Production repository for the NUJ London Central Branch website (nuj-lcb.org.uk).
This repo contains the full website: WordPress theme (Sinople), page content, deployment guides, security documentation, and the experimental container infrastructure (Vörðr, Cerro Torre, Svalinn) being dogfooded alongside it.
```bash
cp .env.example .env                        # Edit with real credentials
podman-compose -f docker-compose.yml up -d  # OpenLiteSpeed + MariaDB + Varnish
```

See DEPLOYMENT.md for local Podman setup, VERPEX-DEPLOYMENT.md for cPanel hosting, or WORDPRESS-DEPLOYMENT-PLAN.md for full VPS deployment.
| Deployment path | Stack / command |
|---|---|
| Production (now) | Verpex cPanel + LiteSpeed Enterprise + PHP 8.4 + Cloudflare DNS |
| Container (future) | `podman build -f Containerfile` → `cerro-torre sign` → `selur-compose up` |
| Dev (local) | `podman-compose -f docker-compose.yml up -d` (MariaDB + OpenLiteSpeed + Varnish) |
Key files:

- `Containerfile` — Multi-stage Chainguard wolfi-base build
- `selur-compose.yml` — Stapeln orchestration (svalinn + vordr + redis + mariadb)
- `infra/wordpress.ctp` — Cerro Torre manifest (Ed25519 + Dilithium5 sigs)
- `templates/` — wp-config security, .htaccess well-known, security headers
- `TOPOLOGY.md` — Architecture diagram + completion dashboard
All website pages live in `content/`:

- `content/pages/` — About, Contact, Join, Members Area, LinkedIn Feed
- `content/policies/` — AI Usage Policy, Imprint/Impressum
- `content/mockups/` — HTML mockups (homepage, officers page)
- `content/nuj-lcb-shareable-site.html` — Self-contained offline demo (1072 lines)
Use `scripts/ipfs-publish.sh` (or just `ipfs-publish`) to publish `content/nuj-lcb-shareable-site.html` to Pinata and automatically update the Cloudflare DNSLink state for `ipfs.nuj-lcb.org.uk`.

This repo now supports both publish modes:

- DNS-only fallback: update `_dnslink.ipfs.nuj-lcb.org.uk` directly.
- Cloudflare Web3 gateway mode: update the Web3 hostname configuration so `https://ipfs.nuj-lcb.org.uk/` resolves directly.
The direct-host mode still depends on a Cloudflare Web3 gateway subscription and the Terraform-managed Web3 hostname being applied in the account.
Set these in `.env.local`:

- `CLOUDFLARE_API_TOKEN`
- `CLOUDFLARE_ZONE_ID`
- `PINATA_JWT` (or `PINATA_API_KEY` + `PINATA_API_SECRET`)
- `IPFS_HOST` (optional, defaults to `ipfs.nuj-lcb.org.uk`)
- `CLOUDFLARE_WEB3_GATEWAY=true` if `ipfs.nuj-lcb.org.uk` is managed as a Cloudflare Web3 hostname
- `CLOUDFLARE_WEB3_HOSTNAME_ID` or `CLOUDFLARE_WEB3_HOSTNAME_NAME` to identify the Cloudflare Web3 hostname to patch after each publish
For unattended publishing, the repo includes `.github/workflows/ipfs-publish.yml` (daily at 05:15 UTC + manual trigger). Configure repository secrets:

- `CLOUDFLARE_API_TOKEN`
- `CLOUDFLARE_ZONE_ID`
- `PINATA_JWT`
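As an added example (not the repo's own `scripts/ipfs-publish.sh`), here is the DNS-only fallback written out by hand: pin the file to Pinata, then create or replace the `_dnslink` TXT record through the Cloudflare API. It uses the variable names from `.env.local` above; the Pinata and Cloudflare endpoints are the public pinning and v4 APIs, and the CID sanity check is a hypothetical guard added here, not something the project ships.

```bash
#!/usr/bin/env bash
# Added example, not the repo's scripts/ipfs-publish.sh. Assumes the README's
# variables (PINATA_JWT, CLOUDFLARE_API_TOKEN, CLOUDFLARE_ZONE_ID, IPFS_HOST)
# are exported, e.g. `set -a; . ./.env.local; set +a`, and that curl is installed.
set -eu
IPFS_HOST="${IPFS_HOST:-ipfs.nuj-lcb.org.uk}"
CF_API="https://api.cloudflare.com/client/v4"

# DNSLink convention: TXT record at _dnslink.<host> with value dnslink=/ipfs/<cid>
dnslink_name()  { printf '_dnslink.%s' "$1"; }
dnslink_value() { printf 'dnslink=/ipfs/%s' "$1"; }

# Hypothetical sanity check (prefix + length only, no multibase decoding) so a
# failed upload or a stray error string never gets published into DNS.
is_cid() {
  case "$1" in
    Qm[1-9A-HJ-NP-Za-km-z]*) [ "${#1}" -eq 46 ] ;;   # CIDv0, base58
    b[a-z2-7]*)             [ "${#1}" -ge 50 ] ;;   # CIDv1, base32
    *) return 1 ;;
  esac
}

# Upload one file to Pinata and print only the resulting CID (IpfsHash).
pin_to_pinata() {
  local resp
  resp=$(curl -fsS -X POST "https://api.pinata.cloud/pinning/pinFileToIPFS" \
    -H "Authorization: Bearer ${PINATA_JWT}" -F "file=@$1") || return 1
  printf '%s' "$resp" | grep -o '"IpfsHash":"[^"]*"' | cut -d'"' -f4
}

# Id of the existing _dnslink TXT record, or empty if none exists yet.
cf_record_id() {
  curl -fsS -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
    "${CF_API}/zones/${CLOUDFLARE_ZONE_ID}/dns_records?type=TXT&name=$(dnslink_name "$IPFS_HOST")" \
    | grep -o '"id":"[^"]*"' | head -n1 | cut -d'"' -f4
}

# Create or replace the record so the DNS-only fallback resolves the new CID.
update_dnslink() {
  local cid="$1" id body method url
  is_cid "$cid" || { echo "refusing to publish non-CID value: $cid" >&2; return 1; }
  body=$(printf '{"type":"TXT","name":"%s","content":"%s","ttl":300}' \
    "$(dnslink_name "$IPFS_HOST")" "$(dnslink_value "$cid")")
  id=$(cf_record_id)
  if [ -n "$id" ]; then method=PUT; url="${CF_API}/zones/${CLOUDFLARE_ZONE_ID}/dns_records/${id}"
  else method=POST; url="${CF_API}/zones/${CLOUDFLARE_ZONE_ID}/dns_records"; fi
  curl -fsS -X "$method" -H "Authorization: Bearer ${CLOUDFLARE_API_TOKEN}" \
    -H "Content-Type: application/json" --data "$body" "$url" >/dev/null
}
# Usage: cid=$(pin_to_pinata content/nuj-lcb-shareable-site.html) && update_dnslink "$cid"
# then verify with: dig +short TXT "$(dnslink_name "$IPFS_HOST")"
```

The two network-calling functions are only invoked from the usage line, so the record is never touched unless the upload returned a value that passes `is_cid`.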
The verified-container stack for this repo relies on svalinn, cerro-torre, and vordr as the gateway, builder, and runtime, respectively. See Containerfile for the immediate plan and references we will dogfood while developing the site.
We use asdf to pin the runtimes that run behind this site, especially the Varnish cache and OpenLiteSpeed server. See ASDF.md for which plugins and commands are required so AI handovers and collaborators can stay in sync.
See docs/hardened-wordpress.adoc for the chosen Debian-based Hardened WordPress base, Sanctify/PHP-Aegis hardening workflow, and how Cerro Torre/Svalinn/Vörðr treat it as the verified container artifact.
We will leverage cadre-router for the client-side navigation and dashboard experience; refer to docs/cadre-router.adoc for the integration notes so the SPA can stay type-safe and aligned with the verified manifests.
Follow docs/consent-aware-http.adoc to see how the site enforces the consent-aware HTTP/AIBDP requirements. The canonical decision now lives at the WordPress origin in wp-content/mu-plugins/origin-governance-gateway.php, with Varnish/OpenLiteSpeed and Cloudflare acting as optional fast-fail layers around the same .well-known/aibdp.json policy.
When something goes wrong (manifest rejection, attestation error, consent failure), feed the incident into feedback-o-tron; see docs/feedback-o-tron.adoc for how we expose its MCP submit_feedback tool and include the audits in the Cerro Torre bundle so the issue is broadcast across every platform.
This repo is part of the gitbot-fleet quality automation suite; see docs/gitbot-fleet-support.adoc for the checklist each bot (rhodibot, echidnabot, oikos, glambot, seambot, finishing-bot) uses to validate this project.
This repo includes an origin-side capability gate in wp-content/mu-plugins/origin-governance-gateway.php plus an optional Cloudflare http-capability-gateway worker. Treat the origin gate as the source of truth; the Cloudflare worker is only a coarse /api/* prefilter when enable_capability_gate=true.
To coordinate automation (consent audits, feedback reporting, manifest rebuilds), we plug into hybrid-automation-router; the new docs/hybrid-automation-router.adoc tells you which auth-protected workflows we call and how they pipe events back into the container proofs.
The site’s inbound consent portal and provenance layer follow indieweb2-bastion; see docs/indieweb2-bastion.adoc for how the bastion’s consent-first GUI, Nickel/SurrealDB provenance, and GraphQL DNS policies seed the hardened WordPress stack and match the consent-aware HTTP specification.
Encrypted overlay networking uses zerotier-k8s-link; docs/zerotier-k8s-link.adoc explains how the ZeroTier DaemonSet joins the yacht/agents to the private mesh, how the overlay routes feed the capability gateway and automation router, and how health commands tie back into the feedback pipeline.
The hardened WordPress runtime runs the wp-sinople-theme; see docs/wp-sinople-theme.adoc for build steps (WASM/ReScript), WCAG/IndieWeb certifications, and how its semantic APIs tie into the cadre-router front-end, consent controls, and feedback pipelines.
well-known-ecosystem is the canonical source for .well-known/ responses (AIBDP, security.txt, ai.txt, etc.) that our hardened site publishes; docs/well-known-ecosystem-integration.adoc explains how we pull its validated files into the site’s .well-known/ directory before Cerro Torre packages the bundle.
vext powers our IRC alerting channel, feeding consent/capability events into feedback-o-tron and offering operators a Hybrid Automation Router hook for manual overrides; see docs/vext-irc-support.adoc for the workflow details and tie-ins with ZeroTier and capability logs.
The hardened stack will eventually run behind the Twingate SDP mesh; docs/twingate-k8s-integration.adoc records the plan to align the K8s manifests with twingate-helm-deploy so the ZeroTier overlay, capability gateway, and consent portal are all behind the SDP path.
The repo follows the rsr-template-repo/RSR_OUTLINE.adoc scheme so the directory layout, .well-known assets, justfile, and RSR_COMPLIANCE.adoc structure remain compliant with the Rhodium Standard Repository template; see docs/rsr-template-plan.adoc for how we keep in sync and where to run just validate-rsr.
Machine-readable metadata now lives under .machine_readable/6a2. These files (AGENTIC.a2ml, ECOSYSTEM.a2ml, META.a2ml, NEUROSYM.a2ml, PLAYBOOK.a2ml, STATE.a2ml) encode the AI agent config, ecosystem position, architectural practices, neurosymbolic hints, operational playbook, and project state so the next handover can load the repo context automatically.
See ROADMAP.adoc for the quarterly plan that covers manifest/automation/consent/overlay milestones.
This repository is licensed under PMPL-1.0-or-later (the Palimpsest-MPL License 1.0 or later). See LEGAL.txt for the full legal text from the Palimpsest Stewardship Council.
robot-repo-automaton orchestrates the automation policies and deployment gating for this repo; see docs/robot-repo-automaton.adoc to understand how its scripts hook into just validate, the ZeroTier stack, consent reports, and the feedback/automation workflows before the hardened WordPress bundle is released.