CMS almost at the speed of light.
A purpose-built, blazing-fast content management system written in Rust.
Focused on blogging and portfolio/photography — no bloat, no plugin ecosystem, just what you need.
Velocty is a self-hosted CMS that ships as a single binary with your choice of SQLite or MongoDB as the database backend. It's designed for photographers, artists, designers, and bloggers who want a fast, secure, and beautiful platform without the overhead of WordPress or similar systems.
It serves pure HTML/CSS to visitors with microsecond response times, while giving you a modern, polished admin panel to manage everything.
- Photographers & visual artists — portfolio grid with lightbox, categories, likes, and digital download sales
- Bloggers & writers — rich text editor, categories, tags, comments, RSS
- Freelancers & creatives — showcase work + sell digital downloads with built-in commerce
- Privacy-conscious creators — built-in analytics (no Google Analytics, no third-party scripts)
- Self-hosters — single binary, no PHP, no MySQL, no Docker required
- Sites needing a plugin/extension ecosystem
- E-commerce stores with physical products, inventory, or shipping
- Sites requiring server-side rendering frameworks (React, Next.js, etc.)
Velocty guides you through a 4-step setup wizard on first run:
| Step 1 — Database | Step 2 — Your Site |
|---|---|
 |
 |
| Step 3 — Admin Account | Step 4 — Terms & Privacy |
|---|---|
 |
 |
| Analytics Dashboard | Sales Dashboard |
|---|---|
 |
 |
| Journal List | New Post |
|---|---|
 |
 |
| Site | Typography | Portfolio |
|---|---|---|
 |
 |
 |
| SEO | Security | Frontend |
|---|---|---|
 |
 |
 |
| Commerce | AI | |
|---|---|---|
 |
 |
 |
| Layer | Technology |
|---|---|
| Language | Rust |
| Web Framework | Rocket |
| Database | SQLite (via rusqlite + r2d2) or MongoDB (via mongodb crate) — chosen at setup |
| Templates (admin) | Tera |
| Rich Text Editor | TinyMCE 7 (self-hosted, admin-only) |
| Analytics Charts | D3.js (admin-only) |
| GeoIP | MaxMind GeoLite2 (offline, privacy-preserving) |
| Frontend (visitors) | Pure HTML/CSS + minimal vanilla JS |
| Auth | Bcrypt + session cookies + optional TOTP MFA + Magic Link + Passkey (WebAuthn/FIDO2) |
| Background Tasks | Tokio async runtime (session/token/analytics cleanup) |
| Metric | Velocty (Rust) | WordPress (PHP) |
|---|---|---|
| Response time | Microseconds | 200–500ms |
| Memory usage | ~10–20 MB | ~50–100 MB |
| Deployment | Single binary + SQLite file (or MongoDB) | PHP + MySQL + Apache/Nginx |
| Attack surface | Minimal (no plugins) | Huge (plugins, themes, XML-RPC) |
| Cold start | Instant | Seconds |
| Dependencies at runtime | Zero | PHP extensions, plugins |
| Updates | Replace one binary | Core + plugin + theme updates |
- Journal (Blog) — Rich text posts with TinyMCE, categories, tags, excerpts, featured images, publish date picker, inline category creation
- Portfolio — Image gallery with masonry grid, lightbox, categories, tags, likes, publish date picker, inline category creation
- Browse by tag —
/tag/<slug>routes for both blog and portfolio with pagination - Browse by category —
/category/<slug>routes for both blog and portfolio with pagination - Archives —
/archivespage with posts grouped by year/month, drill-down to/archives/<year>/<month> - Dynamic URL slugs — Blog and portfolio base URLs are configurable (e.g.
