domma-cms 0.3.0 → 0.5.2

package/admin/js/templates/api-reference.html

@@ -0,0 +1,1411 @@
+<div class="view-header">
+  <h1><span data-icon="code"></span> API Reference</h1>
+</div>
+
+<style>
+    .method-badge {
+        display: inline-block;
+        font-size: 11px;
+        font-weight: 700;
+        letter-spacing: 0.5px;
+        padding: 2px 7px;
+        border-radius: 4px;
+        font-family: var(--dm-font-mono, monospace);
+        margin-right: 6px;
+        vertical-align: middle;
+    }
+
+    .method-get {
+        background: #d1fae5;
+        color: #065f46;
+    }
+
+    .method-post {
+        background: #dbeafe;
+        color: #1e40af;
+    }
+
+    .method-put {
+        background: #fef3c7;
+        color: #92400e;
+    }
+
+    .method-patch {
+        background: #ccfbf1;
+        color: #134e4a;
+    }
+
+    .method-delete {
+        background: #fee2e2;
+        color: #991b1b;
+    }
+
+    .endpoint-path {
+        font-family: var(--dm-font-mono, monospace);
+        font-size: 14px;
+    }
+
+    .auth-note {
+        font-size: 12px;
+        color: var(--dm-color-text-muted, #6b7280);
+        margin: 4px 0 12px;
+    }
+
+    .auth-note code {
+        font-size: 11px;
+    }
+
+    .docs-body h3 {
+        margin-top: 24px;
+        margin-bottom: 8px;
+    }
+
+    .docs-body h3:first-child {
+        margin-top: 0;
+    }
+</style>
+
+<div class="row">
+  <div class="col-12">
+
+    <div class="card mb-4">
+      <div class="card-body docs-body">
+        <p>
+          All admin endpoints are prefixed with <code>/api</code> and require a Bearer token in the
+          <code>Authorization</code> header unless noted otherwise. Content type for request bodies is
+          <code>application/json</code>. Tokens are obtained via <code>POST /api/auth/login</code>.
+        </p>
+        <p>
+          Base URL: <code>http://your-domain/api</code>
+        </p>
+      </div>
+    </div>
+
+    <!-- ─── Authentication ─────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="lock"></span> Authentication</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/auth/setup-status</span>
+        </h3>
+        <p class="auth-note">No authentication required.</p>
+        <p>Check whether the CMS has been set up. Returns <code>{ needsSetup: true }</code> when no users exist.</p>
+        <pre class="code-block"><code>// Response
+{ "needsSetup": false }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/setup</span></h3>
+        <p class="auth-note">No authentication required. Only succeeds when zero users exist.</p>
+        <p>Create the initial admin account. Blocked once any user exists (returns 403).</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>name</code></td>
+            <td>string</td>
+            <td>Display name</td>
+          </tr>
+          <tr>
+            <td><code>email</code></td>
+            <td>string</td>
+            <td>Email address</td>
+          </tr>
+          <tr>
+            <td><code>password</code></td>
+            <td>string</td>
+            <td>Minimum 8 characters</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 201
+{ "token": "eyJ...", "refreshToken": "eyJ...", "user": { "id": "...", "name": "...", "email": "...", "role": "admin" } }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/login</span></h3>
+        <p class="auth-note">No authentication required.</p>
+        <p>Authenticate with email and password. Returns access and refresh tokens.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>email</code></td>
+            <td>string</td>
+            <td>User email</td>
+          </tr>
+          <tr>
+            <td><code>password</code></td>
+            <td>string</td>
+            <td>User password</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "token": "eyJ...", "refreshToken": "eyJ...", "user": { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin" } }
+
+// Error 401
+{ "error": "Invalid credentials" }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/auth/me</span></h3>
+        <p class="auth-note">Requires Bearer token.</p>
+        <p>Return the authenticated user's profile.</p>
+        <pre class="code-block"><code>// Response 200
+{ "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/logout</span></h3>
+        <p class="auth-note">No authentication required. Safe to call without a token.</p>
+        <p>Blacklists the provided refresh token. The in-memory blacklist is cleared on server restart.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>refreshToken</code></td>
+            <td>string</td>
+            <td>The refresh token to revoke (optional)</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "ok": true }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/refresh</span></h3>
+        <p class="auth-note">No authentication required. Provide a valid refresh token.</p>
