feat: Settings hub, automation API, bundled docs, npm migration

[salexson]

Summary

This PR contributes product and documentation changes only. It does not include GitHub Actions/workflows, custom .github/actions, or any Ansible / deploy/ automation (those remain on my fork for personal CI and test-server deploy).

Admin UI and credentials

• Settings hub with tabs: Default site, DNS credentials, External credential stores, API keys, Webhooks
• Removed standalone Credentials page; /credentials redirects to /settings?tab=dns-credentials
• Users with credentials-only permission can open Settings for the DNS tab without full admin
• External credential providers: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, Infisical (Universal Auth), HTTP OIDC
• DNS credentials stored under /data; certificates support credential_ref; legacy credential migration API and UI

Automation API and jobs

• API keys (npmak_…), webhooks with HMAC verification, async certificate jobs (GET /api/jobs/{id})
• Expanded OpenAPI schema, operation-descriptions.json, Vacuum-friendly operation descriptions
• Access control JSON extended for new resources

Documentation

• VitePress site bundled at /docs/; in-app /documentation with allowlisted ?section= iframe links
• Redoc and Swagger UI under /docs/api-reference/; dev Swagger on port 3082
• Sample nginx config for same-origin Swagger “Try it out”: docker/docs-api-proxy.conf.example
• Help docs and rehype-sanitize on HelpModal markdown

Security hardening

• res.json() on API routes; upload size limits and safeFileNames on express-fileupload
• Safer setup-mode user roles (applied after apiValidator)
• SECURITY.md and .snyk policy for express-fileupload (no upstream patch available; mitigations documented)

Tooling and build

• npm and package-lock.json across frontend, backend, test, and docs (Yarn removed)
• scripts/frontend-build, scripts/docs-build, Docker npm ci
• scripts/sync-version.py and docs/VERSIONING.md aligned with upstream versioning (.version file)

Bug fixes and polish

• IPv6-less host startup / setup.js promise chain
• Biome accessibility and hooks fixes; duplicate documentation sidebar removed
• Infisical secretPath / secret key resolution fix

Manual testing status

External credential store support includes Vault, AWS Secrets Manager, Azure Key Vault, Infisical (Universal Auth), and HTTP OIDC. Only Infisical has been manually tested end-to-end so far. The other providers are implemented but not yet verified against live backends.

Out of scope (intentionally excluded)

• All .github/workflows and .github/actions (fork CI, Docker publish, Infisical OIDC action, OpenAPI CI, etc.)
• Entire deploy/ tree (Ansible playbooks, inventory, test-server roles)
• Fork-only publish helpers (build-push.ps1, publish-semver, docker-compose.hub.yml)

Test plan

• npm ci and npm run build in frontend/, backend/, docs/, test/
• Fresh install: setup wizard, login, Settings tabs (DNS + external stores + API keys + webhooks)
• Create proxy host and certificate with credential_ref and external provider
• API key auth and webhook delivery; poll GET /api/jobs/{id} for cert job
• Open /documentation and bundled /docs/; Swagger “Try it out” with docker/docs-api-proxy.conf.example pattern
• Redirect from /credentials to Settings DNS tab
• Infisical external credential store: create provider, test connection, resolve secret for certificate flow (manually verified)
• Vault / AWS / Azure / HTTP OIDC external credential stores (not yet manually verified)

[nginxproxymanagerci]

Docker Image for build 10 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5630

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!