From 93899554d13f8db39a9aa3446fa0e53c90054b55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Tue, 12 May 2026 20:15:20 +0300
Subject: [PATCH 01/10] Added information about configuring the rate limiter

---
 .../docs/customizing-fossbilling/config.mdoc  | 24 ++++++++++++++-----
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/src/content/docs/customizing-fossbilling/config.mdoc b/src/content/docs/customizing-fossbilling/config.mdoc
index 1b99d88..4429bf5 100644
--- a/src/content/docs/customizing-fossbilling/config.mdoc
+++ b/src/content/docs/customizing-fossbilling/config.mdoc
@@ -101,21 +101,33 @@ Temporarily disable public access. Use `allowed_urls` for endpoints that must st
 
 ### API Settings
 
-Control API access and rate limiting. Use `require_referrer_header` to lock browser-originated requests to your install URL, `allowed_ips` for explicit allowlists, and the `rate_*` values to tune throttling.
+Control API access. Use `require_referrer_header` to lock browser-originated requests to your install URL, and `allowed_ips` for explicit allowlists.
 
 ```php
 'api' => [
     'require_referrer_header' => true,
     'allowed_ips' => [],
-    'rate_span' => 60,
-    'rate_limit' => 100,
-    'throttle_delay' => 2,
-    'rate_span_login' => 60,
-    'rate_limit_login' => 20,
     'CSRFPrevention' => true,
 ],
 ```
 
+### Rate Limiter
+FOSSBilling includes a built-in rate limiter which depends on Symfony's [rate limiter](https://symfony.com/doc/current/rate_limiter.html) component.
+
+`policies` is an empty array by default and inherits sensible defaults from [`FOSSBilling\Security\RateLimiter::getDefaultConfig()`](https://github.com/FOSSBilling/FOSSBilling/blob/9acf34ec12f908e01e516b7d54839e155b990b9d/src/library/FOSSBilling/Security/RateLimiter.php#L37).
+
+Any policy you explicitly set in the `policies` array will override the default one. We have included an example below. You can refer to their documentation on creating rate limiter policies.
+
+```php
+'rate_limiter' => [
+    'enabled' => true,
+    'whitelist_ips' => [], // Array of whitelisted IP addresses and CIDRs
+    'policies' => [
+        'client_signup' => ['policy' => 'fixed_window', 'limit' => 5, 'interval' => '1 hour'],
+    ],
+],
+```
+
 ## Environment Variables
 
 Some settings can be overridden via environment variables:

From d3b76994d6c4025218b812c946a261af0a27a648 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 00:13:58 +0300
Subject: [PATCH 02/10] Update invoice PDF documentation for v0.8

---
 .../customizing-fossbilling/invoice-pdf.mdoc  | 69 +++++++++++--------
 1 file changed, 41 insertions(+), 28 deletions(-)

diff --git a/src/content/docs/customizing-fossbilling/invoice-pdf.mdoc b/src/content/docs/customizing-fossbilling/invoice-pdf.mdoc
index a7c7adf..fa2a36a 100644
--- a/src/content/docs/customizing-fossbilling/invoice-pdf.mdoc
+++ b/src/content/docs/customizing-fossbilling/invoice-pdf.mdoc
@@ -7,13 +7,14 @@ FOSSBilling generates invoice PDFs with [Dompdf](https://github.com/dompdf/dompd
 
 ## CSS Limitations
 
-Dompdf doesn't support everything. As of version 2.0.3:
+Dompdf is not a complete PDF engine. FOSSBilling uses Dompdf 3.x, which supports many print-friendly CSS features but still has layout limitations:
 
 | Supported | Not Supported |
 |-----------|---------------|
 | CSS 2.1 and some CSS3 | Flexbox |
 | `@import`, `@media`, `@page` | CSS Grid |
-| Basic positioning | Complex layouts |
+| CSS custom properties and math functions such as `calc()` | Browser-style complex layouts |
+| Basic positioning and table layouts | Splitting table rows or cells across pages |
 
 {% aside type="tip" %}
 Table cells can't span pages. Keep table rows compact enough to fit on one page.
@@ -23,37 +24,41 @@ Table cells can't span pages. Keep table rows compact enough to fit on one page.
 
 ### Creating a Custom Stylesheet
 
-1. Copy `/modules/Invoice/pdf_template/default-pdf.css`
-2. Paste as `/modules/Invoice/pdf_template/custom-pdf.css`
+1. Copy `/modules/Invoice/templates/pdf/default-invoice.css`
+2. Paste as `/modules/Invoice/templates/pdf/custom-invoice.css`
 
-FOSSBilling automatically uses `custom-pdf.css` if it exists.
+FOSSBilling automatically uses `custom-invoice.css` if it exists.
 
 {% aside type="caution" %}
-Editing `default-pdf.css` directly is overwritten on updates. Always use `custom-pdf.css`.
+Editing `default-invoice.css` directly is overwritten on updates. Always use `custom-invoice.css`.
 {% /aside %}
 
 ### CSS Classes Reference
 
 ![PDF layout with CSS classes](../../../assets/invoice-layout.png)
 
-Common classes include:
+The default stylesheet uses these classes:
 
-- `.invoice-header` — Company and client info
-- `.invoice-details` — Invoice number, date, due date
-- `.invoice-items` — Line items table
-- `.invoice-totals` — Subtotal, tax, total
-- `.invoice-footer` — Terms, notes
+- `.CompanyLogo` — Company logo image
+- `.TopSectionDivider` — Divider below the header area
+- `.InvoiceInfo` — Invoice number, dates, and status
+- `.CompanyInfo` — Seller/company heading and details
+- `.ClientInfo` — Client heading and details
+- `.Breakdown` — Line items, tax, discount, and total table
+- `.InvoiceText` — Custom invoice text blocks
+- `.InvoiceFooter` — Payment details, company footer, and signature
+- `.muted-text` — Muted footer signature text
 
 ## Custom HTML Template
 
-**FOSSBilling 0.6.0+**: Customize the HTML structure.
+Customize the HTML structure by adding a custom Twig template.
 
 ### Creating a Custom Template
 
-1. Copy `/modules/Invoice/pdf_template/default-pdf.twig`
-2. Paste as `/modules/Invoice/pdf_template/custom-pdf.twig`
+1. Copy `/modules/Invoice/templates/pdf/default-invoice.twig`
+2. Paste as `/modules/Invoice/templates/pdf/custom-invoice.twig`
 
-FOSSBilling uses `custom-pdf.twig` automatically.
+FOSSBilling uses `custom-invoice.twig` automatically.
 
 ### Template Variables
 
@@ -61,17 +66,24 @@ Available in PDF templates:
 
 | Variable | Description |
 |----------|-------------|
-| `invoice` | Invoice data (id, total, items, etc.) |
-| `client` | Client information |
-| `company` | Your company details |
-| `currency` | Currency code and symbol |
+| `currency_code` | Invoice currency code for `format_currency`. |
+| `css` | Contents of `custom-invoice.css` or `default-invoice.css`, inserted into the template's `<style>` block. |
+| `logo_source` | Resolved company logo source. This can be a local path, a remote URL, an SVG data URI, or an empty string. |
+| `seller` | Display-ready seller/company lines keyed by labels such as `Name`, `Address 1`, `Phone`, and `VAT Number`. |
+| `seller_lines` | Number of seller lines used by the default template for layout calculations. |
+| `footer` | Company footer details, including company name, bank details, address fields, email, phone, VAT/company number, website, and signature. |
+| `buyer` | Display-ready buyer/client lines keyed by labels such as `Company`, `Name`, `Address`, `City`, `Country`, `Phone`, and `VAT Number`. |
+| `buyer_lines` | Number of buyer lines used by the default template for layout calculations. |
+| `invoice` | Full invoice API array. Line items are in `invoice.lines`; raw buyer, seller, and client data are in `invoice.buyer`, `invoice.seller`, and `invoice.client`. |
+
+The PDF renderer does not provide top-level `client`, `company`, or `currency` variables. Use `invoice.client`, `seller`/`footer`, and `currency_code` instead.
 
 ### Example: Add a Custom Header
 
 ```twig
 <div class="custom-header">
   <img src="{{ company.logo_url }}" alt="{{ company.name }}">
-  <h1>INVOICE #{{ invoice.serie_nr }}</h1>
+  <h1>{{ 'Invoice'|trans }} #{{ invoice.serie_nr }}</h1>
 </div>
 ```
 
@@ -80,29 +92,30 @@ Available in PDF templates:
 PDF templates support the same [Twig filters](/developing-fossbilling/twig-filters/) available elsewhere in FOSSBilling:
 
 ```twig
-{{ invoice.total | money }}           {# Format as currency #}
-{{ invoice.created_at | timeago }}    {# Show relative time #}
+{{ invoice.total|format_currency(currency_code) }}  {# Format as currency #}
+{{ invoice.created_at|format_date }}                {# Format the invoice date #}
+{{ invoice.text_1|default('')|markdown_to_html }}   {# Render invoice text as HTML #}
 ```
 
 ## Testing Changes
 
-1. Make your edits to `custom-pdf.css` or `custom-pdf.twig`
+1. Make your edits to `custom-invoice.css` or `custom-invoice.twig`
 2. Generate a test invoice
 3. Download the PDF
 4. Review the output
 
 {% aside type="tip" %}
-PDF generation is cached. Clear the cache (**System → Tools → Clear cache**) after template changes.
+Twig templates may be cached. Clear the cache (**System → Tools → Clear cache**) if template changes do not appear.
 {% /aside %}
 
 ## Debugging
 
-For complex issues, enable Dompdf debugging in `config.php`:
+For complex issues, enable FOSSBilling debug mode in `config.php`:
 
 ```php
-'dompdf' => [
+'debug_and_monitoring' => [
     'debug' => true,
 ],
 ```
 
-Then review your PHP error logs for Dompdf-related messages.
+Then review your PHP or FOSSBilling logs for Dompdf-related messages.

