plugin_name = "Plugin name is required.";
   if (!f.description.trim()) e.description = "Description is required.";
-  if (!f.git_repository.trim()) {
-    e.git_repository = "Git repository URL is required.";
-  } else if (!/^https?:\/\//i.test(f.git_repository.trim())) {
-    e.git_repository = "Must be a valid https:// URL.";
+  if (!f.repository_url.trim()) {
+    e.repository_url = "Repository URL is required.";
+  } else if (!/^https?:\/\//i.test(f.repository_url.trim())) {
+    e.repository_url = "Must be a valid https:// URL.";
   }
   if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
   if (!f.owner_email.trim()) {
@@ -434,7 +434,7 @@ export default function SubmitPluginPage() {
       const form = new FormData();
       form.append("plugin_name", fields.plugin_name.trim());
       form.append("npm_package_name", fields.npm_package_name.trim());
-      form.append("git_repository", fields.git_repository.trim());
+      form.append("repository_url", fields.repository_url.trim());
       form.append("description", fields.description.trim());
       form.append("readme", fields.readme.trim());
       form.append("submission_notes", fields.submission_notes.trim());
@@ -625,22 +625,22 @@ export default function SubmitPluginPage() {
                   </Hint>
                 </div>
 
-                {/* Git Repository */}
+                {/* Repository URL */}
                 <div className="mb-5">
-                  <Label htmlFor="git_repository" required>
-                    Git Repository
+                  <Label htmlFor="repository_url" required>
+                    Repository URL
                   </Label>
                   <Input
-                    id="git_repository"
+                    id="repository_url"
                     type="url"
-                    value={fields.git_repository}
-                    onChange={(e) => set("git_repository", e.target.value)}
+                    value={fields.repository_url}
+                    onChange={(e) => set("repository_url", e.target.value)}
                     placeholder="https://github.com/org/repo or https://gitlab.com/org/repo"
-                    className={errors.git_repository ? "border-red-400" : ""}
+                    className={errors.repository_url ? "border-red-400" : ""}
                   />
-                  <FieldError message={errors.git_repository} />
+                  <FieldError message={errors.repository_url} />
                   <Hint>
-                    GitHub and GitLab repositories are both supported.
+                    GitHub, GitLab, Bitbucket, or any public repository URL.
                   </Hint>
                 </div>
 
diff --git a/apps/web/src/app/submit/template/page.tsx b/apps/web/src/app/submit/template/page.tsx
new file mode 100644
index 0000000..edc2226
--- /dev/null
+++ b/apps/web/src/app/submit/template/page.tsx
@@ -0,0 +1,821 @@
+"use client";
+
+import Image from "next/image";
+import Link from "next/link";
+import Script from "next/script";
+import { useEffect, useRef, useState } from "react";
+import { Container } from "@/components/layout/container";
+import { Navigation } from "@/components/layout/navigation";
+import { Button } from "@/components/ui/button";
+import { Checkbox } from "@/components/ui/checkbox";
+import { Input } from "@/components/ui/input";
+import { cn } from "@/lib/utils";
+
+declare global {
+  interface Window {
+    grecaptcha: {
+      enterprise: {
+        ready: (cb: () => void) => void;
+        execute: (
+          siteKey: string,
+          options: { action: string },
+        ) => Promise<string>;
+      };
+    };
+  }
+}
+
+const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "";
+
+// ---------------------------------------------------------------------------
+// Small UI helpers
+// ---------------------------------------------------------------------------
+
+function Label({
+  htmlFor,
+  children,
+  required,
+}: {
+  htmlFor: string;
+  children: React.ReactNode;
+  required?: boolean;
+}) {
+  return (
+    <label
+      htmlFor={htmlFor}
+      className="mb-1.5 block text-sm font-medium text-(--color-neutral800)"
+    >
+      {children}
+      {required && (
+        <span className="ml-0.5 text-(--color-primary600)" aria-hidden>
+          *
+        </span>
+      )}
+    </label>
+  );
+}
+
+function FieldError({ message }: { message?: string }) {
+  if (!message) return null;
+  return (
+    <p role="alert" className="mt-1 text-xs text-red-600">
+      {message}
+    </p>
+  );
+}
+
+function Hint({ children }: { children: React.ReactNode }) {
+  return <p className="mt-1 text-xs text-(--color-neutral600)">{children}</p>;
+}
+
+function Textarea({
+  id,
+  value,
+  onChange,
+  placeholder,
+  rows = 5,
+  hasError,
+}: {
+  id?: string;
+  value: string;
+  onChange: (v: string) => void;
+  placeholder?: string;
+  rows?: number;
+  hasError?: boolean;
+}) {
+  return (
+    <textarea
+      id={id}
+      value={value}
+      onChange={(e) => onChange(e.target.value)}
+      placeholder={placeholder}
+      rows={rows}
+      className={cn(
+        "flex w-full resize-y rounded-md border bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none placeholder:text-(--color-neutral600) focus-visible:border-(--color-primary200)",
+        hasError ? "border-red-400" : "border-(--color-neutral150)",
+      )}
+    />
+  );
+}
+
+function SectionDivider({ label }: { label: string }) {
+  return (
+    <div className="relative my-6">
+      <div className="absolute inset-0 flex items-center">
+        <div className="w-full border-t border-(--color-neutral150)" />
+      </div>
+      <div className="relative flex justify-start">
+        <span className="bg-white pr-3 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600)">
+          {label}
+        </span>
+      </div>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Logo upload field
+// ---------------------------------------------------------------------------
+
+function LogoUpload({
+  file,
+  onChange,
+  hasError,
+}: {
+  file: File | null;
+  onChange: (f: File | null) => void;
+  hasError?: boolean;
+}) {
+  const inputRef = useRef<HTMLInputElement>(null);
+  const [dragOver, setDragOver] = useState(false);
+  const preview = file ? URL.createObjectURL(file) : null;
+
+  const handleFiles = (files: FileList | null) => {
+    const f = files?.[0] ?? null;
+    onChange(f);
+  };
+
+  return (
+    <div>
+      <input
+        ref={inputRef}
+        id="logo_file"
+        type="file"
+        accept="image/png,image/jpeg,image/svg+xml,image/webp"
+        className="sr-only"
+        onChange={(e) => handleFiles(e.target.files)}
+      />
+
+      <button
+        type="button"
+        onClick={() => inputRef.current?.click()}
+        onDragOver={(e) => {
+          e.preventDefault();
+          setDragOver(true);
+        }}
+        onDragLeave={() => setDragOver(false)}
+        onDrop={(e) => {
+          e.preventDefault();
+          setDragOver(false);
+          handleFiles(e.dataTransfer.files);
+        }}
+        className={cn(
+          "flex w-full flex-col items-center justify-center gap-2 rounded-md border-2 border-dashed px-4 py-8 text-sm transition-colors",
+          dragOver
+            ? "border-(--color-primary600) bg-(--color-primary100)"
+            : hasError
+              ? "border-red-400 bg-red-50"
+              : "border-(--color-neutral150) bg-(--color-neutral100) hover:border-(--color-primary200) hover:bg-(--color-primary100)",
+        )}
+      >
+        {preview ? (
+          <div className="flex flex-col items-center gap-3">
+            <Image
+              src={preview}
+              alt="Logo preview"
+              width={64}
+              height={64}
+              className="h-16 w-16 rounded-lg object-contain"
+              unoptimized
+            />
+            <span className="text-xs text-(--color-neutral600)">
+              {file?.name}{" "}
+              <span className="text-(--color-primary600) underline">
+                Change
+              </span>
+            </span>
+          </div>
+        ) : (
+          <>
+            <svg
+              viewBox="0 0 24 24"
+              fill="none"
+              stroke="currentColor"
+              strokeWidth="1.5"
+              className="h-8 w-8 text-(--color-neutral400)"
+              aria-hidden="true"
+            >
+              <path
+                d="M12 16V8m0 0-3 3m3-3 3 3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+              <path
+                d="M20.39 18.39A5 5 0 0 0 18 9h-1.26A8 8 0 1 0 3 16.3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+            </svg>
+            <span className="font-medium text-(--color-neutral700)">
+              Upload a File
+            </span>
+            <span className="text-xs text-(--color-neutral500)">
+              Drag and drop or click to browse — PNG, JPEG, SVG, WebP · max 2 MB
+            </span>
+          </>
+        )}
+      </button>
+
+      {file && (
+        <button
+          type="button"
+          onClick={() => {
+            onChange(null);
+            if (inputRef.current) inputRef.current.value = "";
+          }}
+          className="mt-1 text-xs text-(--color-neutral600) hover:text-red-600"
+        >
+          Remove logo
+        </button>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Category pills
+// ---------------------------------------------------------------------------
+
+function CategoryPill({
+  label,
+  onRemove,
+}: {
+  label: string;
+  onRemove: () => void;
+}) {
+  return (
+    <span className="inline-flex items-center gap-1 rounded-full bg-(--color-primary100) px-3 py-1 text-xs font-medium text-(--color-primary700)">
+      {label}
+      <button
+        type="button"
+        onClick={onRemove}
+        className="ml-1 rounded-full p-0.5 hover:bg-(--color-primary200)"
+        aria-label={`Remove ${label}`}
+      >
+        ×
+      </button>
+    </span>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Form state
+// ---------------------------------------------------------------------------
+
+interface FormFields {
+  template_name: string;
+  repository_url: string;
+  demo_url: string;
+  description: string;
+  logo_file: File | null;
+  categories_list: string[];
+  submission_notes: string;
+  owner_name: string;
+  owner_email: string;
+  agreed: boolean;
+}
+
+const INITIAL: FormFields = {
+  template_name: "",
+  repository_url: "",
+  demo_url: "",
+  description: "",
+  logo_file: null,
+  categories_list: [],
+  submission_notes: "",
+  owner_name: "",
+  owner_email: "",
+  agreed: false,
+};
+
+type FieldErrors = Partial<Record<keyof FormFields | "_form", string>>;
+
+function validate(f: FormFields): FieldErrors {
+  const e: FieldErrors = {};
+  if (!f.template_name.trim()) e.template_name = "Template name is required.";
+  if (!f.description.trim()) e.description = "Description is required.";
+  if (!f.repository_url.trim()) {
+    e.repository_url = "Repository URL is required.";
+  } else if (!/^https?:\/\//i.test(f.repository_url.trim())) {
+    e.repository_url = "Must be a valid https:// URL.";
+  }
+  if (f.demo_url.trim() && !/^https?:\/\//i.test(f.demo_url.trim())) {
+    e.demo_url = "Must be a valid https:// URL.";
+  }
+  if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
+  if (!f.owner_email.trim()) {
+    e.owner_email = "Contact email is required.";
+  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(f.owner_email.trim())) {
+    e.owner_email = "Must be a valid email address.";
+  }
+  if (!f.agreed) e.agreed = "You must agree to the terms to continue.";
+  return e;
+}
+
+// ---------------------------------------------------------------------------
+// Success screen
+// ---------------------------------------------------------------------------
+
+function SuccessScreen() {
+  return (
+    <>
+      <Navigation theme="light" />
+      <main>
+        <Container>
+          <div className="flex min-h-[60vh] flex-col items-center justify-center py-24 text-center">
+            <div className="mb-6 flex h-16 w-16 items-center justify-center rounded-full bg-(--color-primary100)">
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-8 w-8 text-(--color-primary600)"
+                aria-hidden="true"
+              >
+                <polyline points="20 6 9 17 4 12" />
+              </svg>
+            </div>
+            <h1 className="mb-3 text-2xl font-bold text-(--color-primary800)">
+              Submission received!
+            </h1>
+            <p className="mb-8 max-w-md text-sm leading-relaxed text-(--color-neutral600)">
+              Thank you for submitting your template. Our team will review it
+              and reach out at the email address you provided.
+            </p>
+            <Button href="/" variant="secondary">
+              Back to Marketplace
+            </Button>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Page
+// ---------------------------------------------------------------------------
+
+export default function SubmitTemplatePage() {
+  const [fields, setFields] = useState<FormFields>(INITIAL);
+  const [errors, setErrors] = useState<FieldErrors>({});
+  const [submitting, setSubmitting] = useState(false);
+  const [success, setSuccess] = useState(false);
+  const [categories, setCategories] = useState<string[]>([]);
+
+  useEffect(() => {
+    fetch("/api/categories")
+      .then((r) => (r.ok ? r.json() : null))
+      .then((json) => {
+        const names: string[] = (json?.data ?? [])
+          .map((c: { name?: string }) => c.name)
+          .filter(Boolean) as string[];
+        setCategories(names);
+      })
+      .catch(() => {});
+  }, []);
+
+  const set = <K extends keyof FormFields>(key: K, value: FormFields[K]) => {
+    setFields((f) => ({ ...f, [key]: value }));
+    setErrors((e) => ({ ...e, [key]: undefined }));
+  };
+
+  const addCategory = (cat: string) => {
+    if (cat && !fields.categories_list.includes(cat)) {
+      set("categories_list", [...fields.categories_list, cat]);
+    }
+  };
+
+  const removeCategory = (cat: string) => {
+    set(
+      "categories_list",
+      fields.categories_list.filter((c) => c !== cat),
+    );
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+
+    const errs = validate(fields);
+    if (Object.keys(errs).length > 0) {
+      setErrors(errs);
+      const firstKey = Object.keys(errs)[0];
+      document.getElementById(firstKey as string)?.focus();
+      return;
+    }
+
+    setSubmitting(true);
+    setErrors({});
+
+    try {
+      let recaptchaToken = "";
+      if (
+        RECAPTCHA_SITE_KEY &&
+        typeof window !== "undefined" &&
+        window.grecaptcha?.enterprise
+      ) {
+        await new Promise<void>((resolve) =>
+          window.grecaptcha.enterprise.ready(resolve),
+        );
+        recaptchaToken = await window.grecaptcha.enterprise.execute(
+          RECAPTCHA_SITE_KEY,
+          { action: "submit_template" },
+        );
+      }
+
+      const form = new FormData();
+      form.append("template_name", fields.template_name.trim());
+      form.append("repository_url", fields.repository_url.trim());
+      form.append("demo_url", fields.demo_url.trim());
+      form.append("description", fields.description.trim());
+      form.append("submission_notes", fields.submission_notes.trim());
+      form.append("owner_name", fields.owner_name.trim());
+      form.append("owner_email", fields.owner_email.trim());
+      form.append("categories_list", JSON.stringify(fields.categories_list));
+      form.append("submitter_agreed_to_terms", "true");
+      form.append("recaptcha_token", recaptchaToken);
+      if (fields.logo_file) {
+        form.append("logo_file", fields.logo_file, fields.logo_file.name);
+      }
+
+      const res = await fetch("/api/submit-template", {
+        method: "POST",
+        body: form,
+      });
+      const data = (await res.json()) as {
+        success?: boolean;
+        error?: string;
+        errors?: string[];
+      };
+
+      if (!res.ok) {
+        setErrors({
+          _form:
+            (Array.isArray(data.errors) ? data.errors.join(" ") : data.error) ||
+            "Something went wrong. Please try again.",
+        });
+        return;
+      }
+
+      setSuccess(true);
+    } catch {
+      setErrors({
+        _form:
+          "Could not submit your template. Please check your connection and try again.",
+      });
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  if (success) return <SuccessScreen />;
+
+  const availableCategories = categories.filter(
+    (c) => !fields.categories_list.includes(c),
+  );
+
+  return (
+    <>
+      {RECAPTCHA_SITE_KEY && (
+        <Script
+          src={`https://www.google.com/recaptcha/enterprise.js?render=${RECAPTCHA_SITE_KEY}`}
+          strategy="lazyOnload"
+        />
+      )}
+
+      <Navigation theme="light" />
+
+      <main className="pb-24">
+        <Container>
+          {/* Back link */}
+          <div className="py-6">
+            <Link
+              href="/"
+              className="inline-flex items-center gap-2 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600) transition-colors hover:text-(--color-primary600)"
+            >
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-4 w-4"
+                aria-hidden="true"
+              >
+                <polyline points="15 18 9 12 15 6" />
+              </svg>
+              Submit other content
+            </Link>
+          </div>
+
+          <div className="grid grid-cols-1 gap-12 lg:grid-cols-5">
+            {/* Left: intro */}
+            <div className="lg:col-span-2 lg:pt-2">
+              <p className="mb-2 text-sm text-(--color-neutral600)">
+                Submit your content
+              </p>
+              <h1 className="mb-4 text-4xl font-bold leading-tight text-(--color-primary800)">
+                Submit a Template
+              </h1>
+              <p className="text-sm leading-7 text-(--color-neutral700)">
+                Share your Strapi starter template with the community. All
+                submissions are reviewed before being listed in the marketplace.
+                We&rsquo;ll reach out if we need more information.{" "}
+                <Link
+                  href="/community"
+                  className="underline underline-offset-2 hover:text-(--color-primary600)"
+                >
+                  Community Guidelines
+                </Link>
+              </p>
+
+              <div className="mt-8 space-y-3">
+                {[
+                  {
+                    title: "Quick review",
+                    body: "Templates go through a simplified review process — no automated checks, just a manual approval.",
+                  },
+                  {
+                    title: "Get discovered",
+                    body: "Approved templates are listed in the marketplace and discoverable by the Strapi community.",
+                  },
+                ].map(({ title, body }) => (
+                  <div
+                    key={title}
+                    className="flex gap-3 rounded-lg border border-(--color-neutral150) bg-(--color-neutral100) px-4 py-3"
+                  >
+                    <div className="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-(--color-primary600) text-white">
+                      <svg
+                        viewBox="0 0 24 24"
+                        fill="none"
+                        stroke="currentColor"
+                        strokeWidth="2.5"
+                        className="h-3 w-3"
+                        aria-hidden="true"
+                      >
+                        <polyline points="20 6 9 17 4 12" />
+                      </svg>
+                    </div>
+                    <div>
+                      <p className="text-sm font-semibold text-(--color-neutral800)">
+                        {title}
+                      </p>
+                      <p className="mt-0.5 text-xs leading-relaxed text-(--color-neutral600)">
+                        {body}
+                      </p>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+
+            {/* Right: form */}
+            <div className="lg:col-span-3">
+              <form
+                onSubmit={handleSubmit}
+                noValidate
+                className="rounded-xl border border-(--color-neutral150) bg-white p-8 shadow-sm"
+              >
+                {errors._form && (
+                  <div
+                    role="alert"
+                    className="mb-6 rounded-md border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700"
+                  >
+                    {errors._form}
+                  </div>
+                )}
+
+                {/* Template Name */}
+                <div className="mb-5">
+                  <Label htmlFor="template_name" required>
+                    Template Name
+                  </Label>
+                  <Input
+                    id="template_name"
+                    value={fields.template_name}
+                    onChange={(e) => set("template_name", e.target.value)}
+                    placeholder="e.g. Strapi Blog Starter"
+                    className={errors.template_name ? "border-red-400" : ""}
+                    autoComplete="off"
+                  />
+                  <FieldError message={errors.template_name} />
+                </div>
+
+                {/* Repository URL */}
+                <div className="mb-5">
+                  <Label htmlFor="repository_url" required>
+                    Repository URL
+                  </Label>
+                  <Input
+                    id="repository_url"
+                    type="url"
+                    value={fields.repository_url}
+                    onChange={(e) => set("repository_url", e.target.value)}
+                    placeholder="https://github.com/org/repo"
+                    className={errors.repository_url ? "border-red-400" : ""}
+                  />
+                  <FieldError message={errors.repository_url} />
+                  <Hint>
+                    GitHub, GitLab, Bitbucket, or any public repository URL.
+                  </Hint>
+                </div>
+
+                {/* Demo URL */}
+                <div className="mb-5">
+                  <Label htmlFor="demo_url">Live Demo URL</Label>
+                  <Input
+                    id="demo_url"
+                    type="url"
+                    value={fields.demo_url}
+                    onChange={(e) => set("demo_url", e.target.value)}
+                    placeholder="https://my-template-demo.com"
+                    className={errors.demo_url ? "border-red-400" : ""}
+                  />
+                  <FieldError message={errors.demo_url} />
+                  <Hint>A live preview URL, if available.</Hint>
+                </div>
+
+                {/* Description */}
+                <div className="mb-5">
+                  <Label htmlFor="description" required>
+                    Template Description
+                  </Label>
+                  <Textarea
+                    id="description"
+                    value={fields.description}
+                    onChange={(v) => set("description", v)}
+                    placeholder="Tell us about your template — what it includes and what use cases it covers."
+                    rows={4}
+                    hasError={!!errors.description}
+                  />
+                  <FieldError message={errors.description} />
+                </div>
+
+                {/* Logo upload */}
+                <div className="mb-5">
+                  <Label htmlFor="logo_file">Template Logo / Screenshot</Label>
+                  <LogoUpload
+                    file={fields.logo_file}
+                    onChange={(f) => set("logo_file", f)}
+                    hasError={!!errors.logo_file}
+                  />
+                  <FieldError message={errors.logo_file as string} />
+                </div>
+
+                {/* Categories */}
+                <div className="mb-5">
+                  <Label htmlFor="category_select">Categories</Label>
+                  {fields.categories_list.length > 0 && (
+                    <div className="mb-2 flex flex-wrap gap-2">
+                      {fields.categories_list.map((c) => (
+                        <CategoryPill
+                          key={c}
+                          label={c}
+                          onRemove={() => removeCategory(c)}
+                        />
+                      ))}
+                    </div>
+                  )}
+                  <select
+                    id="category_select"
+                    className="flex h-10 w-full rounded-md border border-(--color-neutral150) bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none focus:border-(--color-primary200)"
+                    value=""
+                    onChange={(e) => {
+                      addCategory(e.target.value);
+                      e.target.value = "";
+                    }}
+                  >
+                    <option value="">
+                      {categories.length === 0
+                        ? "Loading categories…"
+                        : availableCategories.length === 0
+                          ? "All categories selected"
+                          : "Select a category to add…"}
+                    </option>
+                    {availableCategories.map((c) => (
+                      <option key={c} value={c}>
+                        {c}
+                      </option>
+                    ))}
+                  </select>
+                </div>
+
+                <SectionDivider label="Owner" />
+
+                {/* Owner */}
+                <div className="mb-5 grid grid-cols-1 gap-4 sm:grid-cols-2">
+                  <div>
+                    <Label htmlFor="owner_name" required>
+                      Owner / Author Name
+                    </Label>
+                    <Input
+                      id="owner_name"
+                      value={fields.owner_name}
+                      onChange={(e) => set("owner_name", e.target.value)}
+                      placeholder="Your name or organisation"
+                      className={errors.owner_name ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_name} />
+                  </div>
+                  <div>
+                    <Label htmlFor="owner_email" required>
+                      Contact Email
+                    </Label>
+                    <Input
+                      id="owner_email"
+                      type="email"
+                      value={fields.owner_email}
+                      onChange={(e) => set("owner_email", e.target.value)}
+                      placeholder="you@example.com"
+                      className={errors.owner_email ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_email} />
+                  </div>
+                </div>
+
+                {/* Notes */}
+                <div className="mb-5">
+                  <Label htmlFor="submission_notes">Notes for Reviewers</Label>
+                  <Textarea
+                    id="submission_notes"
+                    value={fields.submission_notes}
+                    onChange={(v) => set("submission_notes", v)}
+                    placeholder="Anything you'd like the review team to know."
+                    rows={3}
+                  />
+                </div>
+
+                <SectionDivider label="Terms" />
+
+                {/* Terms */}
+                <div className="mb-6">
+                  <label
+                    htmlFor="agreed"
+                    className="flex cursor-pointer items-start gap-3"
+                  >
+                    <Checkbox
+                      id="agreed"
+                      checked={fields.agreed}
+                      onCheckedChange={(checked) =>
+                        set("agreed", checked === true)
+                      }
+                      className={errors.agreed ? "border-red-400" : ""}
+                    />
+                    <span className="text-sm leading-relaxed text-(--color-neutral700)">
+                      I confirm this template is open-source and compliant with
+                      the{" "}
+                      <Link
+                        href="/community"
+                        className="underline underline-offset-2 hover:text-(--color-primary600)"
+                      >
+                        Community Guidelines
+                      </Link>
+                      .
+                    </span>
+                  </label>
+                  <FieldError message={errors.agreed} />
+                </div>
+
+                <p className="mb-6 text-xs leading-relaxed text-(--color-neutral600)">
+                  By submitting you agree to our review process. We will contact
+                  you if we need additional information. Submissions are
+                  reviewed manually and may take a few business days.
+                </p>
+
+                <Button
+                  type="submit"
+                  variant="primary"
+                  size="large"
+                  className="w-full"
+                  disabled={submitting}
+                >
+                  {submitting ? "Submitting…" : "Submit Template"}
+                </Button>
+
+                <p className="mt-4 text-center text-xs text-(--color-neutral600)">
+                  Protected by reCAPTCHA —{" "}
+                  <a
+                    href="https://policies.google.com/privacy"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Privacy
+                  </a>{" "}
+                  &amp;{" "}
+                  <a
+                    href="https://policies.google.com/terms"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Terms
+                  </a>
+                </p>
+              </form>
+            </div>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}

From 6c4eaf676b320d6ded559350b8207125c869266d Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 09:39:11 -0700
Subject: [PATCH 03/26] feat(automation): n8n-mcp compose stack, workflow
 version control, Claude skills

Extends apps/automation with an engine-agnostic Docker/Podman compose setup
that runs a local n8n plus an opt-in n8n-mcp service (--profile mcp). A shell
wrapper auto-detects the installed compose engine so pnpm scripts work for
both Docker and Podman users.

Adds Node 20+ scripts for exporting workflows from the local n8n into
apps/automation/workflows/<slug>/workflow.json and importing them back,
with instance-specific fields stripped for clean diffs and optional README
files preserved across re-exports.

Introduces seven project-scoped Claude Code skills covering lifecycle
(start/stop/restart/status), workflow sync (export/import), and domain
expertise for building workflows via n8n-mcp tools. Adds a root CLAUDE.md
that indexes them and gitignores personal .claude/settings*.json plus the
tmp/ scratch directory.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .claude/skills/n8n-export/SKILL.md           |  40 +++++
 .claude/skills/n8n-import/SKILL.md           |  38 +++++
 .claude/skills/n8n-restart/SKILL.md          |  38 +++++
 .claude/skills/n8n-start/SKILL.md            |  48 ++++++
 .claude/skills/n8n-status/SKILL.md           |  35 ++++
 .claude/skills/n8n-stop/SKILL.md             |  25 +++
 .claude/skills/n8n-workflow-builder/SKILL.md | 122 ++++++++++++++
 .gitignore                                   |   7 +
 CLAUDE.md                                    |  44 +++++
 apps/automation/.env.example                 |  14 ++
 apps/automation/README.md                    | 112 +++++++++++++
 apps/automation/docker-compose.yml           |  41 ++++-
 apps/automation/package.json                 |  15 +-
 apps/automation/scripts/compose.sh           |  37 ++++
 apps/automation/scripts/export-workflows.mjs | 168 +++++++++++++++++++
 apps/automation/scripts/import-workflows.mjs | 167 ++++++++++++++++++
 16 files changed, 942 insertions(+), 9 deletions(-)
 create mode 100644 .claude/skills/n8n-export/SKILL.md
 create mode 100644 .claude/skills/n8n-import/SKILL.md
 create mode 100644 .claude/skills/n8n-restart/SKILL.md
 create mode 100644 .claude/skills/n8n-start/SKILL.md
 create mode 100644 .claude/skills/n8n-status/SKILL.md
 create mode 100644 .claude/skills/n8n-stop/SKILL.md
 create mode 100644 .claude/skills/n8n-workflow-builder/SKILL.md
 create mode 100644 CLAUDE.md
 create mode 100644 apps/automation/.env.example
 create mode 100644 apps/automation/README.md
 create mode 100755 apps/automation/scripts/compose.sh
 create mode 100755 apps/automation/scripts/export-workflows.mjs
 create mode 100755 apps/automation/scripts/import-workflows.mjs

diff --git a/.claude/skills/n8n-export/SKILL.md b/.claude/skills/n8n-export/SKILL.md
new file mode 100644
index 0000000..4870d31
--- /dev/null
+++ b/.claude/skills/n8n-export/SKILL.md
@@ -0,0 +1,40 @@
+---
+name: n8n-export
+description: Export all workflows from the local n8n instance into version-controlled JSON under apps/automation/workflows/. Use when the user asks to export, pull, snapshot, or sync workflows from the local n8n.
+---
+
+# n8n-export
+
+Fetches every workflow from the local n8n instance via the REST API and writes each one to `apps/automation/workflows/<slug>/workflow.json` with instance-specific fields stripped for clean diffs.
+
+## Preconditions
+
+- n8n is running locally (`pnpm --filter automation n8n:ps` shows it).
+- `apps/automation/.env` has `N8N_API_KEY` set. If missing, stop and direct the user to create one at <http://localhost:5678/settings/api> and paste into `.env`.
+
+## Steps
+
+1. **Pre-flight checks:**
+   ```bash
+   grep -E '^N8N_API_KEY=.+' apps/automation/.env >/dev/null || echo 'MISSING N8N_API_KEY'
+   curl -sf http://localhost:5678/healthz >/dev/null || echo 'n8n not reachable'
+   ```
+
+2. **Run the export:**
+   ```bash
+   pnpm --filter automation workflows:export
+   ```
+
+3. **Report the summary** to the user (added / updated / removed / skipped-with-notes counts printed by the script).
+
+## What's stripped
+
+Instance-specific fields (`id`, `versionId`, `createdAt`, `updatedAt`, `triggerCount`, `active`, `shared`, `meta`, `pinData`) are removed before writing. Tag IDs/timestamps are stripped too; tag names are kept.
+
+## Preserved across exports
+
+If `apps/automation/workflows/<slug>/README.md` exists and is non-empty, the script will NOT delete that directory even if the workflow has been removed from n8n. It warns instead, so you notice the dangling directory and can resolve it intentionally.
+
+## Credentials
+
+Credentials are never exported. Only the reference (name + id) appears in the JSON; secrets stay in n8n's encrypted store.
diff --git a/.claude/skills/n8n-import/SKILL.md b/.claude/skills/n8n-import/SKILL.md
new file mode 100644
index 0000000..f0f1682
--- /dev/null
+++ b/.claude/skills/n8n-import/SKILL.md
@@ -0,0 +1,38 @@
+---
+name: n8n-import
+description: Import workflows from apps/automation/workflows/ into the local n8n instance. Use when the user asks to import, push, load, or sync workflow JSON files to the local n8n.
+---
+
+# n8n-import
+
+Reads every `apps/automation/workflows/<slug>/workflow.json` and creates or updates the matching workflow on the local n8n instance. Matching is by workflow `name`.
+
+## Preconditions
+
+- n8n is running locally.
+- `apps/automation/.env` has `N8N_API_KEY` set.
+
+## Steps
+
+1. **Pre-flight checks:**
+   ```bash
+   grep -E '^N8N_API_KEY=.+' apps/automation/.env >/dev/null || echo 'MISSING N8N_API_KEY'
+   curl -sf http://localhost:5678/healthz >/dev/null || echo 'n8n not reachable'
+   ```
+
+2. **Run the import:**
+   ```bash
+   pnpm --filter automation workflows:import
+   ```
+
+3. **Report the summary** to the user (created / updated / failed counts).
+
+## Behavior
+
+- **Match by name:** if a workflow with the same `name` already exists on the instance, it's updated in place via `PUT /api/v1/workflows/{id}`. The instance-side id and any activations are preserved.
+- **Imported inactive:** the `active` field is stripped on export, so nothing is auto-activated on import. The user activates workflows manually in the UI.
+- **Credentials:** dangling credential references are warned per-node. Recreate the credentials in the n8n UI to clear the warning — secrets are never in the JSON.
+
+## Sanitization
+
+Only whitelisted fields (`name`, `nodes`, `connections`, `settings`, `staticData`) are sent to the API. Tags aren't associated on import (n8n manages tag links via a separate endpoint; that's intentionally out of scope for now).
diff --git a/.claude/skills/n8n-restart/SKILL.md b/.claude/skills/n8n-restart/SKILL.md
new file mode 100644
index 0000000..5741e7e
--- /dev/null
+++ b/.claude/skills/n8n-restart/SKILL.md
@@ -0,0 +1,38 @@
+---
+name: n8n-restart
+description: Restart the local n8n automation stack, preserving whatever profile (plain or mcp) is currently running. Use when the user asks to restart, reload, or reboot n8n.
+---
+
+# n8n-restart
+
+Restarts the running services in place. This is faster than `down`/`up` because volumes stay mounted. It also preserves the currently active compose profile — if `n8n-mcp` was up, it stays up.
+
+## Steps
+
+1. **Detect whether the mcp profile is active:**
+   ```bash
+   cd apps/automation
+   if ./scripts/compose.sh ps --services --status running | grep -q '^n8n-mcp$'; then
+     MCP_RUNNING=1
+   else
+     MCP_RUNNING=0
+   fi
+   ```
+
+2. **Restart the appropriate set of services:**
+   ```bash
+   if [ "$MCP_RUNNING" = "1" ]; then
+     pnpm --filter automation n8n:restart:mcp
+   else
+     pnpm --filter automation n8n:restart
+   fi
+   ```
+
+3. **Verify:**
+   ```bash
+   pnpm --filter automation n8n:ps
+   ```
+
+## Notes
+
+- If nothing is currently running, `n8n-restart` will do nothing useful. Use `n8n-start` to bring the stack up instead.
diff --git a/.claude/skills/n8n-start/SKILL.md b/.claude/skills/n8n-start/SKILL.md
new file mode 100644
index 0000000..b9847a8
--- /dev/null
+++ b/.claude/skills/n8n-start/SKILL.md
@@ -0,0 +1,48 @@
+---
+name: n8n-start
+description: Start the local n8n instance for the Strapi community hub. Use when the user asks to start, launch, bring up, or run n8n or the automation stack. Pass --mcp to also bring up n8n-mcp (requires N8N_API_KEY and MCP_AUTH_TOKEN in .env).
+---
+
+# n8n-start
+
+Starts the n8n container(s) defined in `apps/automation/docker-compose.yml` via the engine-agnostic `scripts/compose.sh` wrapper (autodetects Docker or Podman).
+
+## Steps
+
+1. **Change to the automation directory.** All commands below run from `apps/automation/`.
+
+2. **Ensure `.env` exists:**
+   ```bash
+   test -f apps/automation/.env || cp apps/automation/.env.example apps/automation/.env
+   ```
+   If it was just created, tell the user and point them at `apps/automation/.env.example`.
+
+3. **Decide on MCP.** If the user's request didn't specify, ask whether to include `n8n-mcp`. Default is no.
+
+4. **If starting with MCP, pre-check required env vars:**
+   ```bash
+   grep -E '^(N8N_API_KEY|MCP_AUTH_TOKEN)=.+' apps/automation/.env
+   ```
+   Both must be non-empty. If either is missing, stop and explain:
+   - `MCP_AUTH_TOKEN` — generate with `openssl rand -hex 32`.
+   - `N8N_API_KEY` — chicken-and-egg: start n8n first (without `--mcp`), create the key in the UI at <http://localhost:5678/settings/api>, paste it into `.env`, then run `n8n-start --mcp`.
+
+5. **Start the stack:**
+   ```bash
+   # without MCP
+   pnpm --filter automation n8n:up
+
+   # with MCP
+   pnpm --filter automation n8n:up:mcp
+   ```
+
+6. **Tail startup logs briefly** to confirm health:
+   ```bash
+   pnpm --filter automation n8n:logs --tail=20 &
+   # (stop after a few seconds)
+   ```
+   Or run `pnpm --filter automation n8n:ps` to confirm the containers are `running` / `healthy`.
+
+7. **Report URLs to the user:**
+   - n8n UI: <http://localhost:5678>
+   - n8n-mcp endpoint (if started): <http://localhost:3000/mcp>
diff --git a/.claude/skills/n8n-status/SKILL.md b/.claude/skills/n8n-status/SKILL.md
new file mode 100644
index 0000000..ddd9784
--- /dev/null
+++ b/.claude/skills/n8n-status/SKILL.md
@@ -0,0 +1,35 @@
+---
+name: n8n-status
+description: Show the health and status of the local n8n automation stack. Use when the user asks about n8n status, health, whether it is running, or which containers are up.
+---
+
+# n8n-status
+
+Prints container status plus health probes for n8n and (if running) n8n-mcp.
+
+## Steps
+
+1. **List containers:**
+   ```bash
+   pnpm --filter automation n8n:ps
+   ```
+
+2. **Probe n8n health:**
+   ```bash
+   curl -sf -o /dev/null -w '%{http_code}\n' http://localhost:5678/healthz || echo 'unreachable'
+   ```
+   A `200` means healthy. Anything else means n8n isn't ready (or isn't running).
+
+3. **Probe n8n-mcp health (only if its container is running):**
+   ```bash
+   curl -sf -o /dev/null -w '%{http_code}\n' http://localhost:3000/health || echo 'unreachable'
+   ```
+
+4. **Summarize** per service in one line each:
+   - engine (docker compose vs podman-compose, from `apps/automation/scripts/compose.sh`)
+   - container state (running / exited / healthy)
+   - local URL and probe result
+
+## Notes
+
+- If both probes fail but containers show as running, it usually means the service is still booting. Wait ~20s and retry, or inspect logs: `pnpm --filter automation n8n:logs`.
diff --git a/.claude/skills/n8n-stop/SKILL.md b/.claude/skills/n8n-stop/SKILL.md
new file mode 100644
index 0000000..d272ed2
--- /dev/null
+++ b/.claude/skills/n8n-stop/SKILL.md
@@ -0,0 +1,25 @@
+---
+name: n8n-stop
+description: Stop the local n8n automation stack. Use when the user asks to stop, shut down, halt, or bring down n8n. Data in the n8n_data volume persists across stops.
+---
+
+# n8n-stop
+
+Stops and removes the automation containers. The named volume `n8n_data` (workflows, credentials, settings) is preserved.
+
+## Steps
+
+1. **Run `down` from the workspace root:**
+   ```bash
+   pnpm --filter automation n8n:down
+   ```
+
+2. **Confirm nothing is running:**
+   ```bash
+   pnpm --filter automation n8n:ps
+   ```
+
+## Safety notes
+
+- **Never pass `-v`** here. `down -v` deletes the `n8n_data` volume and all workflows/credentials would be lost. The `n8n:down` package script deliberately omits it.
+- If the user asks to wipe state, confirm explicitly before running `./scripts/compose.sh down -v` from `apps/automation/`.
diff --git a/.claude/skills/n8n-workflow-builder/SKILL.md b/.claude/skills/n8n-workflow-builder/SKILL.md
new file mode 100644
index 0000000..a722a63
--- /dev/null
+++ b/.claude/skills/n8n-workflow-builder/SKILL.md
@@ -0,0 +1,122 @@
+---
+name: n8n-workflow-builder
+description: Domain-expertise guide for designing, building, validating, and modifying n8n workflows using the n8n-mcp tools. Use whenever the user asks to build, create, design, edit, or validate an n8n workflow. Requires the n8n-mcp server to be running (see n8n-start).
+---
+
+# n8n Workflow Builder (via n8n-mcp)
+
+You are an n8n automation expert. Use the **n8n-mcp** tools to design, build, and validate workflows with maximum accuracy and minimum token cost.
+
+## Core principles
+
+1. **Silent execution.** Run tool calls without per-call commentary. Summarize only after the batch completes.
+2. **Parallel when independent.** Fire off independent `search_*` / `get_node` / `validate_node` calls in a single tool-use block.
+3. **Templates first.** With 2,700+ curated templates available, always try `search_templates` before building from scratch.
+4. **Multi-level validation.** `validate_node(mode='minimal')` → `validate_node(mode='full')` → `validate_workflow`.
+5. **Never trust defaults.** The #1 source of runtime failures. Explicitly set every parameter that controls node behavior.
+
+## Process
+
+1. **Bootstrap** — `tools_documentation()` once, to pull current best-practice guidance from the MCP server.
+
+2. **Template discovery** (parallel when searching multiple axes):
+   - `search_templates({searchMode:'by_metadata', complexity:'simple', maxSetupMinutes:30})`
+   - `search_templates({searchMode:'by_task', task:'webhook_processing'})`
+   - `search_templates({searchMode:'by_nodes', nodeTypes:['n8n-nodes-base.slack']})`
+   - `search_templates({query:'slack notification'})` for keyword search.
+
+3. **Node discovery** (if no suitable template):
+   - `search_nodes({query:'...', includeExamples:true})` — returns real configs from templates.
+   - Before configuring, present the intended architecture to the user for approval.
+
+4. **Configuration** (parallel for multiple nodes):
+   - `get_node({nodeType, detail:'standard', includeExamples:true})` — default.
+   - `detail:'minimal'` (~200 tokens) for quick metadata, `detail:'full'` (~3-8k tokens) only when needed.
+   - `mode:'search_properties', propertyQuery:'auth'` to locate a specific property.
+   - `mode:'docs'` for the human-readable node docs.
+
+5. **Node validation** (parallel):
+   - `validate_node({nodeType, config, mode:'minimal'})` — quick required-fields check.
+   - `validate_node({nodeType, config, mode:'full', profile:'runtime'})` — full with auto-fixes.
+   - Fix every error before continuing.
+
+6. **Build:**
+   - Using a template: `get_template(id, {mode:'full'})`. **Attribution is mandatory** — always cite the template author and link: `Based on template by **<author.name>** (@<username>). View: <url>`.
+   - Set every meaningful parameter explicitly. Wire nodes correctly. Add error handling. Use n8n expression syntax (`$json`, `$node["Name"].json`).
+   - Avoid the **Code node** unless no standard node fits.
+   - Remember: any node can be used as an AI agent tool, not just nodes marked as such.
+
+7. **Workflow validation** (before deployment):
+   - `validate_workflow(workflow)` — full sweep.
+   - `validate_workflow_connections(workflow)` / `validate_workflow_expressions(workflow)` for targeted checks.
+
+8. **Deployment** (if the n8n API is configured and the user wants it pushed):
+   - `n8n_create_workflow(workflow)` to deploy.
+   - `n8n_validate_workflow({id})` to post-check.
+   - `n8n_update_partial_workflow({id, operations:[...]})` — **always batch** multiple operations into one call.
+   - `n8n_test_workflow({workflowId})` to run it.
+
+## Critical pitfalls
+
+### `addConnection` requires four **separate string** parameters
+
+```json
+{
+  "type": "addConnection",
+  "source": "Source Node",
+  "target": "Target Node",
+  "sourcePort": "main",
+  "targetPort": "main"
+}
+```
+
+Not an object, not a tuple — four discrete string fields. See [n8n-mcp issue #327](https://github.com/czlonkowski/n8n-mcp/issues/327).
+
+### IF-node branches
+
+`addConnection` on an IF node must specify `branch: "true"` or `branch: "false"`. Without it, both connections may land on the same output and the logic silently breaks.
+
+```json
+{ "type":"addConnection", "source":"If", "target":"OnTrue",  "sourcePort":"main", "targetPort":"main", "branch":"true"  }
+{ "type":"addConnection", "source":"If", "target":"OnFalse", "sourcePort":"main", "targetPort":"main", "branch":"false" }
+```
+
+### Batch partial updates
+
+One `n8n_update_partial_workflow` with an array of operations beats N calls. Don't split.
+
+### Explicit parameters
+
+```
+BAD:  { resource:"message", operation:"post", text:"hi" }
+GOOD: { resource:"message", operation:"post", select:"channel", channelId:"C123", text:"hi" }
+```
+
+The "BAD" form fails at runtime because default selections aren't filled in.
+
+## Popular node types (exact IDs)
+
+Use `n8n-nodes-base.` for core nodes and `@n8n/n8n-nodes-langchain.` for LangChain nodes.
+
+- `n8n-nodes-base.code` — JS/Python (avoid when possible)
+- `n8n-nodes-base.httpRequest`
+- `n8n-nodes-base.webhook`, `n8n-nodes-base.respondToWebhook`
+- `n8n-nodes-base.set`, `n8n-nodes-base.merge`, `n8n-nodes-base.splitInBatches`
+- `n8n-nodes-base.if`, `n8n-nodes-base.switch`
+- `n8n-nodes-base.manualTrigger`, `n8n-nodes-base.scheduleTrigger`, `n8n-nodes-base.executeWorkflowTrigger`
+- `n8n-nodes-base.googleSheets`, `n8n-nodes-base.gmail`, `n8n-nodes-base.telegram`
+- `n8n-nodes-base.stickyNote` — documentation inside the canvas
+- `@n8n/n8n-nodes-langchain.agent`, `@n8n/n8n-nodes-langchain.lmChatOpenAi`
+
+## Response format
+
+After a batch of tool calls, report concisely:
+
+```
+Created workflow: Webhook → Validate → Slack
+- Trigger: POST /webhook/contact-form
+- Validation: If email present → Slack #support
+- All nodes validated (0 errors, 0 warnings)
+```
+
+Defer long explanations until asked.
diff --git a/.gitignore b/.gitignore
index 4006871..77ef7b9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -35,3 +35,10 @@ yarn-error.log*
 # Misc
 .DS_Store
 *.pem
+
+# Local scratch (specs, plans, ad-hoc notes — not committed)
+tmp/
+
+# Claude Code personal settings (permissions, env, hooks — not shared)
+.claude/settings.json
+.claude/settings.local.json
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 0000000..9395bd0
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,44 @@
+# Claude Code Guide — Strapi Community
+
+pnpm + turbo monorepo for the Strapi community hub.
+
+## Layout
+
+- `apps/automation/` — Local n8n instance and version-controlled workflows
+- `apps/cms/` — Strapi application
+- `apps/search/` — Search service
+- `apps/web/` — Web app
+- `packages/biome-config/` — Shared Biome (lint/format) config
+- `packages/strapi-client/` — Strapi client SDK
+- `packages/typescript-config/` — Shared TypeScript configs
+
+## Common commands
+
+- `pnpm install` — install all workspace deps
+- `pnpm dev` — run all app `dev` scripts via turbo
+- `pnpm build` / `pnpm lint` / `pnpm test` / `pnpm check-types` — turbo tasks
+
+## Automation stack (n8n)
+
+Local n8n plus optional `n8n-mcp` managed by an engine-agnostic compose setup under `apps/automation/`. Works with either Docker or Podman — the wrapper script picks whichever is installed.
+
+See [`apps/automation/README.md`](apps/automation/README.md) for full setup.
+
+### Skills (under `.claude/skills/`)
+
+| Skill | Purpose |
+| --- | --- |
+| `n8n-start` | Start n8n (pass `--mcp` to also start n8n-mcp). |
+| `n8n-stop` | Stop the automation stack. The `n8n_data` volume is preserved. |
+| `n8n-restart` | Restart the running services, preserving the active profile. |
+| `n8n-status` | Show container state, ports, and health probes. |
+| `n8n-export` | Pull workflows from the local n8n instance into `apps/automation/workflows/<slug>/workflow.json`. |
+| `n8n-import` | Push every `workflows/<slug>/workflow.json` back into the local n8n instance. |
+| `n8n-workflow-builder` | Domain-expertise prompt for designing, building, and validating n8n workflows via `n8n-mcp` tools. Invoke whenever the user asks to build or modify a workflow. |
+
+## Conventions
+
+- **`tmp/`** is gitignored local scratch (specs, plans, ad-hoc notes). Do not commit any content placed under `tmp/`.
+- **`.claude/settings.json`** and **`.claude/settings.local.json`** are gitignored — they hold personal permissions, env vars, and hooks. Do not commit them.
+- **`.claude/skills/**`** is committed and shared with the team.
+- The team self-hosted n8n instance is **not** reachable from this repo's tooling. `n8n-export` / `n8n-import` target `http://localhost:5678` only. Team deployments are manual and out of scope for the scripts in this repo.
diff --git a/apps/automation/.env.example b/apps/automation/.env.example
new file mode 100644
index 0000000..8465a55
--- /dev/null
+++ b/apps/automation/.env.example
@@ -0,0 +1,14 @@
+# n8n API key — generate inside the n8n UI at http://localhost:5678/settings/api
+# after first startup. Required for n8n-mcp and for the export/import scripts.
+N8N_API_KEY=
+
+# n8n-mcp authentication token. Generate with:
+#   openssl rand -hex 32
+# Required only when starting with the `mcp` profile.
+MCP_AUTH_TOKEN=
+
+# Optional: override the local n8n URL used by export/import scripts.
+# N8N_URL=http://localhost:5678
+
+# Optional: IANA timezone for n8n (default: UTC).
+GENERIC_TIMEZONE=UTC
diff --git a/apps/automation/README.md b/apps/automation/README.md
new file mode 100644
index 0000000..1ae0a75
--- /dev/null
+++ b/apps/automation/README.md
@@ -0,0 +1,112 @@
+# Automation (n8n)
+
+Local n8n instance for authoring and testing workflows used by the Strapi community hub. Optionally runs [n8n-mcp](https://github.com/czlonkowski/n8n-mcp) alongside n8n so Claude Code (or any MCP client) can build and validate workflows programmatically.
+
+Engine-agnostic: works with either Docker or Podman. All scripts detect your installed engine automatically.
+
+## Prerequisites
+
+One of:
+
+- **Docker Desktop** (includes the `docker compose` v2 plugin), or
+- **Podman + podman-compose** — `pip install --user podman-compose`
+
+Node.js 20+ is required for the workflow export/import scripts (uses built-in `fetch`).
+
+## Ports
+
+| Service   | Port  | URL                            |
+| --------- | ----- | ------------------------------ |
+| n8n       | 5678  | http://localhost:5678          |
+| n8n-mcp   | 3000  | http://localhost:3000/mcp      |
+
+## First-time setup
+
+```bash
+cd apps/automation
+cp .env.example .env
+```
+
+For n8n alone, the defaults in `.env` are fine. For **n8n-mcp** you'll also need:
+
+1. Generate an MCP auth token:
+   ```bash
+   openssl rand -hex 32
+   ```
+   Paste it into `.env` as `MCP_AUTH_TOKEN`.
+
+2. Start n8n first so you can create an n8n API key:
+   ```bash
+   pnpm --filter automation n8n:up
+   ```
+   Visit <http://localhost:5678>, create the owner account, then Settings → n8n API → create a new API key. Paste the value into `.env` as `N8N_API_KEY`.
+
+3. Bring up n8n-mcp:
+   ```bash
+   pnpm --filter automation n8n:up:mcp
+   ```
+
+## Daily use
+
+All commands run from the repo root:
+
+```bash
+pnpm --filter automation n8n:up          # n8n only
+pnpm --filter automation n8n:up:mcp      # n8n + n8n-mcp
+pnpm --filter automation n8n:down        # stop everything (data persists)
+pnpm --filter automation n8n:restart     # restart running services
+pnpm --filter automation n8n:ps          # container status
+pnpm --filter automation n8n:logs        # tail service logs
+```
+
+Data persists in the `n8n_data` named volume across `down` / `up`. Volumes are only removed if you explicitly run `docker compose down -v` or `podman-compose down -v`.
+
+## Workflow version control
+
+Workflows live under `workflows/<slug>/`:
+
+```
+workflows/
+└── my-workflow/
+    ├── workflow.json   # Auto-managed by export/import
+    └── README.md       # Optional human context; preserved across re-exports
+```
+
+### Export local workflows to the repo
+
+```bash
+pnpm --filter automation workflows:export
+```
+
+Fetches all workflows from <http://localhost:5678>, strips instance-specific fields (ids, timestamps, runtime state, pin data), and writes them to `workflows/<slug>/workflow.json`. Slug is derived from the workflow name.
+
+If you deleted a workflow in n8n, its `<slug>/` directory is removed on the next export — **unless** it contains a non-empty `README.md`, in which case it's skipped with a warning so human notes aren't silently lost.
+
+### Import workflows from the repo
+
+```bash
+pnpm --filter automation workflows:import
+```
+
+Reads every `workflows/*/workflow.json` and creates or updates the matching workflow on the local n8n instance (matched by `name`). Workflows are always imported as **inactive** — activate them manually in the n8n UI.
+
+Credentials are never exported (only the reference by name/id is kept in the JSON). When importing to a fresh instance, recreate the credentials in the n8n UI first; dangling credential refs will be flagged by n8n at runtime.
+
+### Team self-hosted instance
+
+The export/import scripts target `http://localhost:5678` only. Deploying workflows to the team self-hosted n8n is a separate manual process and not covered by this tooling.
+
+## Using with Claude Code
+
+Several skills under `.claude/skills/` wrap this stack:
+
+- `n8n-start`, `n8n-stop`, `n8n-restart`, `n8n-status` — lifecycle
+- `n8n-export`, `n8n-import` — workflow sync
+- `n8n-workflow-builder` — domain-expertise prompt for building workflows via n8n-mcp tools
+
+## Troubleshooting
+
+- **Port 5678 or 3000 already in use** — another container or process is bound. Stop it or edit the port mapping in `docker-compose.yml`.
+- **n8n-mcp refuses to start** — check `MCP_AUTH_TOKEN` is at least 32 chars and `N8N_API_KEY` is set. Both are required for the `mcp` profile.
+- **`podman-compose` not found** — `pip install --user podman-compose`, then ensure `~/.local/bin` is on your `PATH`.
+- **Can't reach n8n from n8n-mcp** — n8n-mcp uses `http://n8n:5678` (service DNS inside the compose network). Don't set `N8N_API_URL` to `localhost` in `.env`; it's overridden in the compose file.
diff --git a/apps/automation/docker-compose.yml b/apps/automation/docker-compose.yml
index 6b15575..b52e943 100644
--- a/apps/automation/docker-compose.yml
+++ b/apps/automation/docker-compose.yml
@@ -1,17 +1,46 @@
+name: strapi-automation
+
 services:
   n8n:
     image: n8nio/n8n:latest
-    container_name: n8n
-    environment:
-      - GENERIC_TIMEZONE=Europe/Amsterdam
-      - NODE_ENV=production
-      - N8N_SECURE_COOKIE=false
+    restart: unless-stopped
     ports:
       - "5678:5678"
+    environment:
+      GENERIC_TIMEZONE: ${GENERIC_TIMEZONE:-UTC}
+      TZ: ${GENERIC_TIMEZONE:-UTC}
+      NODE_ENV: production
+      N8N_SECURE_COOKIE: "false"
     volumes:
       - n8n_data:/home/node/.n8n
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:5678/healthz >/dev/null 2>&1 || exit 1"]
+      interval: 15s
+      timeout: 5s
+      retries: 10
+      start_period: 30s
+
+  n8n-mcp:
+    image: ghcr.io/czlonkowski/n8n-mcp:latest
+    pull_policy: always
+    profiles:
+      - mcp
     restart: unless-stopped
+    depends_on:
+      n8n:
+        condition: service_healthy
+    ports:
+      - "3000:3000"
+    environment:
+      N8N_MODE: "true"
+      MCP_MODE: http
+      N8N_API_URL: http://n8n:5678
+      N8N_API_KEY: ${N8N_API_KEY}
+      MCP_AUTH_TOKEN: ${MCP_AUTH_TOKEN}
+      AUTH_TOKEN: ${MCP_AUTH_TOKEN}
+      PORT: "3000"
+      LOG_LEVEL: info
 
