npm - domma-cms - Versions diffs - 0.9.5 → 0.9.10 - Mend

domma-cms 0.9.5 → 0.9.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/admin/js/app.js +2 -2
package/admin/js/lib/card-builder.js +7 -0
package/admin/js/templates/api-reference.html +943 -1107
package/admin/js/templates/documentation.html +828 -655
package/admin/js/templates/tutorials.html +202 -177
package/admin/js/views/api-reference.js +1 -1
package/admin/js/views/documentation.js +1 -1
package/admin/js/views/index.js +1 -1
package/admin/js/views/page-editor.js +4 -4
package/admin/js/views/plugins.js +10 -16
package/admin/js/views/tutorials.js +1 -1
package/config/plugins.json +4 -14
package/config/site.json +1 -1
package/package.json +1 -1
package/plugins/notes/admin/views/notes.js +24 -25
package/plugins/todo/admin/views/todo.js +32 -33
package/public/css/site.css +1 -1
package/server/services/markdown.js +609 -79

package/admin/js/templates/api-reference.html CHANGED Viewed

@@ -75,185 +75,197 @@
           <code>Authorization</code> header unless noted otherwise. Content type for request bodies is
           <code>application/json</code>. Tokens are obtained via <code>POST /api/auth/login</code>.
         </p>
-        <p>
-          Base URL: <code>http://your-domain/api</code>
-        </p>
+          <p>Base URL: <code>http://your-domain/api</code></p>
       </div>
     </div>
-    <!-- ─── Authentication ─────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="lock"></span> Authentication</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
+      <div class="tabs" id="api-tabs">
+          <div class="tab-list" style="flex-wrap: wrap;">
+              <button class="tab-item active">Authentication</button>
+              <button class="tab-item">Pages</button>
+              <button class="tab-item">Settings</button>
+              <button class="tab-item">Layouts</button>
+              <button class="tab-item">Navigation</button>
+              <button class="tab-item">Media</button>
+              <button class="tab-item">Users</button>
+              <button class="tab-item">Plugins</button>
+              <button class="tab-item">Collections</button>
+              <button class="tab-item">Views API</button>
+              <button class="tab-item">Actions API</button>
       </div>
-      <div class="card-body docs-body">
+          <div class="tab-content">
+              <!-- Authentication -->
+              <div class="tab-panel active docs-body">
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/auth/setup-status</span>
-        </h3>
-        <p class="auth-note">No authentication required.</p>
-        <p>Check whether the CMS has been set up. Returns <code>{ needsSetup: true }</code> when no users exist.</p>
-        <pre class="code-block"><code>// Response
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/auth/setup-status</span></h3>
+                  <p class="auth-note">No authentication required.</p>
+                  <p>Check whether the CMS has been set up. Returns <code>{ needsSetup: true }</code> when no users
+                      exist.</p>
+                  <pre class="code-block"><code>// Response
 { "needsSetup": false }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/setup</span></h3>
-        <p class="auth-note">No authentication required. Only succeeds when zero users exist.</p>
-        <p>Create the initial admin account. Blocked once any user exists (returns 403).</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>name</code></td>
-            <td>string</td>
-            <td>Display name</td>
-          </tr>
-          <tr>
-            <td><code>email</code></td>
-            <td>string</td>
-            <td>Email address</td>
-          </tr>
-          <tr>
-            <td><code>password</code></td>
-            <td>string</td>
-            <td>Minimum 8 characters</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 201
+                  <h3><span class="method-badge method-post">POST</span><span
+                          class="endpoint-path">/api/auth/setup</span></h3>
+                  <p class="auth-note">No authentication required. Only succeeds when zero users exist.</p>
+                  <p>Create the initial admin account. Blocked once any user exists (returns 403).</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>name</code></td>
+                          <td>string</td>
+                          <td>Display name</td>
+                      </tr>
+                      <tr>
+                          <td><code>email</code></td>
+                          <td>string</td>
+                          <td>Email address</td>
+                      </tr>
+                      <tr>
+                          <td><code>password</code></td>
+                          <td>string</td>
+                          <td>Minimum 8 characters</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 201
 { "token": "eyJ...", "refreshToken": "eyJ...", "user": { "id": "...", "name": "...", "email": "...", "role": "admin" } }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/login</span></h3>
-        <p class="auth-note">No authentication required.</p>
-        <p>Authenticate with email and password. Returns access and refresh tokens.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>email</code></td>
-            <td>string</td>
-            <td>User email</td>
-          </tr>
-          <tr>
-            <td><code>password</code></td>
-            <td>string</td>
-            <td>User password</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-post">POST</span><span
+                          class="endpoint-path">/api/auth/login</span></h3>
+                  <p class="auth-note">No authentication required.</p>
+                  <p>Authenticate with email and password. Returns access and refresh tokens.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>email</code></td>
+                          <td>string</td>
+                          <td>User email</td>
+                      </tr>
+                      <tr>
+                          <td><code>password</code></td>
+                          <td>string</td>
+                          <td>User password</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "token": "eyJ...", "refreshToken": "eyJ...", "user": { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin" } }
 // Error 401
 { "error": "Invalid credentials" }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/auth/me</span></h3>
-        <p class="auth-note">Requires Bearer token.</p>
-        <p>Return the authenticated user's profile.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/auth/me</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token.</p>
+                  <p>Return the authenticated user's profile.</p>
+                  <pre class="code-block"><code>// Response 200
 { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/logout</span></h3>
-        <p class="auth-note">No authentication required. Safe to call without a token.</p>
-        <p>Blacklists the provided refresh token. The in-memory blacklist is cleared on server restart.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>refreshToken</code></td>
-            <td>string</td>
-            <td>The refresh token to revoke (optional)</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-post">POST</span><span
+                          class="endpoint-path">/api/auth/logout</span></h3>
+                  <p class="auth-note">No authentication required. Safe to call without a token.</p>
+                  <p>Blacklists the provided refresh token. The in-memory blacklist is cleared on server restart.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>refreshToken</code></td>
+                          <td>string</td>
+                          <td>The refresh token to revoke (optional)</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "ok": true }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/auth/refresh</span></h3>
-        <p class="auth-note">No authentication required. Provide a valid refresh token.</p>
-        <p>Exchange a refresh token for a new access token.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>refreshToken</code></td>
-            <td>string</td>
-            <td>A valid, non-revoked refresh token</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-post">POST</span><span
+                          class="endpoint-path">/api/auth/refresh</span></h3>
+                  <p class="auth-note">No authentication required. Provide a valid refresh token.</p>
+                  <p>Exchange a refresh token for a new access token.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>refreshToken</code></td>
+                          <td>string</td>
+                          <td>A valid, non-revoked refresh token</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "token": "eyJ..." }
 // Error 401
 { "error": "Invalid or expired refresh token" }</code></pre>
-      </div>
-    </div>
-    <!-- ─── Pages ──────────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="file-text"></span> Pages</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/pages/preview</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
-        <p>Render Markdown to HTML (shortcodes processed, no frontmatter). Useful for live editor previews.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>markdown</code></td>
-            <td>string</td>
-            <td>Markdown string to render</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+              </div>
+              <!-- Pages -->
+              <div class="tab-panel docs-body">
+                  <h3><span class="method-badge method-post">POST</span><span
+                          class="endpoint-path">/api/pages/preview</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+                  <p>Render Markdown to HTML (shortcodes processed, no frontmatter). Useful for live editor
+                      previews.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>markdown</code></td>
+                          <td>string</td>
+                          <td>Markdown string to render</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "html": "&lt;p&gt;Hello &lt;strong&gt;world&lt;/strong&gt;&lt;/p&gt;" }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages/tags</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
-        <p>Aggregate all unique tags across every page, sorted alphabetically.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages/tags</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+                  <p>Aggregate all unique tags across every page, sorted alphabetically.</p>
+                  <pre class="code-block"><code>// Response 200
 { "tags": ["guide", "news", "tutorial"] }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
-        <p>List all pages with their metadata. Body content is excluded.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+                  <p>List all pages with their metadata. Body content is excluded.</p>
+                  <pre class="code-block"><code>// Response 200
 [
   {
     "urlPath": "/about",
@@ -261,94 +273,87 @@
     "slug": "about",
     "status": "published",
     "layout": "default",
-    "showInNav": true,
-    "sortOrder": 1,
-    "category": null,
-    "visibility": "public",
     "tags": [],
     "updatedAt": "2024-01-15T10:30:00.000Z",
     "createdAt": "2024-01-01T09:00:00.000Z"
   }
 ]</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages/*</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission. The <code>*</code> is the URL path,
-          e.g. <code>/api/pages/about</code> or <code>/api/pages/blog/post-1</code>.</p>
-        <p>Retrieve a single page including its frontmatter and full body content.</p>
-        <pre class="code-block"><code>// Response 200
-{
-  "urlPath": "/about",
-  "title": "About Us",
-  "body": "## Our Story\n\nWe started...",
-  "status": "published",
-  ...
