cleanup: remove orphaned addon settings page, fix JSON injection risk

- Fix potential JSON injection in HX-Trigger header by using json.Marshal
  instead of string concatenation for error messages
- Remove orphaned /addons/settings route, handler, and full-page template
  (superseded by unified Plugin Hub at /plugins)
- Update ToggleCampaignAddon fallback redirect to /plugins
- Remove dead hx-target/hx-swap on Plugin Hub toggle forms (handler always
  responds with HX-Redirect, making swap targets unused)
- Record ADR-029 for features page consolidation decision

https://claude.ai/code/session_01QJLkgjQDu5qohzJKGV4hj9

Author: claude

.ai/decisions.md

@@ -1019,3 +1019,34 @@ is skipped for trusted built-in plugins but enforced for user extensions via
   (calendar before sessions/timeline).
 - Removed migrate_preflight.go and bandaid lint tests from migrate_test.go.
 - Fresh DB only — no backward compatibility with the old 63-migration sequence.
+
+---
+
+## ADR-029: Features Page Consolidation (Plugin Hub + Addon Settings → Single Page)
+
+**Date:** 2026-03-10
+**Status:** Accepted
+
+**Context:** Campaign feature management was split across two pages:
+1. **Plugin Hub** (`/campaigns/:id/plugins`) — read-only card grid visible to all members.
+2. **Addon Settings** (`/campaigns/:id/addons/settings`) — owner-only toggle list.
+
+This created confusion: owners had two "features" pages with different layouts and
+capabilities. Non-owners could see features but couldn't tell which were enabled.
+
+**Decision:** Consolidate into a single Features page at `/campaigns/:id/plugins`.
+- All members see the card grid with enable/disable status.
+- Owners see inline toggle buttons on each card.
+- The old `/addons/settings` route, handler, and full-page template are removed.
+- The addons fragment route (`/addons/fragment`) remains for the Customization Hub.
+- Toggle forms include `redirect_to=plugins` so the handler redirects back to the
+  unified page after toggling.
+
+**Alternatives considered:**
+- Keep both pages with cross-links: still confusing, maintenance burden.
+- Merge into the Customization Hub: too buried, features deserve top-level access.
+
+**Consequences:**
+- Single source of truth for feature management.
+- Owners can manage features directly from the same page all members see.
+- Future enhancements (per-addon entity usage, "offline" banners) have one target page.

.ai/status.md

@@ -8,6 +8,19 @@
 <!-- ====================================================================== -->
 
 ## Last Updated
+2026-03-10 -- **Cleanup & consolidation pass after bug fixes.**
+
+7. **JSON injection fix**: HX-Trigger header in `CreateEntityType` error path used string concatenation to build JSON. Replaced with `json.Marshal()` to prevent malformed JSON from error messages containing special characters.
+
+8. **Orphaned addon settings page removed**: Deleted `/addons/settings` route, `CampaignAddonsPage` handler, and `CampaignAddonsPageTempl` template — all superseded by the unified Plugin Hub at `/plugins`. Fragment route (`/addons/fragment`) kept for Customization Hub.
+
+9. **Fallback redirect updated**: `ToggleCampaignAddon` non-HTMX fallback now redirects to `/plugins` instead of the removed `/addons/settings`.
+
+10. **Dead HTMX attributes cleaned**: Removed `hx-target`/`hx-swap` from Plugin Hub toggle forms since the handler always responds with `HX-Redirect` (the swap targets were never used).
+
+11. **ADR-029 recorded**: Features page consolidation decision documented in `.ai/decisions.md`.
+
+### Previous Update
 2026-03-10 -- **Bug fixes & UX improvements (navbar, features page, entity templates).**
 
 1. **Drag-and-drop CSRF fix**: `sidebar_tree.js` reorderEntity() was using raw `fetch()` without CSRF token, causing 403 on drag-drop reorder. Added `Chronicle.getCsrf()` header.

internal/plugins/addons/campaign_addons.templ

@@ -1,53 +1,13 @@
-// campaign_addons.templ renders the per-campaign features & content packs page.
-// Campaign owners use this to enable/disable features for their campaign.
+// campaign_addons.templ renders per-campaign addon list fragments.
+// The full features page is now handled by the campaigns plugin's Plugin Hub
+// at /campaigns/:id/plugins. This file provides fragments for the Customization Hub.
 
 package addons
 
 import (
 	"fmt"
-	"github.com/keyxmakerx/chronicle/internal/templates/layouts"
 )
 
