Merge branch 'main' into prepare-caddy-embedding-core

Signed-off-by: Jason Cameron <git@jasoncameron.dev>

.github/actions/spelling/allow.txt

@@ -41,9 +41,3 @@ setuplistener
 mba
 xfu
 xou
-AWOO
-firewalls
-bindhosts
-handrolled
-xai
-gitlab

.github/workflows/asset-verification.yml

@@ -22,7 +22,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0

.github/workflows/docker-pr.yml

@@ -26,7 +26,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -37,7 +37,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ghcr.io/${{ github.repository }}
 

.github/workflows/docker.yml

@@ -36,7 +36,7 @@ jobs:
         run: |
           echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY,,}" >> $GITHUB_ENV
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -46,7 +46,7 @@ jobs:
       - uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
 
       - name: Log into registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
@@ -54,7 +54,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ${{ env.IMAGE }}
 

.github/workflows/docs-deploy.yml

@@ -22,10 +22,10 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Log into registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: techarohq
@@ -33,7 +33,7 @@ jobs:
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |
@@ -42,7 +42,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ./docs
           cache-to: type=gha
@@ -53,14 +53,14 @@ jobs:
           push: true
 
       - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@af0e87aaa9cd98820383c16cba28c644ba85c067 # v1.36.1
+        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
         env:
           KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
         with:
           args: apply -k docs/manifest
 
       - name: Apply k8s manifests to limsa lominsa
-        uses: actions-hub/kubectl@af0e87aaa9cd98820383c16cba28c644ba85c067 # v1.36.1
+        uses: actions-hub/kubectl@934aaa4354bbbc3d2176ae8d7cae92d515032dff # v1.35.3
         env:
           KUBE_CONFIG: ${{ secrets.LIMSA_LOMINSA_KUBECONFIG }}
         with:

.github/workflows/docs-test.yml

@@ -18,11 +18,11 @@ jobs:
           persist-credentials: false
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
       - name: Docker meta
         id: meta
-        uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: ghcr.io/techarohq/anubis/docs
           tags: |
@@ -31,7 +31,7 @@ jobs:
 
       - name: Build and push
         id: build
-        uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
         with:
           context: ./docs
           cache-to: type=gha

.github/workflows/go.yml

@@ -24,7 +24,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -32,7 +32,7 @@ jobs:
           go-version: "stable"
 
       - name: Cache playwright binaries
-        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         id: playwright-cache
         with:
           path: |

.github/workflows/package-builds-stable.yml

@@ -25,7 +25,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0

.github/workflows/package-builds-unstable.yml

@@ -26,7 +26,7 @@ jobs:
           sudo apt-get update
           sudo apt-get install -y build-essential
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -41,7 +41,7 @@ jobs:
         run: |
           go tool yeet
 
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: packages
           path: var/*

.github/workflows/smoke-tests.yml

@@ -35,7 +35,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "24.11.0"
       - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
@@ -58,7 +58,7 @@ jobs:
         run: echo "ARTIFACT_NAME=${{ matrix.test }}" | sed 's|/|-|g' >> $GITHUB_ENV
 
       - name: Upload artifact
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         if: always()
         with:
           name: ${{ env.ARTIFACT_NAME }}

.github/workflows/ssh-ci-runner-cron.yml

@@ -24,13 +24,13 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
       - name: Log into registry
-        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
+        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Build and push
         run: |
           cd ./test/ssh-ci

.github/workflows/zizmor.yml

@@ -21,7 +21,7 @@ jobs:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
 
       - name: Run zizmor 🌈
         run: uvx zizmor --format sarif . > results.sarif
@@ -29,7 +29,7 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           sarif_file: results.sarif
           category: zizmor

.ko.yaml

@@ -10,3 +10,4 @@ builds:
     ldflags:
       - -s -w
       - -extldflags "-static"
+      - -X github.com/TecharoHQ/anubis.Version={{.Env.VERSION}}

anubis.go

@@ -1,27 +1,12 @@
 // Package anubis contains the version number of Anubis.
 package anubis
 
-import (
-	"runtime/debug"
-	"time"
-)
-
-func init() {
-	bi, ok := debug.ReadBuildInfo()
-	if !ok {
-		return
-	}
-
-	// XXX(Xe): many things in this repo assume that the development version
-	// of anubis is `devel` and ReadBuildInfo returns `(devel)`. Shim the gap.
-	if bi.Main.Version != "(devel)" {
-		Version = bi.Main.Version
-	}
-}
+import "time"
 
 // Version is the current version of Anubis.
 //
-// This is set from the Go module runtime version.
+// This variable is set at build time using the -X linker flag. If not set,
+// it defaults to "devel".
 var Version = "devel"
 
 // CookieName is the name of the cookie that Anubis uses in order to validate

cmd/anubis/main.go

@@ -36,7 +36,6 @@ import (
 	"github.com/TecharoHQ/anubis/lib/thoth"
 	"github.com/TecharoHQ/anubis/web"
 	"github.com/facebookgo/flagenv"
-	"github.com/google/uuid"
 	_ "github.com/joho/godotenv/autoload"
 	healthv1 "google.golang.org/grpc/health/grpc_health_v1"
 )
@@ -194,9 +193,6 @@ func main() {
 	flagenv.Parse()
 	flag.Parse()
 
-	// Must be set before any concurrent UUID call.
-	uuid.EnableRandPool()
-
 	if *versionFlag {
 		fmt.Println("Anubis", anubis.Version)
 		return

data/botPolicies.yaml

@@ -41,9 +41,6 @@ bots:
   # Challenge Firefox AI previews
   - import: (data)/clients/x-firefox-ai.yaml
 
-  # x.ai has a scraper that is killing gitlab instances
-  - import: (data)/crawlers/xai.yaml
-
   # Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
   - import: (data)/common/keep-internet-working.yaml
 

data/crawlers/xai.yaml

@@ -1,8 +0,0 @@
-- name: xai-crawler-and-asn
-  action: DENY
-  user_agent_regex: code-review-sourcing.*\+xai-research
-  remote_addresses:
-    - 69.12.56.0/21
-- name: xai-crawler-user-agent
-  action: DENY
-  user_agent_regex: code-review-sourcing.*\+xai-research

data/meta/default-config.yaml

@@ -25,9 +25,6 @@
 # Challenge Firefox AI previews
 - import: (data)/clients/x-firefox-ai.yaml
 
-# x.ai has a scraper that is killing gitlab instances
-- import: (data)/crawlers/xai.yaml
-
 # Allow common "keeping the internet working" routes (well-known, favicon, robots.txt)
 - import: (data)/common/keep-internet-working.yaml
 

docs/docs/CHANGELOG.md

@@ -13,37 +13,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- This changes the project to: -->
 
-- Patch [GHSA-6wcg-mqvh-fcvg](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-6wcg-mqvh-fcvg) by containing subrequest logic to Anubis instances in subrequest mode.
-- Implement robot9001 style delays on the honeypot feature so that the first hit takes 1 millisecond, the second takes 2, etc.
-- Move metrics server configuration to [the policy file](./admin/policies.mdx#metrics-server).
+- Patch [GHSA-6wcg-mqvh-fcvg](https://github.com/TecharoHQ/anubis/security/advisories/GHSA-6wcg-mqvh-fcvg) by containing subrequest logic to Anubis instances in subrequest mode
+- Implement robot9001 style delays on the honeypot feature so that the first hit takes 1 millisecond, the second takes 2, etc
+- Move metrics server configuration to [the policy file](./admin/policies.mdx#metrics-server)
 - Expose [pprof endpoints](https://pkg.go.dev/net/http/pprof) on the metrics listener to enable profiling Anubis in production.
 - fix: prevent nil pointer panic in challenge validation when threshold rules match during PassChallenge (#1463)
-- Instruct reverse proxies to not cache error pages.
+- Instruct reverse proxies to not cache error pages
 - Fixed mixed tab/space indentation in Caddy documentation code block
 - Improve error messages and fix broken REDIRECT_DOMAINS link in docs ([#1193](https://github.com/TecharoHQ/anubis/issues/1193))
 - Add Bulgarian locale ([#1394](https://github.com/TecharoHQ/anubis/pull/1394))
 - Fixed case-sensitivity mismatch in geoipchecker.go
-- Use [Go's native version stamping](https://michael.stapelberg.ch/posts/2026-04-05-stamp-it-all-programs-must-report-their-version/) instead of a handrolled variant.
-- Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465)).
-- Enable [metrics serving via TLS](./admin/policies.mdx#tls), including [mutual TLS (mTLS)](./admin/policies.mdx#mtls).
-- Enable [HTTP basic auth](./admin/policies.mdx#http-basic-authentication) for the metrics server.
-- Fix a bug in the dataset poisoning maze that could allow denial of service [#1580](https://github.com/TecharoHQ/anubis/issues/1580).
-- Add config option to add ASN to logs/metrics.
-- Log weight when issuing challenge.
-- Block x.ai's crawler for code review training.
-- Gate pprof endpoints behind `metrics.debug` in the policy file.
-- Limit naive honeypot r9k delay to one second.
-- Fix an obscure case where adding query values to a subrequest match could cause an invalid rule match when using path based matching for protected resources.
-- Fix an edge case where load average expression values could nil pointer dereference when Anubis just started up.
-- Fix an obscure case where Anubis in subrequest mode could allow redirects to invalid domains with strange instructions.
-- Fix `path_regex` and CEL `path` rules not matching when using Traefik `forwardAuth` middleware. Anubis now checks `X-Forwarded-Uri` (Traefik) in addition to `X-Original-URI` (nginx) when resolving the request path in subrequest mode ([#1628](https://github.com/TecharoHQ/anubis/issues/1628)).
-- Validate bounds in the CEL `randInt` helper so non-positive or platform-overflowing arguments surface a typed CEL error instead of an evaluator panic.
-- Fix a race in the bbolt store where the asynchronous cleanup scheduled by an expired read could delete a value that had just been refreshed; the delete now only fires when the key still carries the same expired generation it observed.
-- Marginally increase the performances of requests processing
-- Marginally improve the performances of PoW validation
-- Marginally improve the performances of challenges generation/display
-- Significantly improve the performances of the gzip middleware
-- Significantly improve the performances of the PoW validation
+- Fix CEL internal errors when iterating `headers`/`query` map wrappers by implementing map iterators for `HTTPHeaders` and `URLValues` ([#1465](https://github.com/TecharoHQ/anubis/pull/1465))
+- Enable [metrics serving via TLS](./admin/policies.mdx#tls), including [mutual TLS (mTLS)](./admin/policies.mdx#mtls)
+- Enable [HTTP basic auth](./admin/policies.mdx#http-basic-authentication) for the metrics server
+- Fix a bug in the dataset poisoning maze that could allow denial of service [#1580](https://github.com/TecharoHQ/anubis/issues/1580)
+- Add config option to add ASN to logs/metrics
+- Log weight when issuing challenge
+- Keep Anubis server URL state local to each `lib.Server` instance to make embedded use safer
+- Fix `path_regex` and CEL `path` rules not matching when using Traefik `forwardAuth` middleware. Anubis now checks `X-Forwarded-Uri` (Traefik) in addition to `X-Original-URI` (nginx) when resolving the request path in subrequest mode ([#1628](https://github.com/TecharoHQ/anubis/issues/1628))
 