 volumes:
   n8n_data:
-    name: n8n_data
\ No newline at end of file
+    name: n8n_data
diff --git a/apps/automation/package.json b/apps/automation/package.json
index 2c08b07..c9ac117 100644
--- a/apps/automation/package.json
+++ b/apps/automation/package.json
@@ -2,9 +2,18 @@
   "name": "automation",
   "version": "0.0.0",
   "private": true,
-  "description": "Local n8n instance for workflow automation",
+  "description": "Local n8n instance and workflow version control for the Strapi community hub. Engine-agnostic (Docker or Podman).",
   "scripts": {
-    "dev": "docker-compose up",
-    "start": "docker-compose up"
+    "dev": "./scripts/compose.sh up",
+    "start": "./scripts/compose.sh up -d",
+    "n8n:up": "./scripts/compose.sh up -d",
+    "n8n:up:mcp": "./scripts/compose.sh --profile mcp up -d",
+    "n8n:down": "./scripts/compose.sh down",
+    "n8n:restart": "./scripts/compose.sh restart",
+    "n8n:restart:mcp": "./scripts/compose.sh --profile mcp restart",
+    "n8n:ps": "./scripts/compose.sh ps",
+    "n8n:logs": "./scripts/compose.sh logs -f",
+    "workflows:export": "node ./scripts/export-workflows.mjs",
+    "workflows:import": "node ./scripts/import-workflows.mjs"
   }
 }
diff --git a/apps/automation/scripts/compose.sh b/apps/automation/scripts/compose.sh
new file mode 100755
index 0000000..b07f004
--- /dev/null
+++ b/apps/automation/scripts/compose.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Engine-agnostic compose wrapper. Resolves compose file relative to this script
+# so it works regardless of the caller's CWD.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+COMPOSE_FILE="$SCRIPT_DIR/../docker-compose.yml"
+
+resolve_engine() {
+  if command -v podman-compose >/dev/null 2>&1 && command -v podman >/dev/null 2>&1; then
+    echo "podman-compose"
+    return
+  fi
+  if command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
+    echo "docker compose"
+    return
+  fi
+  if command -v docker-compose >/dev/null 2>&1; then
+    echo "docker-compose"
+    return
+  fi
+  cat >&2 <<'EOF'
+Error: no compose engine found.
+
+Install one of:
+  - Docker Desktop (includes the "docker compose" v2 plugin)
+  - Podman + podman-compose:
+      pip install --user podman-compose
+EOF
+  exit 1
+}
+
+ENGINE="$(resolve_engine)"
+
+# shellcheck disable=SC2086
+exec $ENGINE -f "$COMPOSE_FILE" "$@"
diff --git a/apps/automation/scripts/export-workflows.mjs b/apps/automation/scripts/export-workflows.mjs
new file mode 100755
index 0000000..ddf7dd5
--- /dev/null
+++ b/apps/automation/scripts/export-workflows.mjs
@@ -0,0 +1,168 @@
+#!/usr/bin/env node
+// Export workflows from the local n8n instance into apps/automation/workflows/<slug>/workflow.json.
+// Strips instance-specific fields so diffs are clean. Preserves <slug>/README.md across re-exports.
+
+import {
+  readFileSync,
+  writeFileSync,
+  mkdirSync,
+  readdirSync,
+  rmSync,
+  existsSync,
+  statSync,
+} from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const AUTOMATION_ROOT = join(dirname(fileURLToPath(import.meta.url)), '..');
+const WORKFLOWS_DIR = join(AUTOMATION_ROOT, 'workflows');
+
+loadDotEnv(join(AUTOMATION_ROOT, '.env'));
+
+const N8N_URL = process.env.N8N_URL || 'http://localhost:5678';
+const API_KEY = process.env.N8N_API_KEY;
+
+if (!API_KEY) {
+  console.error('Error: N8N_API_KEY is not set in apps/automation/.env');
+  console.error(`Generate a key in the n8n UI: ${N8N_URL}/settings/api`);
+  process.exit(1);
+}
+
+const headers = {
+  'X-N8N-API-KEY': API_KEY,
+  Accept: 'application/json',
+};
+
+const STRIP_WORKFLOW_FIELDS = [
+  'id',
+  'versionId',
+  'createdAt',
+  'updatedAt',
+  'triggerCount',
+  'active',
+  'shared',
+  'meta',
+  'pinData',
+  'homeProject',
+  'scopes',
+  'isArchived',
+];
+const STRIP_TAG_FIELDS = ['id', 'createdAt', 'updatedAt'];
+
+function slugify(name) {
+  return (
+    name
+      .toLowerCase()
+      .replace(/[^a-z0-9]+/g, '-')
+      .replace(/^-+|-+$/g, '') || 'untitled'
+  );
+}
+
+function stripWorkflow(wf) {
+  const out = { ...wf };
+  for (const f of STRIP_WORKFLOW_FIELDS) delete out[f];
+  if (Array.isArray(out.tags)) {
+    out.tags = out.tags.map((t) => {
+      const copy = { ...t };
+      for (const f of STRIP_TAG_FIELDS) delete copy[f];
+      return copy;
+    });
+  }
+  return out;
+}
+
+async function listWorkflows() {
+  const all = [];
+  let cursor;
+  do {
+    const url = new URL(`${N8N_URL}/api/v1/workflows`);
+    url.searchParams.set('limit', '100');
+    if (cursor) url.searchParams.set('cursor', cursor);
+    const r = await fetch(url, { headers });
+    if (!r.ok) {
+      throw new Error(`List workflows failed: ${r.status} ${await r.text()}`);
+    }
+    const body = await r.json();
+    all.push(...(body.data ?? []));
+    cursor = body.nextCursor;
+  } while (cursor);
+  return all;
+}
+
+async function getWorkflow(id) {
+  const r = await fetch(`${N8N_URL}/api/v1/workflows/${id}`, { headers });
+  if (!r.ok) {
+    throw new Error(`Get workflow ${id} failed: ${r.status} ${await r.text()}`);
+  }
+  return r.json();
+}
+
+function loadDotEnv(path) {
+  if (!existsSync(path)) return;
+  for (const line of readFileSync(path, 'utf8').split('\n')) {
+    const m = line.match(/^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$/);
+    if (!m) continue;
+    const val = m[2].replace(/^["']|["']$/g, '');
+    if (!(m[1] in process.env)) process.env[m[1]] = val;
+  }
+}
+
+async function main() {
+  mkdirSync(WORKFLOWS_DIR, { recursive: true });
+
+  console.log(`Fetching workflows from ${N8N_URL}...`);
+  const summaries = await listWorkflows();
+  console.log(`Found ${summaries.length} workflow(s).`);
+
+  const seenSlugs = new Set();
+  const livingSlugs = new Set();
+  let added = 0;
+  let updated = 0;
+
+  for (const summary of summaries) {
+    const wf = await getWorkflow(summary.id);
+    let slug = slugify(wf.name);
+    const base = slug;
+    let suffix = 1;
+    while (seenSlugs.has(slug)) slug = `${base}-${++suffix}`;
+    seenSlugs.add(slug);
+    livingSlugs.add(slug);
+
+    const dir = join(WORKFLOWS_DIR, slug);
+    mkdirSync(dir, { recursive: true });
+    const out = join(dir, 'workflow.json');
+    const existed = existsSync(out);
+    writeFileSync(out, `${JSON.stringify(stripWorkflow(wf), null, 2)}\n`);
+    if (existed) updated++;
+    else added++;
+    console.log(`  ${existed ? 'updated' : 'added  '}  ${slug}/workflow.json`);
+  }
+
+  let removed = 0;
+  let skippedWithNotes = 0;
+  if (existsSync(WORKFLOWS_DIR)) {
+    for (const entry of readdirSync(WORKFLOWS_DIR, { withFileTypes: true })) {
+      if (!entry.isDirectory()) continue;
+      if (livingSlugs.has(entry.name)) continue;
+      const dir = join(WORKFLOWS_DIR, entry.name);
+      const readmePath = join(dir, 'README.md');
+      if (existsSync(readmePath) && statSync(readmePath).size > 0) {
+        console.log(`  skipped  ${entry.name}/ (has README.md)`);
+        skippedWithNotes++;
+        continue;
+      }
+      rmSync(dir, { recursive: true, force: true });
+      console.log(`  removed  ${entry.name}/`);
+      removed++;
+    }
+  }
+
+  console.log(
+    `\nSummary: ${added} added, ${updated} updated, ${removed} removed, ${skippedWithNotes} skipped-with-notes.`
+  );
+}
+
+main().catch((e) => {
+  console.error(e.stack ?? e.message);
+  process.exit(1);
+});
diff --git a/apps/automation/scripts/import-workflows.mjs b/apps/automation/scripts/import-workflows.mjs
new file mode 100755
index 0000000..006aace
--- /dev/null
+++ b/apps/automation/scripts/import-workflows.mjs
@@ -0,0 +1,167 @@
+#!/usr/bin/env node
+// Import workflows from apps/automation/workflows/<slug>/workflow.json into the local n8n instance.
+// Creates new workflows or updates existing ones in place (matched by name). Always imports as inactive.
+
+import { readFileSync, readdirSync, existsSync } from 'node:fs';
+import { join, dirname } from 'node:path';
+import { fileURLToPath } from 'node:url';
+
+const AUTOMATION_ROOT = join(dirname(fileURLToPath(import.meta.url)), '..');
+const WORKFLOWS_DIR = join(AUTOMATION_ROOT, 'workflows');
+
+loadDotEnv(join(AUTOMATION_ROOT, '.env'));
+
+const N8N_URL = process.env.N8N_URL || 'http://localhost:5678';
+const API_KEY = process.env.N8N_API_KEY;
+
+if (!API_KEY) {
+  console.error('Error: N8N_API_KEY is not set in apps/automation/.env');
+  console.error(`Generate a key in the n8n UI: ${N8N_URL}/settings/api`);
+  process.exit(1);
+}
+
+const headers = {
+  'X-N8N-API-KEY': API_KEY,
+  Accept: 'application/json',
+  'Content-Type': 'application/json',
+};
+
+// n8n's workflow API accepts this whitelist. Tag associations are managed separately and skipped here.
+const ALLOWED_FIELDS = ['name', 'nodes', 'connections', 'settings', 'staticData'];
+
+function sanitizePayload(wf) {
+  const out = {};
+  for (const f of ALLOWED_FIELDS) {
+    if (wf[f] !== undefined) out[f] = wf[f];
+  }
+  // n8n requires a settings object even if empty.
+  if (!out.settings || typeof out.settings !== 'object') out.settings = {};
+  return out;
+}
+
+async function listWorkflows() {
+  const all = [];
+  let cursor;
+  do {
+    const url = new URL(`${N8N_URL}/api/v1/workflows`);
+    url.searchParams.set('limit', '100');
+    if (cursor) url.searchParams.set('cursor', cursor);
+    const r = await fetch(url, { headers });
+    if (!r.ok) {
+      throw new Error(`List workflows failed: ${r.status} ${await r.text()}`);
+    }
+    const body = await r.json();
+    all.push(...(body.data ?? []));
+    cursor = body.nextCursor;
+  } while (cursor);
+  return all;
+}
+
+async function createWorkflow(payload) {
+  const r = await fetch(`${N8N_URL}/api/v1/workflows`, {
+    method: 'POST',
+    headers,
+    body: JSON.stringify(payload),
+  });
+  if (!r.ok) throw new Error(`Create failed: ${r.status} ${await r.text()}`);
+  return r.json();
+}
+
+async function updateWorkflow(id, payload) {
+  const r = await fetch(`${N8N_URL}/api/v1/workflows/${id}`, {
+    method: 'PUT',
+    headers,
+    body: JSON.stringify(payload),
+  });
+  if (!r.ok) throw new Error(`Update ${id} failed: ${r.status} ${await r.text()}`);
+  return r.json();
+}
+
+function warnAboutCredentials(wf) {
+  for (const node of wf.nodes ?? []) {
+    if (!node.credentials) continue;
+    for (const [type, ref] of Object.entries(node.credentials)) {
+      const label = ref?.name || ref?.id || '(unknown)';
+      console.warn(
+        `    note: node "${node.name}" references credential "${label}" (${type}) — verify it exists in the instance`
+      );
+    }
+  }
+}
+
+function loadDotEnv(path) {
+  if (!existsSync(path)) return;
+  for (const line of readFileSync(path, 'utf8').split('\n')) {
+    const m = line.match(/^\s*([A-Z_][A-Z0-9_]*)\s*=\s*(.*?)\s*$/);
+    if (!m) continue;
+    const val = m[2].replace(/^["']|["']$/g, '');
+    if (!(m[1] in process.env)) process.env[m[1]] = val;
+  }
+}
+
+async function main() {
+  if (!existsSync(WORKFLOWS_DIR)) {
+    console.log(`No workflows/ directory at ${WORKFLOWS_DIR}. Nothing to import.`);
+    return;
+  }
+
+  const dirs = readdirSync(WORKFLOWS_DIR, { withFileTypes: true }).filter((e) => e.isDirectory());
+  if (dirs.length === 0) {
+    console.log('No workflow directories to import.');
+    return;
+  }
+
+  console.log(`Looking up existing workflows at ${N8N_URL}...`);
+  const existing = await listWorkflows();
+  const byName = new Map(existing.map((wf) => [wf.name, wf]));
+
+  let created = 0;
+  let updated = 0;
+  let failed = 0;
+
+  for (const entry of dirs) {
+    const path = join(WORKFLOWS_DIR, entry.name, 'workflow.json');
+    if (!existsSync(path)) continue;
+
+    let wf;
+    try {
+      wf = JSON.parse(readFileSync(path, 'utf8'));
+    } catch (e) {
+      console.error(`  failed   ${entry.name}/: parse error — ${e.message}`);
+      failed++;
+      continue;
+    }
+
+    const payload = sanitizePayload(wf);
+    if (!payload.name) {
+      console.error(`  failed   ${entry.name}/: workflow.json missing "name"`);
+      failed++;
+      continue;
+    }
+
+    try {
+      const match = byName.get(payload.name);
+      if (match) {
+        await updateWorkflow(match.id, payload);
+        console.log(`  updated  ${payload.name}`);
+        updated++;
+      } else {
+        await createWorkflow(payload);
+        console.log(`  created  ${payload.name}`);
+        created++;
+      }
+      warnAboutCredentials(wf);
+    } catch (e) {
+      console.error(`  failed   ${payload.name}: ${e.message}`);
+      failed++;
+    }
+  }
+
+  console.log(`\nSummary: ${created} created, ${updated} updated, ${failed} failed.`);
+  if (failed > 0) process.exit(1);
+}
+
+main().catch((e) => {
+  console.error(e.stack ?? e.message);
+  process.exit(1);
+});

From 64adb2b771dd6752cf54e35fe990fb21f64ae08c Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 09:44:15 -0700
Subject: [PATCH 04/26] docs(automation): document connecting Claude Code to
 the local n8n-mcp

Adds a README section covering both project-scoped (.mcp.json with
${MCP_AUTH_TOKEN} substitution) and user-scoped (claude mcp add without
--scope project) registration paths, plus a curl verification step. The
n8n-start skill now reminds the user about the registration step when the
mcp profile is brought up, and CLAUDE.md points at the new README section
from the skill index.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .claude/skills/n8n-start/SKILL.md |  7 ++++
 CLAUDE.md                         |  8 ++++
 apps/automation/README.md         | 68 +++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)

diff --git a/.claude/skills/n8n-start/SKILL.md b/.claude/skills/n8n-start/SKILL.md
index b9847a8..dc9cf14 100644
--- a/.claude/skills/n8n-start/SKILL.md
+++ b/.claude/skills/n8n-start/SKILL.md
@@ -46,3 +46,10 @@ Starts the n8n container(s) defined in `apps/automation/docker-compose.yml` via
 7. **Report URLs to the user:**
    - n8n UI: <http://localhost:5678>
    - n8n-mcp endpoint (if started): <http://localhost:3000/mcp>
+
+8. **If the `mcp` profile was started**, also remind the user that Claude Code must be registered against the MCP server to actually use it. Point them at the "Connecting Claude Code to the local n8n-mcp" section of `apps/automation/README.md`. The one-line summary:
+
+   - Project-scoped: `claude mcp add --scope project --transport http n8n-mcp http://localhost:3000/mcp --header "Authorization: Bearer \${MCP_AUTH_TOKEN}"` (writes `.mcp.json`; export `MCP_AUTH_TOKEN` before launching `claude`).
+   - User-scoped: same command without `--scope project` and with the literal token inlined.
+
+   Skip this reminder if the user has clearly registered it already (e.g. they're invoking an `n8n-*` tool and it's responding).
diff --git a/CLAUDE.md b/CLAUDE.md
index 9395bd0..86da6ca 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -36,6 +36,14 @@ See [`apps/automation/README.md`](apps/automation/README.md) for full setup.
 | `n8n-import` | Push every `workflows/<slug>/workflow.json` back into the local n8n instance. |
 | `n8n-workflow-builder` | Domain-expertise prompt for designing, building, and validating n8n workflows via `n8n-mcp` tools. Invoke whenever the user asks to build or modify a workflow. |
 
+### Connecting to n8n-mcp
+
+The `n8n-workflow-builder` skill assumes Claude Code is already connected to the local `n8n-mcp` server. If its tools are unavailable:
+
+1. Ensure the `mcp` profile is running: `pnpm --filter automation n8n:ps` should show `n8n-mcp` healthy.
+2. Register the MCP server with Claude Code. See **"Connecting Claude Code to the local n8n-mcp"** in [`apps/automation/README.md`](apps/automation/README.md) for the exact `claude mcp add` command and `.mcp.json` shape.
+3. Remember to `export MCP_AUTH_TOKEN=...` (from `apps/automation/.env`) in the shell that launches `claude`.
+
 ## Conventions
 
 - **`tmp/`** is gitignored local scratch (specs, plans, ad-hoc notes). Do not commit any content placed under `tmp/`.
diff --git a/apps/automation/README.md b/apps/automation/README.md
index 1ae0a75..b58ccb5 100644
--- a/apps/automation/README.md
+++ b/apps/automation/README.md
@@ -104,6 +104,74 @@ Several skills under `.claude/skills/` wrap this stack:
 - `n8n-export`, `n8n-import` — workflow sync
 - `n8n-workflow-builder` — domain-expertise prompt for building workflows via n8n-mcp tools
 
+### Connecting Claude Code to the local n8n-mcp
+
+Once `n8n-mcp` is running (the `mcp` profile is up), Claude Code can connect to it at:
+
+- **URL:** `http://localhost:3000/mcp`
+- **Auth:** `Authorization: Bearer <MCP_AUTH_TOKEN>` (the same value in `apps/automation/.env`)
+
+You only need to register the server **once** per scope. Pick one of the two approaches below.
+
+#### Option A — Register at the project scope (committed `.mcp.json`)
+
+Run this from the repo root:
+
+```bash
+claude mcp add --scope project --transport http n8n-mcp \
+  http://localhost:3000/mcp \
+  --header "Authorization: Bearer \${MCP_AUTH_TOKEN}"
+```
+
+This writes a `.mcp.json` file at the repo root that the whole team can share:
+
+```json
+{
+  "mcpServers": {
+    "n8n-mcp": {
+      "type": "http",
+      "url": "http://localhost:3000/mcp",
+      "headers": {
+        "Authorization": "Bearer ${MCP_AUTH_TOKEN}"
+      }
+    }
+  }
+}
+```
+
+The `${MCP_AUTH_TOKEN}` placeholder is resolved from your shell environment at launch time, so no secret is committed. **Before starting Claude Code**, export the token:
+
+```bash
+export MCP_AUTH_TOKEN="$(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
+claude
+```
+
+Gotchas:
+
+- If `MCP_AUTH_TOKEN` is unset when Claude Code parses `.mcp.json`, the config fails — there's no fallback. Export it (or use direnv / a shell alias) before launching `claude`.
+- Project-scoped servers require workspace-trust approval on first use; Claude Code will prompt.
+
+#### Option B — Register at the user scope (not in the repo)
+
+If you'd rather not commit `.mcp.json`, register the server for your user account only:
+
+```bash
+claude mcp add --transport http n8n-mcp \
+  http://localhost:3000/mcp \
+  --header "Authorization: Bearer $(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
+```
+
+This stores the server (including the literal token) in your user config, available across all projects. Nothing is written to the repo.
+
+#### Verify the connection
+
+From inside Claude Code, the `n8n-mcp` server should appear in `/mcp` status. You can also probe the endpoint directly:
+
+```bash
+curl -sf -H "Authorization: Bearer $MCP_AUTH_TOKEN" http://localhost:3000/health
+# → HTTP 200
+```
+
 ## Troubleshooting
 
 - **Port 5678 or 3000 already in use** — another container or process is bound. Stop it or edit the port mapping in `docker-compose.yml`.

From 7a3e25d6bdd8642c6b45323244dcf705e9a682ca Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 09:50:33 -0700
Subject: [PATCH 05/26] docs(automation): clarify three MCP registration scopes
 and fix markdown lint

Expands the "Connecting Claude Code to the local n8n-mcp" section to cover
all three scopes (local / user / project) with a decision table, not just
two. The prior write-up conflated local (default) with user scope. Also
notes that an already-running Claude Code session must be relaunched after
`claude mcp add` for the new server's tools to appear.

Incidentally fixes pre-existing markdown-lint warnings in the README
(bare URLs in the Ports table, missing blank lines around fenced code
blocks inside numbered-list steps, missing language hint on the workflow
tree diagram).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/automation/README.md | 74 ++++++++++++++++++++++++++++-----------
 1 file changed, 54 insertions(+), 20 deletions(-)

diff --git a/apps/automation/README.md b/apps/automation/README.md
index b58ccb5..81938d0 100644
--- a/apps/automation/README.md
+++ b/apps/automation/README.md
@@ -15,10 +15,10 @@ Node.js 20+ is required for the workflow export/import scripts (uses built-in `f
 
 ## Ports
 
-| Service   | Port  | URL                            |
-| --------- | ----- | ------------------------------ |
-| n8n       | 5678  | http://localhost:5678          |
-| n8n-mcp   | 3000  | http://localhost:3000/mcp      |
+| Service   | Port  | URL                              |
+| --------- | ----- | -------------------------------- |
+| n8n       | 5678  | <http://localhost:5678>          |
+| n8n-mcp   | 3000  | <http://localhost:3000/mcp>      |
 
 ## First-time setup
 
@@ -30,18 +30,23 @@ cp .env.example .env
 For n8n alone, the defaults in `.env` are fine. For **n8n-mcp** you'll also need:
 
 1. Generate an MCP auth token:
+
    ```bash
    openssl rand -hex 32
    ```
+
    Paste it into `.env` as `MCP_AUTH_TOKEN`.
 
 2. Start n8n first so you can create an n8n API key:
+
    ```bash
    pnpm --filter automation n8n:up
    ```
+
    Visit <http://localhost:5678>, create the owner account, then Settings → n8n API → create a new API key. Paste the value into `.env` as `N8N_API_KEY`.
 
 3. Bring up n8n-mcp:
+
    ```bash
    pnpm --filter automation n8n:up:mcp
    ```
@@ -65,7 +70,7 @@ Data persists in the `n8n_data` named volume across `down` / `up`. Volumes are o
 
 Workflows live under `workflows/<slug>/`:
 
-```
+```text
 workflows/
 └── my-workflow/
     ├── workflow.json   # Auto-managed by export/import
@@ -111,11 +116,39 @@ Once `n8n-mcp` is running (the `mcp` profile is up), Claude Code can connect to
 - **URL:** `http://localhost:3000/mcp`
 - **Auth:** `Authorization: Bearer <MCP_AUTH_TOKEN>` (the same value in `apps/automation/.env`)
 
-You only need to register the server **once** per scope. Pick one of the two approaches below.
+Register the server **once per scope** using `claude mcp add`. There are three scopes to choose from; pick the one that fits how broadly you want this server available.
+
+#### Which scope?
 
-#### Option A — Register at the project scope (committed `.mcp.json`)
+| Scope | Command flag | Stored in | Available from | Best when |
+| --- | --- | --- | --- | --- |
+| **local** (default) | *(no flag)* | your user config, keyed to this project path | this repo only | You want n8n-mcp to activate only when you're working in this repo and you don't need to share the config with others. |
+| **user** | `--scope user` | your user config | every project you open with `claude` | You plan to use n8n-mcp outside this repo too — e.g. wiring workflows from other codebases or ad-hoc sessions. |
+| **project** | `--scope project` | `.mcp.json` at the repo root (committed) | this repo, for every teammate who clones it | The team wants one shared config that travels with the repo. |
 
-Run this from the repo root:
+All three assume n8n-mcp is running at `http://localhost:3000/mcp` on the machine where Claude Code is running. If you need a different layout later, change the `url`.
+
+#### Local scope (project-specific, personal)
+
+```bash
+claude mcp add --transport http n8n-mcp \
+  http://localhost:3000/mcp \
+  --header "Authorization: Bearer $(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
+```
+
+The literal token is stored in your user config, attached to this project path. Nothing is written to the repo.
+
+#### User scope (available everywhere)
+
+```bash
+claude mcp add --scope user --transport http n8n-mcp \
+  http://localhost:3000/mcp \
+  --header "Authorization: Bearer $(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
+```
+
+Same storage mechanism as local, but the server is exposed in every project you open. You only need to re-run this if the token rotates.
+
+#### Project scope (committed, shared with the team)
 
 ```bash
 claude mcp add --scope project --transport http n8n-mcp \
@@ -123,7 +156,7 @@ claude mcp add --scope project --transport http n8n-mcp \
   --header "Authorization: Bearer \${MCP_AUTH_TOKEN}"
 ```
 
-This writes a `.mcp.json` file at the repo root that the whole team can share:
+This writes a `.mcp.json` at the repo root:
 
 ```json
 {
@@ -139,7 +172,7 @@ This writes a `.mcp.json` file at the repo root that the whole team can share:
 }
 ```
 
-The `${MCP_AUTH_TOKEN}` placeholder is resolved from your shell environment at launch time, so no secret is committed. **Before starting Claude Code**, export the token:
+`${MCP_AUTH_TOKEN}` is resolved from the shell environment at Claude Code launch, so the secret itself is never committed. Before starting `claude`:
 
 ```bash
 export MCP_AUTH_TOKEN="$(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
@@ -151,27 +184,28 @@ Gotchas:
 - If `MCP_AUTH_TOKEN` is unset when Claude Code parses `.mcp.json`, the config fails — there's no fallback. Export it (or use direnv / a shell alias) before launching `claude`.
 - Project-scoped servers require workspace-trust approval on first use; Claude Code will prompt.
 
-#### Option B — Register at the user scope (not in the repo)
+#### Verify the connection
 
-If you'd rather not commit `.mcp.json`, register the server for your user account only:
+After running `claude mcp add`, confirm the server is reachable:
 
 ```bash
-claude mcp add --transport http n8n-mcp \
-  http://localhost:3000/mcp \
-  --header "Authorization: Bearer $(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
+claude mcp list | grep n8n-mcp
+# → n8n-mcp: http://localhost:3000/mcp (HTTP) - ✓ Connected
 ```
 
-This stores the server (including the literal token) in your user config, available across all projects. Nothing is written to the repo.
-
-#### Verify the connection
-
-From inside Claude Code, the `n8n-mcp` server should appear in `/mcp` status. You can also probe the endpoint directly:
+You can also probe the endpoint directly:
 
 ```bash
 curl -sf -H "Authorization: Bearer $MCP_AUTH_TOKEN" http://localhost:3000/health
 # → HTTP 200
 ```
 
+#### Use the server in your current session
+
+`claude mcp add` writes the config, but an **already-running** Claude Code session only loads MCP servers at startup. After registering, exit and relaunch `claude` for the `n8n-mcp` tools to appear in the tool list.
+
+If you rotate `MCP_AUTH_TOKEN` in `.env`, also re-run `claude mcp add` (for local / user scope) or update your shell export (for project scope).
+
 ## Troubleshooting
 
 - **Port 5678 or 3000 already in use** — another container or process is bound. Stop it or edit the port mapping in `docker-compose.yml`.

From 5ce74e8cef31a13930ddf5ffae8166c4db1185c6 Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 10:12:14 -0700
Subject: [PATCH 06/26] chore(automation): keep workflows/ in git with .gitkeep

Ensures the workflows directory survives in version control when no
workflows are checked in yet, so the n8n-export / n8n-import skills
have a target path immediately after cloning.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/automation/workflows/.gitkeep | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 apps/automation/workflows/.gitkeep

diff --git a/apps/automation/workflows/.gitkeep b/apps/automation/workflows/.gitkeep
new file mode 100644
index 0000000..e69de29

From 6a47391035692d8282748b12062330506b65446d Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 10:37:16 -0700
Subject: [PATCH 07/26] feat(automation): draft n8n workflows for package
 review lifecycle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scaffolds six draft workflows covering the automation work tracked in
issues #12-#17, #21, #53, and #54. Everything is inactive by default —
they reference a Strapi email-template content-type (#53) and lifecycle
webhook endpoints that don't exist yet, so activation waits on Boaz's
CMS work landing.

- render-email (shared sub-workflow): fetches the template from Strapi
  by key, interpolates {{ variables }}, wraps in a branded HTML shell,
  and sends via SendGrid (community@strapi.io, separate key from #54).
  Other workflows call this rather than each handling SendGrid themselves.
- package-submission-received: #12 developer email + #16 Slack post
- package-approved: #14 developer email + #17 Slack post
- package-declined: #15 developer email with decline reason
- package-changes-requested: #13 developer email with reviewer feedback
- cleanup-new-label-after-60d: #21 daily cron that strips the 'is_new'
  label from packages older than 60 days

Webhook paths are namespaced under /strapi/* and expect header auth.
Env vars referenced: STRAPI_BASE_URL, STRAPI_API_TOKEN. Credentials for
SendGrid, Slack, and the webhook header need to be attached in the n8n
UI once the real deployment targets are picked.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../cleanup-new-label-after-60d/workflow.json | 221 ++++++++++++++
 .../workflows/package-approved/workflow.json  | 269 +++++++++++++++++
 .../package-changes-requested/workflow.json   | 200 +++++++++++++
 .../workflows/package-declined/workflow.json  | 188 ++++++++++++
 .../package-submission-received/workflow.json | 270 ++++++++++++++++++
 .../workflow.json                             | 192 +++++++++++++
 6 files changed, 1340 insertions(+)
 create mode 100644 apps/automation/workflows/cleanup-new-label-after-60d/workflow.json
 create mode 100644 apps/automation/workflows/package-approved/workflow.json
 create mode 100644 apps/automation/workflows/package-changes-requested/workflow.json
 create mode 100644 apps/automation/workflows/package-declined/workflow.json
 create mode 100644 apps/automation/workflows/package-submission-received/workflow.json
 create mode 100644 apps/automation/workflows/render-email-shared-sub-workflow/workflow.json

diff --git a/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json b/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json
new file mode 100644
index 0000000..288314f
--- /dev/null
+++ b/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json
@@ -0,0 +1,221 @@
+{
+  "name": "cleanup-new-label-after-60d",
+  "description": null,
+  "nodes": [
+    {
+      "id": "sched-1",
+      "name": "Daily at 03:00 UTC",
+      "type": "n8n-nodes-base.scheduleTrigger",
+      "typeVersion": 1.2,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "rule": {
+          "interval": [
+            {
+              "field": "cronExpression",
+              "expression": "0 3 * * *"
+            }
+          ]
+        }
+      },
+      "notes": "Runs once a day. Offset from package-info plugin's 02:00 stats sync so we don't hammer Strapi at the same time."
+    },
+    {
+      "id": "compute-cutoff-1",
+      "name": "Compute Cutoff Date",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "c1",
+              "name": "cutoff_iso",
+              "type": "string",
+              "value": "={{ $now.minus({days: 60}).toISO() }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      },
+      "notes": "60 days = 2 months per issue #21."
+    },
+    {
+      "id": "fetch-stale-1",
+      "name": "Fetch Stale 'New' Packages",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.4,
+      "position": [
+        680,
+        300
+      ],
+      "parameters": {
+        "method": "GET",
+        "url": "={{ $env.STRAPI_BASE_URL }}/api/packages",
+        "sendQuery": true,
+        "queryParameters": {
+          "parameters": [
+            {
+              "name": "filters[labels][is_new][$eq]",
+              "value": "true"
+            },
+            {
+              "name": "filters[publishedAt][$lt]",
+              "value": "={{ $json.cutoff_iso }}"
+            },
+            {
+              "name": "fields[0]",
+              "value": "id"
+            },
+            {
+              "name": "fields[1]",
+              "value": "name"
+            },
+            {
+              "name": "fields[2]",
+              "value": "publishedAt"
+            },
+            {
+              "name": "populate[labels]",
+              "value": "true"
+            },
+            {
+              "name": "pagination[limit]",
+              "value": "100"
+            }
+          ]
+        },
+        "sendHeaders": true,
+        "headerParameters": {
+          "parameters": [
+            {
+              "name": "Authorization",
+              "value": "=Bearer {{ $env.STRAPI_API_TOKEN }}"
+            }
+          ]
+        },
+        "options": {}
+      },
+      "retryOnFail": true,
+      "notes": "TODO: add pagination loop once we expect >100 stale packages. Depends on #21's 'is_new' field being added to the package 'labels' component (not yet present in the schema)."
+    },
+    {
+      "id": "split-1",
+      "name": "Split Into Items",
+      "type": "n8n-nodes-base.splitOut",
+      "typeVersion": 1,
+      "position": [
+        900,
+        300
+      ],
+      "parameters": {
+        "fieldToSplitOut": "data",
+        "options": {}
+      }
+    },
+    {
+      "id": "patch-1",
+      "name": "Strip 'is_new' Label",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.4,
+      "position": [
+        1120,
+        300
+      ],
+      "parameters": {
+        "method": "PUT",
+        "url": "={{ $env.STRAPI_BASE_URL }}/api/packages/{{ $json.id }}",
+        "sendHeaders": true,
+        "headerParameters": {
+          "parameters": [
+            {
+              "name": "Authorization",
+              "value": "=Bearer {{ $env.STRAPI_API_TOKEN }}"
+            },
+            {
+              "name": "Content-Type",
+              "value": "application/json"
+            }
+          ]
+        },
+        "sendBody": true,
+        "contentType": "json",
+        "jsonBody": "={\n  \"data\": {\n    \"labels\": {\n      \"is_new\": false\n    }\n  }\n}",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "onError": "continueRegularOutput",
+      "notes": "Continue on error so one bad entry doesn't block the rest of the batch."
+    }
+  ],
+  "connections": {
+    "Daily at 03:00 UTC": {
+      "main": [
+        [
+          {
+            "node": "Compute Cutoff Date",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Compute Cutoff Date": {
+      "main": [
+        [
+          {
+            "node": "Fetch Stale 'New' Packages",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Fetch Stale 'New' Packages": {
+      "main": [
+        [
+          {
+            "node": "Split Into Items",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Split Into Items": {
+      "main": [
+        [
+          {
+            "node": "Strip 'is_new' Label",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/package-approved/workflow.json b/apps/automation/workflows/package-approved/workflow.json
new file mode 100644
index 0000000..68b217c
--- /dev/null
+++ b/apps/automation/workflows/package-approved/workflow.json
@@ -0,0 +1,269 @@
+{
+  "name": "package-approved",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Package Approved",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/package-approved",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fires when BOTH business review AND security review reach 'approved'. Strapi lifecycle emits this on state-change transition. Expects body.entry { id, name, author { email, name }, slug }.",
+      "webhookId": "5b4adc60-df90-4ca1-aca8-c2ea4ca513d7"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_id",
+              "type": "string",
+              "value": "={{ $json.body.entry.id }}"
+            },
+            {
+              "id": "a2",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.name }}"
+            },
+            {
+              "id": "a3",
+              "name": "package_slug",
+              "type": "string",
+              "value": "={{ $json.body.entry.slug }}"
+            },
+            {
+              "id": "a4",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.email }}"
+            },
+            {
+              "id": "a5",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.name }}"
+            },
+            {
+              "id": "a6",
+              "name": "marketplace_link",
+              "type": "string",
+              "value": "=https://strapi.io/community/packages/{{ $json.body.entry.slug }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        200
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "plugin-approved"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, marketplace_link: $json.marketplace_link } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        200
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    },
+    {
+      "id": "build-slack-1",
+      "name": "Build Slack Message",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        400
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "s1",
+              "name": "text",
+              "type": "string",
+              "value": "=:white_check_mark: Package approved & published: *{{ $json.package_name }}* by {{ $json.author_name }}\nLive: {{ $json.marketplace_link }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "slack-1",
+      "name": "Notify #integration-marketplace",
+      "type": "n8n-nodes-base.slack",
+      "typeVersion": 2.4,
+      "position": [
+        900,
+        400
+      ],
+      "parameters": {
+        "resource": "message",
+        "operation": "post",
+        "select": "channel",
+        "channelId": {
+          "__rl": true,
+          "mode": "name",
+          "value": "integration-marketplace"
+        },
+        "text": "={{ $json.text }}",
+        "otherOptions": {}
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "webhookId": "8d87996f-de91-4a91-b61c-cefe6cc3bb1c"
+    }
+  ],
+  "connections": {
+    "Webhook: Package Approved": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          },
+          {
+            "node": "Build Slack Message",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Slack Message": {
+      "main": [
+        [
+          {
+            "node": "Notify #integration-marketplace",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/package-changes-requested/workflow.json b/apps/automation/workflows/package-changes-requested/workflow.json
new file mode 100644
index 0000000..34dcba1
--- /dev/null
+++ b/apps/automation/workflows/package-changes-requested/workflow.json
@@ -0,0 +1,200 @@
+{
+  "name": "package-changes-requested",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Changes Requested",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/package-changes-requested",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fires when business_review_state transitions to 'changes_requested'. Expects body.entry { id, name, author { email, name }, business_review_feedback }.",
+      "webhookId": "2f6e1cec-6e97-4e6d-b9f6-8b3fbda1e310"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_id",
+              "type": "string",
+              "value": "={{ $json.body.entry.id }}"
+            },
+            {
+              "id": "a2",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.name }}"
+            },
+            {
+              "id": "a3",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.email }}"
+            },
+            {
+              "id": "a4",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.name }}"
+            },
+            {
+              "id": "a5",
+              "name": "reviewer_feedback",
+              "type": "string",
+              "value": "={{ $json.body.entry.business_review_feedback }}"
+            },
+            {
+              "id": "a6",
+              "name": "dashboard_link",
+              "type": "string",
+              "value": "=https://strapi.io/community/admin/content-manager/collectionType/api::package.package/{{ $json.body.entry.id }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "plugin-changes-requested"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, reviewer_feedback: $json.reviewer_feedback, dashboard_link: $json.dashboard_link } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        300
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    }
+  ],
+  "connections": {
+    "Webhook: Changes Requested": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/package-declined/workflow.json b/apps/automation/workflows/package-declined/workflow.json
new file mode 100644
index 0000000..9cba072
--- /dev/null
+++ b/apps/automation/workflows/package-declined/workflow.json
@@ -0,0 +1,188 @@
+{
+  "name": "package-declined",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Package Declined",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/package-declined",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fires when business_review_state transitions to 'declined'. Expects body.entry { id, name, author { email, name }, business_review_feedback (decline reason) }.",
+      "webhookId": "37f3f735-2a1c-4c22-89e0-237bb2b5a245"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.name }}"
+            },
+            {
+              "id": "a2",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.email }}"
+            },
+            {
+              "id": "a3",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.name }}"
+            },
+            {
+              "id": "a4",
+              "name": "decline_reason",
+              "type": "string",
+              "value": "={{ $json.body.entry.business_review_feedback }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "plugin-declined"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, decline_reason: $json.decline_reason } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        300
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    }
+  ],
+  "connections": {
+    "Webhook: Package Declined": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/package-submission-received/workflow.json b/apps/automation/workflows/package-submission-received/workflow.json
new file mode 100644
index 0000000..5e12ad1
--- /dev/null
+++ b/apps/automation/workflows/package-submission-received/workflow.json
@@ -0,0 +1,270 @@
+{
+  "name": "package-submission-received",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Submission Received",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/package-submission-received",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fires from Strapi package.afterCreate lifecycle. Expects body.entry { id, name, git_repository, author { email, name } }. Requires header-auth credential in n8n.",
+      "webhookId": "e9741c13-e5b0-40a4-99a5-9a30031ea8a7"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_id",
+              "type": "string",
+              "value": "={{ $json.body.entry.id }}"
+            },
+            {
+              "id": "a2",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.name }}"
+            },
+            {
+              "id": "a3",
+              "name": "git_repository",
+              "type": "string",
+              "value": "={{ $json.body.entry.git_repository }}"
+            },
+            {
+              "id": "a4",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.email }}"
+            },
+            {
+              "id": "a5",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.entry.author.name }}"
+            },
+            {
+              "id": "a6",
+              "name": "dashboard_link",
+              "type": "string",
+              "value": "=https://strapi.io/community/admin/content-manager/collectionType/api::package.package/{{ $json.body.entry.id }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        200
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "plugin-submission-received"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, git_repository: $json.git_repository } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        200
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "Calls render-email sub-workflow. TODO when n8n UI available: bump to typeVersion 1.3 and use resourceMapper for typed inputs."
+    },
+    {
+      "id": "build-slack-1",
+      "name": "Build Slack Message",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        400
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "s1",
+              "name": "text",
+              "type": "string",
+              "value": "=:package: New package submission received: *{{ $json.package_name }}* by {{ $json.author_name }}\nRepo: {{ $json.git_repository }}\nReview: {{ $json.dashboard_link }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "slack-1",
+      "name": "Notify #integration-marketplace",
+      "type": "n8n-nodes-base.slack",
+      "typeVersion": 2.4,
+      "position": [
+        900,
+        400
+      ],
+      "parameters": {
+        "resource": "message",
+        "operation": "post",
+        "select": "channel",
+        "channelId": {
+          "__rl": true,
+          "mode": "name",
+          "value": "integration-marketplace"
+        },
+        "text": "={{ $json.text }}",
+        "otherOptions": {}
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "webhookId": "e70d036e-994f-4429-ab41-1c5e88539b7d"
+    }
+  ],
+  "connections": {
+    "Webhook: Submission Received": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          },
+          {
+            "node": "Build Slack Message",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Slack Message": {
+      "main": [
+        [
+          {
+            "node": "Notify #integration-marketplace",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json b/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json
new file mode 100644
index 0000000..d0d7bbb
--- /dev/null
+++ b/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json
@@ -0,0 +1,192 @@
+{
+  "name": "render-email (shared sub-workflow)",
+  "description": null,
+  "nodes": [
+    {
+      "id": "trig-1",
+      "name": "When Called by Another Workflow",
+      "type": "n8n-nodes-base.executeWorkflowTrigger",
+      "typeVersion": 1.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "inputSource": "passthrough",
+        "workflowInputs": {
+          "values": [
+            {
+              "name": "template_key",
+              "type": "string"
+            },
+            {
+              "name": "to_email",
+              "type": "string"
+            },
+            {
+              "name": "to_name",
+              "type": "string"
+            },
+            {
+              "name": "variables",
+              "type": "object"
+            }
+          ]
+        }
+      }
+    },
+    {
+      "id": "fetch-1",
+      "name": "Fetch Template From Strapi",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "method": "GET",
+        "url": "={{ $env.STRAPI_BASE_URL }}/api/email-templates",
+        "sendQuery": true,
+        "queryParameters": {
+          "parameters": [
+            {
+              "name": "filters[key][$eq]",
+              "value": "={{ $json.template_key }}"
+            },
+            {
+              "name": "pagination[limit]",
+              "value": "1"
+            }
+          ]
+        },
+        "sendHeaders": true,
+        "headerParameters": {
+          "parameters": [
+            {
+              "name": "Authorization",
+              "value": "=Bearer {{ $env.STRAPI_API_TOKEN }}"
+            }
+          ]
+        },
+        "options": {}
+      },
+      "retryOnFail": true,
+      "notes": "TODO: swap env-var auth for an n8n 'Strapi' credential once the CMS token is issued"
+    },
+    {
+      "id": "render-1",
+      "name": "Render Template",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        680,
+        300
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "const input = $('When Called by Another Workflow').first().json;\nconst response = $input.first().json;\nconst tpl = (response.data && response.data[0]) || null;\n\nif (!tpl) {\n  throw new Error(`No email-template found with key=${input.template_key}`);\n}\n\nconst attrs = tpl.attributes || tpl;\nconst vars = input.variables || {};\n\nfunction interpolate(str) {\n  if (typeof str !== 'string') return str;\n  return str.replace(/\\{\\{\\s*([\\w.]+)\\s*\\}\\}/g, (_, key) => {\n    const val = key.split('.').reduce((acc, k) => (acc == null ? undefined : acc[k]), vars);\n    return val == null ? '' : String(val);\n  });\n}\n\nreturn [{\n  json: {\n    to_email: input.to_email,\n    to_name: input.to_name,\n    subject: interpolate(attrs.subject),\n    body: interpolate(typeof attrs.body === 'string' ? attrs.body : JSON.stringify(attrs.body)),\n    from_name: attrs.from_name || 'Strapi Community',\n    reply_to: attrs.reply_to || null,\n    template_key: input.template_key,\n  },\n}];"
+      }
+    },
+    {
+      "id": "wrap-1",
+      "name": "Wrap In Branded Shell",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        900,
+        300
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "const item = $input.first().json;\n\nconst shell = `<!doctype html>\n<html>\n<body style=\"font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',sans-serif;color:#212134;max-width:600px;margin:0 auto;padding:24px;\">\n  <header style=\"border-bottom:1px solid #dcdce4;padding-bottom:16px;margin-bottom:24px;\">\n    <strong style=\"color:#4945ff;\">Strapi Community</strong>\n  </header>\n  <main>${item.body}</main>\n  <footer style=\"border-top:1px solid #dcdce4;margin-top:32px;padding-top:16px;font-size:12px;color:#666687;\">\n    You're receiving this because you interacted with the Strapi community hub.\n  </footer>\n</body>\n</html>`;\n\nreturn [{ json: { ...item, html_body: shell } }];"
+      }
+    },
+    {
+      "id": "send-1",
+      "name": "Send via SendGrid",
+      "type": "n8n-nodes-base.sendGrid",
+      "typeVersion": 1,
+      "position": [
+        1120,
+        300
+      ],
+      "parameters": {
+        "resource": "mail",
+        "operation": "send",
+        "fromEmail": "community@strapi.io",
+        "fromName": "={{ $json.from_name }}",
+        "toEmail": "={{ $json.to_email }}",
+        "subject": "={{ $json.subject }}",
+        "dynamicTemplate": false,
+        "contentType": "text/html",
+        "contentValue": "={{ $json.html_body }}",
+        "additionalFields": {
+          "replyToEmail": "={{ $json.reply_to }}"
+        }
+      },
+      "retryOnFail": true,
+      "notes": "Uses community@strapi.io sender. Requires SendGrid credential configured in n8n."
+    }
+  ],
+  "connections": {
+    "When Called by Another Workflow": {
+      "main": [
+        [
+          {
+            "node": "Fetch Template From Strapi",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Fetch Template From Strapi": {
+      "main": [
+        [
+          {
+            "node": "Render Template",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Render Template": {
+      "main": [
+        [
+          {
+            "node": "Wrap In Branded Shell",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Wrap In Branded Shell": {
+      "main": [
+        [
+          {
+            "node": "Send via SendGrid",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 2,
+  "tags": [],
+  "activeVersion": null
+}

From 2c1f7c5e0035a48204a98cefb9bb9b100e534e78 Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 10:54:06 -0700
Subject: [PATCH 08/26] feat(cms): email-template content-type + SendGrid
 provider
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses #53 and #54 — closing the Strapi-side dependencies for the
n8n package review automation workflows on feat/n8n-mcp-automation-setup.

- email-template content-type (collectionType, draftAndPublish: false)
  with key (uid), subject, body (richtext), description, from_name,
  reply_to. n8n workflows look up templates by key.
- Seeds four default templates on bootstrap if missing:
  plugin-submission-received, plugin-approved, plugin-declined,
  plugin-changes-requested. Uses `strapi.documents(...)` v5 API, skips
  existing rows so edits in the admin UI aren't clobbered.
- @strapi/provider-email-sendgrid added at the same experimental
  version as the rest of the Strapi catalog, wired through
  config/plugins.ts with SENDGRID_API_KEY / EMAIL_DEFAULT_FROM /
  EMAIL_DEFAULT_REPLY_TO env vars. Defaults the sender to
  community@strapi.io per the decided automation architecture.
- Automation emails continue to use a separate SendGrid key configured
  in n8n — native Strapi emails (password resets, admin invites) use
  the key wired here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/cms/.env.example                         |  9 +-
 apps/cms/config/plugins.ts                    | 12 +++
 apps/cms/package.json                         |  1 +
 .../content-types/email-template/schema.json  | 36 ++++++++
 .../controllers/email-template.ts             |  5 +
 .../email-template/routes/email-template.ts   |  3 +
 .../email-template/services/email-template.ts |  5 +
 apps/cms/src/index.ts                         | 20 +---
 apps/cms/src/seed/email-templates.ts          | 91 +++++++++++++++++++
 apps/cms/types/generated/contentTypes.d.ts    | 36 ++++++++
 pnpm-workspace.yaml                           |  1 +
 11 files changed, 203 insertions(+), 16 deletions(-)
 create mode 100644 apps/cms/src/api/email-template/content-types/email-template/schema.json
 create mode 100644 apps/cms/src/api/email-template/controllers/email-template.ts
 create mode 100644 apps/cms/src/api/email-template/routes/email-template.ts
 create mode 100644 apps/cms/src/api/email-template/services/email-template.ts
 create mode 100644 apps/cms/src/seed/email-templates.ts

diff --git a/apps/cms/.env.example b/apps/cms/.env.example
index 1ed561b..6655310 100644
--- a/apps/cms/.env.example
+++ b/apps/cms/.env.example
@@ -36,4 +36,11 @@ ENABLE_MIGRATION=false
 
 GITHUB_ACCESS_TOKEN=tobemodified
 
-SCREENSHOTONE_KEY=tobemodified
\ No newline at end of file
+SCREENSHOTONE_KEY=tobemodified
+
+# SendGrid — used for Strapi-native emails (password resets, admin invites).
+# Automation emails (submission received, approved, etc.) run through n8n with
+# a separate SendGrid key. See github.com/strapi/community/issues/54.
+SENDGRID_API_KEY=
+EMAIL_DEFAULT_FROM=community@strapi.io
+EMAIL_DEFAULT_REPLY_TO=community@strapi.io
diff --git a/apps/cms/config/plugins.ts b/apps/cms/config/plugins.ts
index d6c05aa..fd0b446 100644
--- a/apps/cms/config/plugins.ts
+++ b/apps/cms/config/plugins.ts
@@ -26,6 +26,18 @@ export default ({ env }) => ({
       },
     },
   },
+  email: {
+    config: {
+      provider: "sendgrid",
+      providerOptions: {
+        apiKey: env("SENDGRID_API_KEY"),
+      },
+      settings: {
+        defaultFrom: env("EMAIL_DEFAULT_FROM", "community@strapi.io"),
+        defaultReplyTo: env("EMAIL_DEFAULT_REPLY_TO", "community@strapi.io"),
+      },
+    },
+  },
   "owner-selector": {
     enabled: true,
     resolve: "./src/plugins/owner-selector",
diff --git a/apps/cms/package.json b/apps/cms/package.json
index 6e2c562..52dce36 100644
--- a/apps/cms/package.json
+++ b/apps/cms/package.json
@@ -27,6 +27,7 @@
     "@strapi/design-system": "^2.0.0",
     "@strapi/icons": "^2.0.0",
     "@strapi/plugin-cloud": "catalog:strapi",
+    "@strapi/provider-email-sendgrid": "catalog:strapi",
     "@strapi/strapi": "catalog:strapi",
     "@strapi/types": "catalog:strapi",
     "@strapi/typescript-utils": "catalog:strapi",
diff --git a/apps/cms/src/api/email-template/content-types/email-template/schema.json b/apps/cms/src/api/email-template/content-types/email-template/schema.json
new file mode 100644
index 0000000..e996da0
--- /dev/null
+++ b/apps/cms/src/api/email-template/content-types/email-template/schema.json
@@ -0,0 +1,36 @@
+{
+  "kind": "collectionType",
+  "collectionName": "email_templates",
+  "info": {
+    "singularName": "email-template",
+    "pluralName": "email-templates",
+    "displayName": "Email Templates",
+    "description": "Templates rendered by n8n automation workflows (submission received, approved, declined, changes requested)."
+  },
+  "options": {
+    "draftAndPublish": false
+  },
+  "attributes": {
+    "key": {
+      "type": "uid",
+      "required": true
+    },
+    "subject": {
+      "type": "string",
+      "required": true
+    },
+    "body": {
+      "type": "richtext",
+      "required": true
+    },
+    "description": {
+      "type": "text"
+    },
+    "from_name": {
+      "type": "string"
+    },
+    "reply_to": {
+      "type": "email"
+    }
+  }
+}
diff --git a/apps/cms/src/api/email-template/controllers/email-template.ts b/apps/cms/src/api/email-template/controllers/email-template.ts
new file mode 100644
index 0000000..c726904
--- /dev/null
+++ b/apps/cms/src/api/email-template/controllers/email-template.ts
@@ -0,0 +1,5 @@
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreController(
+  "api::email-template.email-template",
+);
diff --git a/apps/cms/src/api/email-template/routes/email-template.ts b/apps/cms/src/api/email-template/routes/email-template.ts
new file mode 100644
index 0000000..4304d5f
--- /dev/null
+++ b/apps/cms/src/api/email-template/routes/email-template.ts
@@ -0,0 +1,3 @@
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreRouter("api::email-template.email-template");
diff --git a/apps/cms/src/api/email-template/services/email-template.ts b/apps/cms/src/api/email-template/services/email-template.ts
new file mode 100644
index 0000000..193130d
--- /dev/null
+++ b/apps/cms/src/api/email-template/services/email-template.ts
@@ -0,0 +1,5 @@
+import { factories } from "@strapi/strapi";
+
+export default factories.createCoreService(
+  "api::email-template.email-template",
+);
diff --git a/apps/cms/src/index.ts b/apps/cms/src/index.ts
index b1707cf..730e201 100644
--- a/apps/cms/src/index.ts
+++ b/apps/cms/src/index.ts
@@ -1,27 +1,17 @@
-// import type { Core } from '@strapi/strapi';
+import type { Core } from "@strapi/strapi";
 import { migrateIntegrations } from "./migration/integrations";
 import { migratePartners } from "./migration/partners";
 import { migratePlugins } from "./migration/plugins";
 import { migrateProviders } from "./migration/providers";
 import { migrateShowcases } from "./migration/showcases";
+import { seedEmailTemplates } from "./seed/email-templates";
 
 export default {
-  /**
-   * An asynchronous register function that runs before
-   * your application is initialized.
-   *
-   * This gives you an opportunity to extend code.
-   */
   register(/* { strapi }: { strapi: Core.Strapi } */) {},
 
-  /**
-   * An asynchronous bootstrap function that runs before
-   * your application gets started.
-   *
-   * This gives you an opportunity to set up your data model,
-   * run jobs, or perform some special logic.
-   */
-  async bootstrap(/* { strapi }: { strapi: Core.Strapi } */) {
+  async bootstrap({ strapi }: { strapi: Core.Strapi }) {
+    await seedEmailTemplates(strapi);
+
     if (process.env.ENABLE_MIGRATION !== "true") {
       return;
     }
diff --git a/apps/cms/src/seed/email-templates.ts b/apps/cms/src/seed/email-templates.ts
new file mode 100644
index 0000000..f9094d9
--- /dev/null
+++ b/apps/cms/src/seed/email-templates.ts
@@ -0,0 +1,91 @@
+import type { Core } from "@strapi/strapi";
+
+type SeedTemplate = {
+  key: string;
+  subject: string;
+  body: string;
+  description: string;
+  from_name?: string;
+  reply_to?: string;
+};
+
+const seeds: SeedTemplate[] = [
+  {
+    key: "plugin-submission-received",
+    subject: "We've received your submission: {{ package_name }}",
+    description:
+      "Sent by n8n when a package is submitted to the community marketplace. Variables: package_name, author_name, git_repository.",
+    body: `Hi {{ author_name }},
+
+Thanks for submitting **{{ package_name }}** to the Strapi community marketplace.
+
+We've received your submission ({{ git_repository }}) and it's now queued for business and security review. You'll hear from us once both reviews complete — typically within a few business days.
+
+In the meantime, you can keep iterating on the repository; the review looks at the current \`main\`/default branch.
+
+— The Strapi Community team`,
+  },
+  {
+    key: "plugin-approved",
+    subject: "Your plugin is live: {{ package_name }}",
+    description:
+      "Sent by n8n when both business and security review reach 'approved' and the package is published. Variables: package_name, author_name, marketplace_link.",
+    body: `Hi {{ author_name }},
+
+Good news — **{{ package_name }}** passed review and is now live on the Strapi community marketplace.
+
+View your listing: {{ marketplace_link }}
+
+Share it, celebrate, and thanks for contributing to the ecosystem.
+
+— The Strapi Community team`,
+  },
+  {
+    key: "plugin-declined",
+    subject: "Update on your submission: {{ package_name }}",
+    description:
+      "Sent by n8n when business review state becomes 'declined'. Variables: package_name, author_name, decline_reason.",
+    body: `Hi {{ author_name }},
+
+Thanks again for submitting **{{ package_name }}** to the Strapi community marketplace.
+
+After review we've decided not to list this plugin at this time. Here's the specific feedback from the reviewer:
+
+> {{ decline_reason }}
+
+If you'd like to discuss the decision or address the points raised, reply to this email and we'll be in touch.
+
+— The Strapi Community team`,
+  },
+  {
+    key: "plugin-changes-requested",
+    subject: "Changes requested for {{ package_name }}",
+    description:
+      "Sent by n8n when business review state becomes 'changes_requested'. Variables: package_name, author_name, reviewer_feedback, dashboard_link.",
+    body: `Hi {{ author_name }},
+
+Thanks for submitting **{{ package_name }}**. Before we can publish it, the reviewer has asked for a few changes:
+
+> {{ reviewer_feedback }}
+
+Once you've addressed the feedback, update the repository and we'll re-review. You can track status here: {{ dashboard_link }}
+
+— The Strapi Community team`,
+  },
+];
+
+export async function seedEmailTemplates(strapi: Core.Strapi): Promise<void> {
+  for (const seed of seeds) {
+    const existing = await strapi
+      .documents("api::email-template.email-template")
+      .findFirst({ filters: { key: seed.key } });
+
+    if (existing) continue;
+
+    await strapi
+      .documents("api::email-template.email-template")
+      .create({ data: seed });
+
+    strapi.log.info(`[seed] Created email template: ${seed.key}`);
+  }
+}
diff --git a/apps/cms/types/generated/contentTypes.d.ts b/apps/cms/types/generated/contentTypes.d.ts
index 424dfa5..a172e64 100644
--- a/apps/cms/types/generated/contentTypes.d.ts
+++ b/apps/cms/types/generated/contentTypes.d.ts
@@ -531,6 +531,41 @@ export interface ApiCtaCta extends Struct.CollectionTypeSchema {
   };
 }
 
+export interface ApiEmailTemplateEmailTemplate
+  extends Struct.CollectionTypeSchema {
+  collectionName: 'email_templates';
+  info: {
+    description: 'Templates rendered by n8n automation workflows (submission received, approved, declined, changes requested).';
+    displayName: 'Email Templates';
+    pluralName: 'email-templates';
+    singularName: 'email-template';
+  };
+  options: {
+    draftAndPublish: false;
+  };
+  attributes: {
+    body: Schema.Attribute.RichText & Schema.Attribute.Required;
+    createdAt: Schema.Attribute.DateTime;
+    createdBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
+      Schema.Attribute.Private;
+    description: Schema.Attribute.Text;
+    from_name: Schema.Attribute.String;
+    key: Schema.Attribute.UID & Schema.Attribute.Required;
+    locale: Schema.Attribute.String & Schema.Attribute.Private;
+    localizations: Schema.Attribute.Relation<
+      'oneToMany',
+      'api::email-template.email-template'
+    > &
+      Schema.Attribute.Private;
+    publishedAt: Schema.Attribute.DateTime;
+    reply_to: Schema.Attribute.Email;
+    subject: Schema.Attribute.String & Schema.Attribute.Required;
+    updatedAt: Schema.Attribute.DateTime;
+    updatedBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
+      Schema.Attribute.Private;
+  };
+}
+
 export interface ApiHomeHome extends Struct.SingleTypeSchema {
   collectionName: 'homes';
   info: {
@@ -2429,6 +2464,7 @@ declare module '@strapi/strapi' {
       'api::category.category': ApiCategoryCategory;
       'api::country.country': ApiCountryCountry;
       'api::cta.cta': ApiCtaCta;
+      'api::email-template.email-template': ApiEmailTemplateEmailTemplate;
       'api::home.home': ApiHomeHome;
       'api::integration-category.integration-category': ApiIntegrationCategoryIntegrationCategory;
       'api::integration.integration': ApiIntegrationIntegration;
diff --git a/pnpm-workspace.yaml b/pnpm-workspace.yaml
index e01b5e7..6fb5ab3 100644
--- a/pnpm-workspace.yaml
+++ b/pnpm-workspace.yaml
@@ -7,6 +7,7 @@ catalogs:
     better-auth: 1.6.9
   strapi:
     '@strapi/plugin-cloud': 5.45.0
+    '@strapi/provider-email-sendgrid': 5.45.0
     '@strapi/strapi': 5.45.0
     '@strapi/types': 5.45.0
     '@strapi/admin': 5.45.0

From dd756849393d6fb90432b4807e68e03c95b69c4b Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 10:59:27 -0700
Subject: [PATCH 09/26] =?UTF-8?q?fix(automation):=20move=20n8n-mcp=20host?=
 =?UTF-8?q?=20port=203000=20=E2=86=92=203100=20to=20free=20Next.js?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Next.js dev server defaults to :3000, which collides with the n8n-mcp
host mapping. Remap n8n-mcp to 3100 on the host; container-internal
port stays at 3000 so the image defaults are untouched.

Updates README, n8n-start skill, and n8n-status skill accordingly. Any
existing Claude Code MCP registration needs its URL updated from
http://localhost:3000/mcp → http://localhost:3100/mcp (remove the old
server, then re-register with the new URL).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .claude/skills/n8n-start/SKILL.md  |  4 ++--
 .claude/skills/n8n-status/SKILL.md |  2 +-
 apps/automation/README.md          | 20 ++++++++++----------
 apps/automation/docker-compose.yml |  2 +-
 4 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/.claude/skills/n8n-start/SKILL.md b/.claude/skills/n8n-start/SKILL.md
index dc9cf14..442d8d0 100644
--- a/.claude/skills/n8n-start/SKILL.md
+++ b/.claude/skills/n8n-start/SKILL.md
@@ -45,11 +45,11 @@ Starts the n8n container(s) defined in `apps/automation/docker-compose.yml` via
 
 7. **Report URLs to the user:**
    - n8n UI: <http://localhost:5678>
-   - n8n-mcp endpoint (if started): <http://localhost:3000/mcp>
+   - n8n-mcp endpoint (if started): <http://localhost:3100/mcp>
 
 8. **If the `mcp` profile was started**, also remind the user that Claude Code must be registered against the MCP server to actually use it. Point them at the "Connecting Claude Code to the local n8n-mcp" section of `apps/automation/README.md`. The one-line summary:
 
-   - Project-scoped: `claude mcp add --scope project --transport http n8n-mcp http://localhost:3000/mcp --header "Authorization: Bearer \${MCP_AUTH_TOKEN}"` (writes `.mcp.json`; export `MCP_AUTH_TOKEN` before launching `claude`).
+   - Project-scoped: `claude mcp add --scope project --transport http n8n-mcp http://localhost:3100/mcp --header "Authorization: Bearer \${MCP_AUTH_TOKEN}"` (writes `.mcp.json`; export `MCP_AUTH_TOKEN` before launching `claude`).
    - User-scoped: same command without `--scope project` and with the literal token inlined.
 
