Feat/v5 support (#102)

* feat: Strapi v5 Support with Dashboard Widget & Mobile-Optimized UI

## Features
- ✅ Strapi v5.3.2 compatibility with @strapi/sdk-plugin
- ✅ Dashboard widget showing real-time Socket.IO statistics
- ✅ Mobile-optimized Monitoring & Settings pages with responsive design
- ✅ Enhanced input fields (48px height, 16px font on mobile)
- ✅ Fixed GitHub Issues #95 (images collection) and #82 (CollectionTypes with relations)
- ✅ Entity Service API instead of deprecated db.query()
- ✅ Multi-language support (EN, DE, ES, FR, PT)

## UI/UX Improvements
- Modern styled-components for responsive layouts
- Touch-friendly inputs with proper sizing
- Hidden number spinners on mobile for better UX
- Gradient stat cards with hover effects
- Auto-refresh every 60 seconds to reduce database load

## Technical Changes
- Uses Entity Service API for proper relation handling
- Transform service for media and relation fields
- Proper sanitization and permission checks
- Redis adapter support for multi-server scaling
- Namespace support for isolated Socket.IO endpoints
- Role-based permissions with content-type granularity

* fix: Security & Transaction Fixes for Strapi v5

🔒 Security:
- Add sanitize-sensitive-fields middleware
- Filters password, tokens, secrets from Socket.IO events
- Recursive deep sanitization for nested objects

🔧 Transaction Fixes:
- Use transactionCtx.onCommit for lifecycle hooks
- Prevent 'Transaction query already complete' errors
- afterDelete uses raw() to avoid sanitization queries
- Disable bulkDeleteMany hooks (Strapi v5 transaction limitations)

✅ Event Matrix:
- Create (single/bulk): Full events with sanitization
- Update (single/bulk): Full events with sanitization
- Delete (single): ID-only events via raw()
- Delete (bulk): Disabled due to transaction conflicts

* fix: Remove eval() from transaction context loading

- Replace eval('require') with lazy-loaded require()
- Cleaner transaction context initialization
- No more build warnings
- Maintains same functionality for post-commit hooks

* refactor: apply Strapi v5 best practices

- Remove emoji from service welcome message
- Convert React default imports to named imports (3 files)
- Document legitimate Query Engine usage for admin::api-token
  * admin::api-token is Core Admin Entity
  * Follows official Strapi Core implementation
  * Source: strapi/strapi/packages/core/admin/server/strategies/api-token.js
- Build clean without warnings

Note: Using strapi.db.query() for admin::api-token is correct
per Strapi Core implementation

* chore: migrate to @strapi-community/plugin-io v5.0.0

- Rename package from strapi-plugin-io to @strapi-community/plugin-io
- Update version from 3.0.0 to 5.0.0 (matching Strapi v5)
- Modernize README with better structure and examples
- Update all documentation references to new package name
- Update repository URLs to strapi-community organization
- Update TypeScript import paths
- Remove internal DOCUMENTATION_UPDATE.md file
- Update migration guide with v5 versioning
- Enhance Getting Started guide
- Build and verify successful for v5.0.0

* fix: remove spinner buttons from number inputs in settings

- Hide increment/decrement buttons for cleaner UI
- Removed browser native spinners and Strapi NumberInput spinners
- Simplified CSS for number inputs
- Better mobile and desktop experience

* feat: improve dark mode support for monitoring page

- Replace hardcoded colors with Strapi theme system
- Use theme.colors.neutral0, neutral100, neutral150 etc.
- Proper background colors for cards and items
- Dark mode compatible shadows
- Better contrast in both light and dark modes
- Keep gradient header with white text for visual impact

* fix: add dark mode support for event type filter select

- Created StyledSelect component with theme-aware colors
- Removed hardcoded white background and border colors
- Added proper hover and focus states
- Dark mode compatible dropdown options

