docs: auto-generate API route documentation

Signed-off-by: NotAShelf <raf@notashelf.dev>
Change-Id: Id0d1f9769b7ccdbf83d5fa78adef62e46a6a6964

docs/api/users.md

@@ -0,0 +1,207 @@
+# Users
+
+User and library access management
+
+## Endpoints
+
+### GET /api/v1/admin/users
+
+List all users (admin only)
+
+**Authentication:** Required (Bearer JWT)
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | List of users |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+
+---
+
+### POST /api/v1/admin/users
+
+Create a new user (admin only)
+
+**Authentication:** Required (Bearer JWT)
+
+#### Request Body
+
+username, password, role, and optional profile fields
+`Content-Type: application/json`
+
+See `docs/api/openapi.json` for the full schema.
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | User created |
+| 400 | Bad request |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+| 500 | Internal server error |
+
+---
+
+### GET /api/v1/admin/users/{id}
+
+Get a specific user by ID
+
+**Authentication:** Required (Bearer JWT)
+
+#### Parameters
+
+| Name | In | Required | Description |
+|------|----|----------|-------------|
+| `id` | path | Yes | User ID |
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | User details |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+| 404 | Not found |
+
+---
+
+### PATCH /api/v1/admin/users/{id}
+
+Update a user
+
+**Authentication:** Required (Bearer JWT)
+
+#### Parameters
+
+| Name | In | Required | Description |
+|------|----|----------|-------------|
+| `id` | path | Yes | User ID |
+
+#### Request Body
+
+Optional password, role, or profile fields to update
+`Content-Type: application/json`
+
+See `docs/api/openapi.json` for the full schema.
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | User updated |
+| 400 | Bad request |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+| 404 | Not found |
+
+---
+
+### DELETE /api/v1/admin/users/{id}
+
+Delete a user (admin only)
+
+**Authentication:** Required (Bearer JWT)
+
+#### Parameters
+
+| Name | In | Required | Description |
+|------|----|----------|-------------|
+| `id` | path | Yes | User ID |
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | User deleted |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+| 404 | Not found |
+
+---
+
+### GET /api/v1/admin/users/{id}/libraries
+
+Get user's accessible libraries
+
+**Authentication:** Required (Bearer JWT)
+
+#### Parameters
+
+| Name | In | Required | Description |
+|------|----|----------|-------------|
+| `id` | path | Yes | User ID |
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | User libraries |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+
+---
+
+### POST /api/v1/admin/users/{id}/libraries
+
+Grant library access to a user (admin only)
+
+**Authentication:** Required (Bearer JWT)
+
+#### Parameters
+
+| Name | In | Required | Description |
+|------|----|----------|-------------|
+| `id` | path | Yes | User ID |
+
+#### Request Body
+
+`Content-Type: application/json`
+
+See `docs/api/openapi.json` for the full schema.
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | Access granted |
+| 400 | Bad request |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+
+---
+
+### DELETE /api/v1/admin/users/{id}/libraries
+
+Revoke library access from a user (admin only)
+
+Uses a JSON body instead of a path parameter because `root_path` may contain
+slashes that conflict with URL routing.
+
+**Authentication:** Required (Bearer JWT)
+
+#### Parameters
+
+| Name | In | Required | Description |
+|------|----|----------|-------------|
+| `id` | path | Yes | User ID |
+
+#### Request Body
+
+`Content-Type: application/json`
+
+See `docs/api/openapi.json` for the full schema.
+
+#### Responses
+
+| Status | Description |
+|--------|-------------|
+| 200 | Access revoked |
+| 400 | Bad request |
+| 401 | Unauthorized |
+| 403 | Forbidden |
+
+---
+