Controlled Beta Evidence level: In progress

A safe way for clients to edit their own static websites

The Safe-Editing CMS lets a business update its approved content — text, images, links — while the site's structure stays locked. Every change is validated before it can apply. Now in controlled beta, managing content across three live client sites.

Client
Internal product — used for client sites
Sector
Web infrastructure / publishing
Role
Product design, build, and operations
Period
2025–2026 · controlled beta
Services
Safe content editing · Managed publishing · Backups & integrity checks · Client/owner access boundaries
Tools
Node.js · Render (hosted dashboard) · Cloudflare Pages (published sites) · GitHub

The business

Static websites are the fastest and most secure thing a small business can run — but the moment the owner needs to change prices, hours, or photos, they're either waiting on a developer or handed a page builder with enough rope to break the layout. Traditional CMS platforms solve editing by giving up the speed, security, and simplicity that made the static site worth having.

The real problem

Let a non-technical client edit their own content safely — without being able to break the design, take the site down, delete the wrong thing, or get the business hacked through a plugin. And let the operator hand a site over without becoming a permanent helpdesk for every text change.

My responsibility

The whole system: the editing model, the validation layer, the hosted dashboard, the publishing pipeline, backups and recovery, and the operational rules for running it on behalf of clients.

  • Published client sites must stay fully static — the editing system can never become a runtime dependency or a point of failure for the live site.
  • Clients edit; only the owner-operator publishes. No client change goes live without review.
  • Not a public SaaS: a controlled, operator-managed service for sites built to be handed off safely.

What was built

The solution, in modules

01

Locked structure, open content

When a site is taken on, its layout — navigation, footer, branding, critical buttons — is frozen as structural 'chrome'. Only approved content slots (specific texts, images, links) are editable. A client can change the words; they cannot move, delete, or restyle the page.

02

Every edit is checked before it can apply

A deterministic validation layer — not an AI, not a setting — is the only path a change can take. Edits that would inject scripts, empty out required text, or point links somewhere unsafe are rejected with a plain reason. The same rules apply to everyone, including the operator.

03

Owner-only publishing

Clients log in through a private link scoped to their own site — they can't see other sites and can't publish. The operator reviews and publishes; published sites deploy as plain static files to their own hosting.

04

Versioned, backed up, recoverable

Content changes are versioned with rollback. Backups are integrity-verified bundles stored off the host, and restore only accepts bundles that pass verification. An append-only audit history records what changed, when, and by whom.

05

Now editing real, live client sites

After end-to-end validation on a real trilingual school website (all pages ingested, structure locked at 112 editable vs 55 locked slots per page, forbidden edits rejected with the right reasons), the CMS moved into real use: it now manages content edits across three live client sites — Alaska ATV Rentals, Girdwood Rapid Response, and Union CLS — with the same locked-structure, validate-before-publish workflow.

System view

How an edit becomes a live change

  1. 01

    Client edits a slot

    Through a private, site-scoped login: text, image, or link in an approved content slot.

  2. 02

    The Guardian validates

    Deterministic checks accept the change or reject it with a plain-language reason. Structure is untouchable either way.

  3. 03

    Owner reviews & publishes

    Versioned change is reviewed; publishing exports the full site as static files.

  4. 04

    Site deploys

    The static build goes to the site's own hosting. The live site never depends on the CMS being up.

Conceptual flow of the editing model — published sites remain plain static files.

Inspectable proof

Proof you can inspect

Sanitized artifacts show the underlying work without exposing client identities, credentials, private dashboards, or customer data.

  • Try the editor yourself

    A public sandbox of the real editor on a fictional bakery site. The sign-in is prefilled — just press Sign in, change a headline, try to break the layout (you can't), and roll back. Resets every 30 minutes. Hosted on a free tier, so the first load can take up to a minute to wake.

    Open the sandbox ↗

    Public demo instance — fictional business, separate from client production · verified July 4, 2026

  • Safe-editing CMS dashboard with editable content controls, locked fields, a live preview, and version history

    Sanitized editor dashboard

    A faithful reconstruction of the verified local editor state. Client identities, URLs, credentials, and production account details are excluded.

    Sanitized reconstruction from local CMS verification · verified June 13, 2026

  • The Safe-Editing CMS editing the Alaska ATV Rentals homepage: a left content panel of editable text and link fields, a live preview of the locked page layout, and a right panel with version history. The editable phone field and assistant input are covered by redaction bars while the approved public number remains visible in the locked preview header.

    Real editor session — Alaska ATV Rentals

    The actual editor on the live, named Alaska ATV Rentals site (shown with the client's written permission): locked structural chrome, editable content fields, a live preview, and saved version history — all real. The editable phone-number field and disabled AI-assistant input are redacted; the same approved public number remains visible in the locked site header, which clients cannot modify. No credentials or account identities are shown.

    Real editor screenshot on the named client site, redacted · verified June 15, 2026

  • Fresh reliability gates

    The product checks were rerun before publishing these proof numbers.

    Automated tests
    204 passed / 0 failed
    HTTP smoke workflow
    Passed end to end
    Editing loop
    Ingest, Guardian validation, render verified
    Storage integrity
    Passed with no integrity problems

    CMS test, smoke, demo, and integrity commands · verified June 13, 2026

Evidence

What backs this up

  • Production-hardening milestone (v0.7)

    Verified

    Completed and passed: configuration security, error handling, backup safety, and route-validation audits.

  • Operator rehearsal (v0.8 B1)

    Verified

    Completed and passed: full local publishing and recovery rehearsal — production checks, integrity scan, backup, dry-run restore, and edit-rejection behavior.

  • Hosted dashboard beta (v0.8 B2)

    Verified

    Completed: the dashboard runs as a hosted service with persistent storage; owner login, site-scoped client access, owner-only publishing, off-host backups, and per-site deploy targets verified.

  • Real-site pilot validation (June 10, 2026)

    Verified

    Trilingual client site ingested, chrome locked, locked-slot edits rejected, full export deployed to an isolated pilot project and live-verified.

  • In real client use across three live sites

    Verified

    The editor is now used to manage content on three live client sites — Alaska ATV Rentals, Girdwood Rapid Response, and Union CLS — confirmed working end to end on real sites, not just in a pilot.

  • Public editing sandbox live (July 4, 2026)

    Verified

    A separate demo instance now lets anyone try the real editor on a fictional business (Bright Bakery): the sign-in is prefilled, edits render live, structure-breaking attempts are rejected by the Guardian, rollback works, and the sandbox resets itself every 30 minutes. Deploys and pushes are disabled in the sandbox; it runs apart from the production instance that serves real clients.

  • Sustained-use evidence and scaling

    Pending

    The next milestone: enough real editing history to describe client experience and reliability under sustained use, then onboarding further sites as the workflow stays stable.

Results & current state

What's true today

  • The complete editing-to-publishing loop exists and has been exercised end-to-end.

    Milestone records: hardening, operator rehearsal, hosted beta, and a real-site pilot all completed and passed.

  • It is now in real use, not just validated.

    The CMS manages content across three live client sites — Alaska ATV Rentals, Girdwood Rapid Response, and Union CLS — confirmed working end to end on real sites.

  • The safety model holds under real content.

    Pilot and live use: structural chrome stays locked, forbidden edits are rejected with correct reasons, and exports contain no internal data.

Want a website your team can update — without being able to break it?

Describe your setup in a few sentences — you'll get a plain answer about whether and how I can help.