# Infrastructure & Trust

A project site about proof-bound local AI has to be proof-bound itself. The infrastructure layer is not cosmetic: if the domain does not resolve, redirects are broken, certificates fail, or machine-readable files are missing, the site cannot carry technical authority.

## Launch-gate infrastructure matrix

| Layer | Required state | Why it matters |
| --- | --- | --- |
| A / AAAA | Root and `www` resolve to active IPv4 and, where available, IPv6 routes. | Basic reachability and crawler access. |
| HTTPS | Valid TLS certificate, forced HTTPS, no mixed-content assets. | Trust, browser security, and agent fetch reliability. |
| HSTS | Enable after HTTPS is stable; use a cautious ramp before preload. | Prevents protocol downgrade once configured correctly. |
| CAA | Restrict certificate issuance to the intended certificate authority. | Limits unauthorized certificate issuance. |
| DNSSEC | Publish DS/DNSKEY where registrar and DNS host support it. | Improves DNS integrity for a technical brand. |
| SPF / DKIM / DMARC | Publish strict mail authentication for any sending domain. | Reduces spoofing risk for the maintainer and project. |
| robots.txt | Allow public crawl, publish sitemap, do not block project docs. | Prevents accidental invisibility. |
| llms.txt | Root file exists and links to core project pages and docs. | Gives agents a curated map instead of forcing blind scraping. |
| /docs and /.uai | Static public routes are reachable from the root package. | Preserves durable memory and source report access. |
| Markdown negotiation | `Accept: text/markdown` can return Markdown for project pages. | Reduces token waste while preserving the same semantic content. |
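
The Markdown negotiation row above is the one gate that depends on request parsing rather than on DNS or TLS state. The following is an added example, not code from the project, showing how a plain PHP front controller can decide whether a request should receive the Markdown alternate: the `Accept` header is parsed with its q-values so that `text/markdown;q=0` or a bare `*/*` from a browser never switches the format, and HTML stays the default. The function names and the sample `Accept` strings are constructed for this illustration.

```php
<?php
// Added example, not the project's own code. Decides whether a request that
// sends "Accept: text/markdown" should receive the Markdown alternate of a page.

/**
 * Parse an Accept header into [media-type => quality] pairs.
 * Parameters other than q (for example charset) are ignored for matching.
 */
function parse_accept(string $accept): array
{
    $result = [];
    foreach (explode(',', $accept) as $entry) {
        $parts = array_map('trim', explode(';', $entry));
        $type = strtolower(array_shift($parts));
        if ($type === '') {
            continue;
        }
        $q = 1.0; // RFC 9110 default quality when no q parameter is present
        foreach ($parts as $param) {
            if (stripos($param, 'q=') === 0) {
                $q = (float) substr($param, 2);
            }
        }
        $result[$type] = $q;
    }
    return $result;
}

/**
 * True when the client rates text/markdown at least as high as text/html.
 * A wildcard alone does not switch formats: HTML stays the default for browsers.
 */
function wants_markdown(string $accept): bool
{
    $prefs = parse_accept($accept);
    $md = $prefs['text/markdown'] ?? 0.0;
    $html = $prefs['text/html'] ?? ($prefs['text/*'] ?? ($prefs['*/*'] ?? 0.0));
    return $md > 0.0 && $md >= $html;
}

// Constructed requests (not captured traffic):
assert(wants_markdown('text/markdown') === true);
assert(wants_markdown('text/markdown;q=0.9, text/html;q=0.8') === true);
assert(wants_markdown('text/html, text/markdown;q=0.5') === false);
assert(wants_markdown('text/markdown;q=0') === false);
assert(wants_markdown('text/html,application/xhtml+xml,*/*;q=0.8') === false);

// When the alternate is served, tell caches that the body depends on Accept,
// otherwise a shared cache can hand Markdown to the next browser visitor:
//   header('Vary: Accept');
//   header('Content-Type: text/markdown; charset=utf-8');
```

The `Vary: Accept` header matters as much as the negotiation itself: without it, any intermediate cache in front of the host can store the Markdown body under the page URL and serve it to browsers, which is the kind of broken-looking response that undermines the trust this page is about.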

## Headers emitted by the site

The site now sends conservative front-end headers when plain PHP serves public pages:

- `X-Content-Type-Options: nosniff`
- `Referrer-Policy: strict-origin-when-cross-origin`
- `Permissions-Policy` restricting camera, microphone, geolocation, payment, USB, and serial access by default
- `Strict-Transport-Security` only when the request is already HTTPS

These headers do not replace server configuration. They provide a baseline from the application; the deployment host should still own TLS, redirects, HTTP/2 or HTTP/3, compression, caching, and WAF behavior.
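As an added illustration of the header policy described above (this is example code, not the project's own front controller), the function below builds the baseline set and adds `Strict-Transport-Security` only when PHP itself sees the request as HTTPS. The function and variable names are constructed for this example; the HSTS `max-age` is a deliberately short starting value for the cautious ramp the matrix calls for.

```php
<?php
// Added example, not the project's own code. Builds the baseline header set
// the page describes and adds HSTS only when the request is already HTTPS.

/**
 * Return the baseline security headers for a public page.
 * $server is normally $_SERVER; passing it in keeps the function testable.
 */
function baseline_security_headers(array $server): array
{
    $headers = [
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy' => 'strict-origin-when-cross-origin',
        // An empty allowlist "()" denies the feature to every origin by default.
        'Permissions-Policy' => 'camera=(), microphone=(), geolocation=(), payment=(), usb=(), serial=()',
    ];

    // PHP sets HTTPS to a non-empty value other than "off" for TLS requests.
    // Behind a TLS-terminating proxy HTTPS is empty here; in that deployment
    // the proxy (not this code) should add HSTS, or the application must
    // trust X-Forwarded-Proto only from that proxy. Not implemented here.
    $isHttps = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';

    if ($isHttps) {
        // Short max-age first (the "cautious ramp"); raise it and add
        // includeSubDomains / preload only once every host serves HTTPS.
        $headers['Strict-Transport-Security'] = 'max-age=86400';
    }

    return $headers;
}

/** Emit the headers; must run before any byte of the body is sent. */
function send_security_headers(array $server): void
{
    foreach (baseline_security_headers($server) as $name => $value) {
        header("$name: $value");
    }
}

// Constructed example requests (not real traffic):
$plainRequest = ['HTTPS' => ''];
$tlsRequest   = ['HTTPS' => 'on'];
assert(!isset(baseline_security_headers($plainRequest)['Strict-Transport-Security']));
assert(isset(baseline_security_headers($tlsRequest)['Strict-Transport-Security']));
assert(baseline_security_headers($plainRequest)['X-Content-Type-Options'] === 'nosniff');
```

Sending HSTS on a plain HTTP response is ignored by browsers, so the guard is about correctness rather than safety; the real risk is the opposite one, where a long `max-age` with `includeSubDomains` is published before every subdomain has a working certificate, which is why the value starts small.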

## Host-neutral verification commands

```bash
dig Runtime.MiRust.com A +short
dig Runtime.MiRust.com AAAA +short
dig Runtime.MiRust.com CAA +short
dig Runtime.MiRust.com TXT +short
curl -I https://Runtime.MiRust.com/
curl -I https://Runtime.MiRust.com/llms.txt
curl -H "Accept: text/markdown" https://Runtime.MiRust.com/architecture/
curl https://Runtime.MiRust.com/.uai/index.uai
curl https://Runtime.MiRust.com/docs/index.md
curl https://Runtime.MiRust.com/.well-known/security.txt
```

## What the plain PHP package controls

- Theme-rendered pages and semantic HTML.
- Dynamic `llms.txt`, `llms-full.txt`, sitemap XML, Markdown alternates, and robots output.
- Root package static `/docs`, `/.uai`, and `/.well-known/security.txt` files.
- Public contact path for maintainer follow-up.
- No external front-end dependencies or CDN assets.

## What deployment controls

- Registrar status and domain lock.
- Authoritative DNS provider and DNSSEC.
- TLS certificate lifecycle.
- HTTP to HTTPS redirect.
- Server compression and object/page cache.
- WAF and bot policy.
- Email authentication records.
