Intranet

Lightweight local HTTP file server — no Apache/nginx needed, no root required. Serves static files, mounts plugin directories, and runs index.py entry points as CGI.

Entry point: INLINECODE1

Setup

See SETUP.md for prerequisites and setup instructions.

Commands

CODEBLOCK0

Directory Layout

CODEBLOCK1

Config lives in {workspace}/intranet/config.json, webroot is {workspace}/intranet/www/. The config file is never exposed to HTTP.

Plugins

Plugins mount external directories at URL prefixes. Configure in config.json:

CODEBLOCK2

Plugin config supports simple (static only) or extended (with CGI hash) format:

CODEBLOCK3

• - Plugin paths must be inside the workspace
• If CGI is enabled and a plugin has a hash, index.py at the plugin root handles all sub-paths — but only if its SHA-256 matches
• Plugins without a hash are static-only (CGI blocked even when globally enabled)
• Generate a hash: INLINECODE8

CGI Execution

Off by default. Enable in config.json:

CODEBLOCK4

When enabled, only files named index.py can execute as CGI:

• - Webroot: index.py in any subdirectory handles that directory's requests
• Plugins: index.py at the plugin root handles all plugin sub-paths
• All other .py files → 403 Forbidden (never served, never executed)
• Scripts must have the executable bit set (chmod +x)

Security

• - Webroot isolation — config.json is outside the webroot (www/), never served
• CGI off by default — must be explicitly enabled via "cgi": true in config.json
• Path containment — all resolved paths must stay within their base directory. Symlinks are followed but the resolved target is checked for containment.
• Plugin allowlist — only directories explicitly registered in config.json are served; must be inside workspace
• CGI restricted to index.py — no arbitrary script execution; plugin CGI requires SHA-256 hash in config.json. Webroot CGI does not require a hash (webroot files are under your direct control)
• All .py files blocked except index.py entry points (not served as text, not executed)
• Host allowlist — optional allowed_hosts restricts which Host headers are accepted
• Token auth — optional bearer token via --token flag or config.json. Browser clients visit ?token=SECRET once → session cookie set → all subsequent navigation works. API clients use Authorization: Bearer <token> header.
• Path traversal protection — all paths resolved and validated before serving
• Default bind: 127.0.0.1 (loopback only). LAN access via --host 0.0.0.0 requires both token auth and allowed_hosts in config.json.

Workspace Detection

The server auto-detects the workspace by walking up from $PWD (or the script location) looking for a skills/ directory. The detected path is printed on startup so you can verify it.

To skip autodiscovery, set INTRANET_WORKSPACE to the workspace root:

CODEBLOCK5

Notes

• - All state files are inside the workspace:

• - No files are written outside the workspace
• 30-second timeout on CGI execution (when enabled)