+        <p>Exchange a refresh token for a new access token.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>refreshToken</code></td>
+            <td>string</td>
+            <td>A valid, non-revoked refresh token</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "token": "eyJ..." }
+
+// Error 401
+{ "error": "Invalid or expired refresh token" }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Pages ──────────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="file-text"></span> Pages</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/pages/preview</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+        <p>Render Markdown to HTML (shortcodes processed, no frontmatter). Useful for live editor previews.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>markdown</code></td>
+            <td>string</td>
+            <td>Markdown string to render</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "html": "&lt;p&gt;Hello &lt;strong&gt;world&lt;/strong&gt;&lt;/p&gt;" }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages/tags</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+        <p>Aggregate all unique tags across every page, sorted alphabetically.</p>
+        <pre class="code-block"><code>// Response 200
+{ "tags": ["guide", "news", "tutorial"] }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+        <p>List all pages with their metadata. Body content is excluded.</p>
+        <pre class="code-block"><code>// Response 200
+[
+  {
+    "urlPath": "/about",
+    "title": "About Us",
+    "slug": "about",
+    "status": "published",
+    "layout": "default",
+    "showInNav": true,
+    "sortOrder": 1,
+    "category": null,
+    "visibility": "public",
+    "tags": [],
+    "updatedAt": "2024-01-15T10:30:00.000Z",
+    "createdAt": "2024-01-01T09:00:00.000Z"
+  }
+]</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages/*</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission. The <code>*</code> is the URL path,
+          e.g. <code>/api/pages/about</code> or <code>/api/pages/blog/post-1</code>.</p>
+        <p>Retrieve a single page including its frontmatter and full body content.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "urlPath": "/about",
+  "title": "About Us",
+  "body": "## Our Story\n\nWe started...",
+  "status": "published",
+  ...
+}
+
+// Error 404
+{ "error": "Page not found" }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/pages</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+        <p>Create a new page. Fails with 409 if a page already exists at the given path.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>urlPath</code></td>
+            <td>string</td>
+            <td>Required. Public URL path e.g. <code>/about</code></td>
+          </tr>
+          <tr>
+            <td><code>frontmatter</code></td>
+            <td>object</td>
+            <td>YAML frontmatter fields (title, status, etc.)</td>
+          </tr>
+          <tr>
+            <td><code>body</code></td>
+            <td>string</td>
+            <td>Markdown content</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 201 — returns the created page object</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/pages/*</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+        <p>Update an existing page. Optionally rename it to a new URL path (navigation links are rewritten
+          automatically).</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>frontmatter</code></td>
+            <td>object</td>
+            <td>Updated frontmatter fields</td>
+          </tr>
+          <tr>
+            <td><code>body</code></td>
+            <td>string</td>
+            <td>Updated Markdown content</td>
+          </tr>
+          <tr>
+            <td><code>newUrlPath</code></td>
+            <td>string</td>
+            <td>Optional. Rename the page to a different URL path</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200 — returns the updated page object
+
+// Error 404
+{ "error": "Page not found" }
+
+// Error 409
+{ "error": "A page already exists at that path" }</code></pre>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/pages/*</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+        <p>Delete a page and its source file.</p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }
+
+// Error 404
+{ "error": "Page not found" }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Settings ───────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="settings"></span> Settings</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/settings</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+        <p>Return the full site settings object from <code>config/site.json</code>.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "siteName": "My Site",
+  "adminTheme": "charcoal-dark",
+  "smtp": { "host": "smtp.example.com", "port": 587, ... },
+  ...
