Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

acidgreenservers/clawchives-build-pipeline©™

Name: clawchives-build-pipeline©™
Author: acidgreenservers

.crustagent/skills/build-pipeline/SKILL.md

npx skillsauth add acidgreenservers/clawchives clawchives-build-pipeline©™

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

ClawChives©™ Docker Build Pipeline

🏗️ Pipeline Overview

ClawChives©™ uses a two-stage Docker build — builder produces the frontend bundle, production runs the API and serves static files.

┌─────────────────────────────────────────────────────────────┐
│  STAGE 1: builder (node:20-alpine)                          │
│    npm install (all deps incl. devDependencies)             │
│    COPY: index.html, vite.config.ts, tsconfig*.json         │
│    COPY: postcss.config.js, tailwind.config.js  ← CRITICAL  │
│    COPY: src/, public/                                       │
│    RUN: npm run build  →  dist/ (Vite + Tailwind)           │
└──────────────────────────┬──────────────────────────────────┘
                           │ COPY --from=builder /app/dist
┌──────────────────────────▼──────────────────────────────────┐
│  STAGE 2: production (node:20-alpine)                       │
│    npm install --omit=dev                                    │
│    COPY: server.js, src/ (middleware/utils/config)          │
│    COPY: dist/ (from builder)                               │
│    ENTRYPOINT: docker-entrypoint.sh → node server.js        │
│    PORT: 4545 (UI + API, single container)                  │
└─────────────────────────────────────────────────────────────┘

Key rule: dist/ is NEVER copied from the host. It is always built fresh inside Docker from source files only.

📋 Pre-Build Checklist

Run before every docker-compose up --build:

Builder Stage Files

[ ] postcss.config.js exists in project root
[ ] tailwind.config.js exists in project root
[ ] Both are included in Dockerfile builder COPY (see Dockerfile Invariants below)
[ ] dist/ is NOT committed to git and NOT present on host (or is ignored)

Security Headers (HTTP LAN vs HTTPS)

[ ] ENFORCE_HTTPS is false for plain HTTP LAN deployments
[ ] ENFORCE_HTTPS is true only behind a reverse proxy with a real certificate
[ ] Helmet CSP upgradeInsecureRequests is gated: process.env.ENFORCE_HTTPS === "true" ? [] : null

Compose File

[ ] Using docker-compose.dev.yml for local builds (has build: section)
[ ] Using docker-compose.yml only for pulling published GHCR images
[ ] SPA catch-all regex excludes /assets/: /^(?!\/api\/)(?!\/assets\/)/

🚀 Build Commands

Local / LAN Development

# Standard build from local source
docker-compose -f docker-compose.dev.yml down
docker-compose -f docker-compose.dev.yml up --build -d

# Force fully clean build (bust all layer cache)
docker-compose -f docker-compose.dev.yml build --no-cache
docker-compose -f docker-compose.dev.yml up -d

# Watch logs during startup
docker logs clawchives -f

Production (GHCR via GitHub Actions)

# Push to main branch — Actions workflow builds and pushes to GHCR
git push origin main

# Pull and run published image (no local build)
docker-compose up -d   # uses docker-compose.yml → pulls ghcr.io image

Useful One-Liners

# Full teardown + clean rebuild + start
docker-compose -f docker-compose.dev.yml down && \
  docker-compose -f docker-compose.dev.yml build --no-cache && \
  docker-compose -f docker-compose.dev.yml up -d

# Check what's in the container's dist/
docker exec clawchives ls /app/dist/assets/
docker exec clawchives cat /app/dist/index.html

✅ Post-Build Verification

Run after every rebuild to confirm the pipeline succeeded:

1. CSS must be `text/css` — NOT `text/html`

# Get the CSS filename from the container
CSS_FILE=$(docker exec clawchives ls /app/dist/assets/*.css | head -1 | xargs basename)
curl -sI http://192.168.1.6:4545/assets/$CSS_FILE | grep content-type
# Expected: content-type: text/css; charset=utf-8
# FAIL if:  content-type: text/html  (SPA catch-all is intercepting assets)