    Skip this reminder if the user has clearly registered it already (e.g. they're invoking an `n8n-*` tool and it's responding).
diff --git a/.claude/skills/n8n-status/SKILL.md b/.claude/skills/n8n-status/SKILL.md
index ddd9784..72ee7b2 100644
--- a/.claude/skills/n8n-status/SKILL.md
+++ b/.claude/skills/n8n-status/SKILL.md
@@ -22,7 +22,7 @@ Prints container status plus health probes for n8n and (if running) n8n-mcp.
 
 3. **Probe n8n-mcp health (only if its container is running):**
    ```bash
-   curl -sf -o /dev/null -w '%{http_code}\n' http://localhost:3000/health || echo 'unreachable'
+   curl -sf -o /dev/null -w '%{http_code}\n' http://localhost:3100/health || echo 'unreachable'
    ```
 
 4. **Summarize** per service in one line each:
diff --git a/apps/automation/README.md b/apps/automation/README.md
index 81938d0..8084b09 100644
--- a/apps/automation/README.md
+++ b/apps/automation/README.md
@@ -18,7 +18,7 @@ Node.js 20+ is required for the workflow export/import scripts (uses built-in `f
 | Service   | Port  | URL                              |
 | --------- | ----- | -------------------------------- |
 | n8n       | 5678  | <http://localhost:5678>          |
-| n8n-mcp   | 3000  | <http://localhost:3000/mcp>      |
+| n8n-mcp   | 3100  | <http://localhost:3100/mcp>      |
 
 ## First-time setup
 
@@ -113,7 +113,7 @@ Several skills under `.claude/skills/` wrap this stack:
 
 Once `n8n-mcp` is running (the `mcp` profile is up), Claude Code can connect to it at:
 
-- **URL:** `http://localhost:3000/mcp`
+- **URL:** `http://localhost:3100/mcp`
 - **Auth:** `Authorization: Bearer <MCP_AUTH_TOKEN>` (the same value in `apps/automation/.env`)
 
 Register the server **once per scope** using `claude mcp add`. There are three scopes to choose from; pick the one that fits how broadly you want this server available.
@@ -126,13 +126,13 @@ Register the server **once per scope** using `claude mcp add`. There are three s
 | **user** | `--scope user` | your user config | every project you open with `claude` | You plan to use n8n-mcp outside this repo too — e.g. wiring workflows from other codebases or ad-hoc sessions. |
 | **project** | `--scope project` | `.mcp.json` at the repo root (committed) | this repo, for every teammate who clones it | The team wants one shared config that travels with the repo. |
 
-All three assume n8n-mcp is running at `http://localhost:3000/mcp` on the machine where Claude Code is running. If you need a different layout later, change the `url`.
+All three assume n8n-mcp is running at `http://localhost:3100/mcp` on the machine where Claude Code is running. If you need a different layout later, change the `url`.
 
 #### Local scope (project-specific, personal)
 
 ```bash
 claude mcp add --transport http n8n-mcp \
-  http://localhost:3000/mcp \
+  http://localhost:3100/mcp \
   --header "Authorization: Bearer $(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
 ```
 
@@ -142,7 +142,7 @@ The literal token is stored in your user config, attached to this project path.
 
 ```bash
 claude mcp add --scope user --transport http n8n-mcp \
-  http://localhost:3000/mcp \
+  http://localhost:3100/mcp \
   --header "Authorization: Bearer $(grep '^MCP_AUTH_TOKEN=' apps/automation/.env | cut -d= -f2-)"
 ```
 
@@ -152,7 +152,7 @@ Same storage mechanism as local, but the server is exposed in every project you
 
 ```bash
 claude mcp add --scope project --transport http n8n-mcp \
-  http://localhost:3000/mcp \
+  http://localhost:3100/mcp \
   --header "Authorization: Bearer \${MCP_AUTH_TOKEN}"
 ```
 
@@ -163,7 +163,7 @@ This writes a `.mcp.json` at the repo root:
   "mcpServers": {
     "n8n-mcp": {
       "type": "http",
-      "url": "http://localhost:3000/mcp",
+      "url": "http://localhost:3100/mcp",
       "headers": {
         "Authorization": "Bearer ${MCP_AUTH_TOKEN}"
       }
@@ -190,13 +190,13 @@ After running `claude mcp add`, confirm the server is reachable:
 
 ```bash
 claude mcp list | grep n8n-mcp
-# → n8n-mcp: http://localhost:3000/mcp (HTTP) - ✓ Connected
+# → n8n-mcp: http://localhost:3100/mcp (HTTP) - ✓ Connected
 ```
 
 You can also probe the endpoint directly:
 
 ```bash
-curl -sf -H "Authorization: Bearer $MCP_AUTH_TOKEN" http://localhost:3000/health
+curl -sf -H "Authorization: Bearer $MCP_AUTH_TOKEN" http://localhost:3100/health
 # → HTTP 200
 ```
 
@@ -208,7 +208,7 @@ If you rotate `MCP_AUTH_TOKEN` in `.env`, also re-run `claude mcp add` (for loca
 
 ## Troubleshooting
 
-- **Port 5678 or 3000 already in use** — another container or process is bound. Stop it or edit the port mapping in `docker-compose.yml`.
+- **Port 5678 or 3100 already in use** — another container or process is bound. Stop it or edit the port mapping in `docker-compose.yml`. (n8n-mcp uses 3100 on the host to avoid clashing with the Next.js dev server on 3000.)
 - **n8n-mcp refuses to start** — check `MCP_AUTH_TOKEN` is at least 32 chars and `N8N_API_KEY` is set. Both are required for the `mcp` profile.
 - **`podman-compose` not found** — `pip install --user podman-compose`, then ensure `~/.local/bin` is on your `PATH`.
 - **Can't reach n8n from n8n-mcp** — n8n-mcp uses `http://n8n:5678` (service DNS inside the compose network). Don't set `N8N_API_URL` to `localhost` in `.env`; it's overridden in the compose file.
diff --git a/apps/automation/docker-compose.yml b/apps/automation/docker-compose.yml
index b52e943..b215aae 100644
--- a/apps/automation/docker-compose.yml
+++ b/apps/automation/docker-compose.yml
@@ -30,7 +30,7 @@ services:
       n8n:
         condition: service_healthy
     ports:
-      - "3000:3000"
+      - "3100:3000"
     environment:
       N8N_MODE: "true"
       MCP_MODE: http

From d777754178b338a6c14d2c3f2c0c241e34835ec9 Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 14:30:22 -0700
Subject: [PATCH 10/26] feat(cms/moderation): n8n-driven security scan +
 lifecycle webhooks

- Rename plugin-submission.npm_package_name -> package_location (URL; supports
  npm/packagist/pypi/rubygems/nuget), propagated through admin UI, service,
  promoteToPackage, automated checks, and generated types
- Add security_scan_* fields (status/started_at/run_at/dependencies/ai_analysis
  /summary) on both plugin-submission and template-submission; drop orphaned
  npm_advisories field (consolidated into OSV)
- New helper get-package-security-info.js reuses package-info registry extract
  functions to fetch deps/scripts/install-hooks/readme/declared-repo before
  firing the scan webhook (n8n does not duplicate registry lookups)
- New helper n8n-webhook.js centralises webhook URL construction from
  CLOUD_APP_URL (Strapi Cloud default) + N8N_WEBHOOK_MODE (production | test)
- Wire Alex's 7 lifecycle TODO markers: plugin-submission-received/approved/
  declined/changes-requested + template-submission-received/approved/declined
- New content-api routes per submission type: security-scan-result (write-back
  from n8n) + stale-scans (polled by the sweeper workflow)
- Delete security-checks.js; registry-based vuln scanning and AI analysis now
  run in n8n workflows
- Extend email-templates seed with 3 template-* entries; drop dashboard_link
  from developer-facing email bodies (admin URL is internal-only)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/cms/.env.example                         |  19 ++
 .../src/pages/SubmissionDetail/index.tsx      |   6 +-
 .../admin/src/pages/SubmissionList/index.tsx  |   6 +-
 .../plugin-submission/schema.json             |  25 +-
 .../template-submission/schema.json           |  20 ++
 .../server/controllers/plugin-submission.js   |  51 ++++
 .../server/controllers/template-submission.js |  50 ++++
 .../server/routes/plugin-submission.js        |  25 ++
 .../server/routes/template-submission.js      |  23 ++
 .../server/services/automated-checks.js       |  33 ++-
 .../services/get-package-security-info.js     | 167 +++++++++++++
 .../moderation/server/services/n8n-webhook.js |  95 +++++++
 .../server/services/plugin-submission.js      | 231 ++++++++++++++----
 .../server/services/security-checks.js        | 109 ---------
 .../server/services/template-submission.js    | 154 ++++++++++--
 apps/cms/src/seed/email-templates.ts          |  49 +++-
 apps/cms/types/generated/contentTypes.d.ts    |  20 +-
 17 files changed, 886 insertions(+), 197 deletions(-)
 create mode 100644 apps/cms/src/plugins/moderation/server/services/get-package-security-info.js
 create mode 100644 apps/cms/src/plugins/moderation/server/services/n8n-webhook.js
 delete mode 100644 apps/cms/src/plugins/moderation/server/services/security-checks.js

diff --git a/apps/cms/.env.example b/apps/cms/.env.example
index 6655310..b187bd6 100644
--- a/apps/cms/.env.example
+++ b/apps/cms/.env.example
@@ -1,5 +1,12 @@
 HOST=0.0.0.0
 PORT=1337
+
+# Public base URL of this Strapi instance (e.g. https://abc123.strapiapp.com).
+# On Strapi Cloud this is injected automatically as CLOUD_APP_URL — no action
+# needed. Used to build the `dashboard_link` field in lifecycle webhook payloads,
+# which is rendered into internal Slack messages to #integration-marketplace
+# only (reviewer-facing) — never in outbound emails to submitters.
+CLOUD_APP_URL=http://localhost:1337
 APP_KEYS="toBeModified1,toBeModified2"
 API_TOKEN_SALT=tobemodified
 ADMIN_JWT_SECRET=tobemodified
@@ -44,3 +51,15 @@ SCREENSHOTONE_KEY=tobemodified
 SENDGRID_API_KEY=
 EMAIL_DEFAULT_FROM=community@strapi.io
 EMAIL_DEFAULT_REPLY_TO=community@strapi.io
+
+# n8n webhook base URL + mode.
+# MODE=test uses n8n's test listener path (/webhook-test/...) which only fires
+#   while "Listen for test event" is open in the n8n UI. Use for local dev.
+# MODE=production uses the always-on path (/webhook/...). Use when the workflow
+#   is active on the target n8n instance.
+# All lifecycle + scan webhooks share this base + mode; paths are hardcoded per
+# webhook key in apps/cms/src/plugins/moderation/server/services/n8n-webhook.js.
+N8N_WEBHOOK_BASE_URL=http://localhost:5678
+N8N_WEBHOOK_MODE=production
+N8N_WEBHOOK_AUTH_HEADER=X-N8N-Auth
+N8N_WEBHOOK_AUTH_VALUE=
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
index cb48bda..697f7bb 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
@@ -28,7 +28,7 @@ interface AutomatedChecks {
 interface PluginSubmissionDetail {
   documentId: string;
   plugin_name: string;
-  npm_package_name: string | null;
+  package_location: string | null;
   description: string;
   repository_url: string;
   logo_url: string | null;
@@ -413,8 +413,8 @@ export const SubmissionDetail = () => {
                     />
                     <Divider />
                     <InfoRow
-                      label="NPM Package"
-                      value={submission.npm_package_name ?? "—"}
+                      label="Registry URL"
+                      value={submission.package_location ?? "—"}
                     />
                     <Divider />
                     <InfoRow
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
index 6e3ac96..0e74904 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
@@ -26,7 +26,7 @@ export type SubmissionStatus =
 export interface PluginSubmission {
   documentId: string;
   plugin_name: string;
-  npm_package_name: string | null;
+  package_location: string | null;
   repository_url: string;
   owner_name: string;
   owner_email: string;
@@ -237,9 +237,9 @@ export const SubmissionList = () => {
                       <Typography fontWeight="semiBold">
                         {s.plugin_name}
                       </Typography>
-                      {s.npm_package_name && (
+                      {s.package_location && (
                         <Typography variant="pi" textColor="neutral600">
-                          {s.npm_package_name}
+                          {s.package_location}
                         </Typography>
                       )}
                     </Flex>
diff --git a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
index f88a464..155492d 100644
--- a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
+++ b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
@@ -19,8 +19,9 @@
       "type": "string",
       "required": true
     },
-    "npm_package_name": {
-      "type": "string"
+    "package_location": {
+      "type": "string",
+      "description": "URL to the published package (npm / packagist / pypi / rubygems / nuget). Registry is inferred from the hostname at scan time. Optional — plugins without a published artifact are scanned from their source repo only."
     },
     "description": {
       "type": "text",
@@ -108,6 +109,26 @@
     "automated_check_results": {
       "type": "json"
     },
+    "security_scan_status": {
+      "type": "enumeration",
+      "enum": ["pending", "running", "completed", "failed"],
+      "default": "pending"
+    },
+    "security_scan_started_at": {
+      "type": "datetime"
+    },
+    "security_scan_run_at": {
+      "type": "datetime"
+    },
+    "security_scan_dependencies": {
+      "type": "json"
+    },
+    "security_scan_ai_analysis": {
+      "type": "json"
+    },
+    "security_scan_summary": {
+      "type": "json"
+    },
     "promoted_package": {
       "type": "relation",
       "relation": "oneToOne",
diff --git a/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
index 91824fa..aa336ec 100644
--- a/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
+++ b/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
@@ -56,6 +56,26 @@
     "submitter_ip": {
       "type": "string"
     },
+    "security_scan_status": {
+      "type": "enumeration",
+      "enum": ["pending", "running", "completed", "failed"],
+      "default": "pending"
+    },
+    "security_scan_started_at": {
+      "type": "datetime"
+    },
+    "security_scan_run_at": {
+      "type": "datetime"
+    },
+    "security_scan_dependencies": {
+      "type": "json"
+    },
+    "security_scan_ai_analysis": {
+      "type": "json"
+    },
+    "security_scan_summary": {
+      "type": "json"
+    },
     "overall_status": {
       "type": "enumeration",
       "enum": ["submitted", "approved", "rejected"],
diff --git a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
index e8f9b0e..95267a7 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
@@ -127,4 +127,55 @@ module.exports = ({ strapi }) => ({
       ctx.badRequest(err.message);
     }
   },
+
+  /**
+   * POST /moderation/submissions/:documentId/run-security-scan
+   * Manually trigger the n8n security-scan workflow for a submission (admin only).
+   * Manual rather than automatic on submit to avoid burning LLM spend on spam submissions.
+   */
+  async runSecurityScan(ctx) {
+    const { documentId } = ctx.params;
+    try {
+      const result = await service(strapi).triggerSecurityScan(documentId);
+      ctx.body = { data: result };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+
+  /**
+   * GET /api/moderation/plugin-submissions/stale-scans?cutoff=<ISO timestamp>
+   * Content-api + API-token: returns plugin submissions whose scan has been
+   * 'running' since before `cutoff`. Consumed by the n8n scan-timeout-sweeper.
+   */
+  async listStaleScans(ctx) {
+    const { cutoff } = ctx.query;
+    if (!cutoff) return ctx.badRequest("cutoff query param is required");
+    try {
+      const results = await service(strapi).listStaleScans({ cutoff });
+      ctx.body = { data: results };
+    } catch (err) {
+      ctx.internalServerError(err.message);
+    }
+  },
+
+  /**
+   * POST /api/moderation/plugin-submissions/:documentId/security-scan-result
+   * Called by n8n (with a Strapi API token) to write back per-stage scan results.
+   */
+  async updateSecurityScan(ctx) {
+    const { documentId } = ctx.params;
+    const body = ctx.request.body?.data || ctx.request.body;
+    const { stage, result, status } = body || {};
+
+    try {
+      const updated = await service(strapi).updateSecurityScanResult(
+        documentId,
+        { stage, result, status },
+      );
+      ctx.body = { data: updated };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
 });
diff --git a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js b/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
index 5ab6743..27e1c9e 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
@@ -115,4 +115,54 @@ module.exports = ({ strapi }) => ({
       ctx.badRequest(err.message);
     }
   },
+
+  /**
+   * POST /moderation/template-submissions/:documentId/run-security-scan
+   * Manually trigger the n8n security-scan workflow for a template submission (admin only).
+   */
+  async runSecurityScan(ctx) {
+    const { documentId } = ctx.params;
+    try {
+      const result = await service(strapi).triggerSecurityScan(documentId);
+      ctx.body = { data: result };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
+
+  /**
+   * GET /api/moderation/template-submissions/stale-scans?cutoff=<ISO timestamp>
+   * Content-api + API-token: returns template submissions whose scan has been
+   * 'running' since before `cutoff`. Consumed by the n8n scan-timeout-sweeper.
+   */
+  async listStaleScans(ctx) {
+    const { cutoff } = ctx.query;
+    if (!cutoff) return ctx.badRequest("cutoff query param is required");
+    try {
+      const results = await service(strapi).listStaleScans({ cutoff });
+      ctx.body = { data: results };
+    } catch (err) {
+      ctx.internalServerError(err.message);
+    }
+  },
+
+  /**
+   * POST /api/moderation/template-submissions/:documentId/security-scan-result
+   * Called by n8n (with a Strapi API token) to write back per-stage scan results.
+   */
+  async updateSecurityScan(ctx) {
+    const { documentId } = ctx.params;
+    const body = ctx.request.body?.data || ctx.request.body;
+    const { stage, result, status } = body || {};
+
+    try {
+      const updated = await service(strapi).updateSecurityScanResult(
+        documentId,
+        { stage, result, status },
+      );
+      ctx.body = { data: updated };
+    } catch (err) {
+      ctx.badRequest(err.message);
+    }
+  },
 });
diff --git a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
index ccca2cf..5399314 100644
--- a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
@@ -13,6 +13,25 @@ module.exports = {
           policies: [],
         },
       },
+      {
+        method: "POST",
+        path: "/plugin-submissions/:documentId/security-scan-result",
+        handler: "plugin-submission.updateSecurityScan",
+        config: {
+          // Called by n8n over the public API using a Strapi API token.
+          // Strapi's content-api token middleware enforces the token.
+          policies: [],
+        },
+      },
+      {
+        method: "GET",
+        path: "/plugin-submissions/stale-scans",
+        handler: "plugin-submission.listStaleScans",
+        config: {
+          // Called by the scan-timeout-sweeper n8n workflow over API token.
+          policies: [],
+        },
+      },
     ],
   },
   admin: {
@@ -48,6 +67,12 @@ module.exports = {
         handler: "plugin-submission.decide",
         config: { policies: [] },
       },
+      {
+        method: "POST",
+        path: "/submissions/:documentId/run-security-scan",
+        handler: "plugin-submission.runSecurityScan",
+        config: { policies: [] },
+      },
     ],
   },
 };
diff --git a/apps/cms/src/plugins/moderation/server/routes/template-submission.js b/apps/cms/src/plugins/moderation/server/routes/template-submission.js
index f2bc665..169a8bc 100644
--- a/apps/cms/src/plugins/moderation/server/routes/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/routes/template-submission.js
@@ -13,6 +13,23 @@ module.exports = {
           policies: [],
         },
       },
+      {
+        method: "POST",
+        path: "/template-submissions/:documentId/security-scan-result",
+        handler: "template-submission.updateSecurityScan",
+        config: {
+          // Called by n8n over the public API using a Strapi API token.
+          policies: [],
+        },
+      },
+      {
+        method: "GET",
+        path: "/template-submissions/stale-scans",
+        handler: "template-submission.listStaleScans",
+        config: {
+          policies: [],
+        },
+      },
     ],
   },
   admin: {
@@ -42,6 +59,12 @@ module.exports = {
         handler: "template-submission.decide",
         config: { policies: [] },
       },
+      {
+        method: "POST",
+        path: "/template-submissions/:documentId/run-security-scan",
+        handler: "template-submission.runSecurityScan",
+        config: { policies: [] },
+      },
     ],
   },
 };
diff --git a/apps/cms/src/plugins/moderation/server/services/automated-checks.js b/apps/cms/src/plugins/moderation/server/services/automated-checks.js
index 25b8413..c71f201 100644
--- a/apps/cms/src/plugins/moderation/server/services/automated-checks.js
+++ b/apps/cms/src/plugins/moderation/server/services/automated-checks.js
@@ -5,6 +5,10 @@
  * all check functions dispatch to the right API internally.
  *
  * Results are stored as JSON on the submission record in automated_check_results.
+ *
+ * `package_location` is a URL to the published package (npm / packagist / etc.).
+ * Registry fallback lookups (for license / peer-dep checks) are npm-only for now;
+ * when the URL is not an npm URL the fallback is skipped and the repo check stands alone.
  */
 
 // ---------------------------------------------------------------------------
@@ -258,6 +262,28 @@ async function fetchPackageJson(info) {
   return null;
 }
 
+// ---------------------------------------------------------------------------
+// package_location URL → npm name (used for registry fallback lookups below).
+// Returns null for non-npm URLs; caller falls back to repo-only checks.
+// ---------------------------------------------------------------------------
+
+function extractNpmNameFromLocation(packageLocation) {
+  if (!packageLocation) return null;
+  let href = packageLocation.toString().trim();
+  if (!/^https?:\/\//i.test(href)) href = `https://${href}`;
+  let url;
+  try {
+    url = new URL(href);
+  } catch {
+    return null;
+  }
+  if (url.hostname.replace(/^www\./i, "").toLowerCase() !== "npmjs.com") {
+    return null;
+  }
+  const match = url.pathname.match(/^\/package\/(@[^/]+\/[^/]+|[^/]+)/);
+  return match?.[1] ?? null;
+}
+
 // ---------------------------------------------------------------------------
 // Check: MIT license
 // ---------------------------------------------------------------------------
@@ -345,13 +371,14 @@ async function checkStrapiPeerDep(gitRepository, npmPackageName) {
 // Main entry point
 // ---------------------------------------------------------------------------
 
-async function runAutomatedChecks({ repository_url, npm_package_name }) {
+async function runAutomatedChecks({ repository_url, package_location }) {
+  const npmPackageName = extractNpmNameFromLocation(package_location);
   const [repoPublic, readmeExists, mitLicense, strapiPeerDep] =
     await Promise.allSettled([
       checkRepoPublic(repository_url),
       checkReadmeExists(repository_url),
-      checkMitLicense(repository_url, npm_package_name),
-      checkStrapiPeerDep(repository_url, npm_package_name),
+      checkMitLicense(repository_url, npmPackageName),
+      checkStrapiPeerDep(repository_url, npmPackageName),
     ]);
 
   const resolve = (settled) =>
diff --git a/apps/cms/src/plugins/moderation/server/services/get-package-security-info.js b/apps/cms/src/plugins/moderation/server/services/get-package-security-info.js
new file mode 100644
index 0000000..e076565
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/get-package-security-info.js
@@ -0,0 +1,167 @@
+/**
+ * Security-focused registry metadata fetcher.
+ *
+ * The package-info plugin already detects registry + fetches basic info
+ * (version, downloads, description). This helper reuses its URL-extract
+ * patterns but returns the additional fields needed for security scanning:
+ * dependencies, scripts (especially install-time hooks), readme, declared
+ * repository, and dist/tarball info.
+ *
+ * Registry support:
+ *  - npm: fully implemented
+ *  - packagist / pypi / rubygems / nuget: stubbed (notImplemented: true);
+ *    downstream scan branches fall back to repo-only analysis.
+ */
+
+const {
+  extractNpmPackageName,
+} = require("../../../package-info/server/services/registries/npm");
+const {
+  extractPypiPackageName,
+} = require("../../../package-info/server/services/registries/pypi");
+const {
+  extractRubyGemsPackageName,
+} = require("../../../package-info/server/services/registries/rubygems");
+const {
+  extractPackagistPackageName,
+} = require("../../../package-info/server/services/registries/packagist");
+const {
+  extractNugetPackageName,
+} = require("../../../package-info/server/services/registries/nuget");
+
+const INSTALL_SCRIPT_KEYS = ["preinstall", "install", "postinstall"];
+
+function normalizeUrl(raw) {
+  if (!raw) return null;
+  let href = raw.toString().trim();
+  if (!/^https?:\/\//i.test(href)) href = `https://${href}`;
+  try {
+    return new URL(href);
+  } catch {
+    return null;
+  }
+}
+
+function detectRegistry(packageLocation) {
+  const url = normalizeUrl(packageLocation);
+  if (!url) return null;
+
+  const host = url.hostname.replace(/^www\./i, "").toLowerCase();
+  const path = url.pathname;
+
+  switch (host) {
+    case "npmjs.com": {
+      const name = extractNpmPackageName(path);
+      return name
+        ? { registry: "npm", packageName: name, ecosystem: "npm" }
+        : null;
+    }
+    case "pypi.org": {
+      const name = extractPypiPackageName(path);
+      return name
+        ? { registry: "pypi", packageName: name, ecosystem: "PyPI" }
+        : null;
+    }
+    case "rubygems.org": {
+      const name = extractRubyGemsPackageName(path);
+      return name
+        ? { registry: "rubygems", packageName: name, ecosystem: "RubyGems" }
+        : null;
+    }
+    case "packagist.org": {
+      const name = extractPackagistPackageName(path);
+      return name
+        ? { registry: "packagist", packageName: name, ecosystem: "Packagist" }
+        : null;
+    }
+    case "nuget.org": {
+      const name = extractNugetPackageName(path);
+      return name
+        ? { registry: "nuget", packageName: name, ecosystem: "NuGet" }
+        : null;
+    }
+    default:
+      return null;
+  }
+}
+
+async function fetchNpmSecurity(packageName) {
+  const res = await fetch(
+    `https://registry.npmjs.org/${encodeURIComponent(packageName)}`,
+    { headers: { Accept: "application/json" } },
+  );
+  if (!res.ok) {
+    return { available: false, reason: `npm registry returned ${res.status}` };
+  }
+  const data = await res.json();
+  const latestVersion = data["dist-tags"]?.latest;
+  const versionMeta = data.versions?.[latestVersion];
+  if (!versionMeta) {
+    return { available: false, reason: "npm package has no latest version" };
+  }
+
+  const scripts = versionMeta.scripts || {};
+  const installScripts = {};
+  for (const key of INSTALL_SCRIPT_KEYS) {
+    if (scripts[key]) installScripts[key] = scripts[key];
+  }
+
+  const declaredRepository =
+    typeof versionMeta.repository === "string"
+      ? versionMeta.repository
+      : versionMeta.repository?.url || null;
+
+  const readme =
+    (typeof data.readme === "string" && data.readme) ||
+    (typeof versionMeta.readme === "string" && versionMeta.readme) ||
+    null;
+
+  return {
+    available: true,
+    version: latestVersion,
+    dependencies: versionMeta.dependencies || {},
+    peerDependencies: versionMeta.peerDependencies || {},
+    scripts,
+    installScripts,
+    declaredRepository,
+    readme,
+    dist: versionMeta.dist || null,
+  };
+}
+
+/**
+ * Fetch security-relevant registry metadata for a published package.
+ *
+ * @param {string} packageLocation  The URL captured on the submission (e.g. https://www.npmjs.com/package/foo).
+ * @returns {Promise<object|null>}  Null when the URL is not a supported registry or fails to resolve.
+ *   When the URL resolves but the registry isn't fully implemented yet, returns
+ *   `{ registry, packageName, ecosystem, available: false, notImplemented: true }`.
+ */
+async function getPackageSecurityInfo(packageLocation) {
+  const detected = detectRegistry(packageLocation);
+  if (!detected) return null;
+
+  try {
+    switch (detected.registry) {
+      case "npm": {
+        const info = await fetchNpmSecurity(detected.packageName);
+        return { ...detected, ...info };
+      }
+      default:
+        return {
+          ...detected,
+          available: false,
+          notImplemented: true,
+          reason: `Deep scan for ${detected.registry} is not yet implemented; falling back to repo-only analysis.`,
+        };
+    }
+  } catch (err) {
+    return {
+      ...detected,
+      available: false,
+      reason: `Fetch failed: ${err.message}`,
+    };
+  }
+}
+
+module.exports = { getPackageSecurityInfo, detectRegistry };
diff --git a/apps/cms/src/plugins/moderation/server/services/n8n-webhook.js b/apps/cms/src/plugins/moderation/server/services/n8n-webhook.js
new file mode 100644
index 0000000..2a3460f
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/services/n8n-webhook.js
@@ -0,0 +1,95 @@
+/**
+ * n8n webhook helper.
+ *
+ * Centralises URL construction + POST mechanics for every lifecycle event the
+ * moderation plugin emits into n8n. Flipping `N8N_WEBHOOK_MODE` between
+ * `production` and `test` toggles all webhooks between n8n's always-on prod URL
+ * (`/webhook/<path>`) and the developer-only test URL (`/webhook-test/<path>`,
+ * active only while "Listen for test event" is open in the n8n UI).
+ *
+ * Failures are logged and surfaced via the returned object — NOT thrown — so
+ * callers can decide whether a lifecycle webhook failure should block the user's
+ * action (security-scan does block) or be fire-and-forget (notifications don't).
+ */
+
+/**
+ * Registry of webhook keys → n8n webhook paths.
+ * Keep paths aligned with the `path` parameter on each workflow's Webhook node
+ * under apps/automation/workflows/{slug}/workflow.json.
+ */
+const WEBHOOK_PATHS = {
+  "security-scan": "strapi/security-scan",
+  "plugin-submission-received": "strapi/plugin-submission-received",
+  "plugin-approved": "strapi/plugin-approved",
+  "plugin-declined": "strapi/plugin-declined",
+  "plugin-changes-requested": "strapi/plugin-changes-requested",
+  "template-submission-received": "strapi/template-submission-received",
+  "template-approved": "strapi/template-approved",
+  "template-declined": "strapi/template-declined",
+};
+
+function getWebhookUrl(key) {
+  const base = process.env.N8N_WEBHOOK_BASE_URL;
+  const mode = (process.env.N8N_WEBHOOK_MODE || "production").toLowerCase();
+  const path = WEBHOOK_PATHS[key];
+
+  if (!base) {
+    throw new Error(
+      "N8N_WEBHOOK_BASE_URL is not configured; cannot call n8n webhooks.",
+    );
+  }
+  if (!path) {
+    throw new Error(
+      `Unknown webhook key '${key}'. Known keys: ${Object.keys(WEBHOOK_PATHS).join(", ")}.`,
+    );
+  }
+  if (mode !== "production" && mode !== "test") {
+    throw new Error(
+      `Invalid N8N_WEBHOOK_MODE '${mode}'. Must be 'production' or 'test'.`,
+    );
+  }
+
+  const prefix = mode === "test" ? "webhook-test" : "webhook";
+  return `${base.replace(/\/$/, "")}/${prefix}/${path}`;
+}
+
+/**
+ * POST a payload to the named n8n webhook. Returns `{ ok, url, error? }` —
+ * never throws, so callers control failure behaviour.
+ */
+async function triggerN8nWebhook(key, payload, { strapi } = {}) {
+  let url;
+  try {
+    url = getWebhookUrl(key);
+  } catch (err) {
+    strapi?.log?.warn?.(`[moderation] ${err.message}`);
+    return { ok: false, error: err.message };
+  }
+
+  const authHeader = process.env.N8N_WEBHOOK_AUTH_HEADER || "X-N8N-Auth";
+  const authValue = process.env.N8N_WEBHOOK_AUTH_VALUE;
+
+  try {
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        ...(authValue ? { [authHeader]: authValue } : {}),
+      },
+      body: JSON.stringify(payload),
+    });
+    if (!res.ok) {
+      const body = await res.text().catch(() => "");
+      const error = `n8n webhook '${key}' returned ${res.status}${body ? `: ${body.slice(0, 200)}` : ""}`;
+      strapi?.log?.warn?.(`[moderation] ${error}`);
+      return { ok: false, url, error };
+    }
+    return { ok: true, url };
+  } catch (err) {
+    const error = `n8n webhook '${key}' fetch failed: ${err.message}`;
+    strapi?.log?.warn?.(`[moderation] ${error}`);
+    return { ok: false, url, error };
+  }
+}
+
+module.exports = { triggerN8nWebhook, getWebhookUrl, WEBHOOK_PATHS };
diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
index 68beab5..067d209 100644
--- a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
@@ -12,10 +12,41 @@
  */
 
 const { runAutomatedChecks } = require("./automated-checks");
-const { runSecurityChecks } = require("./security-checks");
+const { getPackageSecurityInfo } = require("./get-package-security-info");
+const { triggerN8nWebhook } = require("./n8n-webhook");
 
 const CONTENT_TYPE = "plugin::moderation.plugin-submission";
 
+/**
+ * Build the standard payload sent to every plugin-* lifecycle webhook.
+ * Centralised so n8n workflows can rely on a stable shape across events.
+ *
+ * `dashboard_link` is the absolute URL to the submission in the Strapi admin.
+ * Only used in INTERNAL Slack messages (#integration-marketplace) — never in
+ * outbound emails to submitters. Base URL comes from CLOUD_APP_URL, which
+ * Strapi Cloud injects automatically; dev falls back to localhost:1337.
+ */
+function buildLifecyclePayload(submission, extras = {}) {
+  const adminBase = (
+    process.env.CLOUD_APP_URL || "http://localhost:1337"
+  ).replace(/\/$/, "");
+  const adminPath = `/admin/plugins/moderation/submissions/${submission.documentId}`;
+  return {
+    submissionId: submission.documentId,
+    submission_kind: "plugin",
+    plugin_name: submission.plugin_name,
+    package_location: submission.package_location || null,
+    package_type: submission.package_type,
+    repository_url: submission.repository_url,
+    owner_name: submission.owner_name,
+    owner_email: submission.owner_email,
+    dashboard_link: `${adminBase}${adminPath}`,
+    ...extras,
+  };
+}
+
+const VALID_SCAN_STAGES = ["dependencies", "ai_analysis", "summary"];
+
 module.exports = ({ strapi }) => ({
   /**
    * Create a new submission and immediately kick off automated checks.
@@ -25,7 +56,7 @@ module.exports = ({ strapi }) => ({
     const submission = await strapi.documents(CONTENT_TYPE).create({
       data: {
         plugin_name: data.plugin_name,
-        npm_package_name: data.npm_package_name || null,
+        package_location: data.package_location || null,
         description: data.description,
         repository_url: data.repository_url,
         logo_url: data.logo_url || null,
@@ -49,55 +80,132 @@ module.exports = ({ strapi }) => ({
     // Results are saved back to the record once available.
     this.runChecksAsync(submission.documentId, {
       repository_url: data.repository_url,
-      npm_package_name: data.npm_package_name,
-      plugin_name: data.plugin_name,
+      package_location: data.package_location,
     }).catch((err) => {
       strapi.log.error(
         `[moderation] Async checks failed for submission ${submission.documentId}: ${err.message}`,
       );
     });
 
-    // TODO: Trigger n8n "submission received" workflow here.
-    // Example: await triggerN8nWorkflow('plugin-submission-received', { submissionId: submission.documentId });
+    // Fire-and-forget: notify n8n. A transient n8n failure must not block submission creation.
+    triggerN8nWebhook(
+      "plugin-submission-received",
+      buildLifecyclePayload(submission),
+      { strapi },
+    );
 
     return submission;
   },
 
   /**
-   * Run all automated and security checks, then save results to the submission.
-   * Called internally after creation; not exposed as a public endpoint.
+   * Run automated business-side checks (repo public, README, MIT license, Strapi peer dep)
+   * and save results to the submission. Security scanning is NOT run here — it is driven
+   * manually by a moderator via `triggerSecurityScan` to avoid running costly scans
+   * (AI analysis in particular) on every submission, including potential spam.
    */
-  async runChecksAsync(
-    documentId,
-    { repository_url, npm_package_name, plugin_name },
-  ) {
-    const [businessChecks, securityChecks] = await Promise.allSettled([
-      runAutomatedChecks({ repository_url, npm_package_name }),
-      runSecurityChecks({ repository_url, npm_package_name, plugin_name }),
-    ]);
-
-    const automated =
-      businessChecks.status === "fulfilled" ? businessChecks.value : null;
-    const security =
-      securityChecks.status === "fulfilled" ? securityChecks.value : null;
-
-    const combined = {
-      ...(automated || {}),
-      checks: {
-        ...(automated?.checks || {}),
-        security: security || {},
-      },
-    };
+  async runChecksAsync(documentId, { repository_url, package_location }) {
+    const businessChecks = await runAutomatedChecks({
+      repository_url,
+      package_location,
+    }).catch(() => null);
 
     await strapi.documents(CONTENT_TYPE).update({
       documentId,
       data: {
-        automated_check_results: combined,
+        automated_check_results: businessChecks,
         overall_status: "under_review",
       },
     });
   },
 
+  /**
+   * Trigger the n8n security-scan workflow for a submission.
+   * Fire-and-forget: n8n writes per-stage results back via the content-api write-back route.
+   *
+   * Called by an admin action, not automatically on submission. Guarded against re-triggering
+   * while a scan is already in progress.
+   *
+   * Fetches registry metadata up-front (reusing package-info's extract patterns) so the n8n
+   * workflow does not duplicate registry lookups. When the submission points at an unsupported
+   * or unpublished package, `package_info` is sent as null and n8n falls back to repo-only scan.
+   */
+  async triggerSecurityScan(documentId) {
+    const submission = await strapi.documents(CONTENT_TYPE).findOne({
+      documentId,
+    });
+    if (!submission) throw new Error("Submission not found.");
+
+    if (submission.security_scan_status === "running") {
+      throw new Error(
+        "A security scan is already running for this submission.",
+      );
+    }
+
+    await strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        security_scan_status: "running",
+        security_scan_started_at: new Date().toISOString(),
+      },
+    });
+
+    const packageInfo = submission.package_location
+      ? await getPackageSecurityInfo(submission.package_location).catch(
+          () => null,
+        )
+      : null;
+
+    const payload = {
+      ...buildLifecyclePayload(submission),
+      readme: submission.readme,
+      package_info: packageInfo,
+    };
+
+    const result = await triggerN8nWebhook("security-scan", payload, {
+      strapi,
+    });
+    if (!result.ok) {
+      await strapi.documents(CONTENT_TYPE).update({
+        documentId,
+        data: { security_scan_status: "failed" },
+      });
+      throw new Error(result.error || "Failed to trigger n8n security scan.");
+    }
+
+    return { documentId, status: "running" };
+  },
+
+  /**
+   * Write back a single security-scan stage result from n8n.
+   * Stages: npm_advisories, dependencies, ai_analysis, summary.
+   * Also accepts status transitions: 'completed' or 'failed' (with no stage result).
+   */
+  async updateSecurityScanResult(documentId, { stage, result, status }) {
+    if (stage && !VALID_SCAN_STAGES.includes(stage)) {
+      throw new Error(
+        `Invalid scan stage '${stage}'. Expected one of: ${VALID_SCAN_STAGES.join(", ")}.`,
+      );
+    }
+
+    const data = {};
+    if (stage === "dependencies")
+      data.security_scan_dependencies = result ?? null;
+    if (stage === "ai_analysis")
+      data.security_scan_ai_analysis = result ?? null;
+    if (stage === "summary") data.security_scan_summary = result ?? null;
+
+    if (status === "completed" || status === "failed") {
+      data.security_scan_status = status;
+      data.security_scan_run_at = new Date().toISOString();
+    }
+
+    if (Object.keys(data).length === 0) {
+      throw new Error("No stage result or status transition provided.");
+    }
+
+    return strapi.documents(CONTENT_TYPE).update({ documentId, data });
+  },
+
   /**
    * Update review status fields for a submission.
    * Enforces the rule: overall approval requires BOTH review tracks to pass.
@@ -186,7 +294,7 @@ module.exports = ({ strapi }) => ({
         name: submission.plugin_name,
         description: submission.description,
         repository_url: submission.repository_url,
-        package_location: submission.npm_package_name || null,
+        package_location: submission.package_location || null,
         type: submission.package_type,
         readme: submission.readme || null,
         labels: {
@@ -203,12 +311,19 @@ module.exports = ({ strapi }) => ({
       data: { promoted_package: { connect: [{ documentId: pkg.documentId }] } },
     });
 
-    // TODO: Trigger n8n "submission approved" workflow here.
-    // Example: await triggerN8nWorkflow('plugin-submission-approved', {
-    //   submissionId: documentId,
-    //   packageId: pkg.documentId,
-    //   ownerEmail: submission.owner_email,
-    // });
+    // Fire-and-forget: notify n8n so it can email the submitter + post to Slack.
+    // Package content-type uses a `url_alias` relation (webtools plugin) for slugs,
+    // which is populated out-of-band — don't guess. Pass null; n8n workflow falls back
+    // to the repo URL in the email.
+    triggerN8nWebhook(
+      "plugin-approved",
+      buildLifecyclePayload(submission, {
+        package_id: pkg.documentId,
+        package_slug: null,
+        marketplace_link: null,
+      }),
+      { strapi },
+    );
 
     return pkg;
   },
@@ -231,21 +346,16 @@ module.exports = ({ strapi }) => ({
       },
     });
 
-    if (status === "rejected") {
-      // TODO: Trigger n8n "submission rejected" workflow.
-      // Example: await triggerN8nWorkflow('plugin-submission-rejected', {
-      //   submissionId: documentId,
-      //   ownerEmail: updated.owner_email,
-      //   reason,
-      // });
-    } else {
-      // TODO: Trigger n8n "changes requested" workflow.
-      // Example: await triggerN8nWorkflow('plugin-submission-changes-requested', {
-      //   submissionId: documentId,
-      //   ownerEmail: updated.owner_email,
-      //   feedback,
-      // });
-    }
+    const lifecycleKey =
+      status === "rejected" ? "plugin-declined" : "plugin-changes-requested";
+    triggerN8nWebhook(
+      lifecycleKey,
+      buildLifecyclePayload(updated, {
+        reason: reason || null,
+        feedback: feedback || null,
+      }),
+      { strapi },
+    );
 
     return updated;
   },
@@ -262,6 +372,23 @@ module.exports = ({ strapi }) => ({
     });
   },
 
+  /**
+   * List submissions whose security scan is stuck in 'running' past a cutoff.
+   * Consumed by the n8n scan-timeout-sweeper workflow. Content-api + API-token
+   * guarded so the sweeper does not need an admin session.
+   */
+  async listStaleScans({ cutoff }) {
+    if (!cutoff) return [];
+    return strapi.documents(CONTENT_TYPE).findMany({
+      filters: {
+        security_scan_status: { $eq: "running" },
+        security_scan_started_at: { $lt: cutoff },
+      },
+      fields: ["documentId", "plugin_name", "security_scan_started_at"],
+      pagination: { page: 1, pageSize: 50 },
+    });
+  },
+
   /**
    * Fetch a single submission by documentId.
    */
diff --git a/apps/cms/src/plugins/moderation/server/services/security-checks.js b/apps/cms/src/plugins/moderation/server/services/security-checks.js
deleted file mode 100644
index 57594e6..0000000
--- a/apps/cms/src/plugins/moderation/server/services/security-checks.js
+++ /dev/null
@@ -1,109 +0,0 @@
-/**
- * Security checks service.
- *
- * Placeholder structure for the security review pipeline.
- * The scaffolding here is designed so real implementations can be dropped in
- * without restructuring the calling code.
- *
- * Future integrations to wire in:
- *  - npm audit / Socket.dev / Snyk for dependency scanning
- *  - GitHub advisory / OSV database lookups
- *  - Claude API for AI-powered code/dependency analysis
- */
-
-/**
- * Check the npm registry for known security advisories.
- *
- * TODO: Integrate with https://registry.npmjs.org/-/npm/v1/security/advisories
- *       or Socket.dev API (requires SOCKET_API_KEY env var).
- */
-async function checkNpmAdvisories(npmPackageName) {
-  if (!npmPackageName) {
-    return {
-      passed: null,
-      skipped: true,
-      message: "No npm package name provided; skipping advisory check.",
-    };
-  }
-
-  // TODO: implement real advisory lookup
-  return {
-    passed: null,
-    skipped: true,
-    message:
-      "npm advisory check not yet implemented — requires SOCKET_API_KEY.",
-  };
-}
-
-/**
- * Scan package dependencies for known vulnerabilities.
- *
- * TODO: Fetch package.json, enumerate dependencies, and cross-reference
- *       against the OSV (https://osv.dev) or GitHub Advisory database.
- */
-async function checkDependencyVulnerabilities(_gitRepository, _npmPackageName) {
-  // TODO: implement dependency scanning
-  return {
-    passed: null,
-    skipped: true,
-    message:
-      "Dependency vulnerability scan not yet implemented — planned for v2.",
-  };
-}
-
-/**
- * Run an AI-powered security analysis using the Claude API.
- *
- * TODO: Use @anthropic-ai/sdk to analyse:
- *  - README content for red flags
- *  - Package metadata for suspicious patterns
- *  - Known malicious package name patterns (typosquatting etc.)
- *
- * Requires ANTHROPIC_API_KEY env var.
- */
-async function runAiSecurityAnalysis({
-  pluginName: _pluginName,
-  npmPackageName: _npmPackageName,
-  gitRepository: _gitRepository,
-}) {
-  // TODO: implement Claude API integration
-  return {
-    passed: null,
-    skipped: true,
-    message:
-      "AI security analysis not yet implemented — requires ANTHROPIC_API_KEY.",
-  };
-}
-
-/**
- * Run all security checks for a submission.
- * Returns structured results to be merged into automated_check_results.
- */
-async function runSecurityChecks({
-  repository_url,
-  npm_package_name,
-  plugin_name,
-}) {
-  const [advisories, dependencies, aiAnalysis] = await Promise.allSettled([
-    checkNpmAdvisories(npm_package_name),
-    checkDependencyVulnerabilities(repository_url, npm_package_name),
-    runAiSecurityAnalysis({
-      pluginName: plugin_name,
-      npmPackageName: npm_package_name,
-      gitRepository: repository_url,
-    }),
-  ]);
-
-  const resolve = (settled) =>
-    settled.status === "fulfilled"
-      ? settled.value
-      : { passed: null, message: settled.reason?.message || "Check error." };
-
-  return {
-    npm_advisories: resolve(advisories),
-    dependency_vulnerabilities: resolve(dependencies),
-    ai_analysis: resolve(aiAnalysis),
-  };
-}
-
-module.exports = { runSecurityChecks };
diff --git a/apps/cms/src/plugins/moderation/server/services/template-submission.js b/apps/cms/src/plugins/moderation/server/services/template-submission.js
index 3a5cce7..ed486ab 100644
--- a/apps/cms/src/plugins/moderation/server/services/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/template-submission.js
@@ -7,8 +7,30 @@
  * Feedback to the submitter is delivered via n8n workflows (see TODO comments).
  */
 
+const { triggerN8nWebhook } = require("./n8n-webhook");
+
 const CONTENT_TYPE = "plugin::moderation.template-submission";
 
+const VALID_SCAN_STAGES = ["dependencies", "ai_analysis", "summary"];
+
+function buildLifecyclePayload(submission, extras = {}) {
+  const adminBase = (
+    process.env.CLOUD_APP_URL || "http://localhost:1337"
+  ).replace(/\/$/, "");
+  const adminPath = `/admin/plugins/moderation/template-submissions/${submission.documentId}`;
+  return {
+    submissionId: submission.documentId,
+    submission_kind: "template",
+    template_name: submission.template_name,
+    repository_url: submission.repository_url,
+    demo_url: submission.demo_url || null,
+    owner_name: submission.owner_name,
+    owner_email: submission.owner_email,
+    dashboard_link: `${adminBase}${adminPath}`,
+    ...extras,
+  };
+}
+
 module.exports = ({ strapi }) => ({
   /**
    * Create a new template submission.
@@ -32,12 +54,11 @@ module.exports = ({ strapi }) => ({
       },
     });
 
-    // TODO: Trigger n8n "template submission received" workflow here.
-    // Example: await triggerN8nWorkflow('template-submission-received', {
-    //   submissionId: submission.documentId,
-    //   ownerEmail: data.owner_email,
-    //   templateName: data.template_name,
-    // });
+    triggerN8nWebhook(
+      "template-submission-received",
+      buildLifecyclePayload(submission),
+      { strapi },
+    );
 
     return submission;
   },
@@ -91,22 +112,15 @@ module.exports = ({ strapi }) => ({
       },
     });
 
-    if (status === "approved") {
-      // TODO: Trigger n8n "template approved" workflow.
-      // Example: await triggerN8nWorkflow('template-submission-approved', {
-      //   submissionId: documentId,
-      //   ownerEmail: updated.owner_email,
-      //   templateName: updated.template_name,
-      // });
-    } else {
-      // TODO: Trigger n8n "template rejected" workflow.
-      // Example: await triggerN8nWorkflow('template-submission-rejected', {
-      //   submissionId: documentId,
-      //   ownerEmail: updated.owner_email,
-      //   reason,
-      //   feedback,
-      // });
-    }
+    triggerN8nWebhook(
+      status === "approved" ? "template-approved" : "template-declined",
+      buildLifecyclePayload(updated, {
+        reason: reason || null,
+        feedback: feedback || null,
+        notes: notes || null,
+      }),
+      { strapi },
+    );
 
     return updated;
   },
@@ -123,10 +137,106 @@ module.exports = ({ strapi }) => ({
     });
   },
 
+  /**
+   * List submissions whose security scan is stuck in 'running' past a cutoff.
+   * Consumed by the n8n scan-timeout-sweeper workflow.
+   */
+  async listStaleScans({ cutoff }) {
+    if (!cutoff) return [];
+    return strapi.documents(CONTENT_TYPE).findMany({
+      filters: {
+        security_scan_status: { $eq: "running" },
+        security_scan_started_at: { $lt: cutoff },
+      },
+      fields: ["documentId", "template_name", "security_scan_started_at"],
+      pagination: { page: 1, pageSize: 50 },
+    });
+  },
+
   /**
    * Fetch a single template submission by documentId.
    */
   async getSubmission(documentId) {
     return strapi.documents(CONTENT_TYPE).findOne({ documentId });
   },
+
+  /**
+   * Trigger the n8n security-scan workflow for a template submission.
+   * Templates are repo-only (no published artifact); `package_info` is always null
+   * in the webhook payload, and the workflow falls back to repo + AI-only analysis.
+   */
+  async triggerSecurityScan(documentId) {
+    const submission = await strapi.documents(CONTENT_TYPE).findOne({
+      documentId,
+    });
+    if (!submission) throw new Error("Submission not found.");
+
+    if (submission.security_scan_status === "running") {
+      throw new Error(
+        "A security scan is already running for this submission.",
+      );
+    }
+
+    await strapi.documents(CONTENT_TYPE).update({
+      documentId,
+      data: {
+        security_scan_status: "running",
+        security_scan_started_at: new Date().toISOString(),
+      },
+    });
+
+    const payload = {
+      ...buildLifecyclePayload(submission),
+      plugin_name: submission.template_name,
+      package_location: null,
+      readme: submission.description,
+      package_info: null,
+    };
+
+    const result = await triggerN8nWebhook("security-scan", payload, {
+      strapi,
+    });
+    if (!result.ok) {
+      await strapi.documents(CONTENT_TYPE).update({
+        documentId,
+        data: { security_scan_status: "failed" },
+      });
+      throw new Error(result.error || "Failed to trigger n8n security scan.");
+    }
+
+    return { documentId, status: "running" };
+  },
+
+  /**
+   * Write back a single security-scan stage result from n8n.
+   * Stages: dependencies, ai_analysis, summary.
+   * Also accepts status transitions: 'completed' or 'failed' (with no stage result).
+   *
+   * Templates do not have a separate npm_advisories stage (no registry artifact).
+   */
+  async updateSecurityScanResult(documentId, { stage, result, status }) {
+    if (stage && !VALID_SCAN_STAGES.includes(stage)) {
+      throw new Error(
+        `Invalid scan stage '${stage}'. Expected one of: ${VALID_SCAN_STAGES.join(", ")}.`,
+      );
+    }
+
+    const data = {};
+    if (stage === "dependencies")
+      data.security_scan_dependencies = result ?? null;
+    if (stage === "ai_analysis")
+      data.security_scan_ai_analysis = result ?? null;
+    if (stage === "summary") data.security_scan_summary = result ?? null;
+
+    if (status === "completed" || status === "failed") {
+      data.security_scan_status = status;
+      data.security_scan_run_at = new Date().toISOString();
+    }
+
+    if (Object.keys(data).length === 0) {
+      throw new Error("No stage result or status transition provided.");
+    }
+
+    return strapi.documents(CONTENT_TYPE).update({ documentId, data });
+  },
 });
diff --git a/apps/cms/src/seed/email-templates.ts b/apps/cms/src/seed/email-templates.ts
index f9094d9..a9972f3 100644
--- a/apps/cms/src/seed/email-templates.ts
+++ b/apps/cms/src/seed/email-templates.ts
@@ -61,14 +61,59 @@ If you'd like to discuss the decision or address the points raised, reply to thi
     key: "plugin-changes-requested",
     subject: "Changes requested for {{ package_name }}",
     description:
-      "Sent by n8n when business review state becomes 'changes_requested'. Variables: package_name, author_name, reviewer_feedback, dashboard_link.",
+      "Sent by n8n when business review state becomes 'changes_requested'. Variables: package_name, author_name, reviewer_feedback. Note: the dashboard_link variable is internal (Strapi admin) and must never appear in this developer-facing email body.",
     body: `Hi {{ author_name }},
 
 Thanks for submitting **{{ package_name }}**. Before we can publish it, the reviewer has asked for a few changes:
 
 > {{ reviewer_feedback }}
 
-Once you've addressed the feedback, update the repository and we'll re-review. You can track status here: {{ dashboard_link }}
+Once you've addressed the feedback, update the repository and reply to this email — we'll re-review.
+
+— The Strapi Community team`,
+  },
+  {
+    key: "template-submission-received",
+    subject: "We've received your template: {{ package_name }}",
+    description:
+      "Sent by n8n when a template is submitted. Variables: package_name, author_name, git_repository.",
+    body: `Hi {{ author_name }},
+
+Thanks for submitting **{{ package_name }}** to the Strapi community templates.
+
+We've received your submission ({{ git_repository }}) and it's now queued for review. You'll hear from us once a moderator has approved or requested changes.
+
+— The Strapi Community team`,
+  },
+  {
+    key: "template-approved",
+    subject: "Your template is live: {{ package_name }}",
+    description:
+      "Sent by n8n when a template submission is approved. Variables: package_name, author_name, marketplace_link (falls back to the repository URL when no marketplace link is available).",
+    body: `Hi {{ author_name }},
+
+Good news — **{{ package_name }}** has been approved and is now live on the Strapi community templates.
+
+View it: {{ marketplace_link }}
+
+Thanks for contributing to the ecosystem.
+
+— The Strapi Community team`,
+  },
+  {
+    key: "template-declined",
+    subject: "Update on your template submission: {{ package_name }}",
+    description:
+      "Sent by n8n when a template submission is declined. Variables: package_name, author_name, decline_reason.",
+    body: `Hi {{ author_name }},
+
+Thanks again for submitting **{{ package_name }}** to the Strapi community templates.
+
+After review we've decided not to list this template at this time. Here's the specific feedback from the reviewer:
+
+> {{ decline_reason }}
+
+If you'd like to discuss the decision or address the points raised, reply to this email and we'll be in touch.
 