From 0ed88a6737e8d1a32466c1751369d5ef41c6a7a8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 00:28:15 +0300
Subject: [PATCH 03/10] Update Twig and email-related docs to match v0.8

---
 .../email-templates.mdoc                      |  8 +-
 .../file-structure.mdoc                       |  7 +-
 .../guides/creating-a-theme.mdoc              | 33 ++++----
 .../developing-fossbilling/twig-filters.mdoc  | 77 +++++++++++--------
 4 files changed, 68 insertions(+), 57 deletions(-)

diff --git a/src/content/docs/customizing-fossbilling/email-templates.mdoc b/src/content/docs/customizing-fossbilling/email-templates.mdoc
index 8d4fee9..3654f0f 100644
--- a/src/content/docs/customizing-fossbilling/email-templates.mdoc
+++ b/src/content/docs/customizing-fossbilling/email-templates.mdoc
@@ -45,10 +45,10 @@ See [Twig Filters & Functions](/developing-fossbilling/twig-filters/) for all av
 
 ### Markdown Format
 
-Default templates use Markdown for simple formatting. Wrap your content with the `apply markdown` filter:
+Default templates use Markdown for simple formatting. Wrap your content with the `apply markdown_to_html` filter:
 
 ```twig
-\{% apply markdown %\}
+\{% apply markdown_to_html %\}
 Hi \{\{ staff.name \}\},
 
 If you are reading this email, FOSSBilling is **configured properly** and is **able to send emails**.
@@ -108,7 +108,7 @@ For full control, use HTML:
 
 Templates exist in two places:
 
-1. **Module source** — `modules/{Module}/html_email/`
+1. **Module source** — `modules/{Module}/templates/email/`
 2. **Database** — `email_template` table (copied there when module is installed)
 
 After installation, edit templates through the admin panel or directly in the database. Changes made only to the module files will not apply until you regenerate the templates.
@@ -121,4 +121,4 @@ After installation, edit templates through the admin panel or directly in the da
 
 ## Example Module
 
-See the [example module](https://github.com/FOSSBilling/example-module/tree/main/html_email) for more template examples.
+See the [core email templates](https://github.com/FOSSBilling/FOSSBilling/tree/main/src/modules/Email/templates/email) for more template examples.
diff --git a/src/content/docs/developing-fossbilling/file-structure.mdoc b/src/content/docs/developing-fossbilling/file-structure.mdoc
index 4583c8f..e90580c 100644
--- a/src/content/docs/developing-fossbilling/file-structure.mdoc
+++ b/src/content/docs/developing-fossbilling/file-structure.mdoc
@@ -90,9 +90,10 @@ ModuleName/
 │   ├── Admin.php       # Admin routes/controllers
 │   ├── Client.php      # Client routes/controllers
 │   └── Guest.php       # Guest routes/controllers
-├── html_admin/         # Admin panel templates
-├── html_client/        # Client area templates
-├── html_email/         # Email templates
+├── templates/
+│   ├── admin/          # Admin panel templates
+│   ├── client/         # Client area templates
+│   └── email/          # Email templates
 ├── manifest.json       # Module metadata
 └── Service.php         # Business logic (not exposed via API)
 ```
diff --git a/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc b/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
index 6ed6872..58c0990 100644
--- a/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
+++ b/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
@@ -11,8 +11,8 @@ FOSSBilling is evolving quickly on the path to 1.0. Expect breaking changes in 0
 
 FOSSBilling uses [Twig](https://twig.symfony.com/) for templating. Themes work by overriding the templates shipped by modules:
 
-1. Module provides a default template (`modules/example/html_client/template.twig`)
-2. Your theme provides an override (`themes/mytheme/html/template.twig`)
+1. Module provides a default template (`modules/Example/templates/client/mod_example_index.html.twig`)
+2. Your theme provides an override with the same filename (`themes/mytheme/html/mod_example_index.html.twig`)
 3. FOSSBilling uses your theme's version
 
 ## Template Priority Order
@@ -21,7 +21,7 @@ FOSSBilling loads templates in this order (highest priority first):
 
 1. `themes/mytheme/html_custom/` — User customizations
 2. `themes/mytheme/html/` — Your theme files
-3. `modules/example/html_client/` — Module defaults
+3. `modules/Example/templates/client/` or `modules/Example/templates/admin/` — Module defaults for the current area
 
 ## Theme Structure
 
@@ -34,13 +34,11 @@ themes/mytheme/
 ├── config/
 │   └── settings.html.twig      # Theme settings UI (optional)
 ├── html/                       # Your templates
-│   ├── layouts/
-│   │   └── default.twig        # Base layout
-│   ├── partials/
-│   │   ├── header.twig
-│   │   └── footer.twig
-│   └── index.twig              # Homepage
-├── html_custom/                  # For user customizations (leave empty)
+│   ├── layout_default.html.twig # Base layout
+│   ├── layout_public.html.twig  # Public pages layout
+│   ├── partial_menu.html.twig   # Shared partial
+│   └── mod_index_dashboard.html.twig # Optional module override
+├── html_custom/                 # For user customizations (leave empty)
 └── manifest.json               # Theme metadata
 ```
 
@@ -48,7 +46,6 @@ themes/mytheme/
 
 ```json
 {
-    "id": "mytheme",
     "name": "My Theme",
     "description": "A custom FOSSBilling theme",
     "version": "1.0.0",
@@ -68,8 +65,8 @@ All API calls need a CSRF token. Access it in templates as `CSRFToken`:
 ```
 
 **In a link:**
-```html
-<a href="{{ 'api/admin/client/group_delete'|link({ 'id': group.id, 'CSRFToken': CSRFToken }) }}">
+```twig
+<a href="{{ 'client/group_delete'|api_url(query: { 'id': group.id, 'CSRFToken': CSRFToken }, role: 'admin') }}">
     Delete
 </a>
 ```
@@ -103,11 +100,11 @@ Access API endpoints directly in Twig (no CSRF token needed):
 FOSSBilling provides [custom filters](/developing-fossbilling/twig-filters) for themes:
 
 ```twig
-{{ price | money }}                    {# Format currency #}
-{{ 'client/manage' | alink }}          {# Admin panel link #}
-{{ 'theme.css' | asset_url }}          {# Theme asset URL #}
-{{ date | timeago }}                   {# "2 hours ago" #}
-{{ content | markdown }}               {# Parse Markdown #}
+{{ price | format_currency(currency.code) }} {# Format currency #}
+{{ 'client/manage' | url(area: 'admin') }}   {# Admin panel link #}
+{{ 'css/theme.css' | asset_url }}            {# Theme asset URL #}
+{{ date | timeago }}                         {# "2 hours ago" #}
+{{ content | markdown_to_html }}             {# Parse Markdown #}
 ```
 
 ## Security Best Practices
diff --git a/src/content/docs/developing-fossbilling/twig-filters.mdoc b/src/content/docs/developing-fossbilling/twig-filters.mdoc
index 194a90a..5234836 100644
--- a/src/content/docs/developing-fossbilling/twig-filters.mdoc
+++ b/src/content/docs/developing-fossbilling/twig-filters.mdoc
@@ -3,15 +3,29 @@ title: Twig Filters & Functions
 description: Available Twig filters and functions for theming and module development.
 ---
 
-FOSSBilling uses [Twig](https://twig.symfony.com/) across themes, email templates, and PDFs. This page lists the project-specific filters and functions you can rely on while building against it.
+FOSSBilling uses [Twig](https://twig.symfony.com/) across themes, email templates, and PDFs. This page lists the filters and functions you can rely on while building against it.
 
 ## Standard Twig
 
-FOSSBilling includes all [default Twig filters](https://twig.symfony.com/doc/3.x/filters/index.html), plus the [Intl Extra Extension](https://github.com/twigphp/intl-extra) for internationalization.
+FOSSBilling includes the [default Twig filters](https://twig.symfony.com/doc/3.x/filters/index.html), plus the [Intl Extra Extension](https://github.com/twigphp/intl-extra) and [Markdown Extra Extension](https://github.com/twigphp/markdown-extra).
+
+Common bundled filters include:
+
+| Filter | Description |
+|--------|-------------|
+| `format_currency` | Format a number as currency, for example `{{ 29.99 | format_currency('USD') }}`. |
+| `format_date` | Format a date using the configured locale and date format. |
+| `format_datetime` | Format a date and time using the configured locale and time zone. |
+| `markdown_to_html` | Convert Markdown to HTML with FOSSBilling's safe CommonMark renderer. |
 
 ## FOSSBilling Custom Filters
 
-These filters are defined in [`/library/Box/TwigExtensions.php`](https://github.com/FOSSBilling/FOSSBilling/blob/main/src/library/Box/TwigExtensions.php):
+Project-specific filters and functions are defined in these classes:
+
+- [`FOSSBilling\Twig\Extension\ApiExtension`](https://github.com/FOSSBilling/FOSSBilling/blob/main/src/library/FOSSBilling/Twig/Extension/ApiExtension.php)
+- [`FOSSBilling\Twig\Extension\FOSSBillingExtension`](https://github.com/FOSSBilling/FOSSBilling/blob/main/src/library/FOSSBilling/Twig/Extension/FOSSBillingExtension.php)
+- [`FOSSBilling\Twig\Extension\LegacyExtension`](https://github.com/FOSSBilling/FOSSBilling/blob/main/src/library/FOSSBilling/Twig/Extension/LegacyExtension.php)
+- [`FOSSBilling\Twig\Extension\DebugBarExtension`](https://github.com/FOSSBilling/FOSSBilling/blob/main/src/library/FOSSBilling/Twig/Extension/DebugBarExtension.php)
 