/journal,/gallery) from settings - Comments — Built-in commenting with honeypot spam protection, rate limiting, moderation queue
- RSS Feed — Auto-generated RSS 2.0 feed with configurable post count (Settings › Site)
- WordPress Import — Import posts, portfolio items, categories, tags, and comments from WP XML export
- Category management — Create, edit, delete categories with type filter (post/portfolio/both)
- Masonry grid with configurable columns (2/3/4)
- Lightbox with keyboard navigation, prev/next arrows, configurable border color
- Single page mode as alternative to lightbox
- Heart/like system (IP-based, no login required)
- Image protection — optional right-click disable
- Fade-in animations on scroll (IntersectionObserver)
- Auto-thumbnails — small, medium, large generated on upload
- WebP conversion — automatic for smaller file sizes
- 7 payment providers — PayPal (JS SDK), Stripe (Checkout), Razorpay (JS modal), Mollie, Square, 2Checkout, Payoneer (redirect-based)
- Per-item provider selection — seller chooses which payment processor to use for each portfolio item
- Sandbox/Live modes per provider (Stripe, Square, 2Checkout, Payoneer)
- Webhook security — Stripe (HMAC-SHA256), Square (HMAC-SHA256), 2Checkout (MD5), Razorpay (HMAC client verify), Mollie (API fetch-back)
- Order pipeline —
create_pending_order→ provider checkout →finalize_order(idempotent) - Secure token-based downloads with configurable expiry and download limits
- Optional download file — seller can specify a separate download file per item; falls back to featured image
- License key generation — auto-generated
XXXX-XXXX-XXXX-XXXXformat per purchase - Purchase email — async delivery via Gmail SMTP or custom SMTP with download link + license key
- Purchase lookup — returning buyers can check purchase status by email
- Sales dashboard — total/30d/7d revenue, order counts, recent orders
- Orders page — filterable by status (all/completed/pending/refunded), paginated
- Price auto-format —
25→25.00in the portfolio editor
- Meta title & description fields on every post and portfolio item
- SEO Check button — one-click 10-point analysis on each post/portfolio editor (meta title, description, slug quality, content length, image alt text, tags, heading structure) with A–F grade
- Auto-generated sitemap.xml
- JSON-LD structured data for blog posts and portfolio items
- Open Graph & Twitter Card meta tags
- Canonical URLs
- Custom robots.txt
- Webmaster Tools — verification codes for Google Search Console, Bing, Yandex, Pinterest, Baidu (auto-injected into
<head>) - Third-party Analytics — Google Analytics (GA4), Plausible, Fathom, Matomo, Cloudflare Web Analytics, Clicky, Umami — each with enable/disable toggle (scripts auto-injected into visitor pages)
- SEO Audit Dashboard —
/admin/seo-auditwith overall health donut, score distribution, top issues, settings checklist, per-item sortable tables, and integrated Google PageSpeed Insights (performance, accessibility, SEO scores + Core Web Vitals) - Auto SEO scoring — every post and portfolio item is automatically scored on create/update across 6 categories (meta, content, headings, images, links, slug)
- Rescan All — one-click bulk re-score of all published content
- Sidebar SEO widget — colored donut ring in the admin sidebar showing overall SEO health at a glance
- All configurable from Settings > SEO (tabbed: General, Webmaster Tools, per-provider analytics tabs, Audit)
- No third-party scripts — all data stays in your database (SQLite or MongoDB)
- GeoLite2 offline lookup — country/city without sending data to external services
- D3.js dashboard with:
- Visitor flow (Sankey diagram)
- Content breakdown (Sunburst chart)
- World map (Choropleth)
- Activity stream
- Calendar heatmap
- Top portfolio items (Radial bar)
- Top referrers (Horizontal bar)
- Tag relationships (Force-directed graph)
- Tracked per request: path, hashed IP, country, referrer, user-agent, device type, browser
- Dark & Light themes — toggle from sidebar
- Ultra-narrow icon sidebar that expands on hover with labels
- Responsive — works on mobile (sidebar collapses to bottom tab bar)
- Keyboard shortcuts — Cmd+S to save from any form,
/to focus settings search - Flash notifications — success/error toasts on save
- Settings search — search across all settings with keyboard shortcut, grouped dropdown results, sub-tab navigation
- Multi-user system — roles (admin/editor/author/subscriber), user management UI, per-user MFA
- Health Dashboard — system health with disk usage, DB stats, filesystem permission checks (owner:group, recommended perms, world-writable detection), resource monitoring, and maintenance tools (vacuum, WAL checkpoint, orphan scan, session cleanup, export). Backend-aware: adapts for SQLite vs MongoDB
- Cookie Consent Banner — GDPR-compliant banner with 3 styles (minimal bar, modal, corner card), dark/light/auto theme, configurable position. Analytics scripts gated behind consent
- Privacy Policy & Terms of Use — pre-filled industry-standard templates, editable with TinyMCE from Settings › Frontend, rendered at
/privacyand/terms - Import page — drag-and-drop file upload with 3-column card layout for WordPress and other importers