 ## v1.25.0: Necron
 

docs/docs/admin/policies.mdx

@@ -138,24 +138,6 @@ metrics:
   socketMode: "0700" # must be a string
 ```
 
-### Debug routes
-
-Anubis' metrics server supports [pprof](https://pkg.go.dev/runtime/pprof), the Go standard library tool for profiling Go applications. This is very useful for debugging how Anubis works in the wild with regards to CPU, multicore, and RAM usage. pprof is very powerful and can expose command line arguments as part of the debugging setup (inside Google, everything is done with command line flags).
-
-Prior versions of Anubis exposed pprof endpoints on all TCP bindhosts by default. This means that machines with incorrectly configured firewalls can expose command line arguments to the public internet in the right conditions.
-
-In order to enable pprof profiling endpoints on the Metrics server, set the `debug` flag under the `metrics` block:
-
-```yaml
-metrics:
-  bind: ":9090"
-  network: "tcp"
-
-  debug: true
-```
-
-To err on the side of caution, this defaults to disabled. If this defaults migration breaks your configuration, please let us know in a ticket.
-
 ### TLS
 
 If you want to serve the metrics server over TLS, use the `tls` block:

internal/gzip.go

@@ -2,28 +2,11 @@ package internal
 
 import (
 	"compress/gzip"
-	"io"
 	"net/http"
 	"strings"
-	"sync"
 )
 
 func GzipMiddleware(level int, next http.Handler) http.Handler {
-	// Validate the level once at setup; gzip.NewWriterLevel only fails for
-	// invalid levels and we'd rather panic now than mid-request.
-	if _, err := gzip.NewWriterLevel(io.Discard, level); err != nil {
-		panic(err)
-	}
-
-	// Per-middleware pool of *gzip.Writer. Each entry carries ~40 KiB of
-	// deflate buffers; reusing them avoids that allocation on every request.
-	pool := sync.Pool{
-		New: func() any {
-			gz, _ := gzip.NewWriterLevel(io.Discard, level)
-			return gz
-		},
-	}
-
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if !strings.Contains(r.Header.Get("Accept-Encoding"), "gzip") {
 			next.ServeHTTP(w, r)
@@ -31,13 +14,11 @@ func GzipMiddleware(level int, next http.Handler) http.Handler {
 		}
 
 		w.Header().Set("Content-Encoding", "gzip")
-		gz := pool.Get().(*gzip.Writer)
-		gz.Reset(w)
-		defer func() {
-			gz.Close()
-			gz.Reset(io.Discard)
-			pool.Put(gz)
-		}()
+		gz, err := gzip.NewWriterLevel(w, level)
+		if err != nil {
+			panic(err)
+		}
+		defer gz.Close()
 
 		grw := gzipResponseWriter{ResponseWriter: w, sink: gz}
 		next.ServeHTTP(grw, r)

internal/hash.go

@@ -11,8 +11,9 @@ import (
 // SHA256sum computes a cryptographic hash. Still used for proof-of-work challenges
 // where we need the security properties of a cryptographic hash function.
 func SHA256sum(text string) string {
-	sum := sha256.Sum256([]byte(text))
-	return hex.EncodeToString(sum[:])
+	hash := sha256.New()
+	hash.Write([]byte(text))
+	return hex.EncodeToString(hash.Sum(nil))
 }
 
 // FastHash is a high-performance non-cryptographic hash function suitable for

internal/honeypot/naive/naive.go

@@ -169,7 +169,7 @@ func (i *Impl) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	millisecondAmount := min(math.Pow(float64(networkCount), 2), 1000)
+	millisecondAmount := math.Pow(float64(networkCount), 2)
 	time.Sleep(time.Duration(millisecondAmount) * time.Millisecond)
 
 	spins := i.makeSpins()

lib/anubis.go

@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
-	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
@@ -34,6 +33,7 @@ import (
 	"github.com/TecharoHQ/anubis/lib/policy"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
 	"github.com/TecharoHQ/anubis/lib/store"
+	"github.com/TecharoHQ/anubis/web"
 	iptoasnv1 "github.com/TecharoHQ/thoth-proto/gen/techaro/thoth/iptoasn/v1"
 
 	// challenge implementations
@@ -98,6 +98,8 @@ type Server struct {
 	OGTags      *ogtags.OGTagCache
 	logger      *slog.Logger
 	opts        Options
+	basePrefix  string
+	publicURL   string
 	ed25519Priv ed25519.PrivateKey
 	hs512Secret []byte
 }
@@ -124,6 +126,42 @@ func (s *Server) getRequestLogger(r *http.Request) (*slog.Logger, *http.Request)
 	return lg, r
 }
 
+func (s *Server) configuredBasePrefix() string {
+	if s.basePrefix != "" {
+		return s.basePrefix
+	}
+	return strings.TrimRight(s.opts.BasePrefix, "/")
+}
+
+func (s *Server) configuredPublicURL() string {
+	if s.publicURL != "" {
+		return s.publicURL
+	}
+	return s.opts.PublicUrl
+}
+
+func (s *Server) prefixedPath(path string) string {
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+	return s.configuredBasePrefix() + path
+}
+
+func (s *Server) cookiePath() string {
+	basePrefix := s.configuredBasePrefix()
+	if basePrefix == "" {
+		return "/"
+	}
+	return basePrefix + "/"
+}
+
+func (s *Server) renderOptions() web.Options {
+	return web.Options{
+		BasePrefix: s.configuredBasePrefix(),
+		PublicURL:  s.configuredPublicURL(),
+	}
+}
+
 func (s *Server) getTokenKeyfunc() jwt.Keyfunc {
 	// return ED25519 key if HS512 is not set
 	if len(s.hs512Secret) == 0 {
@@ -163,7 +201,6 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	if err != nil {
 		return nil, err
 	}
-	idStr := id.String()
 
 	var randomData = make([]byte, 64)
 	if _, err := rand.Read(randomData); err != nil {
@@ -171,9 +208,9 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}
 
 	chall := challenge.Challenge{
-		ID:             idStr,
+		ID:             id.String(),
 		Method:         rule.Challenge.Algorithm,
-		RandomData:     hex.EncodeToString(randomData),
+		RandomData:     fmt.Sprintf("%x", randomData),
 		IssuedAt:       time.Now(),
 		Difficulty:     rule.Challenge.Difficulty,
 		PolicyRuleHash: rule.Hash(),
@@ -184,11 +221,11 @@ func (s *Server) issueChallenge(ctx context.Context, r *http.Request, lg *slog.L
 	}
 
 	j := store.JSON[challenge.Challenge]{Underlying: s.store}
-	if err := j.Set(ctx, "challenge:"+idStr, chall, 30*time.Minute); err != nil {
+	if err := j.Set(ctx, "challenge:"+id.String(), chall, 30*time.Minute); err != nil {
 		return nil, err
 	}
 
-	lg.Info("new challenge issued", "challenge", idStr, "weight", cr.Weight)
+	lg.Info("new challenge issued", "challenge", id.String(), "weight", cr.Weight)
 
 	return &chall, err
 }
@@ -242,17 +279,13 @@ func (s *Server) maybeReverseProxyOrPage(w http.ResponseWriter, r *http.Request)
 func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpStatusOnly bool) {
 	lg, r := s.getRequestLogger(r)
 
-	if val, _ := s.store.Get(r.Context(), "ogtags:allow:"+r.Host+r.URL.String()); val != nil {
+	if val, _ := s.store.Get(r.Context(), fmt.Sprintf("ogtags:allow:%s%s", r.Host, r.URL.String())); val != nil {
 		lg.Debug("serving opengraph tag asset")
 		s.ServeHTTPNext(w, r)
 		return
 	}
 
-	// Adjust cookie path if base prefix is not empty
-	cookiePath := "/"
-	if anubis.BasePrefix != "" {
-		cookiePath = strings.TrimSuffix(anubis.BasePrefix, "/") + "/"
-	}
+	cookiePath := s.cookiePath()
 
 	cr, rule, err := s.check(r, lg)
 	if err != nil {
@@ -346,11 +379,7 @@ func (s *Server) maybeReverseProxy(w http.ResponseWriter, r *http.Request, httpS
 }
 
 func (s *Server) checkRules(w http.ResponseWriter, r *http.Request, cr policy.CheckResult, lg *slog.Logger, rule *policy.Bot) bool {
-	// Adjust cookie path if base prefix is not empty
-	cookiePath := "/"
-	if anubis.BasePrefix != "" {
-		cookiePath = strings.TrimSuffix(anubis.BasePrefix, "/") + "/"
-	}
+	cookiePath := s.cookiePath()
 
 	localizer := localization.GetLocalizer(r)
 
@@ -513,11 +542,7 @@ func (s *Server) PassChallenge(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// Adjust cookie path if base prefix is not empty
-	cookiePath := "/"
-	if anubis.BasePrefix != "" {
-		cookiePath = strings.TrimSuffix(anubis.BasePrefix, "/") + "/"
-	}
+	cookiePath := s.cookiePath()
 
 	if _, err := r.Cookie(anubis.TestCookieName); errors.Is(err, http.ErrNoCookie) {
 		s.ClearCookie(w, CookieOpts{Path: cookiePath, Host: r.Host})

lib/anubis_test.go

@@ -2,6 +2,7 @@ package lib
 
 import (
 	"bytes"
+	"compress/gzip"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -501,8 +502,11 @@ func TestBasePrefix(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-			// Reset the global BasePrefix before each test
-			anubis.BasePrefix = ""
+			originalBasePrefix := anubis.BasePrefix
+			anubis.BasePrefix = "/not-this-server"
+			t.Cleanup(func() {
+				anubis.BasePrefix = originalBasePrefix
+			})
 
 			pol := loadPolicies(t, "", 4)
 
@@ -631,10 +635,96 @@ func TestBasePrefix(t *testing.T) {
 			if ckie.Path != expectedPath {
 				t.Errorf("cookie path is wrong, wanted %s, got: %s", expectedPath, ckie.Path)
 			}
+
+			if anubis.BasePrefix != "/not-this-server" {
+				t.Errorf("New should not overwrite anubis.BasePrefix, got %q", anubis.BasePrefix)
+			}
 		})
 	}
 }
 
+func TestBasePrefixUsesServerConfigNotPackageGlobal(t *testing.T) {
+	originalBasePrefix := anubis.BasePrefix
+	anubis.BasePrefix = "/global"
+	t.Cleanup(func() {
