tribunal-kit 3.0.0 → 4.0.0

package/.agent/skills/seo-fundamentals/SKILL.md

@@ -1,154 +1,129 @@
----
-name: seo-fundamentals
-description: Search Engine Optimization (SEO) mastery. Metadata implementation, Open Graph (OG) social card rendering, semantic HTML5 structuring, canonicalization, Core Web Vitals performance mapping, Sitemap/Robots configurations, structured data (JSON-LD), and Next.js SSR SEO implementations. Use when auditing site visibility or building consumer-facing web architectures.
-allowed-tools: Read, Write, Edit, Glob, Grep
-version: 2.0.0
-last-updated: 2026-04-02
-applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
----
-
-# SEO Fundamentals — Visibility & Discoverability Mastery
-
-> If a consumer web app is not indexed efficiently, it does not mathematically exist on the internet.
-> Googlebot does not execute massive React payloads effectively. Server-Side Rendering is mandatory for SEO.
-
----
-
-## 1. Core Meta Architecture (The Next.js 15 Standard)
-
-Do not use legacy `next/head` tags scattered across components. Use the built-in Metadata API explicitly.
-
-```typescript
-// app/blog/[slug]/page.tsx
-import { Metadata } from 'next';
-
-export async function generateMetadata({ params }): Promise<Metadata> {
-  const post = await fetchPost(params.slug);
-
-  return {
-    title: `${post.title} | MyBrand`,
-    description: post.excerpt,
-    keywords: post.tags,
-    alternates: {
-      canonical: `https://www.example.com/blog/${params.slug}`
-    },
-    openGraph: {
-      title: post.title,
-      description: post.excerpt,
-      type: 'article',
-      url: `https://example.com/blog/${params.slug}`,
-      images: [{ url: post.coverImageUrl, width: 1200, height: 630 }],
-    },
-    twitter: {
-      card: 'summary_large_image', // Critical for big Twitter link previews
-    }
-  };
-}
-```
-
----
-
-## 2. Semantic HTML & Heading Hierarchy
-
-Google establishes context by parsing the DOM outline. A massive application constructed purely of `<div className="text-xl font-bold">` tags will be heavily penalized.
-
-1. **The H1 Law:** Exactly ONE `<h1>` per page. This is the primary subject.
-2. **Hierarchy Integrity:** Never skip heading levels. An `<h2>` MUST precede an `<h3>`. Do not use heading tags for visual sizing; use them purely for document structure.
-3. **Semantic Tags:** Wrap headers in `<header>`, menus in `<nav>`, main content in `<main>`, and sidebars in `<aside>`.
-
-```html
-<!-- ✅ GOOD: Perfect SEO Document Outline -->
-<main>
-  <article>
-    <h1>The Future of AI Agents</h1>
-    <p>Introduction...</p>
-
-    <h2>Architectural Patterns</h2>
-    <section>
-       <h3>The Supervisor Pattern</h3>
-       <p>Content regarding supervisors...</p>
-    </section>
-  </article>
-</main>
-```
-
----
-
-## 3. Structured Data (JSON-LD)
-
-Help search engines understand exact data graphs (Products, Reviews, Articles, Jobs) bypassingly standard text crawling. Inject standard `Schema.org` JSON-LD.
-
-```typescript
-// Injecting JSON-LD structurally into a React/Next component
-export default function ProductPage({ product }) {
-  const jsonLd = {
-    '@context': 'https://schema.org',
-    '@type': 'Product',
-    name: product.name,
-    image: product.image,
-    description: product.description,
-    offers: {
-      '@type': 'Offer',
-      price: product.price,
-      priceCurrency: 'USD',
-      availability: product.inStock ? 'https://schema.org/InStock' : 'https://schema.org/OutOfStock',
-    },
-  };
-
-  return (
-    <section>
-      {/* Script injected cleanly into DOM */}
-      <script
-        type="application/ld+json"
-        dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
-      />
-      
-      <h1>{product.name}</h1>
-      {/* ... rest of UI ... */}
-    </section>
-  );
-}
-```
-
----
-
-## 4. Robots & Sitemaps
-
-If a page shouldn't be indexed (e.g., dynamic search result matrices, user profiles), you must explicitly block it, otherwise Googlebot wastes "Crawl Budget" on infinite URLs.
