{"results":[{"id":"catbeez-arcade-app-binds-localhost-only","text":"The catbeez-arcade application binds to 127.0.0.1:8000 (localhost only) and is not directly accessible from the internet.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-arcade-caddy-reverse-proxy-to-8000","text":"Catbeez-arcade deployments use Caddy as a reverse proxy, terminating TLS on :443 and forwarding to the application on localhost:8000.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-arcade-dns-only-not-proxied","text":"Catbeez-arcade Cloudflare DNS records are set to DNS-only (not proxied), so TLS is handled by Caddy/Let's Encrypt rather than Cloudflare.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-arcade-manual-secret-injection","text":"Catbeez-arcade secrets (OAuth credentials, secret key, allowed emails) are entered interactively at startup rather than stored in automation or config files.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-arcade-port-80-required-for-acme","text":"Firewall port 80 must be opened for Let's Encrypt ACME challenges even though traffic is served on port 443.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-arcade-private-linode-image-37121878","text":"Catbeez-arcade uses a private Linode image `private/37121878` (Fedora 43 with Caddy pre-installed) to skip base configuration during provisioning.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-complete-deployment-pattern","text":"Catbeez demonstrates an FTL2 deployment pattern that combines three production concerns: layered security (localhost binding, Caddy TLS, firewalld drop zone, SSH source-IP restriction, SELinux), DNS-to-TLS automation (Cloudflare DNS-only records enabling Caddy ACME challenges), and hot-reload publishing (HTML5/WASM asset upload with dynamic discovery, no restart required) — illustrating how these concerns compose in a web application hosting scenario.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-dev-cloudflare-dns-automated","text":"The catbeez dev deployment automates DNS via `community.general.cloudflare_dns` module, unlike the prod deployment which uses manual Namecheap DNS.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-firewalld-drop-zone","text":"Catbeez deployments use firewalld's `drop` zone, which silently discards all uninvited traffic, with explicit allowances for HTTP, HTTPS, and restricted SSH.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-game-files-are-html-js-wasm","text":"Catbeez game assets consist of three file types: `.html`, `.js`, and `.wasm` — these are browser-based HTML5/WASM games.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-hot-reload-publishing","text":"Catbeez game publishing is a hot-reload pipeline: HTML5/WASM game assets are uploaded to the games directory, and the server discovers new files dynamically without restart, with the same publish script supporting both dev and prod environments via flag selection.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-layered-security","text":"Catbeez deployments implement layered security: application binds localhost-only, Caddy terminates TLS and reverse-proxies, firewalld drop zone silently discards uninvited traffic, SSH is restricted to a source IP range, and SELinux enforces network connect policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-prod-become-user-for-service-account","text":"The catbeez production deployment uses `become_user='catbeez'` to run application installation as the service user rather than as root.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-prod-game-files-uploaded-individually","text":"Game files are uploaded individually (3 files per game × 9 games = 27 copy calls) rather than as an archive.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-prod-manual-dns-at-namecheap","text":"The catbeez production deployment requires manual DNS A record creation at Namecheap — DNS is not automated in the prod deploy script.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-prod-ssh-restricted-to-source-ip","text":"The catbeez production deployment restricts SSH access to `136.56.0.0/16` via firewalld; HTTP/HTTPS are open to all.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-publish-games-dev-prod-environments","text":"`publish-games.py` supports dev and prod environments: dev uses `state.json` and hostname `arcade`; prod (via `--prod` flag) uses `state-prod.json` and hostname `catbeez-prod`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-publish-games-no-restart-needed","text":"The catbeez-arcade server discovers new game files dynamically — publishing games is purely a file upload to `/home/catbeez/games/` with no application restart required.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-publish-games-requires-existing-state-file","text":"The publish-games script reads an existing state file to extract host connection info — the state file must already exist from a prior provisioning run.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"catbeez-selinux-httpd-can-network-connect","text":"Catbeez deployments set the `httpd_can_network_connect` SELinux boolean so Caddy can reverse-proxy to localhost:8000 under SELinux enforcing mode.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":23,"limit":20,"offset":0}