blog: securing notebooks (#617)

* feat(blog): draft security post

* toss the dynamic param

* prep for publish

* blog: dynamic cover media from frontmatter, scale down hero without media

- Add coverVideo to BlogPostFrontmatter type and parser
- Move hardcoded tada.mp4 into nteract-2.0.mdx frontmatter as coverVideo
- Hero section renders video/image from latest post, or nothing
- Smaller headline when no cover media is present
- Security post prose updates

* clean up more

* blog: inline CSP callout as prose line

* blog: correct daemon diagram to show GET-only blob server

The SocketDiagram claimed "NO HTTP SERVER" which is wrong — runtimed
exposes a read-only blob store on 127.0.0.1 with an OS-assigned port.
Redraw as two planes (Unix socket control, HTTP GET data), add CSP
allowlist to the iframe diagram, and tighten the local-only + Tauri
sections to match.

* slim down

* blog: lead security post with olive-garden demo, swap diagram for Figma SVG

Restructure the "Every output is isolated" section so the side-by-side
nteract vs JupyterLab screenshots run before the technical explanation.
Replace the inline SVG diagram with the polished Figma export served
from /public, drop the widget postMessage video into the placeholder
that was waiting for it, and update the blog test to expect both posts.

* blog: tighten trust-signature paragraph

* blog: add cover video + OG image, polish diagram and security prose

- Add coverVideo + ogImage frontmatter wiring
- Dark-transparent postMessage label in iframe isolation SVG so
  the dashed origin boundary bleeds through; light-gray text for
  contrast on the dark page
- Merge "What about agents?" into the control-socket paragraph
  (SSH analogy + MCP agents folded in)
- Fold the standalone "secrets only on your machine" paragraph
  into the control-socket block to tighten Your data, your machine
- Swap stale Tauri "allowlist" → "capabilities"
- Note CSP allows unsafe-inline/eval inside the opaque iframe
- "rotates every run" → "picked fresh each time the daemon starts"
- Blob store example: "Parquet, Arrow, output rendering assets"
  (drops the "plugin" framing)
- Drop the widget video placeholder, inline the postMessage demo

* blog: fix nested <p> hydration warning in BlogInlineCTA

Collapse the component's outer <p> into its <div className="not-prose">.
MDX was wrapping the component's children in a <p>, which landed inside
the <a>, producing a <p>-inside-<p> hydration error. The typography
classes move to the <div> with no visual change.

Author: rgbkrk

app/(blog)/blog/[slug]/page.tsx

@@ -13,18 +13,20 @@ type BlogPostPageProps = {
   }>;
 };
 
+const isDev = process.env.NODE_ENV === "development";
+
 export const dynamicParams = false;
 
 export async function generateStaticParams() {
-  const slugs = await getAllSlugs();
+  const slugs = await getAllSlugs({ includeUnpublished: isDev });
   return slugs.map((slug) => ({ slug }));
 }
 
 export async function generateMetadata({
   params,
 }: BlogPostPageProps): Promise<Metadata> {
   const { slug } = await params;
-  const post = await getPostBySlug(slug);
+  const post = await getPostBySlug(slug, { includeUnpublished: isDev });
 
   if (!post) {
     return {};
@@ -58,7 +60,7 @@ export async function generateMetadata({
 
 export default async function BlogPostPage({ params }: BlogPostPageProps) {
   const { slug } = await params;
-  const post = await getPostBySlug(slug);
+  const post = await getPostBySlug(slug, { includeUnpublished: isDev });
 
   if (!post) {
     notFound();

app/(blog)/blog/page.tsx

@@ -62,7 +62,9 @@ export default async function BlogPage() {
             </div>
 
             <Link href={`/blog/${latest.slug}`} className="group block">
-              <h1 className="mb-6 font-headline text-6xl font-bold leading-[0.9] tracking-tighter text-on-surface transition-colors group-hover:text-secondary md:text-8xl">
+              <h1
+                className={`mb-6 font-headline font-bold leading-[0.9] tracking-tighter text-on-surface transition-colors group-hover:text-secondary ${latest.coverVideo || latest.coverImage ? "text-6xl md:text-8xl" : "text-4xl md:text-5xl"}`}
+              >
                 {latest.title}
               </h1>
 
