docs: add deploy helper, freshness badge, and built-in knowledge badge

2026-03-13 21:33:30 +01:00 · 2026-03-13 21:33:30 +01:00 · 52a737b163
commit 52a737b163
parent 2515a1cafa
10 changed files with 75 additions and 1 deletions
--- a/.agent/skills/nginx/SKILL.md
+++ b/.agent/skills/nginx/SKILL.md
@ -113,6 +113,11 @@ server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    location /docs/ {
        try_files $uri $uri/ /docs/index.html =404;
    }
@ -130,6 +135,13 @@ Use this site to explain:
 - local built-in knowledge in the `db` jail
 - upstream-aware relationship to NanoClaw

+Recommended baseline for all public vhosts:
+
+- `add_header X-Content-Type-Options "nosniff" always;`
+- `add_header X-Frame-Options "SAMEORIGIN" always;`
+- `add_header X-XSS-Protection "1; mode=block" always;`
+- `add_header Referrer-Policy "strict-origin-when-cross-origin" always;`
+
 ## Site structure: clawdie.local

 ```
--- a/.agent/skills/nginx/references/vhost-template.md
+++ b/.agent/skills/nginx/references/vhost-template.md
@ -40,6 +40,11 @@ server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    location / {
        try_files $uri $uri/ =404;
    }
@ -79,6 +84,11 @@ server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    location /docs/ {
        try_files $uri $uri/ /docs/index.html =404;
    }
--- a/README.md
+++ b/README.md
@ -20,10 +20,14 @@

 <p align="center">
  <a href="repo-tokens"><img src="repo-tokens/badge.svg" alt="38.4k tokens, 19% of context window" valign="middle"></a>
+  &nbsp;
+  <a href="https://docs.clawdie.si/docs/split-brain.html"><img src="https://img.shields.io/badge/built--in%20knowledge-preloaded-2ab7ca" alt="built-in knowledge preloaded" valign="middle"></a>
 </p>

 <p align="center">
  <!-- token-count -->38.4k tokens · 19% of context window<!-- /token-count -->
+  &nbsp; • &nbsp;
+  built-in knowledge · preloaded
 </p>

 ---
--- a/html/clawdie/docs/split-brain.html
+++ b/html/clawdie/docs/split-brain.html
@ -84,6 +84,11 @@
  -> import Brain A into db jail
  -> local built-in knowledge is ready
  -> add production LLM keys later</code></pre>
+
+        <p>
+            The bootstrap step that imports Brain A lives in
+            <a href="https://codeberg.org/Clawdie/Clawdie-AI/src/branch/main/setup/skills-memory.ts" target="_blank" rel="noopener"><code>setup/skills-memory.ts</code></a>.
+        </p>
    </section>

    <div class="divider"></div>
--- a/html/clawdie/guides/nginx-ssl.html
+++ b/html/clawdie/guides/nginx-ssl.html
@ -253,6 +253,11 @@ server {
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
    location /docs/ {
        try_files $uri $uri/ /docs/index.html =404;
    }
@ -269,6 +274,15 @@ server {
                before requesting the SSL certificate.
            </p>
        </div>
+
+        <div class="info-box">
+            <span class="info-label">Security headers</span>
+            <p>
+                Apply a small baseline to every public vhost: <code>X-Content-Type-Options</code>,
+                <code>X-Frame-Options</code>, <code>X-XSS-Protection</code>, and
+                <code>Referrer-Policy</code>. It is low-effort hardening worth standardising.
+            </p>
+        </div>
    </section>

    <div class="divider"></div>
--- a/html/clawdie/index.html
+++ b/html/clawdie/index.html
@ -559,6 +559,7 @@
        }

        .s-badge.version { border-color: rgba(0, 180, 216, 0.5); color: var(--amber); }
+        .s-badge.builtin { border-color: rgba(42, 183, 202, 0.35); color: #7bd7e2; }
        .s-badge.live    { border-color: rgba(74, 222, 128, 0.35); color: #4ade80; }
        .s-badge .dot    { width: 5px; height: 5px; border-radius: 50%; background: currentColor; flex-shrink: 0; }
        .s-badge.live .dot { animation: pulsedot 2.2s ease-in-out infinite; }
@ -689,6 +690,7 @@
            <span class="s-badge version">v0.4.0</span>
            <span class="s-badge">Node ≥24</span>
            <span class="s-badge">FreeBSD 15</span>
+            <span class="s-badge builtin">built-in knowledge</span>
            <span class="s-badge">MIT License</span>
            <span class="s-badge live" id="badge-updated"><span class="dot"></span>active</span>
        </div>
--- a/html/docs-clawdie-si/deploy.sh
+++ b/html/docs-clawdie-si/deploy.sh
@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+sudo mkdir -p /usr/local/www/docs.clawdie.si
+sudo cp -R index.html css docs /usr/local/www/docs.clawdie.si/
+sudo cp nginx/docs.clawdie.si.conf /usr/local/etc/nginx/vhosts/
+sudo nginx -t
+sudo service nginx reload
+echo "✓ docs.clawdie.si deployed"
--- a/html/docs-clawdie-si/docs/index.html
+++ b/html/docs-clawdie-si/docs/index.html
@ -106,13 +106,25 @@ db jail import during bootstrap</code></pre>
    <footer>
        <div class="footer-left">
            <a href="/">Clawdie AI</a> · Docs<br>
-            Local knowledge · FreeBSD · Upstream-aware
+            Local knowledge · FreeBSD · Upstream-aware<br>
+            <span class="last-updated">Docs last updated: <span id="docs-timestamp">loading...</span></span>
        </div>
        <div class="footer-hex">△</div>
    </footer>
 </div>

 <script>
+fetch('https://codeberg.org/api/v1/repos/Clawdie/Clawdie-AI/commits?limit=1')
+    .then((response) => response.json())
+    .then((data) => {
+        if (!Array.isArray(data) || !data.length) return;
+        const stamp = new Date(data[0].created);
+        document.getElementById('docs-timestamp').textContent = stamp.toLocaleDateString('en-GB');
+    })
+    .catch(() => {
+        document.getElementById('docs-timestamp').textContent = 'unavailable';
+    });
+
 const sections = document.querySelectorAll('section');
 const observer = new IntersectionObserver((entries) => {
    entries.forEach((entry, i) => {
--- a/html/docs-clawdie-si/docs/split-brain.html
+++ b/html/docs-clawdie-si/docs/split-brain.html
@ -110,6 +110,11 @@ import Brain A into db jail
 local built-in knowledge is ready
        ↓
 add production LLM keys later</code></pre>
+
+        <p>
+            The bootstrap step that imports Brain A lives in
+            <a href="https://codeberg.org/Clawdie/Clawdie-AI/src/branch/main/setup/skills-memory.ts" target="_blank" rel="noopener"><code>setup/skills-memory.ts</code></a>.
+        </p>
    </section>

    <div class="divider"></div>
--- a/html/docs-clawdie-si/nginx/docs.clawdie.si.conf
+++ b/html/docs-clawdie-si/nginx/docs.clawdie.si.conf
@ -20,6 +20,7 @@ server {

    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
+    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy strict-origin-when-cross-origin always;

    location = / {