-}
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/pages/*</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission. The <code>*</code> is the
+                      URL path,
+                      e.g. <code>/api/pages/about</code>.</p>
+                  <p>Retrieve a single page including its frontmatter and full body content.</p>
+                  <pre class="code-block"><code>// Response 200
+{ "urlPath": "/about", "title": "About Us", "body": "## Our Story\n\nWe started...", ... }
 // Error 404
 { "error": "Page not found" }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/pages</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
-        <p>Create a new page. Fails with 409 if a page already exists at the given path.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>urlPath</code></td>
-            <td>string</td>
-            <td>Required. Public URL path e.g. <code>/about</code></td>
-          </tr>
-          <tr>
-            <td><code>frontmatter</code></td>
-            <td>object</td>
-            <td>YAML frontmatter fields (title, status, etc.)</td>
-          </tr>
-          <tr>
-            <td><code>body</code></td>
-            <td>string</td>
-            <td>Markdown content</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 201 — returns the created page object</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/pages/*</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
-        <p>Update an existing page. Optionally rename it to a new URL path (navigation links are rewritten
-          automatically).</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>frontmatter</code></td>
-            <td>object</td>
-            <td>Updated frontmatter fields</td>
-          </tr>
-          <tr>
-            <td><code>body</code></td>
-            <td>string</td>
-            <td>Updated Markdown content</td>
-          </tr>
-          <tr>
-            <td><code>newUrlPath</code></td>
-            <td>string</td>
-            <td>Optional. Rename the page to a different URL path</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200 — returns the updated page object
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/pages</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+                  <p>Create a new page. Fails with 409 if a page already exists at the given path.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>urlPath</code></td>
+                          <td>string</td>
+                          <td>Required. Public URL path e.g. <code>/about</code></td>
+                      </tr>
+                      <tr>
+                          <td><code>frontmatter</code></td>
+                          <td>object</td>
+                          <td>YAML frontmatter fields (title, status, etc.)</td>
+                      </tr>
+                      <tr>
+                          <td><code>body</code></td>
+                          <td>string</td>
+                          <td>Markdown content</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 201 — returns the created page object</code></pre>
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/pages/*</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+                  <p>Update an existing page. Optionally rename it to a new URL path.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>frontmatter</code></td>
+                          <td>object</td>
+                          <td>Updated frontmatter fields</td>
+                      </tr>
+                      <tr>
+                          <td><code>body</code></td>
+                          <td>string</td>
+                          <td>Updated Markdown content</td>
+                      </tr>
+                      <tr>
+                          <td><code>newUrlPath</code></td>
+                          <td>string</td>
+                          <td>Optional. Rename the page to a different URL path</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200 — returns the updated page object
 // Error 404
 { "error": "Page not found" }
@@ -356,449 +361,398 @@
 // Error 409
 { "error": "A page already exists at that path" }</code></pre>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/pages/*</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
-        <p>Delete a page and its source file.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-delete">DELETE</span><span
+                          class="endpoint-path">/api/pages/*</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>pages</code> permission.</p>
+                  <p>Delete a page and its source file.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }
 // Error 404
 { "error": "Page not found" }</code></pre>
-      </div>
-    </div>
+              </div>
-    <!-- ─── Settings ───────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="settings"></span> Settings</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
+              <!-- Settings -->
+              <div class="tab-panel docs-body">
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/settings</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
-        <p>Return the full site settings object from <code>config/site.json</code>.</p>
-        <pre class="code-block"><code>// Response 200
-{
-  "siteName": "My Site",
-  "adminTheme": "charcoal-dark",
-  "smtp": { "host": "smtp.example.com", "port": 587, ... },
-  ...
-}</code></pre>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/settings</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+                  <p>Return the full site settings object from <code>config/site.json</code>.</p>
+                  <pre class="code-block"><code>// Response 200
+{ "siteName": "My Site", "adminTheme": "charcoal-dark", "smtp": { ... }, ... }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/settings</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
-        <p>Replace the site settings object. Send the full merged object — partial updates overwrite the entire
-          config.</p>
-        <pre class="code-block"><code>// Request body — full site settings object
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/settings</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+                  <p>Replace the site settings object. Send the full merged object — partial updates overwrite the
+                      entire config.</p>
+                  <pre class="code-block"><code>// Request body — full site settings object
 { "siteName": "My Site", "adminTheme": "ocean-dark", ... }
 // Response 200
 { "success": true }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span
-            class="endpoint-path">/api/settings/test-email</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
-        <p>Send a test email using the stored SMTP configuration. Fails if SMTP host is not configured.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>to</code></td>
-            <td>string</td>
-            <td>Optional. Recipient address. Defaults to the configured From Address.</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/settings/test-email</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+                  <p>Send a test email using the stored SMTP configuration.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>to</code></td>
+                          <td>string</td>
+                          <td>Optional. Recipient address. Defaults to the configured From Address.</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "success": true, "message": "Test email sent to alice@example.com" }
 // Error 400
 { "error": "SMTP is not configured. Save your SMTP settings first." }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/settings/custom-css</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
-        <p>Return the current custom CSS from <code>content/custom.css</code>. Returns an empty string if the file does
-          not exist.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/settings/custom-css</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+                  <p>Return the current custom CSS from <code>content/custom.css</code>.</p>
+                  <pre class="code-block"><code>// Response 200
 { "css": "body { font-family: sans-serif; }" }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/settings/custom-css</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
-        <p>Write CSS to <code>content/custom.css</code>. Maximum size is 100 KB.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>css</code></td>
-            <td>string</td>
-            <td>CSS string (max 100 KB)</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/settings/custom-css</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>settings</code> permission.</p>
+                  <p>Write CSS to <code>content/custom.css</code>. Maximum size is 100 KB.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>css</code></td>
+                          <td>string</td>
+                          <td>CSS string (max 100 KB)</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }</code></pre>
-      </div>
-    </div>
+              </div>
-    <!-- ─── Layouts ────────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="layout"></span> Layouts</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
+              <!-- Layouts -->
+              <div class="tab-panel docs-body">
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/layouts</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
-        <p>Return all layout presets from <code>config/presets.json</code>.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/layouts</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+                  <p>Return all layout presets from <code>config/presets.json</code>.</p>
+                  <pre class="code-block"><code>// Response 200
 {
   "default": { "label": "Default", "sections": [...] },
   "full-width": { "label": "Full Width", "sections": [...] }
 }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/layouts</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
-        <p>Replace the entire layout presets object.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/layouts</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+                  <p>Replace the entire layout presets object.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/layouts/options</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
-        <p>Return layout display options (e.g. spacer size) stored in <code>config/site.json</code> under <code>layoutOptions</code>.
