CARL Version History — Content Automation Ranking Launchpad

v3.2.5 Theme Install — File Extraction Reporting June 5, 2026

Improvement

ImproveTheme install now reports any files that failed to extract — Previously, if a theme file could not be written to the server during install, the failure was silent. The install screen now shows a warning listing any files that did not install correctly, so the issue can be identified and resolved immediately.

v3.2.4 Theme Install — Full-Width Page Remap Fix June 5, 2026

Bug Fix

FixFull-width pages not remapped when installing Magazine Theme over Bootstrap — Pages using the Bootstrap Full Width template were not automatically switched to the Magazine Full Width template on install. All page types now remap correctly when switching themes.

v3.2.3 Theme Install — Template File Fix June 5, 2026

Bug Fix

FixTheme template files not written to server during install — After installing a theme, the template files were silently not being extracted to the server, causing "Template file not found" errors on every page generation. Reinstall your theme after updating to resolve this on existing installs.

v3.2.2 Theme Template File Fix June 5, 2026

Bug Fix

FixPages fail to generate after theme install — After installing a theme, pages assigned to the new theme's templates could not be generated, showing "Template file not found." Reinstall your theme after updating to resolve this on existing installs.

v3.2.1 Theme Installer Fix June 5, 2026

Bug Fix

FixTheme package upload failing on all installs — Uploading a .carltheme file produced "Invalid theme package" on every attempt regardless of the package contents. The installer now handles theme packages correctly. If you saw this error, simply re-upload your .carltheme file — no other action required.

v3.2.0 Theme System June 4, 2026

Themes

NewTheme installer — Themes page in sidebar — Upload a .carltheme package to install a complete site theme. CARL reads the package and shows a confirmation screen before making any changes. Your current templates and include files are backed up automatically before anything is overwritten.

NewOne-file theme packages — A single .carltheme file contains everything a theme needs: page layouts, CSS, navigation, footer, hub renderer, and sidebar widget. Install once — everything lands in the right place automatically.

NewAutomatic page remapping on install — When a new theme is installed, all existing pages are automatically switched to the new theme's templates. No manual reassignment required. The number of pages updated is shown on the confirmation screen.

NewAutomatic backup before install — CARL creates a full timestamped backup of your current templates and include files before installing a new theme. You can restore to the previous state at any time.

Magazine Theme — v1.0

NewMagazine Theme — A newspaper-style theme available as a .carltheme package. Includes blog, full-width, and category page layouts. Mobile-responsive with a slide-in navigation menu. No external CSS frameworks or dependencies. PageSpeed scores: Performance 92–99, Accessibility 90, Best Practices 100, SEO 92 — with zero Cumulative Layout Shift on all page types.

v3.1.7 Schema, Settings & Meta Architecture Fixes May 26, 2026

Generator

FixDuplicate canonical, Twitter, and OG tags resolved — When the AI Schema Generator was used on a page, CARL's auto-generated meta block and the AI output were both rendering description, Twitter tags, Open Graph tags, and the canonical link — producing duplicates in every generated page. The generator now detects when a head snippet is present and defers description, Twitter, OG, and canonical entirely to the AI output. CARL retains ownership of favicon, Google Analytics, and the built-in schema block. Pages without an AI snippet are unaffected.

Page Editor

ImproveDate Published auto-fills on new pages — When creating a new page, the Date Published field now defaults to today's date automatically. No manual entry required.

ImproveDate Modified is now automatic — The Date Modified field is set server-side to the current date on every save and is no longer manually editable. The schema date always reflects when the page was last published.

Settings — Organization

NewState / Region field added to Postal Address — A new State / Region input is now available in the Postal Address card under Settings → Organization. The value is written to addressRegion in the Organization JSON-LD schema.

NewYouTube Channel URL setting added — A YouTube Channel URL field is now available under Settings → Organization → Founder. When set, the URL is included in the site's sameAs schema array and powers the Subscribe button on video pages.

Schema

ImproveOrganization and WebSite schema fully dynamic — The Organization and WebSite JSON-LD blocks in header_scripts.txt are now generated entirely from Settings. All fields — name, description, logo, address, founder, sameAs links — read from the database at runtime. Hardcoded values have been removed. Empty fields are excluded from the output automatically.

Bug Fixes

FixSupport page URL corrected — The support link in the license lock screen was pointing to /support (404). Corrected to /support.php.

FixVideo template subscribe button reads from Settings — The YouTube subscribe button on video pages was hardcoded. It now reads the YouTube Channel URL from Settings and is hidden automatically when no URL is configured.

v3.1.6 License & Authentication Fix May 1, 2026

Licensing

FixLicense verification lock — infinite loop resolved — When a license token expired beyond its grace period, the admin panel would display the lock screen with a "Sign In Again" button that redirected back to the same locked screen indefinitely. The re-authentication form now appears whenever the admin is locked, regardless of whether a token file exists on disk. Entering your CARL credentials on the lock screen immediately issues a fresh token and restores access without requiring any manual file recovery or support contact.

v3.1.5 Restore, Security & Bug Fixes April 30, 2026

Backup & Restore

NewOne-click restore from backup — Backup page — Each backup in the history table now has a Restore button. Clicking it opens a confirmation modal showing the filename and creation date. On confirm, CARL restores the database and site files from the selected backup automatically.

Generator

FixVideo embed not rendering at top of video pages — On sites using the Video template, the embed was appearing inside the body content area instead of above it, and the {{SNIPPET}} token was rendering as visible text on the page. Both issues are resolved — the embed now renders in the correct position.

Video Template

FixVideo embed CSS conflict resolved — A CSS conflict was causing the video embed to render incorrectly on some installs. The video template is now fully self-contained and no longer depends on site_css.txt for embed styling.

Security

SecuritySetup wizard self-deletes after a successful run — The setup file now removes itself from the server automatically after a successful install or upgrade. It can no longer be accessed or exploited once the process is complete.