+		anubis.BasePrefix = originalBasePrefix
+	})
+
+	pol := loadPolicies(t, "", 4)
+	srv := spawnAnubis(t, Options{
+		Next:       http.NewServeMux(),
+		Policy:     pol,
+		BasePrefix: "/local/",
+	})
+
+	if anubis.BasePrefix != "/global" {
+		t.Fatalf("New should leave anubis.BasePrefix alone, got %q", anubis.BasePrefix)
+	}
+
+	req := httptest.NewRequest(http.MethodPost, "/local/.within.website/x/cmd/anubis/api/make-challenge?redir=/", nil)
+	req.Header.Set("X-Real-Ip", "127.0.0.1")
+	rr := httptest.NewRecorder()
+
+	srv.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("expected local server prefix route to work, got status %d body %q", rr.Code, rr.Body.String())
+	}
+}
+
+func TestRenderIndexUsesServerBasePrefixNotPackageGlobal(t *testing.T) {
+	originalBasePrefix := anubis.BasePrefix
+	anubis.BasePrefix = "/global"
+	t.Cleanup(func() {
+		anubis.BasePrefix = originalBasePrefix
+	})
+
+	pol := loadPolicies(t, "", 4)
+	srv := spawnAnubis(t, Options{
+		Next:       http.NewServeMux(),
+		Policy:     pol,
+		BasePrefix: "/local/",
+	})
+
+	req := httptest.NewRequest(http.MethodGet, "/local/protected", nil)
+	req.Header.Set("X-Real-Ip", "127.0.0.1")
+	req.Header.Set("User-Agent", "Mozilla/5.0")
+	req.Header.Set("Accept-Encoding", "gzip")
+	rr := httptest.NewRecorder()
+
+	srv.ServeHTTP(rr, req)
+
+	resp := rr.Result()
+	defer resp.Body.Close()
+
+	var body strings.Builder
+	reader := io.Reader(resp.Body)
+	if resp.Header.Get("Content-Encoding") == "gzip" {
+		gzipReader, err := gzip.NewReader(resp.Body)
+		if err != nil {
+			t.Fatalf("opening gzip response should not fail: %v", err)
+		}
+		defer gzipReader.Close()
+		reader = gzipReader
+	}
+	if _, err := io.Copy(&body, reader); err != nil {
+		t.Fatalf("reading challenge response should not fail: %v", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		t.Fatalf("expected challenge status %d, got %d body %q", http.StatusOK, resp.StatusCode, body.String())
+	}
+	if !strings.Contains(body.String(), "/local/.within.website/x/cmd/anubis/static/js/main.mjs") {
+		t.Fatalf("expected challenge assets to use server base prefix, body %q", body.String())
+	}
+	if strings.Contains(body.String(), "/global/.within.website") {
+		t.Fatalf("challenge body used package global base prefix: %q", body.String())
+	}
+	if anubis.BasePrefix != "/global" {
+		t.Fatalf("rendering should leave anubis.BasePrefix alone, got %q", anubis.BasePrefix)
+	}
+}
+
 func TestCustomStatusCodes(t *testing.T) {
 	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		t.Log(r.UserAgent())

lib/challenge/interface.go

@@ -44,11 +44,12 @@ func Methods() []string {
 }
 
 type IssueInput struct {
-	Impressum *config.Impressum
-	Rule      *policy.Bot
-	Challenge *Challenge
-	OGTags    map[string]string
-	Store     store.Interface
+	BasePrefix string
+	Impressum  *config.Impressum
+	Rule       *policy.Bot
+	Challenge  *Challenge
+	OGTags     map[string]string
+	Store      store.Interface
 }
 
 func (in *IssueInput) Valid() error {

lib/challenge/metarefresh/metarefresh.go

@@ -7,7 +7,6 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/a-h/templ"
@@ -28,7 +27,7 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 		return nil, err
 	}
 
-	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
+	u, err := r.URL.Parse(in.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
 	}
@@ -47,7 +46,7 @@ func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 
 	loc := localization.GetLocalizer(r)
 
-	result := page(u.String(), in.Rule.Challenge.Difficulty, showMeta, loc)
+	result := page(in.BasePrefix, u.String(), in.Rule.Challenge.Difficulty, showMeta, loc)
 
 	return result, nil
 }

lib/challenge/metarefresh/metarefresh.templ

@@ -7,10 +7,10 @@ import (
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
-templ page(redir string, difficulty int, showMeta bool, loc *localization.SimpleLocalizer) {
+templ page(basePrefix, redir string, difficulty int, showMeta bool, loc *localization.SimpleLocalizer) {
 	<div class="centered-div">
-		<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
-		<img style="display:none;" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
+		<img id="image" style="width:100%;max-width:256px;" src={ basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+		<img style="display:none;" style="width:100%;max-width:256px;" src={ basePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
 		<p id="status">{ loc.T("loading") }</p>
 		<p>{ loc.T("connection_security") }</p>
 		if showMeta {

lib/challenge/metarefresh/metarefresh_templ.go

@@ -15,7 +15,7 @@ import (
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
-func page(redir string, difficulty int, showMeta bool, loc *localization.SimpleLocalizer) templ.Component {
+func page(basePrefix, redir string, difficulty int, showMeta bool, loc *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -41,9 +41,9 @@ func page(redir string, difficulty int, showMeta bool, loc *localization.SimpleL
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var2 string
-		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `metarefresh.templ`, Line: 12, Col: 165}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `metarefresh.templ`, Line: 12, Col: 158}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
 		if templ_7745c5c3_Err != nil {
@@ -54,9 +54,9 @@ func page(redir string, difficulty int, showMeta bool, loc *localization.SimpleL
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var3 string
-		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(basePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `metarefresh.templ`, Line: 13, Col: 174}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `metarefresh.templ`, Line: 13, Col: 167}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
 		if templ_7745c5c3_Err != nil {

lib/challenge/preact/preact.go

@@ -10,7 +10,6 @@ import (
 	"net/http"
 	"time"
 
-	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/localization"
@@ -43,7 +42,7 @@ func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 		return nil, err
 	}
 
-	u, err := r.URL.Parse(anubis.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
+	u, err := r.URL.Parse(in.BasePrefix + "/.within.website/x/cmd/anubis/api/pass-challenge")
 	if err != nil {
 		return nil, fmt.Errorf("can't render page: %w", err)
 	}
@@ -55,7 +54,7 @@ func (i *impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in
 
 	loc := localization.GetLocalizer(r)
 
-	result := page(u.String(), in.Challenge.RandomData, in.Rule.Challenge.Difficulty, loc)
+	result := page(in.BasePrefix, u.String(), in.Challenge.RandomData, in.Rule.Challenge.Difficulty, loc)
 
 	return result, nil
 }

lib/challenge/preact/preact.templ

@@ -5,10 +5,10 @@ import (
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
-templ page(redir, challenge string, difficulty int, loc *localization.SimpleLocalizer) {
+templ page(basePrefix, redir, challenge string, difficulty int, loc *localization.SimpleLocalizer) {
 	<div class="centered-div">
 		<div id="app">
-			<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+			<img id="image" style="width:100%;max-width:256px;" src={ basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
 			<p id="status">{ loc.T("loading") }</p>
 			<p>{ loc.T("connection_security") }</p>
 		</div>
@@ -18,7 +18,7 @@ templ page(redir, challenge string, difficulty int, loc *localization.SimpleLoca
 			"difficulty":                  difficulty,
 			"connection_security_message": loc.T("connection_security"),
 			"loading_message":             loc.T("loading"),
-			"pensive_url":                 anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version,
+			"pensive_url":                 basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version,
 		})
 		@templ.ComponentFunc(renderAppJS)
 		<noscript>

lib/challenge/preact/preact_templ.go

@@ -13,7 +13,7 @@ import (
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
-func page(redir, challenge string, difficulty int, loc *localization.SimpleLocalizer) templ.Component {
+func page(basePrefix, redir, challenge string, difficulty int, loc *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -39,9 +39,9 @@ func page(redir, challenge string, difficulty int, loc *localization.SimpleLocal
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var2 string
-		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `preact.templ`, Line: 11, Col: 166}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `preact.templ`, Line: 11, Col: 159}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
 		if templ_7745c5c3_Err != nil {
@@ -83,7 +83,7 @@ func page(redir, challenge string, difficulty int, loc *localization.SimpleLocal
 			"difficulty":                  difficulty,
 			"connection_security_message": loc.T("connection_security"),
 			"loading_message":             loc.T("loading"),
-			"pensive_url":                 anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version,