@@ -79,7 +81,9 @@ export default async function BlogPage() {
                 const rest2 = latest.description.slice(dot + 1).trim();
                 return (
                   <div className="mb-6 max-w-2xl space-y-2">
-                    <p className="font-headline text-2xl font-semibold tracking-tight text-on-surface/80 md:text-3xl">
+                    <p
+                      className={`font-headline font-semibold tracking-tight text-on-surface/80 ${latest.coverVideo || latest.coverImage ? "text-2xl md:text-3xl" : "text-lg md:text-xl"}`}
+                    >
                       {lead}
                     </p>
                     {rest2 && (
@@ -99,17 +103,33 @@ export default async function BlogPage() {
               </div>
             </Link>
 
-            {/* Hero preview */}
-            <Link href={`/blog/${latest.slug}`} className="mt-10 block overflow-hidden">
-              <video
-                src="https://pub-d6c6294d12e242e7acb5f8d1eaf78e06.r2.dev/tada.mp4"
-                autoPlay
-                muted
-                loop
-                playsInline
-                className="w-full"
-              />
-            </Link>
+            {/* Hero preview — driven by coverVideo / coverImage frontmatter */}
+            {latest.coverVideo ? (
+              <Link
+                href={`/blog/${latest.slug}`}
+                className="mt-10 block overflow-hidden"
+              >
+                <video
+                  src={latest.coverVideo}
+                  autoPlay
+                  muted
+                  loop
+                  playsInline
+                  className="w-full"
+                />
+              </Link>
+            ) : latest.coverImage ? (
+              <Link
+                href={`/blog/${latest.slug}`}
+                className="mt-10 block overflow-hidden"
+              >
+                <img
+                  src={latest.coverImage}
+                  alt={latest.title}
+                  className="w-full"
+                />
+              </Link>
+            ) : null}
           </>
         ) : (
           <div className="bg-surface-container-low px-6 py-10 text-on-surface-variant">

components/blog/iframe-isolation-diagram.tsx

@@ -0,0 +1,13 @@
+import { LightboxImage } from "./lightbox-image";
+
+export function IframeIsolationDiagram() {
+  return (
+    <div className="not-prose my-12 flex justify-center">
+      <LightboxImage
+        src="/iframe-isolation.svg"
+        alt="Diagram showing iframe isolation: parent window with Tauri APIs separated from an isolated blob: iframe by an opaque-origin boundary, with postMessage / JSON-RPC 2.0 as the only bridge."
+        className="w-full max-w-[700px]"
+      />
+    </div>
+  );
+}

components/blog/inline-cta.tsx

@@ -0,0 +1,34 @@
+import type { ReactNode } from "react";
+
+type BlogInlineCTAProps = {
+  href: string;
+  children: ReactNode;
+  /** Optional lead-in phrase rendered before the link */
+  lead?: string;
+};
+
+export function BlogInlineCTA({ href, children, lead }: BlogInlineCTAProps) {
+  const isExternal =
+    href.startsWith("http://") || href.startsWith("https://");
+
+  return (
+    <div className="not-prose font-body text-[0.95rem] leading-relaxed text-on-surface-variant/75">
+      {lead ? <span>{lead} </span> : null}
+      <a
+        href={href}
+        {...(isExternal
+          ? { target: "_blank", rel: "noopener noreferrer" }
+          : {})}
+        className="group inline-flex items-baseline gap-1.5 text-[#cbb5f4] underline decoration-[#a993d1]/40 decoration-from-font underline-offset-[5px] transition-colors hover:decoration-[#cbb5f4]"
+      >
+        {children}
+        <span
+          aria-hidden
+          className="inline-block translate-y-[1px] transition-transform group-hover:translate-x-0.5"
+        >
+          →
+        </span>
+      </a>
+    </div>
+  );
+}