-        </p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/layouts/options</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+                  <p>Return layout display options stored in <code>config/site.json</code> under
+                      <code>layoutOptions</code>.</p>
+                  <pre class="code-block"><code>// Response 200
 { "spacerSize": 8 }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/layouts/options</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
-        <p>Merge layout option updates into the existing options. Existing keys not included in the request are
-          preserved.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>spacerSize</code></td>
-            <td>number</td>
-            <td>Default spacer block size in pixels</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-put">PUT</span><span
+                          class="endpoint-path">/api/layouts/options</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>layouts</code> permission.</p>
+                  <p>Merge layout option updates into the existing options. Existing keys not included are
+                      preserved.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>spacerSize</code></td>
+                          <td>number</td>
+                          <td>Default spacer block size in pixels</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }</code></pre>
-      </div>
-    </div>
+              </div>
-    <!-- ─── Navigation ─────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="menu"></span> Navigation</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
+              <!-- Navigation -->
+              <div class="tab-panel docs-body">
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/navigation</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>navigation</code> permission.</p>
-        <p>Return the navigation configuration from <code>config/navigation.json</code>.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/navigation</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>navigation</code> permission.</p>
+                  <p>Return the navigation configuration from <code>config/navigation.json</code>.</p>
+                  <pre class="code-block"><code>// Response 200
 {
   "items": [
     { "label": "Home", "url": "/" },
     { "label": "About", "url": "/about" },
-    {
-      "label": "Resources",
-      "items": [
-        { "label": "Blog", "url": "/blog" }
-      ]
-    }
+    { "label": "Resources", "items": [ { "label": "Blog", "url": "/blog" } ] }
   ]
 }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/navigation</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>navigation</code> permission.</p>
-        <p>Replace the navigation config. Sub-items must use the <code>items</code> key (the server normalises <code>children</code>
-          to <code>items</code> automatically).</p>
-        <pre class="code-block"><code>// Request body
-{
-  "items": [
-    { "label": "Home", "url": "/" },
-    { "label": "About", "url": "/about" }
-  ]
-}
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/navigation</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>navigation</code> permission.</p>
+                  <p>Replace the navigation config. Sub-items must use the <code>items</code> key (the server normalises
+                      <code>children</code>
+                      to <code>items</code> automatically).</p>
+                  <pre class="code-block"><code>// Request body
+{ "items": [ { "label": "Home", "url": "/" }, { "label": "About", "url": "/about" } ] }
 // Response 200
 { "success": true }</code></pre>
-      </div>
-    </div>
-    <!-- ─── Media ──────────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="image"></span> Media</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/media</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
-        <p>List all media files in the uploads directory.</p>
-        <pre class="code-block"><code>// Response 200
-[
-  { "name": "hero.jpg", "url": "/media/hero.jpg", "size": 204800, "mime": "image/jpeg" }
-]</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/media</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>media</code> permission. Content-Type: <code>multipart/form-data</code>.
-        </p>
-        <p>Upload one or more files. Filenames are sanitised (only alphanumeric, dot, underscore, hyphen allowed).
-          Returns a single object for one file, or an array for multiple.</p>
-        <pre class="code-block"><code>// Response 201 (single file)
-{ "name": "photo.jpg", "url": "/media/photo.jpg", "size": 98304, "mime": "image/jpeg" }
-// Response 201 (multiple files)
-[
-  { "name": "photo1.jpg", "url": "/media/photo1.jpg", ... },
-  { "name": "photo2.jpg", "url": "/media/photo2.jpg", ... }
-]</code></pre>
-        <h3><span class="method-badge method-patch">PATCH</span><span class="endpoint-path">/api/media/:name</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
-        <p>Rename a media file. Returns the updated file info. Fails with 409 if the new name already exists.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>newName</code></td>
-            <td>string</td>
-            <td>New filename (will be sanitised)</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+              </div>
+              <!-- Media -->
+              <div class="tab-panel docs-body">
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/media</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+                  <p>List all media files in the uploads directory.</p>
+                  <pre class="code-block"><code>// Response 200
+[ { "name": "hero.jpg", "url": "/media/hero.jpg", "size": 204800, "mime": "image/jpeg" } ]</code></pre>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/media</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>media</code> permission. Content-Type: <code>multipart/form-data</code>.
