feat: add valkey backed store

Signed-off-by: Xe Iaso <me@xeiaso.net>

.air.toml

@@ -9,4 +9,4 @@ exclude_dir = ["var", "vendor", "docs", "node_modules"]
 
 [logger]
 time = true
-# to change flags at runtime, prepend with -- e.g. $ air -- --target http://localhost:3000 --difficulty 20 --use-remote-address
+# to change flags at runtime, prepend with -- e.g. $ air -- --target http://localhost:3000 --difficulty 20 --use-remote-address

.devcontainer/Dockerfile

@@ -1,14 +0,0 @@
-FROM ghcr.io/xe/devcontainer-base/pre/go
-
-WORKDIR /app
-
-COPY go.mod go.sum package.json package-lock.json ./
-RUN go install github.com/a-h/templ/cmd/templ \
-  && npx --yes playwright@1.52.0 install --with-deps\
-  && apt-get update \
-  && apt-get -y install zstd brotli redis \
-  && mkdir -p /home/vscode/.local/share/fish \
-  && chown -R vscode:vscode /home/vscode/.local/share/fish \
-  && chown -R vscode:vscode /go
-
-CMD ["/usr/bin/sleep", "infinity"]

.devcontainer/README.md

@@ -1,13 +0,0 @@
-# Anubis Dev Container
-
-Anubis offers a [development container](https://containers.dev/) image in order to make it easier to contribute to the project. This image is based on [Xe/devcontainer-base/go](https://github.com/Xe/devcontainer-base/tree/main/src/go), which is based on Debian Bookworm with the following customizations:
-
-- [Fish](https://fishshell.com/) as the shell complete with a custom theme
-- [Go](https://go.dev) at the most recent stable version
-- [Node.js](https://nodejs.org/en) at the most recent stable version
-- [Atuin](https://atuin.sh/) to sync shell history between your host OS and the development container
-- [Docker](https://docker.com) to manage and build Anubis container images from inside the development container
-- [Ko](https://ko.build/) to build production-ready Anubis container images
-- [Neovim](https://neovim.io/) for use with Git
-
-This development container is tested and known to work with [Visual Studio Code](https://code.visualstudio.com/). If you run into problems with it outside of VS Code, please file an issue and let us know what editor you are using.

.devcontainer/devcontainer.json

@@ -1,33 +0,0 @@
-// For format details, see https://aka.ms/devcontainer.json. For config options, see the
-// README at: https://github.com/devcontainers/templates/tree/main/src/debian
-{
-  "name": "Dev",
-  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-  // "build": {
-  //   "dockerfile": "./Dockerfile",
-  //   "context": "..",
-  //   "cacheFrom": [
-  //     "type=registry,ref=ghcr.io/techarohq/anubis/devcontainer"
-  //   ]
-  // },
-  "dockerComposeFile": ["./docker-compose.yaml"],
-  "service": "workspace",
-  "workspaceFolder": "/workspace/anubis",
-  "postStartCommand": "npm ci && go mod download",
-  "features": {
-    "ghcr.io/xe/devcontainer-features/ko:1.1.0": {}
-  },
-  "initializeCommand": "mkdir -p ${localEnv:HOME}${localEnv:USERPROFILE}/.local/share/atuin",
-  "customizations": {
-    "vscode": {
-      "extensions": [
-        "esbenp.prettier-vscode",
-        "ms-azuretools.vscode-containers",
-        "golang.go",
-        "unifiedjs.vscode-mdx",
-        "a-h.templ",
-        "redhat.vscode-yaml"
-      ]
-    }
-  }
-}

.devcontainer/docker-compose.yaml

@@ -1,19 +0,0 @@
-services:
-  valkey:
-    image: valkey/valkey:8
-    pull_policy: always
-
-  # VS Code workspace service
-  workspace:
-    image: ghcr.io/techarohq/anubis/devcontainer
-    build:
-      context: ..
-      dockerfile: .devcontainer/Dockerfile
-      cache_from:
-        - "type=registry,ref=ghcr.io/techarohq/anubis/devcontainer"
-    volumes:
-      - ../:/workspace/anubis:cached
-    environment:
-      VALKEY_URL: redis://valkey:6379/0
-    #entrypoint: ["/usr/bin/sleep", "infinity"]
-    user: vscode

.gitattributes

@@ -1 +1 @@
-**/*_templ.go linguist-generated=true
+web/index_templ.go linguist-generated

.github/actions/spelling/allow.txt

@@ -2,4 +2,4 @@ github
 https
 ssh
 ubuntu
-workarounds
+workarounds

.github/actions/spelling/excludes.txt

@@ -83,11 +83,6 @@
 ^\Q.github/FUNDING.yml\E$
 ^\Q.github/workflows/spelling.yml\E$
 ^data/crawlers/
-^docs/blog/tags\.yml$
-^docs/manifest/.*$
 ^docs/static/\.nojekyll$
-^lib/policy/config/testdata/bad/unparseable\.json$
 ignore$
 robots.txt
-^lib/localization/locales/.*\.json$
-^lib/localization/.*_test.go$

.github/actions/spelling/expect.txt

@@ -1,4 +1,3 @@
-acs
 aeacus
 Aibrew
 alrest
@@ -6,210 +5,133 @@ amazonbot
 anthro
 anubis
 anubistest
-apk
-Applebot
 archlinux
-asnc
-asnchecker
-asns
-aspirational
-atuin
-azuretools
 badregexes
-bbolt
-bdba
 berr
 bingbot
-bitcoin
-bitrate
+Bitcoin
 blogging
 Bluesky
 blueskybot
 boi
 botnet
-botstopper
 BPort
-Brightbot
 broked
-Bytespider
 cachebuster
-cachediptoasn
 Caddyfile
 caninetools
 Cardyb
 celchecker
-celphase
-cerr
+CELPHASE
 certresolver
-cespare
 CGNAT
 cgr
 chainguard
 chall
 challengemozilla
-challengetest
-checkpath
 checkresult
+chen
 chibi
 cidranger
 ckie
-ckies
 cloudflare
-Codespaces
-confd
-connnection
 containerbuild
 coreutils
-Cotoyogi
 CRDs
-Cromite
 crt
-Cscript
 daemonizing
 DDOS
 Debian
 debrpm
 decaymap
-Diffbot
+decompiling
 discordapp
 discordbot
 distros
 dnf
 dnsbl
 dnserr
-domainhere
 dracula
 dronebl
 droneblresponse
-dropin
 duckduckbot
-eerror
 ellenjoe
-emacs
 enbyware
-etld
 everyones
 evilbot
 evilsite
 expressionorlist
-externalagent
-externalfetcher
 extldflags
 facebookgo
-Factset
 fastcgi
 fediverse
-ffprobe
 finfos
-Firecrawl
 flagenv
 Fordola
 forgejo
 fsys
 fullchain
-gaissmai
 Galvus
-geoip
-geoipchecker
 gha
-gipc
 gitea
-godotenv
 goland
 gomod
 goodbot
 googlebot
 govulncheck
-goyaml
 GPG
-GPT
-gptbot
-grpcprom
-grw
 Hashcash
 hashrate
 headermap
 healthcheck
-hebis
 hec
 hmc
 hostable
-htmlc
-htmx
 httpdebug
-Huawei
-hypertext
-iaskspider
 iat
 ifm
-Imagesift
-imgproxy
-impressum
 inp
-IPTo
-iptoasn
 iss
-isset
 ivh
-Jenomis
 JGit
-joho
 journalctl
 jshelter
 JWTs
 kagi
 kagibot
 keikaku
-Keyfunc
 keypair
 KHTML
 kinda
 KUBECONFIG
-lcj
 ldflags
 letsencrypt
-Lexentale
 lgbt
 licend
 licstart
 lightpanda
-LIMSA
 Linting
 linuxbrew
 LLU
 loadbalancer
 lol
-LOMINSA
 maintainership
 malware
 mcr
 memes
-metarefresh
-metrix
 mimi
 minica
-mistralai
 Mojeek
 mojeekbot
 mozilla
 nbf
-netsurf
 nginx
-nicksnyder
 nobots
 NONINFRINGEMENT
 nosleep
-OCOB
 ogtags
-omgili
-omgilibot
-openai
-opengraph
-openrc
-oswald
+onionservice
 pag
-palemoon
-Pangu
 parseable
 passthrough
 Patreon
@@ -225,90 +147,50 @@ prebaked
 privkey
 promauto
 promhttp
-proofofwork
-publicsuffix
 pwcmd
 pwuser
-qualys
 qwant
 qwantbot
 rac
-rawler
 rcvar
-rdb
-redhat
 redir
 redirectscheme
-refactors
 relayd
 reputational
 reqmeta
 risc
 ruleset
-runlevels
 RUnlock
-runtimedir
 sas
-sasl
 Scumm
-searchbot
-searx
 sebest
 secretplans
 selfsigned
-Semrush
-Seo
 setsebool
-shellcheck
-Sidetrade
-simprint
 sitemap
-skopeo
-sls
-sni
 Sourceware
 Spambot
 sparkline
-spyderbot
 srv
 stackoverflow
 startprecmd
 stoppostcmd
-storetest
 subgrid
 subr
 subrequest
-SVCNAME
 tagline
 tarballs
-tarrif
-tbn
-tbr
 techaro
 techarohq
 templ
 templruntime
 testarea
-testdb
-Thancred
-thoth
-thothmock
-Tik
-Timpibot
+torproject
 traefik
-uberspace
-Unbreak
-unbreakdocker
-unifiedjs
 unixhttpd
 unmarshal
-unparseable
-uuidgen
 uvx
-UXP
-valkey
 Varis
-Velen
 vendored
 vhosts
 videotest
@@ -318,13 +200,8 @@ webmaster
 webpage
 websecure
 websites
-Webzio
-wildbase
-withthothmock
-wordpress
-Workaround
+workaround
 workdir
-wpbot
 xcaddy
 Xeact
 xeiaso
@@ -333,8 +210,6 @@ xesite
 xess
 xff
 XForwarded
-XNG
-XOB
 XReal
 yae
 YAMLTo
@@ -344,5 +219,4 @@ yourdomain
 yoursite
 Zenos
 zizmor
-zombocom
 zos

.github/actions/spelling/line_forbidden.patterns

@@ -20,6 +20,9 @@
 # https://twitter.com/nyttypos/status/1898844061873639490
 #\([A-Z][a-z]{2,}(?: [a-z]+){3,}\)\.\s
 
+# Complete sentences shouldn't be in the middle of another sentence as a parenthetical.
+(?<!\.)\.\),
+
 # Complete sentences in parentheticals should not have a space before the period.
 \s\.\)(?!.*\}\})
 
@@ -273,6 +276,14 @@
 # Most people only have two hands. Reword.
 \b(?i)on the third hand\b
 
+# Should be `Open Graph`
+# unless talking about a specific Open Graph implementation:
+# - Java
+# - Node
+# - Py
+# - Ruby
+\bOpenGraph\b
+
 # Should be `OpenShift`
 \bOpenshift\b
 

.github/actions/spelling/patterns.txt

@@ -128,7 +128,3 @@ go install(?:\s+[a-z]+\.[-@\w/.]+)+
 
 # ignore long runs of a single character:
 \b([A-Za-z])\g{-1}{3,}\b
-
-# hit-count: 1 file-count: 1
-# microsoft
-\b(?:https?://|)(?:(?:(?:blogs|download\.visualstudio|docs|msdn2?|research)\.|)microsoft|blogs\.msdn)\.co(?:m|\.\w\w)/[-_a-zA-Z0-9()=./%]*

.github/workflows/devcontainer.yml

@@ -1,47 +0,0 @@
-name: Dev container prebuild
-
-on:
-  push:
-    branches: ["main"]
-    tags: ["v*.*.*"]
-
-jobs:
-  devcontainer:
-    runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-tags: true
-          fetch-depth: 0
-          persist-credentials: false
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-
-      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
-        with:
-          node-version: latest
-
-      - run: |
-          sudo apt-get update
-          sudo apt-get -y install skopeo
-
-      - name: Log into registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
-        with:
-          registry: ghcr.io
-          username: techarohq
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Pre-build dev container image
-        uses: devcontainers/ci@8bf61b26e9c3a98f69cb6ce2f88d24ff59b785c6 # v0.3.1900000417
-        with:
-          imageName: ghcr.io/techarohq/anubis/devcontainer
-          cacheFrom: ghcr.io/techarohq/anubis/devcontainer
-          push: always
-          platform: linux/amd64,linux/arm64

.github/workflows/docker-pr.yml

@@ -22,7 +22,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
+        uses: Homebrew/actions/setup-homebrew@master
 
       - name: Setup Homebrew cellar cache
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/docker.yml

@@ -3,8 +3,8 @@ name: Docker image builds
 on:
   workflow_dispatch:
   push:
-    branches: ["main"]
-    tags: ["v*"]
+    branches: [ "main" ]
+    tags: [ "v*" ]
 
 env:
   DOCKER_METADATA_SET_OUTPUT_ENV: "true"
@@ -32,7 +32,7 @@ jobs:
           echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 
       - name: Set up Homebrew
-        uses: Homebrew/actions/setup-homebrew@main
+        uses: Homebrew/actions/setup-homebrew@master
 
       - name: Setup Homebrew cellar cache
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
@@ -55,7 +55,7 @@ jobs:
         run: |
           brew bundle
 
-      - name: Log into registry
+      - name: Log into registry 
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
@@ -77,8 +77,9 @@ jobs:
           DOCKER_REPO: ${{ env.IMAGE }}
           SLOG_LEVEL: debug
 
+      
       - name: Generate artifact attestation
-        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
+        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
         with:
           subject-name: ${{ env.IMAGE }}
           subject-digest: ${{ steps.build.outputs.digest }}

.github/workflows/docs-deploy.yml

@@ -3,7 +3,7 @@ name: Docs deploy
 on:
   workflow_dispatch:
   push:
-    branches: ["main"]
+    branches: [ "main" ]
 
 permissions:
   contents: read
@@ -22,9 +22,9 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
-      - name: Log into registry
+      - name: Log into registry 
         uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io
@@ -39,7 +39,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: ./docs
           cache-to: type=gha
@@ -50,15 +50,15 @@ jobs:
           push: true
 
       - name: Apply k8s manifests to aeacus
-        uses: actions-hub/kubectl@d50394b7d704525f93faefce1e65a6329ff67271 # v1.33.2
+        uses: actions-hub/kubectl@e81783053d902f50d752d21a6d99cf9689a652e1 # v1.33.0
         env:
-          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
+          KUBE_CONFIG: ${{ secrets.AEACUS_KUBECONFIG }}
         with:
           args: apply -k docs/manifest
 
       - name: Apply k8s manifests to aeacus
-        uses: actions-hub/kubectl@d50394b7d704525f93faefce1e65a6329ff67271 # v1.33.2
+        uses: actions-hub/kubectl@e81783053d902f50d752d21a6d99cf9689a652e1 # v1.33.0
         env:
-          KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
+          KUBE_CONFIG: ${{ secrets.AEACUS_KUBECONFIG }}
         with:
           args: rollout restart -n default deploy/anubis-docs

.github/workflows/docs-test.yml

@@ -18,7 +18,7 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
 
       - name: Docker meta
         id: meta
@@ -28,7 +28,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: ./docs
           cache-to: type=gha

.github/workflows/go.yml

@@ -25,7 +25,7 @@ jobs:
         sudo apt-get install -y build-essential
 
     - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@main
+      uses: Homebrew/actions/setup-homebrew@master
 
     - name: Setup Homebrew cellar cache
       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/package-builds-stable.yml

@@ -25,7 +25,7 @@ jobs:
         sudo apt-get install -y build-essential
 
     - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@main
+      uses: Homebrew/actions/setup-homebrew@master
 
     - name: Setup Homebrew cellar cache
       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/package-builds-unstable.yml

@@ -27,7 +27,7 @@ jobs:
         sudo apt-get install -y build-essential
 
     - name: Set up Homebrew
-      uses: Homebrew/actions/setup-homebrew@main
+      uses: Homebrew/actions/setup-homebrew@master
 
     - name: Setup Homebrew cellar cache
       uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3

.github/workflows/spelling.yml

@@ -89,7 +89,7 @@ jobs:
     steps:
       - name: check-spelling
         id: spelling
-        uses: check-spelling/check-spelling@c635c2f3f714eec2fcf27b643a1919b9a811ef2e # v0.0.25
+        uses: check-spelling/check-spelling@67debf50669c7fc76fc8f5d7f996384535a72b77 # v0.0.24
         with:
           suppress_push_for_open_pull_request: ${{ github.actor != 'dependabot[bot]' && 1 }}
           checkout: true

.github/workflows/ssh-ci-runner-cron.yml

@@ -1,37 +0,0 @@
-name: Regenerate ssh ci runner image
-
-on:
-  # pull_request:
-  #   branches: ["main"]
-  schedule:
-    - cron: "0 0 1,8,15,22 * *"
-  workflow_dispatch:
-
-permissions:
-  pull-requests: write
-  contents: write
-  packages: write
-
-jobs:
-  ssh-ci-rebuild:
-    if: github.repository == 'TecharoHQ/anubis'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-tags: true
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Log into registry
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      - name: Build and push
-        run: |
-          cd ./test/ssh-ci
-          docker buildx bake --push

.github/workflows/ssh-ci.yml

@@ -1,37 +0,0 @@
-name: SSH CI
-
-on:
-  push:
-    branches: ["main"]
-  # pull_request:
-  #   branches: ["main"]
-
-permissions:
-  contents: read
-
-jobs:
-  ssh:
-    if: github.repository == 'TecharoHQ/anubis'
-    runs-on: ubuntu-24.04
-    strategy:
-      matrix:
-        host:
-          - ubuntu@riscv64.techaro.lol
-          - ci@ppc64le.techaro.lol
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          fetch-tags: true
-          fetch-depth: 0
-          persist-credentials: false
-      - name: Install CI target SSH key
-        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2.7.0
-        with:
-          key: ${{ secrets.CI_SSH_KEY }}
-          name: id_rsa
-          known_hosts: ${{ secrets.CI_SSH_KNOWN_HOSTS }}
-      - name: Run CI
-        run: bash test/ssh-ci/rigging.sh ${{ matrix.host }}
-        env:
-          GITHUB_RUN_ID: ${{ github.run_id }}

.github/workflows/zizmor.yml

@@ -21,7 +21,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@bd01e18f51369d5a26f1651c3cb451d3417e3bba # v6.3.1
+        uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
 
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif 
@@ -29,7 +29,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@39edc492dbe16b1465b0cafca41432d857bdb31a # v3.29.1
+        uses: github/codeql-action/upload-sarif@60168efe1c415ce0f5521ea06d5c2062adbeed1b # v3.28.17
         with:
           sarif_file: results.sarif
           category: zizmor

.gitignore

@@ -20,5 +20,3 @@ node_modules
 
 # how does this get here
 doc/VERSION
-
-web/static/locales/*.json

.vscode/extensions.json

@@ -1,10 +0,0 @@
-{
-  "recommendations": [
-    "esbenp.prettier-vscode",
-    "ms-azuretools.vscode-containers",
-    "golang.go",
-    "unifiedjs.vscode-mdx",
-    "a-h.templ",
-    "redhat.vscode-yaml"
-  ]
-}

.vscode/launch.json

@@ -1,27 +0,0 @@
-{
-  // Use IntelliSense to learn about possible attributes.
-  // Hover to view descriptions of existing attributes.
-  // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
-  "version": "0.2.0",
-  "configurations": [
-    {
-      "name": "Launch Package",
-      "type": "go",
-      "request": "launch",
-      "mode": "auto",
-      "program": "${fileDirname}"
-    },
-    {
-      "name": "Anubis [dev]",
-      "command": "npm run dev",
-      "request": "launch",
-      "type": "node-terminal"
-    },
-    {
-      "name": "Start Docs",
-      "command": "cd docs && npm ci && npm run start",
-      "request": "launch",
-      "type": "node-terminal"
-    }
-  ]
-}

.vscode/settings.json

@@ -11,24 +11,5 @@
     "zig": false,
     "javascript": false,
     "properties": false
-  },
-  "[markdown]": {
-    "editor.wordWrap": "wordWrapColumn",
-    "editor.wordWrapColumn": 80,
-    "editor.wordBasedSuggestions": "off"
-  },
-  "[mdx]": {
-    "editor.wordWrap": "wordWrapColumn",
-    "editor.wordWrapColumn": 80,
-    "editor.wordBasedSuggestions": "off"
-  },
-  "[nunjucks]": {
-    "editor.wordWrap": "wordWrapColumn",
-    "editor.wordWrapColumn": 80,
-    "editor.wordBasedSuggestions": "off"
-  },
-  "cSpell.enabledFileTypes": {
-    "mdx": true,
-    "md": true
   }
 }

Makefile

@@ -18,7 +18,6 @@ assets: deps
 
 build: assets
 	$(GO) build -o ./var/anubis ./cmd/anubis
-	$(GO) build -o ./var/robots2policy ./cmd/robots2policy
 	@echo "Anubis is now built to ./var/anubis"
 
 lint: assets
@@ -28,7 +27,6 @@ lint: assets
 
 prebaked-build:
 	$(GO) build -o ./var/anubis -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/anubis
-	$(GO) build -o ./var/robots2policy -ldflags "-X 'github.com/TecharoHQ/anubis.Version=$(VERSION)'" ./cmd/robots2policy
 
 test: assets
 	$(GO) test ./...