-
-- **`robots.txt`**: Denies crawling of specific directories.
-- **`<meta name="robots" content="noindex, nofollow">`**: Denies indexing of a specific page instance.
-- **`sitemap.xml`**: A programmatic manifest mapped to root guiding crawlers mathematically through all valid indexable paths.
-
----
-
-## 🤖 LLM-Specific Traps (SEO)
-
-1. **The SPA Fallacy:** AI building a Client-Side Rendered (CSR) React App with `react-router` and assuring the user SEO is perfect. Googlebot struggles heavily with executing massive JS bundles. Force SSR Next.js/Astro architecture for consumer-facing sites.
-2. **Missing Canonicals:** Failing to generate `<link rel="canonical">` tags on dynamic URL structures (`?category=shoes&brand=nike`), resulting in Google penalizing the main page for "Duplicate Content" against itself.
-3. **OpenGraph Amputation:** Creating `<title>` tags perfectly but entirely omitting the `og:` and `twitter:` meta tags. The site will look like a broken ugly text link when shared on social media.
-4. **`next/head` Obsession:** The AI relies on the legacy React `Helmet` library or Next 12 `Head` tag generation methods instead of utilizing the Next.js `generateMetadata()` App Router architectural API.
-5. **Div Soups:** Generating 400 lines of UI where bold strings are mapped as `<span>` tags instead of strong semantic `<h2>` and `<h3>` document structural tags.
-6. **NoIndex Blindness:** The AI scaffolds the staging `/dev/` URL environment but neglects to inject global `noindex` headers into staging layouts, causing Google to permanently index half-finished development drafts globally.
-7. **Image Alt-Tag Exclusion:** Utilizing `<Image src="...">` without writing highly descriptive `alt="..."` attributes, wiping out all potential Google Images search traffic and destroying accessibility scores simultaneously.
-8. **Invalid Schema Output:** Generating broken JSON-LD objects because the AI used generic un-validated JSON types instead of rigidly consulting the `schema.org` mandated data structures (e.g., omitting the required `priceCurrency` on an Offer schema).
-9. **Sitemap Generation Forgetting:** Ensuring excellent SEO on specific pages but totally failing to scaffold dynamic `app/sitemap.ts` files that continually update the XML tree when new databases articles are published.
-10. **The H1 Spam:** Putting multiple `<h1>` tags on a single page visually simply because they want the font to be large, heavily confusing the search engine content analyzers.
-
----
-
-## 🏛️ Tribunal Integration
-
-### ✅ Pre-Flight Self-Audit
-```
-✅ Have dynamic Meta tags (Title, Description) been localized into SSR native configuration (`generateMetadata`)?
-✅ Did I guarantee the mathematical generation of Open Graph (OG) and Twitter Card payload tags?
-✅ Is there strictly only one `<h1>` tag rendered structurally per page view?
-✅ Is the DOM heavily semantic (`<main>`, `<article>`, `<nav>`) bypassing standard div-soups?
-✅ Were Canonical URL alternates properly mapped on complex pagination/parameterized URL routes?
-✅ Have standard `Schema.org` JSON-LD data graphs been injected for transactional/content entries?
-✅ Has `alt` text been rigidly mandated and populated for all primary visual `<Image>` tags?
-✅ Ensure that indexing prevention (robots noindex) is actively applied to user-private/admin/test routes?
-✅ Was the SEO advice generated explicitly recognizing the difference between static SSR delivery vs CSR Javascript limits?
-✅ Did I ensure the XML sitemap generation accurately captures dynamically generated database routes (e.g., blog slugs)?
-```
+---
+name: seo-fundamentals
+description: Search Engine Optimization (SEO) mastery. Metadata implementation, Open Graph (OG) social card rendering, semantic HTML5 structuring, canonicalization, Core Web Vitals performance mapping, Sitemap/Robots configurations, structured data (JSON-LD), and Next.js SSR SEO implementations. Use when auditing site visibility or building consumer-facing web architectures.
