host: experimental unguarded create-only POST /new — editor publishes live, 173/173
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 19s
host/blog-open-create-routes mounts POST /new with error-trapping but NO auth (create-only; no PUT/DELETE), so the SX editor can publish to the host end-to-end on the experimental subdomain.

VALIDATED LIVE: editor-style form-urlencoded POST -> 303 -> post renders at /<slug>/ and lists on /.

Deliberate short-lived public write hole (create-only, obscure subdomain). MUST be gated before real use: Caddy basicauth on /new, or session auth. Swap host/blog-open-create-routes -> host/blog-write-routes <resolver> to gate.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -319,6 +319,16 @@ symbols (`deps-check`, candidate pre-commit gate) → fail-loud runner (done)
|
||||
behavioural tests. A `deps-check`-style "binding shadows a special form" lint
|
||||
would catch the reserved-name class before runtime — a worthwhile follow-up.
|
||||
|
||||
## ⚠ Experimental: unguarded create live on blog.rose-ash.com
|
||||
|
||||
`host/blog-open-create-routes` mounts **`POST /new` with NO auth** (create-only,
|
||||
error-trapped) so the SX editor can publish end-to-end. **Validated live**: an
|
||||
editor-style form POST → 303 → the post renders at `/<slug>/` and lists on `/`.
|
||||
This is a deliberate, short-lived public write hole (create-only — no PUT/DELETE
|
||||
exposed; obscure subdomain). **MUST be gated before real use** — Caddy basicauth
|
||||
on `/new` (the `/root/caddy/auth` dir exists) or session auth once identity lands.
|
||||
Swap `host/blog-open-create-routes` → `host/blog-write-routes <resolver>` to gate.
|
||||
|
||||
## Blockers
|
||||
|
||||
- **Live wiring to the native OCaml HTTP server** (Phase 3/4): the prod server in
|
||||
|
||||
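Review bot: The new "Experimental: unguarded create" section calls the hole "short-lived" and says it "MUST be gated before real use", but it gives no removal date, owner or tracking item, so nothing in the doc forces the swap to `host/blog-write-routes <resolver>`. Add a concrete expiry or a linked task next to that sentence, and say which of the two gates (Caddy basicauth on `/new`, or session auth) is the planned one. The only mitigations named are "create-only" and "obscure subdomain", yet the heading itself names blog.rose-ash.com, so the obscurity does not hold for anyone who can read this file. The section should also state what bounds an unauthenticated create (request size, rate, a slug that collides with an existing post), since "error-trapped" alone does not say. Because a successful POST "renders at `/<slug>/` and lists on `/`" and no DELETE is exposed, the doc should note how an unwanted post gets removed while the route is open.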