README.md

@@ -9,42 +9,19 @@
 ![GitHub go.mod Go version](https://img.shields.io/github/go-mod/go-version/TecharoHQ/anubis)
 ![language count](https://img.shields.io/github/languages/count/TecharoHQ/anubis)
 ![repo size](https://img.shields.io/github/repo-size/TecharoHQ/anubis)
-[![GitHub Sponsors](https://img.shields.io/github/sponsors/Xe)](https://github.com/sponsors/Xe)
 
 ## Sponsors
 
 Anubis is brought to you by sponsors and donors like:
 
-### Diamond Tier
-
-<a href="https://www.raptorcs.com/content/base/products.html">
-  <img src="./docs/static/img/sponsors/raptor-computing-logo.webp" alt="Raptor Computing Systems" height=64 />
-</a>
-
-### Gold Tier
-
-<a href="https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/distrust-logo.webp" alt="Distrust" height="64">
-</a>
-<a href="https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh">
-  <img src="./docs/static/img/sponsors/terminal-trove.webp" alt="Terminal Trove" height="64">
-</a>
-<a href="https://canine.tools?utm_campaign=github&utm_medium=referral&utm_content=anubis">
-  <img src="./docs/static/img/sponsors/caninetools-logo.webp" alt="canine.tools" height="64">
-</a>
-<a href="https://weblate.org/">
-  <img src="./docs/static/img/sponsors/weblate-logo.webp" alt="Weblate" height="64">
-</a>
-<a href="https://uberspace.de/">
-  <img src="./docs/static/img/sponsors/uberspace-logo.webp" alt="Uberspace" height="64">
-</a>
-<a href="https://wildbase.xyz/">
-  <img src="./docs/static/img/sponsors/wildbase-logo.webp" alt="Wildbase" height="64">
-</a>
+[![Distrust](./docs/static/img/sponsors/distrust-logo.webp)](https://distrust.co?utm_campaign=github&utm_medium=referral&utm_content=anubis)
+[![Terminal Trove](./docs/static/img/sponsors/terminal-trove.webp)](https://terminaltrove.com/?utm_campaign=github&utm_medium=referral&utm_content=anubis&utm_source=abgh)
+[![canine.tools](./docs/static/img/sponsors/caninetools-logo.webp)](https://canine.tools?utm_campaign=github&utm_medium=referral&utm_content=anubis)
+[![Weblate](./docs/static/img/sponsors/weblate-logo.webp)](https://weblate.org/?utm_campaign=github&utm_medium=referral&utm_content=anubis)
 
 ## Overview
 
-Anubis is a Web AI Firewall Utility that [weighs the soul of your connection](https://en.wikipedia.org/wiki/Weighing_of_souls) using one or more challenges in order to protect upstream resources from scraper bots.
+Anubis [weighs the soul of your connection](https://en.wikipedia.org/wiki/Weighing_of_souls) using a proof-of-work challenge in order to protect upstream resources from scraper bots.
 
 This program is designed to help protect the small internet from the endless storm of requests that flood in from AI companies. Anubis is as lightweight as possible to ensure that everyone can afford to protect the communities closest to them.
 

VERSION

@@ -1 +1 @@
-1.20.0
+1.18.0

anubis.go

@@ -11,11 +11,10 @@ var Version = "devel"
 
 // CookieName is the name of the cookie that Anubis uses in order to validate
 // access.
-var CookieName = "techaro.lol-anubis-auth"
+const CookieName = "techaro.lol-anubis-auth"
 
-// TestCookieName is the name of the cookie that Anubis uses in order to check
-// if cookies are enabled on the client's browser.
-var TestCookieName = "techaro.lol-anubis-cookie-verification"
+// WithDomainCookieName is the name that is prepended to the per-domain cookie used when COOKIE_DOMAIN is set.
+const WithDomainCookieName = "techaro.lol-anubis-auth-for-"
 
 // CookieDefaultExpirationTime is the amount of time before the cookie/JWT expires.
 const CookieDefaultExpirationTime = 7 * 24 * time.Hour
@@ -32,7 +31,3 @@ const APIPrefix = "/.within.website/x/cmd/anubis/api/"
 // DefaultDifficulty is the default "difficulty" (number of leading zeroes)
 // that must be met by the client in order to pass the challenge.
 const DefaultDifficulty = 4
-
-// ForcedLanguage is the language being used instead of the one of the request's Accept-Language header
-// if being set.
-var ForcedLanguage = ""

cmd/anubis/main.go

@@ -30,13 +30,11 @@ import (
 	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/data"
 	"github.com/TecharoHQ/anubis/internal"
-	"github.com/TecharoHQ/anubis/internal/thoth"
 	libanubis "github.com/TecharoHQ/anubis/lib"
 	botPolicy "github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/config"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
-	_ "github.com/joho/godotenv/autoload"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 )
 
@@ -46,13 +44,8 @@ var (
 	bindNetwork              = flag.String("bind-network", "tcp", "network family to bind HTTP to, e.g. unix, tcp")
 	challengeDifficulty      = flag.Int("difficulty", anubis.DefaultDifficulty, "difficulty of the challenge")
 	cookieDomain             = flag.String("cookie-domain", "", "if set, the top-level domain that the Anubis cookie will be valid for")
-	cookieDynamicDomain      = flag.Bool("cookie-dynamic-domain", false, "if set, automatically set the cookie Domain value based on the request domain")
 	cookieExpiration         = flag.Duration("cookie-expiration-time", anubis.CookieDefaultExpirationTime, "The amount of time the authorization cookie is valid for")
-	cookiePrefix             = flag.String("cookie-prefix", "techaro.lol-anubis", "prefix for browser cookies created by Anubis")
 	cookiePartitioned        = flag.Bool("cookie-partitioned", false, "if true, sets the partitioned flag on Anubis cookies, enabling CHIPS support")
-	forcedLanguage           = flag.String("forced-language", "", "if set, this language is being used instead of the one from the request's Accept-Language header")
-	hs512Secret              = flag.String("hs512-secret", "", "secret used to sign JWTs, uses ed25519 if not set")
-	cookieSecure             = flag.Bool("cookie-secure", true, "if true, sets the secure flag on Anubis cookies")
 	ed25519PrivateKeyHex     = flag.String("ed25519-private-key-hex", "", "private key used to sign JWTs, if not set a random one will be assigned")
 	ed25519PrivateKeyHexFile = flag.String("ed25519-private-key-hex-file", "", "file name containing value for ed25519-private-key-hex")
 	metricsBind              = flag.String("metrics-bind", ":9090", "network address to bind metrics to")
@@ -62,10 +55,7 @@ var (
 	policyFname              = flag.String("policy-fname", "", "full path to anubis policy document (defaults to a sensible built-in policy)")
 	redirectDomains          = flag.String("redirect-domains", "", "list of domains separated by commas which anubis is allowed to redirect to. Leaving this unset allows any domain.")
 	slogLevel                = flag.String("slog-level", "INFO", "logging level (see https://pkg.go.dev/log/slog#hdr-Levels)")
-	stripBasePrefix          = flag.Bool("strip-base-prefix", false, "if true, strips the base prefix from requests forwarded to the target server")
 	target                   = flag.String("target", "http://localhost:3923", "target to reverse proxy to, set to an empty string to disable proxying when only using auth request")
-	targetSNI                = flag.String("target-sni", "", "if set, the value of the TLS handshake hostname when forwarding requests to the target")
-	targetHost               = flag.String("target-host", "", "if set, the value of the Host header when forwarding requests to the target")
 	targetInsecureSkipVerify = flag.Bool("target-insecure-skip-verify", false, "if true, skips TLS validation for the backend")
 	healthcheck              = flag.Bool("healthcheck", false, "run a health check against Anubis")
 	useRemoteAddress         = flag.Bool("use-remote-address", false, "read the client's IP address from the network request, useful for debugging and running Anubis on bare metal")
@@ -75,12 +65,7 @@ var (
 	ogCacheConsiderHost      = flag.Bool("og-cache-consider-host", false, "enable or disable the use of the host in the Open Graph tag cache")
 	extractResources         = flag.String("extract-resources", "", "if set, extract the static resources to the specified folder")
 	webmasterEmail           = flag.String("webmaster-email", "", "if set, displays webmaster's email on the reject page for appeals")
-	versionFlag              = flag.Bool("version", false, "print Anubis version")
-	xffStripPrivate          = flag.Bool("xff-strip-private", true, "if set, strip private addresses from X-Forwarded-For")
-
-	thothInsecure = flag.Bool("thoth-insecure", false, "if set, connect to Thoth over plain HTTP/2, don't enable this unless support told you to")
-	thothURL      = flag.String("thoth-url", "", "if set, URL for Thoth, the IP reputation database for Anubis")
-	thothToken    = flag.String("thoth-token", "", "if set, API token for Thoth, the IP reputation database for Anubis")
+	valkeyURL                = flag.String("valkey-url", "", "Valkey URL for Anubis' state layer")
 )
 
 func keyFromHex(value string) (ed25519.PrivateKey, error) {
@@ -110,41 +95,8 @@ func doHealthCheck() error {
 	return nil
 }
 
-// parseBindNetFromAddr determine bind network and address based on the given network and address.
-func parseBindNetFromAddr(address string) (string, string) {
-	defaultScheme := "http://"
-	if !strings.Contains(address, "://") {
-		if strings.HasPrefix(address, ":") {
-			address = defaultScheme + "localhost" + address
-		} else {
-			address = defaultScheme + address
-		}
-	}
-
-	bindUri, err := url.Parse(address)
-	if err != nil {
-		log.Fatal(fmt.Errorf("failed to parse bind URL: %w", err))
-	}
-
-	switch bindUri.Scheme {
-	case "unix":
-		return "unix", bindUri.Path
-	case "tcp", "http", "https":
-		return "tcp", bindUri.Host
-	default:
-		log.Fatal(fmt.Errorf("unsupported network scheme %s in address %s", bindUri.Scheme, address))
-	}
-	return "", address
-}
-
 func setupListener(network string, address string) (net.Listener, string) {
 	formattedAddress := ""
-
-	if network == "" {
-		// keep compatibility
-		network, address = parseBindNetFromAddr(address)
-	}
-
 	switch network {
 	case "unix":
 		formattedAddress = "unix:" + address
@@ -184,7 +136,7 @@ func setupListener(network string, address string) (net.Listener, string) {
 	return listener, formattedAddress
 }
 
-func makeReverseProxy(target string, targetSNI string, targetHost string, insecureSkipVerify bool) (http.Handler, error) {
+func makeReverseProxy(target string, insecureSkipVerify bool) (http.Handler, error) {
 	targetUri, err := url.Parse(target)
 	if err != nil {
 		return nil, fmt.Errorf("failed to parse target URL: %w", err)
@@ -206,28 +158,16 @@ func makeReverseProxy(target string, targetSNI string, targetHost string, insecu
 		transport.RegisterProtocol("unix", libanubis.UnixRoundTripper{Transport: transport})
 	}
 
-	if insecureSkipVerify || targetSNI != "" {
-		transport.TLSClientConfig = &tls.Config{}
-		if insecureSkipVerify {
-			slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
-			transport.TLSClientConfig.InsecureSkipVerify = true
-		}
-		if targetSNI != "" {
-			transport.TLSClientConfig.ServerName = targetSNI
+	if insecureSkipVerify {
+		slog.Warn("TARGET_INSECURE_SKIP_VERIFY is set to true, TLS certificate validation will not be performed", "target", target)
+		transport.TLSClientConfig = &tls.Config{
+			InsecureSkipVerify: true,
 		}
 	}
 
 	rp := httputil.NewSingleHostReverseProxy(targetUri)
 	rp.Transport = transport
 
-	if targetHost != "" {
-		originalDirector := rp.Director
-		rp.Director = func(req *http.Request) {
-			originalDirector(req)
-			req.Host = targetHost
-		}
-	}
-
 	return rp, nil
 }
 
@@ -249,11 +189,6 @@ func main() {
 	flagenv.Parse()
 	flag.Parse()
 
-	if *versionFlag {
-		fmt.Println("Anubis", anubis.Version)
-		return
-	}
-
 	internal.InitSlog(*slogLevel)
 
 	if *extractResources != "" {
@@ -271,35 +206,13 @@ func main() {
 	// when using anubis via Systemd and environment variables, then it is not possible to set targe to an empty string but only to space
 	if strings.TrimSpace(*target) != "" {
 		var err error
-		rp, err = makeReverseProxy(*target, *targetSNI, *targetHost, *targetInsecureSkipVerify)
+		rp, err = makeReverseProxy(*target, *targetInsecureSkipVerify)
 		if err != nil {
 			log.Fatalf("can't make reverse proxy: %v", err)
 		}
 	}
 
-	if *cookieDomain != "" && *cookieDynamicDomain {
-		log.Fatalf("you can't set COOKIE_DOMAIN and COOKIE_DYNAMIC_DOMAIN at the same time")
-	}
-
-	ctx := context.Background()
-
-	// Thoth configuration
-	switch {
-	case *thothURL != "" && *thothToken == "":
-		slog.Warn("THOTH_URL is set but no THOTH_TOKEN is set")
-	case *thothURL == "" && *thothToken != "":
-		slog.Warn("THOTH_TOKEN is set but no THOTH_URL is set")
-	case *thothURL != "" && *thothToken != "":
-		slog.Debug("connecting to Thoth")
-		thothClient, err := thoth.New(ctx, *thothURL, *thothToken, *thothInsecure)
-		if err != nil {
-			log.Fatalf("can't dial thoth at %s: %v", *thothURL, err)
-		}
-
-		ctx = thoth.With(ctx, thothClient)
-	}
-
-	policy, err := libanubis.LoadPoliciesOrDefault(ctx, *policyFname, *challengeDifficulty)
+	policy, err := libanubis.LoadPoliciesOrDefault(*policyFname, *challengeDifficulty)
 	if err != nil {
 		log.Fatalf("can't parse policy file: %v", err)
 	}
@@ -327,20 +240,12 @@ func main() {
 	} else if strings.HasSuffix(*basePrefix, "/") {
 		log.Fatalf("[misconfiguration] base-prefix must not end with a slash")
 	}
-	if *stripBasePrefix && *basePrefix == "" {
-		log.Fatalf("[misconfiguration] strip-base-prefix is set to true, but base-prefix is not set, " +
-			"this may result in unexpected behavior")
-	}
 
-	var ed25519Priv ed25519.PrivateKey
-	if *hs512Secret != "" && (*ed25519PrivateKeyHex != "" || *ed25519PrivateKeyHexFile != "") {
-		log.Fatal("do not specify both HS512 and ED25519 secrets")
-	} else if *hs512Secret != "" {
-		ed25519Priv = ed25519.PrivateKey(*hs512Secret)
-	} else if *ed25519PrivateKeyHex != "" && *ed25519PrivateKeyHexFile != "" {
+	var priv ed25519.PrivateKey
+	if *ed25519PrivateKeyHex != "" && *ed25519PrivateKeyHexFile != "" {
 		log.Fatal("do not specify both ED25519_PRIVATE_KEY_HEX and ED25519_PRIVATE_KEY_HEX_FILE")
 	} else if *ed25519PrivateKeyHex != "" {
-		ed25519Priv, err = keyFromHex(*ed25519PrivateKeyHex)
+		priv, err = keyFromHex(*ed25519PrivateKeyHex)
 		if err != nil {
 			log.Fatalf("failed to parse and validate ED25519_PRIVATE_KEY_HEX: %v", err)
 		}
@@ -350,12 +255,12 @@ func main() {
 			log.Fatalf("failed to read ED25519_PRIVATE_KEY_HEX_FILE %s: %v", *ed25519PrivateKeyHexFile, err)
 		}
 
-		ed25519Priv, err = keyFromHex(string(bytes.TrimSpace(hexFile)))
+		priv, err = keyFromHex(string(bytes.TrimSpace(hexFile)))
 		if err != nil {
 			log.Fatalf("failed to parse and validate content of ED25519_PRIVATE_KEY_HEX_FILE: %v", err)
 		}
 	} else {
-		_, ed25519Priv, err = ed25519.GenerateKey(rand.Reader)
+		_, priv, err = ed25519.GenerateKey(rand.Reader)
 		if err != nil {
 			log.Fatalf("failed to generate ed25519 key: %v", err)
 		}
@@ -377,36 +282,21 @@ func main() {
 		slog.Warn("REDIRECT_DOMAINS is not set, Anubis will only redirect to the same domain a request is coming from, see https://anubis.techaro.lol/docs/admin/configuration/redirect-domains")
 	}
 