+			"pensive_url":                 basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version,
 		}).Render(ctx, templ_7745c5c3_Buffer)
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err

lib/challenge/proofofwork/proofofwork.go

@@ -1,15 +1,14 @@
 package proofofwork
 
 import (
-	"crypto/sha256"
 	"crypto/subtle"
-	"encoding/hex"
 	"fmt"
 	"log/slog"
 	"net/http"
 	"strconv"
 	"strings"
 
+	"github.com/TecharoHQ/anubis/internal"
 	chall "github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/localization"
 	"github.com/a-h/templ"
@@ -30,7 +29,7 @@ func (i *Impl) Setup(mux *http.ServeMux) {}
 
 func (i *Impl) Issue(w http.ResponseWriter, r *http.Request, lg *slog.Logger, in *chall.IssueInput) (templ.Component, error) {
 	loc := localization.GetLocalizer(r)
-	return page(loc), nil
+	return page(in.BasePrefix, loc), nil
 }
 
 func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInput) error {
@@ -46,7 +45,7 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w nonce", chall.ErrMissingField))
 	}
 
-	_, err := strconv.Atoi(nonceStr)
+	nonce, err := strconv.Atoi(nonceStr)
 	if err != nil {
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: nonce: %w", chall.ErrInvalidFormat, err))
 
@@ -67,20 +66,11 @@ func (i *Impl) Validate(r *http.Request, lg *slog.Logger, in *chall.ValidateInpu
 		return chall.NewError("validate", "invalid response", fmt.Errorf("%w response", chall.ErrMissingField))
 	}
 
-	// Stream the challenge and nonce into a single sha256 hasher to avoid
-	// the intermediate "challenge + nonceStr" concatenation. Hex-encode
-	// the digest into a stack buffer so the comparison runs without
-	// allocating a heap string.
-	h := sha256.New()
-	h.Write([]byte(challenge))
-	h.Write([]byte(nonceStr))
-	var sumBuf [sha256.Size]byte
-	sum := h.Sum(sumBuf[:0])
-	var hexBuf [sha256.Size * 2]byte
-	hex.Encode(hexBuf[:], sum)
+	calcString := fmt.Sprintf("%s%d", challenge, nonce)
+	calculated := internal.SHA256sum(calcString)
 
-	if subtle.ConstantTimeCompare([]byte(response), hexBuf[:]) != 1 {
-		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: wanted response %s but got %s", chall.ErrFailed, string(hexBuf[:]), response))
+	if subtle.ConstantTimeCompare([]byte(response), []byte(calculated)) != 1 {
+		return chall.NewError("validate", "invalid response", fmt.Errorf("%w: wanted response %s but got %s", chall.ErrFailed, calculated, response))
 	}
 
 	// compare the leading zeroes

lib/challenge/proofofwork/proofofwork.templ

@@ -5,12 +5,12 @@ import (
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
-templ page(localizer *localization.SimpleLocalizer) {
+templ page(basePrefix string, localizer *localization.SimpleLocalizer) {
 	<div class="centered-div">
-		<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
-		<img style="display:none;" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
+		<img id="image" style="width:100%;max-width:256px;" src={ basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+		<img style="display:none;" style="width:100%;max-width:256px;" src={ basePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version }/>
 		<p id="status">{ localizer.T("loading") }</p>
-		<script async type="module" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
+		<script async type="module" src={ basePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version }></script>
 		<div id="progress" role="progressbar" aria-labelledby="status">
 			<div class="bar-inner"></div>
 		</div>

lib/challenge/proofofwork/proofofwork_templ.go

@@ -13,7 +13,7 @@ import (
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
-func page(localizer *localization.SimpleLocalizer) templ.Component {
+func page(basePrefix string, localizer *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -39,9 +39,9 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var2 string
-		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var2, templ_7745c5c3_Err = templ.JoinStringErrs(basePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 165}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 10, Col: 158}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var2))
 		if templ_7745c5c3_Err != nil {
@@ -52,9 +52,9 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var3 string
-		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var3, templ_7745c5c3_Err = templ.JoinStringErrs(basePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 11, Col: 174}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 11, Col: 167}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var3))
 		if templ_7745c5c3_Err != nil {
@@ -78,9 +78,9 @@ func page(localizer *localization.SimpleLocalizer) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var5 string
-		templ_7745c5c3_Var5, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var5, templ_7745c5c3_Err = templ.JoinStringErrs(basePrefix + "/.within.website/x/cmd/anubis/static/js/main.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 136}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `proofofwork.templ`, Line: 13, Col: 129}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var5))
 		if templ_7745c5c3_Err != nil {

lib/config.go

@@ -112,8 +112,7 @@ func New(opts Options) (*Server, error) {
 		opts.ED25519PrivateKey = priv
 	}
 
-	anubis.BasePrefix = strings.TrimRight(opts.BasePrefix, "/")
-	anubis.PublicUrl = opts.PublicUrl
+	opts.BasePrefix = strings.TrimRight(opts.BasePrefix, "/")
 
 	result := &Server{
 		next:        opts.Next,
@@ -121,6 +120,8 @@ func New(opts Options) (*Server, error) {
 		hs512Secret: opts.HS512Secret,
 		policy:      opts.Policy,
 		opts:        opts,
+		basePrefix:  opts.BasePrefix,
+		publicURL:   opts.PublicUrl,
 		OGTags: ogtags.NewOGTagCache(opts.Target, opts.Policy.OpenGraph, opts.Policy.Store, ogtags.TargetOptions{
 			Host:               opts.TargetHost,
 			SNI:                opts.TargetSNI,
@@ -131,28 +132,20 @@ func New(opts Options) (*Server, error) {
 	}
 
 	mux := http.NewServeMux()
-	xess.Mount(mux)
+	xessPrefix := result.prefixedPath(xess.BasePrefix)
+	mux.Handle(xessPrefix, internal.UnchangingCache(http.StripPrefix(xessPrefix, http.FileServerFS(xess.Static))))
 
-	// Helper to add global prefix
+	// Helper to add the server-local base prefix.
 	registerWithPrefix := func(pattern string, handler http.Handler, method string) {
 		if method != "" {
 			method = method + " " // methods must end with a space to register with them
 		}
 
-		// Ensure there's no double slash when concatenating BasePrefix and pattern
-		basePrefix := strings.TrimSuffix(anubis.BasePrefix, "/")
-		prefix := method + basePrefix
-
-		// If pattern doesn't start with a slash, add one
-		if !strings.HasPrefix(pattern, "/") {
-			pattern = "/" + pattern
-		}
-
-		mux.Handle(prefix+pattern, handler)
+		mux.Handle(method+result.prefixedPath(pattern), handler)
 	}
 
 	// Ensure there's no double slash when concatenating BasePrefix and StaticPath
-	stripPrefix := strings.TrimSuffix(anubis.BasePrefix, "/") + anubis.StaticPath
+	stripPrefix := result.prefixedPath(anubis.StaticPath)
 	registerWithPrefix(anubis.StaticPath, internal.UnchangingCache(internal.NoBrowsing(http.StripPrefix(stripPrefix, http.FileServerFS(web.Static)))), "")
 
 	if opts.ServeRobotsTXT {
@@ -166,9 +159,10 @@ func New(opts Options) (*Server, error) {
 
 	if opts.Policy.Impressum != nil {
 		registerWithPrefix(anubis.APIPrefix+"imprint", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			templ.Handler(
-				web.Base(opts.Policy.Impressum.Page.Title, opts.Policy.Impressum.Page, opts.Policy.Impressum, localization.GetLocalizer(r)),
-			).ServeHTTP(w, r)
+			handler := templ.Handler(
+				web.BaseWithOptions(result.renderOptions(), opts.Policy.Impressum.Page.Title, opts.Policy.Impressum.Page, opts.Policy.Impressum, localization.GetLocalizer(r)),
+			)
+			handler.ServeHTTP(w, r)
 		}), "GET")
 	}
 

lib/config/metrics.go

@@ -32,7 +32,6 @@ type Metrics struct {
 	Network    string            `json:"network" yaml:"network"`
 	SocketMode string            `json:"socketMode" yaml:"socketMode"`
 	TLS        *MetricsTLS       `json:"tls" yaml:"tls"`
-	Debug      bool              `json:"debug" yaml:"debug"`
 	BasicAuth  *MetricsBasicAuth `json:"basicAuth" yaml:"basicAuth"`
 }
 

lib/http.go

@@ -193,7 +193,7 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	localizer := localization.GetLocalizer(r)
 
 	if returnHTTPStatusOnly {
-		if s.opts.PublicUrl == "" {
+		if s.configuredPublicURL() == "" {
 			w.WriteHeader(http.StatusUnauthorized)
 			w.Write([]byte(localizer.T("authorization_required")))
 		} else {
@@ -263,11 +263,12 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 	}
 
 	in := &challenge.IssueInput{
-		Impressum: s.policy.Impressum,
-		Rule:      rule,
-		Challenge: chall,
-		OGTags:    ogTags,
-		Store:     s.store,
+		BasePrefix: s.configuredBasePrefix(),
