✨ feat: enhance admin UI configuration and SSR handling

- Add support for number chip arrays and JSON editor in admin UI config.
- Introduce pagebuilder block registry for Svelte components in admin previews.
- Implement custom role names and a 3-layer cascade model for field-level permissions.
- Add CORS configuration hierarchy for better API security.
- Update project setup instructions for admin token and config management.
- Improve SSR 404 signaling with proper context handling in NotFound component.
- Refactor routing structure to separate NotFound page into its own route.

api/hooks/ssr/AGENTS.md

@@ -29,3 +29,11 @@ Server-side rendering via goja (Go JS runtime) with HTML caching.
 - SSR route validation is active in `config.js`.
 - Public page URLs are language-prefixed (`/de/...`, `/en/...`), while `content.path` in the DB is stored without that prefix.
 - `ssrValidatePath()` must strip the language prefix before querying content and return a canonical language-prefixed URL when needed.
+
+## 404 signaling
+
+The SSR hook (`get_read.js`) checks `context.is404` after rendering to determine the HTTP status code. If `true`, it returns HTTP 404 with the rendered 404 page HTML (and does not cache the result).
+
+`NotFound.svelte` sets `context.is404 = true` during SSR. When the component renders (only when the page is not found), its top-level script sets the flag. The goja runtime provides `context` as a global during SSR, so it's available from the compiled frontend code.
+
+When adding a 404 page or changing the not-found logic, ensure `context.is404` is still set during SSR.