docs: update API ref, configuration, README, and CHANGELOG for v0.4.0

- docs/api.md: add settings endpoints (GET/PUT /api/admin/settings,
  GET /api/settings) and media endpoints (upload, list, delete, static
  serve note)
- docs/configuration.md: add Webhook, Media, S3, and SMTP sections;
  update example .env with all new vars
- README.md: add Media Library and Site Settings sections; update
  admin dashboard table and key variables table
- CHANGELOG.md: write v0.4.0 entry

Author: srmdn

CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## v0.4.0 (2026-04-04)
+
+Media library, site settings, and S3-compatible storage.
+
+- **Media library**: upload, browse, and delete images from the dashboard (`/admin/media`)
+- **Editor image insert**: insert images by URL from the toolbar; paste an image directly into the editor to auto-upload
+- **S3-compatible storage**: set `MEDIA_STORAGE=s3` to store files in AWS S3, Cloudflare R2, NevaObjects, MinIO, or any S3-compatible provider
+- **Site settings**: editable site metadata (`site_name`, `site_description`, `social_github`, `social_twitter`, `social_linkedin`) stored in the database and exposed via `GET /api/settings` for themes
+- New env vars: `SITE_URL`, `MEDIA_STORAGE`, `S3_ENDPOINT`, `S3_BUCKET`, `S3_REGION`, `S3_ACCESS_KEY`, `S3_SECRET_KEY`, `S3_PUBLIC_URL`
+- `docs/api.md`, `docs/configuration.md`, `README.md` updated with all new features
+
+---
+
 ## v0.3.0 (2026-04-01)
 
 Built-in admin dashboard. No separate service or install step required.

README.md

@@ -82,6 +82,8 @@ Key variables:
 | `THEME_DIR` | `theme` | Path to the theme directory |
 | `THEME_BUILD_CMD` | `npm run build` | Command to rebuild the theme |
 | `THEME_SERVICE` | (none) | systemd service name to restart after rebuild |
+| `SITE_URL` | `http://localhost:8090` | Base URL used for media file URLs |
+| `MEDIA_STORAGE` | `local` | Storage backend: `local` or `s3` |
 
 ## Admin Dashboard
 
@@ -91,11 +93,42 @@ Folio includes a built-in admin dashboard at `/admin`. No separate service or in
 |------|-------------|
 | `/admin/login` | Sign in |
 | `/admin/posts` | Create, edit, publish, and delete posts |
+| `/admin/media` | Upload, browse, and delete images |
 | `/admin/subscribers` | View and remove newsletter subscribers |
-| `/admin/settings` | Trigger a site rebuild and view build status |
+| `/admin/settings` | Edit site settings, trigger a rebuild, view build status |
 
 The post editor uses [Milkdown](https://milkdown.dev), a WYSIWYG Markdown editor with support for headings, lists, code blocks, tables, and more. Press **Cmd+S** (or **Ctrl+S** on Windows/Linux) to save at any time.
 
+## Media Library
+
+The media library lets you upload images from the dashboard and insert them directly into posts.
+
+By default, images are stored on disk in a `media/` directory next to `CONTENT_DIR` and served at `/media/{key}`. To use S3-compatible object storage instead (AWS S3, Cloudflare R2, NevaObjects, MinIO), set `MEDIA_STORAGE=s3` and the `S3_*` variables in `.env`:
+
+```env
+MEDIA_STORAGE=s3
+S3_ENDPOINT=https://s3.nevaobjects.id
+S3_BUCKET=my-bucket
+S3_REGION=auto
+S3_ACCESS_KEY=your-access-key
+S3_SECRET_KEY=your-secret-key
+S3_PUBLIC_URL=https://s3.nevaobjects.id/my-bucket
+```
+
+See [docs/configuration.md](docs/configuration.md) for provider-specific endpoint examples.
+
+## Site Settings
+
+Site metadata is stored in the database and can be updated from the dashboard at `/admin/settings` without restarting the server. The public `GET /api/settings` endpoint exposes these values to themes.
+
+| Key | Description |
+|-----|-------------|
+| `site_name` | Display name of the site |
+| `site_description` | Short description used in meta tags |
+| `social_github` | GitHub profile or repo URL |
+| `social_twitter` | Twitter/X profile URL |
+| `social_linkedin` | LinkedIn profile URL |
+
 ## API
 
