A small follow-up to 1.2.0 with two bug fixes and expanded documentation.

nginx charset#

Plain-text responses — /llms.txt, /robots.txt — were served without a charset declaration. Browsers would render non-ASCII characters as garbage. charset utf-8; is now set at the server-block level in docker/nginx.conf.template, so every response type gets the correct declaration automatically.

Ambiguous directory key warning#

The "Ambiguous directory key" warning previously fired at tree construction time — the moment a second content item registered a conflicting basename — regardless of whether that bare key was ever actually used in a template.

Now the warning is deferred to the actual lookup: it fires once, and only when content_item() or content_url() is called with an ambiguous bare key. Sites with naming collisions in different content sections no longer see spurious warnings from keys they never reference.

Two new documentation pages#

The demo theme now has pages for Theme Building and Security, available in all four locales.

Theme Building covers the full template layer model — how local/templates/, registered theme paths, and the bare core resolve in priority order — plus a reference for template context contracts, Twig globals, functions and filters, the ContentItem API, required translation keys, and the six portability rules every theme should follow.

Security explains the threat model that shapes notACMS's security decisions: no database, no dynamic rendering, a build pipeline that never executes content. It covers the built-in protections (Turnstile hostname validation, path traversal guarding, strict types), the deliberate CSRF design on the contact form, and the deployment best practices for a production instance.

Both pages appear in the Documentation nav dropdown and sidebar.

Full changelog#

CHANGELOG.md

1.2.0 is the result of a complete audit of notACMS — architecture, security, code quality, and both template trees. Around 170 findings were fixed. The highlights:

Robustness#

• A markdown file with broken frontmatter no longer takes down a locale or the build — it's skipped and reported with its path and error.
• A missing slug: can no longer silently hijack the homepage; posts_per_page: 0 can no longer crash every blog page; duplicate URLs, ambiguous directory keys, and invalid tag values now produce clear build warnings.
• Draft and scheduled pages are now genuinely excluded from builds, menus, and /llms.txt — previously only posts were filtered.
• app:build -o <dir> refuses to wipe a directory other than the configured static dir unless you pass --force.
• Visiting a /pl/ link for the first time no longer bounces you to EN — the URL is treated as your language choice and a cookie is set. The locale cookie is now also Secure-conditional so the mechanism works in HTTP dev environments.
• Search result excerpts now render highlighted terms as actual <mark> highlights instead of literal <mark> text.
• The bare starter theme's _site.yaml now includes placeholder contact_form values — no more build error on a fresh install.

Security#

• ImageMagick runs through Symfony\Process with argv arrays — exec() is gone.
• Turnstile now validates the response hostname against your base_url and logs an error when the committed always-pass test keys are active in production. A boot check warns when APP_SECRET is still the placeholder.
• JSON-LD output is hex-escaped (</script> in a title can't break out), translation catalogs no longer carry HTML, and the nginx security headers now also apply to /assets/ and /media/ responses.
• The locale-prefixed contact API was unreachable in the Docker runtime deployment due to an nginx regex bug — fixed.

For theme builders#

• New THEME_BUILDING.md: the full theme API contract — per-route template contexts, Twig functions and globals, the ContentItem API, and the translation keys every theme must define.
• #[LocalizedRoute] now works in local/src/Controller/, language switching works correctly on 3+-locale sites, and the static build pipeline is decomposed into reusable services.

New#

• The static build now produces a /llms.txt feed per locale — the most recent posts in a machine-readable format for LLM context windows. Configurable via llms_limit in _site.yaml (default: 5). The template is overridable per-theme via the @base Twig namespace.

Breaking changes#

A few — each with a one-line migration. directoryKey() returns full content paths (basename lookups still work), getTree() moved to ContentTreeProviderInterface, blogPosting() takes a named map, the lang_switch_url context key is gone, four dead translation keys were removed, and the 1.0 old-template package was dropped. See UPGRADE-1.2.md for the complete guide.

Upgrade immediately. Run composer update in your project, then rebuild.