 ### Translation & Localization
 
@@ -21,65 +35,64 @@ These filters are defined in [`/library/Box/TwigExtensions.php`](https://github.
 | `timeago` | Show how long ago a date was (e.g., "2 hours ago"). Accepts ISO 8601 format. |
 | `daysleft` | Show days until a date. Accepts ISO 8601 format. |
 | `period_title` | Display a translated period title (e.g., `1M` → "1 Month"). |
+| `ip_country_name` | Show the country name for an IP address. |
 
 ### URLs & Links
 
 | Filter | Description |
 |--------|-------------|
-| `alink` | Create a link to the admin panel from a URI. |
-| `link` | Generate a full URL from a URI. |
-| `autolink` | Automatically convert text to HTML links. |
-| `iplookup` | Create a clickable admin panel link to look up an IP address. |
+| `url` | Generate a URL for the current area, or pass `area: 'admin'` / `area: 'client'`. |
+| `api_url` | Generate a URL for an API endpoint. Pass `role: 'admin'`, `role: 'client'`, or `role: 'guest'` when needed. |
 
 ### Assets & Resources
 
 | Filter | Description |
 |--------|-------------|
-| `mod_asset_url` | Get the correct URL for a module asset. |
 | `asset_url` | Get the URL for a theme asset. |
 | `library_url` | Get the URL for the library folder. |
-| `img_tag` | Generate an HTML `<img>` tag. |
+| `mod_asset_url` | Get the URL for a module asset. Use the asset path as the filtered value and the module name as the argument. |
 | `script_tag` | Generate an HTML `<script>` tag. |
 | `stylesheet_tag` | Generate an HTML `<link>` tag for CSS. |
 
-### Formatting
+### Utilities
 
 | Filter | Description |
 |--------|-------------|
-| `money` | Format a price with currency symbol. |
-| `money_without_currency` | Format a price without the currency symbol. |
-| `money_convert` | Convert and format a price to another currency. |
-| `money_convert_without_currency` | Convert without showing the currency symbol. |
-| `number` | PHP `number_format()` as a filter. |
-| `size` | Convert bytes to human-readable size (KB, MB, GB, etc.). |
+| `file_size` | Convert bytes to a human-readable size (KB, MB, GB, etc.). |
+| `hash` | Hash a value. Defaults to `xxh128`; pass another PHP-supported algorithm if needed. |
 | `truncate` | Truncate a string to a maximum length. |
 
-### Utilities
+## FOSSBilling Custom Functions
 
-| Filter | Description |
-|--------|-------------|
-| `gravatar` | Generate a Gravatar image URL from an email. Optional size parameter. |
-| `markdown` | Parse Markdown to HTML. Escapes HTML and removes unsafe links (`javascript:`, `vbscript:`, `file:`, `data:`). Uses CommonMark with GitHub extensions. |
-| `ipcountryname` | Show the country name for an IP address. |
+| Function | Description |
+|----------|-------------|
+| `fb_api` | Render `data-fb-api` attributes from a configuration array. |
+| `fb_api_form` | Render API form attributes, or a full `<form>` tag when configured with `tag: 'form'`. |
+| `fb_api_link` | Render API link/button attributes, or a full `<a>` tag when configured with `tag: 'a'`. |
+| `render_widgets` | Render widgets registered for a slot. |
+| `svg_sprite` | Render the current theme's SVG icon sprite when available. |
+| `has_permission` | Check whether the logged-in admin has a module permission. |
+| `antispam_honeypot` | Return honeypot field configuration from the Antispam module. |
+| `debug_bar_render_head` | Render debug bar head assets in development/debug contexts. |
+| `debug_bar_render` | Render the debug bar in development/debug contexts. |
 
 ## Usage Examples
 
 ```twig
-{# Format money #}
-{{ 29.99 | money }}  {# $29.99 #}
+{# Format currency #}
+{{ 29.99 | format_currency('USD') }} {# $29.99 #}
 
-{# Generate Gravatar #}
-<img src="{{ 'user@example.com' | gravatar(64) }}" alt="Avatar">
+{# Generate client and admin URLs #}
+<a href="{{ 'invoice' | url }}">Invoices</a>
+<a href="{{ 'client/manage' | url(area: 'admin') }}">Manage Client</a>
 
 {# Parse Markdown #}
-{{ product.description | markdown }}
+{{ product.description | markdown_to_html }}
 
 {# Time ago #}
 {{ order.created_at | timeago }}  {# 2 hours ago #}
 
-{# Admin link #}
-<a href="{{ 'client/manage' | alink }}">Manage Client</a>
-
-{# Module asset #}
-<script src="{{ 'myfile.js' | mod_asset_url }}"></script>
+{# Theme and module assets #}
+<link rel="stylesheet" href="{{ 'css/theme.css'|asset_url }}">
+<script src="{{ 'js/widget.js'|mod_asset_url('Example') }}"></script>
 ```

From c9d6c6f0c75d073174b957212371f4f1361e63bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 00:29:34 +0300
Subject: [PATCH 04/10] Updated documentation for Antispam

---
 src/content/docs/faq/features.mdoc    | 4 ++--
 src/content/docs/troubleshooting.mdoc | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/content/docs/faq/features.mdoc b/src/content/docs/faq/features.mdoc
index 36b71c6..457af8f 100644
--- a/src/content/docs/faq/features.mdoc
+++ b/src/content/docs/faq/features.mdoc
@@ -19,13 +19,13 @@ Use this page as a quick reference for what is available today, what is in progr
 ## Security & Anti-Spam
 
 {% aside type="tip" %}
-Many of these features require the "SpamChecker" module. Configure it in **Settings → SpamChecker**.
+Many of these features require the "Antispam" module. Configure it in **Settings → Antispam**.
 {% /aside %}
 
 | Feature | Status | Notes |
 |---------|--------|-------|
 | IP blocking | ✅ | Block problematic IPs |
-| reCAPTCHA | ✅ | v2 supported. More providers coming. |
+| CAPTCHA | ✅ | reCaptcha v2, Cloudflare Turnstile and hCaptcha supported. |
 | Stop Forum Spam | ✅ | Community-driven spam prevention |
 | Disposable email blocking | ✅ | Uses [FakeFilter](https://fakefilter.net) |
 | MFA/2FA | 🚧 | Planned before 1.0 release |
diff --git a/src/content/docs/troubleshooting.mdoc b/src/content/docs/troubleshooting.mdoc
index 28e67b2..935528c 100644
--- a/src/content/docs/troubleshooting.mdoc
+++ b/src/content/docs/troubleshooting.mdoc
@@ -113,7 +113,7 @@ Because cron runs as a server command, it is not tied to the PHP version configu
 These steps may help you resolve this issue:
 
 1. If your control panel provides a PHP selector for cron, choose a version that meets FOSSBilling's requirements.
-2. Try specifying a different PHP binary in the cron command, for example `php8.2` or `/usr/bin/php8.2` instead of just `php`.
+2. Try specifying a different PHP binary in the cron command, for example `php8.3` or `/usr/bin/php8.3` instead of just `php`.
 3. Remove unsupported PHP versions if they keep being selected by default.
 4. Ask your hosting or control-panel provider how to set a different PHP version for cron jobs.
 5. As a last resort, use the [cron API endpoint](/getting-started/installation#option-2-remote-cron-service) with `wget` or an external cron service.

From 161f2094b1d4a5cd969bf04fc747b210b617fe38 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 02:06:52 +0300
Subject: [PATCH 05/10] Update the list of events and add troubleshooting
 information

---
 .../developing-fossbilling/event-hooks.mdoc   | 74 +++++++++++++++----
 1 file changed, 58 insertions(+), 16 deletions(-)

diff --git a/src/content/docs/developing-fossbilling/event-hooks.mdoc b/src/content/docs/developing-fossbilling/event-hooks.mdoc
index 0a73dd0..fe80a59 100644
--- a/src/content/docs/developing-fossbilling/event-hooks.mdoc
+++ b/src/content/docs/developing-fossbilling/event-hooks.mdoc
@@ -6,7 +6,7 @@ description: Hook into FOSSBilling events to run custom code when things happen.
 Event hooks let your module or theme respond to actions in FOSSBilling — like when a client signs up, an order is placed, or cron runs.
 