+		Impressum:  s.policy.Impressum,
+		Rule:       rule,
+		Challenge:  chall,
+		OGTags:     ogTags,
+		Store:      s.store,
 	}
 
 	component, err := impl.Issue(w, r, lg, in)
@@ -277,7 +278,8 @@ func (s *Server) RenderIndex(w http.ResponseWriter, r *http.Request, cr policy.C
 		return
 	}
 
-	page := web.BaseWithChallengeAndOGTags(
+	page := web.BaseWithChallengeAndOGTagsWithOptions(
+		s.renderOptions(),
 		localizer.T("making_sure_not_bot"),
 		component,
 		s.policy.Impressum,
@@ -323,15 +325,17 @@ func (s *Server) constructRedirectURL(r *http.Request) (string, error) {
 
 	redir := proto + "://" + host + uri
 	escapedURL := url.QueryEscape(redir)
-	return fmt.Sprintf("%s/.within.website/?redir=%s", s.opts.PublicUrl, escapedURL), nil
+	return fmt.Sprintf("%s/.within.website/?redir=%s", s.configuredPublicURL(), escapedURL), nil
 }
 
 func (s *Server) RenderBench(w http.ResponseWriter, r *http.Request) {
 	localizer := localization.GetLocalizer(r)
+	opts := s.renderOptions()
 
-	templ.Handler(
-		web.Base(localizer.T("benchmarking_anubis"), web.Bench(localizer), s.policy.Impressum, localizer),
-	).ServeHTTP(w, r)
+	handler := templ.Handler(
+		web.BaseWithOptions(opts, localizer.T("benchmarking_anubis"), web.BenchWithOptions(opts, localizer), s.policy.Impressum, localizer),
+	)
+	handler.ServeHTTP(w, r)
 }
 
 func (s *Server) respondWithError(w http.ResponseWriter, r *http.Request, message, code string) {
@@ -340,10 +344,12 @@ func (s *Server) respondWithError(w http.ResponseWriter, r *http.Request, messag
 
 func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg, code string, status int) {
 	localizer := localization.GetLocalizer(r)
+	opts := s.renderOptions()
 
-	component := web.Base(
+	component := web.BaseWithOptions(
+		opts,
 		localizer.T("oh_noes"),
-		web.ErrorPage(msg, s.opts.WebmasterEmail, code, localizer),
+		web.ErrorPageWithOptions(opts, msg, s.opts.WebmasterEmail, code, localizer),
 		s.policy.Impressum,
 		localizer,
 	)
@@ -352,17 +358,25 @@ func (s *Server) respondWithStatus(w http.ResponseWriter, r *http.Request, msg,
 }
 
 func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	if strings.HasPrefix(r.URL.Path, anubis.BasePrefix+anubis.StaticPath) {
+	if strings.HasPrefix(r.URL.Path, s.prefixedPath(anubis.StaticPath)) {
 		s.mux.ServeHTTP(w, r)
 		return
-	} else if strings.HasPrefix(r.URL.Path, anubis.BasePrefix+xess.BasePrefix) {
+	} else if strings.HasPrefix(r.URL.Path, s.prefixedPath(xess.BasePrefix)) {
 		s.mux.ServeHTTP(w, r)
 		return
 	}
 
 	// Forward robots.txt requests to mux when ServeRobotsTXT is enabled
 	if s.opts.ServeRobotsTXT {
-		path := strings.TrimPrefix(r.URL.Path, anubis.BasePrefix)
+		path := r.URL.Path
+		basePrefix := s.configuredBasePrefix()
+		if basePrefix != "" {
+			if !strings.HasPrefix(path, basePrefix) {
+				s.maybeReverseProxyOrPage(w, r)
+				return
+			}
+			path = strings.TrimPrefix(path, basePrefix)
+		}
 		if path == "/robots.txt" || path == "/.well-known/robots.txt" {
 			s.mux.ServeHTTP(w, r)
 			return
@@ -373,11 +387,11 @@ func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) stripBasePrefixFromRequest(r *http.Request) *http.Request {
-	if !s.opts.StripBasePrefix || s.opts.BasePrefix == "" {
+	basePrefix := s.configuredBasePrefix()
+	if !s.opts.StripBasePrefix || basePrefix == "" {
 		return r
 	}
 
-	basePrefix := strings.TrimSuffix(s.opts.BasePrefix, "/")
 	path := r.URL.Path
 
 	if !strings.HasPrefix(path, basePrefix) {
@@ -403,15 +417,14 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 		localizer := localization.GetLocalizer(r)
 
 		redir := r.FormValue("redir")
-		urlParsed, err := url.Parse(redir)
+		urlParsed, err := url.ParseRequestURI(redir)
 		if err != nil {
-			s.respondWithStatus(w, r, localizer.T("redirect_not_parseable"), makeCode(err), http.StatusBadRequest)
-			return
-		}
-
-		if urlParsed.Opaque != "" || (urlParsed.Scheme == "" && strings.HasPrefix(redir, "//")) {
-			s.respondWithStatus(w, r, localizer.T("invalid_redirect"), "", http.StatusBadRequest)
-			return
+			// if ParseRequestURI fails, try as relative URL
+			urlParsed, err = r.URL.Parse(redir)
+			if err != nil {
+				s.respondWithStatus(w, r, localizer.T("redirect_not_parseable"), makeCode(err), http.StatusBadRequest)
+				return
+			}
 		}
 
 		// validate URL scheme to prevent javascript:, data:, file:, tel:, etc.
@@ -442,9 +455,11 @@ func (s *Server) ServeHTTPNext(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 
-		templ.Handler(
-			web.Base(localizer.T("you_are_not_a_bot"), web.StaticHappy(localizer), s.policy.Impressum, localizer),
-		).ServeHTTP(w, r)
+		opts := s.renderOptions()
+		handler := templ.Handler(
+			web.BaseWithOptions(opts, localizer.T("you_are_not_a_bot"), web.StaticHappyWithOptions(opts, localizer), s.policy.Impressum, localizer),
+		)
+		handler.ServeHTTP(w, r)
 	} else {
 		asn, asnDesc := asnFromContext(r.Context())
 		requestsProxied.WithLabelValues(r.Host, asn, asnDesc).Inc()

lib/http_test.go

@@ -223,17 +223,3 @@ func TestNoCacheOnError(t *testing.T) {
 		})
 	}
 }
-
-func TestRejectsHostlessRedirect(t *testing.T) {
-	pol := loadPolicies(t, "testdata/useragent.yaml", 0)
-	srv := spawnAnubis(t, Options{Policy: pol, RedirectDomains: []string{"allowed.example"}})
-	req := httptest.NewRequest(http.MethodGet, "https://anubis.example/.within.website/?redir=%2f%2fevil.example%2fphish", nil)
-	rr := httptest.NewRecorder()
-	srv.ServeHTTPNext(rr, req)
-	if rr.Code != http.StatusBadRequest {
-		t.Fatalf("expected hostless redirect to be rejected, got HTTP %d body %q", rr.Code, rr.Body.String())
-	}
-	if got := rr.Header().Get("Location"); got != "" {
-		t.Fatalf("expected no Location header on rejected redirect, got %q", got)
-	}
-}

lib/metrics/metrics.go

@@ -34,15 +34,11 @@ func (s *Server) Run(ctx context.Context, done func()) {
 
 func (s *Server) run(ctx context.Context, lg *slog.Logger) error {
 	mux := http.NewServeMux()
-
-	if s.Config.Debug {
-		mux.HandleFunc("GET /debug/pprof/", pprof.Index)
-		mux.HandleFunc("GET /debug/pprof/cmdline", pprof.Cmdline)
-		mux.HandleFunc("GET /debug/pprof/profile", pprof.Profile)
-		mux.HandleFunc("GET /debug/pprof/symbol", pprof.Symbol)
-		mux.HandleFunc("GET /debug/pprof/trace", pprof.Trace)
-	}
-
+	mux.HandleFunc("GET /debug/pprof/", pprof.Index)
+	mux.HandleFunc("GET /debug/pprof/cmdline", pprof.Cmdline)
+	mux.HandleFunc("GET /debug/pprof/profile", pprof.Profile)
+	mux.HandleFunc("GET /debug/pprof/symbol", pprof.Symbol)
+	mux.HandleFunc("GET /debug/pprof/trace", pprof.Trace)
 	mux.Handle("/metrics", promhttp.Handler())
 	mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
 		st, ok := internal.GetHealth("anubis")

lib/metrics/metrics_test.go

@@ -1,49 +0,0 @@
-package metrics
-
-import (
-	"context"
-	"io"
-	"log/slog"
-	"net"
-	"net/http"
-	"strings"
-	"testing"
-	"time"
-
-	"github.com/TecharoHQ/anubis/lib/config"
-)
-
-func TestMetricsPprofCmdlineExposedWithoutAuthentication(t *testing.T) {
-	ln, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatal(err)
-	}
-	addr := ln.Addr().String()
-	_ = ln.Close()
-
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	done := make(chan struct{})
-	srv := &Server{
-		Config: &config.Metrics{Network: "tcp", Bind: addr},
-		Log:    slog.Default(),
-	}
-	go srv.Run(ctx, func() { close(done) })
-
-	url := "http://" + addr + "/debug/pprof/cmdline"
-	var body []byte
-	resp, err := http.Get(url)
-	if err == nil {
-		body, err = io.ReadAll(resp.Body)
-		if err != nil {
-			t.Fatalf("can't read body: %v", err)
-		}
-		defer resp.Body.Close()
-	}
-	time.Sleep(50 * time.Millisecond)
-	if strings.Contains(string(body), "metrics.test") {
-		t.Fatalf("pprof is enabled by default, cmdline process arguments: %q", string(body))
-	}
-	cancel()
-	<-done
-}

lib/policy/bot.go

@@ -1,6 +1,8 @@
 package policy
 
 import (
+	"fmt"
+
 	"github.com/TecharoHQ/anubis/internal"
 	"github.com/TecharoHQ/anubis/lib/config"
 	"github.com/TecharoHQ/anubis/lib/policy/checker"
@@ -11,22 +13,9 @@ type Bot struct {
 	Challenge *config.ChallengeRules
 	Weight    *config.Weight
 	Name      string
-	// hash caches the result of Hash() when populated at parse time, see ParseConfig
-	hash   string
-	Action config.Rule
+	Action    config.Rule
 }
 
-// Hash returns a stable identifier for this Bot derived from its Name
-// and Rules. When the cached value is present (populated by
-// ParseConfig) it is returned directly; otherwise the hash is
-// recomputed on demand so callers do not have to know about the cache.
 func (b Bot) Hash() string {
-	if b.hash != "" {
-		return b.hash
-	}
-	var rulesHash string
-	if b.Rules != nil { // defensive, should never happen
-		rulesHash = b.Rules.Hash()
-	}
-	return internal.FastHash(b.Name + "::" + rulesHash)
+	return internal.FastHash(fmt.Sprintf("%s::%s", b.Name, b.Rules.Hash()))
 }

lib/policy/checker.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"net/http"
 	"net/netip"
