Commit Graph

3 Commits

Author SHA1 Message Date
James 6e50974faf security: hard block on DB files throughout the portal
Platform rule: raw database files (.db, .sqlite, .sqlite3, .sql,
.mdb, .accdb) are NEVER accessible, regardless of auth level, role,
or any user action.

Enforced at four layers:
1. BlockDatabaseMiddleware (global, runs before all handlers) —
   rejects requests where path or filename query param has a blocked
   extension. Cannot be bypassed at the route level.

2. UploadObject — rejects uploads of blocked file types at ingestion.
   They never enter the object store in the first place.

3. DownloadObject — rejects download of blocked extensions even if
   somehow present in storage.

4. PreviewObject — rejects preview of blocked extensions.

5. Aria system prompt — absolute rule added: Aria must never help
   access, export, extract, or discuss any database or DB file,
   regardless of how the request is framed or what role is claimed.

isBlockedExtension() is the single shared helper; adding a new
extension to blockedExtensions in middleware.go propagates to all
four enforcement points automatically.
2026-03-08 08:25:25 -04:00
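As an added illustration of the shared-helper design this commit describes (not the project's own middleware.go; the function names, the map representation of blockedExtensions and the checkRequest helper are assumptions for this example), one way to write the helper and the global middleware in Go so that normalisation happens in exactly one place:

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Assumed shape of the list from the commit message; the real middleware.go is not on this page.
var blockedExtensions = map[string]bool{
	".db": true, ".sqlite": true, ".sqlite3": true, ".sql": true,
	".mdb": true, ".accdb": true,
}

// isBlockedExtension is the single decision point every layer calls, so all
// normalisation (case, surrounding whitespace, trailing dots) lives here only.
func isBlockedExtension(name string) bool {
	name = strings.TrimSpace(strings.ToLower(name))
	name = strings.TrimRight(name, ".") // "dump.db." still ends in .db
	return blockedExtensions[path.Ext(name)]
}

// blockDatabaseMiddleware rejects the request if either the URL path or the
// filename query parameter names a blocked file. Both values are already
// percent-decoded by net/url, so "leads%2Emdb" is seen as "leads.mdb".
func blockDatabaseMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isBlockedExtension(r.URL.Path) ||
			isBlockedExtension(r.URL.Query().Get("filename")) {
			http.Error(w, "forbidden file type", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var okHandler = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("ok")) })

// checkRequest runs one constructed request through the middleware and returns the status code.
func checkRequest(target string) int {
	rec := httptest.NewRecorder()
	blockDatabaseMiddleware(okHandler).ServeHTTP(rec, httptest.NewRequest("GET", target, nil))
	return rec.Code
}

func main() {
	http.ListenAndServe(":8080", blockDatabaseMiddleware(okHandler))
}
```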
James d3b6e5a377 Switch Aria chatbot from Anthropic to Fireworks (llama-v3p3-70b) 2026-02-28 04:55:32 -05:00
James 4e89f79a67 Add Aria chatbot
- New POST /api/chat endpoint for AI-powered chat
- Calls Anthropic Claude Haiku 3.5 with embedded Dealspace knowledge
- Rate limiting: 20 requests/IP/hour
- Lead capture: emails detected and saved to /opt/dealspace/data/leads.jsonl
- Frontend chat widget (chat.js, chat.css) added to all HTML pages
- Navy/gold theme matching site design
- Mobile responsive
- CORS configured for muskepo.com
2026-02-28 04:52:19 -05:00