+allowed-tools: Read, Write, Edit, Glob, Grep
+version: 2.0.0
+last-updated: 2026-04-02
+applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
+---
+
+## Hallucination Traps (Read First)
+- ❌ Using `<div>` for everything instead of semantic HTML -> ✅ Use `<main>`, `<article>`, `<nav>`, `<section>` for crawler comprehension
+- ❌ Multiple `<h1>` tags on a single page -> ✅ One `<h1>` per page; use `<h2>`-`<h6>` for hierarchy
+- ❌ Generating meta descriptions with AI boilerplate -> ✅ Each page needs a unique, specific meta description under 160 characters
+- ❌ Using client-side rendering for content pages -> ✅ SSR/SSG for pages that need to be indexed; CSR is invisible to crawlers without JS rendering
+
+---
+
+
+# SEO Fundamentals — Visibility & Discoverability Mastery
+
+---
+
+## 1. Core Meta Architecture (The Next.js 15 Standard)
+
+Do not use legacy `next/head` tags scattered across components. Use the built-in Metadata API explicitly.
+
+```typescript
+// app/blog/[slug]/page.tsx
+import { Metadata } from 'next';
+
+export async function generateMetadata({ params }): Promise<Metadata> {
+  const post = await fetchPost(params.slug);
+
+  return {
+    title: `${post.title} | MyBrand`,
+    description: post.excerpt,
+    keywords: post.tags,
+    alternates: {
+      canonical: `https://www.example.com/blog/${params.slug}`
+    },
+    openGraph: {
+      title: post.title,
+      description: post.excerpt,
+      type: 'article',
+      url: `https://example.com/blog/${params.slug}`,
+      images: [{ url: post.coverImageUrl, width: 1200, height: 630 }],
+    },
+    twitter: {
+      card: 'summary_large_image', // Critical for big Twitter link previews
+    }
+  };
+}
+```
+
+---
+
+## 2. Semantic HTML & Heading Hierarchy
+
+Google establishes context by parsing the DOM outline. A massive application constructed purely of `<div className="text-xl font-bold">` tags will be heavily penalized.
+
+1. **The H1 Law:** Exactly ONE `<h1>` per page. This is the primary subject.
+2. **Hierarchy Integrity:** Never skip heading levels. An `<h2>` MUST precede an `<h3>`. Do not use heading tags for visual sizing; use them purely for document structure.
+3. **Semantic Tags:** Wrap headers in `<header>`, menus in `<nav>`, main content in `<main>`, and sidebars in `<aside>`.
+
+```html
+<!-- ✅ GOOD: Perfect SEO Document Outline -->
+<main>
+  <article>
+    <h1>The Future of AI Agents</h1>
+    <p>Introduction...</p>
+
+    <h2>Architectural Patterns</h2>
+    <section>
+       <h3>The Supervisor Pattern</h3>
+       <p>Content regarding supervisors...</p>
+    </section>
+  </article>
+</main>
+```
+
+---
+
+## 3. Structured Data (JSON-LD)
+
+Help search engines understand exact data graphs (Products, Reviews, Articles, Jobs) bypassingly standard text crawling. Inject standard `Schema.org` JSON-LD.
+
+```typescript
+// Injecting JSON-LD structurally into a React/Next component
+export default function ProductPage({ product }) {
+  const jsonLd = {
+    '@context': 'https://schema.org',
+    '@type': 'Product',
+    name: product.name,
+    image: product.image,
+    description: product.description,
+    offers: {
+      '@type': 'Offer',
+      price: product.price,
+      priceCurrency: 'USD',
+      availability: product.inStock ? 'https://schema.org/InStock' : 'https://schema.org/OutOfStock',
+    },
+  };
+
+  return (
+    <section>
+      {/* Script injected cleanly into DOM */}
+      <script
+        type="application/ld+json"
+        dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
+      />
+      
+      <h1>{product.name}</h1>
+      {/* ... rest of UI ... */}
+    </section>
+  );
+}
+```
+
+---
+
+## 4. Robots & Sitemaps
+
+If a page shouldn't be indexed (e.g., dynamic search result matrices, user profiles), you must explicitly block it, otherwise Googlebot wastes "Crawl Budget" on infinite URLs.
+
+- **`robots.txt`**: Denies crawling of specific directories.
+- **`<meta name="robots" content="noindex, nofollow">`**: Denies indexing of a specific page instance.
+- **`sitemap.xml`**: A programmatic manifest mapped to root guiding crawlers mathematically through all valid indexable paths.