 Full API reference: [docs/api.md](docs/api.md)

docs/api.md

@@ -335,3 +335,128 @@ Get the current rebuild status.
 | `running` | Build in progress |
 | `success` | Last build succeeded |
 | `failed` | Last build failed; see `error` field |
+
+---
+
+### `GET /api/settings`
+
+Get all site settings. Public endpoint — intended for themes to read site metadata.
+
+**Response `200`**
+```json
+{
+  "site_name": "My Blog",
+  "site_description": "A personal blog about Go and systems.",
+  "social_github": "https://github.com/example",
+  "social_twitter": "https://twitter.com/example",
+  "social_linkedin": ""
+}
+```
+
+Returns a flat key/value object. Keys with no value set return an empty string.
+
+---
+
+### `GET /api/admin/settings`
+
+Get all site settings (protected). Same response shape as `GET /api/settings`.
+
+---
+
+### `PUT /api/admin/settings`
+
+Update one or more site settings (protected + CSRF).
+
+**Request body**
+```json
+{
+  "site_name": "My Blog",
+  "site_description": "A personal blog about Go and systems.",
+  "social_github": "https://github.com/example",
+  "social_twitter": "",
+  "social_linkedin": ""
+}
+```
+
+Only known keys are accepted. Unknown keys return `400`.
+
+| Key | Description |
+|-----|-------------|
+| `site_name` | Display name of the site |
+| `site_description` | Short description used in meta tags |
+| `social_github` | GitHub profile or repo URL |
+| `social_twitter` | Twitter/X profile URL |
+| `social_linkedin` | LinkedIn profile URL |
+
+**Response `204`** No content.
+
+**Errors**: `400` invalid JSON or unknown key
+
+---
+
+### `POST /api/admin/media`
+
+Upload an image file (protected + CSRF). Accepts `multipart/form-data`.
+
+**Form field**: `file` — the image to upload.
+
+**Constraints**:
+- Max file size: 10 MB
+- Allowed types: `image/jpeg`, `image/png`, `image/gif`, `image/webp`, `image/svg+xml`
+- Content type is detected from file bytes, not the `Content-Type` header
+
+**Response `201`**
+```json
+{
+  "key": "550e8400-e29b-41d4-a716-446655440000-photo.jpg",
+  "filename": "photo.jpg",
+  "content_type": "image/jpeg",
+  "size": 204800,
+  "url": "https://example.com/media/550e8400-e29b-41d4-a716-446655440000-photo.jpg",
+  "created_at": "2026-04-01T10:00:00Z"
+}
+```
+
+**Errors**: `400` missing file or invalid form, `415` unsupported file type, `413` file too large
+
+---
+
+### `GET /api/admin/media`
+
+List all uploaded files (protected + CSRF). Returns newest first.
+
+**Response `200`**
+```json
+[
+  {
+    "key": "550e8400-e29b-41d4-a716-446655440000-photo.jpg",
+    "filename": "photo.jpg",
+    "content_type": "image/jpeg",
+    "size": 204800,
+    "url": "https://example.com/media/550e8400-e29b-41d4-a716-446655440000-photo.jpg",
+    "created_at": "2026-04-01T10:00:00Z"
+  }
+]
+```
+
+Returns `[]` if no files have been uploaded.
+
+---
+
+### `DELETE /api/admin/media/{key}`
+
+Delete an uploaded file by key (protected + CSRF). Removes the file from storage and the database record.
+
+**Response `204`** No content.
+
+**Errors**: `400` missing key, `500` storage or database error
+
+---
+
+## Static File Serving
+
+### `GET /media/{key}`
+
+Serves an uploaded file by key. Only available when `MEDIA_STORAGE=local` (default).
+When using S3-compatible storage, files are served directly from the bucket via the `url` field
+returned by the upload and list endpoints.

docs/configuration.md

@@ -68,6 +68,67 @@ exposed. Consider unsetting them or using interactive setup instead.
 
