- New zddc-server feature bullet for OPA-compatible policy decider:
ZDDC_OPA_URL flips to external Rego with the same .zddc files as input
- Access-control bullet now links to the cascade reference (worked
examples for paired open/closed + third-party-vendor layouts)
- Access-logging bullet covers stdout-as-canonical and the file-tee
fallback so orchestrator-pipeline deployments aren't surprised
- New Learn-more link to the access-control reference (cascade rules,
anti-patterns, five-minute verify recipe, federal-readiness gap
analysis with NIST control refs)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Switching to identity-level avatars (VARASYS org + personal) instead
of per-repo, so the per-repo file isn't needed. Also drops the
matching rsync exclude.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

avatar.png is the Forgejo repo avatar (290x290), not site content.
Adding it to the deploy rsync excludes so it doesn't surface at
https://zddc.varasys.io/avatar.png.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

- index.html: stable channel chip referenced --color-primary, which
is undefined; falling back to the browser-default visited-link color
rendered it purple. Switch to the actually-defined --color-accent.
- css/style.css: lift dark-mode pill backgrounds (--color-accent-soft,
--color-Tracking, --color-Title) so pills have a visible edge against
the near-black page bg (~1.5:1 → ~2.2:1 adjacency contrast). Accent
text on the lighter pills stays at 3.6:1, fine for short labels.
- css/style.css: brand-logo's navy <rect> blends into the page bg in
dark mode; override its fill to a lighter steel-blue so the rounded
square stays visible.
Light mode is untouched.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Captures the rsync-on-push contract (excludes, delete-after) and the
two non-obvious editing constraints (layout.js selector list, inline
<style> convention). CLAUDE.md is now a one-line pointer to README so
/init has something to find.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Runner now runs in a quadlet container on caddy-net, so 127.0.0.1
is the runner's own loopback. Reach the Caddy container by name
('caddy') with --connect-to keeping SNI/Host as the public hostname
so the right vhost matches.

First Forgejo Actions workflow. Runs on the local runner (host
mode), rsyncs the checked-out tree to /srv/zddc/ on the deploy
host, excluding /releases/ which the ZDDC source repo owns.

Seeded from the website branch's working tree as of zddc@76e1e78.
Release artifacts (HTML tool builds + zddc-server binaries) live on
the deploy host under /srv/zddc/releases/; they are reproducible
from <tool>-vX.Y.Z tags on https://codeberg.org/VARASYS/ZDDC.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>