Standardise project against deployment standards

- Security headers: remove deprecated X-XSS-Protection, add HSTS in prod
- HTTP server: WriteTimeout 5s→10s, IdleTimeout 120s→60s per standard
- Workflow: checkout@v6, setup-go@v6, go-version-file: go.mod
- server-setup.sh: add app dir, .env template, systemd service with hardening
- .gitignore: add *.db, *.db-wal, *.db-shm
- .gitattributes: add *.sql (lf) and *.bat (crlf)
- Tests: verify HSTS in prod, absence of X-XSS-Protection

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: exploded

.gitattributes

@@ -18,8 +18,10 @@ scripts/*   text eol=lf
 *.yaml      text eol=lf
 *.json      text eol=lf
 *.md        text eol=lf
+*.sql       text eol=lf
 *.mod       text eol=lf
 *.sum       text eol=lf
+*.bat       text eol=crlf
 
 # True binaries — no line-ending conversion
 *.jpg       binary

.github/workflows/deploy.yml

@@ -11,13 +11,12 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.21'
-          cache: false
+          go-version-file: go.mod
 
       - name: Download dependencies
         run: go mod download
@@ -32,13 +31,12 @@ jobs:
     if: github.ref == 'refs/heads/master' && github.event_name == 'push'
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Set up Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
-          go-version: '1.21'
-          cache: false
+          go-version-file: go.mod
 
       - name: Download dependencies
         run: go mod download

.gitignore

@@ -21,6 +21,11 @@ Thumbs.db
 *.swp
 *.swo
 
+# Database files
+*.db
+*.db-wal
+*.db-shm
+
 # Build directories
 moon-env/
 dist/

CLAUDE.md

@@ -0,0 +1,56 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Build & Run
+
+```bash
+# Windows local dev (build + run, loads .env automatically):
+build.bat
+
+# Quick restart (skip rebuild):
+run.bat
+
+# Build only:
+go build -o moon.exe
+
+# Linux production binary (required for Linode deploy — must be static):
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o moon .
+```
+
+Requires a `.env` file with `GOOGLE_MAPS_API_KEY`. See `.env.example`.
+
+## Tests
+
+```bash
+go test -v ./...
+```
+
+Tests use `httptest` against handlers directly. Templates must be present in the working directory (they're parsed via `template.ParseGlob("*.html")` at init).
+
+## Deployment
+
+Push to `master` triggers GitHub Actions: runs tests, builds static Linux binary, SCPs to Linode, runs `deploy-moon` script. No manual deploy steps needed.
+
+The deploy script (`scripts/deploy-moon`) stops the service, replaces the binary (must `rm -f` first to avoid "text file busy"), copies web assets, restarts. It has self-update logic.
+
+## Architecture
+
+Single-file Go server (`moon.go`) with no framework. All handlers, middleware, and `main()` live in one file.
+
+**Request flow:** `main()` → `makeHTTPServer()` → `http.ServeMux` with middleware chain: `requestLogger(securityHeaders(mux))`. Static assets get an additional `cacheStaticAssets` wrapper.
+
+**Routes:**
+- `/` — home page with Google Maps, geolocation, moon rise/set display
+- `/about` — static about page
+- `/calendar` — full-month table of sun/moon rise/set times; server-rendered with `year`/`month`/`lat`/`lon`/`zon` query params
+- `/gettimes` — JSON API returning `riseset.RiseSet` for given `lon`/`lat`/`zon`
+- `/static/` — CSS, JS, background image
+
+**Templates:** Go `html/template` files at project root (`index.html`, `about.html`, `calendar.html`). Parsed once at init, with fallback to on-demand parsing. Google Maps API key is injected server-side into `index.html` (not exposed via JS endpoint).
+
+**Key dependency:** `github.com/exploded/riseset` — calculates rise/set times. Pinned to a pseudo-version commit hash in `go.mod`. Update with `go get github.com/exploded/riseset@<commit>`.
+
+**Frontend:** Vanilla JS + jQuery 3.7.1. `static/script.js` handles Google Maps (AdvancedMarkerElement), geolocation, timezone auto-detection, and AJAX calls to `/gettimes`. The `updateCalLink()` function keeps the calendar link in sync with current lat/lon/zon.
+
+**riseset API caveat:** Always check `AlwaysAbove`/`AlwaysBelow` before displaying `Rise`/`Set` values. Rise/Set are empty strings when the moon never rises or never sets.

