domma-cms 0.23.0 → 0.24.0

package/server/routes/api/collections.js

@@ -22,6 +22,20 @@
  * POST   /collections/:slug/public       - Create entry (if api.create enabled)
  * PUT    /collections/:slug/public/:id   - Update entry (if api.update enabled)
  * DELETE /collections/:slug/public/:id   - Delete entry (if api.delete enabled)
+ *
+ * External versioned alias (same handlers, stable URL for API consumers):
+ * GET    /v1/:slug          ≡ GET    /collections/:slug/public
+ * GET    /v1/:slug/:id      ≡ GET    /collections/:slug/public/:id
+ * POST   /v1/:slug          ≡ POST   /collections/:slug/public
+ * PUT    /v1/:slug/:id      ≡ PUT    /collections/:slug/public/:id
+ * DELETE /v1/:slug/:id      ≡ DELETE /collections/:slug/public/:id
+ *
+ * Access modes per verb (`schema.api.<verb>.access`): 'public', a role name
+ * (JWT + role level), or 'token' (project-scoped API token — see
+ * services/apiTokens.js). A token is ONLY accepted when the mode is 'token';
+ * it is never a substitute for a role, and a JWT is never accepted in token
+ * mode. `schema.api.read.fields` optionally whitelists which data fields the
+ * public/external read endpoints return.
  */
 import {
     clearEntries,
@@ -45,6 +59,8 @@ import {getConfig, saveConfig} from '../../config.js';
 import {PRESET_COLLECTION_SLUGS} from '../../services/presetCollections.js';
 import {ensureFormForCollection} from '../../services/forms.js';
 import {hooks} from '../../services/hooks.js';
+import {scopeAllows, validateToken} from '../../services/apiTokens.js';
+import {resolveArtefactProject} from '../../services/projects.js';
 
 const ALL_PRESET_SLUGS = new Set(['roles', 'user-profiles', ...PRESET_COLLECTION_SLUGS]);
 
@@ -82,6 +98,43 @@ function extractBracketed(query, prefix) {
     return out;
 }
 
+/**
+ * Redact the stored token hash from an api-tokens entry. The generic admin
+ * entry endpoints would otherwise expose it to anyone with collections.read.
+ * (SHA-256 of 32 random bytes is not reversible, but there is no reason to
+ * show it.) Token management belongs to /api/api-tokens.
+ *
+ * @param {object} entry
+ * @returns {object}
+ */
+function redactTokenHash(entry) {
+    if (!entry?.data || entry.data.tokenHash === undefined) return entry;
+    const { tokenHash, ...data } = entry.data;
+    return { ...entry, data };
+}
+
+/**
+ * Apply the read-field allowlist (`schema.api.read.fields`) to a public read
+ * payload. Absent or empty allowlist = all fields. Handles both list payloads
+ * ({entries: [...]}) and single entries. Only entry.data is filtered —
+ * `_refs` from resolveRefs is not (refs of stripped fields may still appear;
+ * documented v1 behaviour).
+ *
+ * @param {object} schema
+ * @param {object} payload - listEntries() result or a single entry
+ * @returns {object}
+ */
+function applyReadFieldAllowlist(schema, payload) {
+    const fields = schema.api?.read?.fields;
+    if (!Array.isArray(fields) || fields.length === 0) return payload;
+    const strip = (e) => ({
+        ...e,
+        data: Object.fromEntries(Object.entries(e.data || {}).filter(([k]) => fields.includes(k)))
+    });
+    if (Array.isArray(payload?.entries)) return { ...payload, entries: payload.entries.map(strip) };
+    return strip(payload);
+}
+
 /**
  * Check public collection API access.
  * Returns an error reply if access is denied, otherwise resolves (returns undefined).
@@ -100,6 +153,28 @@ async function checkPublicAccess(schema, operation, request, reply) {
 