+                  </p>
+                  <p>Upload one or more files. Returns a single object for one file, or an array for multiple.</p>
+                  <pre class="code-block"><code>// Response 201 (single)
+{ "name": "photo.jpg", "url": "/media/photo.jpg", "size": 98304, "mime": "image/jpeg" }</code></pre>
+                  <h3><span class="method-badge method-patch">PATCH</span><span
+                          class="endpoint-path">/api/media/:name</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+                  <p>Rename a media file. Fails with 409 if the new name already exists.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>newName</code></td>
+                          <td>string</td>
+                          <td>New filename (will be sanitised)</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "name": "new-photo.jpg", "url": "/media/new-photo.jpg", ... }</code></pre>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/media/:name</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
-        <p>Delete a media file from the uploads directory.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-delete">DELETE</span><span
+                          class="endpoint-path">/api/media/:name</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+                  <p>Delete a media file from the uploads directory.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/media/:name/info</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
-        <p>Return image metadata (dimensions, format, file size) for editable image formats (JPEG, PNG, WebP, GIF,
-          TIFF).</p>
-        <pre class="code-block"><code>// Response 200
-{ "width": 1920, "height": 1080, "format": "jpeg", "size": 204800 }
-// Error 400
-{ "error": "Not an editable image format" }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span
-            class="endpoint-path">/api/media/:name/transform</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
-        <p>Apply image transformations (resize, crop, rotate, watermark, etc.) and optionally save to a new
-          filename.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>operations</code></td>
-            <td>object</td>
-            <td>Transformation operations to apply</td>
-          </tr>
-          <tr>
-            <td><code>saveAs</code></td>
-            <td>string</td>
-            <td>Optional. Output filename. Defaults to overwriting the source.</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Request body example
-{
-  "operations": { "resize": { "width": 800, "height": 600 }, "format": "webp" },
-  "saveAs": "hero-800.webp"
-}
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/media/:name/info</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+                  <p>Return image metadata (dimensions, format, file size) for editable image formats (JPEG, PNG, WebP,
+                      GIF, TIFF).</p>
+                  <pre class="code-block"><code>// Response 200
+{ "width": 1920, "height": 1080, "format": "jpeg", "size": 204800 }</code></pre>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/media/:name/transform</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>media</code> permission.</p>
+                  <p>Apply image transformations (resize, crop, rotate, watermark, etc.) and optionally save to a new
+                      filename.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>operations</code></td>
+                          <td>object</td>
+                          <td>Transformation operations to apply</td>
+                      </tr>
+                      <tr>
+                          <td><code>saveAs</code></td>
+                          <td>string</td>
+                          <td>Optional. Output filename. Defaults to overwriting the source.</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Request body
+{ "operations": { "resize": { "width": 800, "height": 600 }, "format": "webp" }, "saveAs": "hero-800.webp" }
 // Response 200
 { "name": "hero-800.webp", "url": "/media/hero-800.webp", ... }</code></pre>
-      </div>
-    </div>
+              </div>
-    <!-- ─── Users ──────────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="users"></span> Users</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
+              <!-- Users -->
+              <div class="tab-panel docs-body">
-        <p>Role hierarchy governs which users can manage other users. A manager cannot create, edit, or delete an admin.
-          Self-deletion is always blocked.</p>
+                  <p>Role hierarchy governs which users can manage other users. A manager cannot create, edit, or delete
+                      an admin.
+                      Self-deletion is always blocked.</p>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/users</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>users</code> permission (admin or manager).</p>
-        <p>Return all users. Passwords are stripped from the response.</p>
-        <pre class="code-block"><code>// Response 200
-[
-  { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }
-]</code></pre>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/users</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>users</code> permission (admin or manager).</p>
+                  <p>Return all users. Passwords are stripped from the response.</p>
+                  <pre class="code-block"><code>// Response 200
+[ { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true } ]</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/users/:id</span></h3>
-        <p class="auth-note">Requires Bearer token. Accessible to the user themselves, or a user with <code>users</code>
-          permission.</p>
-        <p>Return a single user by ID.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/users/:id</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token. Accessible to the user themselves, or a user with <code>users</code>
+                      permission.</p>
+                  <p>Return a single user by ID.</p>
+                  <pre class="code-block"><code>// Response 200
 { "id": "uuid", "name": "Alice", "email": "alice@example.com", "role": "admin", "isActive": true }
 // Error 404
 { "error": "User not found" }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/users</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
-        <p>Create a new user. The actor cannot assign a role higher than their own level.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>name</code></td>
-            <td>string</td>
-            <td>Display name</td>
-          </tr>
-          <tr>
-            <td><code>email</code></td>
-            <td>string</td>
-            <td>Unique email address</td>
-          </tr>
-          <tr>
-            <td><code>password</code></td>
-            <td>string</td>
-            <td>Minimum 8 characters</td>
-          </tr>
-          <tr>
-            <td><code>role</code></td>
-            <td>string</td>
-            <td>Optional. Defaults to <code>editor</code>.</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 201
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/users</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
+                  <p>Create a new user. The actor cannot assign a role higher than their own level.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>name</code></td>
+                          <td>string</td>
+                          <td>Display name</td>
+                      </tr>
+                      <tr>
+                          <td><code>email</code></td>
+                          <td>string</td>
+                          <td>Unique email address</td>
+                      </tr>
+                      <tr>
+                          <td><code>password</code></td>
+                          <td>string</td>
+                          <td>Minimum 8 characters</td>
+                      </tr>
+                      <tr>
+                          <td><code>role</code></td>
+                          <td>string</td>
+                          <td>Optional. Defaults to <code>editor</code>.</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 201
 { "id": "uuid", "name": "Bob", "email": "bob@example.com", "role": "editor", "isActive": true }
 // Error 409
 { "error": "Email already in use" }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/users/:id</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
-        <p>Update a user's details. Managers cannot edit admins. Role escalation beyond the actor's own level is
-          blocked.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>name</code></td>
-            <td>string</td>
-            <td>New display name</td>
-          </tr>
-          <tr>
-            <td><code>email</code></td>
-            <td>string</td>
-            <td>New email address</td>
-          </tr>
-          <tr>
-            <td><code>password</code></td>
-            <td>string</td>
-            <td>New password (min 8 chars)</td>
-          </tr>
-          <tr>
-            <td><code>role</code></td>
-            <td>string</td>
-            <td>New role</td>
-          </tr>
-          <tr>
-            <td><code>isActive</code></td>
-            <td>boolean</td>
-            <td>Enable or disable the account</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200 — returns the updated user object</code></pre>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/users/:id</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
-        <p>Delete a user. Cannot delete your own account or a user with a higher role level.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/users/:id</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
+                  <p>Update a user's details. Managers cannot edit admins. Role escalation beyond the actor's own level
+                      is blocked.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>name</code></td>
+                          <td>string</td>
+                          <td>New display name</td>
+                      </tr>
+                      <tr>
+                          <td><code>email</code></td>
+                          <td>string</td>
+                          <td>New email address</td>
+                      </tr>
+                      <tr>
+                          <td><code>password</code></td>
+                          <td>string</td>
+                          <td>New password (min 8 chars)</td>
+                      </tr>
+                      <tr>
+                          <td><code>role</code></td>
+                          <td>string</td>
+                          <td>New role</td>
+                      </tr>
+                      <tr>
+                          <td><code>isActive</code></td>
+                          <td>boolean</td>
+                          <td>Enable or disable the account</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200 — returns the updated user object</code></pre>
+                  <h3><span class="method-badge method-delete">DELETE</span><span
+                          class="endpoint-path">/api/users/:id</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>users</code> permission.</p>
+                  <p>Delete a user. Cannot delete your own account or a user with a higher role level.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }
 // Error 403
 { "error": "You cannot delete your own account" }</code></pre>
-      </div>
-    </div>
+              </div>
-    <!-- ─── Plugins ────────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="package"></span> Plugins</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
+              <!-- Plugins -->
+              <div class="tab-panel docs-body">
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/plugins</span></h3>
-        <p class="auth-note">Requires Bearer token + admin role.</p>
-        <p>List all discovered plugins with their current enabled state and settings.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/plugins</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + admin role.</p>
+                  <p>List all discovered plugins with their current enabled state and settings.</p>
+                  <pre class="code-block"><code>// Response 200
 [
   {
     "name": "form-builder",
@@ -813,596 +767,478 @@
   }
 ]</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/plugins/:name</span></h3>
-        <p class="auth-note">Requires Bearer token + admin role.</p>
-        <p>Enable or disable a plugin, or update its settings. Plugin must exist in the <code>plugins/</code> directory.
