Purpose: Step‑by‑step instructions for Codex to generate a production‑grade personal brand website for John Schoonover and deploy it to a Synology RackStation at
theschoonover.net.
- Fast, accessible, private by default. Lighthouse 90+/95+ a11y. No third‑party trackers.
- Git‑driven content. MDX + static export where feasible.
- Small, composable PRs. Parallelize by surface area.
- Automate checks. CI runs typecheck, build, lint, a11y, Lighthouse CI.
- Framework: Astro (content‑first, MDX) with React islands. (Alt: Next.js static export.)
- Styles: Tailwind CSS + shadcn/ui, lucide icons.
- Content: MD/MDX in
/content. Images in/public. OG image generator. - Runtime: Node.js 20.11.x LTS (align with
nodeDocker base image for Synology compatibility). - Package Manager: pnpm 10.19.0. Keep the workspace
packageManagerfield authoritative and ensure every automation entry point (GitHub Actions, Docker images, local setup docs, etc.) installs the same pnpm release—either by pinning the version inpnpm/action-setup/corepackor delegating to Corepack—before runningpnpm install --frozen-lockfile. When bumping pnpm, search the entire repository (e.g.,rg "pnpm" .github docs infra) for hard-coded versions so workflows, scripts, and documentation stay in sync with the workspace pin. - Analytics (optional): Self‑hosted Plausible via Docker.
- Forms: API route with nodemailer to SMTP relay (Synology MailPlus or env‑provided SMTP). hCaptcha.
/ (repo root)
├─ apps/site/ # Astro app
│ ├─ src/
│ │ ├─ components/
│ │ ├─ layouts/
│ │ ├─ pages/
│ │ ├─ lib/
│ │ └─ styles/
│ ├─ public/
│ └─ astro.config.mjs
├─ content/ # MDX content (posts, case studies, talks)
│ ├─ case-studies/
│ ├─ posts/
│ ├─ talks/
│ └─ data/ # JSON/TS seed data (timeline, stats)
├─ downloads/ # CV PDF, one‑pager, PGP key, speaker kit
├─ infra/
│ ├─ docker-compose.yml
│ ├─ nginx/
│ │ └─ site.conf
│ └─ plausible/ (optional)
├─ .github/workflows/
│ └─ deploy.yml
├─ docs/
│ ├─ PRD.md
│ └─ OPS.md
├─ package.json
├─ pnpm-lock.yaml
└─ README.md
-
Agent A — App Scaffold & Design System
- Initialize Astro + Tailwind + shadcn/ui.
- Global theming (light/dark), typography scale, color tokens.
- Shared components:
Hero,StatBadge,Card,Timeline,Tag,Button,Callout,Figure,CodeBlock,ReadingProgress,CommandK.
-
Agent B — Content Model & MDX Pipelines
- MDX config, remark/rehype plugins (slug, autolink, footnotes).
- Content collections (Zod schemas) for posts/case studies/talks.
- JSON‑LD helpers (
Person,Article,BreadcrumbList).
-
Agent C — Pages & Routing
- Pages: Home, About, Experience/CV, Case Studies index+detail, Writing index+post, Talks & Media, Patents & IP, Contact, Legal.
- OG image generation (Satori/resvg or astro‑og‑image).
-
Agent D — Forms & Email
- Contact API (
/api/contact), hCaptcha verify, spam throttling, nodemailer SMTP relay. - Server‑side logging and error handling.
- Contact API (
-
Agent E — Infra (Docker, DSM, Reverse Proxy)
- Dockerfile +
docker-compose.yml. - Nginx conf with HSTS, CSP, security headers. Readme for DSM reverse proxy.
- Dockerfile +
-
Agent F — CI/CD & QA
- GitHub Actions: install/build/test/lint/a11y/LHCI.
- Artifact upload; deploy via SSH/rsync or container push + Watchtower.
- Agents A, B, E, F start in parallel (scaffold, content model, infra, CI).
- Agent C builds pages using A/B primitives.
- Agent D integrates once C has Contact page.
- Create GitHub labels:
feat,fix,infra,content,a11y,perf,docs. - Conventional commits; one scope per PR; size S/M.
- Branch protection: required checks (typecheck, build, test, a11y, LHCI).
SITE_URL(e.g., https://theschoonover.net)SMTP_HOST,SMTP_PORT,SMTP_USER,SMTP_PASS,SMTP_FROMHCAPTCHA_SECRET,HCAPTCHA_SITEKEYPLAUSIBLE_DOMAIN(optional)
Add .env.example; never commit real secrets.
pnpm typecheckandpnpm buildsucceed.pnpm test(unit) andpnpm a11y(axe) pass.- Lighthouse CI ≥ 90 Perf/SEO/Best; ≥ 95 Accessibility (mobile).