404 Page

Improve404 page now reflects your site branding automatically — The 404 page now pulls your site name, logo, and other details from your CARL settings automatically. No manual editing of the 404 page is required after updates.

v3.1.4 Page View Analytics April 29, 2026

Analytics — New Module

NewFull page view analytics dashboard — Tools → Analytics — A new admin module that tracks every pageview across all generated pages. Period selector (Today / 7 / 30 / 90 days / 1 Year) with custom date range. Stat cards for total views, unique visitors, average time on page, and bounce rate with trend arrows vs the previous period.

NewCity-level geolocation via ip-api.com — Every visitor is geolocated to country, region, and city with lat/lon coordinates. Results are cached in the database for 24 hours so the ip-api.com free tier is never exceeded. Click any country row in the dashboard to drill down to its cities instantly.

NewProxy, VPN, and datacenter detection — ip-api.com's proxy, hosting, and mobile flags are captured per visit and surfaced in a dedicated Privacy & VPN panel on the dashboard. Shows total proxy/VPN hits, datacenter/hosting IPs, and mobile network visitors with percentages.

NewFull traffic source classification — Every visit is classified as organic, direct, social, referral, email, or paid based on referrer and UTM parameters. Full UTM attribution — source, medium, campaign, term, content — stored per row and surfaced in a dedicated Campaigns table.

NewKeyword extraction — Search keywords are extracted from Bing, DuckDuckGo, Yahoo, and site search referrers. Google organic keywords are correctly labelled (not provided) — Google has encrypted these since 2013. UTM-tagged paid keywords are captured in full.

NewDevice, browser, and OS detection — User-Agent parsed server-side with no external library. Detects desktop / mobile / tablet, browser name and version (Chrome, Firefox, Safari, Edge, Opera, Samsung Browser, and more), OS and version (Windows, macOS, iOS, Android, Linux), and bot status. Bots are filtered from all analytics counts.

NewTime on page tracking — A second beacon fires via navigator.sendBeacon() on page unload, recording seconds spent on the page. Used to calculate average time on page across the dashboard. Capped at 1 hour to exclude abandoned tabs.

NewNew vs returning visitor tracking — Visitors are identified via a 30-day cookie (hashed — no raw IPs ever stored). Sessions are tracked with a 30-minute inactivity window. Both new visitor count and session count are surfaced on the overview stat cards.

NewLive recent pageviews feed — The bottom of the dashboard shows the last 20 pageviews in real time, auto-refreshing every 30 seconds. Each row shows URL, city, device type, traffic source, and timestamp.

NewOne-copy tracking snippet — The dashboard generates a ready-to-paste JavaScript snippet. Add it once to Include Files → header_scripts.txt and every generated page on the site is tracked automatically — no per-page configuration required.

Architecture

NewModular analytics structure — admin/modules/analytics/ — track.php (public beacon endpoint), geo.php (ip-api.com geolocation + DB cache), ua.php (User-Agent parser), ref.php (referrer classifier + keyword extractor), data.php (authenticated AJAX data provider). All business logic in the module; analytics.php is UI only.

NewTwo new database tables — page_views stores every hit with 32 columns covering URL, geo, device, browser, referrer, UTM, and timing data. analytics_geo_cache stores ip-api.com results keyed by hashed IP with a 24-hour TTL, keeping geo lookups fast and the API rate limit comfortable.

FixSetup wizard refactored to use migrate.php as single source of truth — The setup wizard previously maintained its own duplicate copy of all migration code. A new module added to migrate.php would be missed by the setup wizard entirely, requiring manual database intervention on fresh installs. The wizard now calls carl_run_migrations() directly — one file to maintain, zero drift between upgrade paths.

v3.1.3 Template Builder April 29, 2026

Template Builder — New Module

NewVisual zone-based template builder — Tools → Template Builder — A new admin module for assembling Bootstrap page layouts from a visual canvas of stackable zones. Pick a preset to start, cycle through variants with ◀ ▶ arrows, drag zones to reorder, configure sidebar widgets, name the template, and generate — producing a clean, production-ready .tpl file registered in the template library automatically.

NewLive Bootstrap iframe previews per zone variant — Every zone card renders the actual Bootstrap 5.3.3 HTML in a live scaled iframe — real CDN-loaded components, not wireframe sketches. Previews update with a CSS fade transition when cycling variants, so the user sees exactly what will be generated before committing.

New49 variants across 9 zone types — Nav (7), Hero (6), Content (4), Features (6), CTA (5), Card Grid (3), Video (2), Pricing (3), Footer (7). Each variant is a structurally distinct Bootstrap layout — not a colour variation — giving users real design choice without writing any HTML.

New5 starting presets — Blog, Hub Page, Landing Page, Full Width, and Video Page. Presets pre-load the canvas with the correct zone sequence and variant defaults. The user can add, remove, and reorder zones freely after selecting a preset.

NewFull-screen template preview — A Preview button assembles the .tpl server-side, fills all CARL tokens with sample content, and opens the result in a new tab using the existing preview.php session system — complete with the CARL Preview Bar. No file is written to disk until Generate is clicked.

NewSidebar widget configuration per zone — Content and Video zones expose a widget checkbox list: Search Bar, Signup Form, Recent Posts, Social Links, and Feedback Widget. Each selection injects the corresponding site_includes PHP include into the generated template's sidebar column.

Architecture

Newzones.php — single source of truth — All zone types, variant metadata, live preview HTML, and .tpl HTML are defined in one file. build.php uses it for assembly; template-builder.php uses it to populate the JS zone data. Preview HTML is served to the browser; .tpl HTML never leaves the server.