-	anubis.CookieName = *cookiePrefix + "-auth"
-	anubis.TestCookieName = *cookiePrefix + "-cookie-verification"
-	anubis.ForcedLanguage = *forcedLanguage
-
-	// If OpenGraph configuration values are not set in the config file, use the
-	// values from flags / envvars.
-	if !policy.OpenGraph.Enabled {
-		policy.OpenGraph.Enabled = *ogPassthrough
-		policy.OpenGraph.ConsiderHost = *ogCacheConsiderHost
-		policy.OpenGraph.TimeToLive = *ogTimeToLive
-		policy.OpenGraph.Override = map[string]string{}
-	}
-
 	s, err := libanubis.New(libanubis.Options{
-		BasePrefix:          *basePrefix,
-		StripBasePrefix:     *stripBasePrefix,
-		Next:                rp,
-		Policy:              policy,
-		ServeRobotsTXT:      *robotsTxt,
-		ED25519PrivateKey:   ed25519Priv,
-		HS512Secret:         []byte(*hs512Secret),
-		CookieDomain:        *cookieDomain,
-		CookieDynamicDomain: *cookieDynamicDomain,
-		CookieExpiration:    *cookieExpiration,
-		CookiePartitioned:   *cookiePartitioned,
-		RedirectDomains:     redirectDomainsList,
-		Target:              *target,
-		WebmasterEmail:      *webmasterEmail,
-		OpenGraph:           policy.OpenGraph,
-		CookieSecure:        *cookieSecure,
+		BasePrefix:           *basePrefix,
+		Next:                 rp,
+		Policy:               policy,
+		ServeRobotsTXT:       *robotsTxt,
+		PrivateKey:           priv,
+		CookieDomain:         *cookieDomain,
+		CookieExpiration:     *cookieExpiration,
+		CookiePartitioned:    *cookiePartitioned,
+		OGPassthrough:        *ogPassthrough,
+		OGTimeToLive:         *ogTimeToLive,
+		RedirectDomains:      redirectDomainsList,
+		Target:               *target,
+		WebmasterEmail:       *webmasterEmail,
+		OGCacheConsidersHost: *ogCacheConsiderHost,
 	})
 	if err != nil {
 		log.Fatalf("can't construct libanubis.Server: %v", err)
@@ -427,7 +317,7 @@ func main() {
 	h = s
 	h = internal.RemoteXRealIP(*useRemoteAddress, *bindNetwork, h)
 	h = internal.XForwardedForToXRealIP(h)
-	h = internal.XForwardedForUpdate(*xffStripPrivate, h)
+	h = internal.XForwardedForUpdate(h)
 
 	srv := http.Server{Handler: h, ErrorLog: internal.GetFilteredHTTPLogger()}
 	listener, listenerUrl := setupListener(*bindNetwork, *bind)
@@ -511,11 +401,11 @@ func extractEmbedFS(fsys embed.FS, root string, destDir string) error {
 			return os.MkdirAll(destPath, 0o700)
 		}
 
-		embeddedData, err := fs.ReadFile(fsys, path)
+		data, err := fs.ReadFile(fsys, path)
 		if err != nil {
 			return err
 		}
 
-		return os.WriteFile(destPath, embeddedData, 0o644)
+		return os.WriteFile(destPath, data, 0o644)
 	})
 }

cmd/robots2policy/batch/batch_process.go

@@ -1,78 +0,0 @@
-/*
-Batch process robots.txt files from archives like https://github.com/nrjones8/robots-dot-txt-archive-bot/tree/master/data/cleaned
-into Anubis CEL policies. Usage: go run batch_process.go <directory with robots.txt files>
-*/
-package main
-
-import (
-	"fmt"
-	"io/fs"
-	"log"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-)
-
-func main() {
-	if len(os.Args) < 2 {
-		fmt.Println("Usage: go run batch_process.go <cleaned_directory>")
-		fmt.Println("Example: go run batch_process.go ./cleaned")
-		os.Exit(1)
-	}
-
-	cleanedDir := os.Args[1]
-	outputDir := "generated_policies"
-
-	// Create output directory
-	if err := os.MkdirAll(outputDir, 0755); err != nil {
-		log.Fatalf("Failed to create output directory: %v", err)
-	}
-
-	count := 0
-	err := filepath.WalkDir(cleanedDir, func(path string, d fs.DirEntry, err error) error {
-		if err != nil {
-			return err
-		}
-
-		// Skip directories
-		if d.IsDir() {
-			return nil
-		}
-
-		// Generate policy name from file path
-		relPath, _ := filepath.Rel(cleanedDir, path)
-		policyName := strings.ReplaceAll(relPath, "/", "-")
-		policyName = strings.TrimSuffix(policyName, "-robots.txt")
-		policyName = strings.ReplaceAll(policyName, ".", "-")
-
-		outputFile := filepath.Join(outputDir, policyName+".yaml")
-
-		cmd := exec.Command("go", "run", "main.go",
-			"-input", path,
-			"-output", outputFile,
-			"-name", policyName,
-			"-format", "yaml")
-
-		if err := cmd.Run(); err != nil {
-			fmt.Printf("Warning: Failed to process %s: %v\n", path, err)
-			return nil // Continue processing other files
-		}
-
-		count++
-		if count%100 == 0 {
-			fmt.Printf("Processed %d files...\n", count)
-		} else if count%10 == 0 {
-			fmt.Print(".")
-		}
-
-		return nil
-	})
-
-	if err != nil {
-		log.Fatalf("Error walking directory: %v", err)
-	}
-
-	fmt.Printf("Successfully processed %d robots.txt files\n", count)
-	fmt.Printf("Generated policies saved to: %s/\n", outputDir)
-}

cmd/robots2policy/main.go

@@ -1,313 +0,0 @@
-package main
-
-import (
-	"bufio"
-	"encoding/json"
-	"flag"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"os"
-	"regexp"
-	"strings"
-
-	"github.com/TecharoHQ/anubis/lib/policy/config"
-
-	"sigs.k8s.io/yaml"
-)
-
-var (
-	inputFile     = flag.String("input", "", "path to robots.txt file (use - for stdin)")
-	outputFile    = flag.String("output", "", "output file path (use - for stdout, defaults to stdout)")
-	outputFormat  = flag.String("format", "yaml", "output format: yaml or json")
-	baseAction    = flag.String("action", "CHALLENGE", "default action for disallowed paths: ALLOW, DENY, CHALLENGE, WEIGH")
-	crawlDelay    = flag.Int("crawl-delay-weight", 0, "if > 0, add weight adjustment for crawl-delay (difficulty adjustment)")
-	policyName    = flag.String("name", "robots-txt-policy", "name for the generated policy")
-	userAgentDeny = flag.String("deny-user-agents", "DENY", "action for specifically blocked user agents: DENY, CHALLENGE")
-	helpFlag      = flag.Bool("help", false, "show help")
-)
-
-type RobotsRule struct {
-	UserAgent   string
-	Disallows   []string
-	Allows      []string
-	CrawlDelay  int
-	IsBlacklist bool // true if this is a specifically denied user agent
-}
-
-type AnubisRule struct {
-	Expression *config.ExpressionOrList `yaml:"expression,omitempty" json:"expression,omitempty"`
-	Challenge  *config.ChallengeRules   `yaml:"challenge,omitempty" json:"challenge,omitempty"`
-	Weight     *config.Weight           `yaml:"weight,omitempty" json:"weight,omitempty"`
-	Name       string                   `yaml:"name" json:"name"`
-	Action     string                   `yaml:"action" json:"action"`
-}
-
-func init() {
-	flag.Usage = func() {
-		fmt.Fprintf(os.Stderr, "Usage of %s:\n", os.Args[0])
-		fmt.Fprintf(os.Stderr, "%s [options] -input <robots.txt>\n\n", os.Args[0])
-		flag.PrintDefaults()
-		fmt.Fprintln(os.Stderr, "\nExamples:")
-		fmt.Fprintln(os.Stderr, "  # Convert local robots.txt file")
-		fmt.Fprintln(os.Stderr, "  robots2policy -input robots.txt -output policy.yaml")
-		fmt.Fprintln(os.Stderr, "")
-		fmt.Fprintln(os.Stderr, "  # Convert from URL")
-		fmt.Fprintln(os.Stderr, "  robots2policy -input https://example.com/robots.txt -format json")
-		fmt.Fprintln(os.Stderr, "")
-		fmt.Fprintln(os.Stderr, "  # Read from stdin, write to stdout")
-		fmt.Fprintln(os.Stderr, "  curl https://example.com/robots.txt | robots2policy -input -")
-		os.Exit(2)
-	}
-}
-
-func main() {
-	flag.Parse()
-
-	if len(flag.Args()) > 0 || *helpFlag || *inputFile == "" {
-		flag.Usage()
-	}
-
-	// Read robots.txt
-	var input io.Reader
-	if *inputFile == "-" {
-		input = os.Stdin
-	} else if strings.HasPrefix(*inputFile, "http://") || strings.HasPrefix(*inputFile, "https://") {
-		resp, err := http.Get(*inputFile)
-		if err != nil {
-			log.Fatalf("failed to fetch robots.txt from URL: %v", err)
-		}
-		defer resp.Body.Close()
-		input = resp.Body
-	} else {
-		file, err := os.Open(*inputFile)
-		if err != nil {
-			log.Fatalf("failed to open input file: %v", err)
-		}
-		defer file.Close()
-		input = file
-	}
-
-	// Parse robots.txt
-	rules, err := parseRobotsTxt(input)
-	if err != nil {
-		log.Fatalf("failed to parse robots.txt: %v", err)
-	}
-
-	// Convert to Anubis rules
-	anubisRules := convertToAnubisRules(rules)
-
-	// Check if any rules were generated
-	if len(anubisRules) == 0 {
-		log.Fatal("no valid rules generated from robots.txt - file may be empty or contain no disallow directives")
-	}
-
-	// Generate output
-	var output []byte
-	switch strings.ToLower(*outputFormat) {
-	case "yaml":
-		output, err = yaml.Marshal(anubisRules)
-	case "json":
-		output, err = json.MarshalIndent(anubisRules, "", "  ")
-	default:
-		log.Fatalf("unsupported output format: %s (use yaml or json)", *outputFormat)
-	}
-
-	if err != nil {
-		log.Fatalf("failed to marshal output: %v", err)
-	}
-
-	// Write output
-	if *outputFile == "" || *outputFile == "-" {
-		fmt.Print(string(output))
-	} else {
-		err = os.WriteFile(*outputFile, output, 0644)
-		if err != nil {
-			log.Fatalf("failed to write output file: %v", err)
-		}
-		fmt.Printf("Generated Anubis policy written to %s\n", *outputFile)
-	}
-}
-
-func parseRobotsTxt(input io.Reader) ([]RobotsRule, error) {
-	scanner := bufio.NewScanner(input)
-	var rules []RobotsRule
-	var currentRule *RobotsRule
-
-	for scanner.Scan() {
-		line := strings.TrimSpace(scanner.Text())
-
-		// Skip empty lines and comments
-		if line == "" || strings.HasPrefix(line, "#") {
-			continue
-		}
-
-		// Split on first colon
-		parts := strings.SplitN(line, ":", 2)
-		if len(parts) != 2 {
-			continue
-		}
-
-		directive := strings.TrimSpace(strings.ToLower(parts[0]))
-		value := strings.TrimSpace(parts[1])
-
-		switch directive {
-		case "user-agent":
-			// Start a new rule section
-			if currentRule != nil {
-				rules = append(rules, *currentRule)
-			}
-			currentRule = &RobotsRule{
-				UserAgent: value,
-				Disallows: make([]string, 0),
-				Allows:    make([]string, 0),
-			}
-
-		case "disallow":
-			if currentRule != nil && value != "" {
-				currentRule.Disallows = append(currentRule.Disallows, value)
-			}
-
-		case "allow":
-			if currentRule != nil && value != "" {
-				currentRule.Allows = append(currentRule.Allows, value)
-			}
-
-		case "crawl-delay":
-			if currentRule != nil {
-				if delay, err := parseIntSafe(value); err == nil {
-					currentRule.CrawlDelay = delay
-				}
-			}
-		}
-	}
-
-	// Don't forget the last rule
-	if currentRule != nil {
-		rules = append(rules, *currentRule)
-	}
-
-	// Mark blacklisted user agents (those with "Disallow: /")
-	for i := range rules {
-		for _, disallow := range rules[i].Disallows {
-			if disallow == "/" {
-				rules[i].IsBlacklist = true
-				break
-			}
-		}
-	}
-
-	return rules, scanner.Err()
-}
-
-func parseIntSafe(s string) (int, error) {
-	var result int
-	_, err := fmt.Sscanf(s, "%d", &result)
-	return result, err
-}
-
-func convertToAnubisRules(robotsRules []RobotsRule) []AnubisRule {
-	var anubisRules []AnubisRule
-	ruleCounter := 0
-
-	for _, robotsRule := range robotsRules {
-		userAgent := robotsRule.UserAgent
-
-		// Handle crawl delay as weight adjustment (do this first before any continues)
-		if robotsRule.CrawlDelay > 0 && *crawlDelay > 0 {
-			ruleCounter++
-			rule := AnubisRule{
-				Name:   fmt.Sprintf("%s-crawl-delay-%d", *policyName, ruleCounter),
-				Action: "WEIGH",
-				Weight: &config.Weight{Adjust: *crawlDelay},
-			}
-
-			if userAgent == "*" {
-				rule.Expression = &config.ExpressionOrList{
-					All: []string{"true"}, // Always applies
-				}
-			} else {
-				rule.Expression = &config.ExpressionOrList{
-					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgent)},
-				}
-			}
-
-			anubisRules = append(anubisRules, rule)
-		}
-
-		// Handle blacklisted user agents (complete deny/challenge)
-		if robotsRule.IsBlacklist {
-			ruleCounter++
-			rule := AnubisRule{
-				Name:   fmt.Sprintf("%s-blacklist-%d", *policyName, ruleCounter),
-				Action: *userAgentDeny,
-			}
-
-			if userAgent == "*" {
-				// This would block everything - convert to a weight adjustment instead
-				rule.Name = fmt.Sprintf("%s-global-restriction-%d", *policyName, ruleCounter)
-				rule.Action = "WEIGH"
-				rule.Weight = &config.Weight{Adjust: 20} // Increase difficulty significantly
-				rule.Expression = &config.ExpressionOrList{
-					All: []string{"true"}, // Always applies
-				}
-			} else {
-				rule.Expression = &config.ExpressionOrList{
-					All: []string{fmt.Sprintf("userAgent.contains(%q)", userAgent)},
-				}
-			}
-			anubisRules = append(anubisRules, rule)
-			continue
-		}
-
-		// Handle specific disallow rules
-		for _, disallow := range robotsRule.Disallows {
-			if disallow == "/" {
-				continue // Already handled as blacklist above
-			}
-
-			ruleCounter++
-			rule := AnubisRule{
-				Name:   fmt.Sprintf("%s-disallow-%d", *policyName, ruleCounter),
-				Action: *baseAction,
-			}
-
-			// Build CEL expression
-			var conditions []string
-
-			// Add user agent condition if not wildcard
-			if userAgent != "*" {
-				conditions = append(conditions, fmt.Sprintf("userAgent.contains(%q)", userAgent))
-			}
-
-			// Add path condition
-			pathCondition := buildPathCondition(disallow)
-			conditions = append(conditions, pathCondition)
-
-			rule.Expression = &config.ExpressionOrList{
-				All: conditions,
-			}
-
-			anubisRules = append(anubisRules, rule)
-		}
-
-	}
-
-	return anubisRules
-}
-
-func buildPathCondition(robotsPath string) string {
-	// Handle wildcards in robots.txt paths
-	if strings.Contains(robotsPath, "*") || strings.Contains(robotsPath, "?") {
-		// Convert robots.txt wildcards to regex
-		regex := regexp.QuoteMeta(robotsPath)
-		regex = strings.ReplaceAll(regex, `\*`, `.*`) // * becomes .*
-		regex = strings.ReplaceAll(regex, `\?`, `.`)  // ? becomes .
-		regex = "^" + regex
-		return fmt.Sprintf("path.matches(%q)", regex)
-	}
-
-	// Simple prefix match for most cases
-	return fmt.Sprintf("path.startsWith(%q)", robotsPath)
-}