+}</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/settings</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+        <p>Replace the site settings object. Send the full merged object — partial updates overwrite the entire
+          config.</p>
+        <pre class="code-block"><code>// Request body — full site settings object
+{ "siteName": "My Site", "adminTheme": "ocean-dark", ... }
+
+// Response 200
+{ "success": true }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span
+            class="endpoint-path">/api/settings/test-email</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+        <p>Send a test email using the stored SMTP configuration. Fails if SMTP host is not configured.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>to</code></td>
+            <td>string</td>
+            <td>Optional. Recipient address. Defaults to the configured From Address.</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "success": true, "message": "Test email sent to alice@example.com" }
+
+// Error 400
+{ "error": "SMTP is not configured. Save your SMTP settings first." }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/settings/custom-css</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+        <p>Return the current custom CSS from <code>content/custom.css</code>. Returns an empty string if the file does
+          not exist.</p>
+        <pre class="code-block"><code>// Response 200
+{ "css": "body { font-family: sans-serif; }" }</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/settings/custom-css</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+        <p>Write CSS to <code>content/custom.css</code>. Maximum size is 100 KB.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>css</code></td>
+            <td>string</td>
+            <td>CSS string (max 100 KB)</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Layouts ────────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="layout"></span> Layouts</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/layouts</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+        <p>Return all layout presets from <code>config/presets.json</code>.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "default": { "label": "Default", "sections": [...] },
+  "full-width": { "label": "Full Width", "sections": [...] }
+}</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/layouts</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+        <p>Replace the entire layout presets object.</p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/layouts/options</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+        <p>Return layout display options (e.g. spacer size) stored in <code>config/site.json</code> under <code>layoutOptions</code>.
+        </p>
+        <pre class="code-block"><code>// Response 200
+{ "spacerSize": 8 }</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/layouts/options</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+        <p>Merge layout option updates into the existing options. Existing keys not included in the request are
+          preserved.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>spacerSize</code></td>
+            <td>number</td>
+            <td>Default spacer block size in pixels</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Navigation ─────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="menu"></span> Navigation</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/navigation</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>navigation</code> permission.</p>
+        <p>Return the navigation configuration from <code>config/navigation.json</code>.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "items": [
+    { "label": "Home", "url": "/" },
+    { "label": "About", "url": "/about" },
+    {
+      "label": "Resources",
+      "items": [
+        { "label": "Blog", "url": "/blog" }
+      ]
+    }
+  ]
+}</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/navigation</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>navigation</code> permission.</p>
+        <p>Replace the navigation config. Sub-items must use the <code>items</code> key (the server normalises <code>children</code>
+          to <code>items</code> automatically).</p>
+        <pre class="code-block"><code>// Request body
+{
+  "items": [
+    { "label": "Home", "url": "/" },
+    { "label": "About", "url": "/about" }
+  ]
+}
+
+// Response 200
+{ "success": true }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Media ──────────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="image"></span> Media</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/media</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+        <p>List all media files in the uploads directory.</p>
+        <pre class="code-block"><code>// Response 200
+[
+  { "name": "hero.jpg", "url": "/media/hero.jpg", "size": 204800, "mime": "image/jpeg" }
+]</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/media</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>media</code> permission. Content-Type: <code>multipart/form-data</code>.
+        </p>
+        <p>Upload one or more files. Filenames are sanitised (only alphanumeric, dot, underscore, hyphen allowed).