     if (access.access === 'public') return; // No auth needed
 
+    // Token mode — project-scoped API token, strict: a token is the ONLY
+    // accepted credential here (a JWT never satisfies token mode, and a
+    // token never satisfies a role mode).
+    if (access.access === 'token') {
+        const match = (request.headers.authorization || '').match(/^Bearer (dcms_[a-f0-9]{64})$/);
+        if (!match) {
+            return reply.status(401).send({ error: 'API token required' });
+        }
+        const token = await validateToken(match[1]);
+        if (!token) {
+            return reply.status(401).send({ error: 'Invalid, disabled or expired API token' });
+        }
+        if (token.project !== resolveArtefactProject(schema)) {
+            return reply.status(403).send({ error: "Token is not valid for this collection's project" });
+        }
+        if (!scopeAllows(token.scopes, schema.slug, operation)) {
+            return reply.status(403).send({ error: 'Token scope does not permit this operation' });
+        }
+        request.apiToken = token;
+        return;
+    }
+
     // Auth required — try to verify JWT
     try {
         await request.jwtVerify();
@@ -240,7 +315,7 @@ export async function collectionsRoutes(fastify) {
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
         const { page, limit, sort, order, search } = request.query;
         const filter = extractBracketed(request.query, 'filter');
-        return listEntries(request.params.slug, {
+        const result = await listEntries(request.params.slug, {
             page:   parseInt(page, 10)  || 1,
             limit:  parseInt(limit, 10) || 50,
             sort:   sort   || 'createdAt',
@@ -248,12 +323,16 @@ export async function collectionsRoutes(fastify) {
             search: search || undefined,
             filter: Object.keys(filter).length ? filter : undefined
         });
+        if (request.params.slug === 'api-tokens') {
+            result.entries = result.entries.map(redactTokenHash);
+        }
+        return result;
     });
 
     fastify.get('/collections/:slug/entries/:id', canRead, async (request, reply) => {
         const entry = await getEntry(request.params.slug, request.params.id);
         if (!entry) return reply.status(404).send({ error: 'Entry not found' });
-        return entry;
+        return request.params.slug === 'api-tokens' ? redactTokenHash(entry) : entry;
     });
 
     fastify.post('/collections/:slug/entries', canCreate, async (request, reply) => {
@@ -415,7 +494,7 @@ export async function collectionsRoutes(fastify) {
      *                  `[collection scope="mine"]` shortcode for per-user
      *                  client-side hydration (e.g. "My Applications").
      */
-    fastify.get('/collections/:slug/public', async (request, reply) => {
+    async function publicListEntries(request, reply) {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
 
@@ -442,7 +521,7 @@ export async function collectionsRoutes(fastify) {
             if (denied !== undefined) return;
         }
 
-        return listEntries(request.params.slug, {
+        const result = await listEntries(request.params.slug, {
             page:   parseInt(page, 10)  || 1,
             limit:  parseInt(limit, 10) || 50,
             sort:   sort   || 'createdAt',
@@ -451,9 +530,10 @@ export async function collectionsRoutes(fastify) {
             filter: Object.keys(filter).length ? filter : undefined,
             resolveRefs: resolveRefs === 'true' || resolveRefs === '1'
         });
-    });
+        return applyReadFieldAllowlist(schema, result);
+    }
 
-    fastify.get('/collections/:slug/public/:id', async (request, reply) => {
+    async function publicGetEntry(request, reply) {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
 
@@ -462,8 +542,11 @@ export async function collectionsRoutes(fastify) {
 
         const entry = await getEntry(request.params.slug, request.params.id);
         if (!entry) return reply.status(404).send({ error: 'Entry not found' });
-        return entry;
-    });
+        return applyReadFieldAllowlist(schema, entry);
+    }
+
+    fastify.get('/collections/:slug/public', publicListEntries);
+    fastify.get('/collections/:slug/public/:id', publicGetEntry);
 
     /*
      * POST /api/collections/render-scope
@@ -567,7 +650,7 @@ export async function collectionsRoutes(fastify) {
         return { html };
     });
 
-    fastify.post('/collections/:slug/public', async (request, reply) => {
+    async function publicCreateEntry(request, reply) {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
 