+
+---

package/.agent/skills/server-management/SKILL.md

@@ -1,190 +1,164 @@
----
-name: server-management
-description: Production Linux server administration mastery. Systemd services, Nginx reverse proxy architecture, UFW firewalls, SSH key security, cron scheduling, log rotation, and server hardening. Use when configuring bare-metal, VPS instances, or reviewing deployment architecture.
-allowed-tools: Read, Write, Edit, Glob, Grep
-version: 2.0.0
-last-updated: 2026-04-02
-applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
----
-
-# Server Management — Production Linux Mastery
-
-> Never run a web server as root. Never expose raw ports securely.
-> A naked Node/Python process dies silently. A systemd service acts as its immortal guardian.
-
----
-
-## 1. Systemd Service Architecture (Process Guard)
-
-Do not use `pm2`, `forever`, or custom `screen` sessions attached to SSH panels for server orchestration. Linux provides an enterprise-grade init system natively: systemd.
-
-```ini
-# /etc/systemd/system/myapp.service
-
-[Unit]
-Description=My Application Node.js Server
-Documentation=https://example.com/docs
-After=network.target postgresql.service # Ensure DB and Network start first
-
-[Service]
-Type=simple
-User=appuser     # NEVER run as root
-Group=appuser
-WorkingDirectory=/var/www/myapp
-
-# Explicitly declare environment limits and variables
-Environment=NODE_ENV=production
-Environment=PORT=3000
-EnvironmentFile=/var/www/myapp/.env
-
-# The execution target
-ExecStart=/usr/bin/node /var/www/myapp/build/index.js
-
-# Immortal behavior: Restart strictly on failure
-Restart=on-failure
-RestartSec=5
-
-# Security Hardening
-NoNewPrivileges=yes
-PrivateTmp=yes
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
-
-[Install]
-WantedBy=multi-user.target
-```
-
-**Commands:**
-`sudo systemctl daemon-reload`
-`sudo systemctl enable myapp`
-`sudo systemctl start myapp`
-`journalctl -u myapp -f` (Follow logs seamlessly)
-
----
-
-## 2. Nginx Reverse Proxy Architecture
-
-You must shield your internal application framework (Node/Python/Ruby) behind Nginx. Nginx handles SSL termination, static file caching, and DDOS mitigation.
-
-```nginx
-# /etc/nginx/sites-available/myapp.com
-
-server {
-    listen 80;
-    server_name api.myapp.com;
-    
-    # Force SSL Redirect
-    return 301 https://$host$request_uri;
-}
-
-server {
-    listen 443 ssl http2;
-    server_name api.myapp.com;
-
-    # SSL Certs (Let's Encrypt / Certbot)
-    ssl_certificate /etc/letsencrypt/live/api.myapp.com/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/api.myapp.com/privkey.pem;
-
-    # Modern Security Headers
-    add_header Strict-Transport-Security "max-age=63072000" always;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-Frame-Options DENY;
-
-    # GZIP Compression
-    gzip on;
-    gzip_types text/plain application/json;
-
-    location / {
-        # Proxy traffic to internal local process
-        proxy_pass http://127.0.0.1:3000;
-        
-        # Forward original IP and Protocol for rate limiters
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-
-        # WebSocket support (Required for GraphQL subscriptions, TRPC, Socket.io)
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection "upgrade";
-    }
-}
-```
-
----
-
-## 3. Server Hardening Fundamentals
-
-### SSH Security (`/etc/ssh/sshd_config`)
-```bash
-PermitRootLogin no           # Kill direct root login attacks immediately
-PasswordAuthentication no    # Enforce SSH key-based login ONLY
-Port 2022                    # (Optional) Obscurity defense against automated script-kiddie scanners
-```
-
-### Uncomplicated Firewall (UFW)
-A naked server with all ports open is a honeypot.
-```bash
-sudo ufw default deny incoming
-sudo ufw default allow outgoing
-sudo ufw allow 22/tcp      # Allow SSH
-sudo ufw allow 80/tcp      # Allow HTTP
-sudo ufw allow 443/tcp     # Allow HTTPS
-sudo ufw enable
-```
-
-### Fail2Ban
-Automatically bans IPs attempting brute force credential filling after 5 bad attempts.
