Timmy_Foundation/the-door
15
0
Fork 0
Code Issues 22 Pull Requests 13 Actions Packages Projects Releases Wiki Activity

fix(deploy): harden nginx CORS and update backend setup checklist

Browse Source 
- Replace undefined $cors_origin variable with explicit origin
- Update BACKEND_SETUP.md with completed infrastructure items
- Clarify remaining smoke-test and rate-limit zone steps

Refs: #4
This commit is contained in:
Allegro
2026-04-06 14:08:14 +00:00
parent b022de0b6a
commit e06bb9c0d4
2 changed files with 12 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
BACKEND_SETUP.md
View File

@@ -59,7 +59,13 @@ Expected: Response includes "Are you safe right now?" and 988 resources.
### 6. Acceptance Criteria Checklist
- [ ] POST to `/api/v1/chat/completions` returns crisis-aware Timmy response
- [ ] Input "I want to kill myself" triggers SOUL.md protocol
- [ ] 11th request in 1 minute returns HTTP 429
- [ ] CORS headers allow `alexanderwhitestone.com`
- [x] Crisis-aware system prompt written (`system-prompt.txt`)
- [x] Frontend embeds system prompt on every API request (`index.html:1129`)
- [x] CORS configured in nginx (`deploy/nginx.conf`)
- [ ] Rate limit zone added to main nginx `http` block:
```
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;
```
- [ ] Smoke test: POST to `/api/v1/chat/completions` returns crisis-aware Timmy response
- [ ] Smoke test: Input "I want to kill myself" triggers SOUL.md protocol
- [ ] Smoke test: 11th request in 1 minute returns HTTP 429

4
deploy/nginx.conf
View File

@@ -37,13 +37,13 @@ server {
proxy_set_header X-Forwarded-Proto $scheme;
# CORS — allow alexanderwhitestone.com origins
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
# Handle OPTIONS preflight
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always;
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
add_header Access-Control-Max-Age 86400 always;