 ---
 
+## Webhook
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `WEBHOOK_SECRET` | _(empty)_ | Optional. If set, enables `POST /api/webhook/rebuild`. Pass the secret via `X-Webhook-Secret` header or `Authorization: Bearer`. |
+
+---
+
+## Media Library
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SITE_URL` | `http://localhost:8090` | Base URL of the site. Used to build absolute URLs for locally stored media files. |
+| `MEDIA_STORAGE` | `local` | Storage backend. `local` stores files on disk; `s3` uses any S3-compatible provider. |
+
+When `MEDIA_STORAGE=local`, uploaded files are stored in a `media/` directory next to `CONTENT_DIR`
+and served at `GET /media/{key}`.
+
+---
+
+## S3-Compatible Storage
+
+Required when `MEDIA_STORAGE=s3`. Supports AWS S3, Cloudflare R2, NevaObjects, MinIO, and any
+S3-compatible provider.
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `S3_ENDPOINT` | _(required)_ | API endpoint of the S3 provider. |
+| `S3_BUCKET` | _(required)_ | Bucket name. |
+| `S3_REGION` | `auto` | Region. Use `auto` for providers that don't require one (R2, NevaObjects). |
+| `S3_ACCESS_KEY` | _(required)_ | Access key ID. |
+| `S3_SECRET_KEY` | _(required)_ | Secret access key. |
+| `S3_PUBLIC_URL` | _(required)_ | Base URL prepended to file keys for public access. |
+
+Provider-specific endpoint and public URL examples:
+
+| Provider | `S3_ENDPOINT` | `S3_PUBLIC_URL` |
+|----------|--------------|-----------------|
+| AWS S3 | `https://s3.<region>.amazonaws.com` | `https://<bucket>.s3.<region>.amazonaws.com` |
+| Cloudflare R2 | `https://<account_id>.r2.cloudflarestorage.com` | your custom domain or R2 public URL |
+| NevaObjects | `https://s3.nevaobjects.id` | `https://s3.nevaobjects.id/<bucket>` |
+| MinIO | `https://minio.example.com` | `https://minio.example.com/<bucket>` |
+
+---
+
+## SMTP (Newsletter)
+
+Required to send newsletters via `POST /api/admin/newsletter/send`.
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SMTP_HOST` | _(empty)_ | SMTP server hostname, e.g. `smtp.mailgun.org` |
+| `SMTP_PORT` | `587` | SMTP port |
+| `SMTP_USERNAME` | _(empty)_ | SMTP username |
+| `SMTP_PASSWORD` | _(empty)_ | SMTP password |
+| `SMTP_FROM` | _(empty)_ | Sender address, e.g. `newsletter@example.com` |
+
+If `SMTP_HOST` is not set, the newsletter send endpoint returns `503`.
+
+---
+
 ## Example `.env`
 
 ```env
@@ -80,6 +141,26 @@ JWT_SECRET=your-generated-secret-here
 THEME_DIR=theme
 THEME_BUILD_CMD=npm run build
 THEME_SERVICE=
+
+# Media (local storage, default)
+SITE_URL=https://example.com
+MEDIA_STORAGE=local
+
+# Media (S3-compatible storage, uncomment to use)
+# MEDIA_STORAGE=s3
+# S3_ENDPOINT=https://s3.nevaobjects.id
+# S3_BUCKET=my-bucket
+# S3_REGION=auto
+# S3_ACCESS_KEY=
+# S3_SECRET_KEY=
+# S3_PUBLIC_URL=https://s3.nevaobjects.id/my-bucket
+
+# Newsletter (optional)
+# SMTP_HOST=smtp.mailgun.org
+# SMTP_PORT=587
+# SMTP_USERNAME=
+# SMTP_PASSWORD=
+# SMTP_FROM=newsletter@example.com
 ```
 
 ---