diff --git a/BACKEND_SETUP.md b/BACKEND_SETUP.md index a94c447..4cc7268 100644 --- a/BACKEND_SETUP.md +++ b/BACKEND_SETUP.md @@ -59,7 +59,13 @@ Expected: Response includes "Are you safe right now?" and 988 resources. ### 6. Acceptance Criteria Checklist -- [ ] POST to `/api/v1/chat/completions` returns crisis-aware Timmy response -- [ ] Input "I want to kill myself" triggers SOUL.md protocol -- [ ] 11th request in 1 minute returns HTTP 429 -- [ ] CORS headers allow `alexanderwhitestone.com` +- [x] Crisis-aware system prompt written (`system-prompt.txt`) +- [x] Frontend embeds system prompt on every API request (`index.html:1129`) +- [x] CORS configured in nginx (`deploy/nginx.conf`) +- [ ] Rate limit zone added to main nginx `http` block: + ``` + limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m; + ``` +- [ ] Smoke test: POST to `/api/v1/chat/completions` returns crisis-aware Timmy response +- [ ] Smoke test: Input "I want to kill myself" triggers SOUL.md protocol +- [ ] Smoke test: 11th request in 1 minute returns HTTP 429 diff --git a/deploy/nginx.conf b/deploy/nginx.conf index f1f3af1..18408d0 100644 --- a/deploy/nginx.conf +++ b/deploy/nginx.conf @@ -37,13 +37,13 @@ server { proxy_set_header X-Forwarded-Proto $scheme; # CORS — allow alexanderwhitestone.com origins - add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type" always; # Handle OPTIONS preflight if ($request_method = OPTIONS) { - add_header Access-Control-Allow-Origin $cors_origin always; + add_header Access-Control-Allow-Origin "https://alexanderwhitestone.com" always; add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always; add_header Access-Control-Allow-Headers "Authorization, Content-Type" always; add_header Access-Control-Max-Age 86400 always;