# Batch 10 — API Documentation Update

## File Changed
- `docs/API.md`

## Exact Changes Made

### 1. Added `POST /api/content/:cxid/report` endpoint
Inserted a new endpoint section between `GET /api/content/:cxid/file/:file_idx/raw` and `POST /api/content/:cxid/verify-password`.

- **Auth:** None
- **Body:** `{ "reason": "string" }`
- **Behavior documented:** Validates cxid, checks content is active, inserts report with `reporter_user_id = 0` (web), forwards notification to all `review_group_ids` via Telegram Bot API
- **Response:** `204 No Content` on success, `404 Not Found` if content not found/deleted/blacklisted
- **Rate limiting:** Covered by the general API governor

### 2. Updated `GET /api/content/:cxid/file/:file_idx` view counter note
Changed the note from:
> "Range requests and `If-None-Match` (ETag) matches do **not** increment the counter."

To:
> "Range requests, `If-None-Match` (ETag) matches, and HEAD requests do **not** increment the counter."

### 3. Added "Password Flow" subsection under General Behavior
Inserted after "Rate Limiting" and before "Fallback / Static Assets" to clarify:
- The `sc` query parameter is checked on both the metadata endpoint (`GET /api/content/:cxid`) and the file endpoints (`GET /api/content/:cxid/file/:file_idx`, `GET /api/content/:cxid/file/:file_idx/raw`).
- When valid, the server sets an HMAC-signed `cgcx_pw` cookie on the response.
- Passwords can also be provided via the `cgcx_pw` cookie.
- For programmatic verification, use `POST /api/content/:cxid/verify-password`.