cmd/robots2policy/robots2policy_test.go

@@ -1,418 +0,0 @@
-package main
-
-import (
-	"encoding/json"
-	"fmt"
-	"os"
-	"path/filepath"
-	"reflect"
-	"strings"
-	"testing"
-
-	"gopkg.in/yaml.v3"
-)
-
-type TestCase struct {
-	name         string
-	robotsFile   string
-	expectedFile string
-	options      TestOptions
-}
-
-type TestOptions struct {
-	format           string
-	action           string
-	crawlDelayWeight int
-	policyName       string
-	deniedAction     string
-}
-
-func TestDataFileConversion(t *testing.T) {
-
-	testCases := []TestCase{
-		{
-			name:         "simple_default",
-			robotsFile:   "simple.robots.txt",
-			expectedFile: "simple.yaml",
-			options:      TestOptions{format: "yaml"},
-		},
-		{
-			name:         "simple_json",
-			robotsFile:   "simple.robots.txt",
-			expectedFile: "simple.json",
-			options:      TestOptions{format: "json"},
-		},
-		{
-			name:         "simple_deny_action",
-			robotsFile:   "simple.robots.txt",
-			expectedFile: "deny-action.yaml",
-			options:      TestOptions{format: "yaml", action: "DENY"},
-		},
-		{
-			name:         "simple_custom_name",
-			robotsFile:   "simple.robots.txt",
-			expectedFile: "custom-name.yaml",
-			options:      TestOptions{format: "yaml", policyName: "my-custom-policy"},
-		},
-		{
-			name:         "blacklist_with_crawl_delay",
-			robotsFile:   "blacklist.robots.txt",
-			expectedFile: "blacklist.yaml",
-			options:      TestOptions{format: "yaml", crawlDelayWeight: 3},
-		},
-		{
-			name:         "wildcards",
-			robotsFile:   "wildcards.robots.txt",
-			expectedFile: "wildcards.yaml",
-			options:      TestOptions{format: "yaml"},
-		},
-		{
-			name:         "empty_file",
-			robotsFile:   "empty.robots.txt",
-			expectedFile: "empty.yaml",
-			options:      TestOptions{format: "yaml"},
-		},
-		{
-			name:         "complex_scenario",
-			robotsFile:   "complex.robots.txt",
-			expectedFile: "complex.yaml",
-			options:      TestOptions{format: "yaml", crawlDelayWeight: 5},
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.name, func(t *testing.T) {
-			robotsPath := filepath.Join("testdata", tc.robotsFile)
-			expectedPath := filepath.Join("testdata", tc.expectedFile)
-
-			// Read robots.txt input
-			robotsFile, err := os.Open(robotsPath)
-			if err != nil {
-				t.Fatalf("Failed to open robots file %s: %v", robotsPath, err)
-			}
-			defer robotsFile.Close()
-
-			// Parse robots.txt
-			rules, err := parseRobotsTxt(robotsFile)
-			if err != nil {
-				t.Fatalf("Failed to parse robots.txt: %v", err)
-			}
-
-			// Set test options
-			oldFormat := *outputFormat
-			oldAction := *baseAction
-			oldCrawlDelay := *crawlDelay
-			oldPolicyName := *policyName
-			oldDeniedAction := *userAgentDeny
-
-			if tc.options.format != "" {
-				*outputFormat = tc.options.format
-			}
-			if tc.options.action != "" {
-				*baseAction = tc.options.action
-			}
-			if tc.options.crawlDelayWeight > 0 {
-				*crawlDelay = tc.options.crawlDelayWeight
-			}
-			if tc.options.policyName != "" {
-				*policyName = tc.options.policyName
-			}
-			if tc.options.deniedAction != "" {
-				*userAgentDeny = tc.options.deniedAction
-			}
-
-			// Restore options after test
-			defer func() {
-				*outputFormat = oldFormat
-				*baseAction = oldAction
-				*crawlDelay = oldCrawlDelay
-				*policyName = oldPolicyName
-				*userAgentDeny = oldDeniedAction
-			}()
-
-			// Convert to Anubis rules
-			anubisRules := convertToAnubisRules(rules)
-
-			// Generate output
-			var actualOutput []byte
-			switch strings.ToLower(*outputFormat) {
-			case "yaml":
-				actualOutput, err = yaml.Marshal(anubisRules)
-			case "json":
-				actualOutput, err = json.MarshalIndent(anubisRules, "", "  ")
-			}
-			if err != nil {
-				t.Fatalf("Failed to marshal output: %v", err)
-			}
-
-			// Read expected output
-			expectedOutput, err := os.ReadFile(expectedPath)
-			if err != nil {
-				t.Fatalf("Failed to read expected file %s: %v", expectedPath, err)
-			}
-
-			if strings.ToLower(*outputFormat) == "yaml" {
-				var actualData []interface{}
-				var expectedData []interface{}
-
-				err = yaml.Unmarshal(actualOutput, &actualData)
-				if err != nil {
-					t.Fatalf("Failed to unmarshal actual output: %v", err)
-				}
-
-				err = yaml.Unmarshal(expectedOutput, &expectedData)
-				if err != nil {
-					t.Fatalf("Failed to unmarshal expected output: %v", err)
-				}
-
-				// Compare data structures
-				if !compareData(actualData, expectedData) {
-					actualStr := strings.TrimSpace(string(actualOutput))
-					expectedStr := strings.TrimSpace(string(expectedOutput))
-					t.Errorf("Output mismatch for %s\nExpected:\n%s\n\nActual:\n%s", tc.name, expectedStr, actualStr)
-				}
-			} else {
-				var actualData []interface{}
-				var expectedData []interface{}
-
-				err = json.Unmarshal(actualOutput, &actualData)
-				if err != nil {
-					t.Fatalf("Failed to unmarshal actual JSON output: %v", err)
-				}
-
-				err = json.Unmarshal(expectedOutput, &expectedData)
-				if err != nil {
-					t.Fatalf("Failed to unmarshal expected JSON output: %v", err)
-				}
-
-				// Compare data structures
-				if !compareData(actualData, expectedData) {
-					actualStr := strings.TrimSpace(string(actualOutput))
-					expectedStr := strings.TrimSpace(string(expectedOutput))
-					t.Errorf("Output mismatch for %s\nExpected:\n%s\n\nActual:\n%s", tc.name, expectedStr, actualStr)
-				}
-			}
-		})
-	}
-}
-
-func TestCaseInsensitiveParsing(t *testing.T) {
-	robotsTxt := `User-Agent: *
-Disallow: /admin
-Crawl-Delay: 10
-
-User-agent: TestBot
-disallow: /test
-crawl-delay: 5
-
-USER-AGENT: UpperBot
-DISALLOW: /upper
-CRAWL-DELAY: 20`
-
-	reader := strings.NewReader(robotsTxt)
-	rules, err := parseRobotsTxt(reader)
-	if err != nil {
-		t.Fatalf("Failed to parse case-insensitive robots.txt: %v", err)
-	}
-
-	expectedRules := 3
-	if len(rules) != expectedRules {
-		t.Errorf("Expected %d rules, got %d", expectedRules, len(rules))
-	}
-
-	// Check that all crawl delays were parsed
-	for i, rule := range rules {
-		expectedDelays := []int{10, 5, 20}
-		if rule.CrawlDelay != expectedDelays[i] {
-			t.Errorf("Rule %d: expected crawl delay %d, got %d", i, expectedDelays[i], rule.CrawlDelay)
-		}
-	}
-}
-
-func TestVariousOutputFormats(t *testing.T) {
-	robotsTxt := `User-agent: *
-Disallow: /admin`
-
-	reader := strings.NewReader(robotsTxt)
-	rules, err := parseRobotsTxt(reader)
-	if err != nil {
-		t.Fatalf("Failed to parse robots.txt: %v", err)
-	}
-
-	oldPolicyName := *policyName
-	*policyName = "test-policy"
-	defer func() { *policyName = oldPolicyName }()
-
-	anubisRules := convertToAnubisRules(rules)
-
-	// Test YAML output
-	yamlOutput, err := yaml.Marshal(anubisRules)
-	if err != nil {
-		t.Fatalf("Failed to marshal YAML: %v", err)
-	}
-
-	if !strings.Contains(string(yamlOutput), "name: test-policy-disallow-1") {
-		t.Errorf("YAML output doesn't contain expected rule name")
-	}
-
-	// Test JSON output
-	jsonOutput, err := json.MarshalIndent(anubisRules, "", "  ")
-	if err != nil {
-		t.Fatalf("Failed to marshal JSON: %v", err)
-	}
-
-	if !strings.Contains(string(jsonOutput), `"name": "test-policy-disallow-1"`) {
-		t.Errorf("JSON output doesn't contain expected rule name")
-	}
-}
-
-func TestDifferentActions(t *testing.T) {
-	robotsTxt := `User-agent: *
-Disallow: /admin`
-
-	testActions := []string{"ALLOW", "DENY", "CHALLENGE", "WEIGH"}
-
-	for _, action := range testActions {
-		t.Run("action_"+action, func(t *testing.T) {
-			reader := strings.NewReader(robotsTxt)
-			rules, err := parseRobotsTxt(reader)
-			if err != nil {
-				t.Fatalf("Failed to parse robots.txt: %v", err)
-			}
-
-			oldAction := *baseAction
-			*baseAction = action
-			defer func() { *baseAction = oldAction }()
-
-			anubisRules := convertToAnubisRules(rules)
-
-			if len(anubisRules) != 1 {
-				t.Fatalf("Expected 1 rule, got %d", len(anubisRules))
-			}
-
-			if anubisRules[0].Action != action {
-				t.Errorf("Expected action %s, got %s", action, anubisRules[0].Action)
-			}
-		})
-	}
-}
-
-func TestPolicyNaming(t *testing.T) {
-	robotsTxt := `User-agent: *
-Disallow: /admin
-Disallow: /private
-
-User-agent: BadBot
-Disallow: /`
-
-	testNames := []string{"custom-policy", "my-rules", "site-protection"}
-
-	for _, name := range testNames {
-		t.Run("name_"+name, func(t *testing.T) {
-			reader := strings.NewReader(robotsTxt)
-			rules, err := parseRobotsTxt(reader)
-			if err != nil {
-				t.Fatalf("Failed to parse robots.txt: %v", err)
-			}
-
-			oldName := *policyName
-			*policyName = name
-			defer func() { *policyName = oldName }()
-
-			anubisRules := convertToAnubisRules(rules)
-
-			// Check that all rule names use the custom prefix
-			for _, rule := range anubisRules {
-				if !strings.HasPrefix(rule.Name, name+"-") {
-					t.Errorf("Rule name %s doesn't start with expected prefix %s-", rule.Name, name)
-				}
-			}
-		})
-	}
-}
-
-func TestCrawlDelayWeights(t *testing.T) {
-	robotsTxt := `User-agent: *
-Disallow: /admin
-Crawl-delay: 10
-
-User-agent: SlowBot
-Disallow: /slow
-Crawl-delay: 60`
-
-	testWeights := []int{1, 5, 10, 25}
-
-	for _, weight := range testWeights {
-		t.Run(fmt.Sprintf("weight_%d", weight), func(t *testing.T) {
-			reader := strings.NewReader(robotsTxt)
-			rules, err := parseRobotsTxt(reader)
-			if err != nil {
-				t.Fatalf("Failed to parse robots.txt: %v", err)
-			}
-
-			oldWeight := *crawlDelay
-			*crawlDelay = weight
-			defer func() { *crawlDelay = oldWeight }()
-
-			anubisRules := convertToAnubisRules(rules)
-
-			// Count weight rules and verify they have correct weight
-			weightRules := 0
-			for _, rule := range anubisRules {
-				if rule.Action == "WEIGH" && rule.Weight != nil {
-					weightRules++
-					if rule.Weight.Adjust != weight {
-						t.Errorf("Expected weight %d, got %d", weight, rule.Weight.Adjust)
-					}
-				}
-			}
-
-			expectedWeightRules := 2 // One for *, one for SlowBot
-			if weightRules != expectedWeightRules {
-				t.Errorf("Expected %d weight rules, got %d", expectedWeightRules, weightRules)
-			}
-		})
-	}
-}
-
-func TestBlacklistActions(t *testing.T) {
-	robotsTxt := `User-agent: BadBot
-Disallow: /
-
-User-agent: SpamBot
-Disallow: /`
-
-	testActions := []string{"DENY", "CHALLENGE"}
-
-	for _, action := range testActions {
-		t.Run("blacklist_"+action, func(t *testing.T) {
-			reader := strings.NewReader(robotsTxt)
-			rules, err := parseRobotsTxt(reader)
-			if err != nil {
-				t.Fatalf("Failed to parse robots.txt: %v", err)
-			}
-
-			oldAction := *userAgentDeny
-			*userAgentDeny = action
-			defer func() { *userAgentDeny = oldAction }()
-
-			anubisRules := convertToAnubisRules(rules)
-
-			// All rules should be blacklist rules with the specified action
-			for _, rule := range anubisRules {
-				if !strings.Contains(rule.Name, "blacklist") {
-					t.Errorf("Expected blacklist rule, got %s", rule.Name)
-				}
-				if rule.Action != action {
-					t.Errorf("Expected action %s, got %s", action, rule.Action)
-				}
-			}
-		})
-	}
-}
-
-// compareData performs a deep comparison of two data structures,
-// ignoring differences that are semantically equivalent in YAML/JSON
-func compareData(actual, expected interface{}) bool {
-	return reflect.DeepEqual(actual, expected)
-}

cmd/robots2policy/testdata/blacklist.robots.txt

@@ -1,15 +0,0 @@
-# Test with blacklisted user agents
-User-agent: *
-Disallow: /admin
-Crawl-delay: 10
-
-User-agent: BadBot
-Disallow: /
-
-User-agent: SpamBot
-Disallow: /
-Crawl-delay: 60
-
-User-agent: Googlebot
-Disallow: /search
-Crawl-delay: 5

cmd/robots2policy/testdata/blacklist.yaml

@@ -1,30 +0,0 @@
-- action: WEIGH
-  expression: "true"
-  name: robots-txt-policy-crawl-delay-1
-  weight:
-    adjust: 3
-- action: CHALLENGE
-  expression: path.startsWith("/admin")
-  name: robots-txt-policy-disallow-2
-- action: DENY
-  expression: userAgent.contains("BadBot")
-  name: robots-txt-policy-blacklist-3
-- action: WEIGH
-  expression: userAgent.contains("SpamBot")
-  name: robots-txt-policy-crawl-delay-4
-  weight:
-    adjust: 3
-- action: DENY
-  expression: userAgent.contains("SpamBot")
-  name: robots-txt-policy-blacklist-5
-- action: WEIGH
-  expression: userAgent.contains("Googlebot")
-  name: robots-txt-policy-crawl-delay-6
-  weight:
-    adjust: 3
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("Googlebot")
-        - path.startsWith("/search")
-  name: robots-txt-policy-disallow-7

cmd/robots2policy/testdata/complex.robots.txt

@@ -1,30 +0,0 @@
-# Complex real-world example
-User-agent: *
-Disallow: /admin/
-Disallow: /private/
-Disallow: /api/internal/
-Allow: /api/public/
-Crawl-delay: 5
-
-User-agent: Googlebot
-Disallow: /search/
-Allow: /api/
-Crawl-delay: 2
-
-User-agent: Bingbot
-Disallow: /search/
-Disallow: /admin/
-Crawl-delay: 10
-
-User-agent: BadBot
-Disallow: /
-
-User-agent: SeoBot
-Disallow: /
-Crawl-delay: 300
-
-# Test with various patterns
-User-agent: TestBot
-Disallow: /*/admin
-Disallow: /temp*.html
-Disallow: /file?.log

cmd/robots2policy/testdata/complex.yaml

@@ -1,71 +0,0 @@
-- action: WEIGH
-  expression: "true"
-  name: robots-txt-policy-crawl-delay-1
-  weight:
-    adjust: 5
-- action: CHALLENGE
-  expression: path.startsWith("/admin/")
-  name: robots-txt-policy-disallow-2
-- action: CHALLENGE
-  expression: path.startsWith("/private/")
-  name: robots-txt-policy-disallow-3
-- action: CHALLENGE
-  expression: path.startsWith("/api/internal/")
-  name: robots-txt-policy-disallow-4
-- action: WEIGH
-  expression: userAgent.contains("Googlebot")
-  name: robots-txt-policy-crawl-delay-5
-  weight:
-    adjust: 5
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("Googlebot")
-        - path.startsWith("/search/")
-  name: robots-txt-policy-disallow-6
-- action: WEIGH
-  expression: userAgent.contains("Bingbot")
-  name: robots-txt-policy-crawl-delay-7
-  weight:
-    adjust: 5
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("Bingbot")
-        - path.startsWith("/search/")
-  name: robots-txt-policy-disallow-8
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("Bingbot")
-        - path.startsWith("/admin/")
-  name: robots-txt-policy-disallow-9
-- action: DENY
-  expression: userAgent.contains("BadBot")
-  name: robots-txt-policy-blacklist-10
-- action: WEIGH
-  expression: userAgent.contains("SeoBot")
-  name: robots-txt-policy-crawl-delay-11
-  weight:
-    adjust: 5
-- action: DENY
-  expression: userAgent.contains("SeoBot")
-  name: robots-txt-policy-blacklist-12
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("TestBot")
-        - path.matches("^/.*/admin")
-  name: robots-txt-policy-disallow-13
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("TestBot")
-        - path.matches("^/temp.*\\.html")
-  name: robots-txt-policy-disallow-14
-- action: CHALLENGE
-  expression:
-    all:
-        - userAgent.contains("TestBot")
-        - path.matches("^/file.\\.log")
-  name: robots-txt-policy-disallow-15

cmd/robots2policy/testdata/custom-name.yaml

@@ -1,6 +0,0 @@
-- action: CHALLENGE
-  expression: path.startsWith("/admin/")
-  name: my-custom-policy-disallow-1
-- action: CHALLENGE
-  expression: path.startsWith("/private")
-  name: my-custom-policy-disallow-2

cmd/robots2policy/testdata/deny-action.yaml

@@ -1,6 +0,0 @@
-- action: DENY
-  expression: path.startsWith("/admin/")
-  name: robots-txt-policy-disallow-1
-- action: DENY
-  expression: path.startsWith("/private")
-  name: robots-txt-policy-disallow-2

cmd/robots2policy/testdata/empty.robots.txt

@@ -1,2 +0,0 @@
-# Empty robots.txt (comments only)
-# No actual rules

cmd/robots2policy/testdata/empty.yaml

@@ -1 +0,0 @@
-[]

cmd/robots2policy/testdata/simple.json

@@ -1,12 +0,0 @@
-[
-  {
-    "action": "CHALLENGE",
-    "expression": "path.startsWith(\"/admin/\")",
-    "name": "robots-txt-policy-disallow-1"
-  },
-  {
-    "action": "CHALLENGE",
-    "expression": "path.startsWith(\"/private\")",
-    "name": "robots-txt-policy-disallow-2"
-  }
-]

cmd/robots2policy/testdata/simple.robots.txt

@@ -1,5 +0,0 @@
-# Simple robots.txt test
-User-agent: *
-Disallow: /admin/
-Disallow: /private
-Allow: /public

cmd/robots2policy/testdata/simple.yaml

@@ -1,6 +0,0 @@
-- action: CHALLENGE
-  expression: path.startsWith("/admin/")
-  name: robots-txt-policy-disallow-1
-- action: CHALLENGE
-  expression: path.startsWith("/private")
-  name: robots-txt-policy-disallow-2

cmd/robots2policy/testdata/wildcards.robots.txt

@@ -1,6 +0,0 @@
-# Test wildcard patterns
-User-agent: *
-Disallow: /search*
-Disallow: /*/private
-Disallow: /file?.txt
-Disallow: /admin/*?action=delete

cmd/robots2policy/testdata/wildcards.yaml

@@ -1,12 +0,0 @@
-- action: CHALLENGE
-  expression: path.matches("^/search.*")
-  name: robots-txt-policy-disallow-1
-- action: CHALLENGE
-  expression: path.matches("^/.*/private")
-  name: robots-txt-policy-disallow-2
-- action: CHALLENGE
-  expression: path.matches("^/file.\\.txt")
-  name: robots-txt-policy-disallow-3
-- action: CHALLENGE
-  expression: path.matches("^/admin/.*.action=delete")
-  name: robots-txt-policy-disallow-4

data/apps/bookstack-saml.yaml

@@ -1,20 +0,0 @@
-# Make SASL login work on bookstack with Anubis
-# https://www.bookstackapp.com/docs/admin/saml2-auth/
-- name: allow-bookstack-sasl-login-routes
-  action: ALLOW
-  expression:
-    all:
-      - 'method == "POST"'
-      - path.startsWith("/saml2/acs")
-- name: allow-bookstack-sasl-metadata-routes
-  action: ALLOW
-  expression:
-    all:
-      - 'method == "GET"'
-      - path.startsWith("/saml2/metadata")
-- name: allow-bookstack-sasl-logout-routes
-  action: ALLOW
-  expression:
-    all:
-      - 'method == "GET"'
-      - path.startsWith("/saml2/sls")

data/apps/qualys-ssl-labs.yml

@@ -1,7 +0,0 @@
-# This policy allows Qualys SSL Labs to fully work. (https://www.ssllabs.com/ssltest)
-# IP ranges are taken from: https://qualys.my.site.com/discussions/s/article/000005823
-- name: qualys-ssl-labs
-  action: ALLOW
-  remote_addresses:
-  - 64.41.200.0/24
-  - 2600:C02:1020:4202::/64

data/apps/searx-checker.yml

@@ -1,9 +0,0 @@
-# This policy allows SearXNG's instance tracker to work. (https://searx.space)
-# IPs are taken from `check.searx.space` DNS records.
-# https://toolbox.googleapps.com/apps/dig/#A/check.searx.space
-# https://toolbox.googleapps.com/apps/dig/#AAAA/check.searx.space
-- name: searx-checker
-  action: ALLOW
-  remote_addresses:
-  - 167.235.158.251/32
-  - 2a01:4f8:1c1c:8fc2::1/128

data/botPolicies.json

@@ -4,7 +4,7 @@
       "import": "(data)/bots/_deny-pathological.yaml"
     },
     {
-      "import": "(data)/meta/ai-block-aggressive.yaml"
+      "import": "(data)/bots/ai-robots-txt.yaml"
     },
     {
       "import": "(data)/crawlers/_allow-good.yaml"

data/botPolicies.yaml

@@ -11,198 +11,60 @@
 ## /usr/share/docs/anubis/data or in the tarball you extracted Anubis from.
 
 bots:
-  # Pathological bots to deny
-  - # This correlates to data/bots/deny-pathological.yaml in the source tree
-    # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml
-    import: (data)/bots/_deny-pathological.yaml
-  - import: (data)/bots/aggressive-brazilian-scrapers.yaml
+# Pathological bots to deny
+- # This correlates to data/bots/deny-pathological.yaml in the source tree
+  # https://github.com/TecharoHQ/anubis/blob/main/data/bots/deny-pathological.yaml
+  import: (data)/bots/_deny-pathological.yaml
+- import: (data)/bots/aggressive-brazilian-scrapers.yaml
 
-  # Aggressively block AI/LLM related bots/agents by default
-  - import: (data)/meta/ai-block-aggressive.yaml
+# Enforce https://github.com/ai-robots-txt/ai.robots.txt
+- import: (data)/bots/ai-robots-txt.yaml
 