-        </p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>enabled</code></td>
-            <td>boolean</td>
-            <td>Whether the plugin is active</td>
-          </tr>
-          <tr>
-            <td><code>settings</code></td>
-            <td>object</td>
-            <td>Plugin-specific settings object</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-put">PUT</span><span
+                          class="endpoint-path">/api/plugins/:name</span></h3>
+                  <p class="auth-note">Requires Bearer token + admin role.</p>
+                  <p>Enable or disable a plugin, or update its settings.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>enabled</code></td>
+                          <td>boolean</td>
+                          <td>Whether the plugin is active</td>
+                      </tr>
+                      <tr>
+                          <td><code>settings</code></td>
+                          <td>object</td>
+                          <td>Plugin-specific settings object</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }
 // Error 404
 { "error": "Plugin not found" }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/plugins/admin-config</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token (any role).</p>
-        <p>Return the merged admin configuration for all enabled plugins — sidebar items, SPA routes, and view entry
-          points. Used by the admin SPA on startup to inject plugin UI.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/plugins/admin-config</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token (any role).</p>
+                  <p>Return the merged admin configuration for all enabled plugins — sidebar items, SPA routes, and view
+                      entry points.</p>
+                  <pre class="code-block"><code>// Response 200
 {
-  "sidebar": [
-    { "id": "form-builder", "text": "Form Settings", "icon": "clipboard", "url": "#/form-settings" }
-  ],
-  "routes": [
-    { "path": "/form-settings", "view": "formSettings", "title": "Form Settings - Domma CMS" }
-  ],
-  "views": {
-    "formSettings": { "entry": "form-builder/admin/views/settings.js", "exportName": "formSettingsView" }
-  }
+  "sidebar": [ { "id": "form-builder", "text": "Form Settings", "icon": "clipboard", "url": "#/form-settings" } ],
+  "routes": [ { "path": "/form-settings", "view": "formSettings", "title": "Form Settings - Domma CMS" } ],
+  "views": { "formSettings": { "entry": "form-builder/admin/views/settings.js", "exportName": "formSettingsView" } }
 }</code></pre>
-      </div>
-    </div>
+              </div>
-    <!-- ─── Collections ────────────────────────────────────────────── -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content"><h2><span data-icon="database"></span> Collections</h2></div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
+              <!-- Collections -->
+              <div class="tab-panel docs-body">
-        <p>Collections have two access planes: <strong>admin endpoints</strong> (authenticated, role-gated) and <strong>public
-          endpoints</strong> (access level configured per collection).</p>
+                  <p>Collections have two access planes: <strong>admin endpoints</strong> (authenticated, role-gated)
+                      and <strong>public
+                          endpoints</strong> (access level configured per collection).</p>
-        <h3 style="margin-top:16px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Schema
-          Management</h3>
+                  <h3 style="margin-top:16px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Schema Management</h3>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>List all collection schemas (metadata only, no entries).</p>
-        <pre class="code-block"><code>// Response 200
-[
-  { "slug": "blog", "title": "Blog Posts", "description": "...", "fields": [...] }
-]</code></pre>
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/collections</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>List all collection schemas (metadata only, no entries).</p>
+                  <pre class="code-block"><code>// Response 200
+[ { "slug": "blog", "title": "Blog Posts", "description": "...", "fields": [...] } ]</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span
-            class="endpoint-path">/api/collections/pro-status</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Check whether the Pro (MongoDB) storage adapter is available. Returns named connections if configured.</p>
-        <pre class="code-block"><code>// Response 200 (free)
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/pro-status</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Check whether the Pro (MongoDB) storage adapter is available.</p>
+                  <pre class="code-block"><code>// Response 200 (free)
 { "pro": false, "connections": [] }
 // Response 200 (pro)
 { "pro": true, "connections": ["default", "analytics"] }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span
-            class="endpoint-path">/api/collections/connections</span></h3>
-        <p class="auth-note">Requires Bearer token + admin role.</p>
-        <p>Return configured MongoDB connections from <code>config/connections.json</code>.</p>
-        <pre class="code-block"><code>// Response 200
-{
-  "default": { "type": "mongodb", "uri": "mongodb://localhost:27017", "database": "my_cms" }
-}</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span
-            class="endpoint-path">/api/collections/connections</span></h3>
-        <p class="auth-note">Requires Bearer token + admin role.</p>
-        <p>Save MongoDB connection definitions. Each connection requires <code>type</code>, <code>uri</code>, and <code>database</code>.
-        </p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>{name}</code></td>
-            <td>object</td>
-            <td>Named connection with <code>type</code>, <code>uri</code>, <code>database</code></td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/connections</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + admin role.</p>
+                  <p>Return configured MongoDB connections from <code>config/connections.json</code>.</p>
+                  <pre class="code-block"><code>// Response 200
+{ "default": { "type": "mongodb", "uri": "mongodb://localhost:27017", "database": "my_cms" } }</code></pre>
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/connections</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + admin role.</p>
+                  <p>Save MongoDB connection definitions. Each connection requires <code>type</code>, <code>uri</code>,
+                      and <code>database</code>.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }
 // Error 400
 { "error": "Connection \"default\" requires type, uri, and database" }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/collections</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Create a new collection. A <code>slug</code> is auto-generated from the title if not provided.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>title</code></td>
-            <td>string</td>
-            <td>Required. Human-readable collection name</td>
-          </tr>
-          <tr>
-            <td><code>slug</code></td>
-            <td>string</td>
-            <td>Optional. URL-safe identifier. Auto-generated if omitted.</td>
-          </tr>
-          <tr>
-            <td><code>description</code></td>
-            <td>string</td>
-            <td>Optional description</td>
-          </tr>
-          <tr>
-            <td><code>fields</code></td>
-            <td>array</td>
-            <td>Field definitions</td>
-          </tr>
-          <tr>
-            <td><code>api</code></td>
-            <td>object</td>
-            <td>Public API access config per operation</td>
-          </tr>
-          <tr>
-            <td><code>storage</code></td>
-            <td>object</td>
-            <td>Optional. Pro: <code>{ "adapter": "mongodb", "connection": "default" }</code></td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 201 — returns the created schema object
+                  <h3><span class="method-badge method-post">POST</span><span
+                          class="endpoint-path">/api/collections</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Create a new collection. A <code>slug</code> is auto-generated from the title if not provided.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>title</code></td>
+                          <td>string</td>
+                          <td>Required. Human-readable collection name</td>
+                      </tr>
+                      <tr>
+                          <td><code>slug</code></td>
+                          <td>string</td>
+                          <td>Optional. URL-safe identifier. Auto-generated if omitted.</td>
+                      </tr>
+                      <tr>
+                          <td><code>description</code></td>
+                          <td>string</td>
+                          <td>Optional description</td>
+                      </tr>
+                      <tr>
+                          <td><code>fields</code></td>
+                          <td>array</td>
+                          <td>Field definitions</td>
+                      </tr>
+                      <tr>
+                          <td><code>api</code></td>
+                          <td>object</td>
+                          <td>Public API access config per operation</td>
+                      </tr>
+                      <tr>
+                          <td><code>storage</code></td>
+                          <td>object</td>
+                          <td>Optional Pro: <code>{ "adapter": "mongodb", "connection": "default" }</code></td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 201 — returns the created schema object
 // Error 409
 { "error": "A collection with that slug already exists" }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Return the schema for a single collection by slug.</p>
-        <pre class="code-block"><code>// Response 200
-{
-  "slug": "blog",
-  "title": "Blog Posts",
-  "fields": [
-    { "name": "title", "type": "text", "required": true },
-    { "name": "body",  "type": "richtext" }
-  ],
-  "api": { "read": { "enabled": true, "access": "public" }, ... }
-}
-// Error 404
-{ "error": "Collection not found" }</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Update a collection schema.</p>
-        <pre class="code-block"><code>// Response 200 — returns the updated schema
-// Error 404
-{ "error": "Collection not found" }</code></pre>
-        <h3><span class="method-badge method-delete">DELETE</span><span
-            class="endpoint-path">/api/collections/:slug</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-          <p>Delete a collection and all its entries. Preset collections (e.g. <code>roles</code>) cannot be deleted.
