A privacy-first content management system combining AI-powered writing, visual scheduling, and direct LinkedIn publishing — running entirely on your own server with zero third-party tracking.
From first draft to published post — every step of your content workflow in one place.
Full-featured post editor with title, rich text (3,000 chars max), categories, and file attachments.
Generate posts with Google Gemini 2.5 Flash — full control over tone, length, audience, and language.
Three calendar views (month, week, day) for planning your content pipeline with precision.
OAuth 2.0 integration with LinkedIn's UGC Posts API for one-click or automated publishing.
7-day kanban board for visualizing your pipeline with drag-and-drop scheduling.
Real-time in-app notifications for every important event in your content lifecycle.
Curated hashtag collection organized by category for consistent branding.
Save, organize, and bulk-import URLs for content research and references.
Lightweight note-taking for content ideas, research, and brainstorming.
From idea to published LinkedIn post in four steps.
Use AI with your topic, tone, and audience — or write from scratch. Get 2 variants with hashtag suggestions.
Pick a date and time using the calendar or weekly board. Drag-and-drop to reschedule anytime.
Background scheduler checks every 60s. When your post's time arrives, it's published to LinkedIn automatically.
Get notified on success or failure. Review analytics. Refine your strategy and repeat.
Defense-in-depth. Your data never leaves your server. Zero third-party analytics or tracking.
310,000 iterations · SHA-512 · 32-byte salt · crypto.timingSafeEqual prevents timing attacks.
httpOnly + sameSite: strict + secure. The cookie cannot be read by JavaScript, so an XSS payload cannot steal it.
X-Frame-Options · X-Content-Type-Options · HSTS · Strict CSP · X-Powered-By removed.
Global: 500 req/15min · Auth: 20/15min · Per-action in-memory limits with 10K entry cap.
5 failed attempts → 15-minute lockout. Remaining attempts shown. Per-account tracking.
HMAC-SHA256 signed + timingSafeEqual verified. 10-minute expiry prevents CSRF/forgery.
Production domain only. Credentials restricted. Explicit method/header control.
Password: 8-128 chars, mixed case + digit. Username: 3-30 chars. Email: RFC. Body: 2MB max.
Auth-only access. Directory traversal blocked. Dotfiles denied. Path resolution validated.
No stack traces in production. Consistent JSON format. Forgot-password prevents enumeration.
48-byte tokens (96 hex). Max 5/user. 24h expiry (30d remember). Last-seen tracking. Instant revoke.
Role-based (admin/user). Per-user page access. Signup/signin toggles. First user = admin.
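The signed, expiring token from the "HMAC-SHA256 signed + timingSafeEqual verified. 10-minute expiry" item above, sketched as an added example; this is not the project's own code. The helper names `signState` and `verifyState`, the `nonce.issuedAt.mac` token layout, and the way the secret is passed in are assumptions.

```javascript
const crypto = require('node:crypto');

const TTL_MS = 10 * 60 * 1000; // 10-minute expiry, as stated on the page

// Hypothetical helper: issue "<nonce>.<issuedAt>.<mac>" keyed with a server-side secret.
function signState(secret, now = Date.now()) {
  const payload = `${crypto.randomBytes(16).toString('hex')}.${now}`;
  const mac = crypto.createHmac('sha256', secret).update(payload).digest('hex');
  return `${payload}.${mac}`;
}

// Hypothetical helper: returns { ok, reason } so callers can log why a token failed.
function verifyState(secret, token, now = Date.now()) {
  if (typeof token !== 'string') return { ok: false, reason: 'malformed' };
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [nonce, issuedAt, mac] = parts;

  // Reject anything that is not exactly 64 lowercase hex chars: Buffer.from(..., 'hex')
  // silently stops at the first invalid character, which would allow trailing junk.
  if (!/^[0-9a-f]{64}$/.test(mac)) return { ok: false, reason: 'malformed' };

  const expected = crypto.createHmac('sha256', secret)
    .update(`${nonce}.${issuedAt}`)
    .digest();
  const given = Buffer.from(mac, 'hex');

  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }

  // Trust the timestamp only after the MAC has authenticated it.
  const ts = Number(issuedAt);
  const age = now - ts;
  if (!Number.isSafeInteger(ts) || age < 0 || age > TTL_MS) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, reason: 'valid' };
}
```

The expiry check runs after the signature check, so an attacker-edited timestamp is rejected as a bad signature rather than being evaluated for freshness.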
MVC pattern with clear separation of concerns. Each layer has a single responsibility.
No bloated frameworks. Fast, reliable tools with active communities.
Everything included to deploy on any Linux VPS. No Docker required.
ecosystem.config.js with memory limits, log rotation, auto-restart, and cluster mode for multi-core.
Reverse proxy with SSL (Let's Encrypt), gzip, static cache (30d), and security headers.
Schema created on first run. Missing columns detected and added on every startup — zero manual SQL.
All secrets via .env (never committed). Template included. DB, API keys, OAuth — all configurable.