-	"net/url"
 	"regexp"
 	"strings"
 
@@ -115,9 +114,6 @@ func (pc *PathChecker) Check(r *http.Request) (bool, error) {
 			originalUrl = r.Header.Get("X-Forwarded-Uri")
 		}
 		if originalUrl != "" {
-			if parsed, err := url.ParseRequestURI(originalUrl); err == nil {
-				originalUrl = parsed.Path
-			}
 			if pc.regexp.MatchString(originalUrl) {
 				return true, nil
 			}

lib/policy/expressions/environment.go

@@ -222,16 +222,7 @@ func New(opts ...cel.EnvOption) (*cel.Env, error) {
 						return types.ValOrErr(val, "value is not an integer, but is %T", val)
 					}
 
-					if n <= 0 {
-						return types.NewErr("randInt bound must be positive, got %d", int64(n))
-					}
-
-					bound := int(n)
-					if types.Int(bound) != n {
-						return types.NewErr("randInt bound %d overflows platform int", int64(n))
-					}
-
-					return types.Int(rand.IntN(bound))
+					return types.Int(rand.IntN(int(n)))
 				}),
 			),
 		),

lib/policy/expressions/environment_test.go

@@ -9,7 +9,6 @@ import (
 
 	"github.com/TecharoHQ/anubis/internal/dns"
 	"github.com/TecharoHQ/anubis/lib/store/memory"
-	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
 )
@@ -689,14 +688,6 @@ func TestNewEnvironment(t *testing.T) {
 			description:   "should return values in correct range",
 			shouldCompile: true,
 		},
-		{
-			name:          "randInt-large-bound",
-			expression:    `randInt(2147483647) >= 0`,
-			variables:     map[string]any{},
-			expectBool:    boolPtr(true),
-			description:   "should accept int32-max bounds without overflow",
-			shouldCompile: true,
-		},
 		{
 			name:          "strings-extension-size",
 			expression:    `"hello".size() == 5`,
@@ -759,65 +750,3 @@ func TestNewEnvironment(t *testing.T) {
 func boolPtr(b bool) *bool {
 	return &b
 }
-
-func TestRandIntInvalidBounds(t *testing.T) {
-	env, err := New(cel.Variable("contentLength", cel.IntType))
-	if err != nil {
-		t.Fatalf("failed to create environment: %v", err)
-	}
-
-	tests := []struct {
-		name        string
-		expression  string
-		variables   map[string]any
-		wantErrText string
-		description string
-	}{
-		{
-			name:        "zero-bound-literal",
-			expression:  `randInt(0)`,
-			variables:   map[string]any{},
-			wantErrText: "randInt bound must be positive",
-			description: "randInt(0) should return a CEL error, not panic",
-		},
-		{
-			name:        "negative-bound-literal",
-			expression:  `randInt(-5)`,
-			variables:   map[string]any{},
-			wantErrText: "randInt bound must be positive",
-			description: "randInt(-5) should return a CEL error, not panic",
-		},
-		{
-			name:        "zero-bound-from-variable",
-			expression:  `randInt(contentLength)`,
-			variables:   map[string]any{"contentLength": 0},
-			wantErrText: "randInt bound must be positive",
-			description: "attacker-controlled zero contentLength should error gracefully",
-		},
-		{
-			name:        "negative-bound-from-variable",
-			expression:  `randInt(contentLength)`,
-			variables:   map[string]any{"contentLength": -1},
-			wantErrText: "randInt bound must be positive",
-			description: "attacker-controlled negative contentLength should error gracefully",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			prog, err := Compile(env, tt.expression)
-			if err != nil {
-				t.Fatalf("failed to compile expression %q: %v", tt.expression, err)
-			}
-
-			result, _, err := prog.Eval(tt.variables)
-			if err == nil {
-				t.Fatalf("%s: expected an evaluation error, got result %v", tt.description, result)
-			}
-
-			if !strings.Contains(err.Error(), tt.wantErrText) {
-				t.Errorf("%s: expected error containing %q, got %q", tt.description, tt.wantErrText, err.Error())
-			}
-		})
-	}
-}

lib/policy/expressions/loadavg.go

@@ -46,7 +46,7 @@ var (
 )
 
 func init() {
-	globalLoadAvg = &loadAvg{data: &load.AvgStat{}}
+	globalLoadAvg = &loadAvg{}
 	go globalLoadAvg.updateThread(context.Background())
 }
 

lib/policy/policy.go

@@ -219,7 +219,6 @@ func ParseConfig(ctx context.Context, fin io.Reader, fname string, defaultDiffic
 		result.Impressum = c.Impressum
 
 		parsedBot.Rules = cl
-		parsedBot.hash = parsedBot.Hash()
 
 		result.Bots = append(result.Bots, parsedBot)
 	}

lib/policy/policy_test.go

@@ -1,8 +1,6 @@
 package policy
 
 import (
-	"net/http"
-	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"testing"
@@ -87,27 +85,3 @@ func TestBadConfigs(t *testing.T) {
 		})
 	}
 }
-
-func TestPathCheckerStripsForwardedURIQuery(t *testing.T) {
-	checker, err := NewPathChecker("^/admin$", true)
-	if err != nil {
-		t.Fatal(err)
-	}
-	req := httptest.NewRequest(http.MethodGet, "https://anubis.local/.within.website/x/cmd/anubis/api/check", nil)
-	req.Header.Set("X-Forwarded-Uri", "/admin?x=1")
-	matched, err := checker.Check(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !matched {
-		t.Fatalf("expected exact path checker to match forwarded URI when query string is appended")
-	}
-	req.Header.Set("X-Forwarded-Uri", "/admin")
-	matched, err = checker.Check(req)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if !matched {
-		t.Fatalf("expected exact path checker to match forwarded URI without query string")
-	}
-}

lib/store/bbolt/bbolt.go

@@ -50,33 +50,6 @@ func (s *Store) Delete(ctx context.Context, key string) error {
 	})
 }
 
-// deleteIfExpired removes key only if it still carries the exact expiry that an
-// expired Get observed and that expiry is still in the past.
-//
-// Get runs in a read-only transaction, so it can only schedule cleanup
-// asynchronously. Between observing the expiry and this delete running, another
-// request may Set a fresh value for the same key. Re-reading and matching the
-// observed expiry inside the write transaction makes the timestamp act as a
-// generation token: a refreshed value carries a different, future expiry and is
-// therefore left untouched (see AWOO-015).
-func (s *Store) deleteIfExpired(ctx context.Context, key string, observed time.Time) error {
-	return s.bdb.Update(func(tx *bbolt.Tx) error {
-		valueBkt := tx.Bucket([]byte(key))
-		if valueBkt == nil {
-			return nil
-		}
-
-		expiry, err := time.Parse(time.RFC3339Nano, string(valueBkt.Get([]byte("expiry"))))
-		if err != nil || !expiry.Equal(observed) || !time.Now().After(expiry) {
-			// Unparseable, refreshed to a different generation, or no longer
-			// expired: leave it for cleanup or a later Get to handle.
-			return nil
-		}
-
-		return tx.DeleteBucket([]byte(key))
-	})
-}
-
 // Get a value from the datastore.
 //
 // Because each value is stored in its own bucket with data and expiry keys,
@@ -104,7 +77,7 @@ func (s *Store) Get(ctx context.Context, key string) ([]byte, error) {
 		}
 
 		if time.Now().After(expiry) {
-			go s.deleteIfExpired(context.Background(), key, expiry)
+			go s.Delete(context.Background(), key)
 			return fmt.Errorf("%w: %q", store.ErrNotFound, key)
 		}
 

lib/store/bbolt/bbolt_test.go

@@ -4,10 +4,8 @@ import (
 	"encoding/json"
 	"path/filepath"
 	"testing"
-	"time"
 
 	"github.com/TecharoHQ/anubis/lib/store/storetest"
-	"go.etcd.io/bbolt"
 )
 
 func TestImpl(t *testing.T) {
@@ -22,154 +20,3 @@ func TestImpl(t *testing.T) {
 
 	storetest.Common(t, Factory{}, json.RawMessage(data))
 }
-
-// newTestStore returns a Store backed by a throwaway bbolt database that is
-// closed when the test finishes.
-func newTestStore(t *testing.T) *Store {
-	t.Helper()
-
-	db, err := bbolt.Open(filepath.Join(t.TempDir(), "db"), 0600, nil)
-	if err != nil {
-		t.Fatalf("can't open bbolt database: %v", err)
-	}
-	t.Cleanup(func() { db.Close() })
-
-	return &Store{bdb: db}
-}
-
-// mustSet writes a value with the given relative expiry, failing the test on error.
-func mustSet(t *testing.T, s *Store, key, value string, expiry time.Duration) {
-	t.Helper()
-
-	if err := s.Set(t.Context(), key, []byte(value), expiry); err != nil {
-		t.Fatalf("Set(%q): %v", key, err)
-	}
-}
-
-// readExpiry returns the expiry timestamp currently stored for key, as a Get
-// would parse it. It fails the test if the bucket or expiry is missing.
-func readExpiry(t *testing.T, s *Store, key string) time.Time {
-	t.Helper()
-
-	var out time.Time
-	if err := s.bdb.View(func(tx *bbolt.Tx) error {
-		b := tx.Bucket([]byte(key))
-		if b == nil {
-			t.Fatalf("bucket %q missing", key)
-		}
-
-		expiry, err := time.Parse(time.RFC3339Nano, string(b.Get([]byte("expiry"))))
-		if err != nil {
-			return err
-		}
-		out = expiry
-		return nil
-	}); err != nil {
-		t.Fatalf("reading expiry for %q: %v", key, err)
-	}
-
-	return out
-}
-
-// rawData reads the raw data value for key directly, bypassing the expiry check
-// in Get so tests can observe whether a bucket physically exists. It returns nil
-// when the bucket is absent.
-func rawData(t *testing.T, s *Store, key string) []byte {
-	t.Helper()
-
-	var out []byte
-	if err := s.bdb.View(func(tx *bbolt.Tx) error {
-		b := tx.Bucket([]byte(key))
-		if b == nil {