 — The Strapi Community team`,
   },
diff --git a/apps/cms/types/generated/contentTypes.d.ts b/apps/cms/types/generated/contentTypes.d.ts
index a172e64..8194982 100644
--- a/apps/cms/types/generated/contentTypes.d.ts
+++ b/apps/cms/types/generated/contentTypes.d.ts
@@ -2051,7 +2051,6 @@ export interface PluginModerationPluginSubmission
       Schema.Attribute.Private;
     logo_url: Schema.Attribute.String;
     maintainers_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
-    npm_package_name: Schema.Attribute.String;
     overall_status: Schema.Attribute.Enumeration<
       ['submitted', 'under_review', 'changes_requested', 'rejected', 'approved']
     > &
@@ -2059,6 +2058,7 @@ export interface PluginModerationPluginSubmission
       Schema.Attribute.DefaultTo<'submitted'>;
     owner_email: Schema.Attribute.String & Schema.Attribute.Required;
     owner_name: Schema.Attribute.String & Schema.Attribute.Required;
+    package_location: Schema.Attribute.String;
     package_type: Schema.Attribute.Enumeration<
       ['plugin', 'provider', 'sdk', 'tool']
     > &
@@ -2080,6 +2080,15 @@ export interface PluginModerationPluginSubmission
     > &
       Schema.Attribute.Required &
       Schema.Attribute.DefaultTo<'pending'>;
+    security_scan_ai_analysis: Schema.Attribute.JSON;
+    security_scan_dependencies: Schema.Attribute.JSON;
+    security_scan_run_at: Schema.Attribute.DateTime;
+    security_scan_started_at: Schema.Attribute.DateTime;
+    security_scan_status: Schema.Attribute.Enumeration<
+      ['pending', 'running', 'completed', 'failed']
+    > &
+      Schema.Attribute.DefaultTo<'pending'>;
+    security_scan_summary: Schema.Attribute.JSON;
     submission_notes: Schema.Attribute.Text;
     submitter_agreed_to_terms: Schema.Attribute.Boolean &
       Schema.Attribute.Required &
@@ -2137,6 +2146,15 @@ export interface PluginModerationTemplateSubmission
     repository_url: Schema.Attribute.String & Schema.Attribute.Required;
     reviewer_feedback: Schema.Attribute.Text;
     reviewer_notes: Schema.Attribute.Text;
+    security_scan_ai_analysis: Schema.Attribute.JSON;
+    security_scan_dependencies: Schema.Attribute.JSON;
+    security_scan_run_at: Schema.Attribute.DateTime;
+    security_scan_started_at: Schema.Attribute.DateTime;
+    security_scan_status: Schema.Attribute.Enumeration<
+      ['pending', 'running', 'completed', 'failed']
+    > &
+      Schema.Attribute.DefaultTo<'pending'>;
+    security_scan_summary: Schema.Attribute.JSON;
     submission_notes: Schema.Attribute.Text;
     submitter_agreed_to_terms: Schema.Attribute.Boolean &
       Schema.Attribute.Required &

From 8eb58f8cd05caf9aa84114ab59228a704485e093 Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 14:30:53 -0700
Subject: [PATCH 11/26] feat(automation): lifecycle + security-scan +
 error-handler workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Rename 4 package-* workflows to plugin-* (folders + workflow name + webhook
  path + Extract Payload reading flat CMS payload instead of Strapi content-type
  lifecycle body.entry.*)
- Add 3 template-* workflows mirroring the plugin-* ones, adapted for the
  template-submission content type
- New security-scan workflow: fires on manual admin trigger, consumes the
  CMS-prefetched package_info, runs OSV vuln scan + repo package.json cross-
  check + install-script flagging + Claude Haiku AI analysis on up to 20 source
  files (npm via jsDelivr / GitHub for repo fallback). Writes back per-stage
  results to Strapi via content-api
- New error-handler workflow (settings.errorWorkflow on all 11 community-hub
  workflows) — Error Trigger -> Scope Check allowlist -> Slack alert to
  #integration-marketplace. Opt-in via wiring + defensive name allowlist
- New scan-timeout-sweeper workflow — runs every 15 min, queries the CMS for
  plugin/template submissions stuck in security_scan_status=running past a 30-
  minute threshold, PATCHes them to failed, Slack-notifies the count
- Code nodes in security-scan wrapped in try/catch with defined fallback
  shapes so a parse error mid-flow produces a typed error item instead of
  aborting the whole workflow
- Drop dashboard_link from plugin-changes-requested email variables (admin URL
  is internal Slack-only — dropped from developer email body + payload
  defence-in-depth)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../cleanup-new-label-after-60d/workflow.json |   3 +-
 .../workflows/error-handler/workflow.json     | 152 +++++
 .../workflow.json                             |  23 +-
 .../workflow.json                             |  23 +-
 .../workflow.json                             |  17 +-
 .../workflow.json                             |  23 +-
 .../workflow.json                             |   3 +-
 .../scan-timeout-sweeper/workflow.json        | 317 ++++++++++
 .../workflows/security-scan/workflow.json     | 568 ++++++++++++++++++
 .../workflows/template-approved/workflow.json | 270 +++++++++
 .../workflows/template-declined/workflow.json | 189 ++++++
 .../workflow.json                             | 271 +++++++++
 12 files changed, 1816 insertions(+), 43 deletions(-)
 create mode 100644 apps/automation/workflows/error-handler/workflow.json
 rename apps/automation/workflows/{package-approved => plugin-approved}/workflow.json (87%)
 rename apps/automation/workflows/{package-changes-requested => plugin-changes-requested}/workflow.json (84%)
 rename apps/automation/workflows/{package-declined => plugin-declined}/workflow.json (87%)
 rename apps/automation/workflows/{package-submission-received => plugin-submission-received}/workflow.json (86%)
 create mode 100644 apps/automation/workflows/scan-timeout-sweeper/workflow.json
 create mode 100644 apps/automation/workflows/security-scan/workflow.json
 create mode 100644 apps/automation/workflows/template-approved/workflow.json
 create mode 100644 apps/automation/workflows/template-declined/workflow.json
 create mode 100644 apps/automation/workflows/template-submission-received/workflow.json

diff --git a/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json b/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json
index 288314f..dba400a 100644
--- a/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json
+++ b/apps/automation/workflows/cleanup-new-label-after-60d/workflow.json
@@ -211,7 +211,8 @@
     "saveManualExecutions": true,
     "saveExecutionProgress": true,
     "callerPolicy": "workflowsFromSameOwner",
-    "availableInMCP": false
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
   },
   "staticData": null,
   "activeVersionId": null,
diff --git a/apps/automation/workflows/error-handler/workflow.json b/apps/automation/workflows/error-handler/workflow.json
new file mode 100644
index 0000000..ff702dd
--- /dev/null
+++ b/apps/automation/workflows/error-handler/workflow.json
@@ -0,0 +1,152 @@
+{
+  "name": "error-handler",
+  "description": null,
+  "nodes": [
+    {
+      "id": "sticky-1",
+      "name": "About",
+      "type": "n8n-nodes-base.stickyNote",
+      "typeVersion": 1,
+      "position": [
+        120,
+        60
+      ],
+      "parameters": {
+        "content": "## Shared Error Handler — Community Hub Scope Only\n\n**Opt-in routing:** this workflow only fires for workflows that explicitly reference its id via `settings.errorWorkflow`. The Error Trigger node does NOT broadcast-receive from other workflows on the same n8n instance.\n\n**Defensive allowlist:** the `Scope Check` node additionally filters on workflow name against the community-hub allowlist below. Any failure from a workflow outside this list is silently dropped — so accidental or copy-paste wiring from unrelated workflows can't spam `#integration-marketplace`. Update the allowlist in the Scope Check node when adding new community-hub workflows.\n\n**Behaviour:** formats a concise Slack message with the failed workflow's name, the failing node, the error message, and a link to the execution in the n8n UI — then posts it to `#integration-marketplace`.\n\nStrapi side-effects (e.g. marking a stuck scan as failed) are handled by `scan-timeout-sweeper`, not here — keeps the error handler's dependencies minimal so it rarely fails itself.",
+        "height": 380,
+        "width": 760,
+        "color": 4
+      }
+    },
+    {
+      "id": "error-trigger-1",
+      "name": "On Workflow Error",
+      "type": "n8n-nodes-base.errorTrigger",
+      "typeVersion": 1,
+      "position": [
+        160,
+        500
+      ],
+      "parameters": {}
+    },
+    {
+      "id": "scope-check-1",
+      "name": "Scope Check",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        380,
+        500
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "// Allowlist of community-hub workflow names. Keep in sync with apps/automation/workflows/*.\n// Failures from any workflow NOT in this list are silently dropped — defensive filter so\n// unrelated workflows on the same n8n instance can't accidentally alert into our channel.\nconst ALLOWLIST = new Set([\n  'security-scan',\n  'scan-timeout-sweeper',\n  'plugin-submission-received',\n  'plugin-approved',\n  'plugin-declined',\n  'plugin-changes-requested',\n  'template-submission-received',\n  'template-approved',\n  'template-declined',\n  'cleanup-new-label-after-60d',\n  'render-email (shared sub-workflow)',\n]);\n\nconst payload = $input.first().json;\nconst name = payload?.workflow?.name;\n\nif (!name || !ALLOWLIST.has(name)) {\n  // Silently drop — return no items, downstream nodes don't run.\n  return [];\n}\nreturn [{ json: payload }];"
+      },
+      "onError": "continueRegularOutput",
+      "notes": "Allowlist filter. Update the ALLOWLIST when adding new workflows to the community-hub scope."
+    },
+    {
+      "id": "format-1",
+      "name": "Format Alert",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        600,
+        500
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "e1",
+              "name": "text",
+              "type": "string",
+              "value": "=:rotating_light: *Workflow failure*: `{{ $json.workflow.name }}`\nNode: `{{ $json.execution.lastNodeExecuted || 'unknown' }}`\nError: {{ $json.execution.error.message || 'no message' }}\nMode: {{ $json.execution.mode }}\nExecution: {{ $json.execution.url }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "slack-1",
+      "name": "Post to #integration-marketplace",
+      "type": "n8n-nodes-base.slack",
+      "typeVersion": 2.4,
+      "position": [
+        820,
+        500
+      ],
+      "parameters": {
+        "resource": "message",
+        "operation": "post",
+        "select": "channel",
+        "channelId": {
+          "__rl": true,
+          "mode": "name",
+          "value": "integration-marketplace"
+        },
+        "text": "={{ $json.text }}",
+        "otherOptions": {}
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "If Slack is down the alert is silently dropped — no cascading failures. Execution history in n8n still records the error.",
+      "webhookId": "c3a8e4f1-7d9b-4c2a-b510-6a2e3f5c8b0a"
+    }
+  ],
+  "connections": {
+    "On Workflow Error": {
+      "main": [
+        [
+          {
+            "node": "Scope Check",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Scope Check": {
+      "main": [
+        [
+          {
+            "node": "Format Alert",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Format Alert": {
+      "main": [
+        [
+          {
+            "node": "Post to #integration-marketplace",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/package-approved/workflow.json b/apps/automation/workflows/plugin-approved/workflow.json
similarity index 87%
rename from apps/automation/workflows/package-approved/workflow.json
rename to apps/automation/workflows/plugin-approved/workflow.json
index 68b217c..b23e03b 100644
--- a/apps/automation/workflows/package-approved/workflow.json
+++ b/apps/automation/workflows/plugin-approved/workflow.json
@@ -1,5 +1,5 @@
 {
-  "name": "package-approved",
+  "name": "plugin-approved",
   "description": null,
   "nodes": [
     {
@@ -13,7 +13,7 @@
       ],
       "parameters": {
         "httpMethod": "POST",
-        "path": "strapi/package-approved",
+        "path": "strapi/plugin-approved",
         "authentication": "headerAuth",
         "responseMode": "onReceived",
         "responseData": "noData",
@@ -21,7 +21,7 @@
       },
       "onError": "continueRegularOutput",
       "alwaysOutputData": true,
-      "notes": "Fires when BOTH business review AND security review reach 'approved'. Strapi lifecycle emits this on state-change transition. Expects body.entry { id, name, author { email, name }, slug }.",
+      "notes": "Fired by the CMS moderation plugin after plugin-submission.promoteToPackage. Payload includes package_id + package_slug (may be null).",
       "webhookId": "5b4adc60-df90-4ca1-aca8-c2ea4ca513d7"
     },
     {
@@ -42,37 +42,37 @@
               "id": "a1",
               "name": "package_id",
               "type": "string",
-              "value": "={{ $json.body.entry.id }}"
+              "value": "={{ $json.body.package_id }}"
             },
             {
               "id": "a2",
               "name": "package_name",
               "type": "string",
-              "value": "={{ $json.body.entry.name }}"
+              "value": "={{ $json.body.plugin_name }}"
             },
             {
               "id": "a3",
               "name": "package_slug",
               "type": "string",
-              "value": "={{ $json.body.entry.slug }}"
+              "value": "={{ $json.body.package_slug || '' }}"
             },
             {
               "id": "a4",
               "name": "author_email",
               "type": "string",
-              "value": "={{ $json.body.entry.author.email }}"
+              "value": "={{ $json.body.owner_email }}"
             },
             {
               "id": "a5",
               "name": "author_name",
               "type": "string",
-              "value": "={{ $json.body.entry.author.name }}"
+              "value": "={{ $json.body.owner_name }}"
             },
             {
               "id": "a6",
               "name": "marketplace_link",
               "type": "string",
-              "value": "=https://strapi.io/community/packages/{{ $json.body.entry.slug }}"
+              "value": "={{ $json.body.marketplace_link || '' }}"
             }
           ]
         },
@@ -165,7 +165,7 @@
               "id": "s1",
               "name": "text",
               "type": "string",
-              "value": "=:white_check_mark: Package approved & published: *{{ $json.package_name }}* by {{ $json.author_name }}\nLive: {{ $json.marketplace_link }}"
+              "value": "=:white_check_mark: *Plugin* approved & published: *{{ $json.package_name }}* by {{ $json.author_name }}\nLive: {{ $json.marketplace_link }}"
             }
           ]
         },
@@ -259,7 +259,8 @@
     "saveManualExecutions": true,
     "saveExecutionProgress": true,
     "callerPolicy": "workflowsFromSameOwner",
-    "availableInMCP": false
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
   },
   "staticData": null,
   "activeVersionId": null,
diff --git a/apps/automation/workflows/package-changes-requested/workflow.json b/apps/automation/workflows/plugin-changes-requested/workflow.json
similarity index 84%
rename from apps/automation/workflows/package-changes-requested/workflow.json
rename to apps/automation/workflows/plugin-changes-requested/workflow.json
index 34dcba1..d760800 100644
--- a/apps/automation/workflows/package-changes-requested/workflow.json
+++ b/apps/automation/workflows/plugin-changes-requested/workflow.json
@@ -1,5 +1,5 @@
 {
-  "name": "package-changes-requested",
+  "name": "plugin-changes-requested",
   "description": null,
   "nodes": [
     {
@@ -13,7 +13,7 @@
       ],
       "parameters": {
         "httpMethod": "POST",
-        "path": "strapi/package-changes-requested",
+        "path": "strapi/plugin-changes-requested",
         "authentication": "headerAuth",
         "responseMode": "onReceived",
         "responseData": "noData",
@@ -21,7 +21,7 @@
       },
       "onError": "continueRegularOutput",
       "alwaysOutputData": true,
-      "notes": "Fires when business_review_state transitions to 'changes_requested'. Expects body.entry { id, name, author { email, name }, business_review_feedback }.",
+      "notes": "Fired by the CMS moderation plugin after plugin-submission.rejectOrRequestChanges with status='changes_requested'. Payload: flat { submissionId, plugin_name, owner_email, reason, feedback, dashboard_link, ... }.",
       "webhookId": "2f6e1cec-6e97-4e6d-b9f6-8b3fbda1e310"
     },
     {
@@ -42,37 +42,37 @@
               "id": "a1",
               "name": "package_id",
               "type": "string",
-              "value": "={{ $json.body.entry.id }}"
+              "value": "={{ $json.body.submissionId }}"
             },
             {
               "id": "a2",
               "name": "package_name",
               "type": "string",
-              "value": "={{ $json.body.entry.name }}"
+              "value": "={{ $json.body.plugin_name }}"
             },
             {
               "id": "a3",
               "name": "author_email",
               "type": "string",
-              "value": "={{ $json.body.entry.author.email }}"
+              "value": "={{ $json.body.owner_email }}"
             },
             {
               "id": "a4",
               "name": "author_name",
               "type": "string",
-              "value": "={{ $json.body.entry.author.name }}"
+              "value": "={{ $json.body.owner_name }}"
             },
             {
               "id": "a5",
               "name": "reviewer_feedback",
               "type": "string",
-              "value": "={{ $json.body.entry.business_review_feedback }}"
+              "value": "={{ $json.body.feedback || $json.body.reason || '' }}"
             },
             {
               "id": "a6",
               "name": "dashboard_link",
               "type": "string",
-              "value": "=https://strapi.io/community/admin/content-manager/collectionType/api::package.package/{{ $json.body.entry.id }}"
+              "value": "={{ $json.body.dashboard_link }}"
             }
           ]
         },
@@ -116,7 +116,7 @@
               "id": "b4",
               "name": "variables",
               "type": "object",
-              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, reviewer_feedback: $json.reviewer_feedback, dashboard_link: $json.dashboard_link } }}"
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, reviewer_feedback: $json.reviewer_feedback } }}"
             }
           ]
         },
@@ -190,7 +190,8 @@
     "saveManualExecutions": true,
     "saveExecutionProgress": true,
     "callerPolicy": "workflowsFromSameOwner",
-    "availableInMCP": false
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
   },
   "staticData": null,
   "activeVersionId": null,
diff --git a/apps/automation/workflows/package-declined/workflow.json b/apps/automation/workflows/plugin-declined/workflow.json
similarity index 87%
rename from apps/automation/workflows/package-declined/workflow.json
rename to apps/automation/workflows/plugin-declined/workflow.json
index 9cba072..2d59b45 100644
--- a/apps/automation/workflows/package-declined/workflow.json
+++ b/apps/automation/workflows/plugin-declined/workflow.json
@@ -1,5 +1,5 @@
 {
-  "name": "package-declined",
+  "name": "plugin-declined",
   "description": null,
   "nodes": [
     {
@@ -13,7 +13,7 @@
       ],
       "parameters": {
         "httpMethod": "POST",
-        "path": "strapi/package-declined",
+        "path": "strapi/plugin-declined",
         "authentication": "headerAuth",
         "responseMode": "onReceived",
         "responseData": "noData",
@@ -21,7 +21,7 @@
       },
       "onError": "continueRegularOutput",
       "alwaysOutputData": true,
-      "notes": "Fires when business_review_state transitions to 'declined'. Expects body.entry { id, name, author { email, name }, business_review_feedback (decline reason) }.",
+      "notes": "Fired by the CMS moderation plugin after plugin-submission.rejectOrRequestChanges with status='rejected'. Payload: flat { submissionId, plugin_name, owner_email, reason, feedback, ... }.",
       "webhookId": "37f3f735-2a1c-4c22-89e0-237bb2b5a245"
     },
     {
@@ -42,25 +42,25 @@
               "id": "a1",
               "name": "package_name",
               "type": "string",
-              "value": "={{ $json.body.entry.name }}"
+              "value": "={{ $json.body.plugin_name }}"
             },
             {
               "id": "a2",
               "name": "author_email",
               "type": "string",
-              "value": "={{ $json.body.entry.author.email }}"
+              "value": "={{ $json.body.owner_email }}"
             },
             {
               "id": "a3",
               "name": "author_name",
               "type": "string",
-              "value": "={{ $json.body.entry.author.name }}"
+              "value": "={{ $json.body.owner_name }}"
             },
             {
               "id": "a4",
               "name": "decline_reason",
               "type": "string",
-              "value": "={{ $json.body.entry.business_review_feedback }}"
+              "value": "={{ $json.body.reason || $json.body.feedback || '' }}"
             }
           ]
         },
@@ -178,7 +178,8 @@
     "saveManualExecutions": true,
     "saveExecutionProgress": true,
     "callerPolicy": "workflowsFromSameOwner",
-    "availableInMCP": false
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
   },
   "staticData": null,
   "activeVersionId": null,
diff --git a/apps/automation/workflows/package-submission-received/workflow.json b/apps/automation/workflows/plugin-submission-received/workflow.json
similarity index 86%
rename from apps/automation/workflows/package-submission-received/workflow.json
rename to apps/automation/workflows/plugin-submission-received/workflow.json
index 5e12ad1..ee83707 100644
--- a/apps/automation/workflows/package-submission-received/workflow.json
+++ b/apps/automation/workflows/plugin-submission-received/workflow.json
@@ -1,5 +1,5 @@
 {
-  "name": "package-submission-received",
+  "name": "plugin-submission-received",
   "description": null,
   "nodes": [
     {
@@ -13,7 +13,7 @@
       ],
       "parameters": {
         "httpMethod": "POST",
-        "path": "strapi/package-submission-received",
+        "path": "strapi/plugin-submission-received",
         "authentication": "headerAuth",
         "responseMode": "onReceived",
         "responseData": "noData",
@@ -21,7 +21,7 @@
       },
       "onError": "continueRegularOutput",
       "alwaysOutputData": true,
-      "notes": "Fires from Strapi package.afterCreate lifecycle. Expects body.entry { id, name, git_repository, author { email, name } }. Requires header-auth credential in n8n.",
+      "notes": "Fired by the CMS moderation plugin after plugin-submission.createSubmission. Payload: flat { submissionId, plugin_name, owner_name, owner_email, repository_url, dashboard_link, ... }.",
       "webhookId": "e9741c13-e5b0-40a4-99a5-9a30031ea8a7"
     },
     {
@@ -42,37 +42,37 @@
               "id": "a1",
               "name": "package_id",
               "type": "string",
-              "value": "={{ $json.body.entry.id }}"
+              "value": "={{ $json.body.submissionId }}"
             },
             {
               "id": "a2",
               "name": "package_name",
               "type": "string",
-              "value": "={{ $json.body.entry.name }}"
+              "value": "={{ $json.body.plugin_name }}"
             },
             {
               "id": "a3",
               "name": "git_repository",
               "type": "string",
-              "value": "={{ $json.body.entry.git_repository }}"
+              "value": "={{ $json.body.repository_url }}"
             },
             {
               "id": "a4",
               "name": "author_email",
               "type": "string",
-              "value": "={{ $json.body.entry.author.email }}"
+              "value": "={{ $json.body.owner_email }}"
             },
             {
               "id": "a5",
               "name": "author_name",
               "type": "string",
-              "value": "={{ $json.body.entry.author.name }}"
+              "value": "={{ $json.body.owner_name }}"
             },
             {
               "id": "a6",
               "name": "dashboard_link",
               "type": "string",
-              "value": "=https://strapi.io/community/admin/content-manager/collectionType/api::package.package/{{ $json.body.entry.id }}"
+              "value": "={{ $json.body.dashboard_link }}"
             }
           ]
         },
@@ -166,7 +166,7 @@
               "id": "s1",
               "name": "text",
               "type": "string",
-              "value": "=:package: New package submission received: *{{ $json.package_name }}* by {{ $json.author_name }}\nRepo: {{ $json.git_repository }}\nReview: {{ $json.dashboard_link }}"
+              "value": "=:package: New *plugin* submission received: *{{ $json.package_name }}* by {{ $json.author_name }}\nRepo: {{ $json.git_repository }}\nReview: {{ $json.dashboard_link }}"
             }
           ]
         },
@@ -260,7 +260,8 @@
     "saveManualExecutions": true,
     "saveExecutionProgress": true,
     "callerPolicy": "workflowsFromSameOwner",
-    "availableInMCP": false
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
   },
   "staticData": null,
   "activeVersionId": null,
diff --git a/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json b/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json
index d0d7bbb..98ebe58 100644
--- a/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json
+++ b/apps/automation/workflows/render-email-shared-sub-workflow/workflow.json
@@ -182,7 +182,8 @@
     "saveManualExecutions": true,
     "saveExecutionProgress": true,
     "callerPolicy": "workflowsFromSameOwner",
-    "availableInMCP": false
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
   },
   "staticData": null,
   "activeVersionId": null,
diff --git a/apps/automation/workflows/scan-timeout-sweeper/workflow.json b/apps/automation/workflows/scan-timeout-sweeper/workflow.json
new file mode 100644
index 0000000..9fd2448
--- /dev/null
+++ b/apps/automation/workflows/scan-timeout-sweeper/workflow.json
@@ -0,0 +1,317 @@
+{
+  "name": "scan-timeout-sweeper",
+  "description": null,
+  "nodes": [
+    {
+      "id": "sticky-1",
+      "name": "About",
+      "type": "n8n-nodes-base.stickyNote",
+      "typeVersion": 1,
+      "position": [
+        120,
+        60
+      ],
+      "parameters": {
+        "content": "## Scan Timeout Sweeper\n\nRuns every 15 minutes. Finds submissions whose `security_scan_status='running'` with `updatedAt` older than 30 minutes \u2014 assumes they're stuck (workflow killed mid-run, n8n container restart, unrecoverable crash) \u2014 and PATCHes each to `security_scan_status='failed'` via the moderation content-api write-back route.\n\nHandles both plugin-submissions and template-submissions. Posts a Slack summary to `#integration-marketplace` when any stuck scans are swept, silent otherwise.\n\n**Required n8n env vars:**\n- `STRAPI_API_URL`\n\n**Required credentials:**\n- `httpHeaderAuth` \u2014 Strapi API token (shared with security-scan)",
+        "height": 300,
+        "width": 760,
+        "color": 6
+      }
+    },
+    {
+      "id": "schedule-1",
+      "name": "Every 15 Minutes",
+      "type": "n8n-nodes-base.scheduleTrigger",
+      "typeVersion": 1.2,
+      "position": [
+        160,
+        460
+      ],
+      "parameters": {
+        "rule": {
+          "interval": [
+            {
+              "field": "minutes",
+              "minutesInterval": 15
+            }
+          ]
+        }
+      }
+    },
+    {
+      "id": "compute-cutoff-1",
+      "name": "Compute Cutoff",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        380,
+        460
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\n  const cutoff = new Date(Date.now() - 30 * 60 * 1000).toISOString();\n  return [{ json: { cutoff } }];\n} catch (err) {\n  return [{ json: { cutoff: null, _node_error: err.message || String(err) } }];\n}"
+      },
+      "onError": "continueRegularOutput"
+    },
+    {
+      "id": "fetch-plugins-1",
+      "name": "Find Stale Plugin Scans",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        600,
+        360
+      ],
+      "parameters": {
+        "method": "GET",
+        "url": "={{ $env.STRAPI_API_URL }}/api/moderation/plugin-submissions/stale-scans",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendQuery": true,
+        "queryParameters": {
+          "parameters": [
+            {
+              "name": "cutoff",
+              "value": "={{ $json.cutoff }}"
+            }
+          ]
+        },
+        "options": {
+          "timeout": 15000,
+          "response": {
+            "response": {
+              "neverError": true,
+              "responseFormat": "json"
+            }
+          }
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "Content-api route (API-token auth) added to the moderation plugin specifically for the sweeper. Filters by security_scan_status='running' + security_scan_started_at < cutoff."
+    },
+    {
+      "id": "fetch-templates-1",
+      "name": "Find Stale Template Scans",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        600,
+        560
+      ],
+      "parameters": {
+        "method": "GET",
+        "url": "={{ $env.STRAPI_API_URL }}/api/moderation/template-submissions/stale-scans",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendQuery": true,
+        "queryParameters": {
+          "parameters": [
+            {
+              "name": "cutoff",
+              "value": "={{ $('Compute Cutoff').item.json.cutoff }}"
+            }
+          ]
+        },
+        "options": {
+          "timeout": 15000,
+          "response": {
+            "response": {
+              "neverError": true,
+              "responseFormat": "json"
+            }
+          }
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    },
+    {
+      "id": "collect-1",
+      "name": "Collect Stuck Scans",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        820,
+        460
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\n  const pluginRes = $('Find Stale Plugin Scans').first().json || {};\n  const templateRes = $('Find Stale Template Scans').first().json || {};\n\n  function extract(res, kind) {\n    const items = Array.isArray(res?.data) ? res.data : [];\n    return items\n      .map((item) => ({\n        kind,\n        documentId: item.documentId || item.id,\n        name: item.plugin_name || item.template_name || 'unknown',\n        started_at: item.security_scan_started_at || null,\n      }))\n      .filter((x) => x.documentId);\n  }\n\n  const stuck = [\n    ...extract(pluginRes, 'plugin'),\n    ...extract(templateRes, 'template'),\n  ];\n\n  if (stuck.length === 0) return [];\n  return stuck.map((s) => ({ json: s }));\n} catch (err) {\n  return [{ json: { _node_error: err.message || String(err) } }];\n}"
+      },
+      "onError": "continueRegularOutput",
+      "notes": "Returns one item per stuck submission so downstream runs once per. Returns [] (no items) when everything's healthy \u2014 downstream branches short-circuit."
+    },
+    {
+      "id": "mark-failed-1",
+      "name": "Mark Failed in Strapi",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        1040,
+        460
+      ],
+      "parameters": {
+        "method": "POST",
+        "url": "={{ $env.STRAPI_API_URL }}/api/moderation/{{ $json.kind === 'template' ? 'template-submissions' : 'plugin-submissions' }}/{{ $json.documentId }}/security-scan-result",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendBody": true,
+        "contentType": "json",
+        "specifyBody": "json",
+        "jsonBody": "={{ JSON.stringify({ stage: 'summary', status: 'failed', result: { runAt: new Date().toISOString(), error: 'Scan exceeded the 30-minute timeout and was reaped by scan-timeout-sweeper.', passed: false, reaped_at: new Date().toISOString(), started_at: $json.started_at } }) }}",
+        "options": {
+          "timeout": 15000
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    },
+    {
+      "id": "aggregate-1",
+      "name": "Aggregate Swept Count",
+      "type": "n8n-nodes-base.aggregate",
+      "typeVersion": 1,
+      "position": [
+        1260,
+        460
+      ],
+      "parameters": {
+        "aggregate": "aggregateAllItemData",
+        "options": {}
+      }
+    },
+    {
+      "id": "slack-1",
+      "name": "Notify #integration-marketplace",
+      "type": "n8n-nodes-base.slack",
+      "typeVersion": 2.4,
+      "position": [
+        1480,
+        460
+      ],
+      "parameters": {
+        "resource": "message",
+        "operation": "post",
+        "select": "channel",
+        "channelId": {
+          "__rl": true,
+          "mode": "name",
+          "value": "integration-marketplace"
+        },
+        "text": "=:broom: Swept {{ $json.data.length }} stuck security scan(s) past the 30-minute timeout.\n{{ $json.data.map(s => `\u2022 ${s.kind}: ${s.name} (${s.documentId}) \u2014 started ${s.started_at}`).join('\\n') }}",
+        "otherOptions": {}
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "webhookId": "77a3ebc1-9f2d-4e58-b1c3-0fa4d9e7b2c1"
+    }
+  ],
+  "connections": {
+    "Every 15 Minutes": {
+      "main": [
+        [
+          {
+            "node": "Compute Cutoff",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Compute Cutoff": {
+      "main": [
+        [
+          {
+            "node": "Find Stale Plugin Scans",
+            "type": "main",
+            "index": 0
+          },
+          {
+            "node": "Find Stale Template Scans",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Find Stale Plugin Scans": {
+      "main": [
+        [
+          {
+            "node": "Collect Stuck Scans",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Find Stale Template Scans": {
+      "main": [
+        [
+          {
+            "node": "Collect Stuck Scans",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Collect Stuck Scans": {
+      "main": [
+        [
+          {
+            "node": "Mark Failed in Strapi",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Mark Failed in Strapi": {
+      "main": [
+        [
+          {
+            "node": "Aggregate Swept Count",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Aggregate Swept Count": {
+      "main": [
+        [
+          {
+            "node": "Notify #integration-marketplace",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/security-scan/workflow.json b/apps/automation/workflows/security-scan/workflow.json
new file mode 100644
index 0000000..0ba3859
--- /dev/null
+++ b/apps/automation/workflows/security-scan/workflow.json
@@ -0,0 +1,568 @@
+{
+  "name": "security-scan",
+  "description": null,
+  "nodes": [
+    {
+      "id": "sticky-1",
+      "name": "About",
+      "type": "n8n-nodes-base.stickyNote",
+      "typeVersion": 1,
+      "position": [
+        120,
+        60
+      ],
+      "parameters": {
+        "content": "## Security Scan (issue #10)\n\nManually triggered from the Strapi moderation admin (cost control \u2014 not automatic on submit).\n\n**Payload is pre-enriched by the CMS.** The moderation plugin's `get-package-security-info.js` service reuses `package-info`'s registry extract patterns to fetch metadata before firing this webhook \u2014 so this workflow does not hit any registry directly.\n\nSupports both `plugin` and `template` submissions:\n- **plugin:** `package_info` is populated when a registry URL is provided (phase 1 = npm only; packagist/pypi/rubygems/nuget stubbed with `notImplemented: true`)\n- **template:** `package_info` is always null; scan is repo-only + AI\n\nTwo parallel branches:\n1. **Package scan** \u2014 OSV.dev vuln lookup + repo package.json cross-check + install-script flag\n2. **AI analysis** \u2014 Claude Haiku 4.5 reads the published README (falls back to submitted description) and flags supply-chain risks\n\nPer-stage results PATCH back via `POST /api/moderation/<plugin|template>-submissions/:documentId/security-scan-result`. Final summary sets `security_scan_status=completed`.\n\n**Inputs (POST body):**\n`{ submissionId, submission_kind: 'plugin'|'template', plugin_name, package_location, repository_url, readme, package_info | null }`\n\n**Required n8n credentials:**\n- `httpHeaderAuth` for the webhook (matches `N8N_WEBHOOK_AUTH_*` in CMS .env)\n- `httpHeaderAuth` separate for Strapi write-back (Strapi API token as `Authorization: Bearer ...`)\n- `httpHeaderAuth` separate for Anthropic API (`x-api-key: ...`)\n\n**Required n8n env vars:**\n- `STRAPI_API_URL` (base URL of the CMS)",
+        "height": 500,
+        "width": 980,
+        "color": 5
+      }
+    },
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Security Scan",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        160,
+        640
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/security-scan",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fired by the Strapi moderation admin. CMS has already set security_scan_status='running' before this request.",
+      "webhookId": "9f3c2a87-1e4b-4d6c-a2f8-5c6b7d8e9a11"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        380,
+        640
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "submissionId",
+              "type": "string",
+              "value": "={{ $json.body.submissionId }}"
+            },
+            {
+              "id": "a2",
+              "name": "submission_kind",
+              "type": "string",
+              "value": "={{ $json.body.submission_kind || 'plugin' }}"
+            },
+            {
+              "id": "a3",
+              "name": "plugin_name",
+              "type": "string",
+              "value": "={{ $json.body.plugin_name }}"
+            },
+            {
+              "id": "a4",
+              "name": "package_location",
+              "type": "string",
+              "value": "={{ $json.body.package_location || '' }}"
+            },
+            {
+              "id": "a5",
+              "name": "repository_url",
+              "type": "string",
+              "value": "={{ $json.body.repository_url }}"
+            },
+            {
+              "id": "a6",
+              "name": "readme",
+              "type": "string",
+              "value": "={{ $json.body.readme || '' }}"
+            },
+            {
+              "id": "a7",
+              "name": "package_info",
+              "type": "object",
+              "value": "={{ $json.body.package_info }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "parse-repo-1",
+      "name": "Parse Repo URL",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        600,
+        640
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\nconst item = $input.first().json;\nconst raw = (item.repository_url || '').trim();\n\nfunction parse(url) {\n  if (!url) return { provider: 'unknown' };\n  let href = url;\n  if (!/^https?:\\/\\//i.test(href)) href = 'https://' + href;\n  let u;\n  try { u = new URL(href); } catch { return { provider: 'unknown' }; }\n  const host = u.hostname.replace(/^www\\./i, '').toLowerCase();\n  const path = u.pathname.replace(/^\\//, '').replace(/\\.git$/, '').replace(/\\/$/, '');\n  if (host === 'github.com') {\n    const [owner, repo] = path.split('/');\n    if (!owner || !repo) return { provider: 'unknown' };\n    return { provider: 'github', owner, repo };\n  }\n  if (host === 'gitlab.com' || host.endsWith('.gitlab.com')) {\n    if (!path) return { provider: 'unknown' };\n    return { provider: 'gitlab', projectPath: path, encoded: encodeURIComponent(path) };\n  }\n  return { provider: 'unknown' };\n}\n\nreturn [{ json: { ...item, repo_info: parse(raw) } }];\n} catch (err) {\n  const errMsg = err && err.message ? err.message : String(err);\n  // Fallback shape so downstream nodes can proceed.\n  // Stage: parse-repo-1\n  return [{ json: { ...$input.first().json, repo_info: { provider: \"unknown\" }, _node_error: errMsg } }];\n}"
+      },
+      "notes": "Parses repository_url to extract provider/owner/repo \u2014 used only by the repo cross-check fetch below. GitLab / unknown providers cause the cross-check to fall through.",
+      "onError": "continueRegularOutput"
+    },
+    {
+      "id": "deps-fetch-1",
+      "name": "Fetch Repo package.json",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        820,
+        480
+      ],
+      "parameters": {
+        "method": "GET",
+        "url": "=https://raw.githubusercontent.com/{{ $json.repo_info.owner || 'unknown' }}/{{ $json.repo_info.repo || 'unknown' }}/HEAD/package.json",
+        "options": {
+          "timeout": 15000,
+          "response": {
+            "response": {
+              "neverError": true,
+              "responseFormat": "json"
+            }
+          }
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 2000,
+      "notes": "Cross-check only: fetches source repo's package.json to compare against the published artifact. GitLab / unknown providers return null; scan falls back to package-only analysis."
+    },
+    {
+      "id": "osv-build-1",
+      "name": "Build Package Scan Data",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        1040,
+        480
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\nconst repoPkg = $input.first().json;\nconst payload = $('Parse Repo URL').item.json;\nconst info = payload.package_info || null;\nconst kind = payload.submission_kind || 'plugin';\n\nconst repoValid = repoPkg && typeof repoPkg === 'object' && !Array.isArray(repoPkg) && !repoPkg.error && Object.keys(repoPkg).length > 0;\nconst pkgAvailable = !!(info && info.available);\n\n// Dependencies source: published package first, repo fallback.\nconst pkgDeps = pkgAvailable ? { ...(info.dependencies || {}), ...(info.peerDependencies || {}) } : {};\nconst repoDeps = repoValid ? { ...(repoPkg.dependencies || {}), ...(repoPkg.peerDependencies || {}) } : {};\nconst depsSource = pkgAvailable ? 'registry' : (repoValid ? 'repo' : 'none');\nconst deps = depsSource === 'registry' ? pkgDeps : (depsSource === 'repo' ? repoDeps : {});\n\n// OSV ecosystem tag from the pre-detected registry, default to npm.\nconst ecosystem = info?.ecosystem || 'npm';\n\nfunction cleanVersion(raw) {\n  if (typeof raw !== 'string') return null;\n  const match = raw.match(/\\d+\\.\\d+\\.\\d+/);\n  return match ? match[0] : null;\n}\n\nconst queries = Object.entries(deps)\n  .map(([name, version]) => {\n    const v = cleanVersion(version);\n    if (!v) return null;\n    return { package: { name, ecosystem }, version: v };\n  })\n  .filter(Boolean)\n  .slice(0, 100);\n\n// Cross-check published vs repo (only when BOTH are present).\nconst mismatches = [];\nif (pkgAvailable && repoValid) {\n  ['preinstall', 'install', 'postinstall'].forEach((k) => {\n    const pkgVal = info.scripts?.[k] || null;\n    const repoVal = repoPkg.scripts?.[k] || null;\n    if (pkgVal !== repoVal) {\n      mismatches.push({ kind: 'install_script_divergence', script: k, published: pkgVal, repo: repoVal });\n    }\n  });\n  const pkgSet = new Set(Object.keys(pkgDeps));\n  const repoSet = new Set(Object.keys(repoDeps));\n  const onlyInPkg = [...pkgSet].filter((n) => !repoSet.has(n));\n  const onlyInRepo = [...repoSet].filter((n) => !pkgSet.has(n));\n  if (onlyInPkg.length > 0) mismatches.push({ kind: 'deps_only_in_published', names: onlyInPkg.slice(0, 20) });\n  if (onlyInRepo.length > 0) mismatches.push({ kind: 'deps_only_in_repo', names: onlyInRepo.slice(0, 20) });\n  const submitted = (payload.repository_url || '').toLowerCase();\n  const declared = (info.declaredRepository || '').toLowerCase();\n  const owner = payload.repo_info?.owner?.toLowerCase();\n  if (declared && submitted && owner && !declared.includes(owner)) {\n    mismatches.push({ kind: 'declared_repo_vs_submitted', submitted, declared });\n  }\n}\n\nconst hasInstallScripts = pkgAvailable && Object.keys(info.installScripts || {}).length > 0;\n\nreturn [{\n  json: {\n    queries,\n    _skipped: queries.length === 0,\n    _reason: queries.length === 0 ? `No dependencies to scan (source: ${depsSource}).` : null,\n    ecosystem,\n    depsSource,\n    kind,\n    hasInstallScripts,\n    install_scripts: pkgAvailable ? info.installScripts || {} : {},\n    mismatches,\n    registry_available: pkgAvailable,\n    not_implemented: info?.notImplemented === true,\n    registry: info?.registry || null,\n    packageName: info?.packageName || null,\n    version: info?.version || null,\n    dist: info?.dist || null,\n  },\n}];\n} catch (err) {\n  const errMsg = err && err.message ? err.message : String(err);\n  // Fallback shape so downstream nodes can proceed.\n  // Stage: osv-build-1\n  return [{ json: { queries: [], _skipped: true, _reason: \"Build Package Scan Data threw: \" + errMsg, ecosystem: \"npm\", depsSource: \"none\", kind: null, hasInstallScripts: false, install_scripts: {}, mismatches: [], registry_available: false, not_implemented: false, registry: null, packageName: null, version: null, dist: null, _node_error: errMsg } }];\n}"
+      },
+      "notes": "Consolidates the pre-fetched package_info with the repo cross-check. Uses the package_info.ecosystem for the OSV ecosystem tag. For template submissions (no package_info), only repo-side deps feed OSV.",
+      "onError": "continueRegularOutput"
+    },
+    {
+      "id": "osv-http-1",
+      "name": "OSV.dev Batch Query",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        1260,
+        480
+      ],
+      "parameters": {
+        "method": "POST",
+        "url": "https://api.osv.dev/v1/querybatch",
+        "sendBody": true,
+        "contentType": "json",
+        "specifyBody": "json",
+        "jsonBody": "={{ JSON.stringify({ queries: $json.queries }) }}",
+        "options": {
+          "timeout": 30000
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "Free, unauthenticated. Supports all 5 ecosystems (npm, Packagist, PyPI, RubyGems, NuGet)."
+    },
+    {
+      "id": "deps-format-1",
+      "name": "Format Package Scan Result",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        1480,
+        480
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\nconst osv = $input.first().json || {};\nconst batch = $('Build Package Scan Data').item.json;\nconst results = Array.isArray(osv.results) ? osv.results : [];\n\nconst common = {\n  runAt: new Date().toISOString(),\n  deps_source: batch.depsSource,\n  ecosystem: batch.ecosystem,\n  registry: batch.registry,\n  registry_available: batch.registry_available,\n  not_implemented: batch.not_implemented,\n  package_name: batch.packageName,\n  version: batch.version,\n  dist: batch.dist,\n  install_scripts: batch.install_scripts,\n  has_install_scripts: batch.hasInstallScripts,\n  cross_check_mismatches: batch.mismatches,\n};\n\nif (batch._skipped) {\n  return [{\n    json: {\n      stage: 'dependencies',\n      result: {\n        ...common,\n        skipped: true,\n        message: batch._reason || 'No dependencies to scan.',\n      },\n    },\n  }];\n}\n\nconst vulnerable = [];\nresults.forEach((r, idx) => {\n  if (r && Array.isArray(r.vulns) && r.vulns.length > 0) {\n    const q = batch.queries[idx];\n    vulnerable.push({\n      package: q.package.name,\n      version: q.version,\n      vulnIds: r.vulns.map((v) => v.id),\n    });\n  }\n});\n\nconst passed = vulnerable.length === 0 && !batch.hasInstallScripts && batch.mismatches.length === 0;\n\nreturn [{\n  json: {\n    stage: 'dependencies',\n    result: {\n      ...common,\n      scanned: batch.queries.length,\n      vulnerable_count: vulnerable.length,\n      vulnerable,\n      passed,\n    },\n  },\n}];\n} catch (err) {\n  const errMsg = err && err.message ? err.message : String(err);\n  // Fallback shape so downstream nodes can proceed.\n  // Stage: deps-format-1\n  return [{ json: { stage: \"dependencies\", result: { runAt: new Date().toISOString(), error: errMsg, passed: false, skipped: true, message: \"Format Package Scan Result threw: \" + errMsg } } }];\n}"
+      },
+      "onError": "continueRegularOutput"
+    },
+    {
+      "id": "deps-patch-1",
+      "name": "PATCH Scan Result",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        1700,
+        480
+      ],
+      "parameters": {
+        "method": "POST",
+        "url": "={{ $env.STRAPI_API_URL }}/api/moderation/{{ $('Extract Payload').item.json.submission_kind === 'template' ? 'template-submissions' : 'plugin-submissions' }}/{{ $('Extract Payload').item.json.submissionId }}/security-scan-result",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendBody": true,
+        "contentType": "json",
+        "specifyBody": "json",
+        "jsonBody": "={{ JSON.stringify({ stage: $json.stage, result: $json.result }) }}",
+        "options": {
+          "timeout": 15000
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "Writes the package scan stage result. URL path flips between plugin-submissions and template-submissions based on the submission_kind field."
+    },
+    {
+      "id": "fetch-code-1",
+      "name": "Fetch Package Code",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        820,
+        800
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\nconst payload = $input.first().json;\nconst info = payload.package_info || null;\nconst repo = payload.repo_info || {};\n\nconst ALLOW_EXT = /\\.(js|ts|mjs|cjs|jsx|tsx)$/;\nconst SKIP_PATTERNS = [/node_modules/, /\\.git/, /(^|\\/)test[s]?\\//, /\\.test\\./, /\\.spec\\./, /\\.d\\.ts$/, /\\.min\\.(js|css)$/, /\\.map$/, /(^|\\/)examples?\\//, /(^|\\/)docs?\\//, /(^|\\/)fixtures?\\//];\nconst PER_FILE_CAP = 10000;\nconst TOTAL_BUDGET = 100000;\nconst MAX_FILES = 20;\n\nfunction keepPath(path) {\n  if (!ALLOW_EXT.test(path)) return false;\n  return !SKIP_PATTERNS.some((r) => r.test(path));\n}\n\nfunction escRe(s) {\n  return s.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\n}\n\nasync function loadNpmTree(name, version) {\n  try {\n    const res = await fetch(`https://data.jsdelivr.com/v1/package/npm/${encodeURIComponent(name)}@${encodeURIComponent(version)}`);\n    if (!res.ok) return null;\n    const tree = await res.json();\n    const files = [];\n    function walk(node, prefix) {\n      if (node.type === 'file') {\n        const full = prefix + '/' + node.name;\n        if (keepPath(full)) files.push({ path: full, size: node.size || 0 });\n      } else if (Array.isArray(node.files)) {\n        node.files.forEach((c) => walk(c, prefix + '/' + node.name));\n      }\n    }\n    if (Array.isArray(tree.files)) tree.files.forEach((f) => walk(f, ''));\n    return {\n      source: 'npm:jsdelivr',\n      files,\n      fetchUrl: (p) => `https://cdn.jsdelivr.net/npm/${encodeURIComponent(name)}@${encodeURIComponent(version)}${p}`,\n    };\n  } catch {\n    return null;\n  }\n}\n\nasync function loadGitHubTree(owner, repoName) {\n  try {\n    const res = await fetch(`https://api.github.com/repos/${owner}/${repoName}/git/trees/HEAD?recursive=1`, {\n      headers: { Accept: 'application/vnd.github+json' },\n    });\n    if (!res.ok) return null;\n    const tree = await res.json();\n    const files = (tree.tree || [])\n      .filter((n) => n.type === 'blob')\n      .map((n) => ({ path: '/' + n.path, size: n.size || 0 }))\n      .filter((f) => keepPath(f.path));\n    return {\n      source: 'github:raw',\n      files,\n      fetchUrl: (p) => `https://raw.githubusercontent.com/${owner}/${repoName}/HEAD${p}`,\n    };\n  } catch {\n    return null;\n  }\n}\n\nlet scanner = null;\nif (info?.available && info.registry === 'npm') {\n  scanner = await loadNpmTree(info.packageName, info.version);\n}\nif (!scanner && repo.provider === 'github') {\n  scanner = await loadGitHubTree(repo.owner, repo.repo);\n}\n\nif (!scanner) {\n  return [{ json: { ...payload, package_code: null, files_scanned: 0, files_available: 0, bytes_scanned: 0, scan_source: null } }];\n}\n\n// Prioritisation: install scripts, main entry, bin/, common entry names, src/, then small files.\nconst priorityRegex = [];\nObject.values(info?.installScripts || {}).forEach((s) => {\n  const m = typeof s === 'string' ? s.match(/\\S+\\.(?:js|ts|mjs|cjs)/) : null;\n  if (m) priorityRegex.push(new RegExp(escRe(m[0]) + '$'));\n});\npriorityRegex.push(/\\/bin\\//);\npriorityRegex.push(/^\\/(index|main|entry|cli)\\.(js|ts|mjs|cjs)$/);\npriorityRegex.push(/^\\/src\\//);\n\nfunction priority(p) {\n  for (let i = 0; i < priorityRegex.length; i++) if (priorityRegex[i].test(p)) return i;\n  return 999;\n}\n\nscanner.files.sort((a, b) => priority(a.path) - priority(b.path) || a.size - b.size);\nconst candidates = scanner.files.slice(0, MAX_FILES);\n\nconst contents = await Promise.all(candidates.map(async (f) => {\n  try {\n    const res = await fetch(scanner.fetchUrl(f.path));\n    if (!res.ok) return null;\n    const text = await res.text();\n    return { path: f.path, body: text.slice(0, PER_FILE_CAP), bytes: Math.min(text.length, PER_FILE_CAP) };\n  } catch {\n    return null;\n  }\n}));\n\nconst included = [];\nlet used = 0;\nfor (const c of contents) {\n  if (!c) continue;\n  if (used + c.bytes > TOTAL_BUDGET) break;\n  included.push(c);\n  used += c.bytes;\n}\n\nconst code = included.map((c) => `// ==== ${c.path} (${c.bytes} bytes) ====\\n${c.body}`).join('\\n\\n');\n\nreturn [{\n  json: {\n    ...payload,\n    package_code: code || null,\n    files_scanned: included.length,\n    files_available: scanner.files.length,\n    bytes_scanned: used,\n    scan_source: scanner.source,\n  },\n}];\n} catch (err) {\n  const errMsg = err && err.message ? err.message : String(err);\n  // Fallback shape so downstream nodes can proceed.\n  // Stage: fetch-code-1\n  return [{ json: { ...$input.first().json, package_code: null, files_scanned: 0, files_available: 0, bytes_scanned: 0, scan_source: null, _node_error: errMsg } }];\n}"
+      },
+      "onError": "continueRegularOutput",
+      "notes": "Fetches up to 20 source files from the PUBLISHED package (npm via jsDelivr CDN) or the source repo (GitHub for templates / repo fallback). JS/TS only; skips tests / docs / min / node_modules. 10KB per file, 100KB total \u2014 feeds into Claude's user message so the AI can review actual runtime code, not just README/metadata."
+    },
+    {
+      "id": "ai-http-1",
+      "name": "Claude Haiku Security Analysis",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        1040,
+        800
+      ],
+      "parameters": {
+        "method": "POST",
+        "url": "https://api.anthropic.com/v1/messages",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendHeaders": true,
+        "headerParameters": {
+          "parameters": [
+            {
+              "name": "anthropic-version",
+              "value": "2023-06-01"
+            }
+          ]
+        },
+        "sendBody": true,
+        "contentType": "json",
+        "specifyBody": "json",
+        "jsonBody": "={{ JSON.stringify({ model: 'claude-haiku-4-5', max_tokens: 1024, system: 'You are a security auditor reviewing a Strapi community submission. You are given package metadata, install-time scripts, the README, and ACTUAL SOURCE FILES from the published package (or source repo for templates). Read the source files carefully \u2014 runtime exfiltration, credential theft, obfuscation, and suspicious network calls often hide in main entry files or bin scripts, not the README. Prioritise supply-chain signals: install-time scripts, typosquatting, mismatches between the published artifact and its source repo, obfuscated or minified code, dynamic eval / Function constructor use, network calls to unknown hosts, filesystem writes outside package dir. Respond ONLY with valid JSON matching this schema: {\"risk_level\":\"low|medium|high\",\"summary\":\"<one-sentence verdict>\",\"concerns\":[\"<concern>\",...],\"red_flags\":[\"<flag>\",...],\"recommendation\":\"approve|request_changes|reject\"}. Do not include explanation text outside the JSON.', messages: [{ role: 'user', content: `Submission kind: ${$json.submission_kind}\\nName: ${$json.plugin_name}\\npackage_location: ${$json.package_location || '(none \u2014 template or no registry URL)'}\\nregistry: ${$json.package_info?.registry || 'n/a'}\\nregistry_available: ${$json.package_info?.available ? 'yes' : 'no'}${$json.package_info?.notImplemented ? ' (deep scan not yet implemented for this registry)' : ''}\\nVersion: ${$json.package_info?.version || 'n/a'}\\nSubmitted repo: ${$json.repository_url}\\nDeclared repo on published artifact: ${$json.package_info?.declaredRepository || '(none declared)'}\\n\\nInstall-time scripts on the published artifact (immediate red flag if any are non-trivial):\\n${JSON.stringify($json.package_info?.installScripts || {}, null, 2)}\\n\\nSource files scanned: ${$json.files_scanned} of ${$json.files_available} (${$json.bytes_scanned} bytes, source: ${$json.scan_source || 'none'}).\\n\\nREADME:\\n---\\n${(($json.package_info?.readme || $json.readme) || '(no README available)').toString().slice(0, 8000)}\\n---\\n\\nSOURCE FILES (truncated per-file + overall):\\n---\\n${$json.package_code || '(no source files could be fetched)'}\\n---\\n\\nReview the code above against the schema. Output JSON only.` }] }) }}",
+        "options": {
+          "timeout": 45000
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 5000,
+      "notes": "Uses Claude Haiku 4.5 (claude-haiku-4-5). Prompt includes supply-chain context: install scripts, published vs submitted repo, package version. Structured JSON parsed in the next node."
+    },
+    {
+      "id": "ai-format-1",
+      "name": "Format AI Result",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        1260,
+        800
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\nconst res = $input.first().json || {};\nconst fetchCodeOut = $('Fetch Package Code').item.json;\nconst text = res?.content?.[0]?.text || '';\nlet parsed = null;\nlet parseError = null;\ntry {\n  const match = text.match(/\\{[\\s\\S]*\\}/);\n  if (match) parsed = JSON.parse(match[0]);\n} catch (err) {\n  parseError = err.message;\n}\n\nreturn [{\n  json: {\n    stage: 'ai_analysis',\n    result: {\n      runAt: new Date().toISOString(),\n      model: 'claude-haiku-4-5',\n      raw_text: text,\n      parsed,\n      parse_error: parseError,\n      usage: res?.usage || null,\n      files_scanned: fetchCodeOut?.files_scanned ?? 0,\n      files_available: fetchCodeOut?.files_available ?? 0,\n      bytes_scanned: fetchCodeOut?.bytes_scanned ?? 0,\n      scan_source: fetchCodeOut?.scan_source || null,\n    },\n  },\n}];\n} catch (err) {\n  const errMsg = err && err.message ? err.message : String(err);\n  // Fallback shape so downstream nodes can proceed.\n  // Stage: ai-format-1\n  return [{ json: { stage: \"ai_analysis\", result: { runAt: new Date().toISOString(), error: errMsg, parsed: null, parse_error: errMsg, model: \"claude-haiku-4-5\", raw_text: null } } }];\n}"
+      },
+      "onError": "continueRegularOutput"
+    },
+    {
+      "id": "ai-patch-1",
+      "name": "PATCH AI Result",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        1480,
+        800
+      ],
+      "parameters": {
+        "method": "POST",
+        "url": "={{ $env.STRAPI_API_URL }}/api/moderation/{{ $('Extract Payload').item.json.submission_kind === 'template' ? 'template-submissions' : 'plugin-submissions' }}/{{ $('Extract Payload').item.json.submissionId }}/security-scan-result",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendBody": true,
+        "contentType": "json",
+        "specifyBody": "json",
+        "jsonBody": "={{ JSON.stringify({ stage: $json.stage, result: $json.result }) }}",
+        "options": {
+          "timeout": 15000
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    },
+    {
+      "id": "merge-1",
+      "name": "Wait for All Stages",
+      "type": "n8n-nodes-base.merge",
+      "typeVersion": 3.2,
+      "position": [
+        1920,
+        640
+      ],
+      "parameters": {
+        "mode": "combine",
+        "combineBy": "combineByPosition",
+        "numberInputs": 2,
+        "options": {
+          "includeUnpaired": true
+        }
+      },
+      "notes": "Waits for both branches (package scan + AI) to emit per-stage results, then combines them into one item with fields from each branch."
+    },
+    {
+      "id": "summary-1",
+      "name": "Build Summary",
+      "type": "n8n-nodes-base.code",
+      "typeVersion": 2,
+      "position": [
+        2140,
+        640
+      ],
+      "parameters": {
+        "language": "javaScript",
+        "jsCode": "try {\nconst merged = $input.first().json;\n\nfunction pick(stageName) {\n  const stages = Array.isArray(merged.stage) ? merged.stage : [merged.stage];\n  const results = Array.isArray(merged.result) ? merged.result : [merged.result];\n  for (let i = 0; i < stages.length; i++) {\n    if (stages[i] === stageName) return results[i];\n  }\n  return null;\n}\n\nconst depsR = pick('dependencies');\nconst aiR = pick('ai_analysis');\n\nfunction stagePassed(r) {\n  if (!r) return null;\n  if (r.skipped) return null;\n  if (typeof r.passed === 'boolean') return r.passed;\n  return null;\n}\n\nconst summary = {\n  runAt: new Date().toISOString(),\n  dependencies_passed: stagePassed(depsR),\n  ai_risk_level: aiR?.parsed?.risk_level ?? null,\n  ai_recommendation: aiR?.parsed?.recommendation ?? null,\n  ai_files_scanned: aiR?.files_scanned ?? null,\n  ai_files_available: aiR?.files_available ?? null,\n  ai_scan_source: aiR?.scan_source ?? null,\n  ai_bytes_scanned: aiR?.bytes_scanned ?? null,\n  vulnerable_dep_count: depsR?.vulnerable_count ?? null,\n  ai_concern_count: Array.isArray(aiR?.parsed?.concerns) ? aiR.parsed.concerns.length : null,\n  registry: depsR?.registry ?? null,\n  registry_available: depsR?.registry_available ?? null,\n  not_implemented: depsR?.not_implemented ?? null,\n  package_name: depsR?.package_name ?? null,\n  version: depsR?.version ?? null,\n  has_install_scripts: depsR?.has_install_scripts ?? null,\n  install_scripts: depsR?.install_scripts ?? null,\n  cross_check_mismatch_count: Array.isArray(depsR?.cross_check_mismatches) ? depsR.cross_check_mismatches.length : null,\n};\n\nreturn [{ json: { stage: 'summary', result: summary, status: 'completed' } }];\n} catch (err) {\n  const errMsg = err && err.message ? err.message : String(err);\n  // Fallback shape so downstream nodes can proceed.\n  // Stage: summary-1\n  return [{ json: { stage: \"summary\", result: { runAt: new Date().toISOString(), error: errMsg, passed: false }, status: \"failed\" } }];\n}"
+      },
+      "onError": "continueRegularOutput"
+    },
+    {
+      "id": "summary-patch-1",
+      "name": "PATCH Summary + Complete",
+      "type": "n8n-nodes-base.httpRequest",
+      "typeVersion": 4.2,
+      "position": [
+        2360,
+        640
+      ],
+      "parameters": {
+        "method": "POST",
+        "url": "={{ $env.STRAPI_API_URL }}/api/moderation/{{ $('Extract Payload').item.json.submission_kind === 'template' ? 'template-submissions' : 'plugin-submissions' }}/{{ $('Extract Payload').item.json.submissionId }}/security-scan-result",
+        "authentication": "genericCredentialType",
+        "genericAuthType": "httpHeaderAuth",
+        "sendBody": true,
+        "contentType": "json",
+        "specifyBody": "json",
+        "jsonBody": "={{ JSON.stringify({ stage: $json.stage, result: $json.result, status: $json.status }) }}",
+        "options": {
+          "timeout": 15000
+        }
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "Final write-back: stores summary blob and flips security_scan_status to 'completed'."
+    }
+  ],
+  "connections": {
+    "Webhook: Security Scan": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Parse Repo URL",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Parse Repo URL": {
+      "main": [
+        [
+          {
+            "node": "Fetch Repo package.json",
+            "type": "main",
+            "index": 0
+          },
+          {
+            "node": "Fetch Package Code",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Fetch Package Code": {
+      "main": [
+        [
+          {
+            "node": "Claude Haiku Security Analysis",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Fetch Repo package.json": {
+      "main": [
+        [
+          {
+            "node": "Build Package Scan Data",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Package Scan Data": {
+      "main": [
+        [
+          {
+            "node": "OSV.dev Batch Query",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "OSV.dev Batch Query": {
+      "main": [
+        [
+          {
+            "node": "Format Package Scan Result",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Format Package Scan Result": {
+      "main": [
+        [
+          {
+            "node": "PATCH Scan Result",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "PATCH Scan Result": {
+      "main": [
+        [
+          {
+            "node": "Wait for All Stages",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Claude Haiku Security Analysis": {
+      "main": [
+        [
+          {
+            "node": "Format AI Result",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Format AI Result": {
+      "main": [
+        [
+          {
+            "node": "PATCH AI Result",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "PATCH AI Result": {
+      "main": [
+        [
+          {
+            "node": "Wait for All Stages",
+            "type": "main",
+            "index": 1
+          }
+        ]
+      ]
+    },
+    "Wait for All Stages": {
+      "main": [
+        [
+          {
+            "node": "Build Summary",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Summary": {
+      "main": [
+        [
+          {
+            "node": "PATCH Summary + Complete",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/template-approved/workflow.json b/apps/automation/workflows/template-approved/workflow.json
new file mode 100644
index 0000000..7262f18
--- /dev/null
+++ b/apps/automation/workflows/template-approved/workflow.json
@@ -0,0 +1,270 @@
+{
+  "name": "template-approved",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Package Approved",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/template-approved",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fired by the CMS moderation plugin after template-submission.decide with status='approved'.",
+      "webhookId": "b6fa08e1-08dc-4a91-beaa-0aab4b4f39f8"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_id",
+              "type": "string",
+              "value": "={{ $json.body.submissionId }}"
+            },
+            {
+              "id": "a2",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.template_name }}"
+            },
+            {
+              "id": "a3",
+              "name": "package_slug",
+              "type": "string",
+              "value": ""
+            },
+            {
+              "id": "a4",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.owner_email }}"
+            },
+            {
+              "id": "a5",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.owner_name }}"
+            },
+            {
+              "id": "a6",
+              "name": "marketplace_link",
+              "type": "string",
+              "value": "={{ $json.body.demo_url || $json.body.repository_url }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        200
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "template-approved"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, marketplace_link: $json.marketplace_link } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        200
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    },
+    {
+      "id": "build-slack-1",
+      "name": "Build Slack Message",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        400
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "s1",
+              "name": "text",
+              "type": "string",
+              "value": "=:white_check_mark: *Template* approved: *{{ $json.package_name }}* by {{ $json.author_name }}\nLive: {{ $json.marketplace_link }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "slack-1",
+      "name": "Notify #integration-marketplace",
+      "type": "n8n-nodes-base.slack",
+      "typeVersion": 2.4,
+      "position": [
+        900,
+        400
+      ],
+      "parameters": {
+        "resource": "message",
+        "operation": "post",
+        "select": "channel",
+        "channelId": {
+          "__rl": true,
+          "mode": "name",
+          "value": "integration-marketplace"
+        },
+        "text": "={{ $json.text }}",
+        "otherOptions": {}
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "webhookId": "a41686e3-5d7a-4d21-b75b-09698c7fb293"
+    }
+  ],
+  "connections": {
+    "Webhook: Package Approved": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          },
+          {
+            "node": "Build Slack Message",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Slack Message": {
+      "main": [
+        [
+          {
+            "node": "Notify #integration-marketplace",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/template-declined/workflow.json b/apps/automation/workflows/template-declined/workflow.json
new file mode 100644
index 0000000..aa48783
--- /dev/null
+++ b/apps/automation/workflows/template-declined/workflow.json
@@ -0,0 +1,189 @@
+{
+  "name": "template-declined",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Package Declined",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/template-declined",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fired by the CMS moderation plugin after template-submission.decide with status='rejected'. Payload: flat { submissionId, template_name, owner_email, reason, feedback, ... }.",
+      "webhookId": "7caa3379-0c9e-42cb-8dc2-40c77b17e800"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.template_name }}"
+            },
+            {
+              "id": "a2",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.owner_email }}"
+            },
+            {
+              "id": "a3",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.owner_name }}"
+            },
+            {
+              "id": "a4",
+              "name": "decline_reason",
+              "type": "string",
+              "value": "={{ $json.body.reason || $json.body.feedback || '' }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "template-declined"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, decline_reason: $json.decline_reason } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        300
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000
+    }
+  ],
+  "connections": {
+    "Webhook: Package Declined": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}
diff --git a/apps/automation/workflows/template-submission-received/workflow.json b/apps/automation/workflows/template-submission-received/workflow.json
new file mode 100644
index 0000000..a3aa193
--- /dev/null
+++ b/apps/automation/workflows/template-submission-received/workflow.json
@@ -0,0 +1,271 @@
+{
+  "name": "template-submission-received",
+  "description": null,
+  "nodes": [
+    {
+      "id": "webhook-1",
+      "name": "Webhook: Submission Received",
+      "type": "n8n-nodes-base.webhook",
+      "typeVersion": 2.1,
+      "position": [
+        240,
+        300
+      ],
+      "parameters": {
+        "httpMethod": "POST",
+        "path": "strapi/template-submission-received",
+        "authentication": "headerAuth",
+        "responseMode": "onReceived",
+        "responseData": "noData",
+        "options": {}
+      },
+      "onError": "continueRegularOutput",
+      "alwaysOutputData": true,
+      "notes": "Fired by the CMS moderation plugin after template-submission.createSubmission. Payload: flat { submissionId, template_name, owner_name, owner_email, repository_url, dashboard_link, ... }.",
+      "webhookId": "5d81dc37-06f1-44c7-a80b-df2d1e38ee1f"
+    },
+    {
+      "id": "extract-1",
+      "name": "Extract Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        460,
+        300
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "a1",
+              "name": "package_id",
+              "type": "string",
+              "value": "={{ $json.body.submissionId }}"
+            },
+            {
+              "id": "a2",
+              "name": "package_name",
+              "type": "string",
+              "value": "={{ $json.body.template_name }}"
+            },
+            {
+              "id": "a3",
+              "name": "git_repository",
+              "type": "string",
+              "value": "={{ $json.body.repository_url }}"
+            },
+            {
+              "id": "a4",
+              "name": "author_email",
+              "type": "string",
+              "value": "={{ $json.body.owner_email }}"
+            },
+            {
+              "id": "a5",
+              "name": "author_name",
+              "type": "string",
+              "value": "={{ $json.body.owner_name }}"
+            },
+            {
+              "id": "a6",
+              "name": "dashboard_link",
+              "type": "string",
+              "value": "={{ $json.body.dashboard_link }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "build-email-1",
+      "name": "Build Email Payload",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        200
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "b1",
+              "name": "template_key",
+              "type": "string",
+              "value": "template-submission-received"
+            },
+            {
+              "id": "b2",
+              "name": "to_email",
+              "type": "string",
+              "value": "={{ $json.author_email }}"
+            },
+            {
+              "id": "b3",
+              "name": "to_name",
+              "type": "string",
+              "value": "={{ $json.author_name }}"
+            },
+            {
+              "id": "b4",
+              "name": "variables",
+              "type": "object",
+              "value": "={{ { package_name: $json.package_name, author_name: $json.author_name, git_repository: $json.git_repository } }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "send-email-1",
+      "name": "Send Developer Email",
+      "type": "n8n-nodes-base.executeWorkflow",
+      "typeVersion": 1.1,
+      "position": [
+        900,
+        200
+      ],
+      "parameters": {
+        "source": "database",
+        "workflowId": {
+          "__rl": true,
+          "mode": "id",
+          "value": "1MgLRIjI37T2Kd5W"
+        },
+        "mode": "once",
+        "options": {}
+      },
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "notes": "Calls render-email sub-workflow. TODO when n8n UI available: bump to typeVersion 1.3 and use resourceMapper for typed inputs."
+    },
+    {
+      "id": "build-slack-1",
+      "name": "Build Slack Message",
+      "type": "n8n-nodes-base.set",
+      "typeVersion": 3.4,
+      "position": [
+        680,
+        400
+      ],
+      "parameters": {
+        "mode": "manual",
+        "duplicateItem": false,
+        "assignments": {
+          "assignments": [
+            {
+              "id": "s1",
+              "name": "text",
+              "type": "string",
+              "value": "=:clipboard: New *template* submission received: *{{ $json.package_name }}* by {{ $json.author_name }}\nRepo: {{ $json.git_repository }}\nReview: {{ $json.dashboard_link }}"
+            }
+          ]
+        },
+        "includeOtherFields": false,
+        "options": {}
+      }
+    },
+    {
+      "id": "slack-1",
+      "name": "Notify #integration-marketplace",
+      "type": "n8n-nodes-base.slack",
+      "typeVersion": 2.4,
+      "position": [
+        900,
+        400
+      ],
+      "parameters": {
+        "resource": "message",
+        "operation": "post",
+        "select": "channel",
+        "channelId": {
+          "__rl": true,
+          "mode": "name",
+          "value": "integration-marketplace"
+        },
+        "text": "={{ $json.text }}",
+        "otherOptions": {}
+      },
+      "onError": "continueRegularOutput",
+      "retryOnFail": true,
+      "maxTries": 2,
+      "waitBetweenTries": 3000,
+      "webhookId": "693a18d9-9d21-43bc-b24e-4397280404dd"
+    }
+  ],
+  "connections": {
+    "Webhook: Submission Received": {
+      "main": [
+        [
+          {
+            "node": "Extract Payload",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Extract Payload": {
+      "main": [
+        [
+          {
+            "node": "Build Email Payload",
+            "type": "main",
+            "index": 0
+          },
+          {
+            "node": "Build Slack Message",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Email Payload": {
+      "main": [
+        [
+          {
+            "node": "Send Developer Email",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    },
+    "Build Slack Message": {
+      "main": [
+        [
+          {
+            "node": "Notify #integration-marketplace",
+            "type": "main",
+            "index": 0
+          }
+        ]
+      ]
+    }
+  },
+  "settings": {
+    "executionOrder": "v1",
+    "saveDataErrorExecution": "all",
+    "saveDataSuccessExecution": "all",
+    "saveManualExecutions": true,
+    "saveExecutionProgress": true,
+    "callerPolicy": "workflowsFromSameOwner",
+    "availableInMCP": false,
+    "errorWorkflow": "SYm72hu6NXus7iah"
+  },
+  "staticData": null,
+  "activeVersionId": null,
+  "versionCounter": 1,
+  "tags": [],
+  "activeVersion": null
+}

