A small feature release: 

• Collections now have access to a 'Gallery' template option, which displays child objects as a thumbnail grid below the description. This allows you to use collections to generate an 'article + gallery' pattern for (say) events or travel articles, or can be used as an alternative display format for publications catalogues etc.

A small feature release and polish. The shiny new things are:

• CSS grid themes: Several new themes are available based on native CSS grid, which removes Bootstrap as a dependency. This makes them both simpler and more lightweight. They are also more refined and precise in terms of spacing and layout. The new themes are Tide (teal), Sand and Sea (blue), Kelp (olive-amber), Canyon (rust stained) and Pond (green). The themes feature a 'night mode' toggle and use image source sets to ensure that thumbnails are crisp when displayed at different resolutions or on high resolution screens.
• Block template overrides: Copy the internal block templates from modules into the relevant theme/blocks directory and customise them however you like, (eg. copy yourmodule/Block/some-template.html to themes/yourtheme/blocks/some-template.html). The versions internal to the modules provide safe defaults if theme-specific versions are not available.
• Pagination control has been extracted from the PHP code and placed in a html template.

I've added libvips as a third option for thumbnail generation. It's better than ImageMagick in that it is around 4x faster, and uses 1/10th the memory. It is particularly good if your webserver has more than one core available as it will split the work across multiple threads, whereas ImageMagick won't. Like ImageMagick, it is colour space aware (GD isn't).

In terms of speed and quality, the options are now (best to worst):

• libvips
• ImageMagick
• GD (default)

GD is best avoided (worst quality, and the lack of colour space awareness can make images drab and lifeless) but is set as default because it is widely available on most web hosts, whereas ImageMagick is sometimes available, usually with some configuration, and libvips usually isn't a PHP thing. You'll probably need your own VPS or webserver, or be running Tuskfish on a Docker stack.

To enable it, install libvips-tools on your system and rename ResizeImage-Vips.php to ResizeImage.php (and backup or remove the existing one). Refer to the files's docblock for instructions, and to configure compression and sharpening.

Sharpening is off by default, but I have found a value of 0.5 (light sharpening) works pretty well. It comes at a cost though, forcing a second pass over the image so it noticeably slows thumbnail generation down on pages with a lot of images. However, this is only an issue on first load, as after that you're pulling the thumbnails from the cache.

A small update to simplify / reduce friction during installation:

• Change index.php to route from request path only, independent of scheme and host. This avoids the need to manually configure when deploying behind reverse proxy that handles TLS termination.

A minor update that provides a performance boost, file structure reorganisation and security hardening:

• Optimise database performance: Indexes have been added, which accelerate queries, improve resilience under load, and further reduce the already small hardware requirements of Tuskfish. The indexes are primarily of benefit to sites with large content loads.
• Modularity has been improved so that new modules can be dropped in or ripped out without modifying other code, which will simplify future development.
• The SMTP password is now encrypted at rest.

I'm releasing Go2Serve, a static file server written in Go. It's a single binary with simple configuration, no runtime dependencies, and secure defaults out of the box. You can build it and learn how to use it in two minutes.

I built Go2Serve because I wanted something lightweight, performant and safe. Something I could drop onto a Pi or a VPS, point at a directory, and have it serving files over HTTPS in under a minute with near-zero configuration.

Go2Serve serves static files. That's it. No CGI, no reverse proxying, no dynamic content. What it does do, it tries to do well:

• HTTPS with zero configuration: Pass `--domain example.com` and go2serve handles Let's Encrypt certificates automatically, including renewal. Manual certificates are also supported, with automatic reload every 60 seconds for zero-downtime rotation.
• Security defaults: Path traversal protection (including via symlinks), `X-Content-Type-Options`, `X-Frame-Options`, `Referrer-Policy`, and optional HSTS and Content-Security-Policy headers. These are on by default, not buried in a config file you have to remember to write.
• Per-IP rate limiting: Token bucket rate limiting is enabled out of the box, with proxy-aware client IP extraction when you're behind a load balancer.
• Lightweight: No CGO, no runtime dependencies. The Docker image is built from `scratch` and contains nothing but the binary and CA certificates. Memory footprint is minimal.

Go2Serve ships Docker-first. The supported, cross-platform install path is "make up", which builds a pinned, reproducible Linux image and runs it in a hardened scratch container — identical on Linux, macOS, and Windows (WSL2). Building a native binary (make build-bin, requires Go) is offered as a secondary path for non-Docker hosts. See the README.md!

A minor feature and security hardening release:

• Add SMTP support via PHPMailer.
• Add TFISH_EMAIL_URL constant to config.php.
• Proactive security hardening pass based on sweep by Claude Opus 4.6.

