From templates to token safety — what shipped since shared partials

The last devlog covered shared template partials. A lot has happened since.

Here is what shipped, grouped by what problem it solves rather than what code changed.

Templates got smarter

Favicons, stylesheets, and scripts used to live in each template. They now live in one place — registered once via app.SEO() and automatically injected by forge:head. Custom handlers got the same treatment with PageHead, an embeddable struct that lets any handler participate in the shared head without using a full module template.

The docs sidebar was the first real test of ContextFunc, a new way to pass per-request data into module templates. The sidebar sorts and groups pages in Go, hands the result to the template as .Extra, and the template ranges over it directly.

AI agents can now manage content on this site

Token management shipped in full. Named, revocable bearer tokens replace the previous stateless HMAC approach — a token can now be revoked immediately if compromised, and every token is stored as a hash so a database breach does not expose usable credentials. The MCP demo at forge-cms.dev/docs/demo shows a live session where Claude creates and publishes a page through the MCP connector.

AI agents got guardrails

Two safety improvements. First, revoke_token now refuses to revoke the last active admin token — a single call can no longer lock you out of your own site. Second, content type fields now carry authoring hints: forge_format and forge_description struct tags tell an AI agent whether a field expects Markdown or raw HTML, directly in the tool description at the point of use.