-			return nil
-		}
-		data := b.Get([]byte("data"))
-		out = make([]byte, len(data))
-		copy(out, data)
-		return nil
-	}); err != nil {
-		t.Fatalf("reading data for %q: %v", key, err)
-	}
-
-	return out
-}
-
-// TestDeleteIfExpired guards against AWOO-015: a stale async delete scheduled by
-// an expired Get must not erase a value that was refreshed (or otherwise differs
-// from) the generation it observed.
-func TestDeleteIfExpired(t *testing.T) {
-	const key = "challenge"
-
-	for _, tt := range []struct {
-		setup       func(t *testing.T, s *Store) time.Time
-		name        string
-		wantValue   string
-		wantPresent bool
-	}{
-		{
-			name: "deletes the observed expired generation",
-			setup: func(t *testing.T, s *Store) time.Time {
-				mustSet(t, s, key, "old", -time.Minute)
-				return readExpiry(t, s, key)
-			},
-			wantPresent: false,
-		},
-		{
-			name: "preserves a refreshed generation",
-			setup: func(t *testing.T, s *Store) time.Time {
-				mustSet(t, s, key, "old", -time.Minute)
-				observed := readExpiry(t, s, key)
-				mustSet(t, s, key, "fresh", time.Hour)
-				return observed
-			},
-			wantPresent: true,
-			wantValue:   "fresh",
-		},
-		{
-			name: "skips on generation mismatch",
-			setup: func(t *testing.T, s *Store) time.Time {
-				mustSet(t, s, key, "old", -time.Minute)
-				// An expiry we never wrote: even though the stored value is
-				// expired, it is a different generation and must be left alone.
-				return time.Now().Add(-2 * time.Hour)
-			},
-			wantPresent: true,
-			wantValue:   "old",
-		},
-		{
-			name: "skips a non-expired observation",
-			setup: func(t *testing.T, s *Store) time.Time {
-				mustSet(t, s, key, "live", time.Hour)
-				return readExpiry(t, s, key)
-			},
-			wantPresent: true,
-			wantValue:   "live",
-		},
-		{
-			name: "no-op when bucket is absent",
-			setup: func(t *testing.T, s *Store) time.Time {
-				return time.Now().Add(-time.Hour)
-			},
-			wantPresent: false,
-		},
-	} {
-		t.Run(tt.name, func(t *testing.T) {
-			s := newTestStore(t)
-			observed := tt.setup(t, s)
-
-			if err := s.deleteIfExpired(t.Context(), key, observed); err != nil {
-				t.Fatalf("deleteIfExpired(%q): %v", key, err)
-			}
-
-			got := rawData(t, s, key)
-			switch {
-			case tt.wantPresent && got == nil:
-				t.Fatalf("key %q: want present with value %q, got deleted", key, tt.wantValue)
-			case tt.wantPresent && string(got) != tt.wantValue:
-				t.Errorf("key %q: want value %q, got %q", key, tt.wantValue, string(got))
-			case !tt.wantPresent && got != nil:
-				t.Errorf("key %q: want deleted, got value %q", key, string(got))
-			}
-		})
-	}
-}

web/index.go

@@ -7,17 +7,43 @@ import (
 
 	"github.com/a-h/templ"
 
+	"github.com/TecharoHQ/anubis"
 	"github.com/TecharoHQ/anubis/lib/challenge"
 	"github.com/TecharoHQ/anubis/lib/config"
 	"github.com/TecharoHQ/anubis/lib/localization"
 )
 
+// Options carries per-server render state for Anubis pages. Embedders can
+// render multiple Server instances in one process without mutating package
+// globals.
+type Options struct {
+	BasePrefix string
+	PublicURL  string
+}
+
+// DefaultOptions preserves the legacy package-global behavior for callers that
+// render web components directly.
+func DefaultOptions() Options {
+	return Options{
+		BasePrefix: anubis.BasePrefix,
+		PublicURL:  anubis.PublicUrl,
+	}
+}
+
 func Base(title string, body templ.Component, impressum *config.Impressum, localizer *localization.SimpleLocalizer) templ.Component {
-	return base(title, body, impressum, nil, nil, localizer)
+	return BaseWithOptions(DefaultOptions(), title, body, impressum, localizer)
+}
+
+func BaseWithOptions(opts Options, title string, body templ.Component, impressum *config.Impressum, localizer *localization.SimpleLocalizer) templ.Component {
+	return base(opts, title, body, impressum, nil, nil, localizer)
 }
 
 func BaseWithChallengeAndOGTags(title string, body templ.Component, impressum *config.Impressum, challenge *challenge.Challenge, rules *config.ChallengeRules, ogTags map[string]string, localizer *localization.SimpleLocalizer) templ.Component {
-	return base(title, body, impressum, struct {
+	return BaseWithChallengeAndOGTagsWithOptions(DefaultOptions(), title, body, impressum, challenge, rules, ogTags, localizer)
+}
+
+func BaseWithChallengeAndOGTagsWithOptions(opts Options, title string, body templ.Component, impressum *config.Impressum, challenge *challenge.Challenge, rules *config.ChallengeRules, ogTags map[string]string, localizer *localization.SimpleLocalizer) templ.Component {
+	return base(opts, title, body, impressum, struct {
 		Rules     *config.ChallengeRules `json:"rules"`
 		Challenge any                    `json:"challenge"`
 	}{
@@ -27,11 +53,27 @@ func BaseWithChallengeAndOGTags(title string, body templ.Component, impressum *c
 }
 
 func ErrorPage(msg, mail, code string, localizer *localization.SimpleLocalizer) templ.Component {
-	return errorPage(msg, mail, code, localizer)
+	return ErrorPageWithOptions(DefaultOptions(), msg, mail, code, localizer)
+}
+
+func ErrorPageWithOptions(opts Options, msg, mail, code string, localizer *localization.SimpleLocalizer) templ.Component {
+	return errorPage(opts, msg, mail, code, localizer)
+}
+
+func StaticHappy(localizer *localization.SimpleLocalizer) templ.Component {
+	return StaticHappyWithOptions(DefaultOptions(), localizer)
+}
+
+func StaticHappyWithOptions(opts Options, localizer *localization.SimpleLocalizer) templ.Component {
+	return staticHappy(opts, localizer)
 }
 
 func Bench(localizer *localization.SimpleLocalizer) templ.Component {
-	return bench(localizer)
+	return BenchWithOptions(DefaultOptions(), localizer)
+}
+
+func BenchWithOptions(opts Options, localizer *localization.SimpleLocalizer) templ.Component {
+	return bench(opts, localizer)
 }
 
 func honeypotLink(href string) templ.Component {

web/index.templ

@@ -9,12 +9,12 @@ import (
 	"github.com/google/uuid"
 )
 
-templ base(title string, body templ.Component, impressum *config.Impressum, challenge any, ogTags map[string]string, localizer *localization.SimpleLocalizer) {
+templ base(opts Options, title string, body templ.Component, impressum *config.Impressum, challenge any, ogTags map[string]string, localizer *localization.SimpleLocalizer) {
 	<!DOCTYPE html>
 	<html lang={ localizer.GetLang() }>
 		<head>
 			<title>{ title }</title>
-			<link rel="stylesheet" href={ anubis.BasePrefix + xess.URL }/>
+			<link rel="stylesheet" href={ opts.BasePrefix + xess.URL }/>
 			<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
 			<meta name="robots" content="noindex,nofollow"/>
 			for key, value := range ogTags {
@@ -60,11 +60,11 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
     	</style>
 			@templ.JSONScript("anubis_version", anubis.Version)
 			@templ.JSONScript("anubis_challenge", challenge)
-			@templ.JSONScript("anubis_base_prefix", anubis.BasePrefix)
-			@templ.JSONScript("anubis_public_url", anubis.PublicUrl)
+			@templ.JSONScript("anubis_base_prefix", opts.BasePrefix)
+			@templ.JSONScript("anubis_public_url", opts.PublicURL)
 		</head>
 		<body id="top">
-			@honeypotLink(anubis.BasePrefix + fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString()))
+			@honeypotLink(opts.BasePrefix + fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString()))
 			<main>
 				<h1 id="title" class="centered-div">{ title }</h1>
 				@body
@@ -79,7 +79,7 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
 						if impressum != nil {
 							<p>
 								@templ.Raw(impressum.Footer)
-								-- <a href={ templ.SafeURL(anubis.BasePrefix + fmt.Sprintf("%simprint", anubis.APIPrefix)) }>Imprint</a>
+								-- <a href={ templ.SafeURL(opts.BasePrefix + fmt.Sprintf("%simprint", anubis.APIPrefix)) }>Imprint</a>
 							</p>
 						}
 						<p>{ localizer.T("version_info") } <code>{ anubis.Version }</code>.</p>
@@ -90,9 +90,9 @@ templ base(title string, body templ.Component, impressum *config.Impressum, chal
 	</html>
 }
 
-templ errorPage(message, mail, code string, localizer *localization.SimpleLocalizer) {
+templ errorPage(opts Options, message, mail, code string, localizer *localization.SimpleLocalizer) {
 	<div class="centered-div">
-		<img id="image" alt="Sad Anubis" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version }/>
+		<img id="image" alt="Sad Anubis" style="width:100%;max-width:256px;" src={ opts.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version }/>
 		<p>{ message }.</p>
 		if code != "" {
 			<code><pre>{ code }</pre></code>
@@ -110,19 +110,19 @@ templ errorPage(message, mail, code string, localizer *localization.SimpleLocali
 	</div>
 }
 
-templ StaticHappy(localizer *localization.SimpleLocalizer) {
+templ staticHappy(opts Options, localizer *localization.SimpleLocalizer) {
 	<div class="centered-div">
 		<img
 			style="display:none;"
 			style="width:100%;max-width:256px;"