[Update: This is now done] Just a quick note about the next release (2.2.9) of Tuskfish:

• Given the proliferation of AI-assisted attacks on software and supply chain ecosystems, I wanted to let people know that the Tuskfish code base has been proactively put through several rounds of security scanning and a structured evaluation by a strong AI model (Claude Code Opus 4.6). No serious issues were found, and to the best of my knowledge Tuskfish 2.2.7 is safe for production use.
• A few minor issues were found, which basically concern additional hardening, adding defense in depth and tidying up. These have now been patched and will be released in v2.2.9 sometime in the next week once I've had a chance to test them. You can grab them from main right now, if you like, but I suggest you wait.
• Additional evaluations are planned (not yet done) using a different model (Codex) will be conducted periodically as stronger models become available. So: We're not done with this, evaluations will become part of the process as new and stronger models become available.
• One new feature: Support for SMTP mail has been added, and I have ditched the native mail() function of PHP, which should make it easier to get email notifications up and running.

Coming soon: I will be developing a Docker Compose package that will allow automated deployment of Tuskfish with a one line command. I just did this for a new project and wow it just makes life so much easier.

A minor patch to fix a bug in collection pagination.

A minor maintenance release to harden the WebAuthn service class.

A minor patch:

Tighten access-control-origin header, close open redirects, improve validation and add resource limits to JS.

Tuskfish CMS now supports login with Windows Hello, Touch ID, Face ID, iOS and Android devices, and hardware security keys like the Yubikey. This is implemented as a second factor after password check for two-factor authentication (2FA) login security.

Users can register and revoke their 2FA credentials by visiting Preferences => Two-Factor Authentication in the Admin panel. Registration of a credential only takes a few seconds. Once a credential is registered, two-factor login becomes mandatory, so it is a good idea to register more than one device to avoid lock out. Users can revert to simple password login by revoking all their 2FA credentials.

Technically this is an implementation of the FIDO 2 / WebAuthn standards. Users register passkeys from platform authenticators (Hello, Touch ID etc) or hardware security keys (CTAP2 authenticators). Credentials are public-key based and origin-bound; no shared secrets are stored.

Minor bugfixes:

Reverted cache writes to avoid use of remove(), as this function is normally disabled in php.ini; tidied cached file names (prevent param separator being used on first param); fixed bug in gallery logic that prevented dynamic changes in columns to suit display width.

Tuskfish V2.2 brings a lot of improvements, including a group permissions system to control access to routes and individual content items, fourteen new colourful themes, and a new default theme preference for flipping the look and feel of your site. All content types can now be set as 'static' with a new 'in feed' toggle switch, there is optional support for better thumbnail generation and colour space support with ImageMagick 6 available. The entire codebase has been reviewed with AI assistance for bugs, security issues, and compliance with PHP 8.4/8.5, Bootstrap 5 and HTML5. Core libraries have been updated. Note: I pushed a minor bugfix update so the current version is 2.2.1.

Tuskfish 2.1 is a feature release that adds an extensible system for creating and managing blocks (the equivalent of 'widgets' in Wordpress or 'modules' in Joomla). Three block types ship by default: A Spotlight block for highlighting a particular piece of content, and 'Recent Content' block that lists the last X pieces of content filtered by tag and type, and custom HTML blocks. The code base has been updated to use recent language features. The minimum PHP version is now 8.3.

I was tempted to call this the "2025 update" but since I usually take leave in December and spend most of it tinkering, quite likely I'll do some of this before new year or at least by the end of January. The next Tuskfish CMS release will be version 2.1. Core functionality will remain unchanged, but I will add support for blocks, and if I can sort out a couple of issues, native multilanguage. Not a crappy hacked up multilanguage, but one that is baked into the core and seamless. I'll be making use of some of the more recent language features in PHP, which will raise the minimum version required to PHP 8.3. Please note that the contemporary versions of PHP are now V8.3 and V8.4, with V8.2 now end of life.

Tuskfish 2.0.8 is an incremental update with a bunch of small fixes and refinements. New features include an alternate compact template option for collections that displays child content as a list, support for a 3rd Yubikey hardware token, and extension of html toggling of content online status extended to admin search results. There are several improvements to the video templates as well: They are now responsive, and alternate selectable templates are available for common aspect ratios including 16:9, 4:3, 21:9 and 1:1.

Optional support for ImageMagick V6 is now available. This gives much better quality thumbnails than PHP's native GD2 library, but at the cost of some manual configuration. You need to:

• Have ImageMagic installed on your webserver (most hosting companies provide this).
• Access to PHP's exec() function must be enabled (it is often disabled by default through the disable_functions setting in php.ini).
• Swap in an alternative ResizeImage.php trait file (provided).
• Configure the file path to an sRGB.icc colour profile on your server (you can download one if necessary).
• Clear the image cache (html/cache), which will cause thumbnails to be rebuilt.

You can adjust the level of compression and sharpening in the trait file method createThumbnailWithExec().

Tuskfish 2.0.7 is a minor update to fix small bugs and add htmx support. Back end toggling of content on/offline now uses a htmx call to avoid reloading the whole page. This makes management easier when you have a large amount of content. The htmx library is now available in /vendor, but it is only used in the back end administrative theme.