-        </p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/collections/:slug</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Return the schema for a single collection by slug.</p>
+                  <h3><span class="method-badge method-put">PUT</span><span
+                          class="endpoint-path">/api/collections/:slug</span></h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Update a collection schema.</p>
+                  <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Delete a collection and all its entries. Preset collections cannot be deleted.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }
 // Error 403
 { "error": "Cannot delete a preset collection" }</code></pre>
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Admin Entry
-          CRUD</h3>
-        <h3><span class="method-badge method-get">GET</span><span
-            class="endpoint-path">/api/collections/:slug/entries</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>List entries with pagination, sorting, and full-text search.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Query param</th>
-            <th>Default</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>page</code></td>
-            <td>1</td>
-            <td>Page number</td>
-          </tr>
-          <tr>
-            <td><code>limit</code></td>
-            <td>50</td>
-            <td>Entries per page</td>
-          </tr>
-          <tr>
-            <td><code>sort</code></td>
-            <td>createdAt</td>
-            <td>Field to sort by</td>
-          </tr>
-          <tr>
-            <td><code>order</code></td>
-            <td>desc</td>
-            <td><code>asc</code> or <code>desc</code></td>
-          </tr>
-          <tr>
-            <td><code>search</code></td>
-            <td>—</td>
-            <td>Full-text search query</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200
-{
-  "entries": [ { "id": "uuid", "data": { ... }, "createdAt": "...", "updatedAt": "..." } ],
-  "total": 42,
-  "page": 1,
-  "limit": 50
-}</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Return a single entry by ID.</p>
-        <pre class="code-block"><code>// Response 200
-{ "id": "uuid", "data": { "title": "Hello World", "body": "..." }, "createdAt": "...", "updatedAt": "..." }
-// Error 404
-{ "error": "Entry not found" }</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span
-            class="endpoint-path">/api/collections/:slug/entries</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Create a new entry. Data is validated against the collection schema.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>data</code></td>
-            <td>object</td>
-            <td>Entry field values keyed by field name</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 201 — returns the created entry</code></pre>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Update an entry. Data is validated against the schema.</p>
-        <pre class="code-block"><code>// Response 200 — returns the updated entry
-// Error 404
-{ "error": "Entry not found" }</code></pre>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-          <p>Delete a single entry. Deleting the root admin role from <code>roles</code> is blocked.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Admin Entry CRUD</h3>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/entries</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>List entries with pagination, sorting, and full-text search.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Query param</th>
+                          <th>Default</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>page</code></td>
+                          <td>1</td>
+                          <td>Page number</td>
+                      </tr>
+                      <tr>
+                          <td><code>limit</code></td>
+                          <td>50</td>
+                          <td>Entries per page</td>
+                      </tr>
+                      <tr>
+                          <td><code>sort</code></td>
+                          <td>createdAt</td>
+                          <td>Field to sort by</td>
+                      </tr>
+                      <tr>
+                          <td><code>order</code></td>
+                          <td>desc</td>
+                          <td><code>asc</code> or <code>desc</code></td>
+                      </tr>
+                      <tr>
+                          <td><code>search</code></td>
+                          <td>—</td>
+                          <td>Full-text search query</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200
+{ "entries": [ { "id": "uuid", "data": { ... }, "createdAt": "...", "updatedAt": "..." } ], "total": 42, "page": 1, "limit": 50 }</code></pre>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Return a single entry by ID.</p>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/collections/:slug/entries</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Create a new entry. Data is validated against the collection schema.</p>
+                  <pre class="code-block"><code>// Response 201 — returns the created entry</code></pre>
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Update an entry. Data is validated against the schema.</p>
+                  <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/entries/:id</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Delete a single entry.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }</code></pre>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/entries</span>
-        </h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Clear all entries from a collection. Irreversible.</p>
-        <pre class="code-block"><code>// Response 200
+                  <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/entries</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Clear all entries from a collection. Irreversible.</p>
+                  <pre class="code-block"><code>// Response 200
 { "success": true }</code></pre>
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Export &amp;
-          Import</h3>
-        <h3><span class="method-badge method-get">GET</span><span
-            class="endpoint-path">/api/collections/:slug/export</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Download all entries as a file attachment.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Query param</th>
-            <th>Values</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>format</code></td>
-            <td><code>json</code> (default), <code>csv</code></td>
-            <td>Export format</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Response 200 — file download
+                  <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Export &amp; Import</h3>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/export</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Download all entries as a file attachment.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Query param</th>
+                          <th>Values</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>format</code></td>
+                          <td><code>json</code> (default), <code>csv</code></td>
+                          <td>Export format</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Response 200 — file download
 // Content-Disposition: attachment; filename="blog-entries.json"</code></pre>
-        <h3><span class="method-badge method-post">POST</span><span
-            class="endpoint-path">/api/collections/:slug/import</span></h3>
-        <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
-        <p>Bulk-import entries from a JSON array. Existing entries are not removed.</p>
-        <table class="table table-sm">
-          <thead>
-          <tr>
-            <th>Field</th>
-            <th>Type</th>
-            <th>Description</th>
-          </tr>
-          </thead>
-          <tbody>
-          <tr>
-            <td><code>entries</code></td>
-            <td>array</td>
-            <td>Array of entry objects with a <code>data</code> field each</td>
-          </tr>
-          </tbody>
-        </table>
-        <pre class="code-block"><code>// Request body
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/collections/:slug/import</span>
+                  </h3>
+                  <p class="auth-note">Requires Bearer token + <code>collections</code> permission.</p>
+                  <p>Bulk-import entries from a JSON array. Existing entries are not removed.</p>
+                  <table class="table table-sm">
+                      <thead>
+                      <tr>
+                          <th>Field</th>
+                          <th>Type</th>
+                          <th>Description</th>
+                      </tr>
+                      </thead>
+                      <tbody>
+                      <tr>
+                          <td><code>entries</code></td>
+                          <td>array</td>
+                          <td>Array of entry objects with a <code>data</code> field each</td>