 {% aside type="note" %}
-This reference lists all available hooks. For practical examples, see [how the example module implements hooks](https://github.com/FOSSBilling/example-module/blob/main/src/Service.php).
+This reference lists hooks fired by FOSSBilling core modules. Optional or community modules can fire additional hooks. For practical examples, see [how the example module implements hooks](https://github.com/FOSSBilling/example-module/blob/main/src/Service.php).
 {% /aside %}
 
 ## How Hooks Work
@@ -18,6 +18,8 @@ Hook names follow this pattern:
 - `onAfter{Action}` — Runs **after** the action
 - `onEvent{Description}` — Fires when a specific event occurs
 
+The Hook module also supports `onEveryEvent`, a global listener that is connected to every fired event.
+
 ## Admin Hooks
 
 ### Extensions
@@ -32,12 +34,16 @@ Hook names follow this pattern:
 - `onAfterAdminUninstallExtension`
 - `onBeforeAdminUpdateExtension`
 - `onAfterAdminUpdateExtension`
+- `onBeforeAdminExtensionConfigSave`
 - `onAfterAdminExtensionConfigSave`
 
 ### Clients
 
+- `onBeforeAdminClientCreate`
+- `onAfterAdminClientCreate`
 - `onBeforeAdminCreateClient`
 - `onAfterAdminCreateClient`
+- `onBeforeAdminClientDelete`
 - `onAfterAdminClientDelete`
 - `onBeforeAdminClientPasswordChange`
 - `onAfterAdminClientPasswordChange`
@@ -64,7 +70,10 @@ Hook names follow this pattern:
 - `onAfterAdminOrderUnsuspend`
 - `onBeforeAdminOrderUpdate`
 - `onAfterAdminOrderUpdate`
+- `onBeforeAdminBatchSuspendOrders`
 - `onAfterAdminBatchSuspendOrders`
+- `onBeforeAdminBatchCancelSuspendedOrders`
+- `onAfterAdminBatchCancelSuspendedOrders`
 
 ### Invoices
 
@@ -79,17 +88,33 @@ Hook names follow this pattern:
 - `onAfterAdminInvoiceReminderSent`
 - `onBeforeAdminInvoiceUpdate`
 - `onAfterAdminInvoiceUpdate`
+- `onAfterAdminInvoicePaymentReceived`
 - `onBeforeAdminGenerateRenewalInvoice`
 - `onAfterAdminGenerateRenewalInvoice`
 - `onEventBeforeInvoiceIsDue`
 - `onEventAfterInvoiceIsDue`
 
+### Subscriptions
+
+- `onAfterAdminSubscriptionCreate`
+- `onAfterAdminSubscriptionDelete`
+
+### Transactions
+
+- `onBeforeAdminTransactionCreate`
+- `onAfterAdminTransactionCreate`
+- `onBeforeAdminTransactionProcess`
+- `onAfterAdminTransactionProcess`
+- `onBeforeAdminTransactionUpdate`
+- `onAfterAdminTransactionUpdate`
+
 ### Tickets
 
 - `onBeforeAdminOpenTicket`
 - `onAfterAdminOpenTicket`
 - `onAfterAdminCloseTicket`
 - `onAfterAdminReplyTicket`
+- `onBeforeAdminPublicTicketOpen`
 - `onAfterAdminPublicTicketOpen`
 - `onAfterAdminPublicTicketClose`
 - `onAfterAdminPublicTicketReply`
@@ -119,21 +144,23 @@ Hook names follow this pattern:
 - `onAfterAdminDeleteCurrency`
 - `onBeforeAdminSettingsUpdate`
 - `onAfterAdminSettingsUpdate`
-- `onBeforeAdminTransactionCreate`
-- `onAfterAdminTransactionCreate`
-- `onBeforeAdminTransactionProcess`
-- `onAfterAdminTransactionProcess`
-- `onBeforeAdminTransactionUpdate`
-- `onAfterAdminTransactionUpdate`
 - `onAfterAdminNotificationAdd`
 - `onBeforeAdminUpdateCore`
 - `onAfterAdminUpdateCore`
+- `onBeforeAdminManualUpdate`
+- `onAfterAdminManualUpdate`
+
+### Themes
+
+- `onBeforeThemeSettingsSave`
 
 ### Authentication
 
 - `onBeforeAdminLogin`
 - `onAfterAdminLogin`
 - `onEventAdminLoginFailed`
+- `onBeforePasswordResetStaff`
+- `onAfterPasswordResetStaff`
 
 ## Client Hooks
 
@@ -148,14 +175,18 @@ Hook names follow this pattern:
 - `onAfterClientProfileUpdate`
 - `onBeforeClientProfilePasswordChange`
 - `onAfterClientProfilePasswordChange`
+- `onBeforeClientProfilePasswordReset`
+- `onAfterClientProfilePasswordReset`
+- `onBeforePasswordResetClient`
 
-### Orders
+### Orders and Cart
 
-- `onAfterClientOrderCreate`
 - `onBeforeProductAddedToCart`
 - `onAfterProductAddedToCart`
+- `onBeforeClientCheckout`
+- `onAfterClientOrderCreate`
 
-### Tickets
+### Tickets and Domains
 
 - `onBeforeClientOpenTicket`
 - `onAfterClientOpenTicket`
@@ -164,18 +195,20 @@ Hook names follow this pattern:
 - `onBeforeClientChangeNameservers`
 - `onAfterClientChangeNameservers`
 
-### Invoices
-
-- `onBeforeClientCheckout`
-- `onBeforeClientInvoiceDelete`
-
 ## Guest Hooks
 
+- `onBeforeGuestPasswordResetRequest`
 - `onBeforeGuestPublicTicketOpen`
 - `onAfterGuestPublicTicketOpen`
 - `onAfterGuestPublicTicketClose`
 - `onAfterGuestPublicTicketReply`
-- `onBeforeGuestPasswordResetRequest`
+
+## Product Hooks
+
+### Service License
+
+- `onBeforeServicelicenseReset`
+- `onAfterServicelicenseReset`
 
 ## Using Hooks in Your Module
 
@@ -197,3 +230,12 @@ class Service
 ```
 
 FOSSBilling automatically discovers and calls these hooks when the events fire.
+
+## Troubleshooting Hook Discovery
+
+FOSSBilling discovers hook methods when cron jobs run. If you add a new hook handler in a module, cron must run at least once before the hook is registered.
+
+If a new hook is not being called:
+- Confirm cron is configured and running correctly.
+- During development, run cron jobs manually once after adding or renaming hook methods.
+- Make sure the hook method is public and accepts a `\Box_Event` argument.
\ No newline at end of file

From 03a6aef3f2099b5aaddef830a0762abd99271d59 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 02:28:19 +0300
Subject: [PATCH 06/10] Update information about the wrapper and CSRF tokens

---
 .../docs/customizing-fossbilling/config.mdoc  |   5 +-
 .../docs/developing-fossbilling/api.mdoc      |  44 +++++-
 .../guides/creating-a-theme.mdoc              |  42 ++++--
 .../developing-fossbilling/javascript.mdoc    | 130 +++++++++++++++---
 .../developing-fossbilling/twig-filters.mdoc  |  26 +++-
 src/content/docs/faq/features.mdoc            |   2 +-
 .../docs/security/securing-fossbilling.mdoc   |   4 +-
 7 files changed, 215 insertions(+), 38 deletions(-)

diff --git a/src/content/docs/customizing-fossbilling/config.mdoc b/src/content/docs/customizing-fossbilling/config.mdoc
index 4429bf5..56773e7 100644
--- a/src/content/docs/customizing-fossbilling/config.mdoc
+++ b/src/content/docs/customizing-fossbilling/config.mdoc
@@ -101,7 +101,10 @@ Temporarily disable public access. Use `allowed_urls` for endpoints that must st
 
 ### API Settings
 
-Control API access. Use `require_referrer_header` to lock browser-originated requests to your install URL, and `allowed_ips` for explicit allowlists.
+Control API access.
+
+- Use `require_referrer_header` to lock browser-originated requests to your install URL, and `allowed_ips` for explicit allowlists.
+- Keep `CSRFPrevention` enabled. The bundled JavaScript API wrapper handles CSRF tokens for session-authenticated browser calls.
 
 ```php
 'api' => [
diff --git a/src/content/docs/developing-fossbilling/api.mdoc b/src/content/docs/developing-fossbilling/api.mdoc
index 463a5fb..a631173 100644
--- a/src/content/docs/developing-fossbilling/api.mdoc
+++ b/src/content/docs/developing-fossbilling/api.mdoc
@@ -4,7 +4,7 @@ description: Complete reference for the FOSSBilling REST API.
 ---
 
 {% aside type="note" %}
-Building a theme or module? Use the [JavaScript wrapper](/developing-fossbilling/javascript/) instead of raw API calls when possible. It handles common boilerplate and tracks platform changes more gracefully.
+Building a theme or module? Use the [JavaScript wrapper](/developing-fossbilling/javascript/) and Twig API helpers instead of raw browser calls when possible. They handle CSRF tokens and common response behavior for you.
 {% /aside %}
 
 ## Overview
@@ -27,8 +27,8 @@ Three main entrypoints:
 
 ## Request Format
 
-- **Method:** All requests use POST
-- **Format:** JSON for both request and response
+- **Method:** Core API routes accept GET and POST. Use POST for requests with a JSON body or form data.
+- **Format:** JSON responses. POST requests may send JSON or form data.
 - **Naming:** Lowercase with underscores (`change_password`)
 - **Nulls:** Blank fields are included as `null`, not omitted
 - **Dates:** [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601) format
@@ -46,6 +46,44 @@ Authorization: Basic base64_encode('admin:YOUR_API_KEY')
 
 Most HTTP clients (curl, Postman) handle the encoding automatically.
 
