v3.7.0 — AMA Content Type

What's New

AMA (Ask Me Anything) — a fourth content type for MarkGo. Readers submit questions, author moderates and answers from admin, published Q&As flow into the home feed. No other blog engine ships this as a first-class feature.

Highlights

• Reader submission: FAB (desktop) and bottom nav center button (mobile) open AMA sheet for unauthenticated visitors — name, optional email, question with math captcha + honeypot spam prevention
• Admin moderation: /admin/ama page with pending question cards, answer textarea, publish/delete actions
• Feed integration: published AMAs appear in home feed with distinct "Q" badge card design, dedicated filter pill, RSS inclusion
• FAB dual-purpose: compose (auth) / AMA question mark (unauth) with Cmd/Ctrl+. keyboard shortcut
• Accessibility: shared focus-trap utility for all modal dialogs, reduced motion support, ARIA live regions
• About page CTA: "Ask Me Anything" section with trigger button

Bug Fixes

• Bottom nav login swap targeted removed .bottom-nav-subscribe class
• Keyboard shortcut Cmd+N conflicted with browser "new window"
• Compose-sheet and ama-sheet missing focus trap (WCAG)

Full Changelog

See CHANGELOG.md for complete details.

v3.6.0 — Stabilize & Harden

Summary

Structural reliability release. No new features. Every change closes a security gap, eliminates an inconsistency class, or removes duplication. E2E browser-tested across 5 parallel test suites (core pages, mobile/responsive, feeds/SEO, theme/dark mode, search/contact/errors).

Highlights

• auth-fetch.js module: single source of truth for mutation fetches — CSRF injection, auth error detection, structured JSON responses
• Upload rate limiting: per-endpoint rate limit, environment-aware defaults
• CSRF enforcement: admin route group now has CSRF middleware at group level
• Content-negotiated errors: all middleware error paths return proper JSON or styled HTML
• Security fix: renderHTML no longer leaks server config (including credentials) in JSON error responses
• SEO fix: duplicate meta tags eliminated across all public pages when SEO service is enabled
• Template fix: html/template type error on canonical URL line no longer crashes page rendering

What Changed

Added

• auth-fetch.js module for centralized mutation fetches
• Upload rate limiting (20 req/5min production)
• abortWithError middleware helper for content-negotiated errors

Changed

• CSRF enforcement at admin route group level
• JS fetch consolidation (removed 6 duplicate getCSRFToken implementations)
• CSS --max-content-width design token (replaces 14 hardcoded 42rem values)
• CollectionPage JSON-LD consolidated to handler pattern
• Service worker cache version bumped to v5

Fixed

• Config leak in JSON error responses (critical security fix)
• Template crash from html/template and with mixed types
• Duplicate SEO meta tags across 9 per-page -head templates
• About page missing og:description and twitter:description
• relativeTime and timeAgo zero time guard
• admin.js CSRF gap on POST requests

Full Changelog

See CHANGELOG.md for complete details.

Full Changelog: v3.5.0...v3.6.0

v3.5.0 — Org migration and Go 1.26

What's Changed

Org Migration

• Module path moved from github.com/vnykmshr/markgo to github.com/1mb-dev/markgo
• All imports, build tooling, CI, docs, and templates updated
• GitHub redirects active from old URL

Go 1.26

• Runtime, CI workflow, and Docker base images upgraded from Go 1.25 to 1.26
• golangci-lint bumped to v2.9.0 for compatibility

Build Improvements

• AppVersion is now a single ldflags-injected variable — health endpoint, logs, CLI help, and --version all report the same value
• Removed redundant serve.Version variable
• Removed unused Codecov integration from CI

Dependency Updates

• 17 indirect deps updated: sonic 1.15, quic-go 0.59, otel 1.40, go-redis 9.17, validator 10.30, x/crypto 0.48, x/net 0.50, protobuf 1.36.11

Cleanup

• Stale cmd/server references fixed in docker-compose, scripts
• WebStress references updated to Lobster (renamed project)

Full Changelog: v3.4.0...v3.5.0

What's Changed

• chore(deps)(deps): bump golang.org/x/text from 0.33.0 to 0.34.0 in the minor-and-patch group by @dependabot[bot] in #28
• chore(docker)(deps): bump golang from 1.25.7-alpine to 1.26.0-alpine by @dependabot[bot] in #27