From b67bfa64f020ce1d374709a23632adba76092ee7 Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 14:31:00 -0700
Subject: [PATCH 12/26] feat(web): submit form accepts multi-registry package
 URL
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace npm_package_name field with package_location (URL) on the plugin
  submission form + Next.js proxy route — matches the renamed CMS field
- Label "NPM Package Name" -> "Registry URL", hint generalised to cover npm,
  Packagist, PyPI, RubyGems, NuGet

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/web/src/app/api/submit-plugin/route.ts |  2 +-
 apps/web/src/app/submit/plugin/page.tsx     | 21 +++++++++++----------
 2 files changed, 12 insertions(+), 11 deletions(-)

diff --git a/apps/web/src/app/api/submit-plugin/route.ts b/apps/web/src/app/api/submit-plugin/route.ts
index c04cbdb..b5f26bd 100644
--- a/apps/web/src/app/api/submit-plugin/route.ts
+++ b/apps/web/src/app/api/submit-plugin/route.ts
@@ -226,7 +226,7 @@ export async function POST(req: NextRequest) {
   // --- Build submission payload ---
   const payload = {
     plugin_name,
-    npm_package_name: str(formData.get("npm_package_name")),
+    package_location: str(formData.get("package_location")),
     description,
     repository_url,
     logo_url,
diff --git a/apps/web/src/app/submit/plugin/page.tsx b/apps/web/src/app/submit/plugin/page.tsx
index a19236e..96c17d8 100644
--- a/apps/web/src/app/submit/plugin/page.tsx
+++ b/apps/web/src/app/submit/plugin/page.tsx
@@ -270,7 +270,7 @@ function CategoryPill({
 
 interface FormFields {
   plugin_name: string;
-  npm_package_name: string;
+  package_location: string;
   repository_url: string;
   description: string;
   logo_file: File | null;
@@ -284,7 +284,7 @@ interface FormFields {
 
 const INITIAL: FormFields = {
   plugin_name: "",
-  npm_package_name: "",
+  package_location: "",
   repository_url: "",
   description: "",
   logo_file: null,
@@ -433,7 +433,7 @@ export default function SubmitPluginPage() {
 
       const form = new FormData();
       form.append("plugin_name", fields.plugin_name.trim());
-      form.append("npm_package_name", fields.npm_package_name.trim());
+      form.append("package_location", fields.package_location.trim());
       form.append("repository_url", fields.repository_url.trim());
       form.append("description", fields.description.trim());
       form.append("readme", fields.readme.trim());
@@ -610,18 +610,19 @@ export default function SubmitPluginPage() {
                   <FieldError message={errors.plugin_name} />
                 </div>
 
-                {/* NPM Package Name */}
+                {/* Registry URL */}
                 <div className="mb-5">
-                  <Label htmlFor="npm_package_name">NPM Package Name</Label>
+                  <Label htmlFor="package_location">Registry URL</Label>
                   <Input
-                    id="npm_package_name"
-                    value={fields.npm_package_name}
-                    onChange={(e) => set("npm_package_name", e.target.value)}
-                    placeholder="@scope/strapi-plugin-name"
+                    id="package_location"
+                    value={fields.package_location}
+                    onChange={(e) => set("package_location", e.target.value)}
+                    placeholder="https://www.npmjs.com/package/your-plugin"
                     autoComplete="off"
                   />
                   <Hint>
-                    Package name as it appears on npm, if already published.
+                    Full URL to your published package on npm, Packagist, PyPI,
+                    RubyGems, or NuGet. Leave blank if not yet published.
                   </Hint>
                 </div>
 

From 76d689ce75fb499710e109462ce1dc80151c3951 Mon Sep 17 00:00:00 2001
From: derrickmehaffy <derrickmehaffy@gmail.com>
Date: Fri, 17 Apr 2026 14:31:21 -0700
Subject: [PATCH 13/26] chore(dev): pnpm bootstrap, compose idempotency,
 engine-agnostic search
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- New ./scripts/setup.sh (run via `pnpm bootstrap` — pnpm setup is shadowed
  by pnpm's own built-in). Installs deps, seeds .env from .env.example, warns
  on 'tobemodified' placeholders, reports compose engine, flags low
  fs.inotify.max_user_instances (Linux) that would crash Turbopack's watcher
- Add idempotency to apps/automation/scripts/compose.sh — 'up' detects already-
  running services and exits 0 instead of reconciling, so turbo dev doesn't
  conflict when the stack is already up
- Give apps/search its own copy of the engine-agnostic compose wrapper (was
  hardcoded to docker-compose which fails on podman-only boxes); add
  stop/logs/ps scripts for parity with automation
- Switch automation + search dev scripts to `up -d` so turbo doesn't hang
  attaching to container logs while trying to run cms + web in parallel
- Root package.json shortcuts: n8n:start/stop + search:start/stop

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/automation/package.json       |   2 +-
 apps/automation/scripts/compose.sh |  15 ++++
 apps/search/package.json           |   7 +-
 apps/search/scripts/compose.sh     |  52 ++++++++++++++
 package.json                       |   5 ++
 scripts/setup.sh                   | 111 +++++++++++++++++++++++++++++
 6 files changed, 189 insertions(+), 3 deletions(-)
 create mode 100755 apps/search/scripts/compose.sh
 create mode 100755 scripts/setup.sh

diff --git a/apps/automation/package.json b/apps/automation/package.json
index c9ac117..5e207c1 100644
--- a/apps/automation/package.json
+++ b/apps/automation/package.json
@@ -4,7 +4,7 @@
   "private": true,
   "description": "Local n8n instance and workflow version control for the Strapi community hub. Engine-agnostic (Docker or Podman).",
   "scripts": {
-    "dev": "./scripts/compose.sh up",
+    "dev": "./scripts/compose.sh up -d",
     "start": "./scripts/compose.sh up -d",
     "n8n:up": "./scripts/compose.sh up -d",
     "n8n:up:mcp": "./scripts/compose.sh --profile mcp up -d",
diff --git a/apps/automation/scripts/compose.sh b/apps/automation/scripts/compose.sh
index b07f004..8b84d63 100755
--- a/apps/automation/scripts/compose.sh
+++ b/apps/automation/scripts/compose.sh
@@ -33,5 +33,20 @@ EOF
 
 ENGINE="$(resolve_engine)"
 
+# Idempotency guard: if the user is running `up` (or `up -d`) and at least one
+# service in this compose file is already running, report and exit 0 instead of
+# triggering a redundant reconcile (which can conflict with a foreground `dev`
+# task that's already tailing logs).
+if [[ "${1:-}" == "up" ]]; then
+  # shellcheck disable=SC2086
+  RUNNING_IDS="$($ENGINE -f "$COMPOSE_FILE" ps -q 2>/dev/null || true)"
+  if [[ -n "$RUNNING_IDS" ]]; then
+    echo "[compose.sh] Stack is already running — skipping 'up'."
+    # shellcheck disable=SC2086
+    $ENGINE -f "$COMPOSE_FILE" ps
+    exit 0
+  fi
+fi
+
 # shellcheck disable=SC2086
 exec $ENGINE -f "$COMPOSE_FILE" "$@"
diff --git a/apps/search/package.json b/apps/search/package.json
index 6c0750d..ccc9afc 100644
--- a/apps/search/package.json
+++ b/apps/search/package.json
@@ -3,7 +3,10 @@
   "version": "0.0.0",
   "description": "Meilisearch service for marketplace",
   "scripts": {
-    "dev": "docker-compose up",
-    "start": "docker-compose up"
+    "dev": "./scripts/compose.sh up -d",
+    "start": "./scripts/compose.sh up -d",
+    "stop": "./scripts/compose.sh down",
+    "logs": "./scripts/compose.sh logs -f",
+    "ps": "./scripts/compose.sh ps"
   }
 }
diff --git a/apps/search/scripts/compose.sh b/apps/search/scripts/compose.sh
new file mode 100755
index 0000000..8b84d63
--- /dev/null
+++ b/apps/search/scripts/compose.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Engine-agnostic compose wrapper. Resolves compose file relative to this script
+# so it works regardless of the caller's CWD.
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+COMPOSE_FILE="$SCRIPT_DIR/../docker-compose.yml"
+
+resolve_engine() {
+  if command -v podman-compose >/dev/null 2>&1 && command -v podman >/dev/null 2>&1; then
+    echo "podman-compose"
+    return
+  fi
+  if command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
+    echo "docker compose"
+    return
+  fi
+  if command -v docker-compose >/dev/null 2>&1; then
+    echo "docker-compose"
+    return
+  fi
+  cat >&2 <<'EOF'
+Error: no compose engine found.
+
+Install one of:
+  - Docker Desktop (includes the "docker compose" v2 plugin)
+  - Podman + podman-compose:
+      pip install --user podman-compose
+EOF
+  exit 1
+}
+
+ENGINE="$(resolve_engine)"
+
+# Idempotency guard: if the user is running `up` (or `up -d`) and at least one
+# service in this compose file is already running, report and exit 0 instead of
+# triggering a redundant reconcile (which can conflict with a foreground `dev`
+# task that's already tailing logs).
+if [[ "${1:-}" == "up" ]]; then
+  # shellcheck disable=SC2086
+  RUNNING_IDS="$($ENGINE -f "$COMPOSE_FILE" ps -q 2>/dev/null || true)"
+  if [[ -n "$RUNNING_IDS" ]]; then
+    echo "[compose.sh] Stack is already running — skipping 'up'."
+    # shellcheck disable=SC2086
+    $ENGINE -f "$COMPOSE_FILE" ps
+    exit 0
+  fi
+fi
+
+# shellcheck disable=SC2086
+exec $ENGINE -f "$COMPOSE_FILE" "$@"
diff --git a/package.json b/package.json
index 82943c6..423afb0 100644
--- a/package.json
+++ b/package.json
@@ -2,11 +2,16 @@
   "name": "strapi-marketplace",
   "private": true,
   "scripts": {
+    "bootstrap": "./scripts/setup.sh",
     "build": "turbo build",
     "dev": "turbo dev",
     "lint": "turbo lint",
     "test": "turbo test",
     "check-types": "turbo check-types",
+    "n8n:start": "pnpm --filter automation start",
+    "n8n:stop": "pnpm --filter automation n8n:down",
+    "search:start": "pnpm --filter search start",
+    "search:stop": "pnpm --filter search stop",
     "update-dependencies": "pnpm --recursive --interactive --latest update",
     "prepare": "husky"
   },
diff --git a/scripts/setup.sh b/scripts/setup.sh
new file mode 100755
index 0000000..5fc840e
--- /dev/null
+++ b/scripts/setup.sh
@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# First-time setup for the Strapi community hub monorepo.
+# Idempotent: safe to re-run.
+
+ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+cd "$ROOT_DIR"
+
+echo "=== Strapi community hub setup ==="
+echo ""
+
+# -----------------------------------------------------------------------------
+# 1. Dependencies
+# -----------------------------------------------------------------------------
+echo "-> Installing workspace dependencies (pnpm install)..."
+pnpm install
+echo ""
+
+# -----------------------------------------------------------------------------
+# 2. Seed .env files from .env.example
+# -----------------------------------------------------------------------------
+echo "-> Checking .env files..."
+
+seed_env() {
+  local dir="$1"
+  if [[ ! -f "$dir/.env.example" ]]; then
+    return
+  fi
+  if [[ -f "$dir/.env" ]]; then
+    echo "   $dir/.env already exists — skipped"
+    return
+  fi
+  cp "$dir/.env.example" "$dir/.env"
+  echo "   $dir/.env created from .env.example"
+}
+
+for dir in apps/cms apps/web apps/automation; do
+  seed_env "$dir"
+done
+echo ""
+
+# -----------------------------------------------------------------------------
+# 3. Warn about placeholder secrets
+# -----------------------------------------------------------------------------
+echo "-> Checking for placeholder values..."
+placeholder_found=0
+while IFS= read -r -d '' env_file; do
+  if grep -Eq '(^|=)(tobemodified|toBeModified)' "$env_file" 2>/dev/null; then
+    echo "   !! $env_file has placeholder values — set real secrets before 'pnpm dev'"
+    placeholder_found=1
+  fi
+done < <(find apps -maxdepth 2 -name .env -not -path "*/node_modules/*" -print0)
+
+if [[ "$placeholder_found" -eq 0 ]]; then
+  echo "   no placeholder values detected"
+fi
+echo ""
+
+# -----------------------------------------------------------------------------
+# 4. Compose engine check (informational)
+# -----------------------------------------------------------------------------
+echo "-> Checking container engine..."
+if command -v podman-compose >/dev/null 2>&1 && command -v podman >/dev/null 2>&1; then
+  echo "   podman-compose found"
+elif command -v docker >/dev/null 2>&1 && docker compose version >/dev/null 2>&1; then
+  echo "   docker compose (v2 plugin) found"
+elif command -v docker-compose >/dev/null 2>&1; then
+  echo "   docker-compose found"
+else
+  echo "   !! no compose engine detected — install Docker Desktop or podman-compose"
+fi
+echo ""
+
+# -----------------------------------------------------------------------------
+# 5. inotify instance limit (Linux only) — Turbopack needs many watchers
+# -----------------------------------------------------------------------------
+if [[ "$(uname)" == "Linux" ]]; then
+  echo "-> Checking inotify limits..."
+  INSTANCES_FILE=/proc/sys/fs/inotify/max_user_instances
+  if [[ -r "$INSTANCES_FILE" ]]; then
+    INSTANCES=$(cat "$INSTANCES_FILE")
+    if [[ "$INSTANCES" -lt 256 ]]; then
+      cat <<EOF
+   !! fs.inotify.max_user_instances = $INSTANCES (too low for Turbopack / Next.js watchers)
+      Next.js dev will crash with "Too many open files (os error 24)".
+      Temporary:  sudo sysctl -w fs.inotify.max_user_instances=512
+      Permanent:  echo 'fs.inotify.max_user_instances=512' | sudo tee -a /etc/sysctl.conf
+                  sudo sysctl -p
+EOF
+    else
+      echo "   fs.inotify.max_user_instances = $INSTANCES (ok)"
+    fi
+  fi
+  echo ""
+fi
+
+# -----------------------------------------------------------------------------
+# Next steps
+# -----------------------------------------------------------------------------
+cat <<'EOF'
+=== Setup complete ===
+
+Next:
+  - Fill any placeholder secrets flagged above in apps/*/.env
+  - pnpm dev           # start everything (n8n + meilisearch detached; cms + web in foreground)
+  - pnpm n8n:start     # just the automation stack
+  - pnpm search:start  # just the meilisearch stack
+
+(Re-run this setup anytime with `pnpm bootstrap`.)
+EOF

From 92c59d4f57fceb647282b22b143f2c92d3fa9556 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 01:42:47 +0100
Subject: [PATCH 14/26] feat(cms): add moderation fields to Package and
 Template schemas

---
 apps/cms/config/plugins.ts                    | 23 +++----
 .../package/content-types/package/schema.json | 62 +++++++++++++++++++
 .../content-types/template/schema.json        | 62 +++++++++++++++++++
 apps/cms/types/generated/contentTypes.d.ts    | 52 ++++++++++++++++
 4 files changed, 185 insertions(+), 14 deletions(-)

diff --git a/apps/cms/config/plugins.ts b/apps/cms/config/plugins.ts
index fd0b446..166d49e 100644
--- a/apps/cms/config/plugins.ts
+++ b/apps/cms/config/plugins.ts
@@ -3,9 +3,16 @@ export default ({ env }) => ({
     config:
       env("NODE_ENV") === "production"
         ? {
+            provider: "sendgrid",
+            providerOptions: {
+              apiKey: env("SENDGRID_API_KEY"),
+            },
             settings: {
-              defaultFrom: env("EMAIL_FROM", "noreply@strapi.io"),
-              defaultReplyTo: env("EMAIL_FROM", "noreply@strapi.io"),
+              defaultFrom: env("EMAIL_DEFAULT_FROM", "community@strapi.io"),
+              defaultReplyTo: env(
+                "EMAIL_DEFAULT_REPLY_TO",
+                "community@strapi.io",
+              ),
             },
           }
         : {
@@ -26,18 +33,6 @@ export default ({ env }) => ({
       },
     },
   },
-  email: {
-    config: {
-      provider: "sendgrid",
-      providerOptions: {
-        apiKey: env("SENDGRID_API_KEY"),
-      },
-      settings: {
-        defaultFrom: env("EMAIL_DEFAULT_FROM", "community@strapi.io"),
-        defaultReplyTo: env("EMAIL_DEFAULT_REPLY_TO", "community@strapi.io"),
-      },
-    },
-  },
   "owner-selector": {
     enabled: true,
     resolve: "./src/plugins/owner-selector",
diff --git a/apps/cms/src/api/package/content-types/package/schema.json b/apps/cms/src/api/package/content-types/package/schema.json
index b75464f..9da7c3f 100644
--- a/apps/cms/src/api/package/content-types/package/schema.json
+++ b/apps/cms/src/api/package/content-types/package/schema.json
@@ -101,6 +101,68 @@
       "targetField": "name",
       "required": true,
       "regex": "^[A-Za-z0-9-_.~@]*$"
+    },
+    "overall_status": {
+      "type": "enumeration",
+      "enum": [
+        "submitted",
+        "under_review",
+        "changes_requested",
+        "rejected",
+        "approved"
+      ]
+    },
+    "business_review_status": {
+      "type": "enumeration",
+      "enum": ["pending", "approved", "rejected"]
+    },
+    "security_review_status": {
+      "type": "enumeration",
+      "enum": ["pending", "approved", "rejected"]
+    },
+    "reviewer_feedback": {
+      "type": "text"
+    },
+    "rejection_reason": {
+      "type": "text"
+    },
+    "business_review_notes": {
+      "type": "text"
+    },
+    "security_review_notes": {
+      "type": "text"
+    },
+    "automated_check_results": {
+      "type": "json"
+    },
+    "security_scan_status": {
+      "type": "enumeration",
+      "enum": ["pending", "running", "completed", "failed"]
+    },
+    "security_scan_started_at": {
+      "type": "datetime"
+    },
+    "security_scan_run_at": {
+      "type": "datetime"
+    },
+    "security_scan_dependencies": {
+      "type": "json"
+    },
+    "security_scan_ai_analysis": {
+      "type": "json"
+    },
+    "security_scan_summary": {
+      "type": "json"
+    },
+    "submitter_ip": {
+      "type": "string"
+    },
+    "submitter_agreed_to_terms": {
+      "type": "boolean",
+      "default": false
+    },
+    "submission_notes": {
+      "type": "text"
     }
   }
 }
diff --git a/apps/cms/src/api/template/content-types/template/schema.json b/apps/cms/src/api/template/content-types/template/schema.json
index 1a8981e..d435984 100644
--- a/apps/cms/src/api/template/content-types/template/schema.json
+++ b/apps/cms/src/api/template/content-types/template/schema.json
@@ -90,6 +90,68 @@
       "targetField": "name",
       "required": true,
       "regex": "^[A-Za-z0-9-_.~@]*$"
+    },
+    "overall_status": {
+      "type": "enumeration",
+      "enum": [
+        "submitted",
+        "under_review",
+        "changes_requested",
+        "rejected",
+        "approved"
+      ]
+    },
+    "business_review_status": {
+      "type": "enumeration",
+      "enum": ["pending", "approved", "rejected"]
+    },
+    "security_review_status": {
+      "type": "enumeration",
+      "enum": ["pending", "approved", "rejected"]
+    },
+    "reviewer_feedback": {
+      "type": "text"
+    },
+    "rejection_reason": {
+      "type": "text"
+    },
+    "business_review_notes": {
+      "type": "text"
+    },
+    "security_review_notes": {
+      "type": "text"
+    },
+    "automated_check_results": {
+      "type": "json"
+    },
+    "security_scan_status": {
+      "type": "enumeration",
+      "enum": ["pending", "running", "completed", "failed"]
+    },
+    "security_scan_started_at": {
+      "type": "datetime"
+    },
+    "security_scan_run_at": {
+      "type": "datetime"
+    },
+    "security_scan_dependencies": {
+      "type": "json"
+    },
+    "security_scan_ai_analysis": {
+      "type": "json"
+    },
+    "security_scan_summary": {
+      "type": "json"
+    },
+    "submitter_ip": {
+      "type": "string"
+    },
+    "submitter_agreed_to_terms": {
+      "type": "boolean",
+      "default": false
+    },
+    "submission_notes": {
+      "type": "text"
     }
   }
 }
diff --git a/apps/cms/types/generated/contentTypes.d.ts b/apps/cms/types/generated/contentTypes.d.ts
index 8194982..045dc5a 100644
--- a/apps/cms/types/generated/contentTypes.d.ts
+++ b/apps/cms/types/generated/contentTypes.d.ts
@@ -887,6 +887,32 @@ export interface ApiPackagePackage extends Struct.CollectionTypeSchema {
     > &
       Schema.Attribute.Unique;
     version_info: Schema.Attribute.Component<'shared.version-info', false>;
+    overall_status: Schema.Attribute.Enumeration<
+      ['submitted', 'under_review', 'changes_requested', 'rejected', 'approved']
+    >;
+    business_review_status: Schema.Attribute.Enumeration<
+      ['pending', 'approved', 'rejected']
+    >;
+    security_review_status: Schema.Attribute.Enumeration<
+      ['pending', 'approved', 'rejected']
+    >;
+    reviewer_feedback: Schema.Attribute.Text;
+    rejection_reason: Schema.Attribute.Text;
+    business_review_notes: Schema.Attribute.Text;
+    security_review_notes: Schema.Attribute.Text;
+    automated_check_results: Schema.Attribute.JSON;
+    security_scan_status: Schema.Attribute.Enumeration<
+      ['pending', 'running', 'completed', 'failed']
+    >;
+    security_scan_started_at: Schema.Attribute.DateTime;
+    security_scan_run_at: Schema.Attribute.DateTime;
+    security_scan_dependencies: Schema.Attribute.JSON;
+    security_scan_ai_analysis: Schema.Attribute.JSON;
+    security_scan_summary: Schema.Attribute.JSON;
+    submitter_ip: Schema.Attribute.String;
+    submitter_agreed_to_terms: Schema.Attribute.Boolean &
+      Schema.Attribute.DefaultTo<false>;
+    submission_notes: Schema.Attribute.Text;
   };
 }
 
@@ -1225,6 +1251,32 @@ export interface ApiTemplateTemplate extends Struct.CollectionTypeSchema {
       'plugin::webtools.url-alias'
     > &
       Schema.Attribute.Unique;
+    overall_status: Schema.Attribute.Enumeration<
+      ['submitted', 'under_review', 'changes_requested', 'rejected', 'approved']
+    >;
+    business_review_status: Schema.Attribute.Enumeration<
+      ['pending', 'approved', 'rejected']
+    >;
+    security_review_status: Schema.Attribute.Enumeration<
+      ['pending', 'approved', 'rejected']
+    >;
+    reviewer_feedback: Schema.Attribute.Text;
+    rejection_reason: Schema.Attribute.Text;
+    business_review_notes: Schema.Attribute.Text;
+    security_review_notes: Schema.Attribute.Text;
+    automated_check_results: Schema.Attribute.JSON;
+    security_scan_status: Schema.Attribute.Enumeration<
+      ['pending', 'running', 'completed', 'failed']
+    >;
+    security_scan_started_at: Schema.Attribute.DateTime;
+    security_scan_run_at: Schema.Attribute.DateTime;
+    security_scan_dependencies: Schema.Attribute.JSON;
+    security_scan_ai_analysis: Schema.Attribute.JSON;
+    security_scan_summary: Schema.Attribute.JSON;
+    submitter_ip: Schema.Attribute.String;
+    submitter_agreed_to_terms: Schema.Attribute.Boolean &
+      Schema.Attribute.DefaultTo<false>;
+    submission_notes: Schema.Attribute.Text;
   };
 }
 

From 1dbfc973d021efd3bcf1104a40cc77b7c7638a51 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 01:49:31 +0100
Subject: [PATCH 15/26] refactor(cms/moderation): remove plugin content types;
 plugin now operates on Package/Template directly

---
 .../moderation/server/content-types/index.js  |   4 -
 .../content-types/plugin-submission/index.js  |   3 -
 .../plugin-submission/schema.json             | 138 ------------------
 .../template-submission/index.js              |   3 -
 .../template-submission/schema.json           |  95 ------------
 .../src/plugins/moderation/server/index.js    |   1 -
 .../src/plugins/moderation/strapi-server.js   |  11 +-
 7 files changed, 4 insertions(+), 251 deletions(-)
 delete mode 100644 apps/cms/src/plugins/moderation/server/content-types/index.js
 delete mode 100644 apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js
 delete mode 100644 apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
 delete mode 100644 apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js
 delete mode 100644 apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json

diff --git a/apps/cms/src/plugins/moderation/server/content-types/index.js b/apps/cms/src/plugins/moderation/server/content-types/index.js
deleted file mode 100644
index b29a911..0000000
--- a/apps/cms/src/plugins/moderation/server/content-types/index.js
+++ /dev/null
@@ -1,4 +0,0 @@
-module.exports = {
-  "plugin-submission": require("./plugin-submission"),
-  "template-submission": require("./template-submission"),
-};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js
deleted file mode 100644
index 2fb2f3b..0000000
--- a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/index.js
+++ /dev/null
@@ -1,3 +0,0 @@
-module.exports = {
-  schema: require("./schema.json"),
-};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
deleted file mode 100644
index 155492d..0000000
--- a/apps/cms/src/plugins/moderation/server/content-types/plugin-submission/schema.json
+++ /dev/null
@@ -1,138 +0,0 @@
-{
-  "kind": "collectionType",
-  "collectionName": "plugin_submissions",
-  "info": {
-    "singularName": "plugin-submission",
-    "pluralName": "plugin-submissions",
-    "displayName": "Plugin Submission",
-    "description": "Incoming plugin submissions awaiting moderation before publication"
-  },
-  "options": {
-    "draftAndPublish": false
-  },
-  "pluginOptions": {
-    "content-manager": { "visible": false },
-    "content-type-builder": { "visible": false }
-  },
-  "attributes": {
-    "plugin_name": {
-      "type": "string",
-      "required": true
-    },
-    "package_location": {
-      "type": "string",
-      "description": "URL to the published package (npm / packagist / pypi / rubygems / nuget). Registry is inferred from the hostname at scan time. Optional — plugins without a published artifact are scanned from their source repo only."
-    },
-    "description": {
-      "type": "text",
-      "required": true
-    },
-    "repository_url": {
-      "type": "string",
-      "required": true
-    },
-    "logo_url": {
-      "type": "string"
-    },
-    "package_type": {
-      "type": "enumeration",
-      "enum": ["plugin", "provider", "sdk", "tool"],
-      "default": "plugin",
-      "required": true
-    },
-    "categories_list": {
-      "type": "json",
-      "default": []
-    },
-    "owner_name": {
-      "type": "string",
-      "required": true
-    },
-    "owner_email": {
-      "type": "string",
-      "required": true
-    },
-    "maintainers_list": {
-      "type": "json",
-      "default": []
-    },
-    "readme": {
-      "type": "richtext"
-    },
-    "submission_notes": {
-      "type": "text"
-    },
-    "submitter_agreed_to_terms": {
-      "type": "boolean",
-      "default": false,
-      "required": true
-    },
-    "submitter_ip": {
-      "type": "string"
-    },
-    "overall_status": {
-      "type": "enumeration",
-      "enum": [
-        "submitted",
-        "under_review",
-        "changes_requested",
-        "rejected",
-        "approved"
-      ],
-      "default": "submitted",
-      "required": true
-    },
-    "business_review_status": {
-      "type": "enumeration",
-      "enum": ["pending", "approved", "rejected"],
-      "default": "pending",
-      "required": true
-    },
-    "security_review_status": {
-      "type": "enumeration",
-      "enum": ["pending", "approved", "rejected"],
-      "default": "pending",
-      "required": true
-    },
-    "reviewer_feedback": {
-      "type": "text"
-    },
-    "rejection_reason": {
-      "type": "text"
-    },
-    "business_review_notes": {
-      "type": "text"
-    },
-    "security_review_notes": {
-      "type": "text"
-    },
-    "automated_check_results": {
-      "type": "json"
-    },
-    "security_scan_status": {
-      "type": "enumeration",
-      "enum": ["pending", "running", "completed", "failed"],
-      "default": "pending"
-    },
-    "security_scan_started_at": {
-      "type": "datetime"
-    },
-    "security_scan_run_at": {
-      "type": "datetime"
-    },
-    "security_scan_dependencies": {
-      "type": "json"
-    },
-    "security_scan_ai_analysis": {
-      "type": "json"
-    },
-    "security_scan_summary": {
-      "type": "json"
-    },
-    "promoted_package": {
-      "type": "relation",
-      "relation": "oneToOne",
-      "target": "api::package.package"
-    }
-  }
-}
diff --git a/apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js b/apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js
deleted file mode 100644
index 2fb2f3b..0000000
--- a/apps/cms/src/plugins/moderation/server/content-types/template-submission/index.js
+++ /dev/null
@@ -1,3 +0,0 @@
-module.exports = {
-  schema: require("./schema.json"),
-};
diff --git a/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json b/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
deleted file mode 100644
index aa336ec..0000000
--- a/apps/cms/src/plugins/moderation/server/content-types/template-submission/schema.json
+++ /dev/null
@@ -1,95 +0,0 @@
-{
-  "kind": "collectionType",
-  "collectionName": "template_submissions",
-  "info": {
-    "singularName": "template-submission",
-    "pluralName": "template-submissions",
-    "displayName": "Template Submission",
-    "description": "Incoming template submissions awaiting approval before publication"
-  },
-  "options": {
-    "draftAndPublish": false
-  },
-  "pluginOptions": {
-    "content-manager": { "visible": false },
-    "content-type-builder": { "visible": false }
-  },
-  "attributes": {
-    "template_name": {
-      "type": "string",
-      "required": true
-    },
-    "description": {
-      "type": "text",
-      "required": true
-    },
-    "repository_url": {
-      "type": "string",
-      "required": true
-    },
-    "demo_url": {
-      "type": "string"
-    },
-    "logo_url": {
-      "type": "string"
-    },
-    "categories_list": {
-      "type": "json",
-      "default": []
-    },
-    "owner_name": {
-      "type": "string",
-      "required": true
-    },
-    "owner_email": {
-      "type": "string",
-      "required": true
-    },
-    "submission_notes": {
-      "type": "text"
-    },
-    "submitter_agreed_to_terms": {
-      "type": "boolean",
-      "default": false,
-      "required": true
-    },
-    "submitter_ip": {
-      "type": "string"
-    },
-    "security_scan_status": {
-      "type": "enumeration",
-      "enum": ["pending", "running", "completed", "failed"],
-      "default": "pending"
-    },
-    "security_scan_started_at": {
-      "type": "datetime"
-    },
-    "security_scan_run_at": {
-      "type": "datetime"
-    },
-    "security_scan_dependencies": {
-      "type": "json"
-    },
-    "security_scan_ai_analysis": {
-      "type": "json"
-    },
-    "security_scan_summary": {
-      "type": "json"
-    },
-    "overall_status": {
-      "type": "enumeration",
-      "enum": ["submitted", "approved", "rejected"],
-      "default": "submitted",
-      "required": true
-    },
-    "reviewer_feedback": {
-      "type": "text"
-    },
-    "reviewer_notes": {
-      "type": "text"
-    },
-    "rejection_reason": {
-      "type": "text"
-    }
-  }
-}
diff --git a/apps/cms/src/plugins/moderation/server/index.js b/apps/cms/src/plugins/moderation/server/index.js
index 5a88cd4..285bbc3 100644
--- a/apps/cms/src/plugins/moderation/server/index.js
+++ b/apps/cms/src/plugins/moderation/server/index.js
@@ -1,5 +1,4 @@
 module.exports = {
-  contentTypes: require("./content-types"),
   controllers: require("./controllers"),
   services: require("./services"),
   routes: require("./routes"),
diff --git a/apps/cms/src/plugins/moderation/strapi-server.js b/apps/cms/src/plugins/moderation/strapi-server.js
index 9c7c784..6cf8f5d 100644
--- a/apps/cms/src/plugins/moderation/strapi-server.js
+++ b/apps/cms/src/plugins/moderation/strapi-server.js
@@ -3,12 +3,10 @@ const server = require("./server");
 /**
  * Moderation plugin for the Strapi Marketplace.
  *
- * Architecture: Option B — separate moderation content type.
- *
- * Incoming plugin submissions are stored as plugin::moderation.plugin-submission
- * records. They go through two independent review tracks (business + security)
- * before a moderator can promote them to a real api::package.package entry.
- * This keeps unapproved content completely isolated from the live catalogue.
+ * Architecture: submissions create draft Package / Template records directly.
+ * This plugin owns no content types — it provides the admin UI, routes,
+ * controllers, and services that operate on api::package.package and
+ * api::template.template. See docs/adr/0001-moderation-fields-on-package-not-intermediary.md.
  */
 module.exports = {
   register() {
@@ -17,7 +15,6 @@ module.exports = {
 
   bootstrap() {},
 
-  contentTypes: server.contentTypes,
   controllers: server.controllers,
   services: server.services,
   routes: server.routes,

From 8319d991852ac66759109e5728e807117562adac Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 01:53:00 +0100
Subject: [PATCH 16/26] refactor(cms/moderation): rewrite package service to
 operate on api::package.package

Submissions now create draft api::package.package records directly.
Moderation fields live on Package; approval = publish the draft.
Routes updated to /packages/submit and /packages/:id paths.
Controller promote handler renamed to publish, calling publishPackage().

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../server/controllers/plugin-submission.js   |  16 +-
 .../server/routes/plugin-submission.js        |  26 +-
 .../server/services/plugin-submission.js      | 340 ++++++++----------
 3 files changed, 171 insertions(+), 211 deletions(-)

diff --git a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
index 95267a7..4eaf731 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
@@ -11,7 +11,7 @@ const service = (strapi) =>
 
 module.exports = ({ strapi }) => ({
   /**
-   * POST /api/moderation/plugin-submissions
+   * POST /api/moderation/packages/submit
    * Accepts a new plugin submission from the public.
    * Called by the Next.js proxy, never directly from the browser.
    */
@@ -93,14 +93,14 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * POST /moderation/submissions/:documentId/promote
-   * Promote an approved submission to a real package entry (admin only).
+   * POST /moderation/submissions/:documentId/publish
+   * Publish an approved draft Package (admin only).
    */
-  async promote(ctx) {
+  async publish(ctx) {
     const { documentId } = ctx.params;
 
     try {
-      const pkg = await service(strapi).promoteToPackage(documentId);
+      const pkg = await service(strapi).publishPackage(documentId);
       ctx.body = { data: pkg };
     } catch (err) {
       ctx.badRequest(err.message);
@@ -144,8 +144,8 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * GET /api/moderation/plugin-submissions/stale-scans?cutoff=<ISO timestamp>
-   * Content-api + API-token: returns plugin submissions whose scan has been
+   * GET /api/moderation/packages/stale-scans?cutoff=<ISO timestamp>
+   * Content-api + API-token: returns packages whose scan has been
    * 'running' since before `cutoff`. Consumed by the n8n scan-timeout-sweeper.
    */
   async listStaleScans(ctx) {
@@ -160,7 +160,7 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * POST /api/moderation/plugin-submissions/:documentId/security-scan-result
+   * POST /api/moderation/packages/:documentId/security-scan-result
    * Called by n8n (with a Strapi API token) to write back per-stage scan results.
    */
   async updateSecurityScan(ctx) {
diff --git a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
index 5399314..55b63fa 100644
--- a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
@@ -4,33 +4,25 @@ module.exports = {
     routes: [
       {
         method: "POST",
-        path: "/plugin-submissions",
+        path: "/packages/submit",
         handler: "plugin-submission.create",
         config: {
-          // Public endpoint — auth is handled at the Next.js proxy layer.
-          // The proxy must include a valid API token via Authorization header.
-          auth: false,
+          // Next.js proxy sends a valid API token — auth must be true.
+          auth: true,
           policies: [],
         },
       },
       {
         method: "POST",
-        path: "/plugin-submissions/:documentId/security-scan-result",
+        path: "/packages/:documentId/security-scan-result",
         handler: "plugin-submission.updateSecurityScan",
-        config: {
-          // Called by n8n over the public API using a Strapi API token.
-          // Strapi's content-api token middleware enforces the token.
-          policies: [],
-        },
+        config: { policies: [] },
       },
       {
         method: "GET",
-        path: "/plugin-submissions/stale-scans",
+        path: "/packages/stale-scans",
         handler: "plugin-submission.listStaleScans",
-        config: {
-          // Called by the scan-timeout-sweeper n8n workflow over API token.
-          policies: [],
-        },
+        config: { policies: [] },
       },
     ],
   },
@@ -57,8 +49,8 @@ module.exports = {
       },
       {
         method: "POST",
-        path: "/submissions/:documentId/promote",
-        handler: "plugin-submission.promote",
+        path: "/submissions/:documentId/publish",
+        handler: "plugin-submission.publish",
         config: { policies: [] },
       },
       {
diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
index 067d209..69d8158 100644
--- a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
@@ -1,46 +1,80 @@
 /**
- * Plugin submission service.
+ * Package submission service.
  *
- * Architecture choice: Option B — separate moderation content type.
- *
- * Incoming submissions are stored as `plugin::moderation.plugin-submission`
- * records and go through two independent review tracks (business + security)
- * before a moderator can promote them to a real `api::package.package` entry.
- *
- * This keeps unapproved submissions completely isolated from the live package
- * catalogue and supports full review auditability.
+ * Submissions create a draft api::package.package record directly.
+ * Moderation fields (overall_status, review statuses, scan results) live on Package.
+ * Approval = publish the draft. No data copy needed.
+ * See docs/adr/0001-moderation-fields-on-package-not-intermediary.md.
  */
 
 const { runAutomatedChecks } = require("./automated-checks");
 const { getPackageSecurityInfo } = require("./get-package-security-info");
 const { triggerN8nWebhook } = require("./n8n-webhook");
 
-const CONTENT_TYPE = "plugin::moderation.plugin-submission";
+const CONTENT_TYPE = "api::package.package";
 
 /**
- * Build the standard payload sent to every plugin-* lifecycle webhook.
- * Centralised so n8n workflows can rely on a stable shape across events.
- *
- * `dashboard_link` is the absolute URL to the submission in the Strapi admin.
- * Only used in INTERNAL Slack messages (#integration-marketplace) — never in
- * outbound emails to submitters. Base URL comes from CLOUD_APP_URL, which
- * Strapi Cloud injects automatically; dev falls back to localhost:1337.
+ * Find a Better Auth user by email, or create a minimal record.
+ * Blocking — caller must await this before creating the Package.
  */
-function buildLifecyclePayload(submission, extras = {}) {
+async function findOrCreateUser(strapi, { email, name }) {
+  const existing = await strapi.documents("plugin::better-auth.user").findMany({
+    filters: { email: { $eq: email } },
+    pagination: { pageSize: 1 },
+  });
+
+  if (existing?.length > 0) return existing[0].documentId;
+
+  const created = await strapi
+    .documents("plugin::better-auth.user")
+    .create({ data: { email, name } });
+
+  return created.documentId;
+}
+
+/**
+ * Resolve an array of { email, name } maintainer objects to Better Auth user documentIds.
+ */
+async function resolveMaintainers(strapi, maintainersList) {
+  if (!Array.isArray(maintainersList) || maintainersList.length === 0)
+    return [];
+  const ids = await Promise.all(
+    maintainersList
+      .filter((m) => m?.email)
+      .map((m) =>
+        findOrCreateUser(strapi, { email: m.email, name: m.name || m.email }),
+      ),
+  );
+  return ids.filter(Boolean);
+}
+
+/**
+ * Resolve category name strings to package-category documentIds.
+ * Unknown categories are silently dropped — Package schema is the authority.
+ */
+async function resolveCategories(strapi, categoryNames) {
+  if (!Array.isArray(categoryNames) || categoryNames.length === 0) return [];
+  const results = await strapi
+    .documents("api::package-category.package-category")
+    .findMany({
+      filters: { name: { $in: categoryNames } },
+      pagination: { pageSize: 100 },
+    });
+  return (results ?? []).map((c) => ({ documentId: c.documentId }));
+}
+
+function buildLifecyclePayload(pkg, extras = {}) {
   const adminBase = (
     process.env.CLOUD_APP_URL || "http://localhost:1337"
   ).replace(/\/$/, "");
-  const adminPath = `/admin/plugins/moderation/submissions/${submission.documentId}`;
   return {
-    submissionId: submission.documentId,
+    packageId: pkg.documentId,
     submission_kind: "plugin",
-    plugin_name: submission.plugin_name,
-    package_location: submission.package_location || null,
-    package_type: submission.package_type,
-    repository_url: submission.repository_url,
-    owner_name: submission.owner_name,
-    owner_email: submission.owner_email,
-    dashboard_link: `${adminBase}${adminPath}`,
+    name: pkg.name,
+    package_location: pkg.package_location || null,
+    type: pkg.type,
+    git_repository: pkg.git_repository,
+    dashboard_link: `${adminBase}/admin/content-manager/collection-types/api::package.package/${pkg.documentId}`,
     ...extras,
   };
 }
@@ -49,63 +83,82 @@ const VALID_SCAN_STAGES = ["dependencies", "ai_analysis", "summary"];
 
 module.exports = ({ strapi }) => ({
   /**
-   * Create a new submission and immediately kick off automated checks.
-   * Called by the public-facing API endpoint proxied through Next.js.
+   * Create a draft Package from a public submission.
+   * Owner and maintainers are resolved to Better Auth users (blocking).
    */
   async createSubmission(data, submitterIp) {
-    const submission = await strapi.documents(CONTENT_TYPE).create({
+    // Resolve owner (blocking — required relation)
+    const ownerDocumentId = await findOrCreateUser(strapi, {
+      email: data.owner_email,
+      name: data.owner_name,
+    });
+
+    // Resolve maintainers
+    const maintainerIds = await resolveMaintainers(
+      strapi,
+      data.maintainers_list || [],
+    );
+
+    // Resolve categories
+    const categoryConnect = await resolveCategories(
+      strapi,
+      data.categories_list || [],
+    );
+
+    const pkg = await strapi.documents(CONTENT_TYPE).create({
       data: {
-        plugin_name: data.plugin_name,
-        package_location: data.package_location || null,
+        name: data.plugin_name,
         description: data.description,
-        repository_url: data.repository_url,
-        logo_url: data.logo_url || null,
-        package_type: data.package_type || "plugin",
-        categories_list: data.categories_list || [],
-        owner_name: data.owner_name,
-        owner_email: data.owner_email,
-        maintainers_list: data.maintainers_list || [],
+        git_repository: data.repository_url,
+        package_location: data.package_location || null,
+        type: data.package_type || "plugin",
         readme: data.readme || null,
-        submission_notes: data.submission_notes || null,
-        submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
-        submitter_ip: submitterIp || null,
+        labels: { official: false, featured: false, paid: false },
+        owner: {
+          connect: [
+            { documentId: ownerDocumentId, __type: "plugin::better-auth.user" },
+          ],
+        },
+        maintainers: {
+          connect: maintainerIds.map((id) => ({ documentId: id })),
+        },
+        categories: { connect: categoryConnect },
+        ...(data.logo_documentId
+          ? { icon: { connect: [{ documentId: data.logo_documentId }] } }
+          : {}),
+        // Moderation fields
         overall_status: "submitted",
         business_review_status: "pending",
         security_review_status: "pending",
-        automated_check_results: null,
+        submitter_ip: submitterIp || null,
+        submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
+        submission_notes: data.submission_notes || null,
       },
     });
 
-    // Run checks asynchronously so the submission response is fast.
-    // Results are saved back to the record once available.
-    this.runChecksAsync(submission.documentId, {
-      repository_url: data.repository_url,
+    // Run business checks async — do not block the response
+    this.runChecksAsync(pkg.documentId, {
+      git_repository: data.repository_url,
       package_location: data.package_location,
     }).catch((err) => {
       strapi.log.error(
-        `[moderation] Async checks failed for submission ${submission.documentId}: ${err.message}`,
+        `[moderation] Async checks failed for ${pkg.documentId}: ${err.message}`,
       );
     });
 
-    // Fire-and-forget: notify n8n. A transient n8n failure must not block submission creation.
+    // Fire-and-forget n8n notification
     triggerN8nWebhook(
       "plugin-submission-received",
-      buildLifecyclePayload(submission),
+      buildLifecyclePayload(pkg),
       { strapi },
     );
 
-    return submission;
+    return pkg;
   },
 
-  /**
-   * Run automated business-side checks (repo public, README, MIT license, Strapi peer dep)
-   * and save results to the submission. Security scanning is NOT run here — it is driven
-   * manually by a moderator via `triggerSecurityScan` to avoid running costly scans
-   * (AI analysis in particular) on every submission, including potential spam.
-   */
-  async runChecksAsync(documentId, { repository_url, package_location }) {
+  async runChecksAsync(documentId, { git_repository, package_location }) {
     const businessChecks = await runAutomatedChecks({
-      repository_url,
+      repository_url: git_repository,
       package_location,
     }).catch(() => null);
 
@@ -118,27 +171,11 @@ module.exports = ({ strapi }) => ({
     });
   },
 
-  /**
-   * Trigger the n8n security-scan workflow for a submission.
-   * Fire-and-forget: n8n writes per-stage results back via the content-api write-back route.
-   *
-   * Called by an admin action, not automatically on submission. Guarded against re-triggering
-   * while a scan is already in progress.
-   *
-   * Fetches registry metadata up-front (reusing package-info's extract patterns) so the n8n
-   * workflow does not duplicate registry lookups. When the submission points at an unsupported
-   * or unpublished package, `package_info` is sent as null and n8n falls back to repo-only scan.
-   */
   async triggerSecurityScan(documentId) {
-    const submission = await strapi.documents(CONTENT_TYPE).findOne({
-      documentId,
-    });
-    if (!submission) throw new Error("Submission not found.");
-
-    if (submission.security_scan_status === "running") {
-      throw new Error(
-        "A security scan is already running for this submission.",
-      );
+    const pkg = await strapi.documents(CONTENT_TYPE).findOne({ documentId });
+    if (!pkg) throw new Error("Package not found.");
+    if (pkg.security_scan_status === "running") {
+      throw new Error("A security scan is already running for this package.");
     }
 
     await strapi.documents(CONTENT_TYPE).update({
@@ -149,21 +186,20 @@ module.exports = ({ strapi }) => ({
       },
     });
 
-    const packageInfo = submission.package_location
-      ? await getPackageSecurityInfo(submission.package_location).catch(
-          () => null,
-        )
+    const packageInfo = pkg.package_location
+      ? await getPackageSecurityInfo(pkg.package_location).catch(() => null)
       : null;
 
-    const payload = {
-      ...buildLifecyclePayload(submission),
-      readme: submission.readme,
-      package_info: packageInfo,
-    };
+    const result = await triggerN8nWebhook(
+      "security-scan",
+      {
+        ...buildLifecyclePayload(pkg),
+        readme: pkg.readme,
+        package_info: packageInfo,
+      },
+      { strapi },
+    );
 
-    const result = await triggerN8nWebhook("security-scan", payload, {
-      strapi,
-    });
     if (!result.ok) {
       await strapi.documents(CONTENT_TYPE).update({
         documentId,
@@ -175,11 +211,6 @@ module.exports = ({ strapi }) => ({
     return { documentId, status: "running" };
   },
 
-  /**
-   * Write back a single security-scan stage result from n8n.
-   * Stages: npm_advisories, dependencies, ai_analysis, summary.
-   * Also accepts status transitions: 'completed' or 'failed' (with no stage result).
-   */
   async updateSecurityScanResult(documentId, { stage, result, status }) {
     if (stage && !VALID_SCAN_STAGES.includes(stage)) {
       throw new Error(
@@ -206,10 +237,6 @@ module.exports = ({ strapi }) => ({
     return strapi.documents(CONTENT_TYPE).update({ documentId, data });
   },
 
-  /**
-   * Update review status fields for a submission.
-   * Enforces the rule: overall approval requires BOTH review tracks to pass.
-   */
   async updateReview(documentId, reviewData) {
     const {
       business_review_status,
@@ -221,25 +248,21 @@ module.exports = ({ strapi }) => ({
       overall_status,
     } = reviewData;
 
-    // Derive computed overall status if both review tracks have a result.
     let computedOverall = overall_status;
     if (business_review_status && security_review_status) {
       if (
         business_review_status === "approved" &&
         security_review_status === "approved"
       ) {
-        // Both passed — moderator may set to approved, but keep any explicit override.
-        if (!overall_status || overall_status === "under_review") {
+        if (!overall_status || overall_status === "under_review")
           computedOverall = "approved";
-        }
       } else if (
         business_review_status === "rejected" ||
         security_review_status === "rejected"
       ) {
-        // At least one review failed — cannot be approved regardless.
         if (overall_status === "approved") {
           throw new Error(
-            "Cannot approve a submission when either business or security review has been rejected.",
+            "Cannot approve when either review track is rejected.",
           );
         }
       }
@@ -260,78 +283,28 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * Promote an approved submission to a real package entry.
-   * Can only be called when both review tracks have passed and overall_status is 'approved'.
-   *
-   * The promoted package is created in draft state. A moderator publishes it manually
-   * in the content manager, giving a final human sign-off before it goes live.
+   * Approve a submission by publishing the draft Package.
+   * No data copy — the draft IS the package.
    */
-  async promoteToPackage(documentId) {
-    const submission = await strapi.documents(CONTENT_TYPE).findOne({
-      documentId,
-    });
-
-    if (!submission) {
-      throw new Error("Submission not found.");
-    }
-
-    if (submission.overall_status !== "approved") {
-      throw new Error("Submission must be approved before promotion.");
-    }
-    if (submission.business_review_status !== "approved") {
-      throw new Error("Business review must be approved before promotion.");
-    }
-    if (submission.security_review_status !== "approved") {
-      throw new Error("Security review must be approved before promotion.");
-    }
-    if (submission.promoted_package) {
-      throw new Error("Submission has already been promoted to a package.");
-    }
+  async publishPackage(documentId) {
+    const pkg = await strapi.documents(CONTENT_TYPE).findOne({ documentId });
+    if (!pkg) throw new Error("Package not found.");
+    if (pkg.overall_status !== "approved")
+      throw new Error("Package must be approved before publishing.");
 
-    // Create the package entry in draft state. Publish step is manual.
-    const pkg = await strapi.documents("api::package.package").create({
-      data: {
-        name: submission.plugin_name,
-        description: submission.description,
-        repository_url: submission.repository_url,
-        package_location: submission.package_location || null,
-        type: submission.package_type,
-        readme: submission.readme || null,
-        labels: {
-          official: false,
-          featured: false,
-          paid: false,
-        },
-      },
-    });
+    const published = await strapi
+      .documents(CONTENT_TYPE)
+      .publish({ documentId });
 
-    // Link the submission to the new package.
-    await strapi.documents(CONTENT_TYPE).update({
-      documentId,
-      data: { promoted_package: { connect: [{ documentId: pkg.documentId }] } },
-    });
-
-    // Fire-and-forget: notify n8n so it can email the submitter + post to Slack.
-    // Package content-type uses a `url_alias` relation (webtools plugin) for slugs,
-    // which is populated out-of-band — don't guess. Pass null; n8n workflow falls back
-    // to the repo URL in the email.
     triggerN8nWebhook(
       "plugin-approved",
-      buildLifecyclePayload(submission, {
-        package_id: pkg.documentId,
-        package_slug: null,
-        marketplace_link: null,
-      }),
+      buildLifecyclePayload(published, { package_slug: published.slug }),
       { strapi },
     );
 