- Background tasks — automatic session cleanup, magic link token cleanup, analytics data cleanup with configurable intervals (Settings › Tasks)
- Bcrypt password hashing
- Session-based auth with secure cookies (SameSite=Strict, HttpOnly)
- Configurable admin URL slug — change
/adminto anything for security through obscurity - Authentication modes:
- Email & Password — traditional login
- Magic Link — passwordless login via email (requires email provider)
- Passkey (WebAuthn/FIDO2) — phishing-resistant login with hardware keys, fingerprint, or Face ID; replaces both password and MFA
- Passkey management — register multiple passkeys per user, auto-enable on first registration, auto-revert to fallback method on last deletion, MFA automatically disabled when passkey is active
- Optional TOTP MFA — per-user, Google Authenticator, Authy, etc. with recovery codes
- Multi-user auth guards — AdminUser, EditorUser, AuthorUser, AuthenticatedUser with role-based route gating
- Login rate limiting — in-memory IP-based enforcement, configurable attempts per 15 minutes
- Comment rate limiting — in-memory enforcement, configurable per 15-minute window
- Like rate limiting — 30 toggles per 5 minutes per IP
- Purchase lookup rate limiting — 10 requests per 15 minutes per IP (prevents email enumeration)
- Login captcha — reCAPTCHA v3, Cloudflare Turnstile, or hCaptcha
- Anti-spam services — Akismet, CleanTalk, OOPSpam
- Firewall fairing — bot detection, failed login tracking, auto-ban, XSS/SQLi/path traversal protection, rate limiting, geo-blocking, security headers
- Session expiry — configurable (default 24h)
- Security headers — X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, HSTS (
Strict-Transport-Security: max-age=31536000; includeSubDomainswhen site URL is HTTPS) - Constant-time comparison — consolidated SHA-256 hash-then-compare for all secret comparisons (deploy keys, webhook signatures, HMAC tokens), preventing timing and length-leak side-channels
- Rate limiting — login, comments, like toggles (30/5min per IP), and purchase lookups (10/15min per IP)
- Download path validation — open redirect and path traversal prevention on commerce download redirects
- Media delete hardening — filename validation +
canonicalize()check to prevent symlink/encoding traversal - Content-Disposition — forced
attachmentfor HTML/XHTML files served from uploads to prevent inline script execution - Template XSS prevention — all
json_encode() | safeusages in Tera templates escape</to prevent</script>breakout - Error sanitization — payment provider errors logged server-side with generic messages returned to clients (no internal detail leakage)
- Image proxy — all public
/uploads/URLs rewritten to HMAC-signed/img/<token>paths, with zero-downtime key rotation and configurable grace period - SVG sanitization — uploaded SVGs are sanitized to strip
<script>, event handlers,<foreignObject>, dangerous URIs, and IE conditional comments; SVGs served with restrictive CSP (script-src 'none') as defense-in-depth
- 11 email providers — Gmail/Google Workspace, Resend, Amazon SES, Postmark, Brevo, SendPulse, Mailgun, Moosend, Mandrill, SparkPost, Custom SMTP
- Used for: Magic Link login, purchase notifications, comment notifications
- Google Fonts integration with 1,500+ fonts
- Adobe Fonts support
- Custom font upload
- Per-element font assignment — body, headings, navigation, buttons, captions
- Configurable sizes for H1–H6 and body
- Text transform options
| Section | What it controls |
|---|---|
| Site | Name, tagline, logo, favicon, URL, timezone, date format |
| Journal | Posts per page, display type, excerpt length, reading time |
| Portfolio | Grid columns, likes, lightbox, image protection, animations |
| Comments | Enable/disable, moderation mode, spam protection, rate limits |
| Typography | Fonts, sizes, sources, per-element assignment |
| Media | Image upload (max size, quality, WebP, thumbnails, HEIC/HEIF conversion), image optimization (max dimension resize, JPEG/PNG re-encode, EXIF stripping), video upload (types, size, duration), media organization (6 folder structures) |
| SEO | Title template, meta defaults, sitemap, structured data, robots.txt, webmaster verification, 7 analytics providers |
| Security | Admin slug, auth method (password/magic link/passkey), MFA, passkey management, sessions, rate limits, captcha, anti-spam |
| Frontend | Active design, back-to-top button |
| Social | Social media links with brand color icons |
| 11 provider configurations | |
| Commerce | 7 payment providers, currency, download limits, license template |
| AI | Provider chain, model selection, failover |
| Tasks | Background task intervals (session cleanup, magic link cleanup, analytics cleanup) |
- Rust toolchain (1.75+)
- (Optional) MaxMind GeoLite2-City.mmdb for analytics geo-lookup
| Feature | macOS | Linux |
|---|---|---|
| HEIC/HEIF image upload | Built-in (sips) — no install needed |
apt install imagemagick or apt install libheif-examples |
HEIC/HEIF support is not enabled by default. To enable it, add heic and/or heif to the allowed image types in Settings › Media. A confirmation dialog will explain the system requirements. When enabled, HEIC/HEIF files are automatically converted to JPEG on upload — no browser plugin or Rust crate needed.