+Browser requests from an active client or admin session use the session cookie instead. Those requests must include a valid CSRF token.
+
+## CSRF Tokens
+
+CSRF protection applies to session-authenticated `client` and `admin` browser API calls. It does not apply to `guest` calls or external API calls authenticated with API tokens.
+
+For browser calls, FOSSBilling accepts the token in any of these places:
+
+- `CSRFToken` in the JSON body
+- `CSRFToken` in form data or query parameters
+- `X-CSRF-Token` request header
+
+The token must match the `csrf_token` cookie or the session token. The bundled `Api/API.js` wrapper reads the cookie and adds the token automatically.
+
+Use Twig helpers for theme and module templates. This way, you don't need to manually attach CSRF tokens to the requests:
+
+```twig
+<form action="{{ 'profile/update'|api_url }}" {{ fb_api_form({ message: 'Saved'|trans }) }}>
+  <input type="text" name="first_name">
+  <button type="submit">{{ 'Save'|trans }}</button>
+</form>
+```
+
+For raw `fetch()` requests, send the token yourself:
+
+```javascript
+const token = document.cookie.match(/csrf_token=([^;]*)/)?.[1] || '';
+
+fetch('/api/client/profile/update', {
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'X-CSRF-Token': decodeURIComponent(token),
+  },
+  body: JSON.stringify({ first_name: 'Jane' }),
+});
+```
+
 ## Example Requests
 
 {% tabs %}
diff --git a/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc b/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
index 58c0990..8c54ec7 100644
--- a/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
+++ b/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
@@ -55,25 +55,44 @@ themes/mytheme/
 }
 ```
 
-## CSRF Protection
+## API URLs and CSRF
 
-All API calls need a CSRF token. Access it in templates as `CSRFToken`:
+Use `api_url` to build browser API URLs and `fb_api_form` or `fb_api_link` to let the JavaScript API wrapper handle submissions.
 
-**In a form:**
-```html
-<input type="hidden" name="CSRFToken" value="{{ CSRFToken }}"/>
+```twig
+<form action="{{ 'profile/update'|api_url }}" {{ fb_api_form({ message: 'Profile updated'|trans }) }}>
+  <input type="text" name="first_name" value="{{ profile.first_name }}">
+  <button type="submit">{{ 'Save'|trans }}</button>
+</form>
 ```
 
-**In a link:**
+For links that trigger API actions:
+
 ```twig
-<a href="{{ 'client/group_delete'|api_url(query: { 'id': group.id, 'CSRFToken': CSRFToken }, role: 'admin') }}">
-    Delete
+<a href="{{ 'client/group_delete'|api_url(query: { id: group.id }, role: 'admin') }}"
+   {{ fb_api_link({
+     modal: { type: 'confirm', title: 'Are you sure?'|trans },
+     reload: true
+   }) }}>
+  {{ 'Delete'|trans }}
 </a>
 ```
 
-## Calling the API from Templates
+Session-authenticated `client` and `admin` browser API calls require CSRF protection. The wrapper reads the `csrf_token` cookie and sends the token automatically.
+
+Use `role: 'guest'` for public actions such as login, signup, and password reset:
+
+```twig
+<form action="{{ 'client/login'|api_url(role: 'guest') }}" {{ fb_api_form({ redirect: '/'|url }) }}>
+  <input type="email" name="email" required>
+  <input type="password" name="password" required>
+  <button type="submit">{{ 'Login'|trans }}</button>
+</form>
+```
+
+## Server-Side API Globals
 
-Access API endpoints directly in Twig (no CSRF token needed):
+The `guest`, `client`, and `admin` Twig globals call FOSSBilling APIs during server-side template rendering. They are not browser HTTP requests and do not use CSRF tokens.
 
 ### Guest API (always available)
 
@@ -111,7 +130,8 @@ FOSSBilling provides [custom filters](/developing-fossbilling/twig-filters) for
 
 - Use `htmlspecialchars` when outputting user data
 - Validate all inputs
-- Include CSRF tokens in forms
+- Use `fb_api_form` and `fb_api_link` for browser API actions
+- Include CSRF tokens manually for raw requests that do not use the wrapper
 - See the [security docs](/security/securing-fossbilling) for more
 
 ## Testing Your Theme
diff --git a/src/content/docs/developing-fossbilling/javascript.mdoc b/src/content/docs/developing-fossbilling/javascript.mdoc
index e3c440f..248c490 100644
--- a/src/content/docs/developing-fossbilling/javascript.mdoc
+++ b/src/content/docs/developing-fossbilling/javascript.mdoc
@@ -4,7 +4,7 @@ description: Use the JavaScript wrapper for easier, more reliable API calls from
 ---
 
 {% aside type="note" %}
-If you're building themes or modules, use this wrapper instead of making raw API calls. It handles authentication, CSRF tokens, and other repetitive details for you.
+If you're building themes or modules, use this wrapper instead of making raw browser API calls. It handles CSRF tokens, response parsing, and other repetitive details for you.
 {% /aside %}
 
 ## Why Use the Wrapper?
@@ -16,16 +16,35 @@ If you're building themes or modules, use this wrapper instead of making raw API
 
 ## Importing the Wrapper
 
-Add this to your template's `<head>`:
+The bundled admin and Huraga themes already load the wrapper. For a custom theme, add this to your base layout before your theme JavaScript:
 
-```html
-<meta name="csrf-token" content="{{ CSRFToken }}">
-<script src="{{ "Api/API.js?v=#{guest.system_version}" | library_url }}"></script>
+```twig
+{{ "Api/API.js"|library_url|script_tag }}
+<script src="{{ 'build/js/mytheme.js'|asset_url }}"></script>
 ```
 
-What this does:
-1. Creates a meta tag with the CSRF token (the wrapper reads this automatically)
-2. Loads the API wrapper, appending the system version to prevent caching issues
+The `script_tag` filter adds a cache-busting hash and prevents the same script from being rendered more than once.
+
+If your custom theme does not reuse the bundled theme JavaScript, initialize automatic API forms and links after the DOM loads:
+
+```javascript
+document.addEventListener('DOMContentLoaded', function() {
+  API._apiForm();
+  API._apiLink();
+});
+```
+
+## CSRF Tokens
+
+FOSSBilling uses a double-submit style token for browser API calls. Browser-rendered Twig pages expose `CSRFToken` and set a `csrf_token` cookie.
+
+| Call type | CSRF requirement |
+|-----------|------------------|
+| `guest` API calls | Not required. |
+| `client` or `admin` API calls with the browser session | Required. |
+| External `client` or `admin` API calls using an API key | Not required. |
+
+The JavaScript wrapper reads the `csrf_token` cookie and sends it automatically where applicable. You don't need to manually attach the token to form data when using the wrapper.
 
 ## Making Requests
 
@@ -38,11 +57,11 @@ API.{role}.{method}(endpoint, params, onSuccess, onError, showSpinner)
 | Parameter | Description |
 |-----------|-------------|
 | `role` | `admin`, `client`, or `guest` |
-| `method` | `get` or `post` |
+| `method` | Use `get` or `post` for core FOSSBilling API routes. |
 | `endpoint` | The API endpoint (e.g., `"system/version"`) |
 | `params` | Request parameters (object) |
 | `onSuccess` | Callback function for successful responses |
-| `onError` | Callback function for errors |
+| `onError` | Callback function for errors. Receives `{ message, code }`. |
 | `showSpinner` | Boolean to show/hide the loading spinner (optional, default: `true`) |
 
 ## Examples
@@ -95,10 +114,9 @@ API.admin.post(
 
 ## Loading Spinner
 
-The wrapper automatically shows a spinner for requests taking longer than 250ms. To use it:
+The wrapper automatically creates a loader element for requests when the spinner is enabled. To use it, make sure your theme has styling for `.spinner-border`.
 
-1. Include a `.spinner-border` class in your CSS
-2. The wrapper creates and removes the spinner element automatically
+The wrapper creates and removes the spinner element automatically:
 
 ```css
 .spinner-border {
@@ -111,9 +129,66 @@ The wrapper automatically shows a spinner for requests taking longer than 250ms.
 
 ### Disabling the Spinner
 
+
 Either:
 - Don't define a `.spinner-border` class in your CSS
-- Pass `false` as the fifth parameter to the API call
+- Pass `false` as the fifth parameter to the API call like below:
+
+```javascript
+API.admin.post('client/get_list', {}, onSuccess, onError, false);
+```
+
+## API Forms and Links
+
+The Twig helpers `fb_api_form()` and `fb_api_link()` render a `data-fb-api` attribute that the wrapper uses for automatic form and link handling.
+
+Use `api_url` for the target endpoint:
+
+```twig
+<form action="{{ 'profile/update'|api_url }}" {{ fb_api_form({ message: 'Profile updated'|trans }) }}>
+  <input type="text" name="first_name" value="{{ profile.first_name }}">
+  <button type="submit">{{ 'Save'|trans }}</button>
+</form>
+```
+
+`fb_api_form()` adds `method="post"` and `data-fb-api`. The wrapper serializes the form, adds the CSRF token automatically for session-authenticated calls, disables enabled buttons while the request is running, and shows errors with `FOSSBilling.message()`.
+
+For API links:
+
+```twig
+<a href="{{ 'client/delete'|api_url(query: { id: client.id }, role: 'admin') }}"
+   {{ fb_api_link({
+     modal: { type: 'confirm', title: 'Are you sure?'|trans },
+     redirect: 'client'|url
+   }) }}>
+  {{ 'Delete'|trans }}
+</a>
+```
+
+The wrapper intercepts links with `data-fb-api`, sends a `GET` request to the link `href`, and then handles the configured follow-up action.
+
+Supported `data-fb-api` options:
+
+| Option | Applies to | Description |
+|--------|------------|-------------|
+| `message` | Forms and links | Show a success toast after the request. |
+| `redirect` | Forms and links | Redirect to the given URL after success. |
+| `reload` | Forms and links | Pass `true` to reload the current page after success. |
+| `callback` | Forms and links | Name of a global `window` function to call with the API result. |
+| `params` | Links | Extra request parameters merged into the link request. |
+| `modal` | Links | Show a confirmation, danger, or prompt modal before the request. |
+
+Prompt modals require a `key`; the entered value is sent under that request parameter name:
+
+```twig
+<a href="{{ 'example/update_name'|api_url }}"
+   {{ fb_api_link({
+     modal: { type: 'prompt', title: 'New name'|trans, label: 'Name'|trans, key: 'name' },
+     reload: true
+   }) }}>
+  {{ 'Rename'|trans }}
+</a>
+```
 
 ## Handling Responses
 
@@ -123,7 +198,7 @@ The success callback receives the decoded API response object:
 
 ```javascript
 function(response) {
-  console.log(response.result);
+  console.log(response);
 }
 ```
 
