- Migrate Gitea data from bnkopschangemaker to changemaker.lite v2
- Configure Pangolin/Newt tunnel with 17 resources (replaces Cloudflare)
- Add archive.bnkops.com with 9 preserved documentation sites
- Move bnkops landing page into MkDocs build system (lander.html)
- Serve root domain from mkdocs/site/ built output
- Add nginx routing for archive.bnkops.com and gitea.bnkops.com
- Strip V2 technical docs from nav (to be deployed separately on cmlite.org)
- Update all landing page links: changemaker → cmlite.org, repo → archive.bnkops.com
- Add archive insert system (JS/CSS injection for contextual callouts)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Vaultwarden sends a restrictive Content-Security-Policy with frame-ancestors
that blocks iframe embedding. The embed proxy (port 8890) already stripped
this header, but the subdomain server block did not.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
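The commit above makes an upstream service embeddable by stripping its Content-Security-Policy at the proxy. The safer variant of that change is to drop only the frame-ancestors directive and re-issue it with an explicit allow-list, keeping the rest of the upstream policy (script-src, object-src, ...) intact. The following is an added illustration, not Vaultwarden's, nginx's or this repository's own code; the function names (parseCsp, frameAncestorsFor, rewriteFrameAncestors), the sample upstream header and the example.org domain are constructed for the example.

```javascript
// Added example: rewrite only the frame-ancestors directive of an upstream
// CSP header instead of discarding the whole policy. Names and sample
// values below are constructed; they are not the project's own code.

// Split a CSP header value into its directives, preserving order.
function parseCsp(value) {
  return (value || "")
    .split(";")
    .map((d) => d.trim())
    .filter((d) => d.length > 0);
}

// Source list for frame-ancestors per environment, mirroring the later
// commit's policy: production = self + the configured domain, dev =
// localhost origins only. A wildcard '*' is never produced.
function frameAncestorsFor(env, domain) {
  if (env === "production") {
    return `'self' https://${domain}`;
  }
  return "'self' http://localhost:* https://localhost:*";
}

// Replace (or add) the frame-ancestors directive in an upstream CSP value
// and return the rewritten header value.
function rewriteFrameAncestors(cspValue, sources) {
  const kept = parseCsp(cspValue).filter(
    (d) => !d.toLowerCase().startsWith("frame-ancestors")
  );
  kept.push(`frame-ancestors ${sources}`);
  return kept.join("; ");
}

// Constructed sample: a restrictive policy of the kind a password manager
// sends, which blocks every embedder via frame-ancestors 'none'.
const UPSTREAM_CSP =
  "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; " +
  "object-src 'none'; frame-ancestors 'none'";

// Stand-alone run: print the production and dev rewrites.
console.log(rewriteFrameAncestors(UPSTREAM_CSP, frameAncestorsFor("production", "example.org")));
console.log(rewriteFrameAncestors(UPSTREAM_CSP, frameAncestorsFor("dev", "example.org")));
```

In an nginx deployment the equivalent is to hide the upstream header with proxy_hide_header and add the rewritten value with add_header; the point of the example is that only the framing directive changes, so the upstream's script and object restrictions still apply to the embedded page.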
The /api/ location blocks in both default.conf and services.conf templates
were missing Upgrade/Connection headers, preventing the Hocuspocus WebSocket
connection from establishing through nginx.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Resolve Pangolin site slug to numeric ID in sync route (fixes target creation 400 errors)
- Disable SSO on newly created Pangolin resources for public access
- Fix nginx media API proxy: use rewrite + set ordering for proper URI rewriting
- Upgrade script: clear skip-worktree flags, fix Docker-owned dir permissions, stash untracked files
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Replace postMessage wildcard ('*') with explicit parent origin passed
via ?origin= parameter to prevent auth state disclosure to arbitrary
embedders
- Tighten frame-ancestors CSP: production restricts to self + DOMAIN,
dev restricts to localhost origins (was frame-ancestors *)
- Remove deprecated X-Frame-Options ALLOW-FROM header (CSP
frame-ancestors is the modern replacement)
- Validate targetOrigin with URL constructor before use
Bunker Admin
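The postMessage change in the commit above is the kind of fix that is easy to get subtly wrong, so here is an added, runnable illustration of it (not the project's own embed code): the embedded page reads the parent origin from an explicit ?origin= parameter, validates it with the URL constructor, and refuses to send auth state at all rather than falling back to the wildcard '*'. The optional allow-list argument, the receiver-side check and all names (parseTargetOrigin, FakeParentWindow, postAuthState, acceptAuthMessage) and sample origins are constructed assumptions that go slightly beyond what the commit describes.

```javascript
// Added example: validate an embedder-supplied origin before using it as
// postMessage's targetOrigin. Not the project's own code; names and sample
// values are constructed for illustration.

// Read ?origin= from the iframe's query string and validate it.
// Returns a normalized origin (scheme://host[:port]) or null when the value
// is missing, unparseable, not http(s), carries a path/query/credentials,
// or (optionally) is not on an allow-list of known embedders.
function parseTargetOrigin(search, allowedOrigins = null) {
  const raw = new URLSearchParams(search).get("origin");
  if (!raw) return null;
  let url;
  try {
    url = new URL(raw); // throws on relative or garbage values such as '*'
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.username || url.password) return null;
  // Only a bare origin is acceptable; anything with a path, query or
  // fragment was not meant to name an embedder.
  if (url.pathname !== "/" || url.search || url.hash) return null;
  if (allowedOrigins && !allowedOrigins.includes(url.origin)) return null;
  return url.origin; // normalized: default ports dropped, host lower-cased
}

// Minimal stand-in for window.parent so the example runs outside a browser.
class FakeParentWindow {
  constructor() {
    this.received = [];
  }
  postMessage(message, targetOrigin) {
    this.received.push({ message, targetOrigin });
  }
}

// Embedded page side: send auth state only to a validated origin.
// Returns true when sent, false when suppressed. The wildcard is never used,
// so an unknown embedder learns nothing about the user's session.
function postAuthState(parentWindow, state, targetOrigin) {
  if (!targetOrigin) return false;
  parentWindow.postMessage({ type: "auth-state", ...state }, targetOrigin);
  return true;
}

// Embedder side: the parent must likewise check event.origin against the
// one iframe origin it expects before trusting the message.
function acceptAuthMessage(event, expectedChildOrigin) {
  if (event.origin !== expectedChildOrigin) return null;
  if (!event.data || event.data.type !== "auth-state") return null;
  return event.data;
}

// Stand-alone run with constructed inputs.
const parent = new FakeParentWindow();
const okOrigin = parseTargetOrigin("?origin=https://app.example.org");
console.log("valid origin:", okOrigin, "sent:", postAuthState(parent, { loggedIn: true }, okOrigin));
const badOrigin = parseTargetOrigin("?origin=*");
console.log("wildcard origin:", badOrigin, "sent:", postAuthState(parent, { loggedIn: true }, badOrigin));
```

The validation is deliberately stricter than "does new URL() throw": a value that parses but has a non-http(s) scheme, embedded credentials or a path is rejected too, and the return value is url.origin rather than the raw string, so the comparison the browser performs on targetOrigin sees a canonical form.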
Remove V1 legacy configs (admin.conf, public.conf) and orphaned backup that
were never used by the container. Stop tracking generated .conf files (built
from *.template by envsubst at startup). Backport improvements to templates:
variable proxy_pass for media-api (fixes startup crash when container is down),
extended bot detection list, and mkdocs-proxy location for volunteer map docs.
Bunker Admin
Users could not submit scheduling poll votes when an invalid or partial
email was entered — Zod rejected empty strings and non-email text with a
generic validation error. Added client-side email validation in both
SchedulingPollPage and SchedulingPollWidget, plus z.preprocess() on the
backend to coerce empty strings to undefined. Also added pridecorner.ca
to all nginx server blocks and added generate_nginx_configs() to
config.sh so template-based configs are generated during setup.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>