Just keep it simple for once.
feat: access the URLs by sending origin/referrer allowDomain and the right user-id.
feat: add allowlist of URLs that can access the Admin API.
feat: add authentication with better-auth.
feat: check out important CMS options out there.
feat: find out what is missing: simplicity.