ImproveGenerated templates are architecture-compliant — Every .tpl produced by the builder follows all CARL architecture rules: Bootstrap from CDN, template-specific CSS self-contained in a <style> block, dark/light mode initialiser, site_includes PHP includes for nav and footer, and the full CARL token set ({{TITLE}}, {{META}}, {{HEAD_EXTRA}}, {{BODY}}, {{SNIPPET}}).

v3.1.2 Auto DB Migration on Update April 28, 2026

Update System

FixDB migrations now run automatically on the first admin page load after any update — Previously, updating CARL pushed new files to the server but did not apply any required database changes, leaving installs in a broken state until the setup wizard was run manually. _helpers.php now checks the installed version against a cached .carl_db_version file on every admin page load. When a version mismatch is detected — meaning an update just ran — carl_run_migrations() fires silently and the cache is updated. No setup wizard, no manual SQL, no support ticket required.

ImproveMigration is version-gated and zero-cost on normal page loads — The check is a single file_exists() and string comparison. Migrations only run once per version change, on the first page load after an update. All subsequent page loads skip the check entirely until the next update.

v3.1.1 Update Manager DB Migration Step April 28, 2026

Update System

Improveupdate.php now calls carl_run_migrations() after extracting new files — The update manager previously stopped after file extraction. It now runs all pending DB migrations as step 6 of the update flow and reports how many changes were applied in the success message.

v3.1.0 Video Sitemap April 28, 2026

SEO

NewVideo sitemap generator — video-sitemap.xml auto-generated on every video page publish — CARL now generates a Google-compliant video sitemap alongside the standard sitemap. Every published page using the Video template with a built embed is included automatically, with thumbnail, title, description, embed URL, and publication date pulled directly from the page data.

NewVideo Sitemap admin page — Tools → Video Sitemap — A new admin page shows the current video-sitemap.xml contents, file size, last modified date, and a manual generate button. Pages using the video template that are missing an embed URL are flagged with a warning so they can be fixed before submission to Google Search Console.

Page Editor

ImproveVideo Embed Builder silently captures embed URL for sitemap use — When the user clicks Build Embed, CARL now silently stores the constructed embed src URL in a hidden field that is saved to the database. This works for all platforms — YouTube, Vimeo, Rumble, and Other. No extra input required from the user at any point.

Database

Newvideo_embed_url column added to pages table — Stores the embed src URL captured automatically by the Video Embed Builder. Added to both migrate.php and the setup wizard so all existing installs receive the column on their next update or upgrade run.

v3.0.9 License Self-Recovery April 26, 2026

Licensing

FixAdmins can now self-recover from a missing license file without support — If the license token file was ever lost or deleted, the admin panel would lock permanently with no way out except manual file recovery via cPanel. The lock screen now detects this state and presents a re-authentication form directly — enter your CARL licensing credentials and access is restored instantly.

ImproveLock screen now shows context-appropriate recovery options — When the license file is missing, the lock screen shows the re-authentication form. When the file exists but verification failed, it shows the original Sign In Again button. Clients always have a clear path to restore access without contacting support.

v3.0.8 Backup Fatal Error Fix April 20, 2026

Backup

FixBackup crashes with fatal error on sites with unresolvable file paths — During file system iteration, CARL could encounter broken symlinks, files that disappear mid-backup, or paths with permission issues that cannot be resolved. This caused a fatal error that broke the backup page entirely. Unresolvable paths are now detected and skipped gracefully so the backup continues and completes normally.

v3.0.7 Video Template and {{SNIPPET}} Token April 20, 2026

Templates

Newbootstrap-video.tpl — dedicated video page template — A new template for video pages that renders a full-width responsive 16:9 embed at the top of the page, followed by a two-column layout with the page body in the main column and a sidebar containing a YouTube subscribe prompt, search, signup form, recent posts, and social links.

Generator

New{{SNIPPET}} token — renders PHP Snippet above body content — A new template token that allows the PHP Snippet field to be positioned independently from {{BODY}}. When a template contains {{SNIPPET}}, the snippet renders at that position and the body renders separately at {{BODY}}. When {{SNIPPET}} is absent, the generator falls back to the original behaviour of appending the snippet after the body — fully backward compatible with all existing templates.

Fixpreview.php updated to match generator.php {{SNIPPET}} logic — The preview renderer had its own independent token substitution block that did not include {{SNIPPET}} support, causing the token to render as literal text in preview mode. The preview now applies identical logic to the generator so preview output matches the generated page exactly.

v3.0.6 Hub Renderer Directory Fix April 17, 2026

Include Files

FixHub renderer silently produces no output when directory contains leading or trailing slashes — If a page's directory value was saved with leading or trailing slashes (e.g. //calculators//), the WHERE directory=? query in hub_render.txt would never match the clean URL-derived value, returning zero rows with no error. The query now uses TRIM(BOTH '/' FROM directory) so it matches correctly regardless of how the value was stored.

FixDouble slashes could be written to the directory field on page save — The directory sanitiser in page-edit.php stripped illegal characters but did not trim leading or trailing slash characters before saving. A directory typed or selected with surrounding slashes would be persisted as-is. A trim() pass on the sanitised value now prevents this from occurring.

ImproveHub renderer defensively normalises its own directory value — The directory string derived from REQUEST_URI is now explicitly trimmed of slashes before being passed to the query, ensuring the comparison is clean on both sides regardless of any future edge cases in URL construction.

v3.0.6 Hub Renderer Directory Fix April 17, 2026

Include Files

v3.0.5 License Enforcement Hardening April 16, 2026

Licensing

FixRevoked accounts now blocked at login — A revoked account could still complete the login process and access the admin panel until the cached token expired. The license is now verified against the server at the moment of login, blocking access immediately if the account has been revoked.

FixActive accounts no longer incorrectly locked out — An expired token returning an error from the licensing server was being misread as a revocation, locking out accounts that were in good standing. Token expiry errors are now correctly distinguished from explicit revocation responses.

NewPeriodic license verification for fresh tokens — Previously, a valid token was trusted for its full 48-hour lifetime without ever contacting the licensing server. The license is now silently re-verified every 15 minutes, ensuring a revoked account is locked out promptly without waiting for token expiry.