2. CSS must be >10KB (Tailwind actually processed)

docker exec clawchives wc -c /app/dist/assets/*.css
# Expected: 50000+ bytes for a full Tailwind build
# FAIL if:  ~1400 bytes  (Tailwind directives were NOT processed — raw @tailwind text)

3. CSP must NOT contain `upgrade-insecure-requests` on HTTP

curl -sI http://192.168.1.6:4545/ | grep content-security-policy
# FAIL if output contains: upgrade-insecure-requests

4. No HSTS on HTTP

curl -sI http://192.168.1.6:4545/ | grep -i strict-transport
# Expected: (no output)
# FAIL if:  strict-transport-security header is present

5. Container is healthy

docker ps | grep clawchives
# Expected: Status "healthy" or "Up X seconds"
docker logs clawchives --tail=20
# Expected: "🦞 ClawChives API running on port 4545"

☠️ Known Failure Modes

A registry of bugs found and fixed — consult before debugging a new styling/asset issue.

#1 — Tailwind Not Processed (Missing Config in Builder Stage)

Symptom: Page renders with zero styles, no colors, huge default font
Evidence: dist/assets/*.css is ~1400 bytes and contains literal @tailwind base; text
Root Cause: postcss.config.js and/or tailwind.config.js missing from Dockerfile COPY
Fix: Add to Dockerfile builder stage:
     COPY postcss.config.js tailwind.config.js ./

#2 — SPA Catch-All Swallowing Assets

Symptom: CSS/JS returns Content-Type: text/html (457 bytes = index.html)
Evidence: curl -sI /assets/foo.css shows content-type: text/html
Root Cause: Express catch-all regex /^(?!\/api\/).*/ matches /assets/* paths
            express.static serves the file, but if it calls next() the catch-all
            fires and returns index.html instead of 404
Fix: Tighten regex in server.js:
     app.get(/^(?!\/api\/)(?!\/assets\/).*/, ...)

#3 — CSP `upgrade-insecure-requests` on HTTP LAN

Symptom: ERR_SSL_PROTOCOL_ERROR — browser tries to HTTPS-upgrade every asset
Evidence: curl -I response contains upgrade-insecure-requests in CSP header
Root Cause: Helmet injects upgrade-insecure-requests by default, even on HTTP
Fix: Add to helmet() CSP directives in server.js:
     upgradeInsecureRequests: process.env.ENFORCE_HTTPS === "true" ? [] : null,

#4 — `docker-compose up --build` Is a No-Op

Symptom: Code changes don't appear in running container after rebuild
Evidence: git diff shows local changes; container serves old behavior
Root Cause: docker-compose.yml has only image: (GHCR pull), no build: section
            docker-compose up --build does nothing when there's no build: key
Fix: Use docker-compose.dev.yml for local development (has build: section)
     OR add build: to docker-compose.yml for local-only use

#5 — Stale Layer Cache

Symptom: After fixing Dockerfile, container still shows old behavior
Root Cause: Docker cached the builder stage from before the fix
Fix: docker-compose -f docker-compose.dev.yml build --no-cache

#6 — HSTS Caching "Always Use HTTPS"

Symptom: Browser shows ERR_SSL_PROTOCOL_ERROR even on HTTP-only LAN
Evidence: Previous deployment had ENFORCE_HTTPS=true; browser cached HSTS
Root Cause: HSTS (Strict-Transport-Security) cached by browser, not server issue
Fix: Disable in browser: chrome://net-internals/#hsts → delete domain entry
     Server: strictTransportSecurity: process.env.ENFORCE_HTTPS === "true" ? undefined : false

🔐 Dockerfile Builder Stage Invariants

These files MUST be present in the builder COPY section. Missing any causes silent failures:

