chore: add security.txt + robots.txt; document DMARC/AI Labyrinth remediation#189

Merged: gocanto merged 3 commits into main from chore/security-insights-securitytxt-robots on Jun 5, 2026

Conversation

@gocanto gocanto commented Jun 5, 2026

Why

Cloudflare Security Insights flagged three Low-severity findings for oullin.io
(Cloudflare_Ollin_SecurityInsights_20260604_1635.csv):

  1. Security.txt not configured
  2. DMARC Record Error detected (×5 duplicates)
  3. Review unwanted AI crawlers with AI Labyrinth

Only #1 is a true code change here. This site is not on Cloudflare Pages — it's a Vue/Vite SPA served by Caddy in Docker, behind the Cloudflare proxy. #2 is a DNS record and #3 is a dashboard toggle, so those are documented rather than coded.

What changed (repo)

  • public/.well-known/security.txt (RFC 9116). Contact: gustavoocanto@gmail.com, Expires: 2027-06-05.
  • Caddy route: new handle /.well-known/* block in WebCaddyfile.internal (prod) and WebCaddyfile.local (dev) so the file is served as static text/plain, never SPA-fallback'd to index.html. robots.txt needed no Caddy change — existing @robots rules + try_files {path} already cover it.
  • public/robots.txt (Disallow: /seo) to complement AI Labyrinth.
  • tests/caddy/web-caddyfile.test.ts: assert the new /.well-known static route.
  • docs/cloudflare-security-insights.md: runbook for the manual DNS/dashboard items (exact DMARC TXT record + AI Labyrinth toggle).

API repo

Checked ~/Sites/oullin/api: no changes needed. Its Caddyfile.prod is the public TLS edge and proxies all non-/api paths to web:80, so the web container serves /.well-known/security.txt and /robots.txt. The API also sends no email, so DMARC doesn't apply there.

Manual follow-ups (not in this PR — see the runbook doc)

  • DMARC: add TXT _dmarc = v=DMARC1; p=none; rua=mailto:gustavoocanto@gmail.com; fo=1 in Cloudflare DNS, then tighten to quarantine/reject after monitoring.
  • AI Labyrinth: enable in Cloudflare → Security → Bots.

Verification

  • npm run build → dist/.well-known/security.txt and dist/robots.txt present. ✅
  • vite preview → both return 200 Content-Type: text/plain with correct bodies. ✅
  • vitest run tests/caddy/web-caddyfile.test.ts → 8/8 pass (incl. new assertion). ✅

Summary by CodeRabbit

  • New Features

    • Serve /.well-known paths as static assets (excluded from SPA routing), with caching and compression applied.
    • Added security.txt and robots.txt for vulnerability contact and crawl rules.
  • Documentation

    • Added a Cloudflare Security Insights remediation runbook with step-by-step verification.
  • Tests

    • Added a test to verify /.well-known is served as static files and not handled by SPA routing.

…teps

Addresses Cloudflare Security Insights findings for oullin.io:

- Security.txt not configured -> add public/.well-known/security.txt (RFC 9116)
  served by Caddy via a new `handle /.well-known/*` block in both
  WebCaddyfile.internal and WebCaddyfile.local (static, no SPA fallback).
- Add public/robots.txt (Disallow: /seo) to complement Cloudflare AI Labyrinth.
- Add tests/caddy coverage for the new /.well-known route.
- docs/cloudflare-security-insights.md: runbook for the DNS/dashboard items
  (DMARC TXT record, AI Labyrinth toggle) that cannot be fixed in code.

The API repo needs no changes: its Caddyfile.prod is the public edge and
proxies all non-/api paths to web:80, so the web container serves these files.
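The routing change the PR describes, shown here as an added illustration and not as the repository's own WebCaddyfile.internal (which is not reproduced on this page): a dedicated `handle /.well-known/*` block placed ahead of the SPA fallback. The site root (/usr/share/caddy), the zstd/gzip encoding and the 24h Cache-Control value are taken from the review walkthrough below; the `:80` listen address and the exact shape of the SPA block are assumptions.

```caddyfile
:80 {
	root * /usr/share/caddy
	encode zstd gzip

	# RFC 9116 / crawler metadata: plain files only. There is deliberately
	# no try_files fallback here, so a missing security.txt returns 404
	# instead of a 200 carrying index.html, which a scanner would otherwise
	# read as a present-but-malformed security.txt.
	handle /.well-known/* {
		header Cache-Control "public, max-age=86400"
		file_server
	}

	# Everything else is the Vue SPA: serve the file if it exists,
	# otherwise hand the route to index.html for client-side routing.
	handle {
		try_files {path} /index.html
		file_server
	}
}
```

Caddy's file_server sets Content-Type from the file extension, so `.txt` comes out as text/plain without an explicit header. Two checks worth running after deploy: `curl -sI` against /.well-known/security.txt should show 200 and text/plain, and a made-up name under /.well-known/ should now be a 404 rather than the SPA shell; since the site sits behind the Cloudflare proxy, purge the cache for those paths before rescanning if an earlier 200/HTML response was cached.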
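Two checks a practitioner would want to automate alongside this change, written as an added example and not as code from the oullin/web repository: a validator for the security.txt body (RFC 9116) and one for the `_dmarc` TXT record set that the runbook tells the operator to create (the duplicate-record case is what Cloudflare reports as "DMARC Record Error"). Every sample input is constructed; the function names and the one-year Expires threshold are this example's choices, not the project's.

```typescript
// Added example, not code from the oullin/web repository. Validators for
// a security.txt body (RFC 9116) and for the TXT record set at
// _dmarc.<domain> (RFC 7489). All inputs are constructed for illustration.

export interface CheckResult {
  ok: boolean;
  problems: string[];
}

// Parse "Field: value" lines into a case-insensitive multimap; comment and
// blank lines are skipped, as RFC 9116 allows.
export function parseSecurityTxt(body: string): Map<string, string[]> {
  const fields = new Map<string, string[]>();
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const colon = line.indexOf(":");
    if (colon <= 0) continue;
    const key = line.slice(0, colon).trim().toLowerCase();
    const values = fields.get(key) ?? [];
    values.push(line.slice(colon + 1).trim());
    fields.set(key, values);
  }
  return fields;
}

const ONE_YEAR_MS = 365 * 24 * 60 * 60 * 1000;

// Contact and Expires are mandatory; Expires must be a future date-time and
// SHOULD be under a year away; Contact and Canonical must be URIs.
export function validateSecurityTxt(body: string, now: Date = new Date()): CheckResult {
  const fields = parseSecurityTxt(body);
  const problems: string[] = [];

  const contacts = fields.get("contact") ?? [];
  if (contacts.length === 0) problems.push("Contact is required");
  for (const c of contacts) {
    // A bare e-mail address is not a URI; RFC 9116 wants mailto:, tel: or https:.
    if (!/^(mailto:|tel:|https:\/\/)/i.test(c)) problems.push(`Contact is not a URI: ${c}`);
  }

  const expires = fields.get("expires") ?? [];
  if (expires.length !== 1) {
    problems.push("exactly one Expires field is required");
  } else {
    const value = expires[0] ?? "";
    const t = Date.parse(value);
    if (Number.isNaN(t)) problems.push(`Expires is not a valid date-time: ${value}`);
    else if (t <= now.getTime()) problems.push("Expires is in the past; the file is stale");
    else if (t - now.getTime() > ONE_YEAR_MS) problems.push("Expires is more than a year away");
  }

  for (const c of fields.get("canonical") ?? []) {
    if (!c.startsWith("https://")) problems.push(`Canonical must be an https URL: ${c}`);
  }
  return { ok: problems.length === 0, problems };
}

// Validate every TXT record returned for _dmarc.<domain>. With more than one
// DMARC record, RFC 7489 6.6.3 has receivers discard all of them, so no
// policy applies at all; that is the duplicate-record finding.
export function validateDmarc(txtRecords: string[]): CheckResult & { tags: Record<string, string> } {
  const problems: string[] = [];
  const tags: Record<string, string> = {};
  const records = txtRecords.map((r) => r.trim()).filter((r) => /^v=DMARC1\s*(;|$)/.test(r));

  if (records.length === 0) {
    return { ok: false, problems: ["no TXT record starting with v=DMARC1"], tags };
  }
  if (records.length > 1) {
    problems.push(`${records.length} DMARC records found; receivers discard all of them`);
  }

  for (const part of (records[0] ?? "").split(";")) {
    const tag = part.trim();
    if (tag === "") continue;
    const eq = tag.indexOf("=");
    if (eq <= 0) { problems.push(`malformed tag: ${tag}`); continue; }
    tags[tag.slice(0, eq).trim().toLowerCase()] = tag.slice(eq + 1).trim();
  }

  const policies = ["none", "quarantine", "reject"];
  const p = tags["p"];
  if (p === undefined) problems.push("p tag is required");
  else if (!policies.includes(p.toLowerCase())) problems.push(`invalid p value: ${p}`);

  for (const key of ["rua", "ruf"]) {
    const uris = tags[key];
    if (uris === undefined) continue;
    for (const u of uris.split(",")) {
      if (!u.trim().startsWith("mailto:")) problems.push(`${key} must be a mailto: URI: ${u.trim()}`);
    }
  }
  const fo = tags["fo"];
  if (fo !== undefined && !/^[01ds](:[01ds])*$/.test(fo)) problems.push(`invalid fo value: ${fo}`);

  return { ok: problems.length === 0, problems, tags };
}
```

Feed `validateDmarc` the full answer set from a TXT lookup (for example every string `dig +short TXT _dmarc.example.com` returns) rather than the first record, otherwise the duplicate case is invisible. Note that a passing DMARC record is only a policy declaration: a `p=none` record produces reports but no enforcement, and mail only passes DMARC once SPF and/or DKIM are aligned, which is the point of the monitoring period before tightening to quarantine or reject.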
@gemini-code-assist


Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses three low-severity security findings identified by Cloudflare. It implements necessary static file configurations for security and SEO compliance while providing a comprehensive runbook for non-code remediation steps such as DNS updates and dashboard settings.

Highlights

  • Security Configuration: Added a security.txt file to the .well-known directory in compliance with RFC 9116.
  • Caddy Server Updates: Updated both internal and local Caddy configurations to serve .well-known files as static content, bypassing the SPA fallback.
  • SEO and Crawler Management: Added a robots.txt file to manage crawler access and disallowed the /seo path.
  • Documentation: Created a remediation runbook to document manual DNS and dashboard actions for DMARC and AI Labyrinth settings.
coderabbitai Bot commented Jun 5, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 408e3cb and 233beef.

📒 Files selected for processing (1)
  • docs/cloudflare-security-insights.md

Walkthrough

This change adds HTTP routing for /.well-known/* paths (security.txt and robots.txt) across both Caddy configurations, applying static file serving with caching headers and compression whilst bypassing SPA fallback logic. Tests validate the configuration, and documentation describes the Cloudflare security findings remediation process.

Changes

Well-Known Path Serving and Security Metadata

Layer / File(s) Summary
Caddy routing for .well-known paths
caddy/WebCaddyfile.internal, caddy/WebCaddyfile.local, tests/caddy/web-caddyfile.test.ts
Both Caddy configurations add a dedicated handle /.well-known/* block serving static files from /usr/share/caddy with zstd/gzip encoding and Cache-Control: public, max-age=86400, explicitly avoiding SPA fallback. A new test assertion verifies the routing configuration is generated correctly.
Static .well-known artifacts
public/.well-known/security.txt, public/robots.txt
security.txt contains contact metadata with an expiration deadline (2027-06-05), preferred language (en), and canonical URL. robots.txt allows root access and disallows /seo for all user agents.
Cloudflare Security Insights remediation runbook
docs/cloudflare-security-insights.md
Runbook documenting remediation for three low-severity Cloudflare findings: configuring security.txt via Caddy, enabling "AI Labyrinth" in the Cloudflare dashboard, and resolving duplicate DMARC records via DNS. Includes verification commands and rescanning instructions.

Possibly related PRs

  • oullin/web#54: Both PRs modify caddy/WebCaddyfile.internal request routing; this PR adds a dedicated /.well-known/* static handler before SPA fallback, whilst the related PR adjusts the SPA try_files fallback sequence.

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request configures Caddy to serve static files under the /.well-known/ path (such as security.txt) without falling back to the Single Page Application (SPA) routing. It adds the security.txt and robots.txt files, includes a test to verify the Caddy configuration, and provides a remediation runbook document for Cloudflare Security Insights. There are no review comments, and I have no feedback to provide.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

Inline comments:
In `@docs/cloudflare-security-insights.md`:
- Line 40: The markdown line containing "Start with `p=none` (monitor only).
DMARC only *passes* if SPF and/or DKIM are configured for the" uses asterisks
for emphasis which is drifting the formatter; update that token to the
formatter's expected emphasis style (e.g., replace *passes* with _passes_ or run
the repository markdown formatter like Prettier/markdownlint and commit the
formatted output) and commit the resulting change so the linter no longer
produces a dirty diff.
- Around line 34-38: The fenced DNS example block containing the lines "Type: TXT", "Name: _dmarc", and "Value: v=DMARC1; p=none; rua=mailto:gustavoocanto@gmail.com; fo=1" is missing a language tag; update the opening triple-backtick fence to include a language (for example "txt") so the block becomes ```txt, which will satisfy markdownlint MD040.
📥 Commits

Reviewing files that changed from the base of the PR and between 903769a and 408e3cb.

📒 Files selected for processing (6)
  • caddy/WebCaddyfile.internal
  • caddy/WebCaddyfile.local
  • docs/cloudflare-security-insights.md
  • public/.well-known/security.txt
  • public/robots.txt
  • tests/caddy/web-caddyfile.test.ts

gocanto added 2 commits June 5, 2026 11:31
- Add 'txt' language tag to the DMARC fenced block (markdownlint MD040).
- Normalize emphasis to underscores via oxfmt (fixes CI format diff).
@gocanto gocanto merged commit e21b151 into main Jun 5, 2026
6 checks passed
@gocanto gocanto deleted the chore/security-insights-securitytxt-robots branch June 5, 2026 03:50