ImproveLicense check survives server outages without false lockouts — Any non-revocation error from the licensing server — including token expiry, network timeouts, and transient failures — is now treated as a temporary outage rather than a revocation, preserving access through the grace period as intended.

v3.0.4 Licensing & Update Fixes April 16, 2026

Licensing

FixRevoked licenses no longer bypass the admin lock during the grace period — A revoked account within the token grace window was being treated identically to an unreachable licensing server, allowing continued admin access. Revoked status now locks the admin panel immediately regardless of where the token sits in its lifecycle.

Update System

FixDatabase migrations now run automatically on update — Applying an update that introduced new database tables or columns previously left the site broken until the setup wizard was run manually. The update process now applies all database changes automatically as part of the update sequence. No manual steps required.

ImproveSingle source of truth for all database migrations — Migration logic is now centralised in one place, shared by both the update manager and the setup wizard. Adding a new table or column in future only requires a change in one file — both paths pick it up automatically.

Installer

FixInstaller now correctly self-deletes after a successful install — The installer claimed to self-delete on the success screen but the file was never actually removed from the server. It now deletes itself immediately after a successful installation, before rendering the success page.

v3.0.3 Schema Preset Fix April 16, 2026

AI Schema — Preset Resolution

FixSchema presets always returning default on new domains — Named schema instruction presets were ignored on new domain installs, with every generation falling back to the default instructions regardless of which preset was selected.

ImprovePreset resolution now works correctly across all domains — The preset lookup architecture has been revised to work reliably on every install from first use, with no manual configuration required.

v3.0.2 Popup Manager April 14, 2026

Popup Manager

NewFull popup manager — New Popups page under Tools. Create any number of popups, paste any HTML content (email forms, ad units, video embeds, anything), and assign them per-page or site-wide.

NewFour trigger types — On Page Load, Time Delay (seconds), Scroll Depth (percentage), and Exit Intent. Each popup has its own trigger configuration.

NewFrequency control — Once per Session (sessionStorage), Once per Day (cookie), or Every Visit. Prevents repeat-hammering visitors with the same popup.

NewPriority system — Page-specific popup takes priority over site-wide. Page-specific can optionally also show the site-wide popup via a checkbox. Setting a page to "No popup" explicitly suppresses the site-wide popup on that page.

NewBaked into generated pages — Popup code (HTML overlay + trigger JS) is injected directly before </body> at generate time. Zero external scripts, zero plugin overhead, no third-party servers.

NewLive preview in editor — popup-edit.php renders a live preview of the popup content as you type, before saving.

NewPopup assignment in Page Editor — Popup card added to the page editor sidebar. Dropdown shows all active popups. "Also show site-wide" checkbox appears when a specific popup is assigned and a site-wide popup is configured.

NewPopups added to Tools nav group — Appears as a child item in the sidebar Tools dropdown. Active state highlights for both popups.php and popup-edit.php.

NewDB migration included — New popups table plus popup_id and popup_show_sitewide columns on pages. Setup file updated to create these on fresh installs and add them safely on upgrades.

Code Block Fix

FixHTML tags inside code blocks now render correctly — Tags such as <head>, <div>, and <body> inside Summernote code and pre blocks were being stripped by the browser parser and rendered as empty grey blocks. Fixed in cleanSummernoteOutput() in generator.php — HTML tags inside code blocks are now encoded as entities before saving.

FixCode block fix extended to preview — The same encoding logic is now applied in page-edit.php before content is sent to preview.php, so the preview matches the generated file.

v3.0.1 Backup & Restore April 13, 2026

Backup Manager

NewOne-click full site backup — New Backup page under Tools. Separate checkboxes for Site Files and Database (both selected by default). The database credentials file is always silently included — the site cannot reconnect to its database without it.

NewPre-backup size estimates — Displays site files size, database size, and available disk space before the backup runs. Warns visually if free space is tight.

NewPure-PHP database export — Full SQL dump built entirely in PHP with no dependency on mysqldump or shell access. Compatible with all shared hosting environments. Outputs DROP + CREATE + chunked INSERT statements per table.

NewBackup history table — All existing backups listed with size, creation date, Download and Delete buttons. Backups older than 30 days display an age warning to encourage housekeeping.

UXSelf-disabling submit button — The Create Backup button disables itself and shows "Creating backup…" on click, preventing double-submission during long-running backups on large sites.

NewBackup added to Tools nav group — Appears as a child item in the sidebar Tools dropdown with a download-arrow icon.

Authenticated Downloads

SecurityAdmin login required to download backups — The backup download handler requires an active admin session before streaming any file. Unauthenticated requests are rejected outright.

SecurityStrict filename validation — Requested filenames are stripped of path traversal attempts and validated against the expected backup naming pattern. Any deviation is rejected with a 400 error.

SecurityBackups stored above web root — All backup archives are stored one level above the public web directory. They are never browser-accessible regardless of server configuration or directory name guessing.

ImproveChunked streaming — Files are streamed in 1 MB chunks with output buffering cleared. Gigabyte-scale backups download without exhausting PHP memory limits.

Backup Archive Format

NewSelf-contained backup format — Every backup archive contains the database credentials file, a full database export, and all site files. Everything needed for a complete restore from scratch is in a single download.

FixBackup storage folder excluded from archives — The backup storage directory is explicitly excluded from file backups, preventing recursive inclusion of previous backups into new ones.

Standalone Restore Utility

NewEmergency restore tool — A fully self-contained restore utility with zero dependency on any CARL admin files. Uploaded to the server via cPanel or FTP when needed — works even when the entire admin directory is missing or broken.

SecurityOne-time access token — On first load, a random 48-character token is generated and stored in a secure location above the web root. The token must be entered before any restore action is permitted and is never shown again after the first load.