-    return pkg;
+    return published;
   },
 
-  /**
-   * Mark a submission as rejected or changes-requested and store reviewer feedback.
-   * Triggers the appropriate n8n workflow (TODO).
-   */
   async rejectOrRequestChanges(documentId, { status, reason, feedback }) {
     if (!["rejected", "changes_requested"].includes(status)) {
       throw new Error("Status must be 'rejected' or 'changes_requested'.");
@@ -346,10 +319,8 @@ module.exports = ({ strapi }) => ({
       },
     });
 
-    const lifecycleKey =
-      status === "rejected" ? "plugin-declined" : "plugin-changes-requested";
     triggerN8nWebhook(
-      lifecycleKey,
+      status === "rejected" ? "plugin-declined" : "plugin-changes-requested",
       buildLifecyclePayload(updated, {
         reason: reason || null,
         feedback: feedback || null,
@@ -360,23 +331,20 @@ module.exports = ({ strapi }) => ({
     return updated;
   },
 
-  /**
-   * List submissions with optional status filter and pagination.
-   */
   async listSubmissions({ status, page = 1, pageSize = 25 } = {}) {
-    const filters = status ? { overall_status: { $eq: status } } : {};
+    const baseFilter = {
+      overall_status: status
+        ? { $eq: status }
+        : { $in: ["submitted", "under_review", "changes_requested"] },
+    };
     return strapi.documents(CONTENT_TYPE).findMany({
-      filters,
+      filters: baseFilter,
       sort: { createdAt: "desc" },
       pagination: { page, pageSize },
+      status: "draft",
     });
   },
 
-  /**
-   * List submissions whose security scan is stuck in 'running' past a cutoff.
-   * Consumed by the n8n scan-timeout-sweeper workflow. Content-api + API-token
-   * guarded so the sweeper does not need an admin session.
-   */
   async listStaleScans({ cutoff }) {
     if (!cutoff) return [];
     return strapi.documents(CONTENT_TYPE).findMany({
@@ -384,15 +352,15 @@ module.exports = ({ strapi }) => ({
         security_scan_status: { $eq: "running" },
         security_scan_started_at: { $lt: cutoff },
       },
-      fields: ["documentId", "plugin_name", "security_scan_started_at"],
+      fields: ["documentId", "name", "security_scan_started_at"],
       pagination: { page: 1, pageSize: 50 },
+      status: "draft",
     });
   },
 
-  /**
-   * Fetch a single submission by documentId.
-   */
   async getSubmission(documentId) {
-    return strapi.documents(CONTENT_TYPE).findOne({ documentId });
+    return strapi
+      .documents(CONTENT_TYPE)
+      .findOne({ documentId, status: "draft" });
   },
 });

From 0c41b0dd61d45879c9a5d87de935d0ed9e380af2 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 01:54:49 +0100
Subject: [PATCH 17/26] fix(cms/moderation): use findOne result for
 publishPackage webhook payload

---
 .../src/plugins/moderation/server/services/plugin-submission.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
index 69d8158..3ea35ba 100644
--- a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
@@ -298,7 +298,7 @@ module.exports = ({ strapi }) => ({
 
     triggerN8nWebhook(
       "plugin-approved",
-      buildLifecyclePayload(published, { package_slug: published.slug }),
+      buildLifecyclePayload(pkg, { package_slug: published.slug }),
       { strapi },
     );
 

From b2d18525cc95a8a9842559b32daed894a79eac0d Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 01:56:32 +0100
Subject: [PATCH 18/26] refactor(cms/moderation): rewrite template service to
 operate on api::template.template

Mirror the plugin-submission pattern: submissions create draft api::template.template
records directly, approval publishes the draft, no intermediary collection type.
Removes security scanning (not applicable to templates), updates n8n event names,
routes, and controller to align with the new content type.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../server/controllers/template-submission.js |  71 ++---
 .../server/routes/template-submission.js      |  31 +-
 .../server/services/template-submission.js    | 283 ++++++++----------
 3 files changed, 155 insertions(+), 230 deletions(-)

diff --git a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js b/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
index 27e1c9e..617aa2f 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
@@ -11,7 +11,7 @@ const service = (strapi) =>
 
 module.exports = ({ strapi }) => ({
   /**
-   * POST /api/moderation/template-submissions
+   * POST /api/moderation/templates/submit
    * Accepts a new template submission from the public.
    * Called by the Next.js proxy, never directly from the browser.
    */
@@ -54,7 +54,7 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * GET /moderation/template-submissions
+   * GET /api/moderation/template-submissions
    * List all template submissions (admin only).
    */
   async find(ctx) {
@@ -68,7 +68,7 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * GET /moderation/template-submissions/:documentId
+   * GET /api/moderation/template-submissions/:documentId
    * Fetch a single template submission (admin only).
    */
   async findOne(ctx) {
@@ -79,7 +79,7 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * PUT /moderation/template-submissions/:documentId/review
+   * PUT /api/moderation/template-submissions/:documentId/review
    * Save draft review fields (admin only).
    */
   async updateReview(ctx) {
@@ -95,35 +95,13 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * POST /moderation/template-submissions/:documentId/decide
-   * Approve or reject a template submission (admin only).
+   * POST /api/moderation/template-submissions/:documentId/publish
+   * Publish an approved template submission (admin only).
    */
-  async decide(ctx) {
-    const { documentId } = ctx.params;
-    const body = ctx.request.body?.data || ctx.request.body;
-    const { status, feedback, notes, reason } = body;
-
-    try {
-      const updated = await service(strapi).decide(documentId, {
-        status,
-        feedback,
-        notes,
-        reason,
-      });
-      ctx.body = { data: updated };
-    } catch (err) {
-      ctx.badRequest(err.message);
-    }
-  },
-
-  /**
-   * POST /moderation/template-submissions/:documentId/run-security-scan
-   * Manually trigger the n8n security-scan workflow for a template submission (admin only).
-   */
-  async runSecurityScan(ctx) {
+  async publish(ctx) {
     const { documentId } = ctx.params;
     try {
-      const result = await service(strapi).triggerSecurityScan(documentId);
+      const result = await service(strapi).publishTemplate(documentId);
       ctx.body = { data: result };
     } catch (err) {
       ctx.badRequest(err.message);
@@ -131,35 +109,20 @@ module.exports = ({ strapi }) => ({
   },
 
   /**
-   * GET /api/moderation/template-submissions/stale-scans?cutoff=<ISO timestamp>
-   * Content-api + API-token: returns template submissions whose scan has been
-   * 'running' since before `cutoff`. Consumed by the n8n scan-timeout-sweeper.
+   * POST /api/moderation/template-submissions/:documentId/decide
+   * Reject or request changes on a template submission (admin only).
    */
-  async listStaleScans(ctx) {
-    const { cutoff } = ctx.query;
-    if (!cutoff) return ctx.badRequest("cutoff query param is required");
-    try {
-      const results = await service(strapi).listStaleScans({ cutoff });
-      ctx.body = { data: results };
-    } catch (err) {
-      ctx.internalServerError(err.message);
-    }
-  },
-
-  /**
-   * POST /api/moderation/template-submissions/:documentId/security-scan-result
-   * Called by n8n (with a Strapi API token) to write back per-stage scan results.
-   */
-  async updateSecurityScan(ctx) {
+  async decide(ctx) {
     const { documentId } = ctx.params;
     const body = ctx.request.body?.data || ctx.request.body;
-    const { stage, result, status } = body || {};
+    const { status, feedback, reason } = body;
 
     try {
-      const updated = await service(strapi).updateSecurityScanResult(
-        documentId,
-        { stage, result, status },
-      );
+      const updated = await service(strapi).rejectOrRequestChanges(documentId, {
+        status,
+        feedback,
+        reason,
+      });
       ctx.body = { data: updated };
     } catch (err) {
       ctx.badRequest(err.message);
diff --git a/apps/cms/src/plugins/moderation/server/routes/template-submission.js b/apps/cms/src/plugins/moderation/server/routes/template-submission.js
index 169a8bc..ccfbb69 100644
--- a/apps/cms/src/plugins/moderation/server/routes/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/routes/template-submission.js
@@ -4,29 +4,10 @@ module.exports = {
     routes: [
       {
         method: "POST",
-        path: "/template-submissions",
+        path: "/templates/submit",
         handler: "template-submission.create",
         config: {
-          // Public endpoint — auth is handled at the Next.js proxy layer.
-          // The proxy must include a valid API token via Authorization header.
-          auth: false,
-          policies: [],
-        },
-      },
-      {
-        method: "POST",
-        path: "/template-submissions/:documentId/security-scan-result",
-        handler: "template-submission.updateSecurityScan",
-        config: {
-          // Called by n8n over the public API using a Strapi API token.
-          policies: [],
-        },
-      },
-      {
-        method: "GET",
-        path: "/template-submissions/stale-scans",
-        handler: "template-submission.listStaleScans",
-        config: {
+          auth: true,
           policies: [],
         },
       },
@@ -55,14 +36,14 @@ module.exports = {
       },
       {
         method: "POST",
-        path: "/template-submissions/:documentId/decide",
-        handler: "template-submission.decide",
+        path: "/template-submissions/:documentId/publish",
+        handler: "template-submission.publish",
         config: { policies: [] },
       },
       {
         method: "POST",
-        path: "/template-submissions/:documentId/run-security-scan",
-        handler: "template-submission.runSecurityScan",
+        path: "/template-submissions/:documentId/decide",
+        handler: "template-submission.decide",
         config: { policies: [] },
       },
     ],
diff --git a/apps/cms/src/plugins/moderation/server/services/template-submission.js b/apps/cms/src/plugins/moderation/server/services/template-submission.js
index ed486ab..940d88f 100644
--- a/apps/cms/src/plugins/moderation/server/services/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/template-submission.js
@@ -1,66 +1,145 @@
 /**
  * Template submission service.
  *
- * Templates have a simple single-track review: submitted → approved | rejected.
- * There are no automated checks and no two-track review process.
- *
- * Feedback to the submitter is delivered via n8n workflows (see TODO comments).
+ * Submissions create a draft api::template.template record directly.
+ * Moderation fields (overall_status, review statuses) live on Template.
+ * Approval = publish the draft. No data copy needed.
  */
 
 const { triggerN8nWebhook } = require("./n8n-webhook");
 
-const CONTENT_TYPE = "plugin::moderation.template-submission";
+const CONTENT_TYPE = "api::template.template";
+
+/**
+ * Find a Better Auth user by email, or create a minimal record.
+ * Blocking — caller must await this before creating the Template.
+ */
+async function findOrCreateUser(strapi, { email, name }) {
+  const existing = await strapi.documents("plugin::better-auth.user").findMany({
+    filters: { email: { $eq: email } },
+    pagination: { pageSize: 1 },
+  });
+
+  if (existing?.length > 0) return existing[0].documentId;
 
-const VALID_SCAN_STAGES = ["dependencies", "ai_analysis", "summary"];
+  const created = await strapi
+    .documents("plugin::better-auth.user")
+    .create({ data: { email, name } });
 
-function buildLifecyclePayload(submission, extras = {}) {
+  return created.documentId;
+}
+
+/**
+ * Resolve category name strings to template-category documentIds.
+ * Unknown categories are silently dropped — Template schema is the authority.
+ */
+async function resolveCategories(strapi, categoryNames) {
+  if (!Array.isArray(categoryNames) || categoryNames.length === 0) return [];
+  const results = await strapi
+    .documents("api::template-category.template-category")
+    .findMany({
+      filters: { name: { $in: categoryNames } },
+      pagination: { pageSize: 100 },
+    });
+  return (results ?? []).map((c) => ({ documentId: c.documentId }));
+}
+
+function buildLifecyclePayload(template, extras = {}) {
   const adminBase = (
     process.env.CLOUD_APP_URL || "http://localhost:1337"
   ).replace(/\/$/, "");
-  const adminPath = `/admin/plugins/moderation/template-submissions/${submission.documentId}`;
   return {
-    submissionId: submission.documentId,
+    templateId: template.documentId,
     submission_kind: "template",
-    template_name: submission.template_name,
-    repository_url: submission.repository_url,
-    demo_url: submission.demo_url || null,
-    owner_name: submission.owner_name,
-    owner_email: submission.owner_email,
-    dashboard_link: `${adminBase}${adminPath}`,
+    name: template.name,
+    git_repository: template.git_repository,
+    preview_link: template.preview_link || null,
+    dashboard_link: `${adminBase}/admin/content-manager/collection-types/api::template.template/${template.documentId}`,
     ...extras,
   };
 }
 
 module.exports = ({ strapi }) => ({
   /**
-   * Create a new template submission.
-   * Called by the public-facing API endpoint proxied through Next.js.
+   * Create a draft Template from a public submission.
+   * Owner is resolved to a Better Auth user (blocking).
    */
   async createSubmission(data, submitterIp) {
-    const submission = await strapi.documents(CONTENT_TYPE).create({
+    // Resolve owner (blocking — required relation)
+    const ownerDocumentId = await findOrCreateUser(strapi, {
+      email: data.owner_email,
+      name: data.owner_name,
+    });
+
+    // Resolve categories
+    const categoryConnect = await resolveCategories(
+      strapi,
+      data.categories_list || [],
+    );
+
+    const template = await strapi.documents(CONTENT_TYPE).create({
       data: {
-        template_name: data.template_name,
+        name: data.template_name,
         description: data.description,
-        repository_url: data.repository_url,
-        demo_url: data.demo_url || null,
-        logo_url: data.logo_url || null,
-        categories_list: data.categories_list || [],
-        owner_name: data.owner_name,
-        owner_email: data.owner_email,
-        submission_notes: data.submission_notes || null,
-        submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
-        submitter_ip: submitterIp || null,
+        git_repository: data.repository_url,
+        preview_link: data.demo_url || null,
+        readme: data.readme || null,
+        labels: { official: false, featured: false, paid: false },
+        owner: {
+          connect: [
+            { documentId: ownerDocumentId, __type: "plugin::better-auth.user" },
+          ],
+        },
+        categories: { connect: categoryConnect },
+        ...(data.logo_documentId
+          ? {
+              preview_image: {
+                connect: [{ documentId: data.logo_documentId }],
+              },
+            }
+          : {}),
+        // Moderation fields
         overall_status: "submitted",
+        business_review_status: "pending",
+        submitter_ip: submitterIp || null,
+        submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
+        submission_notes: data.submission_notes || null,
       },
     });
 
+    // Fire-and-forget n8n notification
     triggerN8nWebhook(
       "template-submission-received",
-      buildLifecyclePayload(submission),
+      buildLifecyclePayload(template),
+      { strapi },
+    );
+
+    return template;
+  },
+
+  /**
+   * Approve a submission by publishing the draft Template.
+   * No data copy — the draft IS the template.
+   */
+  async publishTemplate(documentId) {
+    const template = await strapi
+      .documents(CONTENT_TYPE)
+      .findOne({ documentId });
+    if (!template) throw new Error("Template not found.");
+    if (template.overall_status !== "approved")
+      throw new Error("Template must be approved before publishing.");
+
+    const published = await strapi
+      .documents(CONTENT_TYPE)
+      .publish({ documentId });
+
+    triggerN8nWebhook(
+      "template-approved",
+      buildLifecyclePayload(template, { template_slug: published.slug }),
       { strapi },
     );
 
-    return submission;
+    return published;
   },
 
   /**
@@ -69,55 +148,46 @@ module.exports = ({ strapi }) => ({
    */
   async updateReview(documentId, reviewData) {
     const {
-      overall_status,
+      business_review_status,
       reviewer_feedback,
-      reviewer_notes,
       rejection_reason,
+      business_review_notes,
+      overall_status,
     } = reviewData;
 
-    if (
-      overall_status &&
-      !["submitted", "approved", "rejected"].includes(overall_status)
-    ) {
-      throw new Error("Invalid overall_status value.");
-    }
-
     return strapi.documents(CONTENT_TYPE).update({
       documentId,
       data: {
-        ...(overall_status && { overall_status }),
+        ...(business_review_status && { business_review_status }),
         ...(reviewer_feedback !== undefined && { reviewer_feedback }),
-        ...(reviewer_notes !== undefined && { reviewer_notes }),
         ...(rejection_reason !== undefined && { rejection_reason }),
+        ...(business_review_notes !== undefined && { business_review_notes }),
+        ...(overall_status && { overall_status }),
       },
     });
   },
 
-  /**
-   * Approve or reject a template submission.
-   * Triggers the appropriate n8n workflow (TODO).
-   */
-  async decide(documentId, { status, feedback, notes, reason }) {
-    if (!["approved", "rejected"].includes(status)) {
-      throw new Error("Status must be 'approved' or 'rejected'.");
+  async rejectOrRequestChanges(documentId, { status, reason, feedback }) {
+    if (!["rejected", "changes_requested"].includes(status)) {
+      throw new Error("Status must be 'rejected' or 'changes_requested'.");
     }
 
     const updated = await strapi.documents(CONTENT_TYPE).update({
       documentId,
       data: {
         overall_status: status,
-        reviewer_feedback: feedback || null,
-        reviewer_notes: notes || null,
         rejection_reason: reason || null,
+        reviewer_feedback: feedback || null,
       },
     });
 
     triggerN8nWebhook(
-      status === "approved" ? "template-approved" : "template-declined",
+      status === "rejected"
+        ? "template-declined"
+        : "template-changes-requested",
       buildLifecyclePayload(updated, {
         reason: reason || null,
         feedback: feedback || null,
-        notes: notes || null,
       }),
       { strapi },
     );
@@ -129,27 +199,16 @@ module.exports = ({ strapi }) => ({
    * List template submissions with optional status filter and pagination.
    */
   async listSubmissions({ status, page = 1, pageSize = 25 } = {}) {
-    const filters = status ? { overall_status: { $eq: status } } : {};
+    const baseFilter = {
+      overall_status: status
+        ? { $eq: status }
+        : { $in: ["submitted", "under_review", "changes_requested"] },
+    };
     return strapi.documents(CONTENT_TYPE).findMany({
-      filters,
+      filters: baseFilter,
       sort: { createdAt: "desc" },
       pagination: { page, pageSize },
-    });
-  },
-
-  /**
-   * List submissions whose security scan is stuck in 'running' past a cutoff.
-   * Consumed by the n8n scan-timeout-sweeper workflow.
-   */
-  async listStaleScans({ cutoff }) {
-    if (!cutoff) return [];
-    return strapi.documents(CONTENT_TYPE).findMany({
-      filters: {
-        security_scan_status: { $eq: "running" },
-        security_scan_started_at: { $lt: cutoff },
-      },
-      fields: ["documentId", "template_name", "security_scan_started_at"],
-      pagination: { page: 1, pageSize: 50 },
+      status: "draft",
     });
   },
 
@@ -157,86 +216,8 @@ module.exports = ({ strapi }) => ({
    * Fetch a single template submission by documentId.
    */
   async getSubmission(documentId) {
-    return strapi.documents(CONTENT_TYPE).findOne({ documentId });
-  },
-
-  /**
-   * Trigger the n8n security-scan workflow for a template submission.
-   * Templates are repo-only (no published artifact); `package_info` is always null
-   * in the webhook payload, and the workflow falls back to repo + AI-only analysis.
-   */
-  async triggerSecurityScan(documentId) {
-    const submission = await strapi.documents(CONTENT_TYPE).findOne({
-      documentId,
-    });
-    if (!submission) throw new Error("Submission not found.");
-
-    if (submission.security_scan_status === "running") {
-      throw new Error(
-        "A security scan is already running for this submission.",
-      );
-    }
-
-    await strapi.documents(CONTENT_TYPE).update({
-      documentId,
-      data: {
-        security_scan_status: "running",
-        security_scan_started_at: new Date().toISOString(),
-      },
-    });
-
-    const payload = {
-      ...buildLifecyclePayload(submission),
-      plugin_name: submission.template_name,
-      package_location: null,
-      readme: submission.description,
-      package_info: null,
-    };
-
-    const result = await triggerN8nWebhook("security-scan", payload, {
-      strapi,
-    });
-    if (!result.ok) {
-      await strapi.documents(CONTENT_TYPE).update({
-        documentId,
-        data: { security_scan_status: "failed" },
-      });
-      throw new Error(result.error || "Failed to trigger n8n security scan.");
-    }
-
-    return { documentId, status: "running" };
-  },
-
-  /**
-   * Write back a single security-scan stage result from n8n.
-   * Stages: dependencies, ai_analysis, summary.
-   * Also accepts status transitions: 'completed' or 'failed' (with no stage result).
-   *
-   * Templates do not have a separate npm_advisories stage (no registry artifact).
-   */
-  async updateSecurityScanResult(documentId, { stage, result, status }) {
-    if (stage && !VALID_SCAN_STAGES.includes(stage)) {
-      throw new Error(
-        `Invalid scan stage '${stage}'. Expected one of: ${VALID_SCAN_STAGES.join(", ")}.`,
-      );
-    }
-
-    const data = {};
-    if (stage === "dependencies")
-      data.security_scan_dependencies = result ?? null;
-    if (stage === "ai_analysis")
-      data.security_scan_ai_analysis = result ?? null;
-    if (stage === "summary") data.security_scan_summary = result ?? null;
-
-    if (status === "completed" || status === "failed") {
-      data.security_scan_status = status;
-      data.security_scan_run_at = new Date().toISOString();
-    }
-
-    if (Object.keys(data).length === 0) {
-      throw new Error("No stage result or status transition provided.");
-    }
-
-    return strapi.documents(CONTENT_TYPE).update({ documentId, data });
+    return strapi
+      .documents(CONTENT_TYPE)
+      .findOne({ documentId, status: "draft" });
   },
 });

From c5bee19700474ab7e4593123a0453286bbba2925 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 09:41:44 +0100
Subject: [PATCH 19/26] refactor(cms/moderation): update admin pages to use
 Package/Template types and field names
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace hand-written PluginSubmissionDetail interface with Data.ContentType<"api::package.package">,
update field name references (plugin_name→name, repository_url→git_repository, package_type→type),
and use optional chaining for owner relation fields (owner_name/owner_email removed in favour of
submission.owner?.name / submission.owner?.email).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../src/pages/SubmissionDetail/index.tsx      | 180 +++++++-----------
 .../admin/src/pages/SubmissionList/index.tsx  |  28 +--
 2 files changed, 77 insertions(+), 131 deletions(-)

diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
index 697f7bb..ffe6c08 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
@@ -7,11 +7,15 @@ import {
   Typography,
 } from "@strapi/design-system";
 import { ArrowLeft, ExternalLink } from "@strapi/icons";
+import type { Data } from "@strapi/strapi";
 import { useFetchClient, useNotification } from "@strapi/strapi/admin";
 import { useEffect, useState } from "react";
 import { useNavigate, useParams } from "react-router-dom";
 import { ReviewPanel } from "../../components/ReviewPanel";
 
+// Inferred from generated types — no manual sync needed.
+type PackageSubmissionDetail = Data.ContentType<"api::package.package">;
+
 interface AutomatedCheckResult {
   passed: boolean | null;
   skipped?: boolean;
@@ -25,32 +29,6 @@ interface AutomatedChecks {
   checks?: Record<string, AutomatedCheckResult>;
 }
 
-interface PluginSubmissionDetail {
-  documentId: string;
-  plugin_name: string;
-  package_location: string | null;
-  description: string;
-  repository_url: string;
-  logo_url: string | null;
-  package_type: string;
-  categories_list: string[];
-  owner_name: string;
-  owner_email: string;
-  maintainers_list: Array<{ name: string; email?: string }>;
-  readme: string | null;
-  submission_notes: string | null;
-  overall_status: string;
-  business_review_status: "pending" | "approved" | "rejected";
-  security_review_status: "pending" | "approved" | "rejected";
-  reviewer_feedback: string | null;
-  rejection_reason: string | null;
-  business_review_notes: string | null;
-  security_review_notes: string | null;
-  automated_check_results: AutomatedChecks | null;
-  promoted_package: { documentId: string } | null;
-  createdAt: string;
-}
-
 const STATUS_STYLES: Record<
   string,
   { bg: string; color: string; label: string }
@@ -276,7 +254,7 @@ export const SubmissionDetail = () => {
   const { get } = useFetchClient();
   const { toggleNotification } = useNotification();
 
-  const [submission, setSubmission] = useState<PluginSubmissionDetail | null>(
+  const [submission, setSubmission] = useState<PackageSubmissionDetail | null>(
     null,
   );
   const [loading, setLoading] = useState(true);
@@ -346,26 +324,8 @@ export const SubmissionDetail = () => {
           background="neutral200"
           style={{ width: 1, height: 20, flexShrink: 0 }}
         />
-        {submission.logo_url && (
-          <Box
-            style={{
-              width: 36,
-              height: 36,
-              borderRadius: 8,
-              overflow: "hidden",
-              border: "1px solid #e3e9ef",
-              flexShrink: 0,
-            }}
-          >
-            <img
-              src={submission.logo_url}
-              alt=""
-              style={{ width: "100%", height: "100%", objectFit: "cover" }}
-            />
-          </Box>
-        )}
         <Typography variant="alpha" style={{ lineHeight: 1 }}>
-          {submission.plugin_name}
+          {submission.name}
         </Typography>
         <StatusBadge status={submission.overall_status} />
       </Flex>
@@ -407,62 +367,48 @@ export const SubmissionDetail = () => {
               <Box style={{ width: "100%" }}>
                 <Card title="Plugin Info">
                   <Box>
-                    <InfoRow
-                      label="Plugin Name"
-                      value={submission.plugin_name}
-                    />
+                    <InfoRow label="Plugin Name" value={submission.name} />
                     <Divider />
                     <InfoRow
                       label="Registry URL"
                       value={submission.package_location ?? "—"}
                     />
                     <Divider />
-                    <InfoRow
-                      label="Package Type"
-                      value={submission.package_type}
-                    />
-                    <Divider />
-                    <InfoRow
-                      label="Repository URL"
-                      value={
-                        <a
-                          href={submission.repository_url}
-                          target="_blank"
-                          rel="noreferrer"
-                          style={{ color: "inherit", textDecoration: "none" }}
-                        >
-                          <Flex as="span" gap={1} alignItems="flex-start">
-                            <Typography
-                              textColor="primary600"
-                              style={{
-                                wordBreak: "break-all",
-                                display: "inline",
-                                textAlign: "left",
-                              }}
-                            >
-                              {submission.repository_url}
-                            </Typography>
-                            <Box style={{ flexShrink: 0, marginTop: 2 }}>
-                              <ExternalLink
-                                aria-hidden
-                                style={{ width: 12, height: 12 }}
-                              />
-                            </Box>
-                          </Flex>
-                        </a>
-                      }
-                    />
-                    {submission.categories_list?.length > 0 && (
+                    <InfoRow label="Package Type" value={submission.type} />
+                    {submission.git_repository && (
                       <>
                         <Divider />
                         <InfoRow
-                          label="Categories"
+                          label="Repository URL"
                           value={
-                            <Flex gap={1} flexWrap="wrap">
-                              {submission.categories_list.map((c) => (
-                                <CategoryPill key={c} label={c} />
-                              ))}
-                            </Flex>
+                            <a
+                              href={submission.git_repository}
+                              target="_blank"
+                              rel="noreferrer"
+                              style={{
+                                color: "inherit",
+                                textDecoration: "none",
+                              }}
+                            >
+                              <Flex as="span" gap={1} alignItems="flex-start">
+                                <Typography
+                                  textColor="primary600"
+                                  style={{
+                                    wordBreak: "break-all",
+                                    display: "inline",
+                                    textAlign: "left",
+                                  }}
+                                >
+                                  {submission.git_repository}
+                                </Typography>
+                                <Box style={{ flexShrink: 0, marginTop: 2 }}>
+                                  <ExternalLink
+                                    aria-hidden
+                                    style={{ width: 12, height: 12 }}
+                                  />
+                                </Box>
+                              </Flex>
+                            </a>
                           }
                         />
                       </>
@@ -492,26 +438,32 @@ export const SubmissionDetail = () => {
                 <Box style={{ flex: 1, minWidth: 0 }}>
                   <Card title="Owner">
                     <Flex gap={3} alignItems="center">
-                      <Box
-                        background="primary100"
-                        style={{
-                          width: 40,
-                          height: 40,
-                          borderRadius: "50%",
-                          display: "flex",
-                          alignItems: "center",
-                          justifyContent: "center",
-                          flexShrink: 0,
-                        }}
-                      >
-                        <Typography
-                          fontWeight="bold"
-                          textColor="primary600"
-                          variant="beta"
+                      {(submission.owner as { name?: string } | null)?.name && (
+                        <Box
+                          background="primary100"
+                          style={{
+                            width: 40,
+                            height: 40,
+                            borderRadius: "50%",
+                            display: "flex",
+                            alignItems: "center",
+                            justifyContent: "center",
+                            flexShrink: 0,
+                          }}
                         >
-                          {submission.owner_name.charAt(0).toUpperCase()}
-                        </Typography>
-                      </Box>
+                          <Typography
+                            fontWeight="bold"
+                            textColor="primary600"
+                            variant="beta"
+                          >
+                            {(
+                              submission.owner as { name?: string } | null
+                            )?.name
+                              ?.charAt(0)
+                              .toUpperCase()}
+                          </Typography>
+                        </Box>
+                      )}
                       <Box style={{ minWidth: 0 }}>
                         <Typography
                           fontWeight="semiBold"
@@ -524,7 +476,8 @@ export const SubmissionDetail = () => {
                             textOverflow: "ellipsis",
                           }}
                         >
-                          {submission.owner_name}
+                          {(submission.owner as { name?: string } | null)
+                            ?.name ?? "—"}
                         </Typography>
                         <Typography
                           variant="pi"
@@ -537,7 +490,8 @@ export const SubmissionDetail = () => {
                             textOverflow: "ellipsis",
                           }}
                         >
-                          {submission.owner_email}
+                          {(submission.owner as { email?: string } | null)
+                            ?.email ?? ""}
                         </Typography>
                       </Box>
                     </Flex>
diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
index 0e74904..1c33967 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionList/index.tsx
@@ -25,11 +25,9 @@ export type SubmissionStatus =
 
 export interface PluginSubmission {
   documentId: string;
-  plugin_name: string;
+  name: string;
   package_location: string | null;
-  repository_url: string;
-  owner_name: string;
-  owner_email: string;
+  owner?: { name?: string; email?: string } | null;
   overall_status: SubmissionStatus;
   business_review_status: "pending" | "approved" | "rejected";
   security_review_status: "pending" | "approved" | "rejected";
@@ -38,10 +36,8 @@ export interface PluginSubmission {
 
 export interface TemplateSubmission {
   documentId: string;
-  template_name: string;
-  repository_url: string;
-  owner_name: string;
-  owner_email: string;
+  name: string;
+  owner?: { name?: string; email?: string } | null;
   overall_status: "submitted" | "approved" | "rejected";
   createdAt: string;
 }
@@ -234,9 +230,7 @@ export const SubmissionList = () => {
                 <Tr key={s.documentId}>
                   <Td>
                     <Flex direction="column" alignItems="flex-start" gap={1}>
-                      <Typography fontWeight="semiBold">
-                        {s.plugin_name}
-                      </Typography>
+                      <Typography fontWeight="semiBold">{s.name}</Typography>
                       {s.package_location && (
                         <Typography variant="pi" textColor="neutral600">
                           {s.package_location}
@@ -246,9 +240,9 @@ export const SubmissionList = () => {
                   </Td>
                   <Td>
                     <Flex direction="column" alignItems="flex-start" gap={1}>
-                      <Typography>{s.owner_name}</Typography>
+                      <Typography>{s.owner?.name ?? "—"}</Typography>
                       <Typography variant="pi" textColor="neutral600">
-                        {s.owner_email}
+                        {s.owner?.email ?? ""}
                       </Typography>
                     </Flex>
                   </Td>
@@ -330,15 +324,13 @@ export const SubmissionList = () => {
             {templates.map((s) => (
               <Tr key={s.documentId}>
                 <Td>
-                  <Typography fontWeight="semiBold">
-                    {s.template_name}
-                  </Typography>
+                  <Typography fontWeight="semiBold">{s.name}</Typography>
                 </Td>
                 <Td>
                   <Flex direction="column" alignItems="flex-start" gap={1}>
-                    <Typography>{s.owner_name}</Typography>
+                    <Typography>{s.owner?.name ?? "—"}</Typography>
                     <Typography variant="pi" textColor="neutral600">
-                      {s.owner_email}
+                      {s.owner?.email ?? ""}
                     </Typography>
                   </Flex>
                 </Td>

From 96fb5f97d9ffa82f338a8b58f30f575e10a767b1 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 09:44:51 +0100
Subject: [PATCH 20/26] fix(web): update submit-plugin proxy to use Package
 schema field names and media documentId

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 apps/web/src/app/api/submit-plugin/route.ts | 40 +++++++--------------
 1 file changed, 13 insertions(+), 27 deletions(-)

diff --git a/apps/web/src/app/api/submit-plugin/route.ts b/apps/web/src/app/api/submit-plugin/route.ts
index b5f26bd..b5b7643 100644
--- a/apps/web/src/app/api/submit-plugin/route.ts
+++ b/apps/web/src/app/api/submit-plugin/route.ts
@@ -83,7 +83,7 @@ function str(value: FormDataEntryValue | null): string | null {
 
 /**
  * Upload a logo file to Strapi's media library.
- * Returns the public URL of the uploaded file, or null on failure.
+ * Returns the documentId of the uploaded file, or null on failure.
  */
 async function uploadLogoToStrapi(file: File): Promise<string | null> {
   const form = new FormData();
@@ -92,27 +92,13 @@ async function uploadLogoToStrapi(file: File): Promise<string | null> {
   try {
     const res = await fetch(`${CMS_URL}/api/upload`, {
       method: "POST",
-      headers: {
-        ...(CMS_BEARER_TOKEN
-          ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
-          : {}),
-      },
+      headers: CMS_BEARER_TOKEN ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` } : {},
       body: form,
     });
-
-    if (!res.ok) {
-      console.error(`[submit-plugin] Logo upload failed: ${res.status}`);
-      return null;
-    }
-
-    const data = (await res.json()) as Array<{ url: string }>;
-    const url = data[0]?.url;
-    if (!url) return null;
-
-    // Strapi returns a relative URL for local uploads — make it absolute.
-    return url.startsWith("http") ? url : `${CMS_URL}${url}`;
-  } catch (err) {
-    console.error("[submit-plugin] Logo upload error:", err);
+    if (!res.ok) return null;
+    const data = (await res.json()) as Array<{ documentId: string }>;
+    return data[0]?.documentId ?? null;
+  } catch {
     return null;
   }
 }
@@ -180,7 +166,7 @@ export async function POST(req: NextRequest) {
   }
 
   // --- Logo upload ---
-  let logo_url: string | null = null;
+  let logoDocumentId: string | null = null;
   const logoFile = formData.get("logo_file");
   if (logoFile instanceof File && logoFile.size > 0) {
     if (
@@ -203,9 +189,9 @@ export async function POST(req: NextRequest) {
         { status: 422 },
       );
     }
-    logo_url = await uploadLogoToStrapi(logoFile);
+    logoDocumentId = await uploadLogoToStrapi(logoFile);
     // Non-fatal: submission proceeds even if upload fails; reviewer can add logo later.
-    if (!logo_url) {
+    if (!logoDocumentId) {
       console.warn(
         "[submit-plugin] Logo upload failed — submission will proceed without logo.",
       );
@@ -226,11 +212,10 @@ export async function POST(req: NextRequest) {
   // --- Build submission payload ---
   const payload = {
     plugin_name,
-    package_location: str(formData.get("package_location")),
     description,
     repository_url,
-    logo_url,
-    package_type: "plugin",
+    package_location: str(formData.get("package_location")),
+    package_type: str(formData.get("package_type")) || "plugin",
     categories_list,
     owner_name,
     owner_email,
@@ -238,6 +223,7 @@ export async function POST(req: NextRequest) {
     readme: str(formData.get("readme")),
     submission_notes: str(formData.get("submission_notes")),
     submitter_agreed_to_terms: true,
+    logo_documentId: logoDocumentId ?? null,
   };
 
   // --- Proxy to Strapi ---
@@ -249,7 +235,7 @@ export async function POST(req: NextRequest) {
 
   let strapiRes: Response;
   try {
-    strapiRes = await fetch(`${CMS_URL}/api/moderation/plugin-submissions`, {
+    strapiRes = await fetch(`${CMS_URL}/api/moderation/packages/submit`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",

From bec7b23ddb5322fd6f6a553660e270a611d5e5c8 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 09:46:45 +0100
Subject: [PATCH 21/26] fix(web): update submit-template proxy to use Template
 schema field names and media documentId

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 apps/web/src/app/api/submit-template/route.ts | 29 +++++++------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/apps/web/src/app/api/submit-template/route.ts b/apps/web/src/app/api/submit-template/route.ts
index 48642b1..c720f6c 100644
--- a/apps/web/src/app/api/submit-template/route.ts
+++ b/apps/web/src/app/api/submit-template/route.ts
@@ -78,11 +78,7 @@ async function uploadLogoToStrapi(file: File): Promise<string | null> {
   try {
     const res = await fetch(`${CMS_URL}/api/upload`, {
       method: "POST",
-      headers: {
-        ...(CMS_BEARER_TOKEN
-          ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
-          : {}),
-      },
+      headers: CMS_BEARER_TOKEN ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` } : {},
       body: form,
     });
 
@@ -91,11 +87,8 @@ async function uploadLogoToStrapi(file: File): Promise<string | null> {
       return null;
     }
 
-    const data = (await res.json()) as Array<{ url: string }>;
-    const url = data[0]?.url;
-    if (!url) return null;
-
-    return url.startsWith("http") ? url : `${CMS_URL}${url}`;
+    const data = (await res.json()) as Array<{ documentId: string }>;
+    return data[0]?.documentId ?? null;
   } catch (err) {
     console.error("[submit-template] Logo upload error:", err);
     return null;
@@ -168,7 +161,7 @@ export async function POST(req: NextRequest) {
   }
 
   // --- Logo upload ---
-  let logo_url: string | null = null;
+  let logoDocumentId: string | null = null;
   const logoFile = formData.get("logo_file");
   if (logoFile instanceof File && logoFile.size > 0) {
     if (
@@ -191,8 +184,8 @@ export async function POST(req: NextRequest) {
         { status: 422 },
       );
     }
-    logo_url = await uploadLogoToStrapi(logoFile);
-    if (!logo_url) {
+    logoDocumentId = await uploadLogoToStrapi(logoFile);
+    if (!logoDocumentId) {
       console.warn(
         "[submit-template] Logo upload failed — submission will proceed without logo.",
       );
@@ -216,12 +209,13 @@ export async function POST(req: NextRequest) {
     description,
     repository_url,
     demo_url,
-    logo_url,
     categories_list,
     owner_name,
     owner_email,
+    maintainers_list: [],
     submission_notes: str(formData.get("submission_notes")),
     submitter_agreed_to_terms: true,
+    logo_documentId: logoDocumentId ?? null,
   };
 
   // --- Proxy to Strapi ---
@@ -233,7 +227,7 @@ export async function POST(req: NextRequest) {
 
   let strapiRes: Response;
   try {
-    strapiRes = await fetch(`${CMS_URL}/api/moderation/template-submissions`, {
+    strapiRes = await fetch(`${CMS_URL}/api/moderation/templates/submit`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -255,9 +249,8 @@ export async function POST(req: NextRequest) {
   }
 
   if (!strapiRes.ok) {
-    console.error(
-      `[submit-template] Strapi returned status ${strapiRes.status}`,
-    );
+    const body = await strapiRes.text();
+    console.error(`[submit-template] Strapi ${strapiRes.status}: ${body}`);
     return NextResponse.json(
       { error: "Submission failed. Please try again." },
       { status: 500 },

From 085cbe121c4a83be5c23dde116bf0448abdd4abf Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 09:53:08 +0100
Subject: [PATCH 22/26] refactor(web): replace categories proxy with
 server-component cmsClient fetch

- Delete the /api/categories proxy route
- Extract client-side form logic into SubmitPluginForm and SubmitTemplateForm
  components ("use client") receiving initialCategories as props
- Convert submit/plugin/page.tsx and submit/template/page.tsx to async server
  components that fetch categories via cmsClient and pass them as props
- Fix pre-existing incorrect imports: Container and Button now imported from
  @repo/strapi-ui (were pointing to non-existent local paths), size="large"
  corrected to size="lg" to match ButtonProps type

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 apps/web/src/app/api/categories/route.ts      |  34 -
 .../app/submit/plugin/SubmitPluginForm.tsx    | 834 +++++++++++++++++
 apps/web/src/app/submit/plugin/page.tsx       | 859 +-----------------
 .../submit/template/SubmitTemplateForm.tsx    | 812 +++++++++++++++++
 apps/web/src/app/submit/template/page.tsx     | 836 +----------------
 5 files changed, 1684 insertions(+), 1691 deletions(-)
 delete mode 100644 apps/web/src/app/api/categories/route.ts
 create mode 100644 apps/web/src/app/submit/plugin/SubmitPluginForm.tsx
 create mode 100644 apps/web/src/app/submit/template/SubmitTemplateForm.tsx

diff --git a/apps/web/src/app/api/categories/route.ts b/apps/web/src/app/api/categories/route.ts
deleted file mode 100644
index 5104a63..0000000
--- a/apps/web/src/app/api/categories/route.ts
+++ /dev/null
@@ -1,34 +0,0 @@
-import { NextResponse } from "next/server";
-
-const CMS_URL = process.env.NEXT_PUBLIC_CMS_URL ?? "http://localhost:1337";
-const CMS_BEARER_TOKEN = process.env.CMS_BEARER_TOKEN;
-
-/**
- * GET /api/categories
- * Server-side proxy that fetches published categories from Strapi.
- * Avoids CORS issues and keeps the CMS token out of the browser.
- */
-export async function GET() {
-  try {
-    const res = await fetch(
-      `${CMS_URL}/api/categories?pagination[pageSize]=100&sort=name:asc&fields[0]=name&status=published`,
-      {
-        headers: {
-          ...(CMS_BEARER_TOKEN
-            ? { Authorization: `Bearer ${CMS_BEARER_TOKEN}` }
-            : {}),
-        },
-        next: { revalidate: 300 },
-      },
-    );
-
-    if (!res.ok) {
-      return NextResponse.json({ data: [] }, { status: 200 });
-    }
-
-    const json = await res.json();
-    return NextResponse.json(json);
-  } catch {
-    return NextResponse.json({ data: [] }, { status: 200 });
-  }
-}
diff --git a/apps/web/src/app/submit/plugin/SubmitPluginForm.tsx b/apps/web/src/app/submit/plugin/SubmitPluginForm.tsx
new file mode 100644
index 0000000..1623e96
--- /dev/null
+++ b/apps/web/src/app/submit/plugin/SubmitPluginForm.tsx
@@ -0,0 +1,834 @@
+"use client";
+
+// TODO: Set NEXT_PUBLIC_RECAPTCHA_SITE_KEY in .env (v3 site key from https://www.google.com/recaptcha/admin)
+
+import { Button, Container } from "@repo/strapi-ui";
+import Image from "next/image";
+import Link from "next/link";
+import Script from "next/script";
+import { useRef, useState } from "react";
+import { Navigation } from "@/components/layout/navigation";
+import { Checkbox } from "@/components/ui/checkbox";
+import { Input } from "@/components/ui/input";
+import { cn } from "@/lib/utils";
+
+declare global {
+  interface Window {
+    // reCAPTCHA Enterprise exposes grecaptcha.enterprise, not grecaptcha directly
+    grecaptcha: {
+      enterprise: {
+        ready: (cb: () => void) => void;
+        execute: (
+          siteKey: string,
+          options: { action: string },
+        ) => Promise<string>;
+      };
+    };
+  }
+}
+
+const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "";
+
+// ---------------------------------------------------------------------------
+// Small UI helpers
+// ---------------------------------------------------------------------------
+
+function Label({
+  htmlFor,
+  children,
+  required,
+}: {
+  htmlFor: string;
+  children: React.ReactNode;
+  required?: boolean;
+}) {
+  return (
+    <label
+      htmlFor={htmlFor}
+      className="mb-1.5 block text-sm font-medium text-(--color-neutral800)"
+    >
+      {children}
+      {required && (
+        <span className="ml-0.5 text-(--color-primary600)" aria-hidden>
+          *
+        </span>
+      )}
+    </label>
+  );
+}
+
+function FieldError({ message }: { message?: string }) {
+  if (!message) return null;
+  return (
+    <p role="alert" className="mt-1 text-xs text-red-600">
+      {message}
+    </p>
+  );
+}
+
+function Hint({ children }: { children: React.ReactNode }) {
+  return <p className="mt-1 text-xs text-(--color-neutral600)">{children}</p>;
+}
+
+function Textarea({
+  id,
+  value,
+  onChange,
+  placeholder,
+  rows = 5,
+  hasError,
+}: {
+  id?: string;
+  value: string;
+  onChange: (v: string) => void;
+  placeholder?: string;
+  rows?: number;
+  hasError?: boolean;
+}) {
+  return (
+    <textarea
+      id={id}
+      value={value}
+      onChange={(e) => onChange(e.target.value)}
+      placeholder={placeholder}
+      rows={rows}
+      className={cn(
+        "flex w-full resize-y rounded-md border bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none placeholder:text-(--color-neutral600) focus-visible:border-(--color-primary200)",
+        hasError ? "border-red-400" : "border-(--color-neutral150)",
+      )}
+    />
+  );
+}
+
+function SectionDivider({ label }: { label: string }) {
+  return (
+    <div className="relative my-6">
+      <div className="absolute inset-0 flex items-center">
+        <div className="w-full border-t border-(--color-neutral150)" />
+      </div>
+      <div className="relative flex justify-start">
+        <span className="bg-white pr-3 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600)">
+          {label}
+        </span>
+      </div>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Logo upload field
+// ---------------------------------------------------------------------------
+
+function LogoUpload({
+  file,
+  onChange,
+  hasError,
+}: {
+  file: File | null;
+  onChange: (f: File | null) => void;
+  hasError?: boolean;
+}) {
+  const inputRef = useRef<HTMLInputElement>(null);
+  const [dragOver, setDragOver] = useState(false);
+  const preview = file ? URL.createObjectURL(file) : null;
+
+  const handleFiles = (files: FileList | null) => {
+    const f = files?.[0] ?? null;
+    onChange(f);
+  };
+
+  return (
+    <div>
+      <input
+        ref={inputRef}
+        id="logo_file"
+        type="file"
+        accept="image/png,image/jpeg,image/svg+xml,image/webp"
+        className="sr-only"
+        onChange={(e) => handleFiles(e.target.files)}
+      />
+
+      {/* Drop zone */}
+      <button
+        type="button"
+        onClick={() => inputRef.current?.click()}
+        onDragOver={(e) => {
+          e.preventDefault();
+          setDragOver(true);
+        }}
+        onDragLeave={() => setDragOver(false)}
+        onDrop={(e) => {
+          e.preventDefault();
+          setDragOver(false);
+          handleFiles(e.dataTransfer.files);
+        }}
+        className={cn(
+          "flex w-full flex-col items-center justify-center gap-2 rounded-md border-2 border-dashed px-4 py-8 text-sm transition-colors",
+          dragOver
+            ? "border-(--color-primary600) bg-(--color-primary100)"
+            : hasError
+              ? "border-red-400 bg-red-50"
+              : "border-(--color-neutral150) bg-(--color-neutral100) hover:border-(--color-primary200) hover:bg-(--color-primary100)",
+        )}
+      >
+        {preview ? (
+          <div className="flex flex-col items-center gap-3">
+            <Image
+              src={preview}
+              alt="Logo preview"
+              width={64}
+              height={64}
+              className="h-16 w-16 rounded-lg object-contain"
+              unoptimized
+            />
+            <span className="text-xs text-(--color-neutral600)">
+              {file?.name}{" "}
+              <span className="text-(--color-primary600) underline">
+                Change
+              </span>
+            </span>
+          </div>
+        ) : (
+          <>
+            {/* Upload icon */}
+            <svg
+              viewBox="0 0 24 24"
+              fill="none"
+              stroke="currentColor"
+              strokeWidth="1.5"
+              className="h-8 w-8 text-(--color-neutral400)"
+            >
+              <title>Upload a File</title>
+              <path
+                d="M12 16V8m0 0-3 3m3-3 3 3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+              <path
+                d="M20.39 18.39A5 5 0 0 0 18 9h-1.26A8 8 0 1 0 3 16.3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+            </svg>
+            <span className="font-medium text-(--color-neutral700)">
+              Upload a File
+            </span>
+            <span className="text-xs text-(--color-neutral500)">
+              Drag and drop or click to browse — PNG, JPEG, SVG, WebP · max 2 MB
+            </span>
+          </>
+        )}
+      </button>
+
+      {/* Clear button */}
+      {file && (
+        <button
+          type="button"
+          onClick={() => {
+            onChange(null);
+            if (inputRef.current) inputRef.current.value = "";
+          }}
+          className="mt-1 text-xs text-(--color-neutral600) hover:text-red-600"
+        >
+          Remove logo
+        </button>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Category pills
+// ---------------------------------------------------------------------------
+
+function CategoryPill({
+  label,
+  onRemove,
+}: {
+  label: string;
+  onRemove: () => void;
+}) {
+  return (
+    <span className="inline-flex items-center gap-1 rounded-full bg-(--color-primary100) px-3 py-1 text-xs font-medium text-(--color-primary700)">
+      {label}
+      <button
+        type="button"
+        onClick={onRemove}
+        className="ml-1 rounded-full p-0.5 hover:bg-(--color-primary200)"
+        aria-label={`Remove ${label}`}
+      >
+        ×
+      </button>
+    </span>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Form state
+// ---------------------------------------------------------------------------
+
+interface FormFields {
+  plugin_name: string;
+  package_location: string;
+  repository_url: string;
+  description: string;
+  logo_file: File | null;
+  categories_list: string[];
+  readme: string;
+  submission_notes: string;
+  owner_name: string;
+  owner_email: string;
+  agreed: boolean;
+}
+
+const INITIAL: FormFields = {
+  plugin_name: "",
+  package_location: "",
+  repository_url: "",
+  description: "",
+  logo_file: null,
+  categories_list: [],
+  readme: "",
+  submission_notes: "",
+  owner_name: "",
+  owner_email: "",
+  agreed: false,
+};
+
+type FieldErrors = Partial<Record<keyof FormFields | "_form", string>>;
+
+function validate(f: FormFields): FieldErrors {
+  const e: FieldErrors = {};
+  if (!f.plugin_name.trim()) e.plugin_name = "Plugin name is required.";
+  if (!f.description.trim()) e.description = "Description is required.";
+  if (!f.repository_url.trim()) {
+    e.repository_url = "Repository URL is required.";
+  } else if (!/^https?:\/\//i.test(f.repository_url.trim())) {
+    e.repository_url = "Must be a valid https:// URL.";
+  }
+  if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
+  if (!f.owner_email.trim()) {
+    e.owner_email = "Contact email is required.";
+  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(f.owner_email.trim())) {
+    e.owner_email = "Must be a valid email address.";
+  }
+  if (!f.agreed) e.agreed = "You must agree to the terms to continue.";
+  return e;
+}
+
+// ---------------------------------------------------------------------------
+// Success screen
+// ---------------------------------------------------------------------------
+
+function SuccessScreen() {
+  return (
+    <>
+      <Navigation theme="light" />
+      <main>
+        <Container>
+          <div className="flex min-h-[60vh] flex-col items-center justify-center py-24 text-center">
+            <div className="mb-6 flex h-16 w-16 items-center justify-center rounded-full bg-(--color-primary100)">
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-8 w-8 text-(--color-primary600)"
+              >
+                <title>Submission received</title>
+                <polyline points="20 6 9 17 4 12" />
+              </svg>
+            </div>
+            <h1 className="mb-3 text-2xl font-bold text-(--color-primary800)">
+              Submission received!
+            </h1>
+            <p className="mb-8 max-w-md text-sm leading-relaxed text-(--color-neutral600)">
+              Thank you for submitting your plugin. Our team will review it and
+              reach out at the email address you provided.
+            </p>
+            <Button href="/" variant="secondary">
+              Back to Marketplace
+            </Button>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Form
+// ---------------------------------------------------------------------------
+
+export function SubmitPluginForm({
+  initialCategories,
+}: {
+  initialCategories: string[];
+}) {
+  const [fields, setFields] = useState<FormFields>(INITIAL);
+  const [errors, setErrors] = useState<FieldErrors>({});
+  const [submitting, setSubmitting] = useState(false);
+  const [success, setSuccess] = useState(false);
+  const [categories] = useState<string[]>(initialCategories);
+
+  const set = <K extends keyof FormFields>(key: K, value: FormFields[K]) => {
+    setFields((f) => ({ ...f, [key]: value }));
+    setErrors((e) => ({ ...e, [key]: undefined }));
+  };
+
+  const addCategory = (cat: string) => {
+    if (cat && !fields.categories_list.includes(cat)) {
+      set("categories_list", [...fields.categories_list, cat]);
+    }
+  };
+
+  const removeCategory = (cat: string) => {
+    set(
+      "categories_list",
+      fields.categories_list.filter((c) => c !== cat),
+    );
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+
+    const errs = validate(fields);
+    if (Object.keys(errs).length > 0) {
+      setErrors(errs);
+      const firstKey = Object.keys(errs)[0];
+      document.getElementById(firstKey as string)?.focus();
+      return;
+    }
+
+    setSubmitting(true);
+    setErrors({});
+
+    try {
+      let recaptchaToken = "";
+      if (
+        RECAPTCHA_SITE_KEY &&
+        typeof window !== "undefined" &&
+        window.grecaptcha?.enterprise
+      ) {
+        await new Promise<void>((resolve) =>
+          window.grecaptcha.enterprise.ready(resolve),
+        );
+        recaptchaToken = await window.grecaptcha.enterprise.execute(
+          RECAPTCHA_SITE_KEY,
+          {
+            action: "submit_plugin",
+          },
+        );
+      }
+
+      const form = new FormData();
+      form.append("plugin_name", fields.plugin_name.trim());
+      form.append("package_location", fields.package_location.trim());
+      form.append("repository_url", fields.repository_url.trim());
+      form.append("description", fields.description.trim());
+      form.append("readme", fields.readme.trim());
+      form.append("submission_notes", fields.submission_notes.trim());
+      form.append("owner_name", fields.owner_name.trim());
+      form.append("owner_email", fields.owner_email.trim());
+      form.append("categories_list", JSON.stringify(fields.categories_list));
+      form.append("submitter_agreed_to_terms", "true");
+      form.append("recaptcha_token", recaptchaToken);
+      if (fields.logo_file) {
+        form.append("logo_file", fields.logo_file, fields.logo_file.name);
+      }
+
+      const res = await fetch("/api/submit-plugin", {
+        method: "POST",
+        body: form,
+      });
+      const data = (await res.json()) as {
+        success?: boolean;
+        error?: string;
+        errors?: string[];
+      };
+
+      if (!res.ok) {
+        setErrors({
+          _form:
+            (Array.isArray(data.errors) ? data.errors.join(" ") : data.error) ||
+            "Something went wrong. Please try again.",
+        });
+        return;
+      }
+
+      setSuccess(true);
+    } catch {
+      setErrors({
+        _form:
+          "Could not submit your plugin. Please check your connection and try again.",
+      });
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  if (success) return <SuccessScreen />;
+
+  const availableCategories = categories.filter(
+    (c) => !fields.categories_list.includes(c),
+  );
+
+  return (
+    <>
+      {RECAPTCHA_SITE_KEY && (
+        <Script
+          src={`https://www.google.com/recaptcha/enterprise.js?render=${RECAPTCHA_SITE_KEY}`}
+          strategy="lazyOnload"
+        />
+      )}
+
+      <Navigation theme="light" />
+
+      <main className="pb-24">
+        <Container>
+          {/* Back link */}
+          <div className="py-6">
+            <Link
+              href="/"
+              className="inline-flex items-center gap-2 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600) transition-colors hover:text-(--color-primary600)"
+            >
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-4 w-4"
+              >
+                <title>Back to submissions</title>
+                <polyline points="15 18 9 12 15 6" />
+              </svg>
+              Submit other content
+            </Link>
+          </div>
+
+          <div className="grid grid-cols-1 gap-12 lg:grid-cols-5">
+            {/* ── Left: intro ── */}
+            <div className="lg:col-span-2 lg:pt-2">
+              <p className="mb-2 text-sm text-(--color-neutral600)">
+                Submit your content
+              </p>
+              <h1 className="mb-4 text-4xl font-bold leading-tight text-(--color-primary800)">
+                Submit a Plugin
+              </h1>
+              <p className="text-sm leading-7 text-(--color-neutral700)">
+                Share your Strapi plugin with the community. All submissions go
+                through a business and security review before being listed in
+                the marketplace. We&rsquo;ll reach out if we need more
+                information.{" "}
+                <Link
+                  href="/community"
+                  className="underline underline-offset-2 hover:text-(--color-primary600)"
+                >
+                  Community Guidelines
+                </Link>
+              </p>
+
+              <div className="mt-8 space-y-3">
+                {[
+                  {
+                    title: "Business review",
+                    body: "We check your repo is public, MIT-licensed, has a README, and lists Strapi as a peer dependency.",
+                  },
+                  {
+                    title: "Security review",
+                    body: "We scan dependencies for known vulnerabilities and flag security concerns before listing.",
+                  },
+                ].map(({ title, body }) => (
+                  <div
+                    key={title}
+                    className="flex gap-3 rounded-lg border border-(--color-neutral150) bg-(--color-neutral100) px-4 py-3"
+                  >
+                    <div className="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-(--color-primary600) text-white">
+                      <svg
+                        viewBox="0 0 24 24"
+                        fill="none"
+                        stroke="currentColor"
+                        strokeWidth="2.5"
+                        className="h-3 w-3"
+                      >
+                        <title>Business review</title>
+                        <polyline points="20 6 9 17 4 12" />
+                      </svg>
+                    </div>
+                    <div>
+                      <p className="text-sm font-semibold text-(--color-neutral800)">
+                        {title}
+                      </p>
+                      <p className="mt-0.5 text-xs leading-relaxed text-(--color-neutral600)">
+                        {body}
+                      </p>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+
+            {/* ── Right: form ── */}
+            <div className="lg:col-span-3">
+              <form
+                onSubmit={handleSubmit}
+                noValidate
+                className="rounded-xl border border-(--color-neutral150) bg-white p-8 shadow-sm"
+              >
+                {errors._form && (
+                  <div
+                    role="alert"
+                    className="mb-6 rounded-md border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700"
+                  >
+                    {errors._form}
+                  </div>
+                )}
+
+                {/* Plugin Name */}
+                <div className="mb-5">
+                  <Label htmlFor="plugin_name" required>
+                    Plugin Name
+                  </Label>
+                  <Input
+                    id="plugin_name"
+                    value={fields.plugin_name}
+                    onChange={(e) => set("plugin_name", e.target.value)}
+                    placeholder="e.g. Strapi Plugin SEO"
+                    className={errors.plugin_name ? "border-red-400" : ""}
+                    autoComplete="off"
+                  />
+                  <FieldError message={errors.plugin_name} />
+                </div>
+
+                {/* Registry URL */}
+                <div className="mb-5">
+                  <Label htmlFor="package_location">Registry URL</Label>
+                  <Input
+                    id="package_location"
+                    value={fields.package_location}
+                    onChange={(e) => set("package_location", e.target.value)}
+                    placeholder="https://www.npmjs.com/package/your-plugin"
+                    autoComplete="off"
+                  />
+                  <Hint>
+                    Full URL to your published package on npm, Packagist, PyPI,
+                    RubyGems, or NuGet. Leave blank if not yet published.
+                  </Hint>
+                </div>
+
+                {/* Repository URL */}
+                <div className="mb-5">
+                  <Label htmlFor="repository_url" required>
+                    Repository URL
+                  </Label>
+                  <Input
+                    id="repository_url"
+                    type="url"
+                    value={fields.repository_url}
+                    onChange={(e) => set("repository_url", e.target.value)}
+                    placeholder="https://github.com/org/repo or https://gitlab.com/org/repo"
+                    className={errors.repository_url ? "border-red-400" : ""}
+                  />
+                  <FieldError message={errors.repository_url} />
+                  <Hint>
+                    GitHub, GitLab, Bitbucket, or any public repository URL.
+                  </Hint>
+                </div>
+
+                {/* Description */}
+                <div className="mb-5">
+                  <Label htmlFor="description" required>
+                    Plugin Description
+                  </Label>
+                  <Textarea
+                    id="description"
+                    value={fields.description}
+                    onChange={(v) => set("description", v)}
+                    placeholder="Tell us about your plugin — what it does and why it's useful."
+                    rows={4}
+                    hasError={!!errors.description}
+                  />
+                  <FieldError message={errors.description} />
+                </div>
+
+                {/* Logo upload */}
+                <div className="mb-5">
+                  <Label htmlFor="logo_file">Plugin Logo / Icon</Label>
+                  <LogoUpload
+                    file={fields.logo_file}
+                    onChange={(f) => set("logo_file", f)}
+                    hasError={!!errors.logo_file}
+                  />
+                  <FieldError message={errors.logo_file as string} />
+                </div>
+
+                {/* Categories */}
+                <div className="mb-5">
+                  <Label htmlFor="category_select">Categories</Label>
+                  {fields.categories_list.length > 0 && (
+                    <div className="mb-2 flex flex-wrap gap-2">
+                      {fields.categories_list.map((c) => (
+                        <CategoryPill
+                          key={c}
+                          label={c}
+                          onRemove={() => removeCategory(c)}
+                        />
+                      ))}
+                    </div>
+                  )}
+                  <select
+                    id="category_select"
+                    className="flex h-10 w-full rounded-md border border-(--color-neutral150) bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none focus:border-(--color-primary200)"
+                    value=""
+                    onChange={(e) => {
+                      addCategory(e.target.value);
+                      e.target.value = "";
+                    }}
+                  >
+                    <option value="">
+                      {categories.length === 0
+                        ? "No categories available"
+                        : availableCategories.length === 0
+                          ? "All categories selected"
+                          : "Select a category to add…"}
+                    </option>
+                    {availableCategories.map((c) => (
+                      <option key={c} value={c}>
+                        {c}
+                      </option>
+                    ))}
+                  </select>
+                </div>
+
+                {/* README */}
+                <div className="mb-5">
+                  <Label htmlFor="readme">README / Documentation</Label>
+                  <Textarea
+                    id="readme"
+                    value={fields.readme}
+                    onChange={(v) => set("readme", v)}
+                    placeholder="Paste your plugin's README or any additional documentation here."
+                    rows={6}
+                  />
+                </div>
+
+                <SectionDivider label="Owner" />
+
+                {/* Owner */}
+                <div className="mb-5 grid grid-cols-1 gap-4 sm:grid-cols-2">
+                  <div>
+                    <Label htmlFor="owner_name" required>
+                      Owner / Author Name
+                    </Label>
+                    <Input
+                      id="owner_name"
+                      value={fields.owner_name}
+                      onChange={(e) => set("owner_name", e.target.value)}
+                      placeholder="Your name or organisation"
+                      className={errors.owner_name ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_name} />
+                  </div>
+                  <div>
+                    <Label htmlFor="owner_email" required>
+                      Contact Email
+                    </Label>
+                    <Input
+                      id="owner_email"
+                      type="email"
+                      value={fields.owner_email}
+                      onChange={(e) => set("owner_email", e.target.value)}
+                      placeholder="you@example.com"
+                      className={errors.owner_email ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_email} />
+                  </div>
+                </div>
+
+                {/* Notes */}
+                <div className="mb-5">
+                  <Label htmlFor="submission_notes">Notes for Reviewers</Label>
+                  <Textarea
+                    id="submission_notes"
+                    value={fields.submission_notes}
+                    onChange={(v) => set("submission_notes", v)}
+                    placeholder="Anything you'd like the review team to know."
+                    rows={3}
+                  />
+                </div>
+
+                <SectionDivider label="Terms" />
+
+                {/* Terms */}
+                <div className="mb-6">
+                  <label
+                    className="flex cursor-pointer items-start gap-3"
+                    htmlFor="agreed"
+                  >
+                    <Checkbox
+                      id="agreed"
+                      checked={fields.agreed}
+                      onCheckedChange={(checked) =>
+                        set("agreed", checked === true)
+                      }
+                      className={errors.agreed ? "border-red-400" : ""}
+                    />
+                    <span className="text-sm leading-relaxed text-(--color-neutral700)">
+                      I confirm this plugin is open-source, MIT-licensed, and
+                      compliant with the{" "}
+                      <Link
+                        href="/community"
+                        className="underline underline-offset-2 hover:text-(--color-primary600)"
+                      >
+                        Community Guidelines
+                      </Link>
+                      .
+                    </span>
+                  </label>
+                  <FieldError message={errors.agreed} />
+                </div>
+
+                <p className="mb-6 text-xs leading-relaxed text-(--color-neutral600)">
+                  By submitting you agree to our review process. We will contact
+                  you if we need additional information. Submissions are
+                  reviewed manually and may take a few business days.
+                </p>
+
+                <Button
+                  type="submit"
+                  variant="primary"
+                  size="lg"
+                  className="w-full"
+                  disabled={submitting}
+                >
+                  {submitting ? "Submitting…" : "Submit Plugin"}
+                </Button>
+
+                <p className="mt-4 text-center text-xs text-(--color-neutral600)">
+                  Protected by reCAPTCHA —{" "}
+                  <a
+                    href="https://policies.google.com/privacy"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Privacy
+                  </a>{" "}
+                  &amp;{" "}
+                  <a
+                    href="https://policies.google.com/terms"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Terms
+                  </a>
+                </p>
+              </form>
+            </div>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}
diff --git a/apps/web/src/app/submit/plugin/page.tsx b/apps/web/src/app/submit/plugin/page.tsx
index 96c17d8..8905e67 100644
--- a/apps/web/src/app/submit/plugin/page.tsx
+++ b/apps/web/src/app/submit/plugin/page.tsx
@@ -1,844 +1,23 @@
-"use client";
-
-// TODO: Set NEXT_PUBLIC_RECAPTCHA_SITE_KEY in .env (v3 site key from https://www.google.com/recaptcha/admin)
-
-import Image from "next/image";
-import Link from "next/link";
-import Script from "next/script";
-import { useEffect, useRef, useState } from "react";
-import { Container } from "@/components/layout/container";
-import { Navigation } from "@/components/layout/navigation";
-import { Button } from "@/components/ui/button";
-import { Checkbox } from "@/components/ui/checkbox";
-import { Input } from "@/components/ui/input";
-import { cn } from "@/lib/utils";
-
-declare global {
-  interface Window {
-    // reCAPTCHA Enterprise exposes grecaptcha.enterprise, not grecaptcha directly
-    grecaptcha: {
-      enterprise: {
-        ready: (cb: () => void) => void;
-        execute: (
-          siteKey: string,
-          options: { action: string },
-        ) => Promise<string>;
-      };
-    };
+import { cmsClient } from "@/features/cms/lib/strapi";
+import { SubmitPluginForm } from "./SubmitPluginForm";
+
+async function fetchCategories(): Promise<string[]> {
+  try {
+    const res = await cmsClient
+      .collection("api::package-category.package-category")
+      .find({
+        pagination: { pageSize: 100 },
+        sort: ["name:asc"],
+        fields: ["name"],
+      } as object);
+    const data = (res as { data: Array<{ name?: string }> }).data ?? [];
+    return data.map((c) => c.name).filter((n): n is string => Boolean(n));
+  } catch {
+    return [];
   }
 }
 