+          Returns a single object for one file, or an array for multiple.</p>
+        <pre class="code-block"><code>// Response 201 (single file)
+{ "name": "photo.jpg", "url": "/media/photo.jpg", "size": 98304, "mime": "image/jpeg" }
+
+// Response 201 (multiple files)
+[
+  { "name": "photo1.jpg", "url": "/media/photo1.jpg", ... },
+  { "name": "photo2.jpg", "url": "/media/photo2.jpg", ... }
+]</code></pre>
+
+        <h3><span class="method-badge method-patch">PATCH</span><span class="endpoint-path">/api/media/:name</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+        <p>Rename a media file. Returns the updated file info. Fails with 409 if the new name already exists.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>newName</code></td>
+            <td>string</td>
+            <td>New filename (will be sanitised)</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "name": "new-photo.jpg", "url": "/media/new-photo.jpg", ... }</code></pre>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/media/:name</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+        <p>Delete a media file from the uploads directory.</p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/media/:name/info</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+        <p>Return image metadata (dimensions, format, file size) for editable image formats (JPEG, PNG, WebP, GIF,
+          TIFF).</p>
+        <pre class="code-block"><code>// Response 200
+{ "width": 1920, "height": 1080, "format": "jpeg", "size": 204800 }
+
+// Error 400
+{ "error": "Not an editable image format" }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span
+            class="endpoint-path">/api/media/:name/transform</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+        <p>Apply image transformations (resize, crop, rotate, watermark, etc.) and optionally save to a new
+          filename.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>operations</code></td>
+            <td>object</td>
+            <td>Transformation operations to apply</td>
+          </tr>
+          <tr>
+            <td><code>saveAs</code></td>
+            <td>string</td>
+            <td>Optional. Output filename. Defaults to overwriting the source.</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Request body example
+{
+  "operations": { "resize": { "width": 800, "height": 600 }, "format": "webp" },
+  "saveAs": "hero-800.webp"
+}
+
+// Response 200
+{ "name": "hero-800.webp", "url": "/media/hero-800.webp", ... }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Users ──────────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="users"></span> Users</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <p>Role hierarchy governs which users can manage other users. A manager cannot create, edit, or delete an admin.
+          Self-deletion is always blocked.</p>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/users</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>users</code> permission (admin or manager).</p>
+        <p>Return all users. Passwords are stripped from the response.</p>
+        <pre class="code-block"><code>// Response 200
+[
+  { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }
+]</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/users/:id</span></h3>
+        <p class="auth-note">Requires Bearer token. Accessible to the user themselves, or a user with <code>users</code>
+          permission.</p>
+        <p>Return a single user by ID.</p>
+        <pre class="code-block"><code>// Response 200
+{ "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }
+
+// Error 404
+{ "error": "User not found" }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/users</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
+        <p>Create a new user. The actor cannot assign a role higher than their own level.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>name</code></td>
+            <td>string</td>
+            <td>Display name</td>
+          </tr>
+          <tr>
+            <td><code>email</code></td>
+            <td>string</td>
+            <td>Unique email address</td>
+          </tr>
+          <tr>
+            <td><code>password</code></td>
+            <td>string</td>
+            <td>Minimum 8 characters</td>
+          </tr>
+          <tr>
+            <td><code>role</code></td>
+            <td>string</td>
+            <td>Optional. Defaults to <code>editor</code>.</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 201
+{ "id": "uuid", "name": "Bob", "email": "bob@example.com", "role": "editor", "isActive": true }
+
+// Error 409
+{ "error": "Email already in use" }</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/users/:id</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
+        <p>Update a user's details. Managers cannot edit admins. Role escalation beyond the actor's own level is
+          blocked.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>name</code></td>
+            <td>string</td>
+            <td>New display name</td>
+          </tr>
+          <tr>
+            <td><code>email</code></td>
+            <td>string</td>
+            <td>New email address</td>
+          </tr>
+          <tr>
+            <td><code>password</code></td>
+            <td>string</td>
+            <td>New password (min 8 chars)</td>
+          </tr>
+          <tr>
+            <td><code>role</code></td>
+            <td>string</td>
+            <td>New role</td>
+          </tr>
+          <tr>
+            <td><code>isActive</code></td>
+            <td>boolean</td>
+            <td>Enable or disable the account</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200 — returns the updated user object</code></pre>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/users/:id</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
+        <p>Delete a user. Cannot delete your own account or a user with a higher role level.</p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }
+
+// Error 403
+{ "error": "You cannot delete your own account" }</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Plugins ────────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="package"></span> Plugins</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/plugins</span></h3>
+        <p class="auth-note">Requires Bearer token + admin role.</p>
+        <p>List all discovered plugins with their current enabled state and settings.</p>
+        <pre class="code-block"><code>// Response 200
+[
+  {
+    "name": "form-builder",
+    "displayName": "Form Builder",
+    "version": "1.0.0",
+    "description": "Build and manage contact forms.",
+    "author": "Domma Team",
+    "date": "2024-01-01",
+    "icon": "clipboard",
+    "enabled": true,
+    "settings": {}
+  }
+]</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/plugins/:name</span></h3>
+        <p class="auth-note">Requires Bearer token + admin role.</p>
+        <p>Enable or disable a plugin, or update its settings. Plugin must exist in the <code>plugins/</code> directory.