@@ -575,18 +658,17 @@ export async function collectionsRoutes(fastify) {
         if (denied !== undefined) return;
 
         try {
-            const user  = request.user;
             const entry = await createEntry(request.params.slug, request.body?.data || {}, {
-                createdBy: user?.id || null,
+                createdBy: request.apiToken ? `token:${request.apiToken.id}` : (request.user?.id || null),
                 source:    'api'
             });
             return reply.status(201).send(entry);
         } catch (err) {
             return reply.status(400).send({ error: err.message });
         }
-    });
+    }
 
-    fastify.put('/collections/:slug/public/:id', async (request, reply) => {
+    async function publicUpdateEntry(request, reply) {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
 
@@ -599,9 +681,9 @@ export async function collectionsRoutes(fastify) {
             const status = err.message === 'Entry not found' ? 404 : 400;
             return reply.status(status).send({ error: err.message });
         }
-    });
+    }
 
-    fastify.delete('/collections/:slug/public/:id', async (request, reply) => {
+    async function publicDeleteEntry(request, reply) {
         const schema = await getCollection(request.params.slug);
         if (!schema) return reply.status(404).send({ error: 'Collection not found' });
 
@@ -614,5 +696,20 @@ export async function collectionsRoutes(fastify) {
         } catch (err) {
             return reply.status(404).send({ error: err.message });
         }
-    });
+    }
+
+    fastify.post('/collections/:slug/public', publicCreateEntry);
+    fastify.put('/collections/:slug/public/:id', publicUpdateEntry);
+    fastify.delete('/collections/:slug/public/:id', publicDeleteEntry);
+
+    // -------------------------------------------------------------------------
+    // External versioned API — stable alias of the public endpoints above.
+    // Documented surface for external consumers (docs/api-reference.md).
+    // -------------------------------------------------------------------------
+
+    fastify.get('/v1/:slug', publicListEntries);
+    fastify.get('/v1/:slug/:id', publicGetEntry);
+    fastify.post('/v1/:slug', publicCreateEntry);
+    fastify.put('/v1/:slug/:id', publicUpdateEntry);
+    fastify.delete('/v1/:slug/:id', publicDeleteEntry);
 }

package/server/routes/api/navigation.js

@@ -1,42 +1,42 @@
-/**
- * Navigation API
- * GET /api/navigation    - get navigation config
- * PUT /api/navigation    - save navigation config
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-import * as cache from '../../services/cache/index.js';
-
-export async function navigationRoutes(fastify) {
-    const canRead = {preHandler: [authenticate, requirePermission('navigation', 'read')]};
-    const canUpdate = {preHandler: [authenticate, requirePermission('navigation', 'update')]};
-
-    fastify.get('/navigation', canRead, async () => {
-        return getConfig('navigation');
-    });
-
-    fastify.put('/navigation', canUpdate, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid navigation data' });
-        }
-        if (!Array.isArray(data.items) && !Array.isArray(data)) {
-            return reply.status(400).send({ error: 'Navigation must be an array of items' });
-        }
-        // Normalise child key: Domma navbar expects `items`, not `children`
-        if (Array.isArray(data.items)) {
-            data.items = data.items.map(item => {
-                const children = item.items || item.children;
-                if (children?.length) {
-                    const { children: _c, ...rest } = item;
-                    return { ...rest, items: children };
-                }
-                const { children: _c, ...rest } = item;
-                return rest;
-            });
-        }
-        saveConfig('navigation', data);
-        await cache.invalidateTags(['nav']);
-        return { success: true };
-    });
-}
+/**
+ * Navigation API
+ * GET /api/navigation    - get navigation config
+ * PUT /api/navigation    - save navigation config
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import * as cache from '../../services/cache/index.js';
+
+export async function navigationRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('navigation', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('navigation', 'update')]};
+
+    fastify.get('/navigation', canRead, async () => {
+        return getConfig('navigation');
+    });
+
+    fastify.put('/navigation', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid navigation data' });
+        }
+        if (!Array.isArray(data.items) && !Array.isArray(data)) {
+            return reply.status(400).send({ error: 'Navigation must be an array of items' });
+        }
+        // Normalise child key: Domma navbar expects `items`, not `children`
+        if (Array.isArray(data.items)) {
+            data.items = data.items.map(item => {
+                const children = item.items || item.children;
+                if (children?.length) {
+                    const { children: _c, ...rest } = item;
+                    return { ...rest, items: children };
+                }
+                const { children: _c, ...rest } = item;
+                return rest;
+            });
+        }
+        saveConfig('navigation', data);
+        await cache.invalidateTags(['nav']);
+        return { success: true };
+    });
+}