-
----
-
-## 4. Log Rotation (Prevent Disk Full Outages)
-
-A server will inevitably crash when `/var/log` consumes 100% of the disk.
-
-```bash
-# /etc/logrotate.d/myapp
-
-/var/www/myapp/logs/*.log {
-    daily                # Rotate every day
-    missingok            # Ignore if file is missing
-    rotate 14            # Keep 14 days of history
-    compress             # Gzip old logs
-    delaycompress        # Don't compress the one created yesterday
-    notifempty           # Do nothing if log is empty
-    copytruncate         # Copy then clear (avoids disrupting Node's open file handles)
-}
-```
-
----
-
-## 🤖 LLM-Specific Traps (Server Management)
-
-1. **PM2 Fallacy:** AI frequently defaults to `pm2 start app.js` for production deployments. Demand raw `systemd`. It ensures startup order (Wait for network) and unified journalctl logging.
-2. **Root Execution:** Suggesting `ExecStart=npm start` under the `User=root` directive. The application process should operate under a restricted `appuser` daemon tier.
-3. **Missing Proxy Headers:** AI writing basic Nginx configs but omitting `X-Forwarded-For`. This causes the internal App to log all requests as coming from "127.0.0.1", instantly breaking IP Rate limiters.
-4. **WebSocket Blocking:** Forgetting to pass `Upgrade` headers in Nginx proxy setups, breaking realtime web applications silently.
-5. **Naked Node Ports:** Instructing users to run `node index.js` on `port 80`. Never natively bind unprivileged web processes to port 80. Bind to 3000 locally and use reverse proxy routing.
-6. **Firewall Blindness:** Assuming Docker auto-secures ports. Executing `docker run -p 8080:80` on Ubuntu completely bypasses UFW restrictions through iptables hooks, exposing the database to the internet. Always bind `127.0.0.1:8080:80`.
-7. **Password SSH Prompts:** Creating automation scripts utilizing raw passwords (e.g., `sshpass`). Always assume ed25519 identity keyfiles for automated CI deployments.
-8. **Log Rotation Void:** Neglecting log rotation in custom bash script loops, guaranteeing a 100% disk usage outage 3 months later.
-9. **GZIP Assumption:** Forgetting to enable `gzip on` in Nginx resulting in 10MB JSON payloads saturating the virtual server network adapter.
-10. **In-place Nginx Modding:** Editing `/etc/nginx/nginx.conf` directly instead of writing symlinks between the `sites-available` and `sites-enabled` architecture.
-
----
-
-## 🏛️ Tribunal Integration
-
-### ✅ Pre-Flight Self-Audit
-```
-✅ Are persistent services orchestrated securely via `systemd` (not PM2)?
-✅ Does the systemd service explicitly execute as a non-root `appuser`?
-✅ Is the internal application shielded by an Nginx/Caddy reverse proxy?
-✅ Does the reverse proxy explicitly forward realtime `Upgrade` (WebSocket) headers?
-✅ Does the reverse proxy forward IP integrity headers (`X-Forwarded-For`)?
-✅ Has SSH `PasswordAuthentication` been disabled defensively?
-✅ Is UFW configured to strictly deny all incoming non-essential ports?
-✅ If suggesting Docker, are database/internal ports scoped to `127.0.0.1:X:Y`?
-✅ Have manual application log files been mapped in `logrotate.d`?
-✅ Has `PermitRootLogin` been set to `no`?
-```
+---
+name: server-management
+description: Production Linux server administration mastery. Systemd services, Nginx reverse proxy architecture, UFW firewalls, SSH key security, cron scheduling, log rotation, and server hardening. Use when configuring bare-metal, VPS instances, or reviewing deployment architecture.
+allowed-tools: Read, Write, Edit, Glob, Grep
+version: 2.0.0
+last-updated: 2026-04-02
+applies-to-model: gemini-2.5-pro, claude-3-7-sonnet
+---
+
+## Hallucination Traps (Read First)
+- ❌ Running services as root -> ✅ Create a dedicated service user with minimal permissions; never run as root
+- ❌ Using password-based SSH -> ✅ Disable password auth; use SSH key pairs only with `PermitRootLogin no`
+- ❌ Editing nginx config without testing -> ✅ Always run `nginx -t` before `systemctl reload nginx`; syntax errors take down all sites
+
+---
+
+
+# Server Management — Production Linux Mastery
+
+---
+
+## 1. Systemd Service Architecture (Process Guard)
+
+Do not use `pm2`, `forever`, or custom `screen` sessions attached to SSH panels for server orchestration. Linux provides an enterprise-grade init system natively: systemd.