Symfony 7.4.13 (6 CVEs)#

• CVE-2026-48489 — Security firewall bypass: the failure_forward handler honored an attacker-supplied _failure_path parameter on the internal subrequest, allowing the firewall to be bypassed.
• CVE-2026-48736 — SSRF bypass in NoPrivateNetworkHttpClient and IpUtils::PRIVATE_SUBNETS via IPv6 transition address forms (IPv4-mapped, IPv4-compatible, 6to4, Teredo).
• CVE-2026-48761 — HtmlSanitizer failed to sanitize URL attributes on <object>, <applet>, <iframe>, <img>, and the URL inside <meta http-equiv="refresh"> content.
• CVE-2026-48760 — HtmlSanitizer accepted percent-encoded BiDi marks and Unicode whitespace in URLs, allowing sanitizer bypass via visual spoofing.
• CVE-2026-48784 — UrlGenerator misencoded chained ../ and ./ segments, producing URLs that could traverse out of the intended path.
• CVE-2026-48747 — Mailer: the Mailomat webhook signature algorithm was not pinned to SHA-256, allowing algorithm-substitution attacks.

Full list: symfony.com/blog/symfony-7-4-13-released.

Twig 3.27.0 (5 CVEs)#

All five are sandbox bypasses. If your theme renders user-controlled templates in a sandbox, these are critical:

• CVE-2026-46636 — Filter, tag, and function allow-list bypass when sandbox state changes between renders in long-lived workers (e.g. FrankenPHP, RoadRunner).
• CVE-2026-48808 — column filter bypassed the property allowlist under SourcePolicyInterface.
• CVE-2026-48806 — __toString() policy bypass via dynamic mapping keys: {% set arr = {(obj): "value"} %}.
• CVE-2026-48807 — __toString() policy bypass via Traversable objects in the join/replace filters and the in/not in operators.
• CVE-2026-48805 — Sandbox state regression in deprecated internal wrappers (twig_check_arrow_in_sandbox(), twig_array_some(), twig_array_every()).

Also in 1.1.4#

• symfony/polyfill-* updated from v1.37.0 to v1.38.1.
• Dev dependencies bumped: phpstan/phpstan 2.1.55 → 2.2.1, phpunit/phpunit 13.1.10 → 13.1.13, rector/rector 2.4.4 → 2.4.5.

How to upgrade#

composer update
ddev build   # or your equivalent build command

No configuration changes or migration steps required.

Full changelog#

CHANGELOG.md

Six JSON Schema draft-07 files now live in config/schema/:

All template YAML files (_site.yaml, _routes.yaml, _tags.yaml) in docs/bare/, docs/demo/, and docs/customization/old-template/ now carry a # yaml-language-server: $schema= comment pointing to the raw GitHub URL. VS Code (and any editor with YAML Language Server) picks these up automatically — you get validation and autocomplete in the content files without any project configuration.

Schemas are optimised for AI-assisted authoring: descriptions include defaults, constraints, and behaviour explanation so an AI agent working in another project can fetch a schema and know exactly what each field does.

Fetch any schema directly from the main branch:

https://raw.githubusercontent.com/holas1337/notACMS/main/config/schema/<name>.schema.json

Security update: Symfony 7.4.12 and Twig 3.26.0#

Upgrade immediately. Run composer update in your project, then rebuild.

Symfony 7.4.12 (21 CVEs)#

The most impactful for a CMS deployment:

• CVE-2026-45073 — SQL injection in Cache via unsanitized $prefix in PdoAdapter::doClear().
• CVE-2026-45071 — XXE / local file disclosure in DomCrawler::addXmlContent() when validateOnParse is enabled.
• CVE-2026-45075 — HEAD requests bypass the methods filter on #[IsGranted], #[IsCsrfTokenValid], and #[IsSignatureValid] attributes.
• CVE-2026-45072 — XSS in TwigBridge's CodeExtension::fileExcerpt().
• CVE-2026-45068 — Header injection in SendmailTransport; addresses starting with a dash are now rejected.
• CVE-2026-45067 — Email addresses containing line breaks accepted in Mime\Address — now rejected.
• CVE-2026-45305 / 45304 / 45133 — Catastrophic backtracking and unbounded recursion in the YAML parser.
• CVE-2026-45066 / 45064 / 45753 — Three HtmlSanitizer bypasses: BiDi override characters, URL parser differentials, and unsanitized action/formaction/poster/cite attributes.

Full list: symfony.com/blog/symfony-7-4-12-released.

Twig 3.26.0 (4 CVEs)#

All four are sandbox bypasses. If your theme uses Twig's sandbox for user-supplied templates, these are critical:

• CVE-2026-46635 — Property allowlist bypass via the column filter (array_column on objects).
• CVE-2026-46638 — {% sandbox %}{% include %} skips checkSecurity() on cached templates; incomplete fix for CVE-2024-45411.
• CVE-2026-24425 — Sandbox bypass when using a source policy.
• CVE-2026-47732 — Multiple __toString() policy bypasses via unguarded string coercion.