@@ -133,16 +208,37 @@ The error callback receives the API error payload:
 
 ```javascript
 function(error) {
-  console.error(error.message);
+  console.error(error.message, error.code);
 }
 ```
 
+## Manual Requests
+
+Use manual `fetch()` only when the wrapper does not fit. For session-authenticated `admin` or `client` calls, include the CSRF token in the JSON body, query string, form data, or `X-CSRF-Token` header:
+
+```javascript
+function getCsrfToken() {
+  const match = document.cookie.match(/csrf_token=([^;]*)/);
+  return match ? decodeURIComponent(match[1]) : '';
+}
+
+fetch('{{ "profile/update"|api_url }}', {
+  method: 'POST',
+  headers: {
+    'Accept': 'application/json',
+    'Content-Type': 'application/json',
+    'X-CSRF-Token': getCsrfToken(),
+  },
+  body: JSON.stringify({ first_name: 'Jane' }),
+});
+```
+
 ## Complete Example
 
 ```javascript
 function loadProfile() {
   API.client.get(
-    "client/profile",
+    "profile/get",
     {},
     function(profile) {
       document.getElementById('name').textContent = profile.first_name + ' ' + profile.last_name;
diff --git a/src/content/docs/developing-fossbilling/twig-filters.mdoc b/src/content/docs/developing-fossbilling/twig-filters.mdoc
index 5234836..bb0ade0 100644
--- a/src/content/docs/developing-fossbilling/twig-filters.mdoc
+++ b/src/content/docs/developing-fossbilling/twig-filters.mdoc
@@ -42,7 +42,7 @@ Project-specific filters and functions are defined in these classes:
 | Filter | Description |
 |--------|-------------|
 | `url` | Generate a URL for the current area, or pass `area: 'admin'` / `area: 'client'`. |
-| `api_url` | Generate a URL for an API endpoint. Pass `role: 'admin'`, `role: 'client'`, or `role: 'guest'` when needed. |
+| `api_url` | Generate a URL for an API endpoint. Defaults to the current area; pass `role: 'admin'`, `role: 'client'`, or `role: 'guest'` when needed. |
 
 ### Assets & Resources
 
@@ -66,9 +66,9 @@ Project-specific filters and functions are defined in these classes:
 
 | Function | Description |
 |----------|-------------|
-| `fb_api` | Render `data-fb-api` attributes from a configuration array. |
-| `fb_api_form` | Render API form attributes, or a full `<form>` tag when configured with `tag: 'form'`. |
-| `fb_api_link` | Render API link/button attributes, or a full `<a>` tag when configured with `tag: 'a'`. |
+| `fb_api` | Render a `data-fb-api` attribute from a configuration array. |
+| `fb_api_form` | Render `method="post"` and `data-fb-api` attributes for JavaScript API forms, or a full `<form>` tag when configured with `tag: 'form'`. |
+| `fb_api_link` | Render `data-fb-api` link/button attributes, or a full `<a>` tag when configured with `tag: 'a'`. |
 | `render_widgets` | Render widgets registered for a slot. |
 | `svg_sprite` | Render the current theme's SVG icon sprite when available. |
 | `has_permission` | Check whether the logged-in admin has a module permission. |
@@ -86,6 +86,10 @@ Project-specific filters and functions are defined in these classes:
 <a href="{{ 'invoice' | url }}">Invoices</a>
 <a href="{{ 'client/manage' | url(area: 'admin') }}">Manage Client</a>
 
+{# Generate API URLs #}
+{{ 'profile/update' | api_url }}
+{{ 'client/login' | api_url(role: 'guest') }}
+
 {# Parse Markdown #}
 {{ product.description | markdown_to_html }}
 
@@ -95,4 +99,18 @@ Project-specific filters and functions are defined in these classes:
 {# Theme and module assets #}
 <link rel="stylesheet" href="{{ 'css/theme.css'|asset_url }}">
 <script src="{{ 'js/widget.js'|mod_asset_url('Example') }}"></script>
+
+{# API form handled by Api/API.js #}
+<form action="{{ 'profile/update'|api_url }}" {{ fb_api_form({ message: 'Saved'|trans }) }}>
+  <input type="text" name="first_name">
+  <button type="submit">{{ 'Save'|trans }}</button>
+</form>
+
+{# API link with a confirmation modal #}
+<a href="{{ 'client/delete'|api_url(query: { id: client.id }, role: 'admin') }}"
+   {{ fb_api_link({ modal: { type: 'confirm', title: 'Are you sure?'|trans }, reload: true }) }}>
+  {{ 'Delete'|trans }}
+</a>
 ```
+
+See [JavaScript API Wrapper](/developing-fossbilling/javascript/) for the `data-fb-api` options and CSRF behavior.
diff --git a/src/content/docs/faq/features.mdoc b/src/content/docs/faq/features.mdoc
index 457af8f..448ce6a 100644
--- a/src/content/docs/faq/features.mdoc
+++ b/src/content/docs/faq/features.mdoc
@@ -33,7 +33,7 @@ Many of these features require the "Antispam" module. Configure it in **Settings
 | Session protection | ✅ | Hijacking prevention and session limits |
 | IP restrictions for staff | ✅ | Restrict admin access by IP (note: incorrect configuration may lock you out) |
 | Security alerts | ✅ | Checks our [Central Alerts API](https://fossbilling.org/api/central-alerts/list) for vulnerabilities |
-| CSRF protection | ✅ | Can be disabled in config if needed |
+| CSRF protection | ✅ | Enabled by default. Browser API calls are handled by the bundled wrapper |
 | Staff permissions | ✅ | Role-based access control |
 | AbuseIPDB | 🚧 | Planned |
 
diff --git a/src/content/docs/security/securing-fossbilling.mdoc b/src/content/docs/security/securing-fossbilling.mdoc
index fb5d012..941817a 100644
--- a/src/content/docs/security/securing-fossbilling.mdoc
+++ b/src/content/docs/security/securing-fossbilling.mdoc
@@ -29,7 +29,7 @@ These settings live in your `config.php` file and control FOSSBilling's built-in
 
 | Property | Default | Options | Description |
 |----------|---------|---------|-------------|
-| `CSRFPrevention` | `true` | `bool` | Enables CSRF protection. Keep this enabled unless it's causing specific issues. |
+| `CSRFPrevention` | `true` | `bool` | Enables CSRF protection for session-authenticated browser API calls. Keep this enabled unless it is causing a specific compatibility issue. |
 
 ```php
 'api' => [
@@ -37,6 +37,8 @@ These settings live in your `config.php` file and control FOSSBilling's built-in
 ],
 ```
 
+The bundled JavaScript API wrapper sends the CSRF token automatically. External API calls authenticated with an API key do not need a CSRF token.
+
 ## Cloudflare
 
 If you're using Cloudflare, enable **IP Geolocation** under your site's **Network** settings. This allows FOSSBilling to use the visitor's country information to strengthen some session checks.

From 784a454a4bfc6f6a5719e1e36e8d019fa8431cea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 02:36:25 +0300
Subject: [PATCH 07/10] Added internal links between pages

---
 src/content/docs/customizing-fossbilling/company.mdoc     | 2 ++
 src/content/docs/customizing-fossbilling/config.mdoc      | 2 +-
 src/content/docs/developing-fossbilling/api.mdoc          | 2 +-
 src/content/docs/developing-fossbilling/event-hooks.mdoc  | 4 +++-
 .../docs/developing-fossbilling/file-structure.mdoc       | 5 +++--
 .../developing-fossbilling/guides/creating-a-module.mdoc  | 4 ++++
 .../developing-fossbilling/guides/creating-a-theme.mdoc   | 4 ++--
 src/content/docs/extensions.mdoc                          | 8 ++++++++
 src/content/docs/faq/features.mdoc                        | 2 +-
 src/content/docs/maintaining-fossbilling/updating.mdoc    | 2 ++
 src/content/docs/product-types/domains.mdoc               | 2 ++
 src/content/docs/security/best-practices.mdoc             | 4 ++++
 src/content/docs/security/securing-fossbilling.mdoc       | 2 +-
 src/content/docs/troubleshooting.mdoc                     | 2 +-
 14 files changed, 35 insertions(+), 10 deletions(-)

diff --git a/src/content/docs/customizing-fossbilling/company.mdoc b/src/content/docs/customizing-fossbilling/company.mdoc
index 9ce747d..3da7203 100644
--- a/src/content/docs/customizing-fossbilling/company.mdoc
+++ b/src/content/docs/customizing-fossbilling/company.mdoc
@@ -60,6 +60,8 @@ https://example.com
 
 This signature appears at the bottom of most automated emails. You can still override it in individual templates.
 
+For more control over generated output, see [Email Templates](/customizing-fossbilling/email-templates/) and [Customizing Invoice PDFs](/customizing-fossbilling/invoice-pdf/).
+
 ## Currency Settings
 
 Also in **Configuration → Settings → Currency**:
diff --git a/src/content/docs/customizing-fossbilling/config.mdoc b/src/content/docs/customizing-fossbilling/config.mdoc
index 56773e7..b16654a 100644
--- a/src/content/docs/customizing-fossbilling/config.mdoc
+++ b/src/content/docs/customizing-fossbilling/config.mdoc
@@ -104,7 +104,7 @@ Temporarily disable public access. Use `allowed_urls` for endpoints that must st
 Control API access.
 