git clone https://github.com/marirs/velocty.git
cd velocty
cargo build --release
./target/release/veloctyOpen http://localhost:8000/admin/setup — the setup wizard walks you through:
- Database — choose SQLite (default) or MongoDB (with connection test & auth config)
- Site name
- Admin account
- Terms acceptance
Your choice is saved to velocty.toml and cannot be changed after setup.
To serve multiple independent sites from a single binary:
cargo build --release --features multi-site
./target/release/veloctyOpen http://localhost:8000/super/setup to create the super admin account, then add sites from the dashboard. See MULTI-SITE.md for full architecture details.
All configuration is done through the admin panel. Settings are stored in the database and take effect immediately (except admin slug, which requires a restart).
velocty.toml is generated during first-run setup and stores the database backend choice:
# SQLite (default)
[database]
backend = "sqlite"
path = "website/site/db/velocty.db"
# MongoDB (alternative)
[database]
backend = "mongodb"
uri = "mongodb://localhost:27017"
name = "velocty"
[database.auth]
mechanism = "scram_sha256"
auth_db = "admin"
username = "myuser"
password = "mypass"velocty/
├── Cargo.toml
├── README.md
├── Rocket.toml # Rocket config (port, template dir)
├── docs/ # Documentation & design specs
│ ├── Architecture.md
│ ├── DESIGN.md
│ ├── MULTI-SITE.md # Multi-site/multi-tenancy architecture
│ └── README-CMS.md
├── src/
│ ├── main.rs # Rocket launch, DB init, route mounting
│ ├── db.rs # SQLite pool, migrations, seed defaults, shared default_settings()
│ ├── store/ # Backend-agnostic database abstraction
│ │ ├── mod.rs # Store trait (~100 methods) + unit tests
│ │ ├── sqlite.rs # SqliteStore impl (wraps DbPool) + DbPool bridge
│ │ └── mongo.rs # MongoStore impl (fully implemented, ~3000 lines)
│ ├── analytics.rs # Page view logging fairing, GeoIP
│ ├── render.rs # Design + content merge (with captcha widget injection)
│ ├── seo/ # SEO module
│ │ ├── mod.rs # Module root
│ │ └── audit.rs # SEO scoring engine (10-factor analysis, auto-score, rescan)
│ ├── seo.rs # Meta tags, JSON-LD, sitemap
│ ├── rss.rs # RSS/Atom feed generation
│ ├── image_proxy.rs # HMAC-signed image URL proxy with key rotation
│ ├── svg_sanitizer.rs # SVG upload sanitizer (strips scripts, event handlers, etc.)