Also in 1.1.3#

• Stale Pagefind fragments fixed — scripts/rebuild-content.sh now wipes public/pagefind/ before reindexing. Previously, removing or renaming content left orphaned fragment files that Pagefind served alongside fresh results.
• DESIGN.md improvements — hardcoded hex values replaced with token references in both bare and demo DESIGN.md files; primary color alias added; card-hover component token added to the demo theme.

How to upgrade#

composer update
ddev build   # or your equivalent build command

No configuration changes or migration steps required.

Full changelog#

CHANGELOG.md

If your site's default locale is en, /en/blog/ and /blog/ were both reachable and rendered the same content. That's two indexable URLs for one page — and search engines pick whichever they like, which is rarely the one you want.

1.1.2 adds DefaultLocaleRedirectListener. Every request to /<default-locale>/... returns a 301 to the unprefixed URL:

GET /en/blog/         →  301 Location: /blog/
GET /en/about/?ref=x  →  301 Location: /about/?ref=x
GET /pl/blog/         →  200 (non-default locale, untouched)

The listener runs before Symfony's router, so the redirect happens before the framework even tries to match a route — no wasted work, no 404 noise in logs. Non-default locales (pl, de, fr on this site) are left alone.

This also closes a small SEO leak: backlinks that accidentally include the locale prefix now consolidate into the canonical URL instead of splitting authority.

Schema.org JSON-LD as a fluent builder#

Until 1.1.1, every template that needed structured data inlined a PHP array, piped it through |json_encode|raw, and wrapped the result in a <script> tag. Six templates, six near-identical blocks, and each one a fresh chance to forget JSON_UNESCAPED_SLASHES or to ship <script>false</script> if any frontmatter contained an invalid byte.

1.1.2 replaces all of that with a service and two Twig functions:

{% block structured_data %}{{ json_ld(structured_data().blogPosting(
    content.title(),
    site_base_url ~ content.url(),
    content.date(),
    content.htmlContent,
    site_author.name,
    content.image() ? site_base_url ~ content.image() : null
)) }}{% endblock %}

structured_data() returns the builder; chain a typed method (webSite, webPage, blogPosting, collectionPage, contactPage, person, breadcrumbList, organization, imageObject) and the result is a plain array. json_ld(array) encodes it and wraps it in a <script type="application/ld+json"> tag. Empty/null fields are stripped recursively, so optional inputs (an unset author email, a missing image) simply don't appear in the output.

Encoding now uses JSON_THROW_ON_ERROR — bad UTF-8 in frontmatter surfaces as a real exception during render instead of silently shipping a broken <script> tag.

The bare core templates for contact, default, and projects pages now emit Schema.org markup too. Previously bare deploys had weaker SEO than every customisation example we ship; that gap is gone.

See the Customisation guide → Structured data for the full builder API and how to override the structured_data block in your own theme.

Security fixes#

Two bugs surfaced during the 1.1.2 review and were fixed before release:

• Open-redirect via path normalisation. Symfony's Request::getPathInfo() does not collapse repeated slashes, so a request to /<default-locale>//evil.com would otherwise produce Location: //evil.com — a protocol-relative redirect that browsers follow cross-origin. The new redirect listener now refuses to issue redirects to anything that isn't a single-slash-rooted local path.
• XSS in search results. assets/search.js interpolated the Pagefind excerpt field into innerHTML without escaping. The demo build was already correct; core had drifted. The two are now in sync. Pagefind's <mark> highlight tags are no longer rendered in core search results — a deliberate trade for the safer baseline.

Also in 1.1.2#

• Internal Twig refactor. Sidebar, breadcrumb, post-badge, og-image, and blog-filter logic moved out of templates into dedicated Twig extensions. Templates stay focused on layout; tests can target each helper directly. New customisation surface: see Layout helpers in the customisation guide.
• O(1) directory-key lookups on ContentTree — a small performance fix on sites with hundreds of pages.
• docs/customization/old-template/ is now deprecated and will be removed in 1.2.0. It was a one-shot 1.0→1.1 transition aid; new customisation work should branch from custom-footer/ or self-hosted-fonts/ instead.
• Dependency bumps: Symfony 7.4.8 → 7.4.9 across the bundle, PHPStan 2.1.51 → 2.1.54, PHPUnit 13.1.7 → 13.1.8.