-const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "";
-
-// ---------------------------------------------------------------------------
-// Small UI helpers
-// ---------------------------------------------------------------------------
-
-function Label({
-  htmlFor,
-  children,
-  required,
-}: {
-  htmlFor: string;
-  children: React.ReactNode;
-  required?: boolean;
-}) {
-  return (
-    <label
-      htmlFor={htmlFor}
-      className="mb-1.5 block text-sm font-medium text-(--color-neutral800)"
-    >
-      {children}
-      {required && (
-        <span className="ml-0.5 text-(--color-primary600)" aria-hidden>
-          *
-        </span>
-      )}
-    </label>
-  );
-}
-
-function FieldError({ message }: { message?: string }) {
-  if (!message) return null;
-  return (
-    <p role="alert" className="mt-1 text-xs text-red-600">
-      {message}
-    </p>
-  );
-}
-
-function Hint({ children }: { children: React.ReactNode }) {
-  return <p className="mt-1 text-xs text-(--color-neutral600)">{children}</p>;
-}
-
-function Textarea({
-  id,
-  value,
-  onChange,
-  placeholder,
-  rows = 5,
-  hasError,
-}: {
-  id?: string;
-  value: string;
-  onChange: (v: string) => void;
-  placeholder?: string;
-  rows?: number;
-  hasError?: boolean;
-}) {
-  return (
-    <textarea
-      id={id}
-      value={value}
-      onChange={(e) => onChange(e.target.value)}
-      placeholder={placeholder}
-      rows={rows}
-      className={cn(
-        "flex w-full resize-y rounded-md border bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none placeholder:text-(--color-neutral600) focus-visible:border-(--color-primary200)",
-        hasError ? "border-red-400" : "border-(--color-neutral150)",
-      )}
-    />
-  );
-}
-
-function SectionDivider({ label }: { label: string }) {
-  return (
-    <div className="relative my-6">
-      <div className="absolute inset-0 flex items-center">
-        <div className="w-full border-t border-(--color-neutral150)" />
-      </div>
-      <div className="relative flex justify-start">
-        <span className="bg-white pr-3 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600)">
-          {label}
-        </span>
-      </div>
-    </div>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Logo upload field
-// ---------------------------------------------------------------------------
-
-function LogoUpload({
-  file,
-  onChange,
-  hasError,
-}: {
-  file: File | null;
-  onChange: (f: File | null) => void;
-  hasError?: boolean;
-}) {
-  const inputRef = useRef<HTMLInputElement>(null);
-  const [dragOver, setDragOver] = useState(false);
-  const preview = file ? URL.createObjectURL(file) : null;
-
-  const handleFiles = (files: FileList | null) => {
-    const f = files?.[0] ?? null;
-    onChange(f);
-  };
-
-  return (
-    <div>
-      <input
-        ref={inputRef}
-        id="logo_file"
-        type="file"
-        accept="image/png,image/jpeg,image/svg+xml,image/webp"
-        className="sr-only"
-        onChange={(e) => handleFiles(e.target.files)}
-      />
-
-      {/* Drop zone */}
-      <button
-        type="button"
-        onClick={() => inputRef.current?.click()}
-        onDragOver={(e) => {
-          e.preventDefault();
-          setDragOver(true);
-        }}
-        onDragLeave={() => setDragOver(false)}
-        onDrop={(e) => {
-          e.preventDefault();
-          setDragOver(false);
-          handleFiles(e.dataTransfer.files);
-        }}
-        className={cn(
-          "flex w-full flex-col items-center justify-center gap-2 rounded-md border-2 border-dashed px-4 py-8 text-sm transition-colors",
-          dragOver
-            ? "border-(--color-primary600) bg-(--color-primary100)"
-            : hasError
-              ? "border-red-400 bg-red-50"
-              : "border-(--color-neutral150) bg-(--color-neutral100) hover:border-(--color-primary200) hover:bg-(--color-primary100)",
-        )}
-      >
-        {preview ? (
-          <div className="flex flex-col items-center gap-3">
-            <Image
-              src={preview}
-              alt="Logo preview"
-              width={64}
-              height={64}
-              className="h-16 w-16 rounded-lg object-contain"
-              unoptimized
-            />
-            <span className="text-xs text-(--color-neutral600)">
-              {file?.name}{" "}
-              <span className="text-(--color-primary600) underline">
-                Change
-              </span>
-            </span>
-          </div>
-        ) : (
-          <>
-            {/* Upload icon */}
-            <svg
-              viewBox="0 0 24 24"
-              fill="none"
-              stroke="currentColor"
-              strokeWidth="1.5"
-              className="h-8 w-8 text-(--color-neutral400)"
-            >
-              <title>Upload a File</title>
-              <path
-                d="M12 16V8m0 0-3 3m3-3 3 3"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-              />
-              <path
-                d="M20.39 18.39A5 5 0 0 0 18 9h-1.26A8 8 0 1 0 3 16.3"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-              />
-            </svg>
-            <span className="font-medium text-(--color-neutral700)">
-              Upload a File
-            </span>
-            <span className="text-xs text-(--color-neutral500)">
-              Drag and drop or click to browse — PNG, JPEG, SVG, WebP · max 2 MB
-            </span>
-          </>
-        )}
-      </button>
-
-      {/* Clear button */}
-      {file && (
-        <button
-          type="button"
-          onClick={() => {
-            onChange(null);
-            if (inputRef.current) inputRef.current.value = "";
-          }}
-          className="mt-1 text-xs text-(--color-neutral600) hover:text-red-600"
-        >
-          Remove logo
-        </button>
-      )}
-    </div>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Category pills
-// ---------------------------------------------------------------------------
-
-function CategoryPill({
-  label,
-  onRemove,
-}: {
-  label: string;
-  onRemove: () => void;
-}) {
-  return (
-    <span className="inline-flex items-center gap-1 rounded-full bg-(--color-primary100) px-3 py-1 text-xs font-medium text-(--color-primary700)">
-      {label}
-      <button
-        type="button"
-        onClick={onRemove}
-        className="ml-1 rounded-full p-0.5 hover:bg-(--color-primary200)"
-        aria-label={`Remove ${label}`}
-      >
-        ×
-      </button>
-    </span>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Form state
-// ---------------------------------------------------------------------------
-
-interface FormFields {
-  plugin_name: string;
-  package_location: string;
-  repository_url: string;
-  description: string;
-  logo_file: File | null;
-  categories_list: string[];
-  readme: string;
-  submission_notes: string;
-  owner_name: string;
-  owner_email: string;
-  agreed: boolean;
-}
-
-const INITIAL: FormFields = {
-  plugin_name: "",
-  package_location: "",
-  repository_url: "",
-  description: "",
-  logo_file: null,
-  categories_list: [],
-  readme: "",
-  submission_notes: "",
-  owner_name: "",
-  owner_email: "",
-  agreed: false,
-};
-
-type FieldErrors = Partial<Record<keyof FormFields | "_form", string>>;
-
-function validate(f: FormFields): FieldErrors {
-  const e: FieldErrors = {};
-  if (!f.plugin_name.trim()) e.plugin_name = "Plugin name is required.";
-  if (!f.description.trim()) e.description = "Description is required.";
-  if (!f.repository_url.trim()) {
-    e.repository_url = "Repository URL is required.";
-  } else if (!/^https?:\/\//i.test(f.repository_url.trim())) {
-    e.repository_url = "Must be a valid https:// URL.";
-  }
-  if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
-  if (!f.owner_email.trim()) {
-    e.owner_email = "Contact email is required.";
-  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(f.owner_email.trim())) {
-    e.owner_email = "Must be a valid email address.";
-  }
-  if (!f.agreed) e.agreed = "You must agree to the terms to continue.";
-  return e;
-}
-
-// ---------------------------------------------------------------------------
-// Success screen
-// ---------------------------------------------------------------------------
-
-function SuccessScreen() {
-  return (
-    <>
-      <Navigation theme="light" />
-      <main>
-        <Container>
-          <div className="flex min-h-[60vh] flex-col items-center justify-center py-24 text-center">
-            <div className="mb-6 flex h-16 w-16 items-center justify-center rounded-full bg-(--color-primary100)">
-              <svg
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                className="h-8 w-8 text-(--color-primary600)"
-              >
-                <title>Submission received</title>
-                <polyline points="20 6 9 17 4 12" />
-              </svg>
-            </div>
-            <h1 className="mb-3 text-2xl font-bold text-(--color-primary800)">
-              Submission received!
-            </h1>
-            <p className="mb-8 max-w-md text-sm leading-relaxed text-(--color-neutral600)">
-              Thank you for submitting your plugin. Our team will review it and
-              reach out at the email address you provided.
-            </p>
-            <Button href="/" variant="secondary">
-              Back to Marketplace
-            </Button>
-          </div>
-        </Container>
-      </main>
-    </>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Page
-// ---------------------------------------------------------------------------
-
-export default function SubmitPluginPage() {
-  const [fields, setFields] = useState<FormFields>(INITIAL);
-  const [errors, setErrors] = useState<FieldErrors>({});
-  const [submitting, setSubmitting] = useState(false);
-  const [success, setSuccess] = useState(false);
-  const [categories, setCategories] = useState<string[]>([]);
-
-  // Fetch categories from server-side proxy (avoids CORS + keeps token out of browser)
-  useEffect(() => {
-    fetch("/api/categories")
-      .then((r) => (r.ok ? r.json() : null))
-      .then((json) => {
-        const names: string[] = (json?.data ?? [])
-          .map((c: { name?: string }) => c.name)
-          .filter(Boolean) as string[];
-        setCategories(names);
-      })
-      .catch(() => {});
-  }, []);
-
-  const set = <K extends keyof FormFields>(key: K, value: FormFields[K]) => {
-    setFields((f) => ({ ...f, [key]: value }));
-    setErrors((e) => ({ ...e, [key]: undefined }));
-  };
-
-  const addCategory = (cat: string) => {
-    if (cat && !fields.categories_list.includes(cat)) {
-      set("categories_list", [...fields.categories_list, cat]);
-    }
-  };
-
-  const removeCategory = (cat: string) => {
-    set(
-      "categories_list",
-      fields.categories_list.filter((c) => c !== cat),
-    );
-  };
-
-  const handleSubmit = async (e: React.FormEvent) => {
-    e.preventDefault();
-
-    const errs = validate(fields);
-    if (Object.keys(errs).length > 0) {
-      setErrors(errs);
-      const firstKey = Object.keys(errs)[0];
-      document.getElementById(firstKey as string)?.focus();
-      return;
-    }
-
-    setSubmitting(true);
-    setErrors({});
-
-    try {
-      let recaptchaToken = "";
-      if (
-        RECAPTCHA_SITE_KEY &&
-        typeof window !== "undefined" &&
-        window.grecaptcha?.enterprise
-      ) {
-        await new Promise<void>((resolve) =>
-          window.grecaptcha.enterprise.ready(resolve),
-        );
-        recaptchaToken = await window.grecaptcha.enterprise.execute(
-          RECAPTCHA_SITE_KEY,
-          {
-            action: "submit_plugin",
-          },
-        );
-      }
-
-      const form = new FormData();
-      form.append("plugin_name", fields.plugin_name.trim());
-      form.append("package_location", fields.package_location.trim());
-      form.append("repository_url", fields.repository_url.trim());
-      form.append("description", fields.description.trim());
-      form.append("readme", fields.readme.trim());
-      form.append("submission_notes", fields.submission_notes.trim());
-      form.append("owner_name", fields.owner_name.trim());
-      form.append("owner_email", fields.owner_email.trim());
-      form.append("categories_list", JSON.stringify(fields.categories_list));
-      form.append("submitter_agreed_to_terms", "true");
-      form.append("recaptcha_token", recaptchaToken);
-      if (fields.logo_file) {
-        form.append("logo_file", fields.logo_file, fields.logo_file.name);
-      }
-
-      const res = await fetch("/api/submit-plugin", {
-        method: "POST",
-        body: form,
-      });
-      const data = (await res.json()) as {
-        success?: boolean;
-        error?: string;
-        errors?: string[];
-      };
-
-      if (!res.ok) {
-        setErrors({
-          _form:
-            (Array.isArray(data.errors) ? data.errors.join(" ") : data.error) ||
-            "Something went wrong. Please try again.",
-        });
-        return;
-      }
-
-      setSuccess(true);
-    } catch {
-      setErrors({
-        _form:
-          "Could not submit your plugin. Please check your connection and try again.",
-      });
-    } finally {
-      setSubmitting(false);
-    }
-  };
-
-  if (success) return <SuccessScreen />;
-
-  const availableCategories = categories.filter(
-    (c) => !fields.categories_list.includes(c),
-  );
-
-  return (
-    <>
-      {RECAPTCHA_SITE_KEY && (
-        <Script
-          src={`https://www.google.com/recaptcha/enterprise.js?render=${RECAPTCHA_SITE_KEY}`}
-          strategy="lazyOnload"
-        />
-      )}
-
-      <Navigation theme="light" />
-
-      <main className="pb-24">
-        <Container>
-          {/* Back link */}
-          <div className="py-6">
-            <Link
-              href="/"
-              className="inline-flex items-center gap-2 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600) transition-colors hover:text-(--color-primary600)"
-            >
-              <svg
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                className="h-4 w-4"
-              >
-                <title>Back to submissions</title>
-                <polyline points="15 18 9 12 15 6" />
-              </svg>
-              Submit other content
-            </Link>
-          </div>
-
-          <div className="grid grid-cols-1 gap-12 lg:grid-cols-5">
-            {/* ── Left: intro ── */}
-            <div className="lg:col-span-2 lg:pt-2">
-              <p className="mb-2 text-sm text-(--color-neutral600)">
-                Submit your content
-              </p>
-              <h1 className="mb-4 text-4xl font-bold leading-tight text-(--color-primary800)">
-                Submit a Plugin
-              </h1>
-              <p className="text-sm leading-7 text-(--color-neutral700)">
-                Share your Strapi plugin with the community. All submissions go
-                through a business and security review before being listed in
-                the marketplace. We&rsquo;ll reach out if we need more
-                information.{" "}
-                <Link
-                  href="/community"
-                  className="underline underline-offset-2 hover:text-(--color-primary600)"
-                >
-                  Community Guidelines
-                </Link>
-              </p>
-
-              <div className="mt-8 space-y-3">
-                {[
-                  {
-                    title: "Business review",
-                    body: "We check your repo is public, MIT-licensed, has a README, and lists Strapi as a peer dependency.",
-                  },
-                  {
-                    title: "Security review",
-                    body: "We scan dependencies for known vulnerabilities and flag security concerns before listing.",
-                  },
-                ].map(({ title, body }) => (
-                  <div
-                    key={title}
-                    className="flex gap-3 rounded-lg border border-(--color-neutral150) bg-(--color-neutral100) px-4 py-3"
-                  >
-                    <div className="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-(--color-primary600) text-white">
-                      <svg
-                        viewBox="0 0 24 24"
-                        fill="none"
-                        stroke="currentColor"
-                        strokeWidth="2.5"
-                        className="h-3 w-3"
-                      >
-                        <title>Business review</title>
-                        <polyline points="20 6 9 17 4 12" />
-                      </svg>
-                    </div>
-                    <div>
-                      <p className="text-sm font-semibold text-(--color-neutral800)">
-                        {title}
-                      </p>
-                      <p className="mt-0.5 text-xs leading-relaxed text-(--color-neutral600)">
-                        {body}
-                      </p>
-                    </div>
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            {/* ── Right: form ── */}
-            <div className="lg:col-span-3">
-              <form
-                onSubmit={handleSubmit}
-                noValidate
-                className="rounded-xl border border-(--color-neutral150) bg-white p-8 shadow-sm"
-              >
-                {errors._form && (
-                  <div
-                    role="alert"
-                    className="mb-6 rounded-md border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700"
-                  >
-                    {errors._form}
-                  </div>
-                )}
-
-                {/* Plugin Name */}
-                <div className="mb-5">
-                  <Label htmlFor="plugin_name" required>
-                    Plugin Name
-                  </Label>
-                  <Input
-                    id="plugin_name"
-                    value={fields.plugin_name}
-                    onChange={(e) => set("plugin_name", e.target.value)}
-                    placeholder="e.g. Strapi Plugin SEO"
-                    className={errors.plugin_name ? "border-red-400" : ""}
-                    autoComplete="off"
-                  />
-                  <FieldError message={errors.plugin_name} />
-                </div>
-
-                {/* Registry URL */}
-                <div className="mb-5">
-                  <Label htmlFor="package_location">Registry URL</Label>
-                  <Input
-                    id="package_location"
-                    value={fields.package_location}
-                    onChange={(e) => set("package_location", e.target.value)}
-                    placeholder="https://www.npmjs.com/package/your-plugin"
-                    autoComplete="off"
-                  />
-                  <Hint>
-                    Full URL to your published package on npm, Packagist, PyPI,
-                    RubyGems, or NuGet. Leave blank if not yet published.
-                  </Hint>
-                </div>
-
-                {/* Repository URL */}
-                <div className="mb-5">
-                  <Label htmlFor="repository_url" required>
-                    Repository URL
-                  </Label>
-                  <Input
-                    id="repository_url"
-                    type="url"
-                    value={fields.repository_url}
-                    onChange={(e) => set("repository_url", e.target.value)}
-                    placeholder="https://github.com/org/repo or https://gitlab.com/org/repo"
-                    className={errors.repository_url ? "border-red-400" : ""}
-                  />
-                  <FieldError message={errors.repository_url} />
-                  <Hint>
-                    GitHub, GitLab, Bitbucket, or any public repository URL.
-                  </Hint>
-                </div>
-
-                {/* Description */}
-                <div className="mb-5">
-                  <Label htmlFor="description" required>
-                    Plugin Description
-                  </Label>
-                  <Textarea
-                    id="description"
-                    value={fields.description}
-                    onChange={(v) => set("description", v)}
-                    placeholder="Tell us about your plugin — what it does and why it's useful."
-                    rows={4}
-                    hasError={!!errors.description}
-                  />
-                  <FieldError message={errors.description} />
-                </div>
-
-                {/* Logo upload */}
-                <div className="mb-5">
-                  <Label htmlFor="logo_file">Plugin Logo / Icon</Label>
-                  <LogoUpload
-                    file={fields.logo_file}
-                    onChange={(f) => set("logo_file", f)}
-                    hasError={!!errors.logo_file}
-                  />
-                  <FieldError message={errors.logo_file as string} />
-                </div>
-
-                {/* Categories */}
-                <div className="mb-5">
-                  <Label htmlFor="category_select">Categories</Label>
-                  {fields.categories_list.length > 0 && (
-                    <div className="mb-2 flex flex-wrap gap-2">
-                      {fields.categories_list.map((c) => (
-                        <CategoryPill
-                          key={c}
-                          label={c}
-                          onRemove={() => removeCategory(c)}
-                        />
-                      ))}
-                    </div>
-                  )}
-                  <select
-                    id="category_select"
-                    className="flex h-10 w-full rounded-md border border-(--color-neutral150) bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none focus:border-(--color-primary200)"
-                    value=""
-                    onChange={(e) => {
-                      addCategory(e.target.value);
-                      e.target.value = "";
-                    }}
-                  >
-                    <option value="">
-                      {categories.length === 0
-                        ? "Loading categories…"
-                        : availableCategories.length === 0
-                          ? "All categories selected"
-                          : "Select a category to add…"}
-                    </option>
-                    {availableCategories.map((c) => (
-                      <option key={c} value={c}>
-                        {c}
-                      </option>
-                    ))}
-                  </select>
-                </div>
-
-                {/* README */}
-                <div className="mb-5">
-                  <Label htmlFor="readme">README / Documentation</Label>
-                  <Textarea
-                    id="readme"
-                    value={fields.readme}
-                    onChange={(v) => set("readme", v)}
-                    placeholder="Paste your plugin's README or any additional documentation here."
-                    rows={6}
-                  />
-                </div>
-
-                <SectionDivider label="Owner" />
-
-                {/* Owner */}
-                <div className="mb-5 grid grid-cols-1 gap-4 sm:grid-cols-2">
-                  <div>
-                    <Label htmlFor="owner_name" required>
-                      Owner / Author Name
-                    </Label>
-                    <Input
-                      id="owner_name"
-                      value={fields.owner_name}
-                      onChange={(e) => set("owner_name", e.target.value)}
-                      placeholder="Your name or organisation"
-                      className={errors.owner_name ? "border-red-400" : ""}
-                    />
-                    <FieldError message={errors.owner_name} />
-                  </div>
-                  <div>
-                    <Label htmlFor="owner_email" required>
-                      Contact Email
-                    </Label>
-                    <Input
-                      id="owner_email"
-                      type="email"
-                      value={fields.owner_email}
-                      onChange={(e) => set("owner_email", e.target.value)}
-                      placeholder="you@example.com"
-                      className={errors.owner_email ? "border-red-400" : ""}
-                    />
-                    <FieldError message={errors.owner_email} />
-                  </div>
-                </div>
-
-                {/* Notes */}
-                <div className="mb-5">
-                  <Label htmlFor="submission_notes">Notes for Reviewers</Label>
-                  <Textarea
-                    id="submission_notes"
-                    value={fields.submission_notes}
-                    onChange={(v) => set("submission_notes", v)}
-                    placeholder="Anything you'd like the review team to know."
-                    rows={3}
-                  />
-                </div>
-
-                <SectionDivider label="Terms" />
-
-                {/* Terms */}
-                <div className="mb-6">
-                  <label
-                    className="flex cursor-pointer items-start gap-3"
-                    htmlFor="agreed"
-                  >
-                    <Checkbox
-                      id="agreed"
-                      checked={fields.agreed}
-                      onCheckedChange={(checked) =>
-                        set("agreed", checked === true)
-                      }
-                      className={errors.agreed ? "border-red-400" : ""}
-                    />
-                    <span className="text-sm leading-relaxed text-(--color-neutral700)">
-                      I confirm this plugin is open-source, MIT-licensed, and
-                      compliant with the{" "}
-                      <Link
-                        href="/community"
-                        className="underline underline-offset-2 hover:text-(--color-primary600)"
-                      >
-                        Community Guidelines
-                      </Link>
-                      .
-                    </span>
-                  </label>
-                  <FieldError message={errors.agreed} />
-                </div>
-
-                <p className="mb-6 text-xs leading-relaxed text-(--color-neutral600)">
-                  By submitting you agree to our review process. We will contact
-                  you if we need additional information. Submissions are
-                  reviewed manually and may take a few business days.
-                </p>
-
-                <Button
-                  type="submit"
-                  variant="primary"
-                  size="large"
-                  className="w-full"
-                  disabled={submitting}
-                >
-                  {submitting ? "Submitting…" : "Submit Plugin"}
-                </Button>
-
-                <p className="mt-4 text-center text-xs text-(--color-neutral600)">
-                  Protected by reCAPTCHA —{" "}
-                  <a
-                    href="https://policies.google.com/privacy"
-                    target="_blank"
-                    rel="noreferrer"
-                    className="underline"
-                  >
-                    Privacy
-                  </a>{" "}
-                  &amp;{" "}
-                  <a
-                    href="https://policies.google.com/terms"
-                    target="_blank"
-                    rel="noreferrer"
-                    className="underline"
-                  >
-                    Terms
-                  </a>
-                </p>
-              </form>
-            </div>
-          </div>
-        </Container>
-      </main>
-    </>
-  );
+export default async function SubmitPluginPage() {
+  const categories = await fetchCategories();
+  return <SubmitPluginForm initialCategories={categories} />;
 }
diff --git a/apps/web/src/app/submit/template/SubmitTemplateForm.tsx b/apps/web/src/app/submit/template/SubmitTemplateForm.tsx
new file mode 100644
index 0000000..297be35
--- /dev/null
+++ b/apps/web/src/app/submit/template/SubmitTemplateForm.tsx
@@ -0,0 +1,812 @@
+"use client";
+
+import { Button, Container } from "@repo/strapi-ui";
+import Image from "next/image";
+import Link from "next/link";
+import Script from "next/script";
+import { useRef, useState } from "react";
+import { Navigation } from "@/components/layout/navigation";
+import { Checkbox } from "@/components/ui/checkbox";
+import { Input } from "@/components/ui/input";
+import { cn } from "@/lib/utils";
+
+declare global {
+  interface Window {
+    grecaptcha: {
+      enterprise: {
+        ready: (cb: () => void) => void;
+        execute: (
+          siteKey: string,
+          options: { action: string },
+        ) => Promise<string>;
+      };
+    };
+  }
+}
+
+const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "";
+
+// ---------------------------------------------------------------------------
+// Small UI helpers
+// ---------------------------------------------------------------------------
+
+function Label({
+  htmlFor,
+  children,
+  required,
+}: {
+  htmlFor: string;
+  children: React.ReactNode;
+  required?: boolean;
+}) {
+  return (
+    <label
+      htmlFor={htmlFor}
+      className="mb-1.5 block text-sm font-medium text-(--color-neutral800)"
+    >
+      {children}
+      {required && (
+        <span className="ml-0.5 text-(--color-primary600)" aria-hidden>
+          *
+        </span>
+      )}
+    </label>
+  );
+}
+
+function FieldError({ message }: { message?: string }) {
+  if (!message) return null;
+  return (
+    <p role="alert" className="mt-1 text-xs text-red-600">
+      {message}
+    </p>
+  );
+}
+
+function Hint({ children }: { children: React.ReactNode }) {
+  return <p className="mt-1 text-xs text-(--color-neutral600)">{children}</p>;
+}
+
+function Textarea({
+  id,
+  value,
+  onChange,
+  placeholder,
+  rows = 5,
+  hasError,
+}: {
+  id?: string;
+  value: string;
+  onChange: (v: string) => void;
+  placeholder?: string;
+  rows?: number;
+  hasError?: boolean;
+}) {
+  return (
+    <textarea
+      id={id}
+      value={value}
+      onChange={(e) => onChange(e.target.value)}
+      placeholder={placeholder}
+      rows={rows}
+      className={cn(
+        "flex w-full resize-y rounded-md border bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none placeholder:text-(--color-neutral600) focus-visible:border-(--color-primary200)",
+        hasError ? "border-red-400" : "border-(--color-neutral150)",
+      )}
+    />
+  );
+}
+
+function SectionDivider({ label }: { label: string }) {
+  return (
+    <div className="relative my-6">
+      <div className="absolute inset-0 flex items-center">
+        <div className="w-full border-t border-(--color-neutral150)" />
+      </div>
+      <div className="relative flex justify-start">
+        <span className="bg-white pr-3 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600)">
+          {label}
+        </span>
+      </div>
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Logo upload field
+// ---------------------------------------------------------------------------
+
+function LogoUpload({
+  file,
+  onChange,
+  hasError,
+}: {
+  file: File | null;
+  onChange: (f: File | null) => void;
+  hasError?: boolean;
+}) {
+  const inputRef = useRef<HTMLInputElement>(null);
+  const [dragOver, setDragOver] = useState(false);
+  const preview = file ? URL.createObjectURL(file) : null;
+
+  const handleFiles = (files: FileList | null) => {
+    const f = files?.[0] ?? null;
+    onChange(f);
+  };
+
+  return (
+    <div>
+      <input
+        ref={inputRef}
+        id="logo_file"
+        type="file"
+        accept="image/png,image/jpeg,image/svg+xml,image/webp"
+        className="sr-only"
+        onChange={(e) => handleFiles(e.target.files)}
+      />
+
+      <button
+        type="button"
+        onClick={() => inputRef.current?.click()}
+        onDragOver={(e) => {
+          e.preventDefault();
+          setDragOver(true);
+        }}
+        onDragLeave={() => setDragOver(false)}
+        onDrop={(e) => {
+          e.preventDefault();
+          setDragOver(false);
+          handleFiles(e.dataTransfer.files);
+        }}
+        className={cn(
+          "flex w-full flex-col items-center justify-center gap-2 rounded-md border-2 border-dashed px-4 py-8 text-sm transition-colors",
+          dragOver
+            ? "border-(--color-primary600) bg-(--color-primary100)"
+            : hasError
+              ? "border-red-400 bg-red-50"
+              : "border-(--color-neutral150) bg-(--color-neutral100) hover:border-(--color-primary200) hover:bg-(--color-primary100)",
+        )}
+      >
+        {preview ? (
+          <div className="flex flex-col items-center gap-3">
+            <Image
+              src={preview}
+              alt="Logo preview"
+              width={64}
+              height={64}
+              className="h-16 w-16 rounded-lg object-contain"
+              unoptimized
+            />
+            <span className="text-xs text-(--color-neutral600)">
+              {file?.name}{" "}
+              <span className="text-(--color-primary600) underline">
+                Change
+              </span>
+            </span>
+          </div>
+        ) : (
+          <>
+            <svg
+              viewBox="0 0 24 24"
+              fill="none"
+              stroke="currentColor"
+              strokeWidth="1.5"
+              className="h-8 w-8 text-(--color-neutral400)"
+              aria-hidden="true"
+            >
+              <path
+                d="M12 16V8m0 0-3 3m3-3 3 3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+              <path
+                d="M20.39 18.39A5 5 0 0 0 18 9h-1.26A8 8 0 1 0 3 16.3"
+                strokeLinecap="round"
+                strokeLinejoin="round"
+              />
+            </svg>
+            <span className="font-medium text-(--color-neutral700)">
+              Upload a File
+            </span>
+            <span className="text-xs text-(--color-neutral500)">
+              Drag and drop or click to browse — PNG, JPEG, SVG, WebP · max 2 MB
+            </span>
+          </>
+        )}
+      </button>
+
+      {file && (
+        <button
+          type="button"
+          onClick={() => {
+            onChange(null);
+            if (inputRef.current) inputRef.current.value = "";
+          }}
+          className="mt-1 text-xs text-(--color-neutral600) hover:text-red-600"
+        >
+          Remove logo
+        </button>
+      )}
+    </div>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Category pills
+// ---------------------------------------------------------------------------
+
+function CategoryPill({
+  label,
+  onRemove,
+}: {
+  label: string;
+  onRemove: () => void;
+}) {
+  return (
+    <span className="inline-flex items-center gap-1 rounded-full bg-(--color-primary100) px-3 py-1 text-xs font-medium text-(--color-primary700)">
+      {label}
+      <button
+        type="button"
+        onClick={onRemove}
+        className="ml-1 rounded-full p-0.5 hover:bg-(--color-primary200)"
+        aria-label={`Remove ${label}`}
+      >
+        ×
+      </button>
+    </span>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Form state
+// ---------------------------------------------------------------------------
+
+interface FormFields {
+  template_name: string;
+  repository_url: string;
+  demo_url: string;
+  description: string;
+  logo_file: File | null;
+  categories_list: string[];
+  submission_notes: string;
+  owner_name: string;
+  owner_email: string;
+  agreed: boolean;
+}
+
+const INITIAL: FormFields = {
+  template_name: "",
+  repository_url: "",
+  demo_url: "",
+  description: "",
+  logo_file: null,
+  categories_list: [],
+  submission_notes: "",
+  owner_name: "",
+  owner_email: "",
+  agreed: false,
+};
+
+type FieldErrors = Partial<Record<keyof FormFields | "_form", string>>;
+
+function validate(f: FormFields): FieldErrors {
+  const e: FieldErrors = {};
+  if (!f.template_name.trim()) e.template_name = "Template name is required.";
+  if (!f.description.trim()) e.description = "Description is required.";
+  if (!f.repository_url.trim()) {
+    e.repository_url = "Repository URL is required.";
+  } else if (!/^https?:\/\//i.test(f.repository_url.trim())) {
+    e.repository_url = "Must be a valid https:// URL.";
+  }
+  if (f.demo_url.trim() && !/^https?:\/\//i.test(f.demo_url.trim())) {
+    e.demo_url = "Must be a valid https:// URL.";
+  }
+  if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
+  if (!f.owner_email.trim()) {
+    e.owner_email = "Contact email is required.";
+  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(f.owner_email.trim())) {
+    e.owner_email = "Must be a valid email address.";
+  }
+  if (!f.agreed) e.agreed = "You must agree to the terms to continue.";
+  return e;
+}
+
+// ---------------------------------------------------------------------------
+// Success screen
+// ---------------------------------------------------------------------------
+
+function SuccessScreen() {
+  return (
+    <>
+      <Navigation theme="light" />
+      <main>
+        <Container>
+          <div className="flex min-h-[60vh] flex-col items-center justify-center py-24 text-center">
+            <div className="mb-6 flex h-16 w-16 items-center justify-center rounded-full bg-(--color-primary100)">
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-8 w-8 text-(--color-primary600)"
+                aria-hidden="true"
+              >
+                <polyline points="20 6 9 17 4 12" />
+              </svg>
+            </div>
+            <h1 className="mb-3 text-2xl font-bold text-(--color-primary800)">
+              Submission received!
+            </h1>
+            <p className="mb-8 max-w-md text-sm leading-relaxed text-(--color-neutral600)">
+              Thank you for submitting your template. Our team will review it
+              and reach out at the email address you provided.
+            </p>
+            <Button href="/" variant="secondary">
+              Back to Marketplace
+            </Button>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Form
+// ---------------------------------------------------------------------------
+
+export function SubmitTemplateForm({
+  initialCategories,
+}: {
+  initialCategories: string[];
+}) {
+  const [fields, setFields] = useState<FormFields>(INITIAL);
+  const [errors, setErrors] = useState<FieldErrors>({});
+  const [submitting, setSubmitting] = useState(false);
+  const [success, setSuccess] = useState(false);
+  const [categories] = useState<string[]>(initialCategories);
+
+  const set = <K extends keyof FormFields>(key: K, value: FormFields[K]) => {
+    setFields((f) => ({ ...f, [key]: value }));
+    setErrors((e) => ({ ...e, [key]: undefined }));
+  };
+
+  const addCategory = (cat: string) => {
+    if (cat && !fields.categories_list.includes(cat)) {
+      set("categories_list", [...fields.categories_list, cat]);
+    }
+  };
+
+  const removeCategory = (cat: string) => {
+    set(
+      "categories_list",
+      fields.categories_list.filter((c) => c !== cat),
+    );
+  };
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+
+    const errs = validate(fields);
+    if (Object.keys(errs).length > 0) {
+      setErrors(errs);
+      const firstKey = Object.keys(errs)[0];
+      document.getElementById(firstKey as string)?.focus();
+      return;
+    }
+
+    setSubmitting(true);
+    setErrors({});
+
+    try {
+      let recaptchaToken = "";
+      if (
+        RECAPTCHA_SITE_KEY &&
+        typeof window !== "undefined" &&
+        window.grecaptcha?.enterprise
+      ) {
+        await new Promise<void>((resolve) =>
+          window.grecaptcha.enterprise.ready(resolve),
+        );
+        recaptchaToken = await window.grecaptcha.enterprise.execute(
+          RECAPTCHA_SITE_KEY,
+          { action: "submit_template" },
+        );
+      }
+
+      const form = new FormData();
+      form.append("template_name", fields.template_name.trim());
+      form.append("repository_url", fields.repository_url.trim());
+      form.append("demo_url", fields.demo_url.trim());
+      form.append("description", fields.description.trim());
+      form.append("submission_notes", fields.submission_notes.trim());
+      form.append("owner_name", fields.owner_name.trim());
+      form.append("owner_email", fields.owner_email.trim());
+      form.append("categories_list", JSON.stringify(fields.categories_list));
+      form.append("submitter_agreed_to_terms", "true");
+      form.append("recaptcha_token", recaptchaToken);
+      if (fields.logo_file) {
+        form.append("logo_file", fields.logo_file, fields.logo_file.name);
+      }
+
+      const res = await fetch("/api/submit-template", {
+        method: "POST",
+        body: form,
+      });
+      const data = (await res.json()) as {
+        success?: boolean;
+        error?: string;
+        errors?: string[];
+      };
+
+      if (!res.ok) {
+        setErrors({
+          _form:
+            (Array.isArray(data.errors) ? data.errors.join(" ") : data.error) ||
+            "Something went wrong. Please try again.",
+        });
+        return;
+      }
+
+      setSuccess(true);
+    } catch {
+      setErrors({
+        _form:
+          "Could not submit your template. Please check your connection and try again.",
+      });
+    } finally {
+      setSubmitting(false);
+    }
+  };
+
+  if (success) return <SuccessScreen />;
+
+  const availableCategories = categories.filter(
+    (c) => !fields.categories_list.includes(c),
+  );
+
+  return (
+    <>
+      {RECAPTCHA_SITE_KEY && (
+        <Script
+          src={`https://www.google.com/recaptcha/enterprise.js?render=${RECAPTCHA_SITE_KEY}`}
+          strategy="lazyOnload"
+        />
+      )}
+
+      <Navigation theme="light" />
+
+      <main className="pb-24">
+        <Container>
+          {/* Back link */}
+          <div className="py-6">
+            <Link
+              href="/"
+              className="inline-flex items-center gap-2 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600) transition-colors hover:text-(--color-primary600)"
+            >
+              <svg
+                viewBox="0 0 24 24"
+                fill="none"
+                stroke="currentColor"
+                strokeWidth="2"
+                className="h-4 w-4"
+                aria-hidden="true"
+              >
+                <polyline points="15 18 9 12 15 6" />
+              </svg>
+              Submit other content
+            </Link>
+          </div>
+
+          <div className="grid grid-cols-1 gap-12 lg:grid-cols-5">
+            {/* Left: intro */}
+            <div className="lg:col-span-2 lg:pt-2">
+              <p className="mb-2 text-sm text-(--color-neutral600)">
+                Submit your content
+              </p>
+              <h1 className="mb-4 text-4xl font-bold leading-tight text-(--color-primary800)">
+                Submit a Template
+              </h1>
+              <p className="text-sm leading-7 text-(--color-neutral700)">
+                Share your Strapi starter template with the community. All
+                submissions are reviewed before being listed in the marketplace.
+                We&rsquo;ll reach out if we need more information.{" "}
+                <Link
+                  href="/community"
+                  className="underline underline-offset-2 hover:text-(--color-primary600)"
+                >
+                  Community Guidelines
+                </Link>
+              </p>
+
+              <div className="mt-8 space-y-3">
+                {[
+                  {
+                    title: "Quick review",
+                    body: "Templates go through a simplified review process — no automated checks, just a manual approval.",
+                  },
+                  {
+                    title: "Get discovered",
+                    body: "Approved templates are listed in the marketplace and discoverable by the Strapi community.",
+                  },
+                ].map(({ title, body }) => (
+                  <div
+                    key={title}
+                    className="flex gap-3 rounded-lg border border-(--color-neutral150) bg-(--color-neutral100) px-4 py-3"
+                  >
+                    <div className="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-(--color-primary600) text-white">
+                      <svg
+                        viewBox="0 0 24 24"
+                        fill="none"
+                        stroke="currentColor"
+                        strokeWidth="2.5"
+                        className="h-3 w-3"
+                        aria-hidden="true"
+                      >
+                        <polyline points="20 6 9 17 4 12" />
+                      </svg>
+                    </div>
+                    <div>
+                      <p className="text-sm font-semibold text-(--color-neutral800)">
+                        {title}
+                      </p>
+                      <p className="mt-0.5 text-xs leading-relaxed text-(--color-neutral600)">
+                        {body}
+                      </p>
+                    </div>
+                  </div>
+                ))}
+              </div>
+            </div>
+
+            {/* Right: form */}
+            <div className="lg:col-span-3">
+              <form
+                onSubmit={handleSubmit}
+                noValidate
+                className="rounded-xl border border-(--color-neutral150) bg-white p-8 shadow-sm"
+              >
+                {errors._form && (
+                  <div
+                    role="alert"
+                    className="mb-6 rounded-md border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700"
+                  >
+                    {errors._form}
+                  </div>
+                )}
+
+                {/* Template Name */}
+                <div className="mb-5">
+                  <Label htmlFor="template_name" required>
+                    Template Name
+                  </Label>
+                  <Input
+                    id="template_name"
+                    value={fields.template_name}
+                    onChange={(e) => set("template_name", e.target.value)}
+                    placeholder="e.g. Strapi Blog Starter"
+                    className={errors.template_name ? "border-red-400" : ""}
+                    autoComplete="off"
+                  />
+                  <FieldError message={errors.template_name} />
+                </div>
+
+                {/* Repository URL */}
+                <div className="mb-5">
+                  <Label htmlFor="repository_url" required>
+                    Repository URL
+                  </Label>
+                  <Input
+                    id="repository_url"
+                    type="url"
+                    value={fields.repository_url}
+                    onChange={(e) => set("repository_url", e.target.value)}
+                    placeholder="https://github.com/org/repo"
+                    className={errors.repository_url ? "border-red-400" : ""}
+                  />
+                  <FieldError message={errors.repository_url} />
+                  <Hint>
+                    GitHub, GitLab, Bitbucket, or any public repository URL.
+                  </Hint>
+                </div>
+
+                {/* Demo URL */}
+                <div className="mb-5">
+                  <Label htmlFor="demo_url">Live Demo URL</Label>
+                  <Input
+                    id="demo_url"
+                    type="url"
+                    value={fields.demo_url}
+                    onChange={(e) => set("demo_url", e.target.value)}
+                    placeholder="https://my-template-demo.com"
+                    className={errors.demo_url ? "border-red-400" : ""}
+                  />
+                  <FieldError message={errors.demo_url} />
+                  <Hint>A live preview URL, if available.</Hint>
+                </div>
+
+                {/* Description */}
+                <div className="mb-5">
+                  <Label htmlFor="description" required>
+                    Template Description
+                  </Label>
+                  <Textarea
+                    id="description"
+                    value={fields.description}
+                    onChange={(v) => set("description", v)}
+                    placeholder="Tell us about your template — what it includes and what use cases it covers."
+                    rows={4}
+                    hasError={!!errors.description}
+                  />
+                  <FieldError message={errors.description} />
+                </div>
+
+                {/* Logo upload */}
+                <div className="mb-5">
+                  <Label htmlFor="logo_file">Template Logo / Screenshot</Label>
+                  <LogoUpload
+                    file={fields.logo_file}
+                    onChange={(f) => set("logo_file", f)}
+                    hasError={!!errors.logo_file}
+                  />
+                  <FieldError message={errors.logo_file as string} />
+                </div>
+
+                {/* Categories */}
+                <div className="mb-5">
+                  <Label htmlFor="category_select">Categories</Label>
+                  {fields.categories_list.length > 0 && (
+                    <div className="mb-2 flex flex-wrap gap-2">
+                      {fields.categories_list.map((c) => (
+                        <CategoryPill
+                          key={c}
+                          label={c}
+                          onRemove={() => removeCategory(c)}
+                        />
+                      ))}
+                    </div>
+                  )}
+                  <select
+                    id="category_select"
+                    className="flex h-10 w-full rounded-md border border-(--color-neutral150) bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none focus:border-(--color-primary200)"
+                    value=""
+                    onChange={(e) => {
+                      addCategory(e.target.value);
+                      e.target.value = "";
+                    }}
+                  >
+                    <option value="">
+                      {categories.length === 0
+                        ? "No categories available"
+                        : availableCategories.length === 0
+                          ? "All categories selected"
+                          : "Select a category to add…"}
+                    </option>
+                    {availableCategories.map((c) => (
+                      <option key={c} value={c}>
+                        {c}
+                      </option>
+                    ))}
+                  </select>
+                </div>
+
+                <SectionDivider label="Owner" />
+
+                {/* Owner */}
+                <div className="mb-5 grid grid-cols-1 gap-4 sm:grid-cols-2">
+                  <div>
+                    <Label htmlFor="owner_name" required>
+                      Owner / Author Name
+                    </Label>
+                    <Input
+                      id="owner_name"
+                      value={fields.owner_name}
+                      onChange={(e) => set("owner_name", e.target.value)}
+                      placeholder="Your name or organisation"
+                      className={errors.owner_name ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_name} />
+                  </div>
+                  <div>
+                    <Label htmlFor="owner_email" required>
+                      Contact Email
+                    </Label>
+                    <Input
+                      id="owner_email"
+                      type="email"
+                      value={fields.owner_email}
+                      onChange={(e) => set("owner_email", e.target.value)}
+                      placeholder="you@example.com"
+                      className={errors.owner_email ? "border-red-400" : ""}
+                    />
+                    <FieldError message={errors.owner_email} />
+                  </div>
+                </div>
+
+                {/* Notes */}
+                <div className="mb-5">
+                  <Label htmlFor="submission_notes">Notes for Reviewers</Label>
+                  <Textarea
+                    id="submission_notes"
+                    value={fields.submission_notes}
+                    onChange={(v) => set("submission_notes", v)}
+                    placeholder="Anything you'd like the review team to know."
+                    rows={3}
+                  />
+                </div>
+
+                <SectionDivider label="Terms" />
+
+                {/* Terms */}
+                <div className="mb-6">
+                  <label
+                    htmlFor="agreed"
+                    className="flex cursor-pointer items-start gap-3"
+                  >
+                    <Checkbox
+                      id="agreed"
+                      checked={fields.agreed}
+                      onCheckedChange={(checked) =>
+                        set("agreed", checked === true)
+                      }
+                      className={errors.agreed ? "border-red-400" : ""}
+                    />
+                    <span className="text-sm leading-relaxed text-(--color-neutral700)">
+                      I confirm this template is open-source and compliant with
+                      the{" "}
+                      <Link
+                        href="/community"
+                        className="underline underline-offset-2 hover:text-(--color-primary600)"
+                      >
+                        Community Guidelines
+                      </Link>
+                      .
+                    </span>
+                  </label>
+                  <FieldError message={errors.agreed} />
+                </div>
+
+                <p className="mb-6 text-xs leading-relaxed text-(--color-neutral600)">
+                  By submitting you agree to our review process. We will contact
+                  you if we need additional information. Submissions are
+                  reviewed manually and may take a few business days.
+                </p>
+
+                <Button
+                  type="submit"
+                  variant="primary"
+                  size="lg"
+                  className="w-full"
+                  disabled={submitting}
+                >
+                  {submitting ? "Submitting…" : "Submit Template"}
+                </Button>
+
+                <p className="mt-4 text-center text-xs text-(--color-neutral600)">
+                  Protected by reCAPTCHA —{" "}
+                  <a
+                    href="https://policies.google.com/privacy"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Privacy
+                  </a>{" "}
+                  &amp;{" "}
+                  <a
+                    href="https://policies.google.com/terms"
+                    target="_blank"
+                    rel="noreferrer"
+                    className="underline"
+                  >
+                    Terms
+                  </a>
+                </p>
+              </form>
+            </div>
+          </div>
+        </Container>
+      </main>
+    </>
+  );
+}
diff --git a/apps/web/src/app/submit/template/page.tsx b/apps/web/src/app/submit/template/page.tsx
index edc2226..6406c00 100644
--- a/apps/web/src/app/submit/template/page.tsx
+++ b/apps/web/src/app/submit/template/page.tsx
@@ -1,821 +1,23 @@
-"use client";
-
-import Image from "next/image";
-import Link from "next/link";
-import Script from "next/script";
-import { useEffect, useRef, useState } from "react";
-import { Container } from "@/components/layout/container";
-import { Navigation } from "@/components/layout/navigation";
-import { Button } from "@/components/ui/button";
-import { Checkbox } from "@/components/ui/checkbox";
-import { Input } from "@/components/ui/input";
-import { cn } from "@/lib/utils";
-
-declare global {
-  interface Window {
-    grecaptcha: {
-      enterprise: {
-        ready: (cb: () => void) => void;
-        execute: (
-          siteKey: string,
-          options: { action: string },
-        ) => Promise<string>;
-      };
-    };
-  }
-}
-
-const RECAPTCHA_SITE_KEY = process.env.NEXT_PUBLIC_RECAPTCHA_SITE_KEY ?? "";
-
-// ---------------------------------------------------------------------------
-// Small UI helpers
-// ---------------------------------------------------------------------------
-
-function Label({
-  htmlFor,
-  children,
-  required,
-}: {
-  htmlFor: string;
-  children: React.ReactNode;
-  required?: boolean;
-}) {
-  return (
-    <label
-      htmlFor={htmlFor}
-      className="mb-1.5 block text-sm font-medium text-(--color-neutral800)"
-    >
-      {children}
-      {required && (
-        <span className="ml-0.5 text-(--color-primary600)" aria-hidden>
-          *
-        </span>
-      )}
-    </label>
-  );
-}
-
-function FieldError({ message }: { message?: string }) {
-  if (!message) return null;
-  return (
-    <p role="alert" className="mt-1 text-xs text-red-600">
-      {message}
-    </p>
-  );
-}
-
-function Hint({ children }: { children: React.ReactNode }) {
-  return <p className="mt-1 text-xs text-(--color-neutral600)">{children}</p>;
-}
-
-function Textarea({
-  id,
-  value,
-  onChange,
-  placeholder,
-  rows = 5,
-  hasError,
-}: {
-  id?: string;
-  value: string;
-  onChange: (v: string) => void;
-  placeholder?: string;
-  rows?: number;
-  hasError?: boolean;
-}) {
-  return (
-    <textarea
-      id={id}
-      value={value}
-      onChange={(e) => onChange(e.target.value)}
-      placeholder={placeholder}
-      rows={rows}
-      className={cn(
-        "flex w-full resize-y rounded-md border bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none placeholder:text-(--color-neutral600) focus-visible:border-(--color-primary200)",
-        hasError ? "border-red-400" : "border-(--color-neutral150)",
-      )}
-    />
-  );
-}
-
-function SectionDivider({ label }: { label: string }) {
-  return (
-    <div className="relative my-6">
-      <div className="absolute inset-0 flex items-center">
-        <div className="w-full border-t border-(--color-neutral150)" />
-      </div>
-      <div className="relative flex justify-start">
-        <span className="bg-white pr-3 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600)">
-          {label}
-        </span>
-      </div>
-    </div>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Logo upload field
-// ---------------------------------------------------------------------------
-
-function LogoUpload({
-  file,
-  onChange,
-  hasError,
-}: {
-  file: File | null;
-  onChange: (f: File | null) => void;
-  hasError?: boolean;
-}) {
-  const inputRef = useRef<HTMLInputElement>(null);
-  const [dragOver, setDragOver] = useState(false);
-  const preview = file ? URL.createObjectURL(file) : null;
-
-  const handleFiles = (files: FileList | null) => {
-    const f = files?.[0] ?? null;
-    onChange(f);
-  };
-
-  return (
-    <div>
-      <input
-        ref={inputRef}
-        id="logo_file"
-        type="file"
-        accept="image/png,image/jpeg,image/svg+xml,image/webp"
-        className="sr-only"
-        onChange={(e) => handleFiles(e.target.files)}
-      />
-
-      <button
-        type="button"
-        onClick={() => inputRef.current?.click()}
-        onDragOver={(e) => {
-          e.preventDefault();
-          setDragOver(true);
-        }}
-        onDragLeave={() => setDragOver(false)}
-        onDrop={(e) => {
-          e.preventDefault();
-          setDragOver(false);
-          handleFiles(e.dataTransfer.files);
-        }}
-        className={cn(
-          "flex w-full flex-col items-center justify-center gap-2 rounded-md border-2 border-dashed px-4 py-8 text-sm transition-colors",
-          dragOver
-            ? "border-(--color-primary600) bg-(--color-primary100)"
-            : hasError
-              ? "border-red-400 bg-red-50"
-              : "border-(--color-neutral150) bg-(--color-neutral100) hover:border-(--color-primary200) hover:bg-(--color-primary100)",
-        )}
-      >
-        {preview ? (
-          <div className="flex flex-col items-center gap-3">
-            <Image
-              src={preview}
-              alt="Logo preview"
-              width={64}
-              height={64}
-              className="h-16 w-16 rounded-lg object-contain"
-              unoptimized
-            />
-            <span className="text-xs text-(--color-neutral600)">
-              {file?.name}{" "}
-              <span className="text-(--color-primary600) underline">
-                Change
-              </span>
-            </span>
-          </div>
-        ) : (
-          <>
-            <svg
-              viewBox="0 0 24 24"
-              fill="none"
-              stroke="currentColor"
-              strokeWidth="1.5"
-              className="h-8 w-8 text-(--color-neutral400)"
-              aria-hidden="true"
-            >
-              <path
-                d="M12 16V8m0 0-3 3m3-3 3 3"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-              />
-              <path
-                d="M20.39 18.39A5 5 0 0 0 18 9h-1.26A8 8 0 1 0 3 16.3"
-                strokeLinecap="round"
-                strokeLinejoin="round"
-              />
-            </svg>
-            <span className="font-medium text-(--color-neutral700)">
-              Upload a File
-            </span>
-            <span className="text-xs text-(--color-neutral500)">
-              Drag and drop or click to browse — PNG, JPEG, SVG, WebP · max 2 MB
-            </span>
-          </>
-        )}
-      </button>
-
-      {file && (
-        <button
-          type="button"
-          onClick={() => {
-            onChange(null);
-            if (inputRef.current) inputRef.current.value = "";
-          }}
-          className="mt-1 text-xs text-(--color-neutral600) hover:text-red-600"
-        >
-          Remove logo
-        </button>
-      )}
-    </div>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Category pills
-// ---------------------------------------------------------------------------
-
-function CategoryPill({
-  label,
-  onRemove,
-}: {
-  label: string;
-  onRemove: () => void;
-}) {
-  return (
-    <span className="inline-flex items-center gap-1 rounded-full bg-(--color-primary100) px-3 py-1 text-xs font-medium text-(--color-primary700)">
-      {label}
-      <button
-        type="button"
-        onClick={onRemove}
-        className="ml-1 rounded-full p-0.5 hover:bg-(--color-primary200)"
-        aria-label={`Remove ${label}`}
-      >
-        ×
-      </button>
-    </span>
-  );
-}
-
-// ---------------------------------------------------------------------------
-// Form state
-// ---------------------------------------------------------------------------
-
-interface FormFields {
-  template_name: string;
-  repository_url: string;
-  demo_url: string;
-  description: string;
-  logo_file: File | null;
-  categories_list: string[];
-  submission_notes: string;
-  owner_name: string;
-  owner_email: string;
-  agreed: boolean;
-}
-
-const INITIAL: FormFields = {
-  template_name: "",
-  repository_url: "",
-  demo_url: "",
-  description: "",
-  logo_file: null,
-  categories_list: [],
-  submission_notes: "",
-  owner_name: "",
-  owner_email: "",
-  agreed: false,
-};
-
-type FieldErrors = Partial<Record<keyof FormFields | "_form", string>>;
-
-function validate(f: FormFields): FieldErrors {
-  const e: FieldErrors = {};
-  if (!f.template_name.trim()) e.template_name = "Template name is required.";
-  if (!f.description.trim()) e.description = "Description is required.";
-  if (!f.repository_url.trim()) {
-    e.repository_url = "Repository URL is required.";
-  } else if (!/^https?:\/\//i.test(f.repository_url.trim())) {
-    e.repository_url = "Must be a valid https:// URL.";
+import { cmsClient } from "@/features/cms/lib/strapi";
+import { SubmitTemplateForm } from "./SubmitTemplateForm";
+
+async function fetchCategories(): Promise<string[]> {
+  try {
+    const res = await cmsClient
+      .collection("api::template-category.template-category")
+      .find({
+        pagination: { pageSize: 100 },
+        sort: ["name:asc"],
+        fields: ["name"],
+      } as object);
+    const data = (res as { data: Array<{ name?: string }> }).data ?? [];
+    return data.map((c) => c.name).filter((n): n is string => Boolean(n));
+  } catch {
+    return [];
   }
-  if (f.demo_url.trim() && !/^https?:\/\//i.test(f.demo_url.trim())) {
-    e.demo_url = "Must be a valid https:// URL.";
-  }
-  if (!f.owner_name.trim()) e.owner_name = "Owner name is required.";
-  if (!f.owner_email.trim()) {
-    e.owner_email = "Contact email is required.";
-  } else if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(f.owner_email.trim())) {
-    e.owner_email = "Must be a valid email address.";
-  }
-  if (!f.agreed) e.agreed = "You must agree to the terms to continue.";
-  return e;
-}
-
-// ---------------------------------------------------------------------------
-// Success screen
-// ---------------------------------------------------------------------------
-
-function SuccessScreen() {
-  return (
-    <>
-      <Navigation theme="light" />
-      <main>
-        <Container>
-          <div className="flex min-h-[60vh] flex-col items-center justify-center py-24 text-center">
-            <div className="mb-6 flex h-16 w-16 items-center justify-center rounded-full bg-(--color-primary100)">
-              <svg
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                className="h-8 w-8 text-(--color-primary600)"
-                aria-hidden="true"
-              >
-                <polyline points="20 6 9 17 4 12" />
-              </svg>
-            </div>
-            <h1 className="mb-3 text-2xl font-bold text-(--color-primary800)">
-              Submission received!
-            </h1>
-            <p className="mb-8 max-w-md text-sm leading-relaxed text-(--color-neutral600)">
-              Thank you for submitting your template. Our team will review it
-              and reach out at the email address you provided.
-            </p>
-            <Button href="/" variant="secondary">
-              Back to Marketplace
-            </Button>
-          </div>
-        </Container>
-      </main>
-    </>
-  );
 }
 