# ✅ REQUIRED — all must be present
COPY package.json package-lock.json* ./
RUN npm install
COPY index.html vite.config.ts tsconfig.json tsconfig.node.json ./
COPY postcss.config.js tailwind.config.js ./   ← NEVER REMOVE
COPY src ./src
COPY public ./public
RUN npm run build

# ❌ NEVER DO THIS — copies stale local dist/ into image
# COPY . .
# COPY dist ./dist

The production stage MUST get dist/ from the builder, never from the host:

# ✅ CORRECT
COPY --from=builder /app/dist ./dist

🦞 Lobster Wisdom

"A lobster never carries its old shell into the new one. The Docker builder stage is the molt — start clean, build fresh, never drag stale dist/ into production."

acidgreenservers/clawchives-build-pipeline©™

.crustagent/skills/build-pipeline/SKILL.md

Docker build pipeline for ClawChives©™. Covers multi-stage Dockerfile requirements, dev vs production compose, post-build verification, and a registry of known failure modes learned from production debugging.

development

Updated Mar 29, 2026

$ install --global

skillsauth

npx skillsauth add acidgreenservers/clawchives clawchives-build-pipeline©™

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 1, 2026, 12:18 AM58.5s1 file scanned

SKILL.md

name:: clawchives-build-pipeline©™
description:: Docker build pipeline for ClawChives©™. Covers multi-stage Dockerfile requirements, dev vs production compose, post-build verification, and a registry of known failure modes learned from production debugging.

ClawChives©™ Docker Build Pipeline

🏗️ Pipeline Overview

ClawChives©™ uses a two-stage Docker build — builder produces the frontend bundle, production runs the API and serves static files.

┌─────────────────────────────────────────────────────────────┐
│  STAGE 1: builder (node:20-alpine)                          │
│    npm install (all deps incl. devDependencies)             │
│    COPY: index.html, vite.config.ts, tsconfig*.json         │
│    COPY: postcss.config.js, tailwind.config.js  ← CRITICAL  │
│    COPY: src/, public/                                       │
│    RUN: npm run build  →  dist/ (Vite + Tailwind)           │
└──────────────────────────┬──────────────────────────────────┘
                           │ COPY --from=builder /app/dist
┌──────────────────────────▼──────────────────────────────────┐
│  STAGE 2: production (node:20-alpine)                       │
│    npm install --omit=dev                                    │
│    COPY: server.js, src/ (middleware/utils/config)          │
│    COPY: dist/ (from builder)                               │
│    ENTRYPOINT: docker-entrypoint.sh → node server.js        │
│    PORT: 4545 (UI + API, single container)                  │
└─────────────────────────────────────────────────────────────┘

Key rule: dist/ is NEVER copied from the host. It is always built fresh inside Docker from source files only.

📋 Pre-Build Checklist

Run before every docker-compose up --build:

Builder Stage Files

[ ] postcss.config.js exists in project root
[ ] tailwind.config.js exists in project root
[ ] Both are included in Dockerfile builder COPY (see Dockerfile Invariants below)
[ ] dist/ is NOT committed to git and NOT present on host (or is ignored)

Security Headers (HTTP LAN vs HTTPS)

[ ] ENFORCE_HTTPS is false for plain HTTP LAN deployments
[ ] ENFORCE_HTTPS is true only behind a reverse proxy with a real certificate
[ ] Helmet CSP upgradeInsecureRequests is gated: process.env.ENFORCE_HTTPS === "true" ? [] : null

Compose File

[ ] Using docker-compose.dev.yml for local builds (has build: section)
[ ] Using docker-compose.yml only for pulling published GHCR images
[ ] SPA catch-all regex excludes /assets/: /^(?!\/api\/)(?!\/assets\/)/

🚀 Build Commands

Local / LAN Development

# Standard build from local source
docker-compose -f docker-compose.dev.yml down
docker-compose -f docker-compose.dev.yml up --build -d