Full changelog#

Every change with its category: CHANGELOG.md.

Navigation labels for content pages now come from frontmatter — not translation keys. Set menu.label in any page's frontmatter and it becomes the label in the navigation; omit it and the page title is used as fallback.

---
title: "Architecture guide"
slug: "architecture-guide"
menu:
  label: "Architecture"
  weight: 30
---

New content_item() Twig function resolves any content page by directory key:

{{ content_item('architecture-guide', 'en').menuLabel() }}
{# → "Architecture" (or the page title if menu.label is absent) #}

Why this matters: Previously every locale's messages.*.yaml had to duplicate translations for nav.home, nav.blog, nav.about, nav.contact, nav.privacy_policy (core) and site.releases, site.about, site.manual, site.architecture, site.customization, site.locales, site.design_reference, site.contact (demo). Adding a page meant updating N translation files. Now it's one frontmatter field. Custom templates referencing the removed keys should switch to content_item('key', locale).menuLabel().

Deploy no longer overwrites existing local/#

The bug#

Running ./notACMS deploy --prod would back up and replace your entire local/ directory with docs/demo/ on every deploy — even when it already contained your content, templates, and customisations. The seed logic didn't distinguish between "user explicitly requested a theme re-seed" and "user just wants to redeploy with existing content."

The fix#

Deploy now works exactly like ddev build:

• No --bare / --demo flag → seeds local/ only if it's missing or empty; skips if it has content.
• --bare or --demo passed explicitly → backs up existing local/ and seeds the chosen theme.

./notACMS deploy --prod          # preserves existing local/
./notACMS deploy --prod --demo   # forces re-seed from docs/demo/
./notACMS deploy --prod --bare   # forces re-seed from docs/bare/

--prod now only controls Composer flags (--no-dev) and the runtime environment (APP_ENV=prod). It never touches local/.

Also in 1.1.1#

• Dependency bump: symfony/polyfill-* packages updated from v1.36.0 to v1.37.0.
• Polish, German, and French demo content reviewed and improved across all pages and blog posts.
• Translation style guides added to the AI-agent skill system for Polish, German, and French to ensure consistent quality in future translations.

Full changelog#

Every change with its category: CHANGELOG.md.

The headline change in 1.1.0 is that notACMS now ships two themes out of the box, and you pick one on your very first build:

./notACMS deploy --demo    # default — the amber-phosphor design you see here
./notACMS deploy --bare    # a minimal wireframe: system fonts, light mode, ~200 lines of CSS

ddev build supports the same flags. Whichever you choose, every feature works: multi-language content, blog, RSS, sitemap, search, contact form, images with responsive variants, reading time, reading progress. The difference is only in how it looks — and, critically, in how much you inherit before you start customising.

Bare core#

The core at templates/, assets/, translations/ is now a wireframe. It's intentionally minimal so that overriding a single block doesn't drag in a visual language you have to fight. If you're building a bespoke design, start from bare and you'll own the full look from day one.

Demo theme#

The demo lives at docs/demo/ and is copied into local/ when you choose --demo. It's the full amber-phosphor design you're reading now — dark mode, search overlay, docs sidebar, theme toggle, the lot. Start here if you want a polished design today and plan to tweak, not rebuild.

The local/ override system#

Both themes consume the same mechanism: every file in local/ takes precedence over the matching core path.

Core is never edited. git pull stays clean. Customisations live in your site's repo, not in a fork of this one.

Upgrading from 1.0.0#

If you were running 1.0.0 and want your site to look exactly as it did, the compatibility package is a one-liner:

cp -r docs/customization/old-template/. local/
ddev build

That drops the complete pre-1.1.0 theme — templates, SCSS, fonts, images, translations — into local/. Your site renders exactly as before. Then you can remove files from local/ selectively as you adopt new design elements.

The breaking changes you'll actually hit if you customised the old core:

• SCSS entrypoint renamed: local/assets/styles/local.scss → local/assets/styles/app_local.scss. Rename the file and update the import in local/assets/app.js.
• Core colour SCSS variables replaced with CSS custom properties: $color-body → var(--text), $color-link → var(--accent), and so on. Full mapping in UPGRADE-1.1.md.
• Translation keys removed from core (still present in the demo theme): header.tagline, nav.projects, nav.search, blog.published_on, blog.comments_disabled. If your templates call '...'|trans on those, update them.
• docs/examples/ directory removed: the useful bits moved to docs/customization/old-template/; the scratch override examples were superseded by the bare/demo model.