│ ├── images.rs # Upload, thumbnails, WebP conversion
│ ├── license.rs # Purchase license.txt generation
│ ├── rate_limit.rs # In-memory rate limiter (login, comments)
│ ├── tasks.rs # Background tasks fairing (session/token/analytics cleanup)
│ ├── site.rs # Multi-site: SiteContext, SiteStoreManager, SiteResolver (feature-gated)
│ ├── ai/ # AI provider integrations
│ │ ├── mod.rs # Provider dispatch, failover chain, types
│ │ ├── prompts.rs # Prompt builders for all AI features
│ │ ├── ollama.rs # Ollama provider
│ │ ├── openai.rs # OpenAI provider
│ │ ├── gemini.rs # Google Gemini provider
│ │ ├── groq.rs # Groq provider
│ │ └── cloudflare.rs # Cloudflare Workers AI provider
│ ├── email/ # Email provider integrations
│ │ ├── mod.rs # Provider dispatch, failover chain, SMTP
│ │ ├── gmail.rs # Gmail / Google Workspace SMTP
│ │ ├── resend.rs # Resend API
│ │ ├── ses.rs # Amazon SES (SigV4)
│ │ ├── postmark.rs # Postmark API
│ │ ├── brevo.rs # Brevo (Sendinblue) API
│ │ ├── sendpulse.rs # SendPulse API (OAuth2)
│ │ ├── mailgun.rs # Mailgun API
│ │ ├── moosend.rs # Moosend API
│ │ ├── mandrill.rs # Mandrill (Mailchimp Transactional) API
│ │ ├── sparkpost.rs # SparkPost API
│ │ └── smtp.rs # Custom SMTP
│ ├── security/ # Security module
│ │ ├── mod.rs # Captcha dispatch, spam dispatch, constant-time comparison, helpers
│ │ ├── auth.rs # Auth guards (Admin/Editor/Author/Authenticated), sessions, password
│ │ ├── firewall/ # Firewall module
│ │ │ └── fairing.rs # Firewall fairing (bot/XSS/SQLi/geo-blocking/rate-limit/HSTS)
│ │ ├── mfa.rs # TOTP secret, QR code, verify, recovery codes
│ │ ├── passkey.rs # WebAuthn config, credential storage, reg/auth state management
│ │ ├── magic_link.rs # Token gen, email send, verify, cleanup
│ │ ├── password_reset.rs # Password reset flow
│ │ ├── recaptcha.rs # Google reCAPTCHA v2/v3
│ │ ├── turnstile.rs # Cloudflare Turnstile
│ │ ├── hcaptcha.rs # hCaptcha
│ │ ├── akismet.rs # Akismet spam detection
│ │ ├── cleantalk.rs # CleanTalk spam detection
│ │ └── oopspam.rs # OOPSpam spam detection
│ ├── models/ # Data models (Post, Portfolio, Category, Order, User, etc.)
│ └── routes/
│ ├── admin/ # Admin panel routes (modular)
│ │ ├── mod.rs # Shared helpers, route registration
│ │ ├── dashboard.rs # Dashboard route
│ │ ├── posts.rs # Posts CRUD
│ │ ├── portfolio.rs # Portfolio CRUD
│ │ ├── comments.rs # Comments moderation
│ │ ├── categories.rs # Categories & tags CRUD
│ │ ├── media.rs # Media library & uploads
│ │ ├── settings.rs # Settings page & save
│ │ ├── designs.rs # Design management
│ │ ├── import.rs # WordPress & Velocty import
│ │ ├── health.rs # Health dashboard & tools
│ │ ├── users.rs # User management & MFA
│ │ ├── firewall.rs # Firewall dashboard & ban/unban
│ │ ├── sales.rs # Sales dashboard & orders
│ │ ├── seo_audit.rs # SEO Audit dashboard
│ │ └── api.rs # Admin JSON API (stats, SEO, PageSpeed)
│ ├── api.rs # Public API (likes, comments, portfolio filter)
│ ├── public.rs # Public-facing pages (blog, portfolio, archives)
│ ├── ai/ # AI API routes (suggest, generate, status)
│ ├── commerce/ # Payment provider routes (paypal, stripe, razorpay, etc.)