-
pnpm dlx create-astro@latest apps/site(or template). - Add Tailwind; configure dark mode with
class. - Add shadcn/ui; set primary/neutral scales.
- Global layout, header, footer, nav, theme toggle, skip links.
- Setup
@astrojs/mdx, content collections with Zod. - Create schemas:
post,caseStudy,talk. - Remark/rehype plugins and code highlighting.
- Home: hero, stats, featured case studies, recent posts/talks, CTAs.
- About: bio (short/long), headshots, values.
- Experience/CV: printable layout + link to PDF; skills matrix.
- Case Studies: index + detail page (sticky ToC, reading progress).
- Writing: index + post; tags & pagination.
- Talks & Media: abstracts, links, speaker kit.
- Patents & IP: list + summaries.
- Contact: form + PGP key; hCaptcha widget.
- Legal: privacy, imprint.
-
/api/contactwith validation, rate‑limit, hCaptcha verify. - Nodemailer SMTP relay; env‑driven config.
- Dockerfile (multi‑stage) for Astro static + nginx (or node for SSR routes).
-
infra/docker-compose.ymlforweb,plausible(optional),mail-relay(optional). -
infra/nginx/site.confwith CSP/HSTS/security headers. -
docs/OPS.mdwith DSM reverse proxy steps, Let’s Encrypt, AAAA record.
-
.github/workflows/deploy.ymlbuild + deploy. - LHCI config; axe tests; Playwright smoke.
- Place seed MDX (below) and images in
public/. - Add
downloads/with placeholder CV.pdf and PGP public key.
Save the following files exactly as specified.
Path: content/case-studies/dual-siem-migration.mdx
---
title: "Dual‑SIEM Migration at Scale"
date: 2025-10-01
tags: [siem, data-platforms, migrations]
summary: "Designed and led a dual‑SIEM posture covering N sources / M BPS with zero downtime and measurable latency improvements."
metrics:
- "70% reduction in controllable event delay"
- "100% uptime during cutover window"
- "N→M ingestion sources with schema normalization"
---
import Figure from "../../apps/site/src/components/Figure.astro";
## TL;DR
Executed a risk‑aware, phased migration to a dual‑SIEM architecture with strict SLOs, delivering lower latency and higher operational resilience.
## Problem
Single‑vendor risk and scaling constraints threatened SLOs during peak ingest. Regulatory audit windows required continuity.
## Approach
- Capability map and parity matrix
- Source‑by‑source migration runbooks
- Schema normalization + field validation
- Shadow read + mirrored alerts before cutover
## Architecture
<Figure caption="High‑level dual‑SIEM topology with normalization + routing." src="/images/diagrams/dual-siem-topology.png" />
## Implementation
- Rules migration via translator + unit tests
- Deterministic routing with fingerprinting
- Real‑time dashboards and error budgets
## Results
- 70% reduction in controllable event delay
- Zero downtime during cutover
- Faster MTTD/MTTR across critical detections
## Lessons Learned
Prefer canonical events + adapters; treat rules as code with tests.Path: content/case-studies/enrichments-at-scale.mdx
---
title: "Enrichments‑at‑Scale for Reliable Detections"
date: 2025-09-15
tags: [data-engineering, siem, reliability]
summary: "Built a resilient enrichment pipeline with backpressure control and SLAs for upstream teams."
metrics:
- "p99 enrichment latency under 500ms"
- "Automatic degradation with hot‑path guarantees"
---
## TL;DR
Established contract‑driven enrichments with strict SLAs and graceful degradation to protect critical alert paths.
## Problem
Unbounded enrichments caused tail latencies and alert starvation during surges.
## Approach
- Bounded queues + circuit breakers
- Hot path vs. cold path segregation
- Cached lookups with TTL
## Architecture[Ingest] → [Normalizer] → [Router] → [Enrichment Hot Path] → [Detections] ↘ [Cold Path / Batch]
## Results
- p99 < 500ms under surge
- Clear SLAs and dashboards for upstream services
## Lessons Learned
SLAs + backpressure > ad‑hoc enrichments; design for partial failure.
Path: content/case-studies/real-time-visibility.mdx
---
title: "Real‑Time Operational Visibility"
date: 2025-08-10
tags: [observability, platform, leadership]
summary: "Delivered live SLO dashboards, budget burn alerts, and on‑call ergonomics for SIEM pipelines."
metrics:
- "Budget burn alerts minute‑granular"
- "On‑call triage time reduced by 40%"
---
## TL;DR
Turned opaque pipelines into transparent systems with SLOs, error budgets, and humane on‑call.
