WEB SERVER & PUBLISHER. ONE BINARY, ONE PORT, ONE AUDIT SURFACE.

A marketing CMS, a Hugo documentation site, and an AI governance gateway running alongside them is three vendors, three deploy pipelines, and three attack surfaces. Every incident review asks which one served the request. Every compliance review asks which one holds the log. systemprompt.io collapses them into one Rust process on one port.

The same binary that runs the RBAC check in front of an MCP tool call accepts the HTTP request, attaches security headers, writes a trace_id to the request, and dispatches to a server-rendered template. No reverse proxy in front. No static site generator behind. A CTO paying Contentful plus Vercel plus an AI gateway pays three bills and runs three SSO integrations to serve one company's content and one company's agents.

Templates render server-side, so the first byte the browser receives is HTML. No hydration flash, no JavaScript framework supply chain to audit, no build-step toolchain matrix. Marketing writes a page in YAML, the publish command reloads configuration, the page is live. The binary serving this paragraph is the binary described by this paragraph.

A marketing lead editing a landing page should not touch the AI governance configuration. A staff engineer reviewing a blog post should not need a CMS login to comment. Both open a pull request against a Markdown file. systemprompt.io treats every piece of content (blog, documentation, guide, feature page, legal) as Markdown with YAML frontmatter in the repository, the same format governance policies and skill definitions use.

The ingestion service walks configured source directories, parses frontmatter into a typed content record (title, description, author, slug, keywords, kind), hashes the file so unchanged content is skipped on the next run, and upserts into a Postgres table. A job reads a YAML source configuration, iterates enabled sources, and runs ingestion in the same binary that serves the rendered pages. The publish step is a CLI command, not a web form. A compliance officer reads the change log with git log against the content directory.

One pipeline serves every content kind. Blog articles, guides, tutorials, and feature pages share one table, distinguished by the typed kind field. The content API returns JSON for machine callers and Markdown for tools that want source, resolved through one content provider the templates and the API share. "Where does content live" has one answer. In the repo, in one table, behind one provider.

Adding Elasticsearch to a content site is another cluster to operate, another index to keep in sync, and another egress path for content that may be under NDA. Adding Algolia puts every visitor search query in front of a third party. systemprompt.io indexes content in the same Postgres instance that holds it, using the database's full-text engine, so a query stays on the same network as the pages it searches.

A token vector is written next to every content row and indexed for query-time scans. A keyword lookup is a single database query. The search repository exposes two paths. A free-text keyword query across title, description, and body. A filtered browse by category. Results carry the fields a listing page needs (slug, title, description, image, source, category) plus a view count joined from the performance table, so popular content surfaces without a second query.

The search service sits behind the same content provider the templates and API use, so a site search box, a documentation filter, and a programmatic query run through one code path. "Which vendor sees our search queries" has one answer. The Postgres cluster you already operate. The ranking logic is a file in the repo.

Web content has no analytics by default. The usual choices are Google Analytics (every visitor sent to a third party, an opaque script shipped to the browser), paid SaaS (another contract, another export problem), or building it in-house. None let a compliance officer answer "show me every click this user made on every campaign link last quarter" with one SQL query against a database the organisation already owns.

Link tracking, UTM generation, click attribution, and page-level behaviour land in the same Postgres instance as the content, reachable with the same credentials. The link generator writes a campaign-link row with a short code and UTM fields. Specialised wrappers set source, medium, and campaign defaults for social posts, internal cross-links, external CTA links, and external content links, so a report is not a regex over free-form UTMs. The attribution service records session, user, device, country, and a first-click flag. Aggregates roll up into campaign performance and content journey queries without a separate analytics pipeline.

Per-page behaviour writes one row per page view with typed behavioural fields. Scroll depth and reading pattern answer whether visitors finish the page. Rage-click and dead-click flags surface UX bugs without a session-replay vendor. Focus time, blur count, and tab switches separate engaged reads from background tabs. The row lives in your Postgres, so a CISO answers "did this user's device see this page" with one query and no vendor export ticket.

A governance product whose own marketing site runs on a different stack does not trust its own claim. systemprompt.io (this page, the documentation, the blog, the feature index) is served by the binary in the template repository. No separate marketing site. No WordPress behind a reverse proxy. No Webflow subscription. The HTTP server, template registry, content ingestion, search service, and link analytics described on this page are the instances serving this page.

Every page is configured in YAML. Navigation, feature sections, footer links, and category routing are declared in configuration files and deployed through the CLI publish command. Change the YAML, run publish, the page updates. The content routing trait resolves URLs to slugs. The content provider fetches the record. The template registry renders it. None of it requires a code deploy, so a marketing copy change does not block on the engineering release train.

For a CTO running build-vs-buy, every sibling service collapsed is an attack surface removed, a contract not renewed, a pipeline not maintained. Prerendered pages run at build time through the extension trait's page-prerenderer method, so production serves cached HTML. A staff engineer verifying this opens the configuration directory and binary source named below and reads the same files this site reads.