# Force fully clean build (bust all layer cache)
docker-compose -f docker-compose.dev.yml build --no-cache
docker-compose -f docker-compose.dev.yml up -d

# Watch logs during startup
docker logs clawchives -f

Production (GHCR via GitHub Actions)

# Push to main branch — Actions workflow builds and pushes to GHCR
git push origin main

# Pull and run published image (no local build)
docker-compose up -d   # uses docker-compose.yml → pulls ghcr.io image

Useful One-Liners

# Full teardown + clean rebuild + start
docker-compose -f docker-compose.dev.yml down && \
  docker-compose -f docker-compose.dev.yml build --no-cache && \
  docker-compose -f docker-compose.dev.yml up -d

# Check what's in the container's dist/
docker exec clawchives ls /app/dist/assets/
docker exec clawchives cat /app/dist/index.html

✅ Post-Build Verification

Run after every rebuild to confirm the pipeline succeeded:

1. CSS must be `text/css` — NOT `text/html`

# Get the CSS filename from the container
CSS_FILE=$(docker exec clawchives ls /app/dist/assets/*.css | head -1 | xargs basename)
curl -sI http://192.168.1.6:4545/assets/$CSS_FILE | grep content-type
# Expected: content-type: text/css; charset=utf-8
# FAIL if:  content-type: text/html  (SPA catch-all is intercepting assets)

2. CSS must be >10KB (Tailwind actually processed)

docker exec clawchives wc -c /app/dist/assets/*.css
# Expected: 50000+ bytes for a full Tailwind build
# FAIL if:  ~1400 bytes  (Tailwind directives were NOT processed — raw @tailwind text)

3. CSP must NOT contain `upgrade-insecure-requests` on HTTP

curl -sI http://192.168.1.6:4545/ | grep content-security-policy
# FAIL if output contains: upgrade-insecure-requests

4. No HSTS on HTTP

curl -sI http://192.168.1.6:4545/ | grep -i strict-transport
# Expected: (no output)
# FAIL if:  strict-transport-security header is present

5. Container is healthy

docker ps | grep clawchives
# Expected: Status "healthy" or "Up X seconds"
docker logs clawchives --tail=20
# Expected: "🦞 ClawChives API running on port 4545"

☠️ Known Failure Modes

A registry of bugs found and fixed — consult before debugging a new styling/asset issue.

#1 — Tailwind Not Processed (Missing Config in Builder Stage)

Symptom: Page renders with zero styles, no colors, huge default font
Evidence: dist/assets/*.css is ~1400 bytes and contains literal @tailwind base; text
Root Cause: postcss.config.js and/or tailwind.config.js missing from Dockerfile COPY
Fix: Add to Dockerfile builder stage:
     COPY postcss.config.js tailwind.config.js ./

#2 — SPA Catch-All Swallowing Assets

Symptom: CSS/JS returns Content-Type: text/html (457 bytes = index.html)
Evidence: curl -sI /assets/foo.css shows content-type: text/html
Root Cause: Express catch-all regex /^(?!\/api\/).*/ matches /assets/* paths
            express.static serves the file, but if it calls next() the catch-all
            fires and returns index.html instead of 404
Fix: Tighten regex in server.js:
     app.get(/^(?!\/api\/)(?!\/assets\/).*/, ...)

#3 — CSP `upgrade-insecure-requests` on HTTP LAN

Symptom: ERR_SSL_PROTOCOL_ERROR — browser tries to HTTPS-upgrade every asset
Evidence: curl -I response contains upgrade-insecure-requests in CSP header
Root Cause: Helmet injects upgrade-insecure-requests by default, even on HTTP
Fix: Add to helmet() CSP directives in server.js:
     upgradeInsecureRequests: process.env.ENFORCE_HTTPS === "true" ? [] : null,