SecurityHard 2-hour expiry — The token expires 2 hours after generation. Attempts after that window are rejected and a new token must be generated. Limits exposure if the file is uploaded and forgotten.

SecuritySelf-destructs after success — The restore utility deletes itself from the server on successful completion. It cannot be reused or discovered after the fact.

NewAutomatic credential detection — Reads database credentials automatically if available. If the credentials file is also missing, a manual database credentials form is shown.

NewFull restore sequence — Validates the uploaded archive as a genuine CARL backup, imports the database using a character-accurate SQL parser, restores all site files and the database credentials file, then cleans up all temporary files.

NewGraceful database creation — If the target database does not exist, the restore utility creates it automatically before importing. Covers the case where the database was dropped entirely.

v3.0.0 Update Mechanism April 12, 2026

Update Manager

NewIn-admin update manager — New Update page displays installed version vs available version with a clear status badge. When an update is available, a single button downloads, verifies, backs up, and applies the new release automatically.

NewAuthenticated update downloads — Release packages are delivered exclusively through the licensing server's authenticated download endpoint. The customer's license token is verified before any bytes are sent. Revoked accounts cannot download updates.

NewSHA-256 checksum verification — The downloaded release is verified against a checksum from the licensing server before extraction. Corrupt or tampered downloads are rejected — nothing is applied.

NewAutomatic pre-update backup — Before extracting new files, the current installation is backed up above the web root with a timestamped filename. If extraction fails, the user is directed to their backup.

NewVersion tracking — CARL now tracks its own version number internally. The update manager compares the installed version against the latest available release to determine update eligibility.

Licensing Server — Version Check

NewPublic version check endpoint — A lightweight endpoint on the licensing server returns the current version string and SHA-256 checksum as JSON. No authentication required — version checking is intentionally public.

Licensing Server — Authenticated Downloads

NewAuthenticated release download endpoint — Validates the customer's CARL license token and account status before streaming the release package. Revoked accounts are blocked. Streams in 1 MB chunks directly to the customer's server.

SecurityRelease packages no longer publicly accessible — All downloads go through the authenticated endpoint with license verification. The release storage directory is protected and the direct download location is never exposed to customers.

Sidebar — Update Indicator

NewUpdate indicator in sidebar — A dedicated Update nav item sits between Tools and Settings. When up to date, it renders at 50% opacity — unobtrusive. When an update is available, it turns red with a pulsing version badge and a tooltip.

New6-hour cached version check — The version check result is cached locally. The licensing server is contacted at most once every 6 hours — zero network latency on cache hits. A short timeout ensures a slow licensing server never hangs the admin panel.

v2.3.0 Licensing Infrastructure April 12, 2026

Schema Proxy — Database Fix

FixSchema proxy querying wrong database — The account status verification was querying the licensing tables against the CMS database instead of the licensing database. This caused a fatal error on every schema generation request.

FixDirect cross-database connection approach abandoned — An initial fix attempted a dedicated connection to the licensing database using the CMS database user. This failed with an access denied error — the CMS user has no grants on the licensing database, and cross-database grants are not a scalable solution for customer installs.

Licensing Server — Internal Verification

NewInternal schema verification endpoint — A new internal endpoint on the licensing server accepts a license token and a shared secret, verifies the token signature, checks the licensing database, and returns an active/revoked status. Licensing database credentials never leave the licensing server.

SecurityShared secret authentication — A dedicated secret authenticates calls between the CMS schema proxy and the licensing server's internal verification endpoint. Prevents arbitrary callers from probing account status.

Schema Proxy — Revised Architecture

ImproveSchema proxy now calls licensing server via HTTP — Account verification replaced with an HTTP call to the licensing server's internal endpoint. The CMS server never touches the licensing database directly. Works identically for every customer install — no per-customer database grants required.

SecurityLicensing database credentials never exposed on CMS server — The licensing database username and password are now exclusively on the licensing server. The CMS server holds only the shared verification secret.

Token Grace Period

ImproveGrace period reduced — Total lock window reduced from 120 hours (5 days) to 72 hours (3 days). Token validity remains 48 hours; the grace period is now 24 hours. Sufficient for genuine outages while making license revocation testing practical.

v2.2.0 Schema Instruction Presets April 6, 2026

Schema Preset Manager — Settings

NewMultiple schema instruction presets — AI Settings tab redesigned. The single schema instructions textarea is now a full preset manager supporting unlimited named presets. Each preset stores its own complete Claude instruction set, enabling different schema strategies per content type (Article, FAQ, Landing Page, etc.).

NewPreset add / edit / delete UI — Inline form card with name field and full-height instructions textarea. Edit and Delete buttons per preset row. Delete requires confirmation. All operations are CSRF-protected AJAX calls with JSON responses — no full page reload on save or delete.

NewDefault / Fallback Instructions preserved — The original single instructions textarea is retained as the "Default / Fallback Instructions" card, used when no preset is selected or no presets exist. Zero breakage for existing schema generation workflows.

NewPreset storage — Presets stored as a JSON blob in the existing settings table. No database migration or new tables required.

Schema Preset Selector — Page Editor

NewPreset dropdown in page editor — A Schema Preset selector appears in the AI Schema & Social card, directly above the Generate Schema button, whenever at least one preset exists. Defaults to "— Default Instructions —" to maintain backward-compatible behaviour.

NewSticky preset selection (Option C) — After a successful generation, the preset used is saved into the page's schema data. When the page is reopened, the dropdown automatically pre-selects that preset. No extra DB column or migration needed.

UXLive dropdown sync — After a successful generation in the same browser session, the preset dropdown updates immediately without a page reload, so a second generation is also pre-selected correctly.

UXPreset-aware status messages — The schema generation status bar names the preset used (e.g. "Schema generated using preset 'FAQ Page'") or confirms "Default Instructions" when no preset is selected, giving clear feedback on which instruction set was applied.