Full Changelog: v3.4.0...v3.5.0

v3.4.0

Full Changelog: v3.3.0...v3.4.0

v3.3.0 — Article uploads, reactive auth, admin dashboard

Highlights

• Article asset uploads — slug-scoped file uploads with extension blocklist, filepath containment, and atomic writes
• Reactive auth — login without page reload, draft recovery after auth
• Admin dashboard — clickable stat tiles, writing management with edit links, one-click publish from drafts
• Bean Brace brand — logo, favicon, Open Graph images
• Security hardening — upload blocklist (19 types), X-Content-Type-Options: nosniff, conditional Content-Disposition, CSRF sync after SPA navigation
• Test coverage — 52% → 58.7% (+120 new test cases)

What's New

Article Asset Uploads

• Upload images, PDFs, and other assets scoped to each article's slug directory
• Extension-based blocklist rejects executables, scripts, and HTML-renderable types
• Filepath containment prevents directory traversal attacks
• Random filename suffix prevents collision on concurrent uploads
• Content-Disposition: inline for images, attachment for all other types

Reactive Authentication

• Login without page reload — DOM swap preserves SPA state
• Draft recovery toast after login (unsaved work detected)
• Popover module with AbortController lifecycle cleanup

Admin & Drafts

• Admin dashboard with clickable stat tiles and Edit action buttons
• /admin/writing page with direct edit links to published articles
• One-click publish from drafts list with fade animation

Compose Enhancements

• Draft-first compose: two buttons (Save Draft / Publish) replace checkbox
• Full compose auto-save with localStorage failure warning
• Quick compose 401 auto-login flow
• Dynamic maxFileSize from server config

Security

• Upload blocklist expanded to 19 types (scripts, HTML-renderable, Java archives)
• Filepath containment via filepath.Abs + prefix check
• Upload config validation: empty path rejected, max size enforced
• fallbackErrorHTML extracted to shared constant (single source of truth)
• Upload directory writability probe at startup

Stats

• 30 commits since v3.2.0
• 101 files changed, +3,398 / -1,062 lines
• Coverage: 58.7% (up from 52%)
• Lint: 0 issues

See CHANGELOG.md for the full list of changes.

Full Changelog: v3.2.0...v3.3.0

v3.2.0 — Semantic HTML, SEO, Admin Redesign

Web standards compliance, structured data, admin redesign, and security hardening.

Highlights

SEO & Structured Data

• Canonical URLs on all public pages (conditional — omitted on 404/admin/compose)
• Visible breadcrumb navigation with JSON-LD BreadcrumbList schema
• JSON-LD structured data: BlogPosting, CollectionPage, WebSite
• Open Graph and meta description on all page types

Admin Dashboard

• Redesigned to match blog UX (card-based layout, consistent typography)
• Admin popover with Dashboard, Drafts, Sign out
• Auth-aware UI across all pages (login/admin popover based on session state)
• Sample articles with one-click creation

Public Compose

• Compose page accessible without authentication — login deferred to publish
• Compose link in header nav when admin is configured
• Dynamic CTA: "Publish" / "Save Draft" / "Update" based on state
• 401/403 handling with toast notification and login popover trigger

Web Standards

• Semantic HTML: single <h1> per page, proper heading hierarchy, <section>/<article> elements
• 404/offline layout fix (CSS class collision resolved)

Security Hardening

• CSRF cookie reuse validates token format (64-char hex) before accepting
• CSRF cookie max-age refreshed on reuse to prevent silent expiry
• SPA router syncs CSRF tokens after content swap (prevents SPA desync)

Stats

• 12 commits since v3.1.0
• 52 files changed, 1,123 insertions, 1,699 deletions (net -576 lines)

Binaries

Platform	Binary
Linux amd64	markgo-linux-amd64
macOS Intel	markgo-darwin-amd64
macOS Apple Silicon	markgo-darwin-arm64
Windows amd64	markgo-windows-amd64.exe

All binaries are single-file executables with embedded web assets. No external dependencies.

Full changelog: https://github.com/vnykmshr/markgo/blob/main/CHANGELOG.md

Full Changelog: v3.1.0...v3.2.0

v3.1.0

Full Changelog: v2.3.1...v3.1.0

v2.3.1 - Lint fixes, export improvements, and UX consistency

What's New

Patch release resolving all 78 golangci-lint issues, improving static export fidelity, and standardizing page layout across the site.

