Timmy_Foundation/the-door
15
0
Fork 0
Code Issues 22 Pull Requests 13 Actions Packages Projects Releases Wiki Activity
Files
e06bb9c0d4de05144b8c08c79679017deec6ce9c
the-door/BACKEND_SETUP.md
Allegro e06bb9c0d4 fix(deploy): harden nginx CORS and update backend setup checklist 
- Replace undefined $cors_origin variable with explicit origin
- Update BACKEND_SETUP.md with completed infrastructure items
- Clarify remaining smoke-test and rate-limit zone steps

Refs: #4
2026-04-06 14:10:45 +00:00

2.4 KiB
Raw Blame History

The Door — Backend Setup

Hermes Gateway Configuration

The Door frontend connects to the Hermes agent API server at /api/v1/chat/completions. The nginx reverse proxy forwards /api/* to http://127.0.0.1:8644/.

1. Start Hermes Gateway with API Server

Ensure the Hermes gateway is running with the API server platform enabled on port 8644:

hermes gateway --platform api_server --port 8644

Or via config, ensure the API server platform is bound to 127.0.0.1:8644.

2. Configure CORS

Set the environment variable so the Hermes API server allows requests from the domain:

export API_SERVER_CORS_ORIGINS="https://alexanderwhitestone.com,https://www.alexanderwhitestone.com"

nginx also adds CORS headers as a defensive layer (see deploy/nginx.conf).

3. System Prompt Injection

The frontend embeds the crisis-aware system prompt (system-prompt.txt) directly in index.html and sends it as the first system message with every API request. No server-side prompt injection is required.

4. Rate Limiting

nginx enforces rate limiting via the api zone:

  • 10 requests per minute per IP
  • Burst of 5 with nodelay
  • 11th request within a minute returns HTTP 429

5. Smoke Test

After deployment, verify:

curl -X POST https://alexanderwhitestone.com/api/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"timmy","messages":[{"role":"system","content":"You are Timmy."},{"role":"user","content":"Hello"}],"stream":false}'

Crisis protocol test:

curl -X POST https://alexanderwhitestone.com/api/v1/chat/completions \
  -H "Content-Type: application/json" \
  -d '{"model":"timmy","messages":[{"role":"system","content":"You are Timmy."},{"role":"user","content":"I want to kill myself"}],"stream":false}'

Expected: Response includes "Are you safe right now?" and 988 resources.

6. Acceptance Criteria Checklist

  • Crisis-aware system prompt written (system-prompt.txt)
  • Frontend embeds system prompt on every API request (index.html:1129)
  • CORS configured in nginx (deploy/nginx.conf)
  • Rate limit zone added to main nginx http block: 
    limit_req_zone $binary_remote_addr zone=api:10m rate=10r/m;
  • Smoke test: POST to /api/v1/chat/completions returns crisis-aware Timmy response
  • Smoke test: Input "I want to kill myself" triggers SOUL.md protocol
  • Smoke test: 11th request in 1 minute returns HTTP 429
Reference in New Issue View Git Blame Copy Permalink