ariffazil/arif-sites-production-sync
hermes-backup/daily/2026-04-28_203212/skills/devops/arif-sites-production-sync/SKILL.md
Sync /999 credential artifacts from arif-sites source repo to live Nginx production web root — includes key consistency checks and manual deploy steps.
development
Updated May 1, 2026
$ install --global
skillsauthnpx skillsauth add ariffazil/openclaw-workspace arif-sites-production-syncInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 2, 2026, 5:25 AM197.3s1 file scanned
SKILL.md
- name:
- arif-sites-production-sync
- description:
- Sync /999 credential artifacts from arif-sites source repo to live Nginx production web root — includes key consistency checks and manual deploy steps.
- tags:
- [arif-sites, Nginx, production-deploy, /999, DID, Ed25519]
- last_updated:
- 2026-04-27
arif-sites Production Sync — /999 Credential Artifacts
Context
The arifOS identity/verification surface lives at https://arif-fazil.com/999/ (the "Verification Room"). Source code lives in /root/sites/arif/ (GitHub: ariffazil/arif-sites), but production is served from a SEPARATE web root via Nginx — NOT via git push or Caddy.
Key Discovery (2026-04-27)
Production did.json key can differ from source repo did.json key.
The production /var/www/arif-fazil.com/.well-known/did.json was independently updated and contained a DIFFERENT Ed25519 Multikey (z6MkuQTtujH...) than the source repo's version (z6MkkWQz...).
If you generate .sig files using a key from the source repo but the production did.json has a different key, verification will FAIL in production even though it works locally.
Rule: Always read production files before making artifacts.
Production Stack
- Web server: Caddy (Docker container
caddy) - Caddyfile:
/root/compose/Caddyfile - Web root:
/var/www/html/arif/(served athttps://arif-fazil.com/) - Source repo:
/root/sites/(git remote:github.com/ariffazil/arif-sites) - Branches:
site-autoresearch/apr26is the working branch — commit here, push when verified
Canonical Deploy Pattern
External agent deploy scripts often use wrong paths (e.g. /mnt/agents/output/,
/root/sites/arif/ as root, or Nginx paths). Always verify against git staging first.
Step 0 — Find the real files
# External agents stage work in /root/sites/ git repo
cd /root/sites && git status -s # Shows all modified/new/untracked files
ls /root/sites/arif/ # Human surface source files
ls /root/sites/apex/ # Apex surface source files
Step 1 — Copy to Caddy web root
# Human surface (arif-fazil.com)
cp /root/sites/arif/<file> /var/www/html/arif/
cp -r /root/sites/arif/888 /var/www/html/arif/
cp -r /root/sites/arif/history /var/www/html/arif/
cp -r /root/sites/arif/weight /var/www/html/arif/
# Apex surface (apex.arif-fazil.com)
cp /root/sites/apex/<file> /var/www/html/apex/
# Verify served correctly
curl -s -o /dev/null -w "%{http_code}" https://arif-fazil.com/<path>
Step 2 — Reload Caddy (NOT Nginx)
docker exec caddy caddy reload --config /etc/caddy/Caddyfile
No nginx reload — Caddy handles everything.
Step 3 — Commit to git
cd /root/sites
git add arif/888 arif/history arif/weight ...
git commit -m "feat(surface): <description>"
git push origin site-autoresearch/apr26
DID/Keys Consistency Check
Before deploying, verify the key in did.json matches keys.json:
import json
did_key = json.load(open('/path/to/.well-known/did.json'))['verificationMethod'][0]['publicKeyMultibase']
keys_key = json.load(open('/path/to/999/keys.json'))['keys'][0]['public_key']
assert did_key == keys_key, f"DID key ({did_key}) != keys.json ({keys_key}) — signatures will fail!"
print("Consistent ✅")
Key Files Location
| File | Source | Production | Permissions |
|------|--------|------------|-------------|
| did.json | /root/sites/arif/.well-known/ | /var/www/arif-fazil.com/.well-known/ | 755 |
| keys.json | /root/sites/arif/999/ | /var/www/arif-fazil.com/999/ | 644 |
| *.sig files | /root/sites/arif/999/ | /var/www/arif-fazil.com/999/ | 644 |
| verify.sh | /root/sites/arif/999/ | /var/www/arif-fazil.com/999/ | 755 |
| index.html | /root/sites/arif/999/ | /var/www/arif-fazil.com/999/ | 644 |
| Private key | /root/arifOS/secrets/did_ed25519_private.key | N/A — never public | 600 |
/999 Trust Ladder
Current state:
- L0 ✅ Published (file exists)
- L1 ✅ Structured (valid JSON)
- L2 ✅ Signed (Ed25519 .sig files, key consistent)
- L3 ⚠️ Anchored (GitHub commit verified but no timestamp authority)
- L4 ⚠️ Attested (third-party issuer pending — PETRONAS/university/professional body)
- L5 ⚠️ Monitored (CI not active)
Symptoms Fixed This Session
keys.jsonhadPLACEHOLDER— replaced with real Ed25519 Multikey- No
.sigfiles existed — generated 4 detached Ed25519 signatures did.jsonkey ≠keys.jsonkey — discovered via production read, fixed both/proof/geologist-credential.jsonlinks broken — fixed to/999/paths- No trust ladder badge — added L0–L5 visual to page
- No claim status table — added honest label table to page
Known Limitation
The .sig files are self-signed (issuer = did:web:arif-fazil.com). To reach L4, a third-party issuer must sign the geoscientist credential. This requires Arif to initiate, not an agent.
Related Skills
ariffazil/AAA Agentic Governance (AAA-Cockpit, canonical)
development
VerifiedTrustedCommunity
Governed intelligence skill for AAA as the abstraction, attestation, and abduction control plane across arifOS, APEX, A-FORGE, GEOX, WEALTH, WELL, and the ariffazil profile repository. Use when the user asks to explain or design AAA, route agentic work, reduce chaos/entropy in an arifOS federation task, create AREP/task declarations, classify risk, plan multi-repo changes, review governance boundaries, or translate human intent into evidence-backed, authority-safe, recursively agentic workflows. Provides deterministic F1-F13 floor checking, bounded abduction, and FederationReceipt composition.
SKILL.mdUpdated Jun 6, 2026
ariffazil/skill-trigger-linter
development
VerifiedTrustedCommunity
Check every skill’s “use when” and “do not use when” clauses for collisions, missing negatives, and vague verbs like “help,” “assist,” or “improve.” Load when linting, reviewing, or validating trigger boundaries.
SKILL.mdUpdated May 27, 2026
ariffazil/skill-creator
development
VerifiedTrustedCommunity
Bootstrap, design, and package new skills. Load when capturing user intent for a new skill or drafting its initial instruction framework.
SKILL.mdUpdated May 27, 2026
ariffazil/Federation Service Health Triage
content-media
VerifiedTrustedCommunity
Diagnose which federation services are up, down, or drifting. Produce a prioritized remediation plan.
SKILL.mdUpdated May 27, 2026