 - Use `require_referrer_header` to lock browser-originated requests to your install URL, and `allowed_ips` for explicit allowlists.
-- Keep `CSRFPrevention` enabled. The bundled JavaScript API wrapper handles CSRF tokens for session-authenticated browser calls.
+- Keep `CSRFPrevention` enabled. The bundled [JavaScript API wrapper](/developing-fossbilling/javascript/) handles CSRF tokens for session-authenticated browser calls.
 
 ```php
 'api' => [
diff --git a/src/content/docs/developing-fossbilling/api.mdoc b/src/content/docs/developing-fossbilling/api.mdoc
index a631173..961d203 100644
--- a/src/content/docs/developing-fossbilling/api.mdoc
+++ b/src/content/docs/developing-fossbilling/api.mdoc
@@ -58,7 +58,7 @@ For browser calls, FOSSBilling accepts the token in any of these places:
 - `CSRFToken` in form data or query parameters
 - `X-CSRF-Token` request header
 
-The token must match the `csrf_token` cookie or the session token. The bundled `Api/API.js` wrapper reads the cookie and adds the token automatically.
+The token must match the `csrf_token` cookie or the session token. The bundled [JavaScript API wrapper](/developing-fossbilling/javascript/) reads the cookie and adds the token automatically.
 
 Use Twig helpers for theme and module templates. This way, you don't need to manually attach CSRF tokens to the requests:
 
diff --git a/src/content/docs/developing-fossbilling/event-hooks.mdoc b/src/content/docs/developing-fossbilling/event-hooks.mdoc
index fe80a59..4716de2 100644
--- a/src/content/docs/developing-fossbilling/event-hooks.mdoc
+++ b/src/content/docs/developing-fossbilling/event-hooks.mdoc
@@ -5,6 +5,8 @@ description: Hook into FOSSBilling events to run custom code when things happen.
 
 Event hooks let your module or theme respond to actions in FOSSBilling — like when a client signs up, an order is placed, or cron runs.
 
+If you are building the module that will receive these hooks, start with [Creating a Module](/developing-fossbilling/guides/creating-a-module/).
+
 {% aside type="note" %}
 This reference lists hooks fired by FOSSBilling core modules. Optional or community modules can fire additional hooks. For practical examples, see [how the example module implements hooks](https://github.com/FOSSBilling/example-module/blob/main/src/Service.php).
 {% /aside %}
@@ -238,4 +240,4 @@ FOSSBilling discovers hook methods when cron jobs run. If you add a new hook han
 If a new hook is not being called:
 - Confirm cron is configured and running correctly.
 - During development, run cron jobs manually once after adding or renaming hook methods.
-- Make sure the hook method is public and accepts a `\Box_Event` argument.
\ No newline at end of file
+- Make sure the hook method is public and accepts a `\Box_Event` argument.
diff --git a/src/content/docs/developing-fossbilling/file-structure.mdoc b/src/content/docs/developing-fossbilling/file-structure.mdoc
index e90580c..c91eb0d 100644
--- a/src/content/docs/developing-fossbilling/file-structure.mdoc
+++ b/src/content/docs/developing-fossbilling/file-structure.mdoc
@@ -35,7 +35,6 @@ Core API files including the JavaScript wrapper (`API.js`). [See the wrapper doc
 Legacy classes inherited from BoxBilling. Contains:
 - Translation utilities
 - Exception handling
-- Twig extensions
 - Various tools
 
 These are gradually being modernized.
@@ -44,6 +43,8 @@ These are gradually being modernized.
 
 New or rewritten classes specific to FOSSBilling. This is where active development happens.
 
+Twig setup and project-specific Twig extensions live under `/src/library/FOSSBilling/Twig`. See [Twig Filters & Functions](/developing-fossbilling/twig-filters/) for the template-facing API.
+
 #### `/src/library/Model`
 
 Database models. You typically won't edit these, but they're useful for understanding the data structure.
@@ -112,7 +113,7 @@ theme-name/
 ├── config/
 │   └── settings.html.twig   # Theme settings UI
 ├── html/               # Twig templates
-│   └── layouts/        # Base layouts
+│   └── layout_default.html.twig # Base layout
 ├── html_custom/        # User overrides (not for theme files)
 └── manifest.json       # Theme metadata
 ```
diff --git a/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc b/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc
index a15e20d..6d1b987 100644
--- a/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc
+++ b/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc
@@ -38,6 +38,8 @@ The best way to learn is by example. Our [example module](https://github.com/FOS
 - Database interaction
 - Event hooks
 
+For template-specific helpers, see [Twig Filters & Functions](/developing-fossbilling/twig-filters/). For browser-side API forms and links, see the [JavaScript API Wrapper](/developing-fossbilling/javascript/).
+
 ## Running Scheduled Tasks
 
 Hook into cron using `onBeforeAdminCronRun` or `onAfterAdminCronRun`:
@@ -49,6 +51,8 @@ public static function onBeforeAdminCronRun(\Box_Event $event): void
 }
 ```
 
+See [Event Hooks](/developing-fossbilling/event-hooks/) for the full list of hook names.
+
 ## Module Permissions
 
 Define custom permissions for staff members in your module.
diff --git a/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc b/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
index 8c54ec7..7aba441 100644
--- a/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
+++ b/src/content/docs/developing-fossbilling/guides/creating-a-theme.mdoc
@@ -57,7 +57,7 @@ themes/mytheme/
 
 ## API URLs and CSRF
 
-Use `api_url` to build browser API URLs and `fb_api_form` or `fb_api_link` to let the JavaScript API wrapper handle submissions.
+Use `api_url` to build browser API URLs and `fb_api_form` or `fb_api_link` to let the [JavaScript API wrapper](/developing-fossbilling/javascript/) handle submissions.
 
 ```twig
 <form action="{{ 'profile/update'|api_url }}" {{ fb_api_form({ message: 'Profile updated'|trans }) }}>
@@ -78,7 +78,7 @@ For links that trigger API actions:
 </a>
 ```
 
-Session-authenticated `client` and `admin` browser API calls require CSRF protection. The wrapper reads the `csrf_token` cookie and sends the token automatically.
+Session-authenticated `client` and `admin` browser API calls require CSRF protection. The [JavaScript API wrapper](/developing-fossbilling/javascript/) reads the `csrf_token` cookie and sends the token automatically.
 
 Use `role: 'guest'` for public actions such as login, signup, and password reset:
 
diff --git a/src/content/docs/extensions.mdoc b/src/content/docs/extensions.mdoc
index 95baa80..ec18630 100644
--- a/src/content/docs/extensions.mdoc
+++ b/src/content/docs/extensions.mdoc
@@ -28,6 +28,8 @@ Where supported, you can install listed extensions directly from within your FOS
 
 See [this GitHub issue](https://github.com/FOSSBilling/FOSSBilling/issues/1360) for broader discussion about payment adapter plans.
 
+Building your own adapter? Start with [Creating a Payment Gateway](/developing-fossbilling/guides/creating-a-payment-gateway/).
+
 ## Registrar Modules
 
 | **Registrar Module** | **Developer** | **Status** |
@@ -38,6 +40,12 @@ See [this GitHub issue](https://github.com/FOSSBilling/FOSSBilling/issues/1360)
 
 * As with payment adapters, test registrar modules carefully before using them in production.
 
+Building your own registrar integration? See [Creating a Registrar Integration](/developing-fossbilling/guides/creating-a-registrar-integration/).
+
+## Custom Extensions
+
+For custom business logic, start with [Creating a Module](/developing-fossbilling/guides/creating-a-module/).
+
 ## How do I get my extension listed in the Extension directory?
 
 Open a pull request against the [extension-directory repository](https://github.com/FOSSBilling/extension-directory).
diff --git a/src/content/docs/faq/features.mdoc b/src/content/docs/faq/features.mdoc
index 448ce6a..10c4850 100644
--- a/src/content/docs/faq/features.mdoc
+++ b/src/content/docs/faq/features.mdoc
@@ -33,7 +33,7 @@ Many of these features require the "Antispam" module. Configure it in **Settings
 | Session protection | ✅ | Hijacking prevention and session limits |
 | IP restrictions for staff | ✅ | Restrict admin access by IP (note: incorrect configuration may lock you out) |
 | Security alerts | ✅ | Checks our [Central Alerts API](https://fossbilling.org/api/central-alerts/list) for vulnerabilities |
-| CSRF protection | ✅ | Enabled by default. Browser API calls are handled by the bundled wrapper |
+| CSRF protection | ✅ | Enabled by default. Browser API calls are handled by the [bundled wrapper](/developing-fossbilling/javascript/) |
 | Staff permissions | ✅ | Role-based access control |
 | AbuseIPDB | 🚧 | Planned |
 
diff --git a/src/content/docs/maintaining-fossbilling/updating.mdoc b/src/content/docs/maintaining-fossbilling/updating.mdoc
index 45506f2..b0a2297 100644
--- a/src/content/docs/maintaining-fossbilling/updating.mdoc
+++ b/src/content/docs/maintaining-fossbilling/updating.mdoc
@@ -29,3 +29,5 @@ If you prefer to manage files yourself:
 6. Click **Apply Patches & Update Configuration**
 
 Always run the patches after copying in new files so the database schema and configuration stay in sync with the codebase.
+
+If an update fails or FOSSBilling errors after updating, see [Troubleshooting FOSSBilling Issues](/troubleshooting/#errors-after-updating).
diff --git a/src/content/docs/product-types/domains.mdoc b/src/content/docs/product-types/domains.mdoc
index fd13f7c..bee4bab 100644
--- a/src/content/docs/product-types/domains.mdoc
+++ b/src/content/docs/product-types/domains.mdoc
@@ -55,3 +55,5 @@ The module exists but needs fixes. [Source code](https://github.com/FOSSBilling/
 3. Configure the registrar settings
 4. Set up pricing for each TLD you want to sell
 5. Enable the TLDs you want to offer
+
+Need a registrar that is not supported yet? See [Creating a Registrar Integration](/developing-fossbilling/guides/creating-a-registrar-integration/).
diff --git a/src/content/docs/security/best-practices.mdoc b/src/content/docs/security/best-practices.mdoc
index b1253b6..0031fd1 100644
--- a/src/content/docs/security/best-practices.mdoc
+++ b/src/content/docs/security/best-practices.mdoc
@@ -13,6 +13,8 @@ Good application security starts with good operational security. If your server
 - Keep FOSSBilling updated to the latest version
 - Update all server software (web server, database, PHP)
 
+See [Updating FOSSBilling](/maintaining-fossbilling/updating/) for more information about keeping FOSSBilling updated.
+
 ### Access Control
 
 - Don't run services as root — use `sudo` when needed
@@ -34,6 +36,8 @@ Good application security starts with good operational security. If your server
 - Set `force_https` to `true` in your FOSSBilling config
 - Use valid SSL certificates (Let's Encrypt is free and easy)
 
+See [Securing FOSSBilling](/security/securing-fossbilling/) for the related application-level config keys.
+
 ### Session Security
 
 - Keep `mode` set to `strict` in your security config
diff --git a/src/content/docs/security/securing-fossbilling.mdoc b/src/content/docs/security/securing-fossbilling.mdoc
index 941817a..acc0797 100644
--- a/src/content/docs/security/securing-fossbilling.mdoc
+++ b/src/content/docs/security/securing-fossbilling.mdoc
@@ -37,7 +37,7 @@ These settings live in your `config.php` file and control FOSSBilling's built-in
 ],
 ```
 