moon.go

@@ -66,12 +66,14 @@ func requestLogger(next http.Handler) http.Handler {
 }
 
 // Add security headers to all responses
-func securityHeaders(next http.Handler) http.Handler {
+func securityHeaders(isProd bool, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 		w.Header().Set("X-Frame-Options", "DENY")
-		w.Header().Set("X-XSS-Protection", "1; mode=block")
 		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		if isProd {
+			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		}
 		// CSP allows Google Maps with WebAssembly and all required resources
 		w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https://maps.googleapis.com https://code.jquery.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; img-src 'self' data: blob: https://*.googleapis.com https://*.gstatic.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' data: https://maps.googleapis.com https://*.gstatic.com; worker-src blob:")
 		next.ServeHTTP(w, r)
@@ -87,18 +89,18 @@ func cacheStaticAssets(next http.Handler) http.Handler {
 	})
 }
 
-func makeServerFromMux(mux *http.ServeMux) *http.Server {
+func makeServerFromMux(mux *http.ServeMux, isProd bool) *http.Server {
 	// set timeouts so that a slow or malicious client doesn't
 	// hold resources forever
 	return &http.Server{
 		ReadTimeout:  5 * time.Second,
-		WriteTimeout: 5 * time.Second,
-		IdleTimeout:  120 * time.Second,
-		Handler:      requestLogger(securityHeaders(mux)),
+		WriteTimeout: 10 * time.Second,
+		IdleTimeout:  60 * time.Second,
+		Handler:      requestLogger(securityHeaders(isProd, mux)),
 	}
 }
 
-func makeHTTPServer() *http.Server {
+func makeHTTPServer(isProd bool) *http.Server {
 	mux := &http.ServeMux{}
 	mux.HandleFunc("/", handleIndex)
 	mux.HandleFunc("/about", about)
@@ -111,7 +113,7 @@ func makeHTTPServer() *http.Server {
 	mux.Handle("/static/", http.StripPrefix("/static/", cacheStaticAssets(fileServer)))
 	// 404 handler for all other routes
 	mux.HandleFunc("/404", handle404)
-	return makeServerFromMux(mux)
+	return makeServerFromMux(mux, isProd)
 }
 
 func main() {
@@ -153,7 +155,7 @@ func main() {
 	log.Printf("Production: %v", flgProduction)
 	log.Printf("HTTP Port: %s", httpPort)
 
-	httpSrv := makeHTTPServer()
+	httpSrv := makeHTTPServer(flgProduction)
 	httpSrv.Addr = httpPort
 
 	// Start server in goroutine

moon_test.go

@@ -63,7 +63,7 @@ func TestGettimesMissingParams(t *testing.T) {
 
 // Test security headers middleware
 func TestSecurityHeaders(t *testing.T) {
-	handler := securityHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+	handler := securityHeaders(false, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
 	}))
 
@@ -81,7 +81,6 @@ func TestSecurityHeaders(t *testing.T) {
 	}{
 		{"X-Content-Type-Options", "nosniff"},
 		{"X-Frame-Options", "DENY"},
-		{"X-XSS-Protection", "1; mode=block"},
 		{"Referrer-Policy", "strict-origin-when-cross-origin"},
 	}
 
@@ -90,6 +89,36 @@ func TestSecurityHeaders(t *testing.T) {
 			t.Errorf("security header %s = %v, want %v", tt.header, got, tt.want)
 		}
 	}
+
+	// X-XSS-Protection should NOT be set (deprecated)
+	if got := rr.Header().Get("X-XSS-Protection"); got != "" {
+		t.Errorf("X-XSS-Protection should not be set, got %v", got)
+	}
+
+	// HSTS should NOT be set in non-prod mode
+	if got := rr.Header().Get("Strict-Transport-Security"); got != "" {
+		t.Errorf("HSTS should not be set in non-prod mode, got %v", got)
+	}
+}
+
+// Test HSTS header is set in prod mode
+func TestSecurityHeadersProd(t *testing.T) {
+	handler := securityHeaders(true, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req, err := http.NewRequest("GET", "/", nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	want := "max-age=63072000; includeSubDomains"
+	if got := rr.Header().Get("Strict-Transport-Security"); got != want {
+		t.Errorf("HSTS header = %v, want %v", got, want)
+	}
 }
 
