LightCMS Version History

All notable changes to LightCMS, organized by version. Source: CHANGELOG.md


v3.0.0 — Dynamic Index Pages: Tags, Snippets & lc:query

The most significant content modelling capability added since v1.0 — a first-class system for building dynamic, automatically-updated index pages.

Content Tagging

  • Tags field on all content items — Any content item can carry zero or more freeform string labels, set in the admin editor or via {"tags": [...]} in the REST API
  • Full API support — GET /api/v1/content?tag=TAGNAME filters by tag; PUT /api/v1/content/{id} accepts a tags array
  • Tags are exact-match strings with preserved capitalization, indexed in MongoDB for efficient filtering

Snippets

  • New snippets collection — Named HTML template fragments with Go template variable support
  • Admin UI at /cm/snippets — Create, edit, and delete snippets with a live editor
  • REST API — Full CRUD at /api/v1/snippets
  • Available variables — {{.Title}}, {{.FullPath}}, {{.Slug}}, {{.MetaDescription}}, {{.PublishedAt}}
  • Rendered through Go’s html/template — safe from XSS by default

lc:query Directives

  • Embed live content queries in template layouts — Using HTML comment syntax: <!-- lc:query filter="tag:X" snippet="name" -->
  • Processed at page generation time, replaced with rendered output of all matching published content items
  • Filter options — tag, category, template, folder
  • Sort options — title:asc, title:desc, created_at:asc, created_at:desc
  • Multiple directives per template — each is an independent query

Automatic Cascade Regeneration

  • Auto-regeneration — When tagged content is published or updated, all index pages whose templates contain lc:query directives are automatically regenerated
  • Also triggers when a template layout or snippet is updated

New MCP Tools (5 added, 54 → 59 total)

  • list_snippets — list all snippets
  • get_snippet — retrieve a snippet by ID or name
  • create_snippet — create a new named HTML snippet
  • update_snippet — update a snippet’s name or HTML
  • delete_snippet — delete a snippet

Security Fix

  • XSS in lc:query default fallback — When no snippet attribute was specified, title and path were concatenated without escaping. Fixed to use template.HTMLEscapeString()
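
The bug class behind this fix, as an added example that is not LightCMS source code: a minimal directive expander with an unescaped fallback beside an escaped one. The Item type, the function names and the <li><a> fallback markup are assumptions; only the directive syntax and template.HTMLEscapeString come from the changelog.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
)

// Item is a hypothetical stand-in for a published content item.
type Item struct{ Title, FullPath string }
// Matches the directive syntax from the changelog: <!-- lc:query k="v" ... -->
var directiveRE = regexp.MustCompile(`<!--\s*lc:query\s+(.*?)\s*-->`)
var attrRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// fallbackUnsafe shows the bug class: values concatenated straight into markup.
func fallbackUnsafe(it Item) string {
	return `<li><a href="` + it.FullPath + `">` + it.Title + `</a></li>`
}

// fallbackSafe escapes both values before they reach the markup.
func fallbackSafe(it Item) string {
	return `<li><a href="` + template.HTMLEscapeString(it.FullPath) + `">` +
		template.HTMLEscapeString(it.Title) + `</a></li>`
}

// expand swaps each directive lacking a snippet attribute for the fallback list.
func expand(layout string, items []Item, render func(Item) string) string {
	return directiveRE.ReplaceAllStringFunc(layout, func(d string) string {
		body := directiveRE.FindStringSubmatch(d)[1]
		for _, m := range attrRE.FindAllStringSubmatch(body, -1) {
			if m[1] == "snippet" {
				return d // snippet rendering is out of scope for this sketch
			}
		}
		out := ""
		for _, it := range items {
			out += render(it)
		}
		return out
	})
}

func main() {
	// Constructed sample: a title and path carrying markup characters.
	items := []Item{{Title: `<script>alert(1)</script>`, FullPath: `/a"b`}}
	layout := `<ul><!-- lc:query filter="tag:news" --></ul>`
	fmt.Println(expand(layout, items, fallbackUnsafe))
	fmt.Println(expand(layout, items, fallbackSafe))
}
```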

v2.6.0 — MCP Tool Improvements

Bug Fixes

  • get_theme returned empty strings — ThemeSettings struct was missing json struct tags; all theme fields now serialize correctly via the REST API and MCP
  • search_replace_execute response missing search/replace fields — Both search_replace_execute and scoped_search_replace_execute now echo back the search and replace strings used

New MCP Feature: Rendered HTML in get_content

  • get_content now accepts an include_rendered boolean parameter
  • When true, the response includes a rendered_html field containing the fully rendered page HTML (template + theme header/footer applied)
  • Works for both published and draft content — lets agents inspect exactly what visitors see without publishing

v2.5.0 — Security Hardening

  • SSRF prevention — upload_asset_from_url blocks all private/reserved IP ranges (loopback, RFC1918, link-local, CGNAT, IPv6 ULA) before making any network request
  • ReDoS prevention — Full-text search runs under a 5-second context deadline, preventing pathological queries from pinning CPU
  • Permission checks — Search-replace preview and reindex-embeddings endpoints now require admin-only permissions
  • API rate limiting — Per-bearer-token sliding-window limiter: 300 requests per token per minute across the entire /api/v1/ subrouter
  • Asset serve_path whitelist — Upload paths restricted to /assets/, /images/, /docs/, /media/, or /files/
  • Trusted proxy IP extraction — Rate limiter uses configured trusted proxy settings, preventing IP spoofing via forged headers
  • Database indexes — Compound index on the content collection for improved query performance under load
  • Session secret validation — Server warns if secret is too short, fails hard in production if under 16 characters
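
One way to enforce the SSRF range list above, as an added example that is not LightCMS source code: the check is attached to the dialer so it applies to the address actually connected to, after DNS resolution and on every redirect. The names isBlocked, guardDial and newFetchClient and the timeouts are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/netip"
	"syscall"
	"time"
)

// cgnat is 100.64.0.0/10 (RFC 6598), which netip's IsPrivate does not cover.
var cgnat = netip.MustParsePrefix("100.64.0.0/10")

// isBlocked reports whether s is in a range named in the changelog entry:
// loopback, RFC1918, link-local, CGNAT, IPv6 ULA (plus multicast/unspecified).
func isBlocked(s string) bool {
	addr, err := netip.ParseAddr(s)
	if err != nil {
		return true // fail closed on anything that is not a literal IP
	}
	addr = addr.Unmap() // treat ::ffff:10.0.0.1 as 10.0.0.1
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsMulticast() || addr.IsUnspecified() || cgnat.Contains(addr)
}

// guardDial runs after name resolution and before connect, so a hostname that
// resolves (or later rebinds) to an internal address is still rejected.
func guardDial(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil || isBlocked(host) {
		return fmt.Errorf("blocked destination %q", address)
	}
	return nil
}

// newFetchClient returns an http.Client whose every connection passes guardDial.
func newFetchClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: guardDial}
	return &http.Client{Timeout: 30 * time.Second,
		Transport: &http.Transport{DialContext: d.DialContext}}
}

func main() {
	// Constructed sample addresses, one per blocked range plus one public address.
	for _, s := range []string{"127.0.0.1", "10.1.2.3", "169.254.169.254", "100.64.0.1", "fd00::1", "8.8.8.8"} {
		fmt.Println(s, isBlocked(s))
	}
}
```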

v2.1.0 — Agentic API Improvements

Theme Reliability

  • Theme CSS on startup — static/css/theme-vars.css is now regenerated from the database every time the server starts, preventing blank styles after a deploy or container restart

New Content Endpoints

  • Update by path — Update content by URL path instead of MongoDB ID, useful when you know the page URL but not its ID
  • Batch publish — Publish multiple content items in one call; pass an ID list or publish_all_drafts: true
  • Content preview — Render a content item’s HTML without publishing; accepts optional title/data overrides to preview unsaved edits; returns rendered_html and warnings (missing required fields, unclosed tags, unresolved placeholders)
  • Rendered HTML in get_content — include_rendered=true returns the fully rendered page HTML alongside regular content data

New Asset Endpoints

  • Upload from URL — Fetch a remote URL and store it as a LightCMS asset (HTTP/HTTPS only, 50 MB cap, MIME validation)

Theme Version Pinning

  • Pin/unpin theme versions — Lock a theme version to protect it from auto-pruning; pinned versions are marked with locked: true in version history

Scoped Search & Replace

  • Targeted replacements — Run search-and-replace filtered by content_ids, folder_path, template_name, and/or category — safer than a full site-wide replacement

New MCP Tools (13 added, 41 → 54 total)

  • update_content_by_path — update by URL path; merges data fields
  • publish_multiple — batch publish by ID list or all drafts at once
  • preview_content — render HTML without saving; supports field overrides
  • scoped_search_replace_preview / scoped_search_replace_execute — folder/template/category-scoped search & replace
  • upload_asset_from_url — fetch remote file and store as asset
  • pin_theme_version / unpin_theme_version — protect important theme milestones
  • Improved descriptions on existing tools with workflow guidance and examples

v2.0.1 — Configurable Search Ranking

  • Database-stored ranking config — All search ranking parameters now stored in the database and editable from the admin panel at Tools → End User Search → Search Ranking
  • Configurable fields — Title match boost, nav page boost, boosted template name substrings, template boost score, demoted path prefixes, demotion penalty score
  • Safety clamping — Values clamped to −1.0…1.0 to prevent accidental misconfiguration
  • Instant effect — Changes take effect immediately; in-memory cache invalidated on save
  • Search API documentation — Expanded typeahead suggest API docs, full parameter tables, response schemas, and JavaScript examples in the admin Integration Guide and README

v2.0.0 — Multi-User RBAC & Smart Search

Multi-User Access Control

  • Role-Based Access Control (RBAC) — Three roles (admin, editor, viewer) with granular permissions enforced on every admin UI page and REST API endpoint
  • User Management — Admin-only panel at /cm/users for creating users, assigning roles, disabling accounts, and resetting passwords
  • Email-based login — Authentication migrated from a single shared password to per-user email + password credentials
  • Force password change — Temporary passwords prompt a mandatory change on first login
  • Automatic migration — On first startup with an empty users collection, the existing admin password hash is carried over into a new admin user account

Audit Logging

  • Persistent audit trail — All mutations logged with acting user, action, resource, and timestamp
  • 365-day retention — Audit logs auto-expire via MongoDB TTL index
  • Filterable UI at /cm/audit — Filter by action type, resource, and date range
  • Async logging — LogAsync fire-and-forget pattern to avoid blocking request handlers

User-Scoped API Keys

  • API keys now belong to a specific user and inherit that user’s permissions
  • Admins can view and manage all keys; non-admins can only manage their own
  • Keys created before v2.0 remain functional as system-level keys with full access

Smart Search Ranking

  • Structural boost — Nav-linked pages (parsed from header HTML, cached 5 min) surface above other results
  • Template-based ranking — Concept pages rank above generic body-only content
  • Video deprioritisation — Pages under /videos/ rank below all other content types
  • Typeahead suggestions — Same structural ranking applied to prefix-match suggestions
  • Ranking priority: title+nav > title-only > nav-linked > concept pages > body-only > video transcripts

Bug Fixes

  • Fixed /cm/audit page crash caused by subtract/add template functions receiving mismatched integer types
  • Made arithmetic template functions type-flexible via interface{} dispatch

v1.4.0 — End-User Search API

  • Full-text search (/api/search?q=...) — Regex-based exact matching across all published content
  • Semantic vector search — Voyage AI embeddings stored in MongoDB Atlas; $vectorSearch pipeline for similarity queries
  • Hybrid mode — Reciprocal rank fusion (RRF, k=60) merges full-text and semantic results into a single ranked list
  • Title boosting — Results where the query appears in the page title float above body-only matches
  • Graceful degradation — Works without a Voyage API key (full-text only); automatically enables semantic search when configured
  • Rate limiting — Per-IP (10 req/min) and global (100 req/min) limits with DDoS protection
  • Embedding pipeline — Background batch generation with progress tracking in the admin panel
  • Typeahead suggestions — /api/search/suggest endpoint for prefix-matching page titles and extracted keywords
  • WARP proxy for Voyage API calls on Fly.io to avoid IP-based rate limiting
  • Upgraded embedding model from voyage-3-lite to voyage-4-lite
  • Fixed SVG assets not displaying when uploaded with /assets path prefix
  • Expanded upload allowlist to include CSS, JS, JSON, and other text-based web assets

v1.2.0 — OAuth 2.1 & HTTP MCP Transport

  • OAuth 2.1 authorization server — Full authorization code flow with PKCE (S256), dynamic client registration (RFC 7591), token rotation, and revocation (RFC 7009)
  • Remote MCP clients — HTTP streamable MCP endpoint at /mcp — connects Cowork, Claude Desktop, and any MCP-compatible app without embedding credentials
  • Discovery endpoints — /.well-known/oauth-authorization-server (RFC 8414) and /.well-known/oauth-protected-resource (RFC 9728) for automatic client setup
  • Dynamic MCP server card — /.well-known/mcp/server-card.json with full tool schemas, served live from the running server
  • Smithery registry support — smithery.yaml and packaging config for registry publication
  • Test suite: 82% → 86% coverage with CI via GitHub Actions and Codecov integration
  • Loading state feedback on OAuth authorize buttons

v1.1.0 — REST API, CLI Tool & API Keys

  • REST API at /api/v1/ — Full JSON API for all content management operations (content, templates, assets, theme, config, redirects, folders, collections)
  • API key authentication — lc_-prefixed keys stored as SHA-256 hashes; created and managed in the admin panel
  • CLI tool (cmd/cli) — Command-line interface wrapping the REST API for scripting and CI/CD workflows
  • MCP refactor — MCP tools now use the REST API client rather than direct DB access
  • Partial update support on all PUT endpoints (send only changed fields)

v1.0.0 — Initial Release

  • Content management — Create, edit, publish, and delete content using customizable templates
  • Template system — Define reusable page structures with typed fields; HTML layout with {{.field_name}} placeholders
  • Static page generation — Published content rendered to content/generated/ for fast, zero-runtime serving
  • Content versioning — Automatic version snapshots on every update; revert to any prior version
  • Soft delete — Deleted content recoverable from the admin panel
  • Content collections — Auto-generated paginated listing pages filtered by category
  • MCP server (stdio) — 43 tools for managing the entire site through AI agents
  • Theme customization — Colors, fonts, border radius, custom CSS; header/footer HTML injection with versioning
  • Asset management — Upload, organize, and serve images, documents, and other files
  • URL redirects — 301/302 rules managed from the admin panel
  • Rich text editor — TinyMCE integration for visual editing
  • Search & replace — Site-wide text replacement with preview before execution
  • Security — CSRF protection, bcrypt passwords (cost 12), session cookies (SameSite=Strict), file upload validation, login rate limiting
  • Fly.io deployment — fly.toml and Dockerfile for one-command production deploy

MIT License · Copyright 2026 Metavert LLC