+                      </tr>
+                      </tbody>
+                  </table>
+                  <pre class="code-block"><code>// Request body
 { "entries": [ { "data": { "title": "Post 1" } }, { "data": { "title": "Post 2" } } ] }
 // Response 201
 { "imported": 2, "skipped": 0 }</code></pre>
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">Public
-          Access</h3>
+                  <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Public Access</h3>
-        <p>Public endpoints respect the per-collection <code>api</code> config. Each operation (<code>read</code>,
-          <code>create</code>, <code>update</code>, <code>delete</code>) can be <strong>disabled</strong>, <strong>public</strong>
-          (no auth), or restricted to a minimum role level.</p>
+                  <p>Public endpoints respect the per-collection <code>api</code> config. Each operation can be <strong>disabled</strong>,
+                      <strong>public</strong> (no auth), or restricted to a minimum role level.</p>
-        <h3><span class="method-badge method-get">GET</span><span
-            class="endpoint-path">/api/collections/:slug/public</span></h3>
-        <p class="auth-note">Access level: per collection <code>api.read</code> config.</p>
-        <p>List entries publicly. Supports the same pagination and search query params as the admin endpoint.</p>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/public</span>
+                  </h3>
+                  <p class="auth-note">Access level: per collection <code>api.read</code> config.</p>
+                  <p>List entries publicly. Supports the same pagination and search query params as the admin
+                      endpoint.</p>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
-        </h3>
-        <p class="auth-note">Access level: per collection <code>api.read</code> config.</p>
-        <p>Return a single entry publicly by ID.</p>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
+                  </h3>
+                  <p class="auth-note">Access level: per collection <code>api.read</code> config.</p>
+                  <p>Return a single entry publicly by ID.</p>
-        <h3><span class="method-badge method-post">POST</span><span
-            class="endpoint-path">/api/collections/:slug/public</span></h3>
-        <p class="auth-note">Access level: per collection <code>api.create</code> config.</p>
-        <p>Create an entry publicly (e.g. form submissions). Entry is tagged with <code>source: "api"</code>.</p>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/collections/:slug/public</span>
+                  </h3>
+                  <p class="auth-note">Access level: per collection <code>api.create</code> config.</p>
+                  <p>Create an entry publicly (e.g. form submissions). Entry is tagged with <code>source: "api"</code>.
+                  </p>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
-        </h3>
-        <p class="auth-note">Access level: per collection <code>api.update</code> config.</p>
-        <p>Update an entry publicly.</p>
+                  <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
+                  </h3>
+                  <p class="auth-note">Access level: per collection <code>api.update</code> config.</p>
+                  <p>Update an entry publicly.</p>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
-        </h3>
-        <p class="auth-note">Access level: per collection <code>api.delete</code> config.</p>
-        <p>Delete an entry publicly.</p>
+                  <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/collections/:slug/public/:id</span>
+                  </h3>
+                  <p class="auth-note">Access level: per collection <code>api.delete</code> config.</p>
+                  <p>Delete an entry publicly.</p>
-      </div>
-    </div>
+              </div>
-    <!-- Views API -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content">
-          <h2><span data-icon="eye"></span> Views API
-            <span class="badge badge-warning" style="font-size:.7rem;margin-left:.4rem;">Pro</span>
-          </h2>
-        </div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
-        <p>Views require a MongoDB connection. All admin endpoints require authentication and the
-          <code>views</code> permission. View configs are stored in the <code>cms__views</code> MongoDB collection
-          on the <code>default</code> connection.</p>
+              <!-- Views API -->
+              <div class="tab-panel docs-body">
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
-          Admin Endpoints</h3>
+                  <p>Views require a MongoDB connection. All admin endpoints require authentication and the
+                      <code>views</code> permission. View configs are stored in the <code>cms__views</code> MongoDB
+                      collection.</p>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>List all view configs, sorted by creation date descending.</p>
+                  <h3 style="margin-top:16px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Admin Endpoints</h3>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/views</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>Create a new view config. Returns <code>201</code> on success.</p>
-        <pre class="code-block"><code>{
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views</span></h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>List all view configs, sorted by creation date descending.</p>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/views</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>Create a new view config. Returns <code>201</code> on success.</p>
+                  <pre class="code-block"><code>{
   "title": "Active Premium Users",
-  "slug": "active-premium-users",       // optional — auto-derived from title
-  "description": "...",
+  "slug": "active-premium-users",
   "connection": "default",
   "pipeline": {
-    "source": "users",                  // CMS collection slug
+    "source": "users",
     "stages": [
       { "type": "$match",   "config": { "data.status": "active" } },
       { "type": "$sort",    "config": { "meta.createdAt": -1 } },
       { "type": "$project", "config": { "data.name": 1, "data.email": 1 } }
     ]
   },
-  "display": {
-    "mode": "table",                    // "table" | "list"
-    "columns": [
-      { "key": "data.name",  "label": "Name" },
-      { "key": "data.email", "label": "Email" }
-    ],
-    "pageSize": 25
-  },
-  "access": {
-    "roles": ["admin", "manager"],
-    "public": false
-  }
+  "display": { "mode": "table", "columns": [ { "key": "data.name", "label": "Name" } ], "pageSize": 25 },
+  "access": { "roles": ["admin", "manager"], "public": false }
 }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>Return a single view config by slug.</p>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/views/:slug</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>Update a view config. Accepts the same body shape as POST; all fields are optional.</p>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/views/:slug</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>Delete a view config.</p>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug/execute</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>Execute the view's aggregation pipeline and return paginated results.</p>
-        <p><strong>Query params:</strong> <code>page</code> (default 1), <code>limit</code> (default 25).</p>
-        <pre class="code-block"><code>// Response
-{
-  "results": [ { "data": { "name": "Alice" }, ... }, ... ],
-  "total": 142,
-  "page": 1,
-  "limit": 25
-}</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/collection/:slug</span></h3>
-        <p class="auth-note">Requires: <code>views</code> permission</p>
-        <p>List all view configs whose <code>pipeline.source</code> matches the given collection slug.</p>
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
-          Public Endpoint</h3>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug/public</span></h3>
-        <p class="auth-note">Access level: per view <code>access</code> config</p>
-        <p>Execute the view publicly. If <code>access.public</code> is <code>false</code>, a valid JWT and
-          a role listed in <code>access.roles</code> is required. Same query params and response shape as
-          <code>/execute</code>.</p>
-      </div>
-    </div>
-    <!-- Actions API -->
-    <div class="card card-collapsible mb-4">
-      <div class="card-header" role="button" tabindex="0">
-        <div class="card-header-content">
-          <h2><span data-icon="zap"></span> Actions API
-            <span class="badge badge-warning" style="font-size:.7rem;margin-left:.4rem;">Pro</span>
-          </h2>
-        </div>
-        <span class="card-collapse-icon" data-icon="chevron-down"></span>
-      </div>
-      <div class="card-body docs-body">
-        <p>Actions require a MongoDB connection. All admin endpoints require authentication and the