See UPGRADE-1.1.md for the full list with before/after snippets.

Also new in 1.1.0#

• Reading time and reading progress on posts, docs, and releases.
• Language switcher as a Twig extension (lang_switch_urls) with proper fallback chains for archives, paginated lists, and home pages.
• Post excerpts strip heading anchors — no more stray # characters in listing cards.
• Test suite scaffolding at tests/Unit/, tests/Integration/, tests/Fixtures/ with initial coverage and a test command runnable from the host.
• AI-agent skills under .claude/skills/ for working with the repo: adding locales, doc alignment checks, site sweeps, translations, and upgrade-guide generation.

Full changelog#

Every change with its category: CHANGELOG.md.

After several months of internal use on personal projects, I'm tagging the first stable release. The core feature set is solid enough to build real sites with.

Content pipeline#

The content pipeline is the heart of notACMS. It reads your local/content/ directory, parses frontmatter, and generates a complete static site in one command.

• Markdown content with YAML frontmatter
• CommonMark rendering with heading permalinks
• Excerpt generation from prose content
• Reading time calculation

Multilingual routing#

Locales are defined in _site.yaml. Each locale gets its own URL space, with optional path overrides in _routes.yaml. hreflang tags are generated automatically.

site:
  locales:
    en:
      label: "English"
      date_format: "M d, Y"
    pl:
      label: "Polski"
      date_format: "d.m.Y"

Pagefind search#

Full-text search is built into the static output via Pagefind. The build command generates the search index automatically. No external API, no server-side search — just a static index that works offline.

Image processing#

Images co-located with content are processed during build. notACMS generates WebP variants at multiple widths, automatically updates src attributes with responsive srcset, and handles the path mapping between content and output directories.

DDEV local development#

The development environment is fully containerized with DDEV. ddev start gives you PHP 8.5, Nginx, and all build tools. ddev build produces the static output. ddev code-check runs PHPStan and PHP CS Fixer.

Breaking changes#

This is the first stable release. If you've been using a pre-1.0 version, review the _site.yaml schema — the social key changed from a list to a map.

Upgrade#

git pull
ddev composer install
ddev build

What's next#

v1.1.0 will focus on the design system and documentation. This site — built with notACMS — will become the official documentation and design reference.

Longer backstory on my personal blog: I left WordPress.

The problem I kept running into#

Every PHP project I worked on eventually needed a website. Documentation, a landing page, a blog — the usual. And every time I reached for a tool, I ended up in the same place: a tool that wanted me to think like it, not like a PHP developer.

Hugo is fast but its template language is alien. Jekyll requires Ruby. WordPress is the wrong shape for static content. Next.js is powerful but it turns a Markdown publishing problem into a JavaScript bundler problem.

I kept thinking: I already know Symfony. I already know Twig. I already have Composer. Why do I need to learn a new ecosystem just to publish text?

The zero-database decision#

The first thing I decided: no database. Not "database optional" — no database at all. Content lives in files. The build process reads files. The output is files.

This forces a certain discipline. Content structure has to be explicit and predictable. There's no database query to reach for when you want to find related posts or generate a sitemap. Everything has to be derivable from the file tree.

That constraint turned out to be the right one. It makes the system easy to reason about, easy to back up, and trivially easy for AI tools to work with.

AI-friendly by design#

I started thinking about this seriously when I began using LLMs in my daily work. Asking an AI to help generate content, translate pages, or validate YAML schemas is straightforward when the format is plain text.

With a database-backed CMS, you'd need to explain the schema, write SQL, manage migrations. With notACMS, you hand the AI a directory of Markdown files and it can read, generate, and edit content directly — because the format is just text.

This isn't a feature I added after the fact. It's the reason the system is designed the way it is.

The Symfony foundation#

I built notACMS on top of Symfony 7 for the same reason I use Symfony for everything else: it's explicit, typed, and well-documented. The DI container, console commands, Twig — all of this is standard Symfony. There's nothing novel about the infrastructure.

The content model is the interesting part. The routing system reads _routes.yaml and generates Symfony routes from your content tree. The build command renders each route and writes static HTML. The service layer is thin and replaceable.

What's next#

This first release is a working foundation. The things I want to build:

• Pagefind search integration (coming in v1.0.0)
• Better image pipeline with WebP generation
• More complete multilingual support
• A proper Design Reference page (that's what this site is becoming)

The repository is public. If you want to follow along or contribute, the link is in the footer.