-// ---------------------------------------------------------------------------
-// Page
-// ---------------------------------------------------------------------------
-
-export default function SubmitTemplatePage() {
-  const [fields, setFields] = useState<FormFields>(INITIAL);
-  const [errors, setErrors] = useState<FieldErrors>({});
-  const [submitting, setSubmitting] = useState(false);
-  const [success, setSuccess] = useState(false);
-  const [categories, setCategories] = useState<string[]>([]);
-
-  useEffect(() => {
-    fetch("/api/categories")
-      .then((r) => (r.ok ? r.json() : null))
-      .then((json) => {
-        const names: string[] = (json?.data ?? [])
-          .map((c: { name?: string }) => c.name)
-          .filter(Boolean) as string[];
-        setCategories(names);
-      })
-      .catch(() => {});
-  }, []);
-
-  const set = <K extends keyof FormFields>(key: K, value: FormFields[K]) => {
-    setFields((f) => ({ ...f, [key]: value }));
-    setErrors((e) => ({ ...e, [key]: undefined }));
-  };
-
-  const addCategory = (cat: string) => {
-    if (cat && !fields.categories_list.includes(cat)) {
-      set("categories_list", [...fields.categories_list, cat]);
-    }
-  };
-
-  const removeCategory = (cat: string) => {
-    set(
-      "categories_list",
-      fields.categories_list.filter((c) => c !== cat),
-    );
-  };
-
-  const handleSubmit = async (e: React.FormEvent) => {
-    e.preventDefault();
-
-    const errs = validate(fields);
-    if (Object.keys(errs).length > 0) {
-      setErrors(errs);
-      const firstKey = Object.keys(errs)[0];
-      document.getElementById(firstKey as string)?.focus();
-      return;
-    }
-
-    setSubmitting(true);
-    setErrors({});
-
-    try {
-      let recaptchaToken = "";
-      if (
-        RECAPTCHA_SITE_KEY &&
-        typeof window !== "undefined" &&
-        window.grecaptcha?.enterprise
-      ) {
-        await new Promise<void>((resolve) =>
-          window.grecaptcha.enterprise.ready(resolve),
-        );
-        recaptchaToken = await window.grecaptcha.enterprise.execute(
-          RECAPTCHA_SITE_KEY,
-          { action: "submit_template" },
-        );
-      }
-
-      const form = new FormData();
-      form.append("template_name", fields.template_name.trim());
-      form.append("repository_url", fields.repository_url.trim());
-      form.append("demo_url", fields.demo_url.trim());
-      form.append("description", fields.description.trim());
-      form.append("submission_notes", fields.submission_notes.trim());
-      form.append("owner_name", fields.owner_name.trim());
-      form.append("owner_email", fields.owner_email.trim());
-      form.append("categories_list", JSON.stringify(fields.categories_list));
-      form.append("submitter_agreed_to_terms", "true");
-      form.append("recaptcha_token", recaptchaToken);
-      if (fields.logo_file) {
-        form.append("logo_file", fields.logo_file, fields.logo_file.name);
-      }
-
-      const res = await fetch("/api/submit-template", {
-        method: "POST",
-        body: form,
-      });
-      const data = (await res.json()) as {
-        success?: boolean;
-        error?: string;
-        errors?: string[];
-      };
-
-      if (!res.ok) {
-        setErrors({
-          _form:
-            (Array.isArray(data.errors) ? data.errors.join(" ") : data.error) ||
-            "Something went wrong. Please try again.",
-        });
-        return;
-      }
-
-      setSuccess(true);
-    } catch {
-      setErrors({
-        _form:
-          "Could not submit your template. Please check your connection and try again.",
-      });
-    } finally {
-      setSubmitting(false);
-    }
-  };
-
-  if (success) return <SuccessScreen />;
-
-  const availableCategories = categories.filter(
-    (c) => !fields.categories_list.includes(c),
-  );
-
-  return (
-    <>
-      {RECAPTCHA_SITE_KEY && (
-        <Script
-          src={`https://www.google.com/recaptcha/enterprise.js?render=${RECAPTCHA_SITE_KEY}`}
-          strategy="lazyOnload"
-        />
-      )}
-
-      <Navigation theme="light" />
-
-      <main className="pb-24">
-        <Container>
-          {/* Back link */}
-          <div className="py-6">
-            <Link
-              href="/"
-              className="inline-flex items-center gap-2 text-xs font-semibold uppercase tracking-widest text-(--color-neutral600) transition-colors hover:text-(--color-primary600)"
-            >
-              <svg
-                viewBox="0 0 24 24"
-                fill="none"
-                stroke="currentColor"
-                strokeWidth="2"
-                className="h-4 w-4"
-                aria-hidden="true"
-              >
-                <polyline points="15 18 9 12 15 6" />
-              </svg>
-              Submit other content
-            </Link>
-          </div>
-
-          <div className="grid grid-cols-1 gap-12 lg:grid-cols-5">
-            {/* Left: intro */}
-            <div className="lg:col-span-2 lg:pt-2">
-              <p className="mb-2 text-sm text-(--color-neutral600)">
-                Submit your content
-              </p>
-              <h1 className="mb-4 text-4xl font-bold leading-tight text-(--color-primary800)">
-                Submit a Template
-              </h1>
-              <p className="text-sm leading-7 text-(--color-neutral700)">
-                Share your Strapi starter template with the community. All
-                submissions are reviewed before being listed in the marketplace.
-                We&rsquo;ll reach out if we need more information.{" "}
-                <Link
-                  href="/community"
-                  className="underline underline-offset-2 hover:text-(--color-primary600)"
-                >
-                  Community Guidelines
-                </Link>
-              </p>
-
-              <div className="mt-8 space-y-3">
-                {[
-                  {
-                    title: "Quick review",
-                    body: "Templates go through a simplified review process — no automated checks, just a manual approval.",
-                  },
-                  {
-                    title: "Get discovered",
-                    body: "Approved templates are listed in the marketplace and discoverable by the Strapi community.",
-                  },
-                ].map(({ title, body }) => (
-                  <div
-                    key={title}
-                    className="flex gap-3 rounded-lg border border-(--color-neutral150) bg-(--color-neutral100) px-4 py-3"
-                  >
-                    <div className="mt-0.5 flex h-5 w-5 shrink-0 items-center justify-center rounded-full bg-(--color-primary600) text-white">
-                      <svg
-                        viewBox="0 0 24 24"
-                        fill="none"
-                        stroke="currentColor"
-                        strokeWidth="2.5"
-                        className="h-3 w-3"
-                        aria-hidden="true"
-                      >
-                        <polyline points="20 6 9 17 4 12" />
-                      </svg>
-                    </div>
-                    <div>
-                      <p className="text-sm font-semibold text-(--color-neutral800)">
-                        {title}
-                      </p>
-                      <p className="mt-0.5 text-xs leading-relaxed text-(--color-neutral600)">
-                        {body}
-                      </p>
-                    </div>
-                  </div>
-                ))}
-              </div>
-            </div>
-
-            {/* Right: form */}
-            <div className="lg:col-span-3">
-              <form
-                onSubmit={handleSubmit}
-                noValidate
-                className="rounded-xl border border-(--color-neutral150) bg-white p-8 shadow-sm"
-              >
-                {errors._form && (
-                  <div
-                    role="alert"
-                    className="mb-6 rounded-md border border-red-200 bg-red-50 px-4 py-3 text-sm text-red-700"
-                  >
-                    {errors._form}
-                  </div>
-                )}
-
-                {/* Template Name */}
-                <div className="mb-5">
-                  <Label htmlFor="template_name" required>
-                    Template Name
-                  </Label>
-                  <Input
-                    id="template_name"
-                    value={fields.template_name}
-                    onChange={(e) => set("template_name", e.target.value)}
-                    placeholder="e.g. Strapi Blog Starter"
-                    className={errors.template_name ? "border-red-400" : ""}
-                    autoComplete="off"
-                  />
-                  <FieldError message={errors.template_name} />
-                </div>
-
-                {/* Repository URL */}
-                <div className="mb-5">
-                  <Label htmlFor="repository_url" required>
-                    Repository URL
-                  </Label>
-                  <Input
-                    id="repository_url"
-                    type="url"
-                    value={fields.repository_url}
-                    onChange={(e) => set("repository_url", e.target.value)}
-                    placeholder="https://github.com/org/repo"
-                    className={errors.repository_url ? "border-red-400" : ""}
-                  />
-                  <FieldError message={errors.repository_url} />
-                  <Hint>
-                    GitHub, GitLab, Bitbucket, or any public repository URL.
-                  </Hint>
-                </div>
-
-                {/* Demo URL */}
-                <div className="mb-5">
-                  <Label htmlFor="demo_url">Live Demo URL</Label>
-                  <Input
-                    id="demo_url"
-                    type="url"
-                    value={fields.demo_url}
-                    onChange={(e) => set("demo_url", e.target.value)}
-                    placeholder="https://my-template-demo.com"
-                    className={errors.demo_url ? "border-red-400" : ""}
-                  />
-                  <FieldError message={errors.demo_url} />
-                  <Hint>A live preview URL, if available.</Hint>
-                </div>
-
-                {/* Description */}
-                <div className="mb-5">
-                  <Label htmlFor="description" required>
-                    Template Description
-                  </Label>
-                  <Textarea
-                    id="description"
-                    value={fields.description}
-                    onChange={(v) => set("description", v)}
-                    placeholder="Tell us about your template — what it includes and what use cases it covers."
-                    rows={4}
-                    hasError={!!errors.description}
-                  />
-                  <FieldError message={errors.description} />
-                </div>
-
-                {/* Logo upload */}
-                <div className="mb-5">
-                  <Label htmlFor="logo_file">Template Logo / Screenshot</Label>
-                  <LogoUpload
-                    file={fields.logo_file}
-                    onChange={(f) => set("logo_file", f)}
-                    hasError={!!errors.logo_file}
-                  />
-                  <FieldError message={errors.logo_file as string} />
-                </div>
-
-                {/* Categories */}
-                <div className="mb-5">
-                  <Label htmlFor="category_select">Categories</Label>
-                  {fields.categories_list.length > 0 && (
-                    <div className="mb-2 flex flex-wrap gap-2">
-                      {fields.categories_list.map((c) => (
-                        <CategoryPill
-                          key={c}
-                          label={c}
-                          onRemove={() => removeCategory(c)}
-                        />
-                      ))}
-                    </div>
-                  )}
-                  <select
-                    id="category_select"
-                    className="flex h-10 w-full rounded-md border border-(--color-neutral150) bg-white px-3 py-2 text-sm text-(--color-neutral900) shadow-[0_1px_2px_rgba(0,0,0,0.05)] outline-none focus:border-(--color-primary200)"
-                    value=""
-                    onChange={(e) => {
-                      addCategory(e.target.value);
-                      e.target.value = "";
-                    }}
-                  >
-                    <option value="">
-                      {categories.length === 0
-                        ? "Loading categories…"
-                        : availableCategories.length === 0
-                          ? "All categories selected"
-                          : "Select a category to add…"}
-                    </option>
-                    {availableCategories.map((c) => (
-                      <option key={c} value={c}>
-                        {c}
-                      </option>
-                    ))}
-                  </select>
-                </div>
-
-                <SectionDivider label="Owner" />
-
-                {/* Owner */}
-                <div className="mb-5 grid grid-cols-1 gap-4 sm:grid-cols-2">
-                  <div>
-                    <Label htmlFor="owner_name" required>
-                      Owner / Author Name
-                    </Label>
-                    <Input
-                      id="owner_name"
-                      value={fields.owner_name}
-                      onChange={(e) => set("owner_name", e.target.value)}
-                      placeholder="Your name or organisation"
-                      className={errors.owner_name ? "border-red-400" : ""}
-                    />
-                    <FieldError message={errors.owner_name} />
-                  </div>
-                  <div>
-                    <Label htmlFor="owner_email" required>
-                      Contact Email
-                    </Label>
-                    <Input
-                      id="owner_email"
-                      type="email"
-                      value={fields.owner_email}
-                      onChange={(e) => set("owner_email", e.target.value)}
-                      placeholder="you@example.com"
-                      className={errors.owner_email ? "border-red-400" : ""}
-                    />
-                    <FieldError message={errors.owner_email} />
-                  </div>
-                </div>
-
-                {/* Notes */}
-                <div className="mb-5">
-                  <Label htmlFor="submission_notes">Notes for Reviewers</Label>
-                  <Textarea
-                    id="submission_notes"
-                    value={fields.submission_notes}
-                    onChange={(v) => set("submission_notes", v)}
-                    placeholder="Anything you'd like the review team to know."
-                    rows={3}
-                  />
-                </div>
-
-                <SectionDivider label="Terms" />
-
-                {/* Terms */}
-                <div className="mb-6">
-                  <label
-                    htmlFor="agreed"
-                    className="flex cursor-pointer items-start gap-3"
-                  >
-                    <Checkbox
-                      id="agreed"
-                      checked={fields.agreed}
-                      onCheckedChange={(checked) =>
-                        set("agreed", checked === true)
-                      }
-                      className={errors.agreed ? "border-red-400" : ""}
-                    />
-                    <span className="text-sm leading-relaxed text-(--color-neutral700)">
-                      I confirm this template is open-source and compliant with
-                      the{" "}
-                      <Link
-                        href="/community"
-                        className="underline underline-offset-2 hover:text-(--color-primary600)"
-                      >
-                        Community Guidelines
-                      </Link>
-                      .
-                    </span>
-                  </label>
-                  <FieldError message={errors.agreed} />
-                </div>
-
-                <p className="mb-6 text-xs leading-relaxed text-(--color-neutral600)">
-                  By submitting you agree to our review process. We will contact
-                  you if we need additional information. Submissions are
-                  reviewed manually and may take a few business days.
-                </p>
-
-                <Button
-                  type="submit"
-                  variant="primary"
-                  size="large"
-                  className="w-full"
-                  disabled={submitting}
-                >
-                  {submitting ? "Submitting…" : "Submit Template"}
-                </Button>
-
-                <p className="mt-4 text-center text-xs text-(--color-neutral600)">
-                  Protected by reCAPTCHA —{" "}
-                  <a
-                    href="https://policies.google.com/privacy"
-                    target="_blank"
-                    rel="noreferrer"
-                    className="underline"
-                  >
-                    Privacy
-                  </a>{" "}
-                  &amp;{" "}
-                  <a
-                    href="https://policies.google.com/terms"
-                    target="_blank"
-                    rel="noreferrer"
-                    className="underline"
-                  >
-                    Terms
-                  </a>
-                </p>
-              </form>
-            </div>
-          </div>
-        </Container>
-      </main>
-    </>
-  );
+export default async function SubmitTemplatePage() {
+  const categories = await fetchCategories();
+  return <SubmitTemplateForm initialCategories={categories} />;
 }

From 11c44a36f08a2bdcf7683b7075508e01e615ce5a Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 09:54:56 +0100
Subject: [PATCH 23/26] chore: fix strapi-client indentation; remove n8n/search
 convenience scripts from root

---
 package.json | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/package.json b/package.json
index 423afb0..c12b094 100644
--- a/package.json
+++ b/package.json
@@ -8,10 +8,6 @@
     "lint": "turbo lint",
     "test": "turbo test",
     "check-types": "turbo check-types",
-    "n8n:start": "pnpm --filter automation start",
-    "n8n:stop": "pnpm --filter automation n8n:down",
-    "search:start": "pnpm --filter search start",
-    "search:stop": "pnpm --filter search stop",
     "update-dependencies": "pnpm --recursive --interactive --latest update",
     "prepare": "husky"
   },

From 49f550688cd102e50b771323ed8c4383daa7c4ff Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 09:58:55 +0100
Subject: [PATCH 24/26] =?UTF-8?q?fix(cms/moderation):=20address=20final=20?=
 =?UTF-8?q?review=20issues=20=E2=80=94=20draft=20guard,=20auth,=20template?=
 =?UTF-8?q?=20status,=20dead=20code=20cleanup?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .../src/pages/SubmissionDetail/index.tsx      |  35 ----
 .../server/routes/plugin-submission.js        |   4 +-
 .../server/services/plugin-submission.js      |   4 +-
 .../server/services/template-submission.js    |   3 +-
 apps/cms/types/generated/contentTypes.d.ts    | 159 ------------------
 5 files changed, 7 insertions(+), 198 deletions(-)

diff --git a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
index ffe6c08..dfcb03c 100644
--- a/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
+++ b/apps/cms/src/plugins/moderation/admin/src/pages/SubmissionDetail/index.tsx
@@ -668,41 +668,6 @@ export const SubmissionDetail = () => {
             initialSecurityNotes={submission.security_review_notes || ""}
             onSaved={load}
           />
-
-          {submission.promoted_package && (
-            <Box
-              marginTop={4}
-              background="success100"
-              padding={5}
-              hasRadius
-              borderColor="success200"
-              borderWidth="1px"
-              borderStyle="solid"
-            >
-              <Flex direction="column" alignItems="flex-start" gap={3}>
-                <Typography
-                  fontWeight="semiBold"
-                  textColor="success700"
-                  variant="omega"
-                >
-                  Promoted to Package
-                </Typography>
-                <Button
-                  variant="tertiary"
-                  size="S"
-                  endIcon={<ExternalLink />}
-                  onClick={() =>
-                    window.open(
-                      `${window.strapi.backendURL}/admin/content-manager/collection-types/api::package.package/${submission.promoted_package!.documentId}`,
-                      "_blank",
-                    )
-                  }
-                >
-                  Open in Content Manager
-                </Button>
-              </Flex>
-            </Box>
-          )}
         </Box>
       </Flex>
     </Box>
diff --git a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
index 55b63fa..7c363dc 100644
--- a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
@@ -16,13 +16,13 @@ module.exports = {
         method: "POST",
         path: "/packages/:documentId/security-scan-result",
         handler: "plugin-submission.updateSecurityScan",
-        config: { policies: [] },
+        config: { auth: true, policies: [] },
       },
       {
         method: "GET",
         path: "/packages/stale-scans",
         handler: "plugin-submission.listStaleScans",
-        config: { policies: [] },
+        config: { auth: true, policies: [] },
       },
     ],
   },
diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
index 3ea35ba..452cab9 100644
--- a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
@@ -287,7 +287,9 @@ module.exports = ({ strapi }) => ({
    * No data copy — the draft IS the package.
    */
   async publishPackage(documentId) {
-    const pkg = await strapi.documents(CONTENT_TYPE).findOne({ documentId });
+    const pkg = await strapi
+      .documents(CONTENT_TYPE)
+      .findOne({ documentId, status: "draft" });
     if (!pkg) throw new Error("Package not found.");
     if (pkg.overall_status !== "approved")
       throw new Error("Package must be approved before publishing.");
diff --git a/apps/cms/src/plugins/moderation/server/services/template-submission.js b/apps/cms/src/plugins/moderation/server/services/template-submission.js
index 940d88f..b16bf26 100644
--- a/apps/cms/src/plugins/moderation/server/services/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/services/template-submission.js
@@ -101,6 +101,7 @@ module.exports = ({ strapi }) => ({
         // Moderation fields
         overall_status: "submitted",
         business_review_status: "pending",
+        security_review_status: "pending",
         submitter_ip: submitterIp || null,
         submitter_agreed_to_terms: data.submitter_agreed_to_terms === true,
         submission_notes: data.submission_notes || null,
@@ -124,7 +125,7 @@ module.exports = ({ strapi }) => ({
   async publishTemplate(documentId) {
     const template = await strapi
       .documents(CONTENT_TYPE)
-      .findOne({ documentId });
+      .findOne({ documentId, status: "draft" });
     if (!template) throw new Error("Template not found.");
     if (template.overall_status !== "approved")
       throw new Error("Template must be approved before publishing.");
diff --git a/apps/cms/types/generated/contentTypes.d.ts b/apps/cms/types/generated/contentTypes.d.ts
index 045dc5a..4ad26ec 100644
--- a/apps/cms/types/generated/contentTypes.d.ts
+++ b/apps/cms/types/generated/contentTypes.d.ts
@@ -2062,163 +2062,6 @@ export interface PluginI18NLocale extends Struct.CollectionTypeSchema {
   };
 }
 
-export interface PluginModerationPluginSubmission
-  extends Struct.CollectionTypeSchema {
-  collectionName: 'plugin_submissions';
-  info: {
-    description: 'Incoming plugin submissions awaiting moderation before publication';
-    displayName: 'Plugin Submission';
-    pluralName: 'plugin-submissions';
-    singularName: 'plugin-submission';
-  };
-  options: {
-    draftAndPublish: false;
-  };
-  pluginOptions: {
-    'content-manager': {
-      visible: false;
-    };
-    'content-type-builder': {
-      visible: false;
-    };
-  };
-  attributes: {
-    automated_check_results: Schema.Attribute.JSON;
-    business_review_notes: Schema.Attribute.Text;
-    business_review_status: Schema.Attribute.Enumeration<
-      ['pending', 'approved', 'rejected']
-    > &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<'pending'>;
-    categories_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
-    createdAt: Schema.Attribute.DateTime;
-    createdBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
-      Schema.Attribute.Private;
-    description: Schema.Attribute.Text & Schema.Attribute.Required;
-    locale: Schema.Attribute.String & Schema.Attribute.Private;
-    localizations: Schema.Attribute.Relation<
-      'oneToMany',
-      'plugin::moderation.plugin-submission'
-    > &
-      Schema.Attribute.Private;
-    logo_url: Schema.Attribute.String;
-    maintainers_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
-    overall_status: Schema.Attribute.Enumeration<
-      ['submitted', 'under_review', 'changes_requested', 'rejected', 'approved']
-    > &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<'submitted'>;
-    owner_email: Schema.Attribute.String & Schema.Attribute.Required;
-    owner_name: Schema.Attribute.String & Schema.Attribute.Required;
-    package_location: Schema.Attribute.String;
-    package_type: Schema.Attribute.Enumeration<
-      ['plugin', 'provider', 'sdk', 'tool']
-    > &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<'plugin'>;
-    plugin_name: Schema.Attribute.String & Schema.Attribute.Required;
-    promoted_package: Schema.Attribute.Relation<
-      'oneToOne',
-      'api::package.package'
-    >;
-    publishedAt: Schema.Attribute.DateTime;
-    readme: Schema.Attribute.RichText;
-    rejection_reason: Schema.Attribute.Text;
-    repository_url: Schema.Attribute.String & Schema.Attribute.Required;
-    reviewer_feedback: Schema.Attribute.Text;
-    security_review_notes: Schema.Attribute.Text;
-    security_review_status: Schema.Attribute.Enumeration<
-      ['pending', 'approved', 'rejected']
-    > &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<'pending'>;
-    security_scan_ai_analysis: Schema.Attribute.JSON;
-    security_scan_dependencies: Schema.Attribute.JSON;
-    security_scan_run_at: Schema.Attribute.DateTime;
-    security_scan_started_at: Schema.Attribute.DateTime;
-    security_scan_status: Schema.Attribute.Enumeration<
-      ['pending', 'running', 'completed', 'failed']
-    > &
-      Schema.Attribute.DefaultTo<'pending'>;
-    security_scan_summary: Schema.Attribute.JSON;
-    submission_notes: Schema.Attribute.Text;
-    submitter_agreed_to_terms: Schema.Attribute.Boolean &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<false>;
-    submitter_ip: Schema.Attribute.String;
-    updatedAt: Schema.Attribute.DateTime;
-    updatedBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
-      Schema.Attribute.Private;
-  };
-}
-
-export interface PluginModerationTemplateSubmission
-  extends Struct.CollectionTypeSchema {
-  collectionName: 'template_submissions';
-  info: {
-    description: 'Incoming template submissions awaiting approval before publication';
-    displayName: 'Template Submission';
-    pluralName: 'template-submissions';
-    singularName: 'template-submission';
-  };
-  options: {
-    draftAndPublish: false;
-  };
-  pluginOptions: {
-    'content-manager': {
-      visible: false;
-    };
-    'content-type-builder': {
-      visible: false;
-    };
-  };
-  attributes: {
-    categories_list: Schema.Attribute.JSON & Schema.Attribute.DefaultTo<[]>;
-    createdAt: Schema.Attribute.DateTime;
-    createdBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
-      Schema.Attribute.Private;
-    demo_url: Schema.Attribute.String;
-    description: Schema.Attribute.Text & Schema.Attribute.Required;
-    locale: Schema.Attribute.String & Schema.Attribute.Private;
-    localizations: Schema.Attribute.Relation<
-      'oneToMany',
-      'plugin::moderation.template-submission'
-    > &
-      Schema.Attribute.Private;
-    logo_url: Schema.Attribute.String;
-    overall_status: Schema.Attribute.Enumeration<
-      ['submitted', 'approved', 'rejected']
-    > &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<'submitted'>;
-    owner_email: Schema.Attribute.String & Schema.Attribute.Required;
-    owner_name: Schema.Attribute.String & Schema.Attribute.Required;
-    publishedAt: Schema.Attribute.DateTime;
-    rejection_reason: Schema.Attribute.Text;
-    repository_url: Schema.Attribute.String & Schema.Attribute.Required;
-    reviewer_feedback: Schema.Attribute.Text;
-    reviewer_notes: Schema.Attribute.Text;
-    security_scan_ai_analysis: Schema.Attribute.JSON;
-    security_scan_dependencies: Schema.Attribute.JSON;
-    security_scan_run_at: Schema.Attribute.DateTime;
-    security_scan_started_at: Schema.Attribute.DateTime;
-    security_scan_status: Schema.Attribute.Enumeration<
-      ['pending', 'running', 'completed', 'failed']
-    > &
-      Schema.Attribute.DefaultTo<'pending'>;
-    security_scan_summary: Schema.Attribute.JSON;
-    submission_notes: Schema.Attribute.Text;
-    submitter_agreed_to_terms: Schema.Attribute.Boolean &
-      Schema.Attribute.Required &
-      Schema.Attribute.DefaultTo<false>;
-    submitter_ip: Schema.Attribute.String;
-    template_name: Schema.Attribute.String & Schema.Attribute.Required;
-    updatedAt: Schema.Attribute.DateTime;
-    updatedBy: Schema.Attribute.Relation<'oneToOne', 'admin::user'> &
-      Schema.Attribute.Private;
-  };
-}
-
 export interface PluginReviewWorkflowsWorkflow
   extends Struct.CollectionTypeSchema {
   collectionName: 'strapi_workflows';
@@ -2562,8 +2405,6 @@ declare module '@strapi/strapi' {
       'plugin::content-releases.release': PluginContentReleasesRelease;
       'plugin::content-releases.release-action': PluginContentReleasesReleaseAction;
       'plugin::i18n.locale': PluginI18NLocale;
-      'plugin::moderation.plugin-submission': PluginModerationPluginSubmission;
-      'plugin::moderation.template-submission': PluginModerationTemplateSubmission;
       'plugin::review-workflows.workflow': PluginReviewWorkflowsWorkflow;
       'plugin::review-workflows.workflow-stage': PluginReviewWorkflowsWorkflowStage;
       'plugin::upload.file': PluginUploadFile;

From e4ecc78c5c56d1a6b46ceb605b6ce3997a819753 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 10:32:59 +0100
Subject: [PATCH 25/26] refactor(cms/moderation): convert server-side JS to
 TypeScript

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 apps/cms/src/plugins/moderation/package.json  |  2 +-
 .../moderation/server/controllers/index.js    |  4 --
 .../src/plugins/moderation/server/index.js    |  5 ---
 .../moderation/server/services/index.js       |  4 --
 .../server/src/controllers/index.ts           |  7 ++++
 .../controllers/plugin-submission.ts}         |  2 +-
 .../controllers/template-submission.ts}       |  2 +-
 .../plugins/moderation/server/src/index.ts    | 15 +++++++
 .../{routes/index.js => src/routes/index.ts}  | 10 ++---
 .../routes/plugin-submission.ts}              |  2 +-
 .../routes/template-submission.ts}            |  2 +-
 .../services/automated-checks.ts}             | 14 ++++---
 .../services/get-package-security-info.ts}    | 40 +++++++++----------
 .../moderation/server/src/services/index.ts   |  7 ++++
 .../services/n8n-webhook.ts}                  | 14 ++++---
 .../services/plugin-submission.ts}            | 20 +++++++---
 .../services/template-submission.ts}          | 14 +++++--
 .../src/plugins/moderation/strapi-server.js   | 21 ----------
 18 files changed, 99 insertions(+), 86 deletions(-)
 delete mode 100644 apps/cms/src/plugins/moderation/server/controllers/index.js
 delete mode 100644 apps/cms/src/plugins/moderation/server/index.js
 delete mode 100644 apps/cms/src/plugins/moderation/server/services/index.js
 create mode 100644 apps/cms/src/plugins/moderation/server/src/controllers/index.ts
 rename apps/cms/src/plugins/moderation/server/{controllers/plugin-submission.js => src/controllers/plugin-submission.ts} (99%)
 rename apps/cms/src/plugins/moderation/server/{controllers/template-submission.js => src/controllers/template-submission.ts} (99%)
 create mode 100644 apps/cms/src/plugins/moderation/server/src/index.ts
 rename apps/cms/src/plugins/moderation/server/{routes/index.js => src/routes/index.ts} (58%)
 rename apps/cms/src/plugins/moderation/server/{routes/plugin-submission.js => src/routes/plugin-submission.ts} (98%)
 rename apps/cms/src/plugins/moderation/server/{routes/template-submission.js => src/routes/template-submission.ts} (98%)
 rename apps/cms/src/plugins/moderation/server/{services/automated-checks.js => src/services/automated-checks.ts} (97%)
 rename apps/cms/src/plugins/moderation/server/{services/get-package-security-info.js => src/services/get-package-security-info.ts} (80%)
 create mode 100644 apps/cms/src/plugins/moderation/server/src/services/index.ts
 rename apps/cms/src/plugins/moderation/server/{services/n8n-webhook.js => src/services/n8n-webhook.ts} (91%)
 rename apps/cms/src/plugins/moderation/server/{services/plugin-submission.js => src/services/plugin-submission.ts} (96%)
 rename apps/cms/src/plugins/moderation/server/{services/template-submission.js => src/services/template-submission.ts} (96%)
 delete mode 100644 apps/cms/src/plugins/moderation/strapi-server.js

diff --git a/apps/cms/src/plugins/moderation/package.json b/apps/cms/src/plugins/moderation/package.json
index 98f7287..b3eb818 100644
--- a/apps/cms/src/plugins/moderation/package.json
+++ b/apps/cms/src/plugins/moderation/package.json
@@ -9,7 +9,7 @@
   },
   "exports": {
     "./strapi-server": {
-      "require": "./strapi-server.js"
+      "require": "../../../dist/src/plugins/moderation/server/src/index.js"
     },
     "./strapi-admin": {
       "source": "./admin/src/index.tsx",
diff --git a/apps/cms/src/plugins/moderation/server/controllers/index.js b/apps/cms/src/plugins/moderation/server/controllers/index.js
deleted file mode 100644
index b29a911..0000000
--- a/apps/cms/src/plugins/moderation/server/controllers/index.js
+++ /dev/null
@@ -1,4 +0,0 @@
-module.exports = {
-  "plugin-submission": require("./plugin-submission"),
-  "template-submission": require("./template-submission"),
-};
diff --git a/apps/cms/src/plugins/moderation/server/index.js b/apps/cms/src/plugins/moderation/server/index.js
deleted file mode 100644
index 285bbc3..0000000
--- a/apps/cms/src/plugins/moderation/server/index.js
+++ /dev/null
@@ -1,5 +0,0 @@
-module.exports = {
-  controllers: require("./controllers"),
-  services: require("./services"),
-  routes: require("./routes"),
-};
diff --git a/apps/cms/src/plugins/moderation/server/services/index.js b/apps/cms/src/plugins/moderation/server/services/index.js
deleted file mode 100644
index b29a911..0000000
--- a/apps/cms/src/plugins/moderation/server/services/index.js
+++ /dev/null
@@ -1,4 +0,0 @@
-module.exports = {
-  "plugin-submission": require("./plugin-submission"),
-  "template-submission": require("./template-submission"),
-};
diff --git a/apps/cms/src/plugins/moderation/server/src/controllers/index.ts b/apps/cms/src/plugins/moderation/server/src/controllers/index.ts
new file mode 100644
index 0000000..e0665d0
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/src/controllers/index.ts
@@ -0,0 +1,7 @@
+import pluginSubmission from "./plugin-submission";
+import templateSubmission from "./template-submission";
+
+export default {
+  "plugin-submission": pluginSubmission,
+  "template-submission": templateSubmission,
+};
diff --git a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js b/apps/cms/src/plugins/moderation/server/src/controllers/plugin-submission.ts
similarity index 99%
rename from apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
rename to apps/cms/src/plugins/moderation/server/src/controllers/plugin-submission.ts
index 4eaf731..4500068 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/src/controllers/plugin-submission.ts
@@ -9,7 +9,7 @@
 const service = (strapi) =>
   strapi.plugin("moderation").service("plugin-submission");
 
-module.exports = ({ strapi }) => ({
+export default ({ strapi }) => ({
   /**
    * POST /api/moderation/packages/submit
    * Accepts a new plugin submission from the public.
diff --git a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js b/apps/cms/src/plugins/moderation/server/src/controllers/template-submission.ts
similarity index 99%
rename from apps/cms/src/plugins/moderation/server/controllers/template-submission.js
rename to apps/cms/src/plugins/moderation/server/src/controllers/template-submission.ts
index 617aa2f..2174319 100644
--- a/apps/cms/src/plugins/moderation/server/controllers/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/src/controllers/template-submission.ts
@@ -9,7 +9,7 @@
 const service = (strapi) =>
   strapi.plugin("moderation").service("template-submission");
 
-module.exports = ({ strapi }) => ({
+export default ({ strapi }) => ({
   /**
    * POST /api/moderation/templates/submit
    * Accepts a new template submission from the public.
diff --git a/apps/cms/src/plugins/moderation/server/src/index.ts b/apps/cms/src/plugins/moderation/server/src/index.ts
new file mode 100644
index 0000000..7bc69f2
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/src/index.ts
@@ -0,0 +1,15 @@
+import controllers from "./controllers";
+import routes from "./routes";
+import services from "./services";
+
+export default {
+  register() {
+    strapi.log.info("[moderation] plugin registered");
+  },
+
+  bootstrap() {},
+
+  controllers,
+  services,
+  routes,
+};
diff --git a/apps/cms/src/plugins/moderation/server/routes/index.js b/apps/cms/src/plugins/moderation/server/src/routes/index.ts
similarity index 58%
rename from apps/cms/src/plugins/moderation/server/routes/index.js
rename to apps/cms/src/plugins/moderation/server/src/routes/index.ts
index 855dbc3..2f99c16 100644
--- a/apps/cms/src/plugins/moderation/server/routes/index.js
+++ b/apps/cms/src/plugins/moderation/server/src/routes/index.ts
@@ -1,16 +1,16 @@
-const pluginSubmission = require("./plugin-submission");
-const templateSubmission = require("./template-submission");
+import pluginSubmission from "./plugin-submission";
+import templateSubmission from "./template-submission";
 
-module.exports = {
+export default {
   "content-api": {
-    type: "content-api",
+    type: "content-api" as const,
     routes: [
       ...pluginSubmission["content-api"].routes,
       ...templateSubmission["content-api"].routes,
     ],
   },
   admin: {
-    type: "admin",
+    type: "admin" as const,
     routes: [
       ...pluginSubmission.admin.routes,
       ...templateSubmission.admin.routes,
diff --git a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js b/apps/cms/src/plugins/moderation/server/src/routes/plugin-submission.ts
similarity index 98%
rename from apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
rename to apps/cms/src/plugins/moderation/server/src/routes/plugin-submission.ts
index 7c363dc..27c408e 100644
--- a/apps/cms/src/plugins/moderation/server/routes/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/src/routes/plugin-submission.ts
@@ -1,4 +1,4 @@
-module.exports = {
+export default {
   "content-api": {
     type: "content-api",
     routes: [
diff --git a/apps/cms/src/plugins/moderation/server/routes/template-submission.js b/apps/cms/src/plugins/moderation/server/src/routes/template-submission.ts
similarity index 98%
rename from apps/cms/src/plugins/moderation/server/routes/template-submission.js
rename to apps/cms/src/plugins/moderation/server/src/routes/template-submission.ts
index ccfbb69..eab45a1 100644
--- a/apps/cms/src/plugins/moderation/server/routes/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/src/routes/template-submission.ts
@@ -1,4 +1,4 @@
-module.exports = {
+export default {
   "content-api": {
     type: "content-api",
     routes: [
diff --git a/apps/cms/src/plugins/moderation/server/services/automated-checks.js b/apps/cms/src/plugins/moderation/server/src/services/automated-checks.ts
similarity index 97%
rename from apps/cms/src/plugins/moderation/server/services/automated-checks.js
rename to apps/cms/src/plugins/moderation/server/src/services/automated-checks.ts
index c71f201..ca5d825 100644
--- a/apps/cms/src/plugins/moderation/server/services/automated-checks.js
+++ b/apps/cms/src/plugins/moderation/server/src/services/automated-checks.ts
@@ -68,7 +68,9 @@ function parseRepoInfo(gitRepository) {
 // ---------------------------------------------------------------------------
 
 function githubHeaders() {
-  const headers = { Accept: "application/vnd.github+json" };
+  const headers: Record<string, string> = {
+    Accept: "application/vnd.github+json",
+  };
   if (process.env.GITHUB_TOKEN) {
     headers.Authorization = `Bearer ${process.env.GITHUB_TOKEN}`;
   }
@@ -84,7 +86,7 @@ async function githubFetch(path) {
 // ---------------------------------------------------------------------------
 
 function gitlabHeaders() {
-  const headers = { Accept: "application/json" };
+  const headers: Record<string, string> = { Accept: "application/json" };
   if (process.env.GITLAB_TOKEN) {
     // GitLab supports both header styles; PRIVATE-TOKEN is more universally supported.
     headers["PRIVATE-TOKEN"] = process.env.GITLAB_TOKEN;
@@ -141,7 +143,7 @@ async function checkRepoPublic(gitRepository) {
       if (!res.ok) {
         return { passed: null, message: `GitHub API returned ${res.status}.` };
       }
-      const data = await res.json();
+      const data = (await res.json()) as { private: boolean };
       const isPublic = !data.private;
       return {
         passed: isPublic,
@@ -164,7 +166,7 @@ async function checkRepoPublic(gitRepository) {
       if (!res.ok) {
         return { passed: null, message: `GitLab API returned ${res.status}.` };
       }
-      const data = await res.json();
+      const data = (await res.json()) as { visibility: string };
       const isPublic = data.visibility === "public";
       return {
         passed: isPublic,
@@ -271,7 +273,7 @@ function extractNpmNameFromLocation(packageLocation) {
   if (!packageLocation) return null;
   let href = packageLocation.toString().trim();
   if (!/^https?:\/\//i.test(href)) href = `https://${href}`;
-  let url;
+  let url: URL;
   try {
     url = new URL(href);
   } catch {
@@ -408,4 +410,4 @@ async function runAutomatedChecks({ repository_url, package_location }) {
   };
 }
 
-module.exports = { runAutomatedChecks };
+export { runAutomatedChecks };
diff --git a/apps/cms/src/plugins/moderation/server/services/get-package-security-info.js b/apps/cms/src/plugins/moderation/server/src/services/get-package-security-info.ts
similarity index 80%
rename from apps/cms/src/plugins/moderation/server/services/get-package-security-info.js
rename to apps/cms/src/plugins/moderation/server/src/services/get-package-security-info.ts
index e076565..4df08e2 100644
--- a/apps/cms/src/plugins/moderation/server/services/get-package-security-info.js
+++ b/apps/cms/src/plugins/moderation/server/src/services/get-package-security-info.ts
@@ -13,21 +13,11 @@
  *    downstream scan branches fall back to repo-only analysis.
  */
 
-const {
-  extractNpmPackageName,
-} = require("../../../package-info/server/services/registries/npm");
-const {
-  extractPypiPackageName,
-} = require("../../../package-info/server/services/registries/pypi");
-const {
-  extractRubyGemsPackageName,
-} = require("../../../package-info/server/services/registries/rubygems");
-const {
-  extractPackagistPackageName,
-} = require("../../../package-info/server/services/registries/packagist");
-const {
-  extractNugetPackageName,
-} = require("../../../package-info/server/services/registries/nuget");
+import { extractNpmPackageName } from "../../../../package-info/server/src/services/registries/npm";
+import { extractNugetPackageName } from "../../../../package-info/server/src/services/registries/nuget";
+import { extractPackagistPackageName } from "../../../../package-info/server/src/services/registries/packagist";
+import { extractPypiPackageName } from "../../../../package-info/server/src/services/registries/pypi";
+import { extractRubyGemsPackageName } from "../../../../package-info/server/src/services/registries/rubygems";
 
 const INSTALL_SCRIPT_KEYS = ["preinstall", "install", "postinstall"];
 
@@ -85,7 +75,7 @@ function detectRegistry(packageLocation) {
   }
 }
 
-async function fetchNpmSecurity(packageName) {
+async function fetchNpmSecurity(packageName: string) {
   const res = await fetch(
     `https://registry.npmjs.org/${encodeURIComponent(packageName)}`,
     { headers: { Accept: "application/json" } },
@@ -93,7 +83,11 @@ async function fetchNpmSecurity(packageName) {
   if (!res.ok) {
     return { available: false, reason: `npm registry returned ${res.status}` };
   }
-  const data = await res.json();
+  const data = (await res.json()) as Record<string, unknown> & {
+    "dist-tags"?: { latest?: string };
+    versions?: Record<string, Record<string, unknown>>;
+    readme?: string;
+  };
   const latestVersion = data["dist-tags"]?.latest;
   const versionMeta = data.versions?.[latestVersion];
   if (!versionMeta) {
@@ -101,15 +95,17 @@ async function fetchNpmSecurity(packageName) {
   }
 
   const scripts = versionMeta.scripts || {};
-  const installScripts = {};
+  const installScripts: Record<string, string> = {};
   for (const key of INSTALL_SCRIPT_KEYS) {
     if (scripts[key]) installScripts[key] = scripts[key];
   }
 
+  const repository = versionMeta.repository as
+    | string
+    | { url?: string }
+    | undefined;
   const declaredRepository =
-    typeof versionMeta.repository === "string"
-      ? versionMeta.repository
-      : versionMeta.repository?.url || null;
+    typeof repository === "string" ? repository : repository?.url || null;
 
   const readme =
     (typeof data.readme === "string" && data.readme) ||
@@ -164,4 +160,4 @@ async function getPackageSecurityInfo(packageLocation) {
   }
 }
 
-module.exports = { getPackageSecurityInfo, detectRegistry };
+export { detectRegistry, getPackageSecurityInfo };
diff --git a/apps/cms/src/plugins/moderation/server/src/services/index.ts b/apps/cms/src/plugins/moderation/server/src/services/index.ts
new file mode 100644
index 0000000..e0665d0
--- /dev/null
+++ b/apps/cms/src/plugins/moderation/server/src/services/index.ts
@@ -0,0 +1,7 @@
+import pluginSubmission from "./plugin-submission";
+import templateSubmission from "./template-submission";
+
+export default {
+  "plugin-submission": pluginSubmission,
+  "template-submission": templateSubmission,
+};
diff --git a/apps/cms/src/plugins/moderation/server/services/n8n-webhook.js b/apps/cms/src/plugins/moderation/server/src/services/n8n-webhook.ts
similarity index 91%
rename from apps/cms/src/plugins/moderation/server/services/n8n-webhook.js
rename to apps/cms/src/plugins/moderation/server/src/services/n8n-webhook.ts
index 2a3460f..87c5383 100644
--- a/apps/cms/src/plugins/moderation/server/services/n8n-webhook.js
+++ b/apps/cms/src/plugins/moderation/server/src/services/n8n-webhook.ts
@@ -17,7 +17,7 @@
  * Keep paths aligned with the `path` parameter on each workflow's Webhook node
  * under apps/automation/workflows/{slug}/workflow.json.
  */
-const WEBHOOK_PATHS = {
+const WEBHOOK_PATHS: Record<string, string> = {
   "security-scan": "strapi/security-scan",
   "plugin-submission-received": "strapi/plugin-submission-received",
   "plugin-approved": "strapi/plugin-approved",
@@ -28,7 +28,7 @@ const WEBHOOK_PATHS = {
   "template-declined": "strapi/template-declined",
 };
 
-function getWebhookUrl(key) {
+function getWebhookUrl(key: string) {
   const base = process.env.N8N_WEBHOOK_BASE_URL;
   const mode = (process.env.N8N_WEBHOOK_MODE || "production").toLowerCase();
   const path = WEBHOOK_PATHS[key];
@@ -57,8 +57,12 @@ function getWebhookUrl(key) {
  * POST a payload to the named n8n webhook. Returns `{ ok, url, error? }` —
  * never throws, so callers control failure behaviour.
  */
-async function triggerN8nWebhook(key, payload, { strapi } = {}) {
-  let url;
+async function triggerN8nWebhook(
+  key,
+  payload,
+  { strapi }: { strapi?: { log?: { warn?: (msg: string) => void } } } = {},
+) {
+  let url: string;
   try {
     url = getWebhookUrl(key);
   } catch (err) {
@@ -92,4 +96,4 @@ async function triggerN8nWebhook(key, payload, { strapi } = {}) {
   }
 }
 
-module.exports = { triggerN8nWebhook, getWebhookUrl, WEBHOOK_PATHS };
+export { getWebhookUrl, triggerN8nWebhook, WEBHOOK_PATHS };
diff --git a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js b/apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts
similarity index 96%
rename from apps/cms/src/plugins/moderation/server/services/plugin-submission.js
rename to apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts
index 452cab9..3f82fe5 100644
--- a/apps/cms/src/plugins/moderation/server/services/plugin-submission.js
+++ b/apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts
@@ -7,9 +7,9 @@
  * See docs/adr/0001-moderation-fields-on-package-not-intermediary.md.
  */
 
-const { runAutomatedChecks } = require("./automated-checks");
-const { getPackageSecurityInfo } = require("./get-package-security-info");
-const { triggerN8nWebhook } = require("./n8n-webhook");
+import { runAutomatedChecks } from "./automated-checks";
+import { getPackageSecurityInfo } from "./get-package-security-info";
+import { triggerN8nWebhook } from "./n8n-webhook";
 
 const CONTENT_TYPE = "api::package.package";
 
@@ -81,7 +81,7 @@ function buildLifecyclePayload(pkg, extras = {}) {
 
 const VALID_SCAN_STAGES = ["dependencies", "ai_analysis", "summary"];
 
-module.exports = ({ strapi }) => ({
+export default ({ strapi }) => ({
   /**
    * Create a draft Package from a public submission.
    * Owner and maintainers are resolved to Better Auth users (blocking).
@@ -218,7 +218,7 @@ module.exports = ({ strapi }) => ({
       );
     }
 
-    const data = {};
+    const data: Record<string, unknown> = {};
     if (stage === "dependencies")
       data.security_scan_dependencies = result ?? null;
     if (stage === "ai_analysis")
@@ -333,7 +333,15 @@ module.exports = ({ strapi }) => ({
     return updated;
   },
 
-  async listSubmissions({ status, page = 1, pageSize = 25 } = {}) {
+  async listSubmissions({
+    status,
+    page = 1,
+    pageSize = 25,
+  }: {
+    status?: string;
+    page?: number;
+    pageSize?: number;
+  } = {}) {
     const baseFilter = {
       overall_status: status
         ? { $eq: status }
diff --git a/apps/cms/src/plugins/moderation/server/services/template-submission.js b/apps/cms/src/plugins/moderation/server/src/services/template-submission.ts
similarity index 96%
rename from apps/cms/src/plugins/moderation/server/services/template-submission.js
rename to apps/cms/src/plugins/moderation/server/src/services/template-submission.ts
index b16bf26..e4eaec8 100644
--- a/apps/cms/src/plugins/moderation/server/services/template-submission.js
+++ b/apps/cms/src/plugins/moderation/server/src/services/template-submission.ts
@@ -6,7 +6,7 @@
  * Approval = publish the draft. No data copy needed.
  */
 
-const { triggerN8nWebhook } = require("./n8n-webhook");
+import { triggerN8nWebhook } from "./n8n-webhook";
 
 const CONTENT_TYPE = "api::template.template";
 
@@ -59,7 +59,7 @@ function buildLifecyclePayload(template, extras = {}) {
   };
 }
 
-module.exports = ({ strapi }) => ({
+export default ({ strapi }) => ({
   /**
    * Create a draft Template from a public submission.
    * Owner is resolved to a Better Auth user (blocking).
@@ -199,7 +199,15 @@ module.exports = ({ strapi }) => ({
   /**
    * List template submissions with optional status filter and pagination.
    */
-  async listSubmissions({ status, page = 1, pageSize = 25 } = {}) {
+  async listSubmissions({
+    status,
+    page = 1,
+    pageSize = 25,
+  }: {
+    status?: string;
+    page?: number;
+    pageSize?: number;
+  } = {}) {
     const baseFilter = {
       overall_status: status
         ? { $eq: status }
diff --git a/apps/cms/src/plugins/moderation/strapi-server.js b/apps/cms/src/plugins/moderation/strapi-server.js
deleted file mode 100644
index 6cf8f5d..0000000
--- a/apps/cms/src/plugins/moderation/strapi-server.js
+++ /dev/null
@@ -1,21 +0,0 @@
-const server = require("./server");
-
-/**
- * Moderation plugin for the Strapi Marketplace.
- *
- * Architecture: submissions create draft Package / Template records directly.
- * This plugin owns no content types — it provides the admin UI, routes,
- * controllers, and services that operate on api::package.package and
- * api::template.template. See docs/adr/0001-moderation-fields-on-package-not-intermediary.md.
- */
-module.exports = {
-  register() {
-    strapi.log.info("[moderation] plugin registered");
-  },
-
-  bootstrap() {},
-
-  controllers: server.controllers,
-  services: server.services,
-  routes: server.routes,
-};

From c8618df2c0b59c51b97c029bf0ec5e479d6b5624 Mon Sep 17 00:00:00 2001
From: alex-strapi <alex.bennett@strapi.io>
Date: Tue, 19 May 2026 12:38:26 +0100
Subject: [PATCH 26/26] fix(cms/moderation): create BA users via
 auth.api.signUpEmail, not Document Service

---
 .../server/src/services/plugin-submission.ts  | 20 ++++++++++++++-----
 .../src/services/template-submission.ts       | 20 ++++++++++++++-----
 2 files changed, 30 insertions(+), 10 deletions(-)

diff --git a/apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts b/apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts
index 3f82fe5..c7deb7f 100644
--- a/apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts
+++ b/apps/cms/src/plugins/moderation/server/src/services/plugin-submission.ts
@@ -7,6 +7,7 @@
  * See docs/adr/0001-moderation-fields-on-package-not-intermediary.md.
  */
 
+import { auth } from "../../../../../lib/auth";
 import { runAutomatedChecks } from "./automated-checks";
 import { getPackageSecurityInfo } from "./get-package-security-info";
 import { triggerN8nWebhook } from "./n8n-webhook";
@@ -14,7 +15,10 @@ import { triggerN8nWebhook } from "./n8n-webhook";
 const CONTENT_TYPE = "api::package.package";
 
 /**
- * Find a Better Auth user by email, or create a minimal record.
+ * Find a Better Auth user by email, or create one via the BA API.
+ * Creating through auth.api.signUpEmail ensures the related account record
+ * and any BA lifecycle hooks run correctly. Document Service is used for
+ * lookups only — never for creating BA users.
  * Blocking — caller must await this before creating the Package.
  */
 async function findOrCreateUser(strapi, { email, name }) {
@@ -25,11 +29,17 @@ async function findOrCreateUser(strapi, { email, name }) {
 
   if (existing?.length > 0) return existing[0].documentId;
 
-  const created = await strapi
-    .documents("plugin::better-auth.user")
-    .create({ data: { email, name } });
+  // Create via BA API so the account record and lifecycle hooks are handled correctly.
+  await auth.api.signUpEmail({
+    body: { email, name, password: crypto.randomUUID() },
+  });
+
+  const created = await strapi.documents("plugin::better-auth.user").findMany({
+    filters: { email: { $eq: email } },
+    pagination: { pageSize: 1 },
+  });
 
-  return created.documentId;
+  return created[0]?.documentId ?? null;
 }
 
 /**
diff --git a/apps/cms/src/plugins/moderation/server/src/services/template-submission.ts b/apps/cms/src/plugins/moderation/server/src/services/template-submission.ts
index e4eaec8..7a3a051 100644
--- a/apps/cms/src/plugins/moderation/server/src/services/template-submission.ts
+++ b/apps/cms/src/plugins/moderation/server/src/services/template-submission.ts
@@ -6,12 +6,16 @@
  * Approval = publish the draft. No data copy needed.
  */
 
+import { auth } from "../../../../../lib/auth";
 import { triggerN8nWebhook } from "./n8n-webhook";
 
 const CONTENT_TYPE = "api::template.template";
 
 /**
- * Find a Better Auth user by email, or create a minimal record.
+ * Find a Better Auth user by email, or create one via the BA API.
+ * Creating through auth.api.signUpEmail ensures the related account record
+ * and any BA lifecycle hooks run correctly. Document Service is used for
+ * lookups only — never for creating BA users.
  * Blocking — caller must await this before creating the Template.
  */
 async function findOrCreateUser(strapi, { email, name }) {
@@ -22,11 +26,17 @@ async function findOrCreateUser(strapi, { email, name }) {
 
   if (existing?.length > 0) return existing[0].documentId;
 
-  const created = await strapi
-    .documents("plugin::better-auth.user")
-    .create({ data: { email, name } });
+  // Create via BA API so the account record and lifecycle hooks are handled correctly.
+  await auth.api.signUpEmail({
+    body: { email, name, password: crypto.randomUUID() },
+  });
+
+  const created = await strapi.documents("plugin::better-auth.user").findMany({
+    filters: { email: { $eq: email } },
+    pagination: { pageSize: 1 },
+  });
 
-  return created.documentId;
+  return created[0]?.documentId ?? null;
 }
 
 /**