+        </p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>enabled</code></td>
+            <td>boolean</td>
+            <td>Whether the plugin is active</td>
+          </tr>
+          <tr>
+            <td><code>settings</code></td>
+            <td>object</td>
+            <td>Plugin-specific settings object</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }
+
+// Error 404
+{ "error": "Plugin not found" }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/plugins/admin-config</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token (any role).</p>
+        <p>Return the merged admin configuration for all enabled plugins — sidebar items, SPA routes, and view entry
+          points. Used by the admin SPA on startup to inject plugin UI.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "sidebar": [
+    { "id": "form-builder", "text": "Form Settings", "icon": "clipboard", "url": "#/form-settings" }
+  ],
+  "routes": [
+    { "path": "/form-settings", "view": "formSettings", "title": "Form Settings - Domma CMS" }
+  ],
+  "views": {
+    "formSettings": { "entry": "form-builder/admin/views/settings.js", "exportName": "formSettingsView" }
+  }
+}</code></pre>
+
+      </div>
+    </div>
+
+    <!-- ─── Collections ────────────────────────────────────────────── -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content"><h2><span data-icon="database"></span> Collections</h2></div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+
+        <p>Collections have two access planes: <strong>admin endpoints</strong> (authenticated, role-gated) and <strong>public
+          endpoints</strong> (access level configured per collection).</p>
+
+        <h3 style="margin-top:16px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Schema
+          Management</h3>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>List all collection schemas (metadata only, no entries).</p>
+        <pre class="code-block"><code>// Response 200
+[
+  { "slug": "blog", "title": "Blog Posts", "description": "...", "fields": [...] }
+]</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span
+            class="endpoint-path">/api/collections/pro-status</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Check whether the Pro (MongoDB) storage adapter is available. Returns named connections if configured.</p>
+        <pre class="code-block"><code>// Response 200 (free)
+{ "pro": false, "connections": [] }
+
+// Response 200 (pro)
+{ "pro": true, "connections": ["default", "analytics"] }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span
+            class="endpoint-path">/api/collections/connections</span></h3>
+        <p class="auth-note">Requires Bearer token + admin role.</p>
+        <p>Return configured MongoDB connections from <code>config/connections.json</code>.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "default": { "type": "mongodb", "uri": "mongodb://localhost:27017", "database": "my_cms" }
+}</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span
+            class="endpoint-path">/api/collections/connections</span></h3>
+        <p class="auth-note">Requires Bearer token + admin role.</p>
+        <p>Save MongoDB connection definitions. Each connection requires <code>type</code>, <code>uri</code>, and <code>database</code>.
+        </p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>{name}</code></td>
+            <td>object</td>
+            <td>Named connection with <code>type</code>, <code>uri</code>, <code>database</code></td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }
+
+// Error 400
+{ "error": "Connection \"default\" requires type, uri, and database" }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/collections</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Create a new collection. A <code>slug</code> is auto-generated from the title if not provided.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>title</code></td>
+            <td>string</td>
+            <td>Required. Human-readable collection name</td>
+          </tr>
+          <tr>
+            <td><code>slug</code></td>
+            <td>string</td>
+            <td>Optional. URL-safe identifier. Auto-generated if omitted.</td>
+          </tr>
+          <tr>
+            <td><code>description</code></td>
+            <td>string</td>
+            <td>Optional description</td>
+          </tr>
+          <tr>
+            <td><code>fields</code></td>
+            <td>array</td>
+            <td>Field definitions</td>
+          </tr>
+          <tr>
+            <td><code>api</code></td>
+            <td>object</td>
+            <td>Public API access config per operation</td>
+          </tr>
+          <tr>
+            <td><code>storage</code></td>
+            <td>object</td>
+            <td>Optional. Pro: <code>{ "adapter": "mongodb", "connection": "default" }</code></td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 201 — returns the created schema object
+
+// Error 409
+{ "error": "A collection with that slug already exists" }</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Return the schema for a single collection by slug.</p>
+        <pre class="code-block"><code>// Response 200
+{
+  "slug": "blog",
+  "title": "Blog Posts",
+  "fields": [
+    { "name": "title", "type": "text", "required": true },
+    { "name": "body",  "type": "richtext" }
+  ],
+  "api": { "read": { "enabled": true, "access": "public" }, ... }
+}
+
+// Error 404
+{ "error": "Collection not found" }</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Update a collection schema.</p>
+        <pre class="code-block"><code>// Response 200 — returns the updated schema
+
+// Error 404
+{ "error": "Collection not found" }</code></pre>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span
+            class="endpoint-path">/api/collections/:slug</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+          <p>Delete a collection and all its entries. Preset collections (e.g. <code>roles</code>) cannot be deleted.