## Approach
- Golden signals (ingest, queue, process, emit)
- Error budget burn alerts and runbooks
- Unified dashboards + chat‑opsCompanion assets: Architecture diagram (
real-time-visibility-architecture.png) stored atapps/site/public/images/case-studies/and budget burn chart (real-time-visibility-burn.png) atapps/site/public/images/charts/. Reference via/images/...paths inside MDX.
Path: content/posts/product-vs-platform.mdx
---
title: "Product vs. Platform: Picking the Right Lens for Security Engineering"
date: 2025-09-22
tags: [leadership, strategy]
summary: "How reframing work as products or platforms clarifies investments and outcomes."
---
Short intro paragraph…
## When to think "Product"
- Clear user and value stream
- SLAs and roadmaps
## When to think "Platform"
- Leverage and common capabilities
- Internal developer experienceCompanion assets: Place supporting diagrams (e.g.,
product-vs-platform-lens.svg) inapps/site/public/images/posts/and screenshots inapps/site/public/images/posts/screens/. Ensure MDX imports use absolute public URLs.
Path: content/data/patents.json
[
{"title": "Parse Failure Fingerprinting for Intelligent Drop Control", "status": "Filed", "year": 2025},
{"title": "UID‑Based Drop Control in High‑Throughput Pipelines", "status": "Draft", "year": 2025}
]- Add dynamic OG component generating per‑page images with title and tag pills.
- Keyboard traps: none. Focus order logical. Skip link visible on focus.
- Color contrast ≥ 4.5:1. Headings hierarchical.
- Form errors announced via ARIA. Labels tied to inputs.
- Initial JS ≤ 200KB. Lazy‑load non‑critical.
- Images responsive (
srcset) and compressed. Preload fonts.
- DSM → Application Portal → Reverse Proxy:
theschoonover.net→web:80. - DSM → Certificate: Let’s Encrypt; enable HSTS.
- AAAA record for IPv6 if available.
- Optional: Cloudflare proxy in front; keep origin SSL full strict.
- RackStation hardware guardrails: Assume Intel Atom C3538 (4 cores/8 threads) with 12GB RAM allocated to Docker, 4TB usable SSD volume, and 200Mbps symmetric WAN uplink.
- Container sizing targets: App container ≤ 512MB RSS baseline; Plausible stack ≤ 2GB combined; reserve ≥20% headroom for DSM services.
- Concurrency assumptions: ≤50 concurrent sessions, peak 5 req/s sustained; favor static export and tuned Node workers within CPU budget.
-
On push to
main:pnpm i --frozen-lockfilepnpm typecheck && pnpm build- Run axe + LHCI
- Upload artifact
dist/ - Option A (rsync):
rsyncto RackStation bind mount path for nginx container. - Option B (containers): Build/push image
registry/site:SHA; Watchtower restarts service on RackStation.
- All pages shipped with seed content and pass checks.
- Contact form delivers email via SMTP, with server logs.
- Deployed behind DSM reverse proxy with HTTPS and security headers.
- Newsletter (self‑hosted), Consulting page, Case study PDF export, Command‑K quick finder.
pnpm dlx create-astro@latest apps/site
pnpm i
pnpm dev
pnpm build
pnpm test
Codex: Execute tasks in the order and roles above. Open PRs per task group with checklists, attach Lighthouse/Axe results, and reference file paths exactly as listed so the seeds land in the correct locations.
When any personal-brand surface (hero, footer, contact, command palette, etc.) fails to meet expectations, establish a scoped
AGENTS.md alongside that surface before making corrective changes. The scoped file must:
- Outline tone, visual priorities, and CTA hierarchy for the surface.
- List the canonical data sources (e.g.,
data/profile.json, content collections) that feed the surface. - Capture the QA loop required before merge (copy review, responsive sweep, accessibility spot-check).
Do not proceed with fixes until the scoped guardrail doc exists and the checklist is acknowledged in the PR description.
docs/OPS.mdminimum contents: Deployment runbook (RackStation steps, Docker Compose commands), backup/restore procedures, incident response contacts, environment variable matrix, and rollback instructions. Owner: Agent E (Infra) with review from Agent F (QA).- Content Guide (
docs/content-guide.mdor README section): Voice/tone guardrails, MDX formatting conventions, asset naming/location rules, metadata/frontmatter checklist, accessibility reminders (alt text, captions). Owner: Agent B (Content) with sign-off from John. - Support docs:
docs/analytics.md: Event taxonomy, dashboards, reporting cadence, data retention notes. Owner: Agent F (QA/Analytics).docs/search-indexing.md: Search/tag indexing approach, rebuild steps, failure playbook. Owner: Agent A (App Scaffold).
- Pre-merge checklist: Confirm docs updated, owners tagged in review, and README links to each document.