* docs: add comprehensive CHANGELOG.md

- Document v5.0.0 release with all breaking changes
- Include migration path from v2 to v5
- List all new features and improvements
- Document UI/UX improvements
- Add version support matrix
- Include deprecation notices
- Add upcoming features roadmap

* docs: comprehensive README documentation update

- Fix broken documentation links to non-existent files
- Remove invalid 'populate' option from contentTypes config examples
- Document all 12 helper functions with examples
- Add complete Monitoring Service documentation
- Add Entity Subscription helpers documentation
- Clarify admin panel structure and widget requirements (Strapi v5.13+)
- Update types.d.ts with entity subscription interfaces
- Update api-reference.json with new methods
- Update docs/api/io-class.md with entity subscription section
- Fix version references (3.x -> 5.x)

* ci: fix npm publish workflow

- Remove npm ci (not needed, dist is pre-built)
- Update actions to v4
- Use Node 20
- Add --access public for scoped package
- Include dist/ in repository for direct publish

* feat: add populate option for content type events

- Add populate configuration to content type schema (Zod)
- Implement refetch logic in lifecycle hooks for create/update events
- Support multiple populate formats: '*', true, string[], object
- Add TypeScript types for PopulateConfig
- Document populate option in README with examples
- Update npm-publish workflow to build before publish

Populate allows including relations in emitted Socket.IO events.
When configured, the plugin refetches entities with populated
relations after create/update operations before emitting.

* security: add sensitive fields protection for all emitted data

- Add recursive removal of sensitive fields (password, token, apiKey, etc.)
- Support custom sensitiveFields in plugin config
- Apply sanitization to both emit() and raw() methods
- Update TypeScript types and documentation

Default blocked fields: password, resetPasswordToken, confirmationToken,
refreshToken, accessToken, secret, apiKey, privateKey, token, salt, hash

* ci: improve npm publish workflow with best practices

- Add build job for PR/push validation
- Add npm cache for faster CI
- Verify plugin structure before publish
- Check version matches release tag
- Support npm tags: latest, beta, alpha, next
- Add post-publish verification
- Upload build artifacts between jobs

* fix: correct peerDependencies and remove legacy-peer-deps workaround

- Remove @strapi/sdk-plugin from peerDependencies (build-only dep)
- Use flexible version ranges for peerDependencies
- Mark design-system and icons as optional peers
- Remove --legacy-peer-deps from CI workflow

* chore: update devDependencies to latest compatible versions

- @strapi/strapi: 5.3.2 -> 5.33.0
- @strapi/design-system: 2.0.0-rc.30 -> 2.0.2
- @strapi/icons: 2.0.0-rc.30 -> 2.0.2
- prettier: 3.6.2 -> 3.7.4
- eslint: 8.57.0 -> 8.57.1
- eslint-config-prettier: 9.1.0 -> 9.1.2

Note: React 18, react-router-dom 6, zod 3 kept for Strapi v5 compatibility

Author: Schero94

.github/workflows/npm-publish.yml

@@ -1,28 +1,162 @@
-# This workflow will publish a package to NPM when a release is created
+# Strapi Plugin CI/CD Pipeline
+# Best Practices workflow for building, testing, and publishing Strapi v5 plugins
 
-name: Publish to NPM
+name: CI/CD
 
 on:
+  push:
+    branches: [main, feat/v5-support]
+  pull_request:
+    branches: [main]
   release:
     types: [published]
 
+env:
+  NODE_VERSION: '20.x'
+
 jobs:
-  publish-npm:
+  # ============================================
+  # Build & Verify Job
+  # Runs on every push and PR to validate the plugin
+  # ============================================
+  build:
+    name: Build & Verify
     runs-on: ubuntu-latest
+    
     steps:
-      - name: Checkout branch
-        uses: actions/checkout@v2
+      - name: Checkout repository
+        uses: actions/checkout@v4
 
-      - name: Install Node v18
-        uses: actions/setup-node@v2
+      - name: Setup Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v4
         with:
-          node-version: '18.x'
-          registry-url: 'https://registry.npmjs.org'
+          node-version: ${{ env.NODE_VERSION }}
+          cache: 'npm'
 