+        </p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }
+
+// Error 403
+{ "error": "Cannot delete a preset collection" }</code></pre>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Admin Entry
+          CRUD</h3>
+
+        <h3><span class="method-badge method-get">GET</span><span
+            class="endpoint-path">/api/collections/:slug/entries</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>List entries with pagination, sorting, and full-text search.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Query param</th>
+            <th>Default</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>page</code></td>
+            <td>1</td>
+            <td>Page number</td>
+          </tr>
+          <tr>
+            <td><code>limit</code></td>
+            <td>50</td>
+            <td>Entries per page</td>
+          </tr>
+          <tr>
+            <td><code>sort</code></td>
+            <td>createdAt</td>
+            <td>Field to sort by</td>
+          </tr>
+          <tr>
+            <td><code>order</code></td>
+            <td>desc</td>
+            <td><code>asc</code> or <code>desc</code></td>
+          </tr>
+          <tr>
+            <td><code>search</code></td>
+            <td>—</td>
+            <td>Full-text search query</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200
+{
+  "entries": [ { "id": "uuid", "data": { ... }, "createdAt": "...", "updatedAt": "..." } ],
+  "total": 42,
+  "page": 1,
+  "limit": 50
+}</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Return a single entry by ID.</p>
+        <pre class="code-block"><code>// Response 200
+{ "id": "uuid", "data": { "title": "Hello World", "body": "..." }, "createdAt": "...", "updatedAt": "..." }
+
+// Error 404
+{ "error": "Entry not found" }</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span
+            class="endpoint-path">/api/collections/:slug/entries</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Create a new entry. Data is validated against the collection schema.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>data</code></td>
+            <td>object</td>
+            <td>Entry field values keyed by field name</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 201 — returns the created entry</code></pre>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Update an entry. Data is validated against the schema.</p>
+        <pre class="code-block"><code>// Response 200 — returns the updated entry
+
+// Error 404
+{ "error": "Entry not found" }</code></pre>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+          <p>Delete a single entry. Deleting the root admin role from <code>roles</code> is blocked.</p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }</code></pre>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/entries</span>
+        </h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Clear all entries from a collection. Irreversible.</p>
+        <pre class="code-block"><code>// Response 200
+{ "success": true }</code></pre>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Export &amp;
+          Import</h3>
+
+        <h3><span class="method-badge method-get">GET</span><span
+            class="endpoint-path">/api/collections/:slug/export</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Download all entries as a file attachment.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Query param</th>
+            <th>Values</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>format</code></td>
+            <td><code>json</code> (default), <code>csv</code></td>
+            <td>Export format</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Response 200 — file download
+// Content-Disposition: attachment; filename="blog-entries.json"</code></pre>
+
+        <h3><span class="method-badge method-post">POST</span><span
+            class="endpoint-path">/api/collections/:slug/import</span></h3>
+        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+        <p>Bulk-import entries from a JSON array. Existing entries are not removed.</p>
+        <table class="table table-sm">
+          <thead>
+          <tr>
+            <th>Field</th>
+            <th>Type</th>
+            <th>Description</th>
+          </tr>
+          </thead>
+          <tbody>
+          <tr>
+            <td><code>entries</code></td>
+            <td>array</td>
+            <td>Array of entry objects with a <code>data</code> field each</td>
+          </tr>
+          </tbody>
+        </table>
+        <pre class="code-block"><code>// Request body
+{ "entries": [ { "data": { "title": "Post 1" } }, { "data": { "title": "Post 2" } } ] }
+
+// Response 201
+{ "imported": 2, "skipped": 0 }</code></pre>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Public