-  # Consider replacing the aggressive AI policy with more selective policies:
-  # - import: (data)/meta/ai-block-moderate.yaml
-  # - import: (data)/meta/ai-block-permissive.yaml
+# Search engine crawlers to allow, defaults to:
+#   - Google (so they don't try to bypass Anubis)
+#   - Bing
+#   - DuckDuckGo
+#   - Qwant
+#   - The Internet Archive
+#   - Kagi
+#   - Marginalia
+#   - Mojeek
+- import: (data)/crawlers/_allow-good.yaml
 
-  # Search engine crawlers to allow, defaults to:
-  #   - Google (so they don't try to bypass Anubis)
-  #   - Apple
-  #   - Bing
-  #   - DuckDuckGo
-  #   - Qwant
-  #   - The Internet Archive
-  #   - Kagi
-  #   - Marginalia
-  #   - Mojeek
-  - import: (data)/crawlers/_allow-good.yaml
-  # Challenge Firefox AI previews
-  - import: (data)/clients/x-firefox-ai.yaml
+# Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
+- import: (data)/common/keep-internet-working.yaml
 
-  # Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
-  - import: (data)/common/keep-internet-working.yaml
+# # Punish any bot with "bot" in the user-agent string
+# # This is known to have a high false-positive rate, use at your own risk
+# - name: generic-bot-catchall
+#   user_agent_regex: (?i:bot|crawler)
+#   action: CHALLENGE
+#   challenge:
+#     difficulty: 16  # impossible
+#     report_as: 4    # lie to the operator
+#     algorithm: slow # intentionally waste CPU cycles and time
 
-  # # Punish any bot with "bot" in the user-agent string
-  # # This is known to have a high false-positive rate, use at your own risk
-  # - name: generic-bot-catchall
-  #   user_agent_regex: (?i:bot|crawler)
-  #   action: CHALLENGE
-  #   challenge:
-  #     difficulty: 16  # impossible
-  #     report_as: 4    # lie to the operator
-  #     algorithm: slow # intentionally waste CPU cycles and time
+# Generic catchall rule
+- name: generic-browser
+  user_agent_regex: >-
+    Mozilla|Opera
+  action: WEIGH
+  weight:
+    adjust: 5
 
-  # Requires a subscription to Thoth to use, see
-  # https://anubis.techaro.lol/docs/admin/thoth#geoip-based-filtering
-  - name: countries-with-aggressive-scrapers
-    action: WEIGH
-    geoip:
-      countries:
-        - BR
-        - CN
-    weight:
-      adjust: 10
-
-  # Requires a subscription to Thoth to use, see
-  # https://anubis.techaro.lol/docs/admin/thoth#asn-based-filtering
-  - name: aggressive-asns-without-functional-abuse-contact
-    action: WEIGH
-    asns:
-      match:
-        - 13335 # Cloudflare
-        - 136907 # Huawei Cloud
-        - 45102 # Alibaba Cloud
-    weight:
-      adjust: 10
-
-  # Generic catchall rule
-  - name: generic-browser
-    user_agent_regex: >-
-      Mozilla|Opera
-    action: WEIGH
-    weight:
-      adjust: 10
+- name: high-pass-rate
+  pass_rate:
+    rate: 0.8
+  action: WEIGH
+  weight:
+    adjust: -15
 
 dnsbl: false
 
-# #
-# impressum:
-#   # Displayed at the bottom of every page rendered by Anubis.
-#   footer: >-
-#     This website is hosted by Zombocom. If you have any complaints or notes
-#     about the service, please contact
-#     <a href="mailto:contact@domainhere.example">contact@domainhere.example</a>
-#     and we will assist you as soon as possible.
-
-#   # The imprint page that will be linked to at the footer of every Anubis page.
-#   page:
-#     # The HTML <title> of the page
-#     title: Imprint and Privacy Policy
-#     # The HTML contents of the page. The exact contents of this page can
-#     # and will vary by locale. Please consult with a lawyer if you are not
-#     # sure what to put here
-#     body: >-
-#       <p>Last updated: June 2025</p>
-
-#       <h2>Information that is gathered from visitors</h2>
-
-#       <p>In common with other websites, log files are stored on the web server saving details such as the visitor's IP address, browser type, referring page and time of visit.</p>
-
-#       <p>Cookies may be used to remember visitor preferences when interacting with the website.</p>
-
-#       <p>Where registration is required, the visitor's email and a username will be stored on the server.</p>
-
-#       <!-- ... -->
-
-# Open Graph passthrough configuration, see here for more information:
-# https://anubis.techaro.lol/docs/admin/configuration/open-graph/
-openGraph:
-  # Enables Open Graph passthrough
-  enabled: false
-  # Enables the use of the HTTP host in the cache key, this enables
-  # caching metadata for multiple http hosts at once.
-  considerHost: false
-  # How long cached OpenGraph metadata should last in memory
-  ttl: 24h
-  # # If set, return these opengraph values instead of looking them up with
-  # # the target service.
-  # #
-  # # Correlates to properties in https://ogp.me/
-  # override:
-  #   # og:title is required, it is the title of the website
-  #   "og:title": "Techaro Anubis"
-  #   "og:description": >-
-  #     Anubis is a Web AI Firewall Utility that helps you fight the bots
-  #     away so that you can maintain uptime at work!
-  #   "description": >-
-  #     Anubis is a Web AI Firewall Utility that helps you fight the bots
-  #     away so that you can maintain uptime at work!
-
 # By default, send HTTP 200 back to clients that either get issued a challenge
 # or a denial. This seems weird, but this is load-bearing due to the fact that
 # the most aggressive scraper bots seem to really, really, want an HTTP 200 and
 # will stop sending requests once they get it.
 status_codes:
   CHALLENGE: 200
-  DENY: 200
-
-# Anubis can store temporary data in one of a few backends. See the storage
-# backends section of the docs for more information:
-#
-# https://anubis.techaro.lol/docs/admin/policies#storage-backends
-store:
-  backend: memory
-  parameters: {}
-
-# The weight thresholds for when to trigger individual challenges. Any
-# CHALLENGE will take precedence over this.
-#
-# A threshold has four configuration options:
-#
-#   - name: the name that is reported down the stack and used for metrics
-#   - expression: A CEL expression with the request weight in the variable
-#     weight
-#   - action: the Anubis action to apply, similar to in a bot policy
-#   - challenge: which challenge to send to the user, similar to in a bot policy
-#
-# See https://anubis.techaro.lol/docs/admin/configuration/thresholds for more
-# information.
-thresholds:
-  # By default Anubis ships with the following thresholds:
-  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
-    expression: weight <= 0 # a feather weighs zero units
-    action: ALLOW # Allow the traffic through
-  # For clients that had some weight reduced through custom rules, give them a
-  # lightweight challenge.
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight > 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-  # For clients that are browser-like but have either gained points from custom rules or
-  # report as a standard browser.
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 2 # two leading zeros, very fast for most clients
-      report_as: 2
-  # For clients that are browser like and have gained many points from custom rules
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
+  DENY: 200 

data/bots/aggressive-brazilian-scrapers.yaml

@@ -1,26 +1,26 @@
-- name: deny-aggressive-brazilian-scrapers
+- name: aggressive-brazilian-scrapers
   action: WEIGH
-  weight:
-    adjust: 20
   expression:
     any:
-      # Internet Explorer should be out of support
-      - userAgent.contains("MSIE")
-      # Trident is the Internet Explorer browser engine
-      - userAgent.contains("Trident")
-      # Opera is a fork of chrome now
-      - userAgent.contains("Presto")
-      # Windows CE is discontinued
-      - userAgent.contains("Windows CE")
-      # Windows 95 is discontinued
-      - userAgent.contains("Windows 95")
-      # Windows 98 is discontinued
-      - userAgent.contains("Windows 98")
-      # Windows 9.x is discontinued
-      - userAgent.contains("Win 9x")
-      # Amazon does not have an Alexa Toolbar.
-      - userAgent.contains("Alexa Toolbar")
-      # This is not released, even Windows 11 calls itself Windows 10
-      - userAgent.contains("Windows NT 11.0")
-      # iPods are not in common use
-      - userAgent.contains("iPod")
+    # Internet Explorer should be out of support
+    - userAgent.contains("MSIE")
+    # Trident is the Internet Explorer browser engine
+    - userAgent.contains("Trident")
+    # Opera is a fork of chrome now
+    - userAgent.contains("Presto")
+    # Windows CE is discontinued
+    - userAgent.contains("Windows CE")
+    # Windows 95 is discontinued
+    - userAgent.contains("Windows 95")
+    # Windows 98 is discontinued
+    - userAgent.contains("Windows 98")
+    # Windows 9.x is discontinued
+    - userAgent.contains("Win 9x")
+    # Amazon does not have an Alexa Toolbar.
+    - userAgent.contains("Alexa Toolbar")
+    # This is not released, even Windows 11 calls itself Windows 10
+    - userAgent.contains("Windows NT 11.0")
+    # iPods are not in common use
+    - userAgent.contains("iPod")
+  weight:
+    adjust: 10

data/bots/ai-catchall.yaml

@@ -1,11 +0,0 @@
-# Extensive list of AI-affiliated agents based on https://github.com/ai-robots-txt/ai.robots.txt
-# Add new/undocumented agents here. Where documentation exists, consider moving to dedicated policy files.
-# Notes on various agents:
-#  - Amazonbot: Well documented, but they refuse to state which agent collects training data.
-#  - anthropic-ai/Claude-Web: Undocumented by Anthropic. Possibly deprecated or hallucinations?
-#  - Perplexity*: Well documented, but they refuse to state which agent collects training data.
-# Warning: May contain user agents that _must_ be blocked in robots.txt, or the opt-out will have no effect.
-- name: "ai-catchall"
-  user_agent_regex: >-
-    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|anthropic-ai|Brightbot 1.0|Bytespider|Claude-Web|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|FacebookBot|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-CloudVertexBot|GoogleOther|GoogleOther-Image|GoogleOther-Video|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|imgproxy|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|NovaAct|omgili|omgilibot|Operator|PanguBot|Perplexity-User|PerplexityBot|PetalBot|QualifiedBot|Scrapy|SemrushBot-OCOB|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|wpbot|YouBot
-  action: DENY

data/bots/ai-robots-txt.yaml

@@ -1,8 +1,4 @@
-# Warning: Contains user agents that _must_ be blocked in robots.txt, or the opt-out will have no effect.
-# Note: Blocks human-directed/non-training user agents
-#
-# CCBot is allowed because if Common Crawl is allowed, then scrapers don't need to scrape to get the data.
 - name: "ai-robots-txt"
   user_agent_regex: >-
-    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|Andibot|anthropic-ai|Applebot|Applebot-Extended|bedrockbot|Brightbot 1.0|Bytespider|ChatGPT-User|Claude-SearchBot|Claude-User|Claude-Web|ClaudeBot|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|EchoboxBot|FacebookBot|facebookexternalhit|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-CloudVertexBot|Google-Extended|GoogleOther|GoogleOther-Image|GoogleOther-Video|GPTBot|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|MistralAI-User/1.0|MyCentralAIScraperBot|NovaAct|OAI-SearchBot|omgili|omgilibot|Operator|PanguBot|Panscient|panscient.com|Perplexity-User|PerplexityBot|PetalBot|PhindBot|Poseidon Research Crawler|QualifiedBot|QuillBot|quillbot.com|SBIntuitionsBot|Scrapy|SemrushBot|SemrushBot-BA|SemrushBot-CT|SemrushBot-OCOB|SemrushBot-SI|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|wpbot|YandexAdditional|YandexAdditionalBot|YouBot
+    AI2Bot|Ai2Bot-Dolma|aiHitBot|Amazonbot|anthropic-ai|Applebot|Applebot-Extended|Brightbot 1.0|Bytespider|CCBot|ChatGPT-User|Claude-Web|ClaudeBot|cohere-ai|cohere-training-data-crawler|Cotoyogi|Crawlspace|Diffbot|DuckAssistBot|FacebookBot|Factset_spyderbot|FirecrawlAgent|FriendlyCrawler|Google-Extended|GoogleOther|GoogleOther-Image|GoogleOther-Video|GPTBot|iaskspider/2.0|ICC-Crawler|ImagesiftBot|img2dataset|imgproxy|ISSCyberRiskCrawler|Kangaroo Bot|meta-externalagent|Meta-ExternalAgent|meta-externalfetcher|Meta-ExternalFetcher|NovaAct|OAI-SearchBot|omgili|omgilibot|Operator|PanguBot|Perplexity-User|PerplexityBot|PetalBot|Scrapy|SemrushBot-OCOB|SemrushBot-SWA|Sidetrade indexer bot|TikTokSpider|Timpibot|VelenPublicWebCrawler|Webzio-Extended|YouBot
   action: DENY

data/bots/cloudflare-workers.yaml

@@ -3,4 +3,4 @@
     CF-Worker: .*
   action: WEIGH
   weight:
-    adjust: 15
+    adjust: 5

data/bots/headless-browsers.yaml

@@ -1,9 +1,14 @@
 - name: lightpanda
   user_agent_regex: ^LightPanda/.*$
-  action: DENY
+  action: WEIGH
+  weight:
+    adjust: 5
 - name: headless-chrome
   user_agent_regex: HeadlessChrome
-  action: DENY
+  action: WEIGH
+  weight:
+    adjust: 5
 - name: headless-chromium
   user_agent_regex: HeadlessChromium
-  action: DENY
+  weight:
+    adjust: 5

data/clients/ai.yaml

@@ -1,8 +0,0 @@
-# User agents that act on behalf of humans in AI tools, e.g. searching the web.
-# Each entry should have a positive/ALLOW entry created as well, with further documentation.
-# Exceptions:
-#  - Claude-User: No published IP allowlist
-- name: "ai-clients"
-  user_agent_regex: >-
-    ChatGPT-User|Claude-User|MistralAI-User
-  action: DENY

data/clients/mistral-mistralai-user.yaml

@@ -1,10 +0,0 @@
-# Acts on behalf of user requests
-# https://docs.mistral.ai/robots/
-- name: mistral-mistralai-user
-  user_agent_regex: MistralAI-User/.+; \+https\://docs\.mistral\.ai/robots
-  action: ALLOW
-  # https://mistral.ai/mistralai-user-ips.json
-  remote_addresses: [
-    "20.240.160.161/32",
-    "20.240.160.1/32",
-  ]

data/clients/openai-chatgpt-user.yaml

@@ -1,93 +0,0 @@
-# Acts on behalf of user requests
-# https://platform.openai.com/docs/bots/overview-of-openai-crawlers
-- name: openai-chatgpt-user
-  user_agent_regex: ChatGPT-User/.+; \+https\://openai\.com/bot
-  action: ALLOW
-  # https://openai.com/chatgpt-user.json
-  # curl 'https://openai.com/chatgpt-user.json' | jq '.prefixes.[].ipv4Prefix' | sed 's/$/,/'
-  remote_addresses: [
-    "13.65.138.112/28",
-    "23.98.179.16/28",
-    "13.65.138.96/28",
-    "172.183.222.128/28",
-    "20.102.212.144/28",
-    "40.116.73.208/28",
-    "172.183.143.224/28",
-    "52.190.190.16/28",
-    "13.83.237.176/28",
-    "51.8.155.64/28",
-    "74.249.86.176/28",
-    "51.8.155.48/28",
-    "20.55.229.144/28",
-    "135.237.131.208/28",
-    "135.237.133.48/28",
-    "51.8.155.112/28",
-    "135.237.133.112/28",
-    "52.159.249.96/28",
-    "52.190.137.16/28",
-    "52.255.111.112/28",
-    "40.84.181.32/28",
-    "172.178.141.112/28",
-    "52.190.142.64/28",
-    "172.178.140.144/28",
-    "52.190.137.144/28",
-    "172.178.141.128/28",
-    "57.154.187.32/28",
-    "4.196.118.112/28",
-    "20.193.50.32/28",
-    "20.215.188.192/28",
-    "20.215.214.16/28",
-    "4.197.22.112/28",
-    "4.197.115.112/28",
-    "172.213.21.16/28",
-    "172.213.11.144/28",
-    "172.213.12.112/28",
-    "172.213.21.144/28",
-    "20.90.7.144/28",
-    "57.154.175.0/28",
-    "57.154.174.112/28",
-    "52.236.94.144/28",
-    "137.135.191.176/28",
-    "23.98.186.192/28",
-    "23.98.186.96/28",
-    "23.98.186.176/28",
-    "23.98.186.64/28",
-    "68.221.67.192/28",
-    "68.221.67.160/28",
-    "13.83.167.128/28",
-    "20.228.106.176/28",
-    "52.159.227.32/28",
-    "68.220.57.64/28",
-    "172.213.21.112/28",
-    "68.221.67.224/28",
-    "68.221.75.16/28",
-    "20.97.189.96/28",
-    "52.252.113.240/28",
-    "52.230.163.32/28",
-    "172.212.159.64/28",
-    "52.255.111.80/28",
-    "52.255.111.0/28",
-    "4.151.241.240/28",
-    "52.255.111.32/28",
-    "52.255.111.48/28",
-    "52.255.111.16/28",
-    "52.230.164.176/28",
-    "52.176.139.176/28",
-    "52.173.234.16/28",
-    "4.151.71.176/28",
-    "4.151.119.48/28",
-    "52.255.109.112/28",
-    "52.255.109.80/28",
-    "20.161.75.208/28",
-    "68.154.28.96/28",
-    "52.255.109.128/28",
-    "52.225.75.208/28",
-    "52.190.139.48/28",
-    "68.221.67.240/28",
-    "52.156.77.144/28",
-    "52.148.129.32/28",
-    "40.84.221.208/28",
-    "104.210.139.224/28",
-    "40.84.221.224/28",
-    "104.210.139.192/28",
-  ]

data/clients/small-internet-browsers/_permissive.yaml

@@ -1,2 +0,0 @@
-- import: (data)/clients/small-internet-browsers/netsurf.yaml
-- import: (data)/clients/small-internet-browsers/palemoon.yaml

data/clients/small-internet-browsers/netsurf.yaml

@@ -1,5 +0,0 @@
-- name: "reduce-weight-netsurf"
-  user_agent_regex: "NetSurf"
-  action: WEIGH
-  weight:
-    adjust: -5

data/clients/small-internet-browsers/palemoon.yaml

@@ -1,5 +0,0 @@
-- name: "reduce-weight-palemoon"
-  user_agent_regex: "PaleMoon"
-  action: WEIGH
-  weight:
-    adjust: -5

data/clients/x-firefox-ai.yaml

@@ -1,6 +0,0 @@
-# https://connect.mozilla.org/t5/firefox-labs/try-out-link-previews-in-firefox-labs-138-and-share-your/td-p/92012
-- name: x-firefox-ai
-  action: WEIGH
-  expression: '"X-Firefox-Ai" in headers'
-  weight:
-    adjust: 5

data/common/allow-private-addresses.yaml

@@ -1,15 +1,15 @@
 - name: ipv4-rfc-1918
   action: ALLOW
   remote_addresses:
-    - 10.0.0.0/8
-    - 172.16.0.0/12
-    - 192.168.0.0/16
-    - 100.64.0.0/10
+  - 10.0.0.0/8
+  - 172.16.0.0/12
+  - 192.168.0.0/16
+  - 100.64.0.0/10
 - name: ipv6-ula
   action: ALLOW
   remote_addresses:
-    - fc00::/7
+  - fc00::/7
 - name: ipv6-link-local
   action: ALLOW
   remote_addresses:
-    - fe80::/10
+  - fe80::/10