│ └── security/ # Auth & security routes
│ └── auth/ # Login, MFA, magic link, passkey, setup, logout
├── website/
│ ├── site/ # Site-specific data (single-site mode)
│ │ ├── db/velocty.db # SQLite database
│ │ ├── uploads/ # User uploads
│ │ └── designs/ # Saved page designs
│ ├── templates/ # Tera templates (admin panel + super admin)
│ ├── static/ # CSS, JS, images, TinyMCE
│ ├── sites.db # Central registry (multi-site mode only)
│ └── sites/ # Per-site data with UUID folders (multi-site mode only)
│ └── <uuid>/ # Each site mirrors the site/ structure
│ ├── db/velocty.db
│ ├── uploads/
│ └── designs/
└── GeoLite2-City.mmdb # Optional GeoIP database
- Rocket + SQLite scaffold with full schema
- Admin panel with dark/light themes
- Journal: posts with TinyMCE, categories, tags, comments, RSS
- Portfolio: upload, masonry grid, lightbox, categories, tags, likes
- Browse by tag & category with pagination for both blog and portfolio
- Archives page (posts grouped by year/month)
- Dynamic URL slugs for blog and portfolio (configurable from settings)
- SEO Check button on post/portfolio editors (10-point analysis with A–F grade)
- SEO Audit Dashboard with auto-scoring, bulk rescan, PageSpeed Insights integration
- Built-in SEO: meta fields, sitemap.xml, JSON-LD, OG/Twitter tags
- Built-in analytics with D3.js dashboard
- WordPress XML importer
- 16 settings sections with full configuration
- Authentication: password, Magic Link, Passkey (WebAuthn), MFA, captcha
- Login & comment rate limiting (in-memory, IP-based)
- Image right-click protection (configurable)
- 7 commerce provider configurations
- 11 email provider configurations
- Multi-site/multi-tenancy (optional
--features multi-siteCargo flag)- Per-site databases: SQLite files in UUID-named folders, or per-site MongoDB databases (
velocty_site_<uuid>) - Central
sites.dbregistry with hostname → UUID mapping - Super Admin panel at
/super/for managing all sites SiteResolverfairing for Host-based routingSiteStoreManagerwithDashMap-cached per-siteArc<dyn Store>instances
- Per-site databases: SQLite files in UUID-named folders, or per-site MongoDB databases (
- 7 payment providers: PayPal (JS SDK), Stripe (Checkout + webhook), Razorpay (JS modal + HMAC verify), Mollie (redirect + API webhook), Square (redirect + HMAC webhook), 2Checkout (redirect + MD5 IPN), Payoneer (redirect + webhook)
- Per-item payment provider selection (dropdown if >1 enabled, auto-assign if 1)
- Order pipeline: create pending → provider checkout → finalize (download token + license key + email)
- Token-based secure downloads with configurable expiry and max download count
- Optional download file path per portfolio item (falls back to featured image)
- License key generation per purchase (XXXX-XXXX-XXXX-XXXX)
- Buyer email notifications via Gmail SMTP or custom SMTP
- Sales dashboard (revenue stats, order counts) + Orders page (filterable, paginated)
- Price auto-format in editor (25 → 25.00)
- Zero
.unwrap()calls in all commerce routes — safe error handling throughout
- GrapesJS integration for drag-and-drop page layout design
- Design management: create, edit, duplicate, delete, activate, preview
- Custom components for content placeholders
- Pluggable LLM connector with failover chain (Ollama → OpenAI → Gemini → Groq → Cloudflare Workers AI)
- Provider-agnostic
ai::complete()— automatic failover to next enabled provider on failure - SEO suggestions: ✨ buttons on Slug, Tags, Meta Title, Meta Description fields
- Blog post generation from description (title, HTML content, excerpt, tags — all in one shot)
- TinyMCE inline assist: select text → ✨ AI menu → Expand, Rewrite, Summarise, Continue, More Formal, More Casual
- AI features conditionally shown only when at least one provider is enabled
- All AI responses parsed with robust JSON extraction (handles markdown fences, leading text)
- Settings UI: per-provider configuration, draggable failover chain ordering, model download for local LLM
- Zero hardcoded API keys — all credentials stored in settings DB
- Multi-user system — users table with roles (admin/editor/author/subscriber), status (active/suspended/locked), per-user MFA
- Auth guards — AdminUser, EditorUser, AuthorUser, AuthenticatedUser with role-based route gating
- User management UI — admin page with create/edit/suspend/lock/unlock/delete
- Firewall fairing — bot detection, failed login tracking, auto-ban, XSS/SQLi/path traversal protection, rate limiting, geo-blocking, security headers
- Password reset — email-based flow
- Background tasks — tokio-spawned cleanup loops for sessions, magic link tokens, analytics data with configurable intervals
- Settings search — client-side search across all 16 settings tabs with
/keyboard shortcut and sub-tab navigation - Editor enhancements — inline category creation (JSON API), publish date picker, category edit on list page
Detailed documentation is in the docs/ folder:
- Architecture.md — Technical architecture, auth system, design system, render pipeline, AI integration, full settings reference, database schema
- DESIGN.md — Visual design specification for admin panel and default visitor design, color palettes (dark & light), wireframes, responsive breakpoints
- MULTI-SITE.md — Multi-site/multi-tenancy architecture: storage layout, central registry schema, request flow, key types, super admin panel, routing strategy, feature flag boundaries
- README-CMS.md — Original CMS specification, feature overview, editor details, database schema
All rights reserved. See LICENSE for details.