package/server/routes/api/settings.js

@@ -1,141 +1,141 @@
-/**
- * Settings API
- * GET  /api/settings            - get site settings
- * PUT  /api/settings            - save site settings
- * POST /api/settings/test-email - send a test email using stored SMTP config
- */
-import {getConfig, saveConfig} from '../../config.js';
-import {authenticate, requirePermission} from '../../middleware/auth.js';
-import nodemailer from 'nodemailer';
-import fs from 'fs/promises';
-import path from 'path';
-import {fileURLToPath} from 'url';
-import * as cache from '../../services/cache/index.js';
-
-const __dirname = path.dirname(fileURLToPath(import.meta.url));
-const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
-const CONNECTIONS_FILE = path.resolve(__dirname, '../../../config/connections.json');
-const CUSTOM_CSS_MAX = 100 * 1024; // 100 KB
-
-export async function settingsRoutes(fastify) {
-    const canRead = {preHandler: [authenticate, requirePermission('settings', 'read')]};
-    const canUpdate = {preHandler: [authenticate, requirePermission('settings', 'update')]};
-
-    fastify.get('/settings', canRead, async (request, reply) => {
-        const config = getConfig('site');
-        const safeConfig = { ...config };
-        if (safeConfig.smtp) {
-            safeConfig.smtp = { ...safeConfig.smtp, pass: '' };
-        }
-        return reply.send(safeConfig);
-    });
-
-    fastify.put('/settings', canUpdate, async (request, reply) => {
-        const data = request.body;
-        if (!data || typeof data !== 'object') {
-            return reply.status(400).send({ error: 'Invalid settings data' });
-        }
-        const ALLOWED_KEYS = new Set([
-            'title', 'tagline', 'description', 'logo', 'favicon',
-            'theme', 'adminTheme', 'fontFamily', 'fontSize',
-            'smtp', 'footer', 'analytics', 'social', 'locale',
-            'layoutOptions', 'seo', 'backToTop', 'cookieConsent', 'breadcrumbs', 'autoTheme',
-            'adminBrand'
-        ]);
-        const unknownKeys = Object.keys(data).filter(k => !ALLOWED_KEYS.has(k));
-        if (unknownKeys.length > 0) {
-            return reply.status(400).send({ error: `Unknown settings keys: ${unknownKeys.join(', ')}` });
-        }
-        // Merge incoming data with existing config so partial updates (e.g. just adminBrand)
-        // don't wipe unrelated keys. Nested objects get a shallow merge so sub-fields are
-        // preserved even when only some sub-fields are sent.
-        const existing = getConfig('site');
-        const merged = {...existing};
-        for (const [k, v] of Object.entries(data)) {
-            const isPlainObject = v !== null && typeof v === 'object' && !Array.isArray(v);
-            const existingIsPlainObject = existing[k] !== null && typeof existing[k] === 'object' && !Array.isArray(existing[k]);
-            if (isPlainObject && existingIsPlainObject) {
-                merged[k] = {...existing[k], ...v};
-            } else {
-                merged[k] = v;
-            }
-        }
-        // Never erase smtp.pass with the empty string that the GET endpoint injects for safety
-        if (merged.smtp && merged.smtp.pass === '' && existing.smtp?.pass) {
-            merged.smtp = {...merged.smtp, pass: existing.smtp.pass};
-        }
-        saveConfig('site', merged);
-        await cache.invalidateTags(['site']);
-        return { success: true };
-    });
-
-    fastify.post('/settings/test-email', canRead, async (request, reply) => {
-        const smtp = getConfig('site')?.smtp;
-        if (!smtp?.host) {
-            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
-        }
-
-        const transporter = nodemailer.createTransport({
-            host:   smtp.host,
-            port:   smtp.port || 587,
-            secure: smtp.secure || false,
-            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
-        });
-
-        const to = request.body?.to || smtp.fromAddress;
-        if (!to) {
-            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
-        }
-
-        try {
-            await transporter.sendMail({
-                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
