diff --git a/.agent/skills/nginx/SKILL.md b/.agent/skills/nginx/SKILL.md index b8c2448..4841d34 100644 --- a/.agent/skills/nginx/SKILL.md +++ b/.agent/skills/nginx/SKILL.md @@ -113,6 +113,11 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + location /docs/ { try_files $uri $uri/ /docs/index.html =404; } @@ -130,6 +135,13 @@ Use this site to explain: - local built-in knowledge in the `db` jail - upstream-aware relationship to NanoClaw +Recommended baseline for all public vhosts: + +- `add_header X-Content-Type-Options "nosniff" always;` +- `add_header X-Frame-Options "SAMEORIGIN" always;` +- `add_header X-XSS-Protection "1; mode=block" always;` +- `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` + ## Site structure: clawdie.local ``` diff --git a/.agent/skills/nginx/references/vhost-template.md b/.agent/skills/nginx/references/vhost-template.md index f62b935..9327534 100644 --- a/.agent/skills/nginx/references/vhost-template.md +++ b/.agent/skills/nginx/references/vhost-template.md @@ -40,6 +40,11 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + location / { try_files $uri $uri/ =404; } 
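Review bot: `add_header X-XSS-Protection "1; mode=block" always;` in the added baseline is a legacy header: current browsers no longer ship the XSS filter it controlled, and OWASP's secure-headers guidance is to send `X-XSS-Protection "0"` or drop the line and rely on a Content-Security-Policy. The same four lines are repeated in the second SKILL.md hunk, both vhost-template.md hunks and html/clawdie/guides/nginx-ssl.html, so the change applies to each copy. Because these are server-level directives, the docs should also state that nginx inherits `add_header` only into blocks that declare none of their own, so a `location` that later adds any header must repeat the baseline. For a vhost that is only ever served over TLS, a `Strict-Transport-Security` header would be a more valuable addition to the baseline than the XSS line.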
@@ -79,6 +84,11 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + location /docs/ { try_files $uri $uri/ /docs/index.html =404; } diff --git a/README.md b/README.md index e18d2b1..d393a68 100644 --- a/README.md +++ b/README.md @@ -20,10 +20,14 @@

38.4k tokens, 19% of context window +   + built-in knowledge preloaded

38.4k tokens · 19% of context window +   •   + built-in knowledge · preloaded

--- diff --git a/html/clawdie/docs/split-brain.html b/html/clawdie/docs/split-brain.html index 7d0a038..77b5a2d 100644 --- a/html/clawdie/docs/split-brain.html +++ b/html/clawdie/docs/split-brain.html @@ -84,6 +84,11 @@ -> import Brain A into db jail -> local built-in knowledge is ready -> add production LLM keys later + +

+ The bootstrap step that imports Brain A lives in + setup/skills-memory.ts. +

diff --git a/html/clawdie/guides/nginx-ssl.html b/html/clawdie/guides/nginx-ssl.html index d71725b..bad78ed 100644 --- a/html/clawdie/guides/nginx-ssl.html +++ b/html/clawdie/guides/nginx-ssl.html @@ -253,6 +253,11 @@ server { ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers HIGH:!aNULL:!MD5; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-XSS-Protection "1; mode=block" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + location /docs/ { try_files $uri $uri/ /docs/index.html =404; } @@ -269,6 +274,15 @@ server { before requesting the SSL certificate.

+ +
+ Security headers +

+ Apply a small baseline to every public vhost: X-Content-Type-Options, + X-Frame-Options, X-XSS-Protection, and + Referrer-Policy. It is low-effort hardening worth standardising. +

+
diff --git a/html/clawdie/index.html b/html/clawdie/index.html index 7b66b24..8a0054e 100644 --- a/html/clawdie/index.html +++ b/html/clawdie/index.html @@ -559,6 +559,7 @@ } .s-badge.version { border-color: rgba(0, 180, 216, 0.5); color: var(--amber); } + .s-badge.builtin { border-color: rgba(42, 183, 202, 0.35); color: #7bd7e2; } .s-badge.live { border-color: rgba(74, 222, 128, 0.35); color: #4ade80; } .s-badge .dot { width: 5px; height: 5px; border-radius: 50%; background: currentColor; flex-shrink: 0; } .s-badge.live .dot { animation: pulsedot 2.2s ease-in-out infinite; } @@ -689,6 +690,7 @@ v0.4.0 Node ≥24 FreeBSD 15 + built-in knowledge MIT License active diff --git a/html/docs-clawdie-si/deploy.sh b/html/docs-clawdie-si/deploy.sh new file mode 100755 index 0000000..9bf68ae --- /dev/null +++ b/html/docs-clawdie-si/deploy.sh @@ -0,0 +1,9 @@ +#!/bin/sh +set -eu + +sudo mkdir -p /usr/local/www/docs.clawdie.si +sudo cp -R index.html css docs /usr/local/www/docs.clawdie.si/ +sudo cp nginx/docs.clawdie.si.conf /usr/local/etc/nginx/vhosts/ +sudo nginx -t +sudo service nginx reload +echo "✓ docs.clawdie.si deployed" diff --git a/html/docs-clawdie-si/docs/index.html b/html/docs-clawdie-si/docs/index.html index ff7d55f..2498c76 100644 --- a/html/docs-clawdie-si/docs/index.html +++ b/html/docs-clawdie-si/docs/index.html @@ -106,13 +106,25 @@ db jail import during bootstrap
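Review bot: In html/docs-clawdie-si/deploy.sh the new vhost file is copied into /usr/local/etc/nginx/vhosts/ before `sudo nginx -t` runs, so when the test fails `set -e` stops the script with the rejected config still installed, and the next reload or restart of nginx fails on it. Keeping a copy of the previous file and restoring it when the test fails avoids that, as in the excerpt below. The `cp` sources are relative paths run under sudo, so a `cd "$(dirname "$0")"` right after `set -eu` would keep the script from copying whatever `index.html`, `css` and `docs` happen to exist in the caller's working directory.

```shell
# … unchanged: shebang, set -eu, mkdir and cp of the site files …
conf=/usr/local/etc/nginx/vhosts/docs.clawdie.si.conf
backup=$(mktemp)
had_conf=0
if [ -f "$conf" ]; then
    sudo cp "$conf" "$backup"
    had_conf=1
fi
sudo cp nginx/docs.clawdie.si.conf "$conf"
if ! sudo nginx -t; then
    # Roll back so a rejected config is not left in place for a later reload.
    if [ "$had_conf" -eq 1 ]; then
        sudo cp "$backup" "$conf"
    else
        sudo rm -f "$conf"
    fi
    rm -f "$backup"
    exit 1
fi
rm -f "$backup"
sudo service nginx reload
# … unchanged: success echo …
```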