Highlights

Lint & Code Quality

• Resolved all 78 golangci-lint v2 issues across 17 files in 3 atomic commits
• Zero lint issues on full golangci-lint run ./... (no --new-from-rev needed)
• Tag-triggered CI releases no longer surface pre-existing lint findings

Static Export Improvements

• Custom 404.html exported for GitHub Pages error handling
• Footer shows actual version/commit instead of "unknown"
• Contact page title now includes blog title suffix

UX Consistency

• All page headers standardized to full-width hero pattern with gradient background
• Added breathing space between hero sections and body content
• Navbar tagline no longer falls back to long description text
• Placeholder @yourusername links replaced with actual project URLs

Full Changelog

See CHANGELOG.md for complete details.

Full Changelog: v2.3.0...v2.3.1

v2.3.0 — Design System & Color Palette Unification

Highlights

• Unified color palette: Replaced amber accent and rainbow gradients with a restrained monochrome system. Each theme preset's accent is now a lighter variant of its primary hue.
• Mobile-first CSS architecture: Complete design token system with breakpoints, dark mode dual-selector pattern, and FOUC prevention.
• Theme system: Independent light/dark toggle and color presets (ocean, forest, sunset, berry).
• BLOG_TAGLINE config: Concise navbar branding separate from full description.
• Security hardening: YAML injection prevention, safe static export, cache race condition fix.
• Test coverage: ~46.5% (up from ~21%) with article repository, search, cache, and content processor tests.

Design Changes

• About page sidebar: 6 hardcoded gradient cards → 1 accent (profile) + 5 neutral
• Social share buttons: platform brand colors → unified --color-primary
• Tech icons: individual brand colors → standardized --color-primary-dark
• Tag cloud pills: filled → outlined style
• JS notifications: hardcoded hex → CSS custom property reads with fallbacks

Full Changelog

See CHANGELOG.md for complete details.

Compare: v2.2.0...v2.3.0

MarkGo v2.2.0 - Stress Test Graduation & Operational Excellence

🎉 MarkGo v2.2.0

This release marks the graduation of the stress testing tool into an independent project (WebStress) and includes significant operational improvements.

Highlights

✨ WebStress - Independent Project

• Graduated stress testing tool from examples/stress-test/
• Now available at: https://github.com/vnykmshr/webstress
• Enhanced with clean architecture and comprehensive documentation
• Works with any web application, not just MarkGo
• See migration guide: examples/STRESS_TESTING.md

📚 Operational Excellence

• Operational Runbook (docs/RUNBOOK.md) - 1,000+ line comprehensive guide

  • Incident response procedures (P1/P2/P3 classification)
  • Troubleshooting guides for common issues
  • Health check protocols and monitoring recommendations
  • Rollback procedures with timing estimates

• Pre-Release Checklist (.github/RELEASE_CHECKLIST.md)

  • 13-step comprehensive release validation process
  • Docker build verification steps
  • CI/CD workflow validation
  • Prevents regressions

• Automated Dependencies (.github/dependabot.yml)

  • Weekly automated dependency update PRs
  • Grouped minor/patch updates

🧪 Test Coverage Improvement

• Added comprehensive handler tests (575 new test lines)
• Article viewing, listings, tag/category filtering
• Search functionality tests
• Coverage: 14.1% → 50.1% (+36 percentage points)

🔧 Dependencies

• Updated 33 outdated packages (all tests passing)
• Security updates: golang.org/x/crypto, golang.org/x/net
• Framework updates: gin v1.11.0, testify v1.11.1, redis v9.14.1

📖 Documentation

• Comprehensive cleanup and simplification
• Moved status reports to historical documentation
• Pruned outdated documentation
• Simplified structure for better maintainability

🎯 Quality Metrics

• Hygiene Score Improvement: 78 → 91 (+13 points)
• All tests passing ✓
• All builds verified ✓
• CI/CD pipelines passing ✓

What's Changed

Added

• Operational runbook with incident response procedures
• Pre-release checklist (13-step validation)
• Automated dependency updates (Dependabot)
• Comprehensive handler tests
• Migration guide for stress testing

Changed

• 33 dependency updates with security patches
• Documentation cleanup and simplification

Removed

• examples/stress-test/ - graduated to WebStress project
• 6 files removed (~50KB of code)

Full Changelog

See CHANGELOG.md for complete details.

Migration Notes

If you were using the stress testing tool from examples/stress-test/, it's now available as WebStress:

# Install WebStress
go install github.com/vnykmshr/webstress/cmd/webstress@latest

# Test your MarkGo instance
webstress -url http://localhost:3000

See examples/STRESS_TESTING.md for migration details.

---

Commits in this release: 8 since v2.1.0