-                to,
-                subject: 'Domma CMS — Test Email',
-                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
-                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
-            });
-            return { success: true, message: `Test email sent to ${to}` };
-        } catch (err) {
-            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
-        }
-    });
-
-    // GET /api/settings/db-status — returns whether MongoDB connections are configured
-    fastify.get('/settings/db-status', canRead, async () => {
-        try {
-            const raw = await fs.readFile(CONNECTIONS_FILE, 'utf8');
-            const connections = JSON.parse(raw);
-            const names = Object.keys(connections).filter(k =>
-                connections[k]?.type === 'mongodb' && connections[k]?.uri
-            );
-            return {configured: names.length > 0, connections: names};
-        } catch {
-            return {configured: false, connections: []};
-        }
-    });
-
-    // GET /api/settings/custom-css — return current CSS as JSON
-    fastify.get('/settings/custom-css', canUpdate, async () => {
-        try {
-            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
-            return { css };
-        } catch {
-            return { css: '' };
-        }
-    });
-
-    // PUT /api/settings/custom-css — save CSS to content/custom.css
-    fastify.put('/settings/custom-css', canUpdate, async (request, reply) => {
-        const { css } = request.body || {};
-        if (typeof css !== 'string') {
-            return reply.status(400).send({ error: 'css must be a string.' });
-        }
-        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
-            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
-        }
-        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
-        await cache.invalidateTags(['site']);
-        return { success: true };
-    });
-}
+/**
+ * Settings API
+ * GET  /api/settings            - get site settings
+ * PUT  /api/settings            - save site settings
+ * POST /api/settings/test-email - send a test email using stored SMTP config
+ */
+import {getConfig, saveConfig} from '../../config.js';
+import {authenticate, requirePermission} from '../../middleware/auth.js';
+import nodemailer from 'nodemailer';
+import fs from 'fs/promises';
+import path from 'path';
+import {fileURLToPath} from 'url';
+import * as cache from '../../services/cache/index.js';
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const CUSTOM_CSS_FILE = path.resolve(__dirname, '../../../content/custom.css');
+const CONNECTIONS_FILE = path.resolve(__dirname, '../../../config/connections.json');
+const CUSTOM_CSS_MAX = 100 * 1024; // 100 KB
+
+export async function settingsRoutes(fastify) {
+    const canRead = {preHandler: [authenticate, requirePermission('settings', 'read')]};
+    const canUpdate = {preHandler: [authenticate, requirePermission('settings', 'update')]};
+
+    fastify.get('/settings', canRead, async (request, reply) => {
+        const config = getConfig('site');
+        const safeConfig = { ...config };
+        if (safeConfig.smtp) {
+            safeConfig.smtp = { ...safeConfig.smtp, pass: '' };
+        }
+        return reply.send(safeConfig);
+    });
+
+    fastify.put('/settings', canUpdate, async (request, reply) => {
+        const data = request.body;
+        if (!data || typeof data !== 'object') {
+            return reply.status(400).send({ error: 'Invalid settings data' });
+        }
+        const ALLOWED_KEYS = new Set([
+            'title', 'tagline', 'description', 'logo', 'favicon',
+            'theme', 'adminTheme', 'fontFamily', 'fontSize',
+            'smtp', 'footer', 'analytics', 'social', 'locale',
+            'layoutOptions', 'seo', 'backToTop', 'cookieConsent', 'breadcrumbs', 'autoTheme',
+            'adminBrand'
+        ]);
+        const unknownKeys = Object.keys(data).filter(k => !ALLOWED_KEYS.has(k));
+        if (unknownKeys.length > 0) {
+            return reply.status(400).send({ error: `Unknown settings keys: ${unknownKeys.join(', ')}` });
+        }