AI Schema — Backend

NewPreset resolution in schema endpoint — The schema generation endpoint now accepts a preset selection. Resolution order: named preset by ID → legacy fallback instructions → error. The resolved preset label is returned in the JSON response.

FixSchema endpoint architecture restored — A prior refactor had incorrectly changed the bootstrap method, replaced the AJAX auth check with a redirect-based one (wrong for AJAX), split the prompt into a system message (causing inconsistent output), reduced max_tokens from 2000 to 1000, and removed the markdown fence stripping safety net. All five regressions corrected — original architecture fully preserved.

NewTwo new internal AJAX endpoints — Separate handlers for preset save/update and preset delete operations. Both require login and verify CSRF tokens, returning JSON success/error responses.

AI Preset Content

NewFAQ schema instruction preset — Full Claude instruction set for FAQPage schema added as the first named preset. Produces: optimised meta description and keywords tags, FAQPage + WebPage @graph JSON-LD with all question/answer pairs untruncated, Twitter Card tags, Open Graph tags (og:type: website), and canonical URL — in a single consistent code block matching the Article preset's delivery order and conventions.

v2.1.0 Security Hardening April 5, 2026

Credentials & Secrets

SecurityDatabase credentials removed from source code — DB host, name, username, and password moved from config.php into a secrets.php file located above the web root. The file is unreachable by any browser URL regardless of server misconfiguration, and is excluded from version control via .gitignore.

Authentication

Fixexport.php auth check corrected — Session variable mismatch meant the CSV vote export endpoint was checking a key that was never set by the login system. Fixed to use the correct admin_logged_in session variable, consistent with all other admin pages.

CSRF Protection

SecurityCSRF tokens added to all admin forms — Three new functions added to lib/auth.php: csrf_token() generates and stores a per-session token, csrf_field() outputs a hidden input, and csrf_verify() validates on every POST. All 14 admin files with POST handlers updated.

SecurityAutomatic CSRF for fetch() calls — A fetch() interceptor added to _header.php wraps all non-GET requests with an X-CSRF-Token header drawn from a meta tag. Covers auto-save, preview, AI schema generation, and AI image generation with zero changes to individual JS files.

SecurityImage delete converted from GET to POST — The ?del= GET parameter on images.php was a CSRF-exploitable state-changing action. Replaced with a POST form per image card, protected by a CSRF token.

Securityforgot-password.php CSRF protected — Both the recovery key verification step and the new password step are now CSRF-protected, even though this page operates outside the normal admin session.

Path Traversal

SecurityTemplate slug path traversal closed — generator.php and preview.php both constructed file paths from the user-supplied template_slug field without sanitisation. A crafted slug like ../../config/secret could read arbitrary .tpl-suffixed files. Fixed with basename() in both files — one line each.

XSS

ImproveSearch result output made explicitly safe — search_highlight() already called htmlspecialchars() before injecting <mark> tags, making the raw echoes in search.php and search_dash.php safe. Variables renamed to $titleHtml, $descHtml, $excerptHtml with explanatory comments to prevent future developers from accidentally wrapping them in e() or assuming they are unescaped.

HTTP Security Headers

SecurityX-Frame-Options: DENY — Prevents the admin panel from being embedded in an iframe on any external domain, closing the clickjacking attack surface.

SecurityX-Content-Type-Options: nosniff — Instructs browsers not to MIME-sniff responses away from the declared Content-Type, preventing certain content injection attacks.

SecurityReferrer-Policy: same-origin — Stops admin page URLs from leaking in the Referer header when clicking outbound links from within the admin panel.

SecurityContent-Security-Policy — Moderate CSP applied across all admin pages via _helpers.php. Restricts scripts and styles to self plus explicitly whitelisted CDNs (jsdelivr, cdnjs, googletagmanager, googleapis). Blocks all frames (frame-src: none) and plugins (object-src: none). Prevents injection of scripts from unknown external domains even if an XSS hole exists.

v2.0.0 Make It Easy — UX Overhaul April 4, 2026

Admin UI — Page Editor

UXAI Schema & Social card — Tier 1 redesign. OG Image, OG Description, SameAs URLs, and Generate Schema button consolidated into a single always-visible card. Eliminates hunting across three separate sections.

UXManual SEO Override — Meta description, keywords, canonical, OG title, OG type, Twitter card, and schema date fields collapsed into an expandable panel. Auto-opens if saved values exist.

NewGoogle Search Preview — Live SERP mock-up between Page Identity and AI Schema. Updates in real time as title, slug, directory, and meta description are typed. Title turns red at 60+ chars, description at 158+.

NewAuto-save — Silent background save every 90 seconds when any field has changed. Status indicator shows "Auto-saved at HH:MM" in the Save Actions card. Edit mode only.

NewLive word count — Real-time word counter below the Summernote editor. Updates on every keystroke. Pre-fills for existing content on page load.

NewMeta description character counter — Live XX / 160 counter next to the label. Turns green at 140–160 chars, red when over.

NewCopy Live URL button — Clipboard icon next to the generated path preview. Copies the full https://yoursite.com/path/to/page.php URL with a "✓ Copied!" flash.

UXHead Injection & PHP Snippet — Both sections now collapsible. Auto-open when they contain saved content. Hidden by default for clean new-page experience.

FixSummernote image overflow — AI-generated Recraft images inside the editor no longer blow out the column width. Added max-width: 100% / height: auto to all editor images.

Include Files Editor

ImproveCodeMirror replaces Summernote — Include file editor rebuilt with CodeMirror 5. Full PHP/HTML/CSS/JS mixed-mode syntax highlighting, line numbers, matching brackets, line wrapping. Fixes hard breakage on pure-PHP includes such as hub_render.txt.

Template Editor

ImproveCodeMirror with PHP syntax highlighting — Raw textarea replaced with full CodeMirror 5 editor. material-darker (dark mode) and eclipse (light mode) themes, 600px height, auto-close tags.