-			src={ "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
+			src={ opts.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
     anubis.Version }
 		/>
 		<p>{ localizer.T("static_check_endpoint") }</p>
 	</div>
 }
 
-templ bench(localizer *localization.SimpleLocalizer) {
+templ bench(opts Options, localizer *localization.SimpleLocalizer) {
 	<div style="height:20rem;display:flex">
 		<table style="margin-top:1rem;display:grid;grid-template:auto 1fr/auto auto;gap:0 0.5rem">
 			<thead
@@ -145,9 +145,9 @@ templ bench(localizer *localization.SimpleLocalizer) {
 			></tbody>
 		</table>
 		<div class="centered-div">
-			<img id="image" style="width:100%;max-width:256px;" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
+			<img id="image" style="width:100%;max-width:256px;" src={ opts.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version }/>
 			<p id="status" style="max-width:256px">{ localizer.T("loading") }</p>
-			<script async type="module" src={ anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version }></script>
+			<script async type="module" src={ opts.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version }></script>
 			<div id="sparkline"></div>
 			<noscript>
 				<p>{ localizer.T("benchmark_requires_js") }</p>

web/index_templ.go

@@ -17,7 +17,7 @@ import (
 	"github.com/google/uuid"
 )
 
-func base(title string, body templ.Component, impressum *config.Impressum, challenge any, ogTags map[string]string, localizer *localization.SimpleLocalizer) templ.Component {
+func base(opts Options, title string, body templ.Component, impressum *config.Impressum, challenge any, ogTags map[string]string, localizer *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -69,9 +69,9 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var4 templ.SafeURL
-		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinURLErrs(anubis.BasePrefix + xess.URL)
+		templ_7745c5c3_Var4, templ_7745c5c3_Err = templ.JoinURLErrs(opts.BasePrefix + xess.URL)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 17, Col: 61}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 17, Col: 59}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var4))
 		if templ_7745c5c3_Err != nil {
@@ -125,11 +125,11 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templ.JSONScript("anubis_base_prefix", anubis.BasePrefix).Render(ctx, templ_7745c5c3_Buffer)
+		templ_7745c5c3_Err = templ.JSONScript("anubis_base_prefix", opts.BasePrefix).Render(ctx, templ_7745c5c3_Buffer)
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = templ.JSONScript("anubis_public_url", anubis.PublicUrl).Render(ctx, templ_7745c5c3_Buffer)
+		templ_7745c5c3_Err = templ.JSONScript("anubis_public_url", opts.PublicURL).Render(ctx, templ_7745c5c3_Buffer)
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -137,7 +137,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
-		templ_7745c5c3_Err = honeypotLink(anubis.BasePrefix+fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString())).Render(ctx, templ_7745c5c3_Buffer)
+		templ_7745c5c3_Err = honeypotLink(opts.BasePrefix+fmt.Sprintf("%shoneypot/%s/init", anubis.APIPrefix, uuid.NewString())).Render(ctx, templ_7745c5c3_Buffer)
 		if templ_7745c5c3_Err != nil {
 			return templ_7745c5c3_Err
 		}
@@ -245,9 +245,9 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 				return templ_7745c5c3_Err
 			}
 			var templ_7745c5c3_Var13 templ.SafeURL
-			templ_7745c5c3_Var13, templ_7745c5c3_Err = templ.JoinURLErrs(templ.SafeURL(anubis.BasePrefix + fmt.Sprintf("%simprint", anubis.APIPrefix)))
+			templ_7745c5c3_Var13, templ_7745c5c3_Err = templ.JoinURLErrs(templ.SafeURL(opts.BasePrefix + fmt.Sprintf("%simprint", anubis.APIPrefix)))
 			if templ_7745c5c3_Err != nil {
-				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 82, Col: 98}
+				return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 82, Col: 96}
 			}
 			_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var13))
 			if templ_7745c5c3_Err != nil {
@@ -292,7 +292,7 @@ func base(title string, body templ.Component, impressum *config.Impressum, chall
 	})
 }
 
-func errorPage(message, mail, code string, localizer *localization.SimpleLocalizer) templ.Component {
+func errorPage(opts Options, message, mail, code string, localizer *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -318,9 +318,9 @@ func errorPage(message, mail, code string, localizer *localization.SimpleLocaliz
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var17 string
-		templ_7745c5c3_Var17, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var17, templ_7745c5c3_Err = templ.JoinStringErrs(opts.BasePrefix + "/.within.website/x/cmd/anubis/static/img/reject.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 95, Col: 181}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 95, Col: 179}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var17))
 		if templ_7745c5c3_Err != nil {
@@ -446,7 +446,7 @@ func errorPage(message, mail, code string, localizer *localization.SimpleLocaliz
 	})
 }
 
-func StaticHappy(localizer *localization.SimpleLocalizer) templ.Component {
+func staticHappy(opts Options, localizer *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -472,7 +472,7 @@ func StaticHappy(localizer *localization.SimpleLocalizer) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var26 string
-		templ_7745c5c3_Var26, templ_7745c5c3_Err = templ.JoinStringErrs("/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
+		templ_7745c5c3_Var26, templ_7745c5c3_Err = templ.JoinStringErrs(opts.BasePrefix + "/.within.website/x/cmd/anubis/static/img/happy.webp?cacheBuster=" +
 			anubis.Version)
 		if templ_7745c5c3_Err != nil {
 			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 119, Col: 18}
@@ -502,7 +502,7 @@ func StaticHappy(localizer *localization.SimpleLocalizer) templ.Component {
 	})
 }
 
-func bench(localizer *localization.SimpleLocalizer) templ.Component {
+func bench(opts Options, localizer *localization.SimpleLocalizer) templ.Component {
 	return templruntime.GeneratedTemplate(func(templ_7745c5c3_Input templruntime.GeneratedComponentInput) (templ_7745c5c3_Err error) {
 		templ_7745c5c3_W, ctx := templ_7745c5c3_Input.Writer, templ_7745c5c3_Input.Context
 		if templ_7745c5c3_CtxErr := ctx.Err(); templ_7745c5c3_CtxErr != nil {
@@ -606,9 +606,9 @@ func bench(localizer *localization.SimpleLocalizer) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var35 string
-		templ_7745c5c3_Var35, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var35, templ_7745c5c3_Err = templ.JoinStringErrs(opts.BasePrefix + "/.within.website/x/cmd/anubis/static/img/pensive.webp?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 148, Col: 166}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 148, Col: 164}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var35))
 		if templ_7745c5c3_Err != nil {
@@ -632,9 +632,9 @@ func bench(localizer *localization.SimpleLocalizer) templ.Component {
 			return templ_7745c5c3_Err
 		}
 		var templ_7745c5c3_Var37 string
-		templ_7745c5c3_Var37, templ_7745c5c3_Err = templ.JoinStringErrs(anubis.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version)
+		templ_7745c5c3_Var37, templ_7745c5c3_Err = templ.JoinStringErrs(opts.BasePrefix + "/.within.website/x/cmd/anubis/static/js/bench.mjs?cacheBuster=" + anubis.Version)
 		if templ_7745c5c3_Err != nil {
-			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 150, Col: 138}
+			return templ.Error{Err: templ_7745c5c3_Err, FileName: `index.templ`, Line: 150, Col: 136}
 		}
 		_, templ_7745c5c3_Err = templ_7745c5c3_Buffer.WriteString(templ.EscapeString(templ_7745c5c3_Var37))
 		if templ_7745c5c3_Err != nil {

web/index_test.go

@@ -59,7 +59,7 @@ func TestBasePrefixInLinks(t *testing.T) {
 
 			// Render the base template to a buffer
 			var buf strings.Builder
-			component := base(tt.name, templ.NopComponent, impressum, nil, nil, localizer)
+			component := base(Options{BasePrefix: tt.basePrefix}, tt.name, templ.NopComponent, impressum, nil, nil, localizer)
 			err := component.Render(context.Background(), &buf)
 			if err != nil {
 				t.Fatalf("failed to render template: %v", err)

yeetfile.js

@@ -17,8 +17,8 @@ $`npm run assets`;
       },
 
       build: ({ bin, etc, systemd, doc }) => {
-        $`go build -o ${bin}/anubis -ldflags '-s -w -extldflags "-static" ./cmd/anubis`;
-        $`go build -o ${bin}/anubis-robots2policy -ldflags '-s -w -extldflags "-static"' ./cmd/robots2policy`;
+        $`go build -o ${bin}/anubis -ldflags '-s -w -extldflags "-static" -X "github.com/TecharoHQ/anubis.Version=${git.tag()}"' ./cmd/anubis`;
+        $`go build -o ${bin}/anubis-robots2policy -ldflags '-s -w -extldflags "-static" -X "github.com/TecharoHQ/anubis.Version=${git.tag()}"' ./cmd/robots2policy`;
 
         file.install("./run/anubis@.service", `${systemd}/anubis@.service`);
         file.install("./run/default.env", `${etc}/default.env`);