+          Access</h3>
+
+        <p>Public endpoints respect the per-collection <code>api</code> config. Each operation (<code>read</code>,
+          <code>create</code>, <code>update</code>, <code>delete</code>) can be <strong>disabled</strong>, <strong>public</strong>
+          (no auth), or restricted to a minimum role level.</p>
+
+        <h3><span class="method-badge method-get">GET</span><span
+            class="endpoint-path">/api/collections/:slug/public</span></h3>
+        <p class="auth-note">Access level: per collection <code>api.read</code> config.</p>
+        <p>List entries publicly. Supports the same pagination and search query params as the admin endpoint.</p>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
+        </h3>
+        <p class="auth-note">Access level: per collection <code>api.read</code> config.</p>
+        <p>Return a single entry publicly by ID.</p>
+
+        <h3><span class="method-badge method-post">POST</span><span
+            class="endpoint-path">/api/collections/:slug/public</span></h3>
+        <p class="auth-note">Access level: per collection <code>api.create</code> config.</p>
+        <p>Create an entry publicly (e.g. form submissions). Entry is tagged with <code>source: "api"</code>.</p>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
+        </h3>
+        <p class="auth-note">Access level: per collection <code>api.update</code> config.</p>
+        <p>Update an entry publicly.</p>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
+        </h3>
+        <p class="auth-note">Access level: per collection <code>api.delete</code> config.</p>
+        <p>Delete an entry publicly.</p>
+
+      </div>
+    </div>
+
+    <!-- Views API -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content">
+          <h2><span data-icon="eye"></span> Views API
+            <span class="badge badge-warning" style="font-size:.7rem;margin-left:.4rem;">Pro</span>
+          </h2>
+        </div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+        <p>Views require a MongoDB connection. All admin endpoints require authentication and the
+          <code>views</code> permission. View configs are stored in the <code>cms__views</code> MongoDB collection
+          on the <code>default</code> connection.</p>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+          Admin Endpoints</h3>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>List all view configs, sorted by creation date descending.</p>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/views</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>Create a new view config. Returns <code>201</code> on success.</p>
+        <pre class="code-block"><code>{
+  "title": "Active Premium Users",
+  "slug": "active-premium-users",       // optional — auto-derived from title
+  "description": "...",
+  "connection": "default",
+  "pipeline": {
+    "source": "users",                  // CMS collection slug
+    "stages": [
+      { "type": "$match",   "config": { "data.status": "active" } },
+      { "type": "$sort",    "config": { "meta.createdAt": -1 } },
+      { "type": "$project", "config": { "data.name": 1, "data.email": 1 } }
+    ]
+  },
+  "display": {
+    "mode": "table",                    // "table" | "list"
+    "columns": [
+      { "key": "data.name",  "label": "Name" },
+      { "key": "data.email", "label": "Email" }
+    ],
+    "pageSize": 25
+  },
+  "access": {
+    "roles": ["admin", "manager"],
+    "public": false
+  }
+}</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>Return a single view config by slug.</p>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/views/:slug</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>Update a view config. Accepts the same body shape as POST; all fields are optional.</p>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/views/:slug</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>Delete a view config.</p>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug/execute</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>Execute the view's aggregation pipeline and return paginated results.</p>
+        <p><strong>Query params:</strong> <code>page</code> (default 1), <code>limit</code> (default 25).</p>
+        <pre class="code-block"><code>// Response
+{
+  "results": [ { "data": { "name": "Alice" }, ... }, ... ],
+  "total": 142,
+  "page": 1,
+  "limit": 25
+}</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/collection/:slug</span></h3>
+        <p class="auth-note">Requires: <code>views</code> permission</p>
+        <p>List all view configs whose <code>pipeline.source</code> matches the given collection slug.</p>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+          Public Endpoint</h3>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug/public</span></h3>