NewCARL Token Cheatsheet panel — Sticky right-column panel lists all {{TITLE}}, {{META}}, {{BODY}}, {{SLUG}}, {{DIRECTORY}} tokens plus common PHP include snippets. Click any chip to insert at cursor position.

Admin UI — Global

NewDark / Light mode toggle — ☀️/🌙 button in every topbar. Full CSS variable swap — sidebar, cards, forms, Summernote, CodeMirror, badges all theme-aware. Preference persisted in localStorage with FOUC prevention script in <head>.

FixFull-width layout — Removed max-width: 1100px cap from .main-content. Content now fills all available space beside the sidebar in both themes. Horizontal scrollbar eliminated with min-width: 0 on flex children.

NewInline ? tooltips — Reusable .tip CSS system. Hover/tap tooltip appears on: OG Image URL, SameAs URLs, Override Auto-Schema, Canonical Override (page editor); Base URL, Recovery Key, Admin Timezone, Cron Secret Key, Kit Form ID (settings).

NewFirst-run onboarding checklist — Dashboard card with 5 auto-checking steps (site name, Base URL, Organization info, first page, first generate). Progress bar, direct links to each action. Dismissible via localStorage. Auto-hides when all steps complete.

Site Health

NewIgnore false positives — Each broken nav link now has an Ignore button. Ignored paths stored in settings, skipped in future checks. Collapsed "Ignored Links" section with Un-ignore button. Designed for pages that exist on disk but weren't created through CARL.

Settings

NewMPC tab — New Settings tab with a single URL field. Saved URL opens in a new browser tab. Includes "Don't have MPC yet? Get your license here ↗" link to masspagecreator.com.

NewMPC sidebar button — Navigation item that opens the saved MPC URL in a new tab. Shows "set URL" label and links to Settings if no URL is configured yet.

v1.9.0 AI Image Generation April 1, 2026

NewRecraft API integration — AI image generation from page title and meta description. Produces 1344×768 images. Configurable via Settings → AI → Recraft API Key.

NewAI Image Generator card — Appears in page editor sidebar when Recraft key is configured. Generated images auto-populate the Quick Image Insert grid immediately after creation.

ImproveQuick Image Insert — Content and OG/TW dual-action buttons on each thumbnail. Content inserts into Summernote editor; OG/TW sets the social sharing image field.

v1.8.0 Security & Data Integrity March 30, 2026

NewPassword recovery system — Two-step forgot-password.php flow. Step 1: enter recovery key. Step 2: set new password. Recovery key set via Settings → General → Admin Recovery Key.

NewDuplicate page protection — App-level check prevents saving a page with an existing slug+directory combination. DB-level UNIQUE INDEX provides a second layer of protection. setup.php Upgrade auto-cleans pre-existing duplicates, keeping newest.

NewOrphaned file cleanup — When a page's slug or directory changes, the old generated .php file is automatically deleted from disk before the new one is written. Prevents stale URLs accumulating.

NewHub auto-renderer — hub_render.txt detects current URL directory automatically. Generates Bootstrap card grid from all pages in that directory. Nested directory support.

NewScheduled publishing timezone support — Admin timezone setting controls display. Server stores all times in UTC. Scheduler converts on the fly.

v1.7.0 Site Health & Structure March 28, 2026

NewSite Health checker — Reads actual generated HTML files rather than DB records. Checks: meta description presence and length, H1 existence, canonical URL accuracy, schema presence, RSS feed flag, CTA token validity, member template protection, file existence on disk.

NewNav / footer link validator — Scans nav_include.txt and footer_include.txt for all hrefs. Cross-references against known generated paths. Reports broken links with source file attribution.

NewSite Score — Circular progress ring (0–100) on the health dashboard. Calculated from critical issue count across all checked pages.

NewExclude from Site Health — Per-page checkbox in the page editor. Excluded pages (e.g. 404.php) are skipped and shown in a separate section at the bottom of the health report.

NewSite Structure Visualizer — Two views: horizontal directory tree and vertical collapsible tree. Clickable nodes navigate directly to page editor. Nested directory support up to 4 levels.

NewPage Health Check in editor — 🩺 Page Health sidebar card runs a live check on the current page's generated file without leaving the editor.

v1.6.0 Dashboard, Feedback & RSS March 26, 2026

NewMission control dashboard — Stat cards for pages, subscribers, members, links, images, and include files. Recent pages table with status sorting. 7-day subscriber sparkline. Quick Actions panel.

NewFeedback / reactions system — Page-level thumbs up/down reactions with rate limiting. Feedback dashboard with per-page breakdown and trend data.

NewRSS feed — in_feed toggle per page controls RSS and Recent Posts sidebar inclusion. Feed auto-updates on generate. Sitemap generator pings Google on scheduled publish.

NewSearch dashboard — FULLTEXT index search across all pages. Relevance-ranked results with term highlighting and article previews.

NewRecent Posts sidebar widget — recent_posts.txt include renders directory-aware recent articles. Smart parent fallback fills gaps when current directory has fewer posts than the count setting.

v1.5.0 Email & Subscribers March 24, 2026

NewCARL subscriber database — Full signup management with status tracking (active/pending/unsubscribed), source page logging, and CSV export.

NewKit (ConvertKit) v4 API integration — Subscribers saved to CARL first, synced to Kit automatically. Retry button for failed syncs. X-Kit-Api-Key authentication.

NewCARL native signup form — carl_signup_form.txt include. AJAX submission with honeypot spam protection. Success message configurable in Settings.

NewSignup form wording in Settings — Title, sub-text, button label, and success message all configurable once — updates everywhere on site instantly.

ImproveSettings → Subscribers tab — Kit API key, default form ID, form wording, and Recent Posts Count all centralised here.

v1.4.0 Scheduled Publishing March 22, 2026

NewScheduled publishing — Set a future date/time per page. Status shows "Scheduled" badge. Timezone-aware — displays in admin timezone, stored in UTC.