-      - name: Clean install deps
+      - name: Install dependencies
         run: npm ci
 
+      - name: Build plugin
+        run: npm run build
+
+      - name: Verify plugin structure
+        run: npm run verify
+
+      - name: Check package.json exports
+        run: |
+          echo "[INFO] Checking package exports..."
+          node -e "
+            const pkg = require('./package.json');
+            const required = ['./strapi-admin', './strapi-server'];
+            for (const exp of required) {
+              if (!pkg.exports[exp]) {
+                console.error('[ERROR] Missing export:', exp);
+                process.exit(1);
+              }
+            }
+            console.log('[SUCCESS] All required exports present');
+          "
+
+      - name: Upload build artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+          retention-days: 7
+
+  # ============================================
+  # Publish to NPM Job
+  # Only runs when a GitHub Release is published
+  # ============================================
+  publish:
+    name: Publish to NPM
+    runs-on: ubuntu-latest
+    needs: build
+    if: github.event_name == 'release'
+    
+    permissions:
+      contents: read
+      id-token: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ env.NODE_VERSION }}
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Verify version matches release tag
+        run: |
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          RELEASE_TAG="${{ github.event.release.tag_name }}"
+          # Remove 'v' prefix if present
+          RELEASE_VERSION="${RELEASE_TAG#v}"
+          
+          echo "[INFO] Package version: $PKG_VERSION"
+          echo "[INFO] Release tag: $RELEASE_TAG (version: $RELEASE_VERSION)"
+          
+          if [ "$PKG_VERSION" != "$RELEASE_VERSION" ]; then
+            echo "[ERROR] Version mismatch! Package: $PKG_VERSION, Release: $RELEASE_VERSION"
+            echo "[INFO] Please update package.json version to match the release tag."
+            exit 1
+          fi
+          
+          echo "[SUCCESS] Version match confirmed"
+
+      - name: Determine npm tag
+        id: npm-tag
+        run: |
+          RELEASE_TAG="${{ github.event.release.tag_name }}"
+          
+          # Determine npm dist-tag based on release type
+          if [[ "$RELEASE_TAG" == *"-beta"* ]]; then
+            echo "tag=beta" >> $GITHUB_OUTPUT
+          elif [[ "$RELEASE_TAG" == *"-alpha"* ]]; then
+            echo "tag=alpha" >> $GITHUB_OUTPUT
+          elif [[ "$RELEASE_TAG" == *"-rc"* ]]; then
+            echo "tag=next" >> $GITHUB_OUTPUT
+          else
+            echo "tag=latest" >> $GITHUB_OUTPUT
+          fi
+          
+          echo "[INFO] NPM tag: $(cat $GITHUB_OUTPUT | grep tag | cut -d= -f2)"
+
       - name: Publish to NPM
-        run: npm publish
+        run: |
+          echo "[INFO] Publishing with tag: ${{ steps.npm-tag.outputs.tag }}"
+          npm publish --access public --tag ${{ steps.npm-tag.outputs.tag }}
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Post-publish verification
+        run: |
+          PKG_NAME=$(node -p "require('./package.json').name")
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          
+          echo "[INFO] Waiting for NPM registry to update..."
+          sleep 10
+          
+          echo "[INFO] Verifying package on NPM..."
+          npm view "$PKG_NAME@$PKG_VERSION" version || echo "[WARNING] Package may take a few minutes to appear on NPM"
+          
+          echo ""
+          echo "============================================"
+          echo "[SUCCESS] Published $PKG_NAME@$PKG_VERSION"
+          echo "============================================"
+          echo ""
+          echo "Install with:"
+          echo "  npm install $PKG_NAME@$PKG_VERSION"
+          echo ""
+          echo "View on NPM:"
+          echo "  https://www.npmjs.com/package/$PKG_NAME"
+          echo ""