#4 — `docker-compose up --build` Is a No-Op

Symptom: Code changes don't appear in running container after rebuild
Evidence: git diff shows local changes; container serves old behavior
Root Cause: docker-compose.yml has only image: (GHCR pull), no build: section
            docker-compose up --build does nothing when there's no build: key
Fix: Use docker-compose.dev.yml for local development (has build: section)
     OR add build: to docker-compose.yml for local-only use

#5 — Stale Layer Cache

Symptom: After fixing Dockerfile, container still shows old behavior
Root Cause: Docker cached the builder stage from before the fix
Fix: docker-compose -f docker-compose.dev.yml build --no-cache

#6 — HSTS Caching "Always Use HTTPS"

Symptom: Browser shows ERR_SSL_PROTOCOL_ERROR even on HTTP-only LAN
Evidence: Previous deployment had ENFORCE_HTTPS=true; browser cached HSTS
Root Cause: HSTS (Strict-Transport-Security) cached by browser, not server issue
Fix: Disable in browser: chrome://net-internals/#hsts → delete domain entry
     Server: strictTransportSecurity: process.env.ENFORCE_HTTPS === "true" ? undefined : false

🔐 Dockerfile Builder Stage Invariants

These files MUST be present in the builder COPY section. Missing any causes silent failures:

# ✅ REQUIRED — all must be present
COPY package.json package-lock.json* ./
RUN npm install
COPY index.html vite.config.ts tsconfig.json tsconfig.node.json ./
COPY postcss.config.js tailwind.config.js ./   ← NEVER REMOVE
COPY src ./src
COPY public ./public
RUN npm run build

# ❌ NEVER DO THIS — copies stale local dist/ into image
# COPY . .
# COPY dist ./dist

The production stage MUST get dist/ from the builder, never from the host:

# ✅ CORRECT
COPY --from=builder /app/dist ./dist

🦞 Lobster Wisdom

"A lobster never carries its old shell into the new one. The Docker builder stage is the molt — start clean, build fresh, never drag stale dist/ into production."

Related Skills

acidgreenservers/.crustagent/skills/feature-dev

development

VerifiedTrustedCommunity

# Feature Development Assistant ## Mission Statement You are an expert full-stack developer who builds complete features from concept to implementation using Desktop Commander's file management capabilities. Your role is to analyze existing codebases, design feature architecture, implement all necessary code, and integrate seamlessly with existing systems. ## Important: Multi-Chat Workflow **Feature development requires multiple chat sessions to avoid context limits and manage implementation c

SKILL.mdUpdated Apr 16, 2026

acidgreenservers/.crustagent/skills/feature-dev

development

VerifiedTrustedCommunity

The canonical ClawChives©™ agent integration skill. Full API reference for autonomous agents (Lobsters©™) to authenticate, manage bookmarks, folders, and integrate with the ClawChive bookmarking system.

SKILL.mdUpdated Mar 29, 2026

acidgreenservers/.crustagent/vibecheck/skills/truthpack-updater

development

VerifiedTrustedCommunity

# Truthpack Updater Skill ## When to Use Activate this skill whenever: - A new route is added to `server/routes/` - A new environment variable is introduced - The project structure or a feature cluster is modified - Security protocols or auth rules are updated ## Instructions 1. **Audit Phase**: Perform a full-codebase scan (`grep` or `list_dir`) to identify changes since the last truthpack sync. 2. **Atomic Updates**: Update the corresponding JSON file in `.crustagent/vibecheck/truthpack/`:

SKILL.mdUpdated Mar 29, 2026

acidgreenservers/.crustagent/vibecheck/skills/truthpack-updater

acidgreenservers/.crustagent/vibecheck/skills/truthpack-lookup

development

VerifiedTrustedCommunity

# Truthpack Lookup Skill ## When to Use Activate this skill BEFORE generating any code that: - Creates or modifies API routes - References environment variables - Touches authentication/authorization - Modifies API request/response shapes ## Instructions 1. Read `.crustagent/vibecheck/truthpack/routes.json` for verified API routes 2. Read `.crustagent/vibecheck/truthpack/env.json` for verified environment variables 3. Read `.crustagent/vibecheck/truthpack/auth.json` for verified auth rules 4.