-The bundled JavaScript API wrapper sends the CSRF token automatically. External API calls authenticated with an API key do not need a CSRF token.
+The bundled [JavaScript API wrapper](/developing-fossbilling/javascript/) sends the CSRF token automatically. External API calls authenticated with an API key do not need a CSRF token.
 
 ## Cloudflare
 
diff --git a/src/content/docs/troubleshooting.mdoc b/src/content/docs/troubleshooting.mdoc
index 935528c..ec66b5f 100644
--- a/src/content/docs/troubleshooting.mdoc
+++ b/src/content/docs/troubleshooting.mdoc
@@ -92,7 +92,7 @@ Subfolder installations are not supported right now. Install FOSSBilling on a de
 
 If FOSSBilling starts failing after an update, work through these steps:
 
-1. Review the [changelog](/changelog) for any breaking changes or for any manual actions required.
+1. Review the [updating guide](/maintaining-fossbilling/updating/) and [changelog](/changelog) for any breaking changes or manual actions required.
 2. Try the fallback patcher by visiting `https://example.com/run-patcher` to make sure database and configuration updates finished cleanly.
    - If you need the fallback patcher, there is often an underlying permissions issue interrupting the normal update flow.
 3. If you're still experiencing issues, you can ask for further assistance via our [Discord](https://fossbilling.org/discord), or with a [bug report](https://github.com/FOSSBilling/FOSSBilling/issues).

From 0c0150dfd11c1beb7b9a052535944466c2c671ee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 11:08:37 +0300
Subject: [PATCH 08/10] Added information about the has_function Twig function

---
 .../guides/creating-a-module.mdoc             | 20 +++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc b/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc
index 6d1b987..ce93ea7 100644
--- a/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc
+++ b/src/content/docs/developing-fossbilling/guides/creating-a-module.mdoc
@@ -20,8 +20,8 @@ These early releases let us modernize the codebase inherited from BoxBilling whi
 
 Module names start with a capital letter:
 
-✅ **Valid:** `Example`, `Mynewmodule`, `Servicehosting`
-❌ **Invalid:** `example`, `MyNewModule`, `servicehosting`
+- ✅ **Valid:** `Example`, `Mynewmodule`, `Servicehosting`
+- ❌ **Invalid:** `example`, `MyNewModule`, `servicehosting`
 
 See the [file structure docs](/developing-fossbilling/file-structure#modules) for the complete layout.
 
@@ -32,10 +32,10 @@ The best way to learn is by example. Our [example module](https://github.com/FOS
 - Admin and client area templates
 - Email templates
 - API routes
-- Using the DI container
+- Using the dependency injection container
 - Routes with variables (`/example/user/:id`)
 - Translations
-- Database interaction
+- Interacting with the database
 - Event hooks
 
 For template-specific helpers, see [Twig Filters & Functions](/developing-fossbilling/twig-filters/). For browser-side API forms and links, see the [JavaScript API Wrapper](/developing-fossbilling/javascript/).
@@ -95,10 +95,22 @@ if (!$staff_service->hasPermission(null, 'example', 'delete_something')) {
 }
 ```
 
+**Twig templates:**
+```twig
+{\% if has_permission('example', 'delete_something') %}
+    <button type="button">{{ 'Delete something'|trans }}</button>
+{\% endif %}
+```
+
+Remove the backslashes when using this in your actual template.
+
+Use the `has_permission(module, permission = null)` Twig function in admin templates to check whether the logged-in staff member has access to a module or module permission. Omit the second argument to check module access only, for example `has_permission('example')`. The function returns `false` when no admin is logged in or the permission check fails.
+
 Key points:
 - Pass `null` to check the currently logged-in staff member
 - Use your module ID as the second parameter
 - Permission keys are module-specific (no naming conflicts)
+- Use `has_permission` to conditionally render admin UI, but keep enforcing permissions in PHP/API handlers
 
 ## Getting Started
 

From b93aad06eac38f5c78655af85ae37bb3df372392 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan?= <hi@yagiz.dev>
Date: Wed, 13 May 2026 11:14:01 +0300
Subject: [PATCH 09/10] Remove internal Twig functions that aren't used by
 other modules

---
 .../docs/developing-fossbilling/twig-filters.mdoc     | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/src/content/docs/developing-fossbilling/twig-filters.mdoc b/src/content/docs/developing-fossbilling/twig-filters.mdoc
index bb0ade0..434c702 100644
--- a/src/content/docs/developing-fossbilling/twig-filters.mdoc
+++ b/src/content/docs/developing-fossbilling/twig-filters.mdoc
@@ -13,7 +13,7 @@ Common bundled filters include:
 
 | Filter | Description |
 |--------|-------------|
-| `format_currency` | Format a number as currency, for example `{{ 29.99 | format_currency('USD') }}`. |
+| `format_currency` | Format a number as currency, for example `{{ 29.99 \| format_currency('USD') }}`. |
 | `format_date` | Format a date using the configured locale and date format. |
 | `format_datetime` | Format a date and time using the configured locale and time zone. |
 | `markdown_to_html` | Convert Markdown to HTML with FOSSBilling's safe CommonMark renderer. |
@@ -66,15 +66,12 @@ Project-specific filters and functions are defined in these classes:
 
 | Function | Description |
 |----------|-------------|
-| `fb_api` | Render a `data-fb-api` attribute from a configuration array. |
-| `fb_api_form` | Render `method="post"` and `data-fb-api` attributes for JavaScript API forms, or a full `<form>` tag when configured with `tag: 'form'`. |
-| `fb_api_link` | Render `data-fb-api` link/button attributes, or a full `<a>` tag when configured with `tag: 'a'`. |
+| `fb_api` | Refer to [JavaScript Wrapper](/developing-fossbilling/javascript/#api-forms-and-links) for documentation. |
+| `fb_api_form` | Refer to [JavaScript Wrapper](/developing-fossbilling/javascript/#api-forms-and-links) for documentation. |
+| `fb_api_link` | Refer to [JavaScript Wrapper](/developing-fossbilling/javascript/#api-forms-and-links) for documentation. |
 | `render_widgets` | Render widgets registered for a slot. |
 | `svg_sprite` | Render the current theme's SVG icon sprite when available. |
 | `has_permission` | Check whether the logged-in admin has a module permission. |
-| `antispam_honeypot` | Return honeypot field configuration from the Antispam module. |
-| `debug_bar_render_head` | Render debug bar head assets in development/debug contexts. |
-| `debug_bar_render` | Render the debug bar in development/debug contexts. |
 
 ## Usage Examples
 

From d52355f89adf31fccdd2a6427fcf9f0275125dfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ya=C4=9F=C4=B1zhan=20Burak=20Yakar?=
 <yagizhan49@protonmail.com>
Date: Mon, 18 May 2026 20:36:10 +0300
Subject: [PATCH 10/10] Address code review comment

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 src/content/docs/customizing-fossbilling/config.mdoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/content/docs/customizing-fossbilling/config.mdoc b/src/content/docs/customizing-fossbilling/config.mdoc
index b16654a..395fdb4 100644
--- a/src/content/docs/customizing-fossbilling/config.mdoc
+++ b/src/content/docs/customizing-fossbilling/config.mdoc
@@ -117,9 +117,9 @@ Control API access.
 ### Rate Limiter
 FOSSBilling includes a built-in rate limiter which depends on Symfony's [rate limiter](https://symfony.com/doc/current/rate_limiter.html) component.
 
-`policies` is an empty array by default and inherits sensible defaults from [`FOSSBilling\Security\RateLimiter::getDefaultConfig()`](https://github.com/FOSSBilling/FOSSBilling/blob/9acf34ec12f908e01e516b7d54839e155b990b9d/src/library/FOSSBilling/Security/RateLimiter.php#L37).
+`policies` is an empty array by default and inherits sensible defaults from [`FOSSBilling\Security\RateLimiter::getDefaultConfig()`](https://github.com/FOSSBilling/FOSSBilling/blob/main/src/library/FOSSBilling/Security/RateLimiter.php#L37).
 
-Any policy you explicitly set in the `policies` array will override the default one. We have included an example below. You can refer to their documentation on creating rate limiter policies.
+Any policy you explicitly set in the `policies` array will override the default one. We have included an example below. You can refer to Symfony's documentation on creating rate limiter policies.
 
 ```php
 'rate_limiter' => [