data/common/rfc-violations.yaml

@@ -1,3 +1,5 @@
 - name: no-user-agent-string
-  action: DENY
-  expression: userAgent == ""
+  action: WEIGH
+  expression: userAgent == ""
+  weight:
+    adjust: 10

data/crawlers/_allow-good.yaml

@@ -1,10 +1,8 @@
 - import: (data)/crawlers/googlebot.yaml
-- import: (data)/crawlers/applebot.yaml
 - import: (data)/crawlers/bingbot.yaml
 - import: (data)/crawlers/duckduckbot.yaml
 - import: (data)/crawlers/qwantbot.yaml
 - import: (data)/crawlers/internet-archive.yaml
 - import: (data)/crawlers/kagibot.yaml
 - import: (data)/crawlers/marginalia.yaml
-- import: (data)/crawlers/mojeekbot.yaml
-- import: (data)/crawlers/commoncrawl.yaml
+- import: (data)/crawlers/mojeekbot.yaml

data/crawlers/ai-search.yaml

@@ -1,8 +0,0 @@
-# User agents that index exclusively for search in for AI systems.
-# Each entry should have a positive/ALLOW entry created as well, with further documentation.
-# Exceptions:
-#  - Claude-SearchBot: No published IP allowlist
-- name: "ai-crawlers-search"
-  user_agent_regex: >-
-    OAI-SearchBot|Claude-SearchBot
-  action: DENY

data/crawlers/ai-training.yaml

@@ -1,8 +0,0 @@
-# User agents that crawl for training AI/LLM systems
-# Each entry should have a positive/ALLOW entry created as well, with further documentation.
-# Exceptions:
-#  - ClaudeBot: No published IP allowlist
-- name: "ai-crawlers-training"
-  user_agent_regex: >-
-    GPTBot|ClaudeBot
-  action: DENY

data/crawlers/applebot.yaml

@@ -1,20 +0,0 @@
-# Indexing for search and Siri
-# https://support.apple.com/en-us/119829
-- name: applebot
-  user_agent_regex: Applebot
-  action: ALLOW
-  # https://search.developer.apple.com/applebot.json
-  remote_addresses: [
-    "17.241.208.160/27",
-    "17.241.193.160/27",
-    "17.241.200.160/27",
-    "17.22.237.0/24",
-    "17.22.245.0/24",
-    "17.22.253.0/24",
-    "17.241.75.0/24",
-    "17.241.219.0/24",
-    "17.241.227.0/24",
-    "17.246.15.0/24",
-    "17.246.19.0/24",
-    "17.246.23.0/24",
-  ]

data/crawlers/commoncrawl.yaml

@@ -1,12 +0,0 @@
-- name: common-crawl
-  user_agent_regex: CCBot
-  action: ALLOW
-  # https://index.commoncrawl.org/ccbot.json
-  remote_addresses:
-    [
-      "2600:1f28:365:80b0::/60",
-      "18.97.9.168/29",
-      "18.97.14.80/29",
-      "18.97.14.88/30",
-      "98.85.178.216/32",
-    ]

data/crawlers/openai-gptbot.yaml

@@ -1,16 +0,0 @@
-# Collects AI training data
-# https://platform.openai.com/docs/bots/overview-of-openai-crawlers
-- name: openai-gptbot
-  user_agent_regex: GPTBot/1\.1; \+https\://openai\.com/gptbot
-  action: ALLOW
-  # https://openai.com/gptbot.json
-  remote_addresses: [
-    "52.230.152.0/24",
-    "20.171.206.0/24",
-    "20.171.207.0/24",
-    "4.227.36.0/25",
-    "20.125.66.80/28",
-    "172.182.204.0/24",
-    "172.182.214.0/24",
-    "172.182.215.0/24",
-  ]

data/crawlers/openai-searchbot.yaml

@@ -1,13 +0,0 @@
-# Indexing for search, does not collect training data
-# https://platform.openai.com/docs/bots/overview-of-openai-crawlers
-- name: openai-searchbot
-  user_agent_regex: OAI-SearchBot/1\.0; \+https\://openai\.com/searchbot
-  action: ALLOW
-  # https://openai.com/searchbot.json
-  remote_addresses: [
-    "20.42.10.176/28",
-    "172.203.190.128/28",
-    "104.210.140.128/28",
-    "51.8.102.0/24",
-    "135.234.64.0/24"
-  ]

data/embed.go

@@ -3,6 +3,6 @@ package data
 import "embed"
 
 var (
-	//go:embed botPolicies.yaml botPolicies.json all:apps all:bots all:clients all:common all:crawlers all:meta
+	//go:embed botPolicies.yaml botPolicies.json all:apps all:bots all:clients all:common all:crawlers
 	BotPolicies embed.FS
 )

data/meta/README.md

@@ -1,5 +0,0 @@
-# meta policies
-
-Contains policies that exclusively reference policies in _multiple_ other data folders.
-
-Akin to "stances" that the administrator can take, with reference to various topics, such as AI/LLM systems.

data/meta/ai-block-aggressive.yaml

@@ -1,6 +0,0 @@
-# Blocks all AI/LLM associated user agents, regardless of purpose or human agency
-# Warning: To completely block some AI/LLM training, such as with Google, you _must_ place flags in robots.txt.
-- import: (data)/bots/ai-catchall.yaml
-- import: (data)/clients/ai.yaml
-- import: (data)/crawlers/ai-search.yaml
-- import: (data)/crawlers/ai-training.yaml

data/meta/ai-block-moderate.yaml

@@ -1,7 +0,0 @@
-# Blocks all AI/LLM bots used for training or unknown/undocumented purposes.
-# Permits user agents with explicitly documented non-training use, and published IP allowlists.
-- import: (data)/bots/ai-catchall.yaml
-- import: (data)/crawlers/ai-training.yaml
-- import: (data)/crawlers/openai-searchbot.yaml
-- import: (data)/clients/openai-chatgpt-user.yaml
-- import: (data)/clients/mistral-mistralai-user.yaml

data/meta/ai-block-permissive.yaml

@@ -1,6 +0,0 @@
-# Permits all well documented AI/LLM user agents with published IP allowlists.
-- import: (data)/bots/ai-catchall.yaml
-- import: (data)/crawlers/openai-searchbot.yaml
-- import: (data)/crawlers/openai-gptbot.yaml
-- import: (data)/clients/openai-chatgpt-user.yaml
-- import: (data)/clients/mistral-mistralai-user.yaml

decaymap/decaymap.go

@@ -48,26 +48,6 @@ func (m *Impl[K, V]) expire(key K) bool {
 	return true
 }
 
-// Delete a value from the DecayMap by key.
-//
-// If the value does not exist, return false. Return true after
-// deletion.
-func (m *Impl[K, V]) Delete(key K) bool {
-	m.lock.RLock()
-	_, ok := m.data[key]
-	m.lock.RUnlock()
-
-	if !ok {
-		return false
-	}
-
-	m.lock.Lock()
-	delete(m.data, key)
-	m.lock.Unlock()
-
-	return true
-}
-
 // Get gets a value from the DecayMap by key.
 //
 // If a value has expired, forcibly delete it if it was not updated.

docs/blog/2025-06-16-welcome/index.mdx

@@ -1,14 +0,0 @@
----
-slug: welcome
-title: Welcome to the Anubis blog!
-authors: [xe]
-tags: [intro]
----
-
-Hello, world!
-
-At Techaro, we've been working on making Anubis even better, and in the process we want to share what we've done, how it works, and signal boost cool things the community has done. As things happen, we'll blog about them so that you can learn from our struggles.
-
-More details to come soon!
-
-{/* truncate */}

docs/blog/2025-06-27-release-1.20.0/index.mdx

@@ -1,248 +0,0 @@
----
-slug: release/v1.20.0
-title: Anubis v1.20.0 is now available!
-authors: [xe]
-tags: [release]
-image: sunburst.webp
----
-
-![](./sunburst.webp)
-
-Hey all!
-
-Today we released [Anubis v1.20.0: Thancred Waters](https://github.com/TecharoHQ/anubis/releases/tag/v1.20.0). This adds a lot of new and exciting features to Anubis, including but not limited to the `WEIGH` action, custom weight thresholds, Imprint/impressum support, and a no-JS challenge. Here's what you need to know so you can protect your websites in new and exciting ways!
-
-{/* truncate */}
-
-## Sponsoring the product
-
-If you rely on Anubis to keep your website safe, please consider sponsoring the project on [GitHub Sponsors](https://github.com/sponsors/Xe) or [Patreon](https://patreon.com/cadey). Funding helps pay hosting bills and offset the time spent on making this project the best it can be. Every little bit helps and when enough money is raised, [I can make Anubis my full-time job](https://github.com/TecharoHQ/anubis/discussions/278).
-
-I am waiting to hear back from NLNet on if Anubis was selected for funding or not. Let's hope it is!
-
-## Deprecation warning: `DEFAULT_DIFFICULTY`
-
-Anubis v1.20.0 is the last version to support the `DEFAULT_DIFFICULTY` flag in the exact way it currently does. In future versions, this will be ineffectual and you should use the [custom threshold system](/docs/admin/configuration/thresholds) instead.
-
-If this becomes an imposition in practice, this will be reverted.
-
-## Chrome won't show "invalid response" after "Success!"
-
-There were a bunch of smaller fixes in Anubis this time around, but the biggest one was finally squashing the ["invalid response" after "Success!" issue](https://github.com/TecharoHQ/anubis/issues/564) that had been plaguing Chrome users. This was a really annoying issue to track down but it was discovered while we were working on better end-to-end / functional testing: [Chrome randomizes the `Accept-Language` header](https://github.com/explainers-by-googlers/reduce-accept-language) so that websites can't do fingerprinting as easily.
-
-When Anubis issues a challenge, it grabs [information that the browser sends to the user](/docs/design/how-anubis-works#challenge-format) to create a challenge string. Anubis doesn't store these challenge strings anywhere, and when a solution is being checked it calculates the challenge string from the request. This means that they'd get a challenge on one end, compute the response for that challenge, and then the server would validate that against a different challenge. This server-side validation would fail, leading to the user seeing "invalid response" after the client reported success.
-
-I suspect this was why Vanadium and Cromite were having sporadic issues as well.
-
-## New Features
-
-The biggest feature in Anubis is the "weight" subsystem. This allows administrators to make custom rules that change the suspicion level of a request without having to take immediate action. As an example, consider the self-hostable git forge [Gitea](https://about.gitea.com/). When you load a page in Gitea, it creates a session cookie that your browser sends with every request. Weight allows you to mark a request that includes a Gitea session token as _less_ suspicious:
-
-```yaml
-- name: gitea-session-token
-  action: WEIGH
-  expression:
-    all:
-      # Check if the request has a Cookie header
-      - '"Cookie" in headers'
-      # Check if the request's Cookie header contains the Gitea session token
-      - headers["Cookie"].contains("i_love_gitea=")
-  # Remove 5 weight points
-  weight:
-    adjust: -5
-```
-
-This is different from the past where you could only allow every request with a Gitea session token, meaning that the invention of lying would allow malicious clients to bypass protection.
-
-Weight is added and removed whenever a `WEIGH` rule is encountered. When all rules are processed and the request doesn't match any `ALLOW`, `CHALLENGE`, or `DENY` rules, Anubis uses [weight thresholds](/docs/admin/configuration/thresholds) to figure out how to handle that request. Thresholds are defined in the [policy file](/docs/admin/policies) alongside your bot rules:
-
-```yaml
-thresholds:
-  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
-    expression: weight <= 0 # a feather weighs zero units
-    action: ALLOW # Allow the traffic through
-  # For clients that had some weight reduced through custom rules, give them a
-  # lightweight challenge.
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight > 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-  # For clients that are browser-like but have either gained points from custom rules or
-  # report as a standard browser.
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 2 # two leading zeros, very fast for most clients
-      report_as: 2
-  # For clients that are browser like and have gained many points from custom rules
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
-```
-
-:::note
-
-If you don't have thresholds defined in your Anubis policy file, Anubis will default to the "legacy" behaviour where browser-like clients get a challenge at the default difficulty.
-
-:::
-
-This lets most clients through if they pass a simple [proof of work challenge](/docs/admin/configuration/challenges/proof-of-work), but any clients that are less suspicious (like ones with a Gitea session token) are given the lightweight [Meta Refresh](/docs/admin/configuration/challenges/metarefresh) challenge instead.
-
-Threshold expressions are like [Bot rule expressions](/docs/admin/configuration/expressions), but there's only one input: the request's weight. If no thresholds match, the request is allowed through.
-
-### Imprint/Impressum Support
-
-European countries like Germany [require an imprint/impressum](https://www.ionos.com/digitalguide/websites/digital-law/a-case-for-thinking-global-germanys-impressum-laws/) to be present in the footer of their website. This allows users to contact someone on the team behind a website in case they run into issues. This also must generally have a separate page where users can view an extended imprint with other information like a privacy policy or a copyright notice.
-
-Anubis v1.20.0 and later [has support for showing imprints](/docs/admin/configuration/impressum). You can configure two kinds of imprints:
-
-1. An imprint that is shown in the footer of every Anubis page.
-2. An extended imprint / privacy policy that is shown when users click on the "Imprint" link. For example, [here's the imprint for the website you're looking at right now](https://anubis.techaro.lol/.within.website/x/cmd/anubis/api/imprint).
-
-Imprints are configured in [the policy file](/docs/admin/policies/):
-
-```yaml
-impressum:
-  # Displayed at the bottom of every page rendered by Anubis.
-  footer: >-
-    This website is hosted by Zombocom. If you have any complaints or notes 
-    about the service, please contact
-    <a href="mailto:contact@zombocom.example">contact@zombocom.example</a> and
-    we will assist you as soon as possible.
-
-  # The imprint page that will be linked to at the footer of every Anubis page.
-  page:
-    # The HTML <title> of the page
-    title: Imprint and Privacy Policy
-    # The HTML contents of the page. The exact contents of this page can
-    # and will vary by locale. Please consult with a lawyer if you are not
-    # sure what to put here.
-    body: >-
-      <p>Last updated: June 2025</p>
-
-      <h2>Information that is gathered from visitors</h2>
-
-      <p>In common with other websites, log files are stored on the web server
-      saving details such as the visitor's IP address, browser type, referring
-      page and time of visit.</p>
-
-      <p>Cookies may be used to remember visitor preferences when interacting
-      with the website.</p>
-
-      <p>Where registration is required, the visitor's email and a username
-      will be stored on the server.</p>
-
-      <!-- ... -->
-```
-
-If this is insufficient, please [file an issue](https://github.com/TecharoHQ/anubis/issues/new) with a link to the relevant legislation for your country so that this feature can be amended and improved.
-
-### No-JS Challenge
-
-One of the first issues in Anubis before it was moved to the [TecharoHQ org](https://github.com/TecharoHQ) was a request [to support challenging browsers without using JavaScript](https://github.com/Xe/x/issues/651). This is a pretty challenging thing to do without rethinking how Anubis works from a fundamentally low level, and with v1.20.0, [Anubis finally has support for running without client-side JavaScript](https://github.com/TecharoHQ/anubis/issues/95) thanks to the [Meta Refresh](/docs/admin/configuration/challenges/metarefresh) challenge.
-
-When Anubis decides it needs to send a challenge to your browser, it sends a challenge page. Historically, this challenge page is [an HTML template](https://github.com/TecharoHQ/anubis/blob/main/web/index.templ) that kicks off some JavaScript, reads the challenge information out of the page body, and then solves it as fast as possible in order to let users see the website they want to visit.
-
-In v1.20.0, Anubis has a challenge registry to hold [different client challenge implementations](/docs/category/challenges). This allows us to implement anything we want as long as it can render a page to show a challenge and then check if the result is correct. This is going to be used to implement a WebAssembly-based proof of work option (one that will be way more efficient than the existing browser JS version), but as a proof of concept I implemented a simple challenge using [HTML `<meta refresh>`](https://en.wikipedia.org/wiki/Meta_refresh).
-
-In my testing, this has worked with every browser I have thrown it at (including CLI browsers, the browser embedded in emacs, etc.). The default configuration of Anubis does use the [meta refresh challenge](/docs/admin/configuration/challenges/metarefresh) for [clients with a very low suspicion](/docs/admin/configuration/thresholds), but by default clients will be sent an [easy proof of work challenge](/docs/admin/configuration/challenges/proof-of-work).
-
-If the false positive rate of this challenge turns out to not be very high in practice, the meta refresh challenge will be enabled by default for browsers in future versions of Anubis.
-
-### `robots2policy`
-
-Anubis was created because crawler bots don't respect [`robots.txt` files](https://www.robotstxt.org/). Administrators have been working on refining and crafting their `robots.txt` files for years, and one common comment is that people don't know where to start crafting their own rules.
-
-Anubis now ships with a [`robots2policy` tool](/docs/admin/robots2policy) that lets you convert your `robots.txt` file to an Anubis policy.
-
-```text
-robots2policy -input https://github.com/robots.txt
-```
-
-:::note
-
-If you installed Anubis from [an OS package](/docs/admin/native-install), you may need to run `anubis-robots2policy` instead of `robots2policy`.
-
-:::
-
-We hope that this will help you get started with Anubis faster. We are working on a version of this that will run in the documentation via WebAssembly.
-
-### Open Graph configuration is being moved to the policy file
-
-Anubis supports reading [Open Graph tags](/docs/admin/configuration/open-graph) from target services and returning them in challenge pages. This makes the right metadata show up when linking services protected by Anubis in chat applications or on social media.
-
-In order to test the migration of all of the configuration to the policy file, Open Graph configuration has been moved to the policy file. For more information, please read [the Open Graph configuration options](/docs/admin/configuration/open-graph#configuration-options).
-
-You can also set default Open Graph tags:
-
-```yaml
-openGraph:
-  enabled: true
-  ttl: 24h
-  # If set, return these opengraph values instead of looking them up with
-  # the target service.
-  #
-  # Correlates to properties in https://ogp.me/
-  override:
-    # og:title is required, it is the title of the website
-    "og:title": "Techaro Anubis"
-    "og:description": >-
-      Anubis is a Web AI Firewall Utility that helps you fight the bots
-      away so that you can maintain uptime at work!
-    "description": >-
-      Anubis is a Web AI Firewall Utility that helps you fight the bots
-      away so that you can maintain uptime at work!
-```
-
-## Improvements and optimizations
-
-One of the biggest improvements we've made in v1.20.0 is replacing [SHA-256 with xxhash](https://github.com/TecharoHQ/anubis/pull/676). Anubis uses hashes all over the place to help with identifying clients, matching against rules when allowing traffic through, in error messages sent to users, and more. Historically these have been done with [SHA-256](https://en.wikipedia.org/wiki/SHA-2), however this has been having a mild performance impact in real-world use. As a result, we now use [xxhash](https://xxhash.com/) when possible. This makes policy matching 3x faster in some scenarios and reduces memory usage across the board.
-
-Anubis now uses [bart](https://pkg.go.dev/github.com/gaissmai/bart) for doing IP address matching when you specify addresses in a `remote_address` check configuration or when you are matching against [advanced checks](/docs/admin/thoth). This uses the same kind of IP address routing configuration that your OS kernel does, making it very fast to query information about IP addresses. This makes IP address range matches anywhere from 3-14 times faster depending on the number of addresses it needs to match against. For more information and benchmarks, check out [@JasonLovesDoggo](https://github.com/JasonLovesDoggo)'s PR: [perf: replace cidranger with bart for significant performance improvements #675](https://github.com/TecharoHQ/anubis/pull/675).
-
-## What's up next?
-
-v1.21.0 is already shaping up to be a massive improvement as Anubis adds [internationalization](https://en.wikipedia.org/wiki/Internationalization) support, allowing your users to see its messages in the language they're most comfortable with.
-
-So far Anubis supports the following languages:
-
-- English (Simplified and Traditional)
-- French
-- Portugese (Brazil)
-- Spanish
-
-If you want to contribute translations, please [file an issue](https://github.com/TecharoHQ/anubis/issues/new) with your language of choice or submit a pull request to [the `lib/localization/locales` folder](https://github.com/TecharoHQ/anubis/tree/main/lib/localization/locales). We are about to introduce features to the translation stack, so you may want to hold off a hot minute, but we welcome any and all contributions to making Anubis useful to a global audience.
-
-Other things we plan to do:
-
-- Move configuration to the policy file
-- Support reloading the policy file at runtime without having to restart Anubis
-- Detecting if a client is "brand new"
-- A [Valkey](https://valkey.io/)-backed store for sharing information between instances of Anubis
-- Augmenting No-JS support in the paid product
-- TLS fingerprinting
-- Automated testing improvements in CI (FreeBSD CI support, better automated integration/functional testing, etc.)
-
-## Conclusion
-
-I hope that these features let you get the same Anubis power you've come to know and love and increases the things you can do with it! I've been really excited to ship [thresholds](/docs/admin/configuration/thresholds) and the cloud-based services for Anubis.
-
-If you run into any problems, please [file an issue](https://github.com/TecharoHQ/anubis/issues/new). Otherwise, have a good day and get back to making your communities great.