SKILL.mdUpdated Mar 29, 2026

acidgreenservers/.crustagent/vibecheck/skills/truthpack-lookup

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/acidgreenservers/clawchives.git

# Copy into Claude Code skills folder (global)
cp -r clawchives/.crustagent/skills/build-pipeline ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

acidgreenservers/clawchives

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT

Adoption

acidgreenservers/clawchives-build-pipeline©™

$ install --global

Security Scan Results

SKILL.md

ClawChives©™ Docker Build Pipeline

🏗️ Pipeline Overview

📋 Pre-Build Checklist

Builder Stage Files

Security Headers (HTTP LAN vs HTTPS)

Compose File

🚀 Build Commands

Local / LAN Development

Production (GHCR via GitHub Actions)

Useful One-Liners

✅ Post-Build Verification

1. CSS must be text/css — NOT text/html

2. CSS must be >10KB (Tailwind actually processed)

3. CSP must NOT contain upgrade-insecure-requests on HTTP

4. No HSTS on HTTP

5. Container is healthy

☠️ Known Failure Modes

#1 — Tailwind Not Processed (Missing Config in Builder Stage)

#2 — SPA Catch-All Swallowing Assets

#3 — CSP upgrade-insecure-requests on HTTP LAN

#4 — docker-compose up --build Is a No-Op

#5 — Stale Layer Cache

#6 — HSTS Caching "Always Use HTTPS"

🔐 Dockerfile Builder Stage Invariants

🦞 Lobster Wisdom

Related Skills

acidgreenservers/.crustagent/skills/feature-dev

acidgreenservers/clawchives-agent-api©™

acidgreenservers/.crustagent/vibecheck/skills/truthpack-updater

acidgreenservers/.crustagent/vibecheck/skills/truthpack-lookup

acidgreenservers/clawchives-build-pipeline©™

$ install --global

Security Scan Results

SKILL.md

ClawChives©™ Docker Build Pipeline

🏗️ Pipeline Overview

📋 Pre-Build Checklist

Builder Stage Files

Security Headers (HTTP LAN vs HTTPS)

Compose File

🚀 Build Commands

Local / LAN Development

Production (GHCR via GitHub Actions)

Useful One-Liners

✅ Post-Build Verification

1. CSS must be text/css — NOT text/html

2. CSS must be >10KB (Tailwind actually processed)

3. CSP must NOT contain upgrade-insecure-requests on HTTP

4. No HSTS on HTTP

5. Container is healthy

☠️ Known Failure Modes

#1 — Tailwind Not Processed (Missing Config in Builder Stage)

#2 — SPA Catch-All Swallowing Assets

#3 — CSP upgrade-insecure-requests on HTTP LAN

#4 — docker-compose up --build Is a No-Op

#5 — Stale Layer Cache

#6 — HSTS Caching "Always Use HTTPS"

🔐 Dockerfile Builder Stage Invariants

🦞 Lobster Wisdom

Related Skills

acidgreenservers/.crustagent/skills/feature-dev

acidgreenservers/clawchives-agent-api©™

acidgreenservers/.crustagent/vibecheck/skills/truthpack-updater

acidgreenservers/.crustagent/vibecheck/skills/truthpack-lookup

1. CSS must be `text/css` — NOT `text/html`

3. CSP must NOT contain `upgrade-insecure-requests` on HTTP

#3 — CSP `upgrade-insecure-requests` on HTTP LAN

#4 — `docker-compose up --build` Is a No-Op

1. CSS must be `text/css` — NOT `text/html`

3. CSP must NOT contain `upgrade-insecure-requests` on HTTP

#3 — CSP `upgrade-insecure-requests` on HTTP LAN

#4 — `docker-compose up --build` Is a No-Op