How I Built a Confluence Macro in a Day with Rovo Dev and Forge

So there we were, minding our own business, when a customer asked what seemed like a simple question:

"Can I share our roadmaps in Confluence? We collaborate with contractors there already, and I'd rather not give them all Jira access just to see what's coming next quarter."

And I thought: yeah, that's a completely reasonable thing to want. In fact, it's such an obviously reasonable thing that you'd think it would already exist. But here's the thing about enterprise software — the obvious stuff often doesn't exist because everyone assumes someone else built it.

So I built it. In about a day. And I'm not a Developer (at least not in long time).

Some background

Let me paint you a picture that'll be familiar to anyone who's worked in a company larger than a food truck.

You've got Jira. It's where your engineering team lives. It's got all your roadmap data, your epics, your carefully groomed backlogs. It's beautiful (to you). It's also completely impenetrable to anyone who doesn't spend eight hours a day swimming in it.

Then you've got stakeholders. Contractors. Partners. Executives who definitely don't want a Jira license and wouldn't know what to do with one if you gave it to them. But they do need to see the roadmap. They need to know what's coming. They might even — gasp — have opinions about it.

The traditional solutions are all terrible:

1. Export to PowerPoint every week. This is what happens in practice, and it's exactly as soul-crushing as it sounds.
2. Give everyone Jira access. Security teams love this one. (They don't.)
3. Build a custom integration. Sure, if you have six months and a team of engineers who apparently have nothing better to do.

Our customer didn't want any of these options. She wanted to embed a live roadmap in a Confluence page, have it automatically know who's viewing it, and let those viewers actually leave feedback. You know, like software should work in 2025.

Enter Forge and Rovo Dev 

I built this integration using Rovo Dev — Atlassian's AI-powered development agent — on top of the Forge platform. And honestly, this is the part that still kind of blows my mind.

eRovo Dev isn't just another code-completion tool that suggests variable names. It has platform knowledge. It knows Forge. It knows the manifest format, the permission model, the resolver patterns, the Custom UI lifecycle. When I described what I wanted to build, it didn't just write code — it wrote correct Forge code. It knew that a Confluence macro needs a resource declaration pointing to static files. It knew that backend functions need to be registered with a resolver. It knew the exact permission scopes we'd need to access user information.

This is the difference between an AI that's read the documentation and an AI that's internalized the documentation. I wasn't constantly stopping to look things up or debug platform-specific gotchas. Rovo Dev just... knew.

But what makes this actually viable for enterprises is the Forge platform underneath. Forge is what happens when you actually think about security before you build a developer platform, instead of bolting it on after three major breaches. It runs your code in Atlassian's cloud, in a sandboxed environment, with a permission system that's genuinely well thought out.

What does that mean in practice? It means I could build this thing with the confidence that:

• User data stays protected
• The app can't do anything it doesn't explicitly ask permission for
• There's no server for us to maintain, patch, or accidentally leave exposed to the internet

For enterprises, this is huge. Your security team doesn't have to vet some random server I'm running. Atlassian is running the code. The same Atlassian your company already trusts with, well, all of Confluence and Jira.

What I actually built

The solution is elegantly simple, which is usually a sign that you've found the right abstraction.

A Confluence Macro. Allowing you to embed portals from Released in Confluence. That's it. Drop it on any Confluence page, configure which roadmap to show, and you're done. The roadmap renders live, pulling data from your Released account (which in turn connects to your Jira).

Automatic Authentication. This is the clever bit. When someone views the Confluence page, the macro knows who they are — they're already logged into Confluence. We take that identity and use it to generate a secure token that tells Released "this person is allowed to see this roadmap." No separate login. No password. No friction.

Tailored Views. Here's where it gets interesting for the business folks. You can configure what each audience sees. Contractors might see high-level initiatives and rough timelines. Your executive team might see strategic themes. Your partners might see only the features that affect their integration. Same underlying data, completely different views, each one showing exactly what matters to that audience.

Built-in Feedback. Stakeholders can leave comments directly on roadmap items. Product teams can see that feedback right where they're already working. No more "can you email me your thoughts" followed by a black hole of lost context.

The technical bits

I promised this would be light on the technical details, but some of you are probably wondering how the magic actually works. Here's the thirty-second version:

The macro is a Forge "static resource" — basically a small web page that loads inside Confluence. When it loads, it asks the Forge backend "who is this person and can they see this roadmap?" The backend checks with Confluence, generates a cryptographic token, and passes it to our embed. The embed uses that token to pull the right roadmap view from Released.

The manifest file — think of it as a permission declaration — explicitly lists every external service the app can talk to. It can load scripts from released.so. It can load videos from YouTube and Loom. It cannot, by design, talk to anything else. Your security team can read this manifest in five minutes and know exactly what the app is capable of.

permissions:
  external:
    scripts:
      - address: "*.released.so"
    frames:
      - address: "*.youtube.com"
      - address: "*.loom.com"

 

Why this is exciting (at least to me)

Here's the thing that excites me about this project.

A customer asked for something. I built it in a day. It's secure by default. It runs on infrastructure someone else maintains. And it solves a real problem that thousands of other companies probably have.

This is what enterprise software development should look like.

The traditional model was: customer asks for something, you spin up a team, you build servers, you worry about uptime, you negotiate security reviews, you maintain it forever. Eighteen months later, maybe you have something.

The new model is: customer asks for something, you build it on a platform that handles the hard stuff, you deploy it, you move on with your life.

Atlassian is pushing this with their Rovo Dev initiative. The idea that AI-assisted development on the Forge platform can let smaller teams build enterprise-grade solutions faster than ever. And I have to say, having just lived through this project... they might be onto something.

The Invitation

If you're an enterprise struggling with similar problems. Sharing information across organizational boundaries without creating a security nightmare is solvable. 

If you're a developer looking at problems in the Atlassian ecosystem, Forge is worth your time. The platform is mature, the security model is sound, and the deployment story is "push a button and walk away." 

And if you're a customer who talked to us about sharing roadmaps in Confluence — thank you. Your question became this solution, and that solution will help a lot of other people with the same need.

That's how good software gets built. One reasonable request at a time.

---

Want more detail? 

It's always hard to know how much detail to provide, but if there is interest, I'm happy to get into some of the details and challenges (yes, I also ran into a couple of those)