docs/blog/authors.yml

@@ -1,9 +0,0 @@
-xe:
-  name: Xe Iaso
-  title: CEO @ Techaro
-  url: https://github.com/Xe
-  image_url: https://github.com/Xe.png
-  email: xe@techaro.lol
-  page: true
-  socials:
-    github: Xe

docs/docs/CHANGELOG.md

@@ -11,214 +11,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-<!-- This changes the project to: -->
-
-- Add `COOKIE_SECURE` option to set the cookie [Secure flag](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Cookies#block_access_to_your_cookies)
-- Sets cookie defaults to use [SameSite: None](https://web.dev/articles/samesite-cookies-explained)
-- Determine the `BIND_NETWORK`/`--bind-network` value from the bind address ([#677](https://github.com/TecharoHQ/anubis/issues/677)).
-- Implement localization system. Find locale files in lib/localization/locales/.
-- Implement a [development container](https://containers.dev/) manifest to make contributions easier.
-- Fix dynamic cookie domains functionality ([#731](https://github.com/TecharoHQ/anubis/pull/731))
-- Add option for custom cookie prefix ([#732](https://github.com/TecharoHQ/anubis/pull/732))
-- Add translation for German language ([#741](https://github.com/TecharoHQ/anubis/pull/741))
-- Remove the "Success" interstitial after a proof of work challenge is concluded.
-- Anubis now has the concept of [storage backends](./admin/policies.mdx#storage-backends). These allow you to change how Anubis stores temporary data (in memory, on the disk, or in Valkey). If you run Anubis in an environment where you have a low amount of memory available for Anubis (eg: less than 64 megabytes), be sure to configure the [`bbolt`](./admin/policies.mdx#bbolt) storage backend.
-- The challenge issuance and validation process has been rewritten from scratch. Instead of generating challenge strings from request metadata (under the assumption that the values being compared against are stable), Anubis now generates random data for each challenge. This data is stored in the active [storage backend](./admin/policies.mdx#storage-backends) for up to 30 minutes. Fixes [#564](https://github.com/TecharoHQ/anubis/issues/564), [#746](https://github.com/TecharoHQ/anubis/issues/746), and other similar instances of this issue.
-- Add option for forcing a specific language ([#742](https://github.com/TecharoHQ/anubis/pull/742))
-- Add translation for Turkish language ([#751](https://github.com/TecharoHQ/anubis/pull/751))
-- Allow [Common Crawl](https://commoncrawl.org/) by default so scrapers have less incentive to scrape
-
-### Potentially breaking changes
-
-The following potentially breaking change applies to native installs with systemd only:
-
-Each instance of systemd service template now has a unique `RuntimeDirectory`, as opposed to each instance of the service sharing a `RuntimeDirectory`. This change was made to avoid [the `RuntimeDirectory` getting nuked any time one of the Anubis instances restarts](https://github.com/TecharoHQ/anubis/issues/748).
-
-If you configured Anubis' unix sockets to listen on `/run/anubis/foo.sock` for instance `anubis@foo`, you will need to configure Anubis to listen on `/run/anubis/foo/sock` and additionally configure your HTTP load balancer as appropriate.
-
-If you need the legacy behaviour, install this [systemd unit dropin](https://www.flatcar.org/docs/latest/setup/systemd/drop-in-units/):
-
-```systemd
-# /etc/systemd/system/anubis@.service.d/50-runtimedir.conf
-[Service]
-RuntimeDirectory=anubis
-```
-
-## v1.20.0: Thancred Waters
-
-The big ticket items are as follows:
-
-- Implement a no-JS challenge method: [`metarefresh`](./admin/configuration/challenges/metarefresh.mdx) ([#95](https://github.com/TecharoHQ/anubis/issues/95))
-- Implement request "weight", allowing administrators to customize the behaviour of Anubis based on specific criteria
-- Implement GeoIP and ASN based checks via [Thoth](https://anubis.techaro.lol/docs/admin/thoth) ([#206](https://github.com/TecharoHQ/anubis/issues/206))
-- Add [custom weight thresholds](./admin/configuration/thresholds.mdx) via CEL ([#688](https://github.com/TecharoHQ/anubis/pull/688))
-- Move Open Graph configuration [to the policy file](./admin/configuration/open-graph.mdx)
-- Enable support for Open Graph metadata to be returned by default instead of doing lookups against the target
-- Add `robots2policy` CLI utility to convert robots.txt files to Anubis challenge policies using CEL expressions ([#409](https://github.com/TecharoHQ/anubis/issues/409))
-- Refactor challenge presentation logic to use a challenge registry
-- Allow challenge implementations to register HTTP routes
-- [Imprint/Impressum support](./admin/configuration/impressum.mdx) ([#362](https://github.com/TecharoHQ/anubis/issues/362))
-- Fix "invalid response" after "Success!" in Chromium ([#564](https://github.com/TecharoHQ/anubis/issues/564))
-
-A lot of performance improvements have been made:
-
-- Replace internal SHA256 hashing with xxhash for 4-6x performance improvement in policy evaluation and cache operations
-- Optimized the OGTags subsystem with reduced allocations and runtime per request by up to 66%
-- Replace cidranger with bart for IP range checking, improving IP matching performance by 3-20x with zero heap
-  allocations
-
-And some cleanups/refactors were added:
-
-- Fix OpenGraph passthrough ([#717](https://github.com/TecharoHQ/anubis/issues/717))
-- Remove the unused `/test-error` endpoint and update the testing endpoint `/make-challenge` to only be enabled in
-  development
-- Add `--xff-strip-private` flag/envvar to toggle skipping X-Forwarded-For private addresses or not
-- Bump AI-robots.txt to version 1.37
-- Make progress bar styling more compatible (UXP, etc)
-- Add `--strip-base-prefix` flag/envvar to strip the base prefix from request paths when forwarding to target servers
-- Fix an off-by-one in the default threshold config
-- Add functionality for HS512 JWT algorithm
-- Add support for dynamic cookie domains with the `--cookie-dynamic-domain`/`COOKIE_DYNAMIC_DOMAIN` flag/envvar
-
-Request weight is one of the biggest ticket features in Anubis. This enables Anubis to be much closer to a Web Application Firewall and when combined with custom thresholds allows administrators to have Anubis take advanced reactions. For more information about request weight, see [the request weight section](./admin/policies.mdx#request-weight) of the policy file documentation.
-
-TL;DR when you have one or more WEIGHT rules like this:
-
-```yaml
-bots:
-  - name: gitea-session-token
-    action: WEIGH
-    expression:
-      all:
-        - '"Cookie" in headers'
-        - headers["Cookie"].contains("i_love_gitea=")
-    # Remove 5 weight points
-    weight:
-      adjust: -5
-```
-
-You can configure custom thresholds like this:
-
-```yaml
-thresholds:
-  - name: minimal-suspicion # This client is likely fine, its soul is lighter than a feather
-    expression: weight < 0 # a feather weighs zero units
-    action: ALLOW # Allow the traffic through
-
-  # For clients that had some weight reduced through custom rules, give them a
-  # lightweight challenge.
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight >= 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/metarefresh
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-
-  # For clients that are browser-like but have either gained points from custom
-  # rules or report as a standard browser.
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 2 # two leading zeros, very fast for most clients
-      report_as: 2
-
-  # For clients that are browser like and have gained many points from custom
-  # rules
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      # https://anubis.techaro.lol/docs/admin/configuration/challenges/proof-of-work
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
-```
-
-These thresholds apply when no other `ALLOW`, `DENY`, or `CHALLENGE` rule matches the request. `WEIGHT` rules add and remove request weight as needed:
-
-```yaml
-bots:
-  - name: gitea-session-token
-    action: WEIGH
-    expression:
-      all:
-        - '"Cookie" in headers'
-        - headers["Cookie"].contains("i_love_gitea=")
-    # Remove 5 weight points
-    weight:
-      adjust: -5
-
-  - name: bot-like-user-agent
-    action: WEIGH
-    expression: '"Bot" in userAgent'
-    # Add 5 weight points
-    weight:
-      adjust: 5
-```
-
-Of note: the default "generic browser" rule assigns 10 weight points:
-
-```yaml
-# Generic catchall rule
-- name: generic-browser
-  user_agent_regex: >-
-    Mozilla|Opera
-  action: WEIGH
-  weight:
-    adjust: 10
-```
-
-Adjust this as you see fit.
-
-## v1.19.1: Jenomis cen Lexentale - Echo 1
-
-- Return `data/bots/ai-robots-txt.yaml` to avoid breaking configs [#599](https://github.com/TecharoHQ/anubis/issues/599)
-
-## v1.19.0: Jenomis cen Lexentale
-
-Mostly a bunch of small features, no big ticket things this time.
-
-- Record if challenges were issued via the API or via embedded JSON in the challenge page HTML ([#531](https://github.com/TecharoHQ/anubis/issues/531))
-- Ensure that clients that are shown a challenge support storing cookies
-- Imprint the version number into challenge pages
-- Encode challenge pages with gzip level 1
-- Add PowerPC 64 bit little-endian builds (`GOARCH=ppc64le`)
 - Add `check-spelling` for spell checking
 - Add `--target-insecure-skip-verify` flag/envvar to allow Anubis to hit a self-signed HTTPS backend
 - Minor adjustments to FreeBSD rc.d script to allow for more flexible configuration.
 - Added Podman and Docker support for running Playwright tests
-- Add a default rule to throw challenges when a request with the `X-Firefox-Ai` header is set
 - Updated the nonce value in the challenge JWT cookie to be a string instead of a number
 - Rename cookies in response to user feedback
 - Ensure cookie renaming is consistent across configuration options
-- Add Bookstack app in data
-- Truncate everything but the first five characters of Accept-Language headers when making challenges
-- Ensure client JavaScript is served with Content-Type text/javascript.
-- Add `--target-host` flag/envvar to allow changing the value of the Host header in requests forwarded to the target service
-- Bump AI-robots.txt to version 1.31
-- Add `RuntimeDirectory` to systemd unit settings so native packages can listen over unix sockets
-- Added SearXNG instance tracker whitelist policy
-- Added Qualys SSL Labs whitelist policy
-- Fixed cookie deletion logic ([#520](https://github.com/TecharoHQ/anubis/issues/520), [#522](https://github.com/TecharoHQ/anubis/pull/522))
-- Add `--target-sni` flag/envvar to allow changing the value of the TLS handshake hostname in requests forwarded to the target service
-- Fixed CEL expression matching validator to now properly error out when it receives empty expressions
-- Added OpenRC init.d script
-- Added `--version` flag
-- Added `anubis_proxied_requests_total` metric to count proxied requests
-- Add `Applebot` as "good" web crawler
-- Reorganize AI/LLM crawler blocking into three separate stances, maintaining existing status quo as default
-- Split out AI/LLM user agent blocking policies, adding documentation for each
 
 ## v1.18.0: Varis zos Galvus
 
@@ -244,7 +43,7 @@ Or as complicated as:
   expression:
     all:
       - >-
-        (
+        (  
           userAgent.startsWith("git/") ||
           userAgent.contains("libgit") ||
           userAgent.startsWith("go-git") ||
@@ -315,6 +114,7 @@ Other changes:
 - Moved all CSS inline to the Xess package, changed colors to be CSS variables
 - Set or append to `X-Forwarded-For` header unless the remote connects over a loopback address [#328](https://github.com/TecharoHQ/anubis/issues/328)
 - Fixed mojeekbot user agent regex
+- Added support for running anubis behind a base path (e.g. `/myapp`)
 - Reduce Anubis' paranoia with user cookies ([#365](https://github.com/TecharoHQ/anubis/pull/365))
 - Added support for Open Graph passthrough while using unix sockets
 - The Open Graph subsystem now passes the HTTP `HOST` header through to the origin

docs/docs/admin/botstopper.mdx

@@ -1,215 +0,0 @@
----
-title: "Commercial support and an unbranded version"
----
-
-If you want to use Anubis but organizational policies prevent you from using the branding that the open source project ships, we offer a commercial version of Anubis named BotStopper. BotStopper builds off of the open source core of Anubis and offers organizations more control over the branding, including but not limited to:
-
-- Custom images for different states of the challenge process (in process, success, failure)
-- Custom CSS and fonts
-- Custom titles for the challenge and error pages
-- "Anubis" replaced with "BotStopper" across the UI
-- A private bug tracker for issues
-
-In the near future this will expand to:
-
-- A private challenge implementation that does advanced fingerprinting to check if the client is a genuine browser or not
-- Advanced fingerprinting via [Thoth-based advanced checks](./thoth.mdx)
-
-In order to sign up for BotStopper, please do one of the following:
-
-- Sign up [on GitHub Sponsors](https://github.com/sponsors/Xe) at the $50 per month tier or higher
-- Email [sales@techaro.lol](mailto:sales@techaro.lol) with your requirements for invoicing, please note that custom invoicing will cost more than using GitHub Sponsors for understandable overhead reasons
-
-## Installation
-
-Install BotStopper like you would Anubis, but replace the image reference. EG:
-
-```diff
--ghcr.io/techarohq/anubis:latest
-+ghcr.io/techarohq/botstopper/anubis:latest
-```
-
-### Binary packages
-
-Binary packages are available [in the GitHub Releases page](https://github.com/TecharoHQ/botstopper/releases), the main difference is that the package name is `techaro-botstopper`, the systemd service is `techaro-botstopper@your-instance.service`, the binary is `/usr/bin/botstopper`, and the configuration is in `/etc/techaro-botstopper`. All other instructions in the [native package install guide](./native-install.mdx) apply.
-
-### Docker / Podman
-
-In order to pull the BotStopper image, you need to [authenticate with GitHub's Container Registry](https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry).
-
-```text
-docker login ghcr.io -u your-username --password-stdin
-```
-
-Then you can use the image as normal.
-
-### Kubernetes
-
-If you are using Kubernetes, you will need to create an image pull secret:
-
-```text
-kubectl create secret docker-registry \
-  techarohq-botstopper \
-  --docker-server ghcr.io \
-  --docker-username your-username \
-  --docker-password your-access-token \
-  --docker-email your@email.address
-```
-
-Then attach it to your Deployment:
-
-```diff
-     spec:
-       securityContext:
-         fsGroup: 1000
-+      imagePullSecrets:
-+      - name: techarohq-botstopper
-```
-
-## Configuration
-
-### Docker compose
-
-Follow [the upstream Docker compose directions](https://anubis.techaro.lol/docs/admin/environments/docker-compose) with the following additional options:
-
-```diff
-   anubis:
-     image: ghcr.io/techarohq/botstopper/anubis:latest
-     environment:
-       BIND: ":8080"
-       DIFFICULTY: "4"
-       METRICS_BIND: ":9090"
-       SERVE_ROBOTS_TXT: "true"
-       TARGET: "http://nginx"
-       OG_PASSTHROUGH: "true"
-       OG_EXPIRY_TIME: "24h"
-
-+      # botstopper config here
-+      CHALLENGE_TITLE: "Doing math for your connnection!"
-+      ERROR_TITLE: "Something went wrong!"
-+      OVERLAY_FOLDER: /assets
-+    volumes:
-+      - "./your_folder:/assets"
-```
-
-#### Example
-
-There is an example in [docker-compose.yaml](https://github.com/TecharoHQ/botstopper/blob/main/docker-compose.yaml). Start the example with `docker compose up`:
-
-```text
-docker compose up -d
-```
-
-And then open [https://botstopper.local.cetacean.club:8443](https://botstopper.local.cetacean.club:8443) in your browser.
-
-> [!NOTE]  
-> This uses locally signed sacrificial TLS certificates stored in `./demo/pki`. Your browser will rightly reject these. Here is what the example looks like:
->
-> ![](/img/botstopper/example-screenshot.webp)
-
-## Custom images and CSS
-
-Anubis uses an internal filesystem that contains CSS, JavaScript, and images. The BotStopper variant of Anubis lets you specify an overlay folder with the environment variable `OVERLAY_FOLDER`. The contents of this folder will be overlaid on top of Anubis' internal filesystem, allowing you to easily customize the images and CSS.
-
-Your directory tree should look like this, assuming your data is in `./your_folder`:
-
-```text
-./your_folder
-└── static
-    ├── css
-    │   └── custom.css
-    └── img
-        ├── happy.webp
-        ├── pensive.webp
-        └── reject.webp
-```
-
-For an example directory tree using some off-the-shelf images the Tango icon set, see the [testdata](https://github.com/TecharoHQ/botstopper/tree/main/testdata/static/img) folder.
-
-### Custom CSS
-
-CSS customization is done mainly with CSS variables. View [the example custom CSS file](https://github.com/TecharoHQ/botstopper/blob/main/testdata/static/css/custom.css) for more information about what can be customized.
-
-### Custom fonts
-
-If you want to add custom fonts, copy the `woff2` files alongside your `custom.css` file and then include them with the [`@font-face` CSS at-rule](https://developer.mozilla.org/en-US/docs/Web/CSS/@font-face):
-
-```css
-@font-face {
-  font-family: "Oswald";
-  font-style: normal;
-  font-weight: 200 900;
-  font-display: swap;
-  src: url("./fonts/oswald.woff2") format("woff2");
-}
-```
-
-Then adjust your CSS variables accordingly:
-
-```css
-:root {
-  --body-sans-font: Oswald, sans-serif;
-  --body-preformatted-font: monospace;
-  --body-title-font: serif;
-}
-```
-
-To convert `.ttf` fonts to [Web-optimized woff2 fonts](https://www.w3.org/TR/WOFF2/), use the `woff2_compress` command from the `woff2` or `woff2-tools` package:
-
-```console
-$ woff2_compress oswald.ttf
-Processing oswald.ttf => oswald.woff2
-Compressed 159517 to 70469.
-```
-
-Then you can import and use it as normal.
-
-### Customizing images
-
-Anubis uses three images to visually communicate the state of the program. These are:
-
-| Image name     | Intended message                                 | Example                           |
-| :------------- | :----------------------------------------------- | :-------------------------------- |
-| `happy.webp`   | You have passed validation, all is good          | ![](/img/botstopper/happy.webp)   |
-| `pensive.webp` | Checking is running, hold steady until it's done | ![](/img/botstopper/pensive.webp) |
-| `reject.webp`  | Something went wrong, this is a terminal state   | ![](/img/botstopper/reject.webp)  |
-
-To make your own images at the optimal quality, use the following ffmpeg command:
-
-```text
-ffmpeg -i /path/to/image -vf scale=-1:384 happy.webp
-```
-
-`ffprobe` should report something like this on the generated images:
-
-```text
-Input #0, webp_pipe, from 'happy.webp':
-  Duration: N/A, bitrate: N/A
-  Stream #0:0: Video: webp, none, 25 fps, 25 tbr, 25 tbn
-```
-
-In testing 384 by 384 pixels gives the best balance between filesize, quality, and clarity.
-
-```text
-$ du -hs *
-4.0K    happy.webp
- 12K    pensive.webp
-8.0K    reject.webp
-```
-
-## Customizing messages
-
-You can customize messages using the following environment variables:
-
-| Message              | Environment variable | Default                                    |
-| :------------------- | :------------------- | :----------------------------------------- |
-| Challenge page title | `CHALLENGE_TITLE`    | `Ensuring the security of your connection` |
-| Error page title     | `ERROR_TITLE`        | `Error`                                    |
-
-For example:
-
-```sh
-# /etc/techaro-botstopper/gitea.env
-CHALLENGE_TITLE="Wait a moment please!"
-ERROR_TITLE="Client error"
-```

docs/docs/admin/configuration/challenges/_category_.json

@@ -1,8 +0,0 @@
-{
-  "label": "Challenges",
-  "position": 10,
-  "link": {
-    "type": "generated-index",
-    "description": "The different challenge methods that Anubis supports."
-  }
-}

docs/docs/admin/configuration/challenges/metarefresh.mdx

@@ -1,19 +0,0 @@
-# Meta Refresh (No JavaScript)
-
-The `metarefresh` challenge sends a browser a much simpler challenge that makes it refresh the page after a set period of time. This enables clients to pass challenges without executing JavaScript.
-
-To use it in your Anubis configuration:
-
-```yaml
-# Generic catchall rule
-- name: generic-browser
-  user_agent_regex: >-
-    Mozilla|Opera
-  action: CHALLENGE
-  challenge:
-    difficulty: 1 # Number of seconds to wait before refreshing the page
-    report_as: 4 # Unused by this challenge method
-    algorithm: metarefresh # Specify a non-JS challenge method
-```
-
-This is not enabled by default while this method is tested and its false positive rate is ascertained. Many modern scrapers use headless Google Chrome, so this will have a much higher false positive rate.