-          <code>actions</code> permission. Action configs are stored in <code>cms__actions</code>.</p>
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
-          Admin Endpoints</h3>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>List all action configs.</p>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>Create a new action config. Returns <code>201</code> on success.</p>
-        <pre class="code-block"><code>{
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/views/:slug</span></h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>Return a single view config by slug.</p>
+                  <h3><span class="method-badge method-put">PUT</span><span
+                          class="endpoint-path">/api/views/:slug</span></h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>Update a view config. Accepts the same body shape as POST; all fields are optional.</p>
+                  <h3><span class="method-badge method-delete">DELETE</span><span
+                          class="endpoint-path">/api/views/:slug</span></h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>Delete a view config.</p>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug/execute</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>Execute the view's aggregation pipeline and return paginated results. Query params:
+                      <code>page</code> (default 1), <code>limit</code> (default 25).</p>
+                  <pre class="code-block"><code>// Response
+{ "results": [ ... ], "total": 142, "page": 1, "limit": 25 }</code></pre>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/collection/:slug</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>views</code> permission</p>
+                  <p>List all view configs whose <code>pipeline.source</code> matches the given collection slug.</p>
+                  <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Public Endpoint</h3>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/views/:slug/public</span>
+                  </h3>
+                  <p class="auth-note">Access level: per view <code>access</code> config</p>
+                  <p>Execute the view publicly. If <code>access.public</code> is <code>false</code>, a valid JWT and a
+                      role listed in <code>access.roles</code> is required.</p>
+              </div>
+              <!-- Actions API -->
+              <div class="tab-panel docs-body">
+                  <p>Actions require a MongoDB connection. All admin endpoints require authentication and the
+                      <code>actions</code> permission. Action configs are stored in <code>cms__actions</code>.</p>
+                  <h3 style="margin-top:16px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Admin Endpoints</h3>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>List all action configs.</p>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>Create a new action config. Returns <code>201</code> on success.</p>
+                  <pre class="code-block"><code>{
   "title": "Approve Application",
-  "slug": "approve-application",         // optional
-  "description": "...",
+  "slug": "approve-application",
   "collection": "applications",
-  "trigger": {
-    "type": "manual",
-    "label": "Approve",
-    "icon": "check-circle",
-    "confirmMessage": "Approve this application?"   // null to skip confirmation
-  },
+  "trigger": { "type": "manual", "label": "Approve", "icon": "check-circle", "confirmMessage": "Approve this application?" },
   "steps": [
-    { "type": "updateField",  "config": { "field": "status",     "value": "approved" } },
-    { "type": "updateField",  "config": { "field": "approvedAt", "value": "{{now}}"  } },
-    { "type": "webhook",      "config": { "url": "https://hooks.example.com/approved", "method": "POST",
-                                          "body": { "email": "{{entry.data.email}}" } } },
-    { "type": "email",        "config": { "to": "{{entry.data.email}}",
-                                          "subject": "Application approved",
-                                          "template": "Hi {{entry.data.name}}, your application is approved." } }
+    { "type": "updateField", "config": { "field": "status",     "value": "approved" } },
+    { "type": "updateField", "config": { "field": "approvedAt", "value": "{{now}}"  } },
+    { "type": "email",       "config": { "to": "{{entry.data.email}}", "subject": "Application approved",
+                                         "template": "Hi {{entry.data.name}}, your application is approved." } }
   ],
   "access": { "roles": ["admin", "manager"] }
 }</code></pre>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions/:slug</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>Return a single action config by slug.</p>
-        <h3><span class="method-badge method-put">PUT</span><span class="endpoint-path">/api/actions/:slug</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>Update an action config.</p>
-        <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/actions/:slug</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>Delete an action config.</p>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions/:slug/execute</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>Execute an action against a specific entry.</p>
-        <pre class="code-block"><code>// Request body
+                  <h3><span class="method-badge method-get">GET</span><span
+                          class="endpoint-path">/api/actions/:slug</span></h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>Return a single action config by slug.</p>
+                  <h3><span class="method-badge method-put">PUT</span><span
+                          class="endpoint-path">/api/actions/:slug</span></h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>Update an action config.</p>
+                  <h3><span class="method-badge method-delete">DELETE</span><span class="endpoint-path">/api/actions/:slug</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>Delete an action config.</p>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions/:slug/execute</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>Execute an action against a specific entry.</p>
+                  <pre class="code-block"><code>// Request body
 { "entryId": "uuid-of-the-entry" }
 // Response
-{
-  "success": true,
-  "stepsCompleted": 4,
-  "results": [
-    { "type": "updateField", "success": true, "result": { "field": "status", "value": "approved" } },
-    { "type": "email",       "success": true, "result": { "to": "user@example.com" } }
-  ]
-}
+{ "success": true, "stepsCompleted": 4, "results": [ { "type": "updateField", "success": true, ... } ] }
-// Partial failure response
-{
-  "success": false,
-  "stepsCompleted": 2,
-  "results": [
-    { "type": "updateField", "success": true,  "result": { "field": "status", "value": "approved" } },
-    { "type": "webhook",     "success": false, "error": "Webhook returned HTTP 500" }
-  ]
-}</code></pre>
+// Partial failure
+{ "success": false, "stepsCompleted": 2, "results": [ ..., { "type": "webhook", "success": false, "error": "Webhook returned HTTP 500" } ] }</code></pre>
+                  <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions/collection/:slug</span>
+                  </h3>
+                  <p class="auth-note">Requires: <code>actions</code> permission</p>
+                  <p>List all action configs targeting a given collection slug. Used by the entry list view to populate
+                      per-row trigger buttons.</p>
-        <h3><span class="method-badge method-get">GET</span><span class="endpoint-path">/api/actions/collection/:slug</span></h3>
-        <p class="auth-note">Requires: <code>actions</code> permission</p>
-        <p>List all action configs targeting a given collection slug. Used by the entry list view to
-          populate per-row trigger buttons.</p>
+                  <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
+                      Public Endpoint</h3>
-        <h3 style="margin-top:24px;font-size:15px;text-transform:uppercase;letter-spacing:.5px;opacity:.6">
-          Public Endpoint</h3>
+                  <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions/:slug/public</span>
+                  </h3>
+                  <p class="auth-note">Requires: JWT + role in <code>access.roles</code></p>
+                  <p>Execute an action publicly. Always requires a valid JWT — the role is checked against <code>access.roles</code>.
+                      Request body and response shape are identical to the admin <code>/execute</code> endpoint.</p>
-        <h3><span class="method-badge method-post">POST</span><span class="endpoint-path">/api/actions/:slug/public</span></h3>
-        <p class="auth-note">Requires: JWT + role in <code>access.roles</code></p>
-        <p>Execute an action publicly. Always requires a valid JWT — the role is checked against
-          <code>access.roles</code>. Request body and response shape are identical to the admin
-          <code>/execute</code> endpoint.</p>
+              </div>
       </div>
     </div>