 // Test cache headers middleware

scripts/server-setup.sh

@@ -53,10 +53,77 @@ chmod 600 "$KEY_DIR/authorized_keys"
 chown -R "$DEPLOY_USER:$DEPLOY_USER" "$KEY_DIR"
 
 # ---------------------------------------------------------------
-# 3. Create the server-side deploy script (runs as root via sudo)
-#
-#    Reads User/Group directly from the installed service file so
-#    this script never needs to hardcode a username.
+# 3. Create application directory
+# ---------------------------------------------------------------
+APP_DIR="/var/www/moon"
+if [ -d "$APP_DIR" ]; then
+    echo "[ok] Application directory $APP_DIR already exists"
+else
+    mkdir -p "$APP_DIR"
+    chown www-data:www-data "$APP_DIR"
+    echo "[ok] Created application directory $APP_DIR"
+fi
+
+# ---------------------------------------------------------------
+# 4. Create .env template
+# ---------------------------------------------------------------
+ENV_FILE="$APP_DIR/.env"
+if [ -f "$ENV_FILE" ]; then
+    echo "[ok] .env file already exists at $ENV_FILE (not overwriting)"
+else
+    cat > "$ENV_FILE" << 'ENV_TEMPLATE'
+# Google Maps API Configuration
+GOOGLE_MAPS_API_KEY=your_google_maps_api_key_here
+
+# Production flag
+PROD=True
+
+# Port the server listens on (default: 8484)
+PORT=8484
+
+# Monitor portal log shipping (optional)
+MONITOR_URL=
+MONITOR_API_KEY=
+ENV_TEMPLATE
+    chown www-data:www-data "$ENV_FILE"
+    chmod 600 "$ENV_FILE"
+    echo "[ok] Created .env template at $ENV_FILE (edit with real values)"
+fi
+
+# ---------------------------------------------------------------
+# 5. Create systemd service
+# ---------------------------------------------------------------
+SERVICE_FILE="/etc/systemd/system/moon.service"
+cat > "$SERVICE_FILE" << 'SERVICE'
+[Unit]
+Description=Moon Rise and Set Times
+After=network.target
+
+[Service]
+Type=simple
+User=www-data
+Group=www-data
+WorkingDirectory=/var/www/moon
+EnvironmentFile=/var/www/moon/.env
+ExecStart=/var/www/moon/moon
+Restart=on-failure
+RestartSec=5
+
+# Security hardening
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=full
+ProtectHome=true
+
+[Install]
+WantedBy=multi-user.target
+SERVICE
+
+systemctl daemon-reload
+echo "[ok] Created systemd service at $SERVICE_FILE"
+
+# ---------------------------------------------------------------
+# 6. Create the server-side deploy script (runs as root via sudo)
 # ---------------------------------------------------------------
 cat > /usr/local/bin/deploy-moon << 'DEPLOY_SCRIPT'
 #!/bin/bash
@@ -125,7 +192,7 @@ chmod +x /usr/local/bin/deploy-moon
 echo "[ok] Created /usr/local/bin/deploy-moon"
 
 # ---------------------------------------------------------------
-# 4. Configure sudoers — only allow the one deploy script
+# 7. Configure sudoers — only allow the one deploy script
 # ---------------------------------------------------------------
 SUDOERS_FILE="/etc/sudoers.d/moon-deploy"
 
@@ -141,7 +208,7 @@ visudo -c -f "$SUDOERS_FILE"
 echo "[ok] sudoers entry created at $SUDOERS_FILE"
 
 # ---------------------------------------------------------------
-# 5. Print next steps
+# 8. Print next steps
 # ---------------------------------------------------------------
 echo ""
 echo "=== Setup complete. Add these secrets to your GitHub repository: ==="