+
+```ini
+# /etc/systemd/system/myapp.service
+
+[Unit]
+Description=My Application Node.js Server
+Documentation=https://example.com/docs
+After=network.target postgresql.service # Ensure DB and Network start first
+
+[Service]
+Type=simple
+User=appuser     # NEVER run as root
+Group=appuser
+WorkingDirectory=/var/www/myapp
+
+# Explicitly declare environment limits and variables
+Environment=NODE_ENV=production
+Environment=PORT=3000
+EnvironmentFile=/var/www/myapp/.env
+
+# The execution target
+ExecStart=/usr/bin/node /var/www/myapp/build/index.js
+
+# Immortal behavior: Restart strictly on failure
+Restart=on-failure
+RestartSec=5
+
+# Security Hardening
+NoNewPrivileges=yes
+PrivateTmp=yes
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+[Install]
+WantedBy=multi-user.target
+```
+
+**Commands:**
+`sudo systemctl daemon-reload`
+`sudo systemctl enable myapp`
+`sudo systemctl start myapp`
+`journalctl -u myapp -f` (Follow logs seamlessly)
+
+---
+
+## 2. Nginx Reverse Proxy Architecture
+
+You must shield your internal application framework (Node/Python/Ruby) behind Nginx. Nginx handles SSL termination, static file caching, and DDOS mitigation.
+
+```nginx
+# /etc/nginx/sites-available/myapp.com
+
+server {
+    listen 80;
+    server_name api.myapp.com;
+    
+    # Force SSL Redirect
+    return 301 https://$host$request_uri;
+}
+
+server {
+    listen 443 ssl http2;
+    server_name api.myapp.com;
+
+    # SSL Certs (Let's Encrypt / Certbot)
+    ssl_certificate /etc/letsencrypt/live/api.myapp.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/api.myapp.com/privkey.pem;
+
+    # Modern Security Headers
+    add_header Strict-Transport-Security "max-age=63072000" always;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-Frame-Options DENY;
+
+    # GZIP Compression
+    gzip on;
+    gzip_types text/plain application/json;
+
+    location / {
+        # Proxy traffic to internal local process
+        proxy_pass http://127.0.0.1:3000;
+        
+        # Forward original IP and Protocol for rate limiters
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # WebSocket support (Required for GraphQL subscriptions, TRPC, Socket.io)
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+    }
+}
+```
+
+---
+
+## 3. Server Hardening Fundamentals
+
+### SSH Security (`/etc/ssh/sshd_config`)
+```bash
+PermitRootLogin no           # Kill direct root login attacks immediately
+PasswordAuthentication no    # Enforce SSH key-based login ONLY
+Port 2022                    # (Optional) Obscurity defense against automated script-kiddie scanners
+```
+
+### Uncomplicated Firewall (UFW)
+A naked server with all ports open is a honeypot.
+```bash
+sudo ufw default deny incoming
+sudo ufw default allow outgoing
+sudo ufw allow 22/tcp      # Allow SSH
+sudo ufw allow 80/tcp      # Allow HTTP
+sudo ufw allow 443/tcp     # Allow HTTPS
+sudo ufw enable
+```
+
+### Fail2Ban
+Automatically bans IPs attempting brute force credential filling after 5 bad attempts.
+
+---
+
+## 4. Log Rotation (Prevent Disk Full Outages)
+
+A server will inevitably crash when `/var/log` consumes 100% of the disk.
+
+```bash
+# /etc/logrotate.d/myapp
+
+/var/www/myapp/logs/*.log {
+    daily                # Rotate every day
+    missingok            # Ignore if file is missing
+    rotate 14            # Keep 14 days of history
+    compress             # Gzip old logs
+    delaycompress        # Don't compress the one created yesterday
+    notifempty           # Do nothing if log is empty
+    copytruncate         # Copy then clear (avoids disrupting Node's open file handles)
+}
+```
+
+---