ADR 0007: Decap CMS for Docs Editing

Status

Accepted — 2026-01-28

Context

The RCS internal documentation is maintained in Markdown/MDX files within a Git repository. While this approach provides excellent version control and developer workflow integration, it creates barriers for non-technical stakeholders who need to contribute to or review documentation.

Requirements

GUI editing for documentation without requiring Git knowledge
Security through existing Cloudflare Access infrastructure
No password management (magic-link authentication only)
Git as source of truth (all changes version-controlled)
Automatic deployment via existing Cloudflare Pages pipeline
Minimal maintenance burden
Monorepo-safe implementation (no impact on marketing site)

Constraints

Must not introduce a separate user database
Must not require additional hosting infrastructure
Must integrate with existing GitHub repository
Must respect Cloudflare Access security boundaries
Must not add complexity to the build process

Decision

We will integrate Decap CMS (formerly Netlify CMS) into the Astro Starlight documentation site with the following architecture:

Implementation

Static CMS files in apps/docs/public/admin/
- index.html: Minimal HTML shell loading Decap CMS from CDN
- config.yml: CMS configuration with GitHub backend
GitHub OAuth backend
- Repository: adamsdsit/rcsweb_v2
- Branch: main
- Publish mode: Simple (direct commits, no editorial workflow)
Two-layer authentication
- Layer 1: Cloudflare Access (email magic-link)
- Layer 2: GitHub OAuth (repository write access)
Collections matching existing docs structure
- Architecture, ADRs, Diagrams, Marketing, Platform, Security, Operations
- All collections support MDX format with frontmatter
No npm dependencies
- CMS loaded from CDN (unpkg.com)
- No build-time integration required
- No Astro routes or components

Authentication Flow

Editor → Cloudflare Access (magic link) → CMS Interface → GitHub OAuth → Edit Content → Commit to GitHub → Cloudflare Pages Deploy

Alternatives Considered

1. TinaCMS

Pros:

Modern React-based UI
Real-time preview
Strong TypeScript support

Cons:

Requires npm dependencies and build integration
More complex setup and maintenance
Heavier bundle size
Overkill for our simple use case

Decision: Rejected due to complexity and maintenance burden.

2. Forestry.io / CloudCannon

Pros:

Hosted solution (no self-hosting)
Professional UI
Built-in media management

Cons:

Requires separate account/subscription
External dependency
Less control over authentication
Potential vendor lock-in

Decision: Rejected due to external dependency and cost.

3. Contentful / Sanity

Pros:

Powerful headless CMS
Rich content modeling
API-first approach

Cons:

Requires separate hosting
Git is no longer source of truth
Complex migration path
Overkill for markdown-based docs

Decision: Rejected because we want Git as the source of truth.

4. Custom Admin Interface

Pros:

Full control over features
Tailored to exact needs
No external dependencies

Cons:

Significant development time
Ongoing maintenance burden
Security responsibility
Reinventing the wheel

Decision: Rejected due to development and maintenance cost.

5. Direct GitHub Web Editor

Pros:

No additional tools needed
Native Git integration
Zero setup

Cons:

Poor UX for non-technical users
No preview functionality
Requires GitHub account knowledge
No media upload workflow

Decision: Rejected due to poor UX for non-technical stakeholders.

Consequences

Positive

Low maintenance: CMS updates automatically from CDN
No user database: Cloudflare Access handles authentication
Full audit trail: All changes tracked in Git history
Automatic deployment: Existing Cloudflare Pages pipeline
Monorepo-safe: No impact on marketing site or other packages
Security: Two-layer authentication (Cloudflare Access + GitHub OAuth)
Rollback-friendly: Delete public/admin to disable CMS
No build complexity: Static files only, no npm dependencies

Negative

Manual setup required: GitHub OAuth and Cloudflare Access must be configured manually
Limited preview: No real-time preview (must commit to see changes)
GitHub dependency: Editors must have GitHub accounts with repo access
Netlify OAuth dependency: Uses Netlify’s OAuth service even when not hosted on Netlify
No editorial workflow: Direct commits to main (no draft/review states)

Neutral

CDN dependency: CMS loaded from unpkg.com (acceptable risk)
Email-based access: Editors must use approved email addresses
Session duration: 24-hour Cloudflare Access sessions (requires daily re-authentication)

Implementation Notes

File Structure

apps/docs/
├── public/
│   └── admin/
│       ├── index.html          # CMS interface shell (13 lines)
│       └── config.yml          # CMS configuration (118 lines)
├── ADMIN_ACCESS.md             # Editor documentation (265 lines)
└── SETUP.md                    # Administrator guide (336 lines)

Security Boundaries

The CMS can ONLY edit:

Markdown/MDX files in src/content/docs
Upload images to public/images

The CMS CANNOT access:

Site configuration files
Build scripts or deployment settings
Marketing site (apps/site)
Repository settings or workflows
Other monorepo packages

Deployment

Commit CMS files to repository
Cloudflare Pages automatically deploys
Configure GitHub OAuth App
Add environment variables to Cloudflare Pages
Configure Cloudflare Access policy for /admin

Monitoring and Review

Access audit: Review Cloudflare Access logs monthly
Commit audit: Review GitHub commit history for CMS commits
Editor list: Review approved editors quarterly
Security review: Annual review of OAuth tokens and access policies

References

Decap CMS Documentation: https://decapcms.org/docs/
Cloudflare Access Documentation: https://developers.cloudflare.com/cloudflare-one/applications/
GitHub OAuth Documentation: https://docs.github.com/en/developers/apps/building-oauth-apps
Implementation: Decap CMS Operations Guide