+        // Merge incoming data with existing config so partial updates (e.g. just adminBrand)
+        // don't wipe unrelated keys. Nested objects get a shallow merge so sub-fields are
+        // preserved even when only some sub-fields are sent.
+        const existing = getConfig('site');
+        const merged = {...existing};
+        for (const [k, v] of Object.entries(data)) {
+            const isPlainObject = v !== null && typeof v === 'object' && !Array.isArray(v);
+            const existingIsPlainObject = existing[k] !== null && typeof existing[k] === 'object' && !Array.isArray(existing[k]);
+            if (isPlainObject && existingIsPlainObject) {
+                merged[k] = {...existing[k], ...v};
+            } else {
+                merged[k] = v;
+            }
+        }
+        // Never erase smtp.pass with the empty string that the GET endpoint injects for safety
+        if (merged.smtp && merged.smtp.pass === '' && existing.smtp?.pass) {
+            merged.smtp = {...merged.smtp, pass: existing.smtp.pass};
+        }
+        saveConfig('site', merged);
+        await cache.invalidateTags(['site']);
+        return { success: true };
+    });
+
+    fastify.post('/settings/test-email', canRead, async (request, reply) => {
+        const smtp = getConfig('site')?.smtp;
+        if (!smtp?.host) {
+            return reply.status(400).send({ error: 'SMTP is not configured. Save your SMTP settings first.' });
+        }
+
+        const transporter = nodemailer.createTransport({
+            host:   smtp.host,
+            port:   smtp.port || 587,
+            secure: smtp.secure || false,
+            auth:   smtp.user ? { user: smtp.user, pass: smtp.pass } : undefined
+        });
+
+        const to = request.body?.to || smtp.fromAddress;
+        if (!to) {
+            return reply.status(400).send({ error: 'No recipient address. Provide "to" in the request body or set a From Address.' });
+        }
+
+        try {
+            await transporter.sendMail({
+                from:    smtp.fromName ? `"${smtp.fromName}" <${smtp.fromAddress}>` : smtp.fromAddress,
+                to,
+                subject: 'Domma CMS — Test Email',
+                text:    'This is a test email sent from Domma CMS to verify your SMTP configuration.',
+                html:    '<p>This is a test email sent from <strong>Domma CMS</strong> to verify your SMTP configuration.</p>'
+            });
+            return { success: true, message: `Test email sent to ${to}` };
+        } catch (err) {
+            return reply.status(500).send({ error: `Failed to send email: ${err.message}` });
+        }
+    });
+
+    // GET /api/settings/db-status — returns whether MongoDB connections are configured
+    fastify.get('/settings/db-status', canRead, async () => {
+        try {
+            const raw = await fs.readFile(CONNECTIONS_FILE, 'utf8');
+            const connections = JSON.parse(raw);
+            const names = Object.keys(connections).filter(k =>
+                connections[k]?.type === 'mongodb' && connections[k]?.uri
+            );
+            return {configured: names.length > 0, connections: names};
+        } catch {
+            return {configured: false, connections: []};
+        }
+    });
+
+    // GET /api/settings/custom-css — return current CSS as JSON
+    fastify.get('/settings/custom-css', canUpdate, async () => {
+        try {
+            const css = await fs.readFile(CUSTOM_CSS_FILE, 'utf8');
+            return { css };
+        } catch {
+            return { css: '' };
+        }
+    });
+
+    // PUT /api/settings/custom-css — save CSS to content/custom.css
+    fastify.put('/settings/custom-css', canUpdate, async (request, reply) => {
+        const { css } = request.body || {};
+        if (typeof css !== 'string') {
+            return reply.status(400).send({ error: 'css must be a string.' });
+        }
+        if (Buffer.byteLength(css, 'utf8') > CUSTOM_CSS_MAX) {
+            return reply.status(400).send({ error: 'CSS exceeds the 100 KB limit.' });
+        }
+        await fs.writeFile(CUSTOM_CSS_FILE, css, 'utf8');
+        await cache.invalidateTags(['site']);
+        return { success: true };
+    });
+}