docs/docs/admin/configuration/challenges/proof-of-work.mdx

@@ -1,5 +0,0 @@
-# Proof of Work (JavaScript)
-
-When Anubis is configured to use the `fast` or `slow` challenge methods, clients will be sent a small [proof of work](https://en.wikipedia.org/wiki/Proof_of_work) challenge. In order to get a token used to access the upstream resource, clients must calculate a complicated math puzzle with JavaScript.
-
-A `fast` challenge uses a heavily optimized multithreaded implementation and a `slow` challenge uses a simplistic single-threaded implementation. The `slow` method is kept around for legacy compatibility.

docs/docs/admin/configuration/expressions.mdx

@@ -143,29 +143,7 @@ Anubis would return a challenge because all of those conditions are true.
 
 ## Functions exposed to Anubis expressions
 
-Anubis expressions can be augmented with the following functions:
-
-### `randInt`
-
-```ts
-function randInt(n: int): int;
-```
-
-randInt returns a randomly selected integer value in the range of `[0,n)`. This is a thin wrapper around [Go's math/rand#Intn](https://pkg.go.dev/math/rand#Intn). Be careful with this as it may cause inconsistent behavior for genuine users.
-
-This is best applied when doing explicit block rules, eg:
-
-```yaml
-# Denies LightPanda about 75% of the time on average
-- name: deny-lightpanda-sometimes
-  action: DENY
-  expression:
-    all:
-      - userAgent.matches("LightPanda")
-      - randInt(16) >= 4
-```
-
-It seems counter-intuitive to allow known bad clients through sometimes, but this allows you to confuse attackers by making Anubis' behavior random. Adjust the thresholds and numbers as facts and circumstances demand.
+There are currently no functions from the Anubis runtime exposed to expressions. This will change in the future.
 
 ## Life advice
 

docs/docs/admin/configuration/import.mdx

@@ -14,7 +14,7 @@ EG:
 {
   "bots": [
     {
-      "import": "(data)/bots/ai-catchall.yaml"
+      "import": "(data)/bots/ai-robots-txt.yaml"
     },
     {
       "import": "(data)/bots/cloudflare-workers.yaml"
@@ -29,8 +29,8 @@ EG:
 ```yaml
 bots:
   # Pathological bots to deny
-  - # This correlates to data/bots/ai-catchall.yaml in the source tree
-    import: (data)/bots/ai-catchall.yaml
+  - # This correlates to data/bots/ai-robots-txt.yaml in the source tree
+    import: (data)/bots/ai-robots-txt.yaml
   - import: (data)/bots/cloudflare-workers.yaml
 ```
 
@@ -46,7 +46,7 @@ Of note, a bot rule can either have inline bot configuration or import a bot con
 {
   "bots": [
     {
-      "import": "(data)/bots/ai-catchall.yaml",
+      "import": "(data)/bots/ai-robots-txt.yaml",
       "name": "generic-browser",
       "user_agent_regex": "Mozilla|Opera\n",
       "action": "CHALLENGE"
@@ -60,7 +60,7 @@ Of note, a bot rule can either have inline bot configuration or import a bot con
 
 ```yaml
 bots:
-  - import: (data)/bots/ai-catchall.yaml
+  - import: (data)/bots/ai-robots-txt.yaml
     name: generic-browser
     user_agent_regex: >
       Mozilla|Opera
@@ -167,7 +167,7 @@ static
 ├── botPolicies.json
 ├── botPolicies.yaml
 ├── bots
-│   ├── ai-catchall.yaml
+│   ├── ai-robots-txt.yaml
 │   ├── cloudflare-workers.yaml
 │   ├── headless-browsers.yaml
 │   └── us-ai-scraper.yaml

docs/docs/admin/configuration/impressum.mdx

@@ -1,70 +0,0 @@
-# Imprint / Impressum configuration
-
-Some jurisdictions (such as the European Union and specifically Germany) [must have contact information freely available](https://www.privacycompany.eu/blog/the-imprint-requirement-a-must-have-for-companies-from-outside-germany) on an imprint/impressum page. Anubis supports creating an Anubis-specific imprint page for your organization with the `impressum` block in your bot policy file. For example:
-
-```yaml
-impressum:
-  # Displayed at the bottom of every page rendered by Anubis.
-  footer: >-
-    This website is hosted by Techaro. If you have any complaints or notes 
-    about the service, please contact
-    <a href="mailto:contact@techaro.lol">contact@techaro.lol</a> and we
-    will assist you as soon as possible.
-
-  # The imprint page that will be linked to at the footer of every Anubis page.
-  page:
-    # The HTML <title> of the page
-    title: Imprint and Privacy Policy
-    # The HTML contents of the page. The exact contents of this page can
-    # and will vary by locale. Please consult with a lawyer if you are not
-    # sure what to put here
-    body: >-
-      <p>Last updated: June 2025</p>
-
-      <h2>Information that is gathered from visitors</h2>
-
-      <p>In common with other websites, log files are stored on the web server saving details such as the visitor's IP address, browser type, referring page and time of visit.</p>
-
-      <p>Cookies may be used to remember visitor preferences when interacting with the website.</p>
-
-      <p>Where registration is required, the visitor's email and a username will be stored on the server.</p>
-
-      <!-- ... -->
-```
-
-If you are subscribed to and using [advanced classification features](../thoth.mdx), be sure to disclose the following:
-
-```html
-<h2>Techaro Anubis</h2>
-
-<p>
-  This website uses a service called
-  <a href="https://anubis.techaro.lol">Anubis</a> by
-  <a href="https://techaro.lol">Techaro</a> to filter malicious traffic. Anubis
-  requires the use of browser cookies to ensure that web clients are running
-  conformant software. Anubis also may report the following data to Techaro to
-  improve service quality:
-</p>
-
-<ul>
-  <li>
-    IP address (for purposes of matching against geo-location and BGP autonomous
-    systems numbers), which is stored in-memory and not persisted to disk.
-  </li>
-  <li>
-    Unique browser fingerprints (such as HTTP request fingerprints and
-    encryption system fingerprints), which may be stored on Techaro's side for a
-    period of up to one month.
-  </li>
-  <li>
-    HTTP request metadata that may include things such as the User-Agent header
-    and other identifiers.
-  </li>
-</ul>
-
-<p>
-  This data is processed and stored for the legitimate interest of combatting
-  abusive web clients. This data is encrypted at rest as much as possible and is
-  only decrypted in memory for the purposes of fulfilling requests.
-</p>
-```

docs/docs/admin/configuration/open-graph.mdx

@@ -9,45 +9,12 @@ This page provides detailed information on how to configure [Open Graph tag](htt
 
 ## Configuration Options
 
-Open Graph settings are configured in the `openGraph` section of the [Policy File](../policies.mdx).
-
-```yaml
-openGraph:
-  # Enables Open Graph passthrough
-  enabled: true
-  # Enables the use of the HTTP host in the cache key, this enables
-  # caching metadata for multiple http hosts at once.
-  considerHost: true
-  # How long cached OpenGraph metadata should last in memory
-  ttl: 24h
-  # If set, return these opengraph values instead of looking them up with
-  # the target service.
-  #
-  # Correlates to properties in https://ogp.me/
-  override:
-    # og:title is required, it is the title of the website
-    "og:title": "Techaro Anubis"
-    "og:description": >-
-      Anubis is a Web AI Firewall Utility that helps you fight the bots
-      away so that you can maintain uptime at work!
-    "description": >-
-      Anubis is a Web AI Firewall Utility that helps you fight the bots
-      away so that you can maintain uptime at work!
-```
-
-<details>
-<summary>Configuration flags / envvars (old)</summary>
-
-Open Graph passthrough used to be configured with configuration flags / environment variables. Reference to these settings are maintained for backwards compatibility's sake.
-
 | Name                     | Description                                               | Type     | Default | Example                       |
 | ------------------------ | --------------------------------------------------------- | -------- | ------- | ----------------------------- |
 | `OG_PASSTHROUGH`         | Enables or disables the Open Graph tag passthrough system | Boolean  | `true`  | `OG_PASSTHROUGH=true`         |
 | `OG_EXPIRY_TIME`         | Configurable cache expiration time for Open Graph tags    | Duration | `24h`   | `OG_EXPIRY_TIME=1h`           |
 | `OG_CACHE_CONSIDER_HOST` | Enables or disables the use of the host in the cache key  | Boolean  | `false` | `OG_CACHE_CONSIDER_HOST=true` |
 
-</details>
-
 ## Usage
 
 To configure Open Graph tags, you can set the following environment variables, environment file or as flags in your Anubis configuration:

docs/docs/admin/configuration/subrequest-auth.mdx

@@ -10,20 +10,6 @@ Anubis can act in one of two modes:
 1. Reverse proxy (the default): Anubis sits in the middle of all traffic and then will reverse proxy it to its destination. This is the moral equivalent of a middleware in your favorite web framework.
 2. Subrequest authentication mode: Anubis listens for requests and if they don't pass muster then they are forwarded to Anubis for challenge processing. This is the equivalent of Anubis being a sidecar service.
 
-:::note
-
-Subrequest authentication requires changing the default policy because nginx interprets the default `DENY` status code `200` as successful authentication and allows the request.
-
-```yaml
-status_codes:
-  CHALLENGE: 200
-  DENY: 403
-```
-
-[See policy definitions](../policies.mdx).
-
-:::
-
 ## Nginx
 
 Anubis can perform [subrequest authentication](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) with the `auth_request` module in Nginx. In order to set this up, keep the following things in mind:

docs/docs/admin/configuration/thresholds.mdx

@@ -1,140 +0,0 @@
-# Weight Threshold Configuration
-
-Anubis offers the ability to assign "weight" to requests. This is a custom level of suspicion that rules can add to or remove from. For example, here's how you assign 10 weight points to anything that might be a browser:
-
-```yaml
-# botPolicies.yaml
-
-bots:
-  - name: generic-browser
-    user_agent_regex: >-
-      Mozilla|Opera
-    action: WEIGH
-    weight:
-      adjust: 10
-```
-
-Thresholds let you take this per-request weight value and take actions in response to it. Thresholds are defined alongside your bot configuration in `botPolicies.yaml`.
-
-:::note
-
-Thresholds DO NOT apply when a request matches a bot rule with the CHALLENGE action. Thresholds only apply when requests don't match any terminal bot rules.
-
-:::
-
-```yaml
-# botPolicies.yaml
-
-bots: ...
-
-thresholds:
-  - name: minimal-suspicion
-    expression: weight < 0
-    action: ALLOW
-
-  - name: mild-suspicion
-    expression:
-      all:
-        - weight >= 0
-        - weight < 10
-    action: CHALLENGE
-    challenge:
-      algorithm: metarefresh
-      difficulty: 1
-      report_as: 1
-
-  - name: moderate-suspicion
-    expression:
-      all:
-        - weight >= 10
-        - weight < 20
-    action: CHALLENGE
-    challenge:
-      algorithm: fast
-      difficulty: 2
-      report_as: 2
-
-  - name: extreme-suspicion
-    expression: weight >= 20
-    action: CHALLENGE
-    challenge:
-      algorithm: fast
-      difficulty: 4
-      report_as: 4
-```
-
-This defines a suite of 4 thresholds:
-
-1. If the request weight is less than zero, allow it through.
-2. If the request weight is greater than or equal to zero, but less than ten: give it [a very lightweight challenge](./challenges/metarefresh.mdx).
-3. If the request weight is greater than or equal to ten, but less than twenty: give it [a slightly heavier challenge](./challenges/proof-of-work.mdx).
-4. Otherwise, give it [the heaviest challenge](./challenges/proof-of-work.mdx).
-
-Thresholds can be configured with the following options:
-
-<table>
-  <thead>
-  <tr>
-    <th>Name</th>
-    <th>Description</th>
-    <th>Example</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr>
-      <td>`name`</td>
-      <td>The human-readable name for this threshold.</td>
-      <td>
-
-```yaml
-name: extreme-suspicion
-```
-
-      </td>
-    </tr>
-    <tr>
-    <td>`expression`</td>
-    <td>A [CEL](https://cel.dev/) expression taking the request weight and returning true or false</td>
-    <td>
-
-To check if the request weight is less than zero:
-
-```yaml
-expression: weight < 0
-```
-
-To check if it's between 0 and 10 (inclusive):
-
-```yaml
-expression:
-  all:
-    - weight >= 0
-    - weight < 10
-```
-
-    </td>
-    </tr>
-    <tr>
-    <td>`action`</td>
-    <td>The Anubis action to apply: `ALLOW`, `CHALLENGE`, or `DENY`</td>
-    <td>
-
-```yaml
-action: ALLOW
-```
-
-If you set the CHALLENGE action, you must set challenge details:
-
-```yaml
-action: CHALLENGE
-challenge:
-  algorithm: metarefresh
-  difficulty: 1
-  report_as: 1
-```
-
-    </td>
-    </tr>
-
-  </tbody>
-</table>

docs/docs/admin/environments/apache.mdx

@@ -34,6 +34,27 @@ These examples assume that you are using a setup where your nginx configuration
 
 :::
 
+## Dependencies
+
+Install the following dependencies for proxying HTTP:
+
+<Tabs>
+  <TabItem value="rpm" label="Red Hat / RPM" default>
+
+```text
+dnf -y install mod_proxy_html
+```
+
+  </TabItem>
+  <TabItem value="deb" label="Debian / Ubuntu / apt">
+
+```text
+apt-get install -y libapache2-mod-proxy-html libxml2-dev
+```
+
+  </TabItem>
+</Tabs>
+
 ## Configuration
 
 Assuming you are protecting `anubistest.techaro.lol`, you need the following server configuration blocks:
@@ -71,7 +92,6 @@ Assuming you are protecting `anubistest.techaro.lol`, you need the following ser
        # throw an "admin misconfiguration" error.
        RequestHeader set "X-Real-Ip" expr=%{REMOTE_ADDR}
        RequestHeader set X-Forwarded-Proto "https"
-       RequestHeader set "X-Http-Version" "%{SERVER_PROTOCOL}s"
 
        ProxyPreserveHost On
 
@@ -99,14 +119,6 @@ Make sure to add a separate configuration file for the listener on port 3001:
 ```text
 # /etc/httpd/conf.d/listener-3001.conf
 
-Listen [::1]:3001
-```
-
-In case you are running an IPv4-only system, use the following configuration instead:
-
-```text
-# /etc/httpd/conf.d/listener-3001.conf
-
 Listen 127.0.0.1:3001
 ```
 

docs/docs/admin/environments/nginx.mdx

@@ -61,7 +61,6 @@ server {
   location / {
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
-    proxy_set_header X-Http-Version $server_protocol;
     proxy_pass http://anubis;
   }
 

docs/docs/admin/environments/traefik.mdx

@@ -3,10 +3,11 @@ id: traefik
 title: Traefik
 ---
 
+
 :::note
 
-This only talks about integration through Compose,
-but it also applies to docker cli options.
+ This only talks about integration through Compose,
+ but it also applies to docker cli options.
 
 :::
 

docs/docs/admin/frameworks/_category_.json

@@ -1,8 +0,0 @@
-{
-  "label": "Frameworks",
-  "position": 30,
-  "link": {
-    "type": "generated-index",
-    "description": "Information about getting specific frameworks or tools working with Anubis."
-  }
-}

docs/docs/admin/frameworks/htmx.mdx

@@ -1,45 +0,0 @@
-# HTMX
-
-import Tabs from "@theme/Tabs";
-import TabItem from "@theme/TabItem";
-
-[HTMX](https://htmx.org) is a framework that enables you to write applications using hypertext as the engine of application state. This enables you to simplify you server side code by having it return HTML instead of JSON. This can interfere with Anubis because Anubis challenge pages also return HTML.
-
-To work around this, you can make a custom [expression](../configuration/expressions.mdx) rule that allows HTMX requests if the user has passed a challenge in the past:
-
-<Tabs>
-<TabItem value="json" label="JSON">
-
-```json
-{
-  "name": "allow-htmx-iff-already-passed-challenge",
-  "action": "ALLOW",
-  "expression": {
-    "all": [
-      "\"Cookie\" in headers",
-      "headers[\"Cookie\"].contains(\"anubis-auth\")",
-      "\"Hx-Request\" in headers",
-      "headers[\"Hx-Request\"] == \"true\""
-    ]
-  }
-}
-```
-
-</TabItem>
-<TabItem value="yaml" label="YAML" default>
-
-```yaml
-- name: allow-htmx-iff-already-passed-challenge
-  action: ALLOW
-  expression:
-    all:
-      - '"Cookie" in headers'
-      - 'headers["Cookie"].contains("anubis-auth")'
-      - '"Hx-Request" in headers'
-      - 'headers["Hx-Request"] == "true"'
-```
-
-</TabItem>
-</Tabs>
-
-This will reduce some security because it does not assert the validity of the Anubis auth cookie, however in trade it improves the experience for existing users.