+        <p class="auth-note">Access level: per view <code>access</code> config</p>
+        <p>Execute the view publicly. If <code>access.public</code> is <code>false</code>, a valid JWT and
+          a role listed in <code>access.roles</code> is required. Same query params and response shape as
+          <code>/execute</code>.</p>
+
+      </div>
+    </div>
+
+    <!-- Actions API -->
+    <div class="card card-collapsible mb-4">
+      <div class="card-header" role="button" tabindex="0">
+        <div class="card-header-content">
+          <h2><span data-icon="zap"></span> Actions API
+            <span class="badge badge-warning" style="font-size:.7rem;margin-left:.4rem;">Pro</span>
+          </h2>
+        </div>
+        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      </div>
+      <div class="card-body docs-body">
+        <p>Actions require a MongoDB connection. All admin endpoints require authentication and the
+          <code>actions</code> permission. Action configs are stored in <code>cms__actions</code>.</p>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+          Admin Endpoints</h3>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>List all action configs.</p>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>Create a new action config. Returns <code>201</code> on success.</p>
+        <pre class="code-block"><code>{
+  "title": "Approve Application",
+  "slug": "approve-application",         // optional
+  "description": "...",
+  "collection": "applications",
+  "trigger": {
+    "type": "manual",
+    "label": "Approve",
+    "icon": "check-circle",
+    "confirmMessage": "Approve this application?"   // null to skip confirmation
+  },
+  "steps": [
+    { "type": "updateField",  "config": { "field": "status",     "value": "approved" } },
+    { "type": "updateField",  "config": { "field": "approvedAt", "value": "{{now}}"  } },
+    { "type": "webhook",      "config": { "url": "https://hooks.example.com/approved", "method": "POST",
+                                          "body": { "email": "{{entry.data.email}}" } } },
+    { "type": "email",        "config": { "to": "{{entry.data.email}}",
+                                          "subject": "Application approved",
+                                          "template": "Hi {{entry.data.name}}, your application is approved." } }
+  ],
+  "access": { "roles": ["admin", "manager"] }
+}</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions/:slug</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>Return a single action config by slug.</p>
+
+        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/actions/:slug</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>Update an action config.</p>
+
+        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/actions/:slug</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>Delete an action config.</p>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions/:slug/execute</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>Execute an action against a specific entry.</p>
+        <pre class="code-block"><code>// Request body
+{ "entryId": "uuid-of-the-entry" }
+
+// Response
+{
+  "success": true,
+  "stepsCompleted": 4,
+  "results": [
+    { "type": "updateField", "success": true, "result": { "field": "status", "value": "approved" } },
+    { "type": "email",       "success": true, "result": { "to": "user@example.com" } }
+  ]
+}
+
+// Partial failure response
+{
+  "success": false,
+  "stepsCompleted": 2,
+  "results": [
+    { "type": "updateField", "success": true,  "result": { "field": "status", "value": "approved" } },
+    { "type": "webhook",     "success": false, "error": "Webhook returned HTTP 500" }
+  ]
+}</code></pre>
+
+        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions/collection/:slug</span></h3>
+        <p class="auth-note">Requires: <code>actions</code> permission</p>
+        <p>List all action configs targeting a given collection slug. Used by the entry list view to
+          populate per-row trigger buttons.</p>
+
+        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+          Public Endpoint</h3>
+
+        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions/:slug/public</span></h3>
+        <p class="auth-note">Requires: JWT + role in <code>access.roles</code></p>
+        <p>Execute an action publicly. Always requires a valid JWT — the role is checked against
+          <code>access.roles</code>. Request body and response shape are identical to the admin
+          <code>/execute</code> endpoint.</p>
+
+      </div>
+    </div>
+
+  </div>
+</div>