NewcPanel cron integration — run.php CLI endpoint runs every 5 minutes. Processes all due pages, generates files, pings Google sitemap. Command auto-generated in Settings → System.

NewSilent admin trigger — _header.php checks for overdue scheduled pages on every admin page load as a fallback when cron is not configured.

NewCron Secret Key — Random token authenticates scheduler HTTP endpoint. Generate button in Settings → System. cPanel cron setup instructions shown automatically once key is saved.

NewGoogle sitemap ping — Sitemap regenerated and Google automatically notified after each scheduled publish run.

v1.3.0 Affiliate Link Tracker & CTA Builder March 20, 2026

NewLink tracker — Create tracked short links at /go/short-code. Click recording with timestamp, geolocation (country/city), IP, referrer, and user agent.

NewRedirect modes — iframe cloak (URL bar stays yours), JS cloak (noindex + instant bounce), 301 permanent, and 302 temporary redirects.

NewUTM parameter builder — utm_source, utm_medium, utm_campaign, utm_term, utm_content appended to destination URL per click. Live final URL preview in editor.

NewLink groups & reports — Organise links into named groups. Per-link and per-group click reports with date range filtering and top referrer breakdown.

NewCTA Builder — Visual point-and-click button builder. Colors, typography, shape, size, icon, hover animations, drop shadow. Live preview with hover testing. Standard and Summernote-safe inline code output. [CTA:ID] token inserts button anywhere in page content.

v1.2.0 Members Area March 18, 2026

NewFull membership system — Free and premium access levels. Member registration, login, account management, and logout templates. Admin approve/suspend/upgrade controls.

NewRegistration modes — Open (instant access) or Approval (admin must approve each member). Configurable in Settings → Subscribers → Members Area.

NewPage access levels — Public, Members, and Premium per page. CARL injects access guard PHP into generated member-protected pages. Non-members redirected to login.

NewMembers navigation bar — Dark green bar above site nav on members pages. My Account dropdown with logout. Configurable via members_nav.txt include. Changes take effect instantly without regenerating.

New5 members templates — members-login.tpl, members-register.tpl, members-dashboard.tpl, members-layout.tpl, members-logout.tpl.

ImproveSecure session cookies — mbr_set_cookie() and mbr_clear_cookie() enforce matching Secure, HttpOnly, SameSite=Lax attributes to prevent silent logout failures.

v1.1.0 AI Schema Generator March 16, 2026

NewClaude API integration — One-click AI schema generation from page content, title, OG image, and SameAs URLs. Powered by Claude (Anthropic). API key configurable in Settings → AI Settings.

NewFull schema output — Generates optimised meta description, keywords, JSON-LD Article/BlogPosting schema, Open Graph tags, Twitter cards, and canonical URL in a single API call.

NewHead Injection — AI schema appended (not replaced) to the head_snippet field. Override Auto-Schema checkbox suppresses built-in JSON-LD to prevent duplicate schema. Auto-ticked on generation.

NewSameAs URLs — Per-page field for social profiles and authority sources. Passed to Claude with every schema request to strengthen Knowledge Graph identity.

NewSchema generation instructions — Fully customisable prompt in Settings → AI Settings. Controls output format, field order, schema type, and any site-specific requirements.

NewPaste HTML button — Custom Summernote toolbar button bypasses all sanitisation. Loads raw HTML directly into editor without stripping. Essential for AI-formatted content.

v1.0.0 Initial Release March 14, 2026

Core CMS

NewStatic PHP file generator — Creates real PHP files from DB records. No CMS runtime overhead on live pages. Merges template + content + schema + snippets → writes to disk.

NewPage editor — Full WYSIWYG with Summernote 0.8.20. Title, slug (auto-fills from title), directory (nested path support), status (draft/published/scheduled), template selector, RSS feed toggle, and page protection level.

NewTemplate system — {{TITLE}}, {{META}}, {{BODY}}, {{SLUG}}, {{DIRECTORY}} token substitution. Five built-in Bootstrap 5.3.3 templates: bootstrap-blog, bootstrap-category, bootstrap-fullwidth, and two extras.

NewSite includes — site_includes/ directory with PHP-include .txt files for nav, footer, header scripts, custom CSS, and sidebar widgets. Edit once — changes cascade across all pages instantly without regenerating.

NewPages list — Nested directory tree view with live search, status filter, template filter, index-first sort. Edit and Generate actions per row. Bulk Regenerate All button.

SEO

NewFull SEO field set — Meta description, keywords, canonical override, OG title, OG description, OG image, OG type, Twitter card type, schema type (Article / BlogPosting / Organization / none), author, date published, date modified.

NewAuto schema — BreadcrumbList JSON-LD baked into every template. Organization, Article, and BlogPosting schema built from Settings data. GA tracking snippet injected into every generated page when GA ID is set.

Admin

NewSettings — 5 tabs — General (site name, base URL, GA, recovery key, favicon), Organization (name, address, founder, logo), Subscribers (Kit, form wording, recent posts count), System (timezone, cron key), AI Settings (provider, API keys, schema instructions).

NewImage manager — Upload with automatic thumbnail generation. Filename and URL storage in DB. Quick Image Insert panel in page editor for one-click content or OG image insertion.

NewSitemap generator — Produces XML sitemap from all published pages. One-click generation and download. Auto-pings Google on scheduled publish runs.

NewPHP Snippet field — Raw PHP written verbatim into generated file after body content. Include picker dropdown inserts PHP include lines from site_includes/.

Newsetup.php install/upgrade — Creates all DB tables, seeds settings, adds indexes, auto-cleans duplicate pages. Supports fresh install and upgrade modes from a single script.

NewAdmin authentication — Session-based login with bcrypt password hashing. requireLogin() guard on all admin pages. Separate member and admin sessions.