-// CampaignAddonsPageTempl renders the full campaign addons settings page.
-templ CampaignAddonsPageTempl(campaignID string, addons []CampaignAddon, csrfToken string) {
-	@layouts.App("Features & Content Packs") {
-		<div class="max-w-3xl mx-auto space-y-6">
-			<div class="flex items-center justify-between">
-				<div>
-					<h1 class="text-2xl font-bold text-fg">Features & Content Packs</h1>
-					<p class="text-sm text-fg-secondary mt-1">
-						Enable or disable features and content packs for this campaign.
-					</p>
-				</div>
-				<a href={ templ.SafeURL(fmt.Sprintf("/campaigns/%s/edit", campaignID)) } class="btn-secondary text-sm">
-					Back to Settings
-				</a>
-			</div>
-
-			<div id="addons-list">
-				@CampaignAddonsListFragment(campaignID, addons, csrfToken)
-			</div>
-
-			// Info panel.
-			<div class="card p-6">
-				<div class="flex items-start gap-4">
-					<span class="w-10 h-10 rounded-lg bg-accent/10 flex items-center justify-center shrink-0">
-						<i class="fa-solid fa-circle-info text-accent"></i>
-					</span>
-					<div>
-						<h3 class="text-sm font-semibold text-fg mb-1">About Features & Content Packs</h3>
-						<p class="text-sm text-fg-secondary leading-relaxed">
-							Features add optional capabilities to your campaign like calendars, maps, and timelines.
-							Content packs provide pre-made entity types, tag sets, and reference data.
-							Toggle them on or off at any time — disabling does not delete your data.
-						</p>
-					</div>
-				</div>
-			</div>
-		</div>
-	}
-}
-
 // CampaignAddonsListFragment renders just the addon list (for HTMX swaps).
 templ CampaignAddonsListFragment(campaignID string, addons []CampaignAddon, csrfToken string) {
 	// Group by category.

internal/plugins/addons/handler.go

@@ -130,22 +130,6 @@ func (h *Handler) CampaignAddonsAPI(c echo.Context) error {
 	return c.JSON(http.StatusOK, addons)
 }
 
-// CampaignAddonsPage renders the campaign addons settings section (GET /campaigns/:id/addons/settings).
-func (h *Handler) CampaignAddonsPage(c echo.Context) error {
-	cc := campaigns.GetCampaignContext(c)
-	if cc == nil {
-		return apperror.NewForbidden("campaign context required")
-	}
-
-	addons, err := h.service.ListForCampaign(c.Request().Context(), cc.Campaign.ID)
-	if err != nil {
-		return err
-	}
-
-	csrfToken := middleware.GetCSRFToken(c)
-	return middleware.Render(c, http.StatusOK, CampaignAddonsPageTempl(cc.Campaign.ID, addons, csrfToken))
-}
-
 // CampaignAddonsFragment returns the addons list fragment for embedding in the
 // Customization Hub Extensions tab (GET /campaigns/:id/addons/fragment).
 func (h *Handler) CampaignAddonsFragment(c echo.Context) error {
@@ -210,5 +194,5 @@ func (h *Handler) ToggleCampaignAddon(c echo.Context) error {
 		return middleware.Render(c, http.StatusOK, CampaignAddonsListFragment(cc.Campaign.ID, addons, csrfToken))
 	}
 
-	return c.Redirect(http.StatusSeeOther, "/campaigns/"+cc.Campaign.ID+"/addons/settings")
+	return c.Redirect(http.StatusSeeOther, "/campaigns/"+cc.Campaign.ID+"/plugins")
 }

internal/plugins/addons/routes.go

@@ -24,9 +24,6 @@ func RegisterCampaignRoutes(e *echo.Echo, h *Handler, campaignSvc campaigns.Camp
 		campaigns.RequireCampaignAccess(campaignSvc),
 	)
 
-	// Addon settings page (campaign owner only).
-	cg.GET("/addons/settings", h.CampaignAddonsPage, campaigns.RequireRole(campaigns.RoleOwner))
-
 	// Addon list fragment for Customization Hub Extensions tab (HTMX).
 	cg.GET("/addons/fragment", h.CampaignAddonsFragment, campaigns.RequireRole(campaigns.RoleOwner))
 

internal/plugins/campaigns/settings.templ

@@ -516,8 +516,6 @@ templ pluginHubCard(cc *CampaignContext, addon PluginHubAddon, isOwner bool, csr
 				<form
 					method="POST"
 					hx-put={ fmt.Sprintf("/campaigns/%s/addons/%s/toggle", cc.Campaign.ID, strconv.Itoa(addon.AddonID)) }
-					hx-target="#plugin-hub-list"
-					hx-swap="innerHTML"
 					class="shrink-0"
 				>
 					<input type="hidden" name="csrf_token" value={ csrfToken }/>

internal/plugins/entities/handler.go

@@ -1527,7 +1527,12 @@ func (h *Handler) CreateEntityType(c echo.Context) error {
 		if middleware.IsHTMX(c) {
 			c.Response().Header().Set("HX-Retarget", "#entity-type-list")
 			c.Response().Header().Set("HX-Reswap", "innerHTML")
-			c.Response().Header().Set("HX-Trigger", `{"chronicle:notify":{"message":"`+errMsg+`","type":"error"}}`)
+			triggerData := map[string]any{
+				"chronicle:notify": map[string]string{"message": errMsg, "type": "error"},
+			}
+			if triggerJSON, err := json.Marshal(triggerData); err == nil {
+				c.Response().Header().Set("HX-Trigger", string(triggerJSON))
+			}
 			return middleware.Render(c, http.StatusOK,
 				EntityTypeListContent(cc, entityTypes, counts, csrfToken))
 		}