README.md

@@ -165,15 +165,24 @@ module.exports = {
   io: {
     enabled: true,
     config: {
-      // Content types with specific actions
+      // Content types with specific actions and populate
       contentTypes: [
         {
           uid: 'api::article.article',
-          actions: ['create', 'update']  // Only these events
+          actions: ['create', 'update'],  // Only these events
+          populate: '*'                    // Include all relations
         },
         {
           uid: 'api::comment.comment',
-          actions: ['create', 'delete']
+          actions: ['create', 'delete'],
+          populate: ['author', 'article']  // Only specific relations
+        },
+        {
+          uid: 'api::order.order',
+          populate: {                      // Strapi populate syntax
+            customer: { fields: ['name', 'email'] },
+            items: { populate: ['product'] }
+          }
         }
       ],
 
@@ -217,7 +226,105 @@ module.exports = {
 };
 ```
 
-> **Note**: Relations are included globally via the admin panel settings (`Settings > Socket.IO > Events > Include Relations`), not per content type in the config file.
+### Populate Configuration
+
+Include relations in emitted events by adding the `populate` option to content types. When configured, the plugin refetches entities with populated relations after create/update operations.
+
+#### Populate Formats
+
+| Format | Example | Description |
+|--------|---------|-------------|
+| `'*'` or `true` | `populate: '*'` | Include all relations (1 level deep) |
+| String array | `populate: ['author', 'category']` | Only specific relations |
+| Object | `populate: { author: { fields: ['name'] } }` | Full Strapi populate syntax |
+
+#### Examples
+
+```javascript
+contentTypes: [
+  // All relations with wildcard
+  { uid: 'api::article.article', populate: '*' },
+  
+  // Specific relations only
+  { 
+    uid: 'api::comment.comment', 
+    populate: ['author', 'post'] 
+  },
+  
+  // Strapi populate syntax with field selection
+  { 
+    uid: 'api::order.order', 
+    populate: { 
+      customer: { fields: ['username', 'email'] },
+      items: { 
+        populate: { product: { fields: ['name', 'price'] } }
+      }
+    } 
+  },
+  
+  // No populate (only base fields)
+  { uid: 'api::log.log' }  // populate not set = no relations
+]
+```
+
+> **Note**: The `populate` option only affects `create` and `update` events. Delete events always contain minimal data (id, documentId) since the entity no longer exists.
+
+### Sensitive Fields Protection
+
+The plugin automatically removes sensitive fields from all emitted data for security. This works in addition to Strapi's built-in `private: true` field filtering.
+
+#### Default Blocked Fields
+
+The following fields are **always removed** from emitted data:
+
+- `password`, `salt`, `hash`
+- `resetPasswordToken`, `confirmationToken`
+- `refreshToken`, `accessToken`, `token`
+- `secret`, `apiKey`, `api_key`
+- `privateKey`, `private_key`
+
+#### Custom Sensitive Fields
+
+Add your own sensitive fields to the block list:
+
+```javascript
+// config/plugins.js
+module.exports = {
+  io: {
+    enabled: true,
+    config: {
+      contentTypes: ['api::user.user'],
+      
+      // Additional fields to never emit
+      sensitiveFields: [
+        'creditCard',
+        'ssn',
+        'socialSecurityNumber',
+        'bankAccount',
+        'internalNotes'
+      ]
+    }
+  }
+};
+```
+
+#### How It Works
+
+1. **Schema-level filtering**: Strapi's `sanitize.contentAPI` removes `private: true` fields
+2. **Blocklist filtering**: Plugin removes all sensitive field names recursively
+3. **Applies to all emits**: Both `emit()` and `raw()` methods are protected
+
+```javascript
+// Even with populate, sensitive fields are stripped
+contentTypes: [
+  {
+    uid: 'api::user.user',
+    populate: '*'  // Relations included, but passwords etc. still removed
+  }
+]
+```
+
+> **Security Note**: Fields are matched case-insensitively and also partial matches work (e.g., `apiKey` blocks `myApiKey`, `user_api_key`, etc.)
 
 ### Environment Variables