components/blog/socket-diagram.tsx

@@ -0,0 +1,131 @@
+/**
+ * Two-surface architecture:
+ *   - Control plane: Unix socket (0600) ← App, agents
+ *   - Data plane: GET-only HTTP blob store on 127.0.0.1:<ephemeral> → iframes
+ * Both bind locally only; nothing is reachable off-host.
+ */
+export function SocketDiagram() {
+  return (
+    <div className="not-prose my-12 flex justify-center">
+      <svg
+        width="720"
+        height="340"
+        viewBox="0 0 720 340"
+        fill="none"
+        className="w-full max-w-[720px]"
+      >
+        <title>
+          runtimed exposes two local-only surfaces: a Unix socket for control
+          and a GET-only HTTP blob store for binary output data
+        </title>
+        <style>{`
+          .sd-label { fill: #e5e5e5; font-family: 'Space Grotesk', system-ui, sans-serif; font-size: 13px; font-weight: 600; }
+          .sd-sub { fill: #ababab; font-family: 'JetBrains Mono', monospace; font-size: 9px; letter-spacing: 0.15em; text-transform: uppercase; }
+          .sd-mono { fill: #ababab; font-family: 'JetBrains Mono', monospace; font-size: 10px; }
+          .sd-purple { fill: #a993d1; font-family: 'JetBrains Mono', monospace; font-size: 10px; letter-spacing: 0.05em; }
+          .sd-teal { fill: #7dd3c4; font-family: 'JetBrains Mono', monospace; font-size: 10px; letter-spacing: 0.05em; }
+          .sd-check { fill: #86efac; font-family: 'JetBrains Mono', monospace; font-size: 10px; }
+          .sd-circle { fill: none; stroke: #a993d1; stroke-width: 2; }
+          .sd-circle-fill { fill: #a993d1; opacity: 0.1; }
+          .sd-iframe { fill: none; stroke: #7dd3c4; stroke-width: 2; }
+          .sd-iframe-fill { fill: #7dd3c4; opacity: 0.08; }
+          .sd-ctrl-line { stroke: #a993d1; stroke-width: 1.5; stroke-dasharray: 4 4; opacity: 0.55; }
+          .sd-data-line { stroke: #7dd3c4; stroke-width: 1.5; opacity: 0.55; }
+          .sd-hex { fill: #0e0e0e; stroke: #a993d1; stroke-width: 2; }
+          .sd-hex-fill { fill: #a993d1; opacity: 0.15; }
+          .sd-divider { stroke: #484848; stroke-width: 1; stroke-dasharray: 2 4; opacity: 0.5; }
+          @keyframes sd-pulse { 0%, 100% { opacity: 0.25; } 50% { opacity: 0.8; } }
+          .sd-pulse { animation: sd-pulse 2.5s ease-in-out infinite; }
+        `}</style>
+
+        {/* ── Daemon (center hexagon) ── */}
+        <g transform="translate(360, 150)">
+          <polygon points="0,-44 38,-22 38,22 0,44 -38,22 -38,-22" className="sd-hex-fill" />
+          <polygon points="0,-44 38,-22 38,22 0,44 -38,22 -38,-22" className="sd-hex" />
+          <text y="-2" textAnchor="middle" className="sd-label" style={{ fontSize: "11px" }}>runtimed</text>
+          <text y="14" textAnchor="middle" className="sd-sub">daemon</text>
+        </g>
+
+        {/* ── Control-plane lines (left) ── */}
+        <line x1="130" y1="80" x2="322" y2="128" className="sd-ctrl-line" />
+        <line x1="130" y1="220" x2="322" y2="172" className="sd-ctrl-line" />
+
+        {/* Pulse dots */}
+        <circle r="2.5" fill="#a993d1" className="sd-pulse">
+          <animateMotion dur="2.2s" repeatCount="indefinite" path="M 130 80 L 322 128" />
+        </circle>
+        <circle r="2.5" fill="#a993d1" className="sd-pulse" style={{ animationDelay: "0.9s" }}>
+          <animateMotion dur="2.6s" repeatCount="indefinite" path="M 130 220 L 322 172" />
+        </circle>
+
+        <text x="220" y="116" textAnchor="middle" className="sd-sub" transform="rotate(-12, 220, 116)">unix socket</text>
+
+        {/* ── App (upper left) ── */}
+        <g transform="translate(100, 75)">
+          <circle r="30" className="sd-circle-fill" />
+          <circle r="30" className="sd-circle" />
+          <rect x="-12" y="-9" width="24" height="16" rx="2" stroke="#a993d1" strokeWidth="1.5" fill="none" />
+          <line x1="-12" y1="-2" x2="12" y2="-2" stroke="#a993d1" strokeWidth="1" />
+          <circle cx="-8" cy="-6" r="1" fill="#a993d1" />
+          <text y="-42" textAnchor="middle" className="sd-label">nteract App</text>
+        </g>
+
+        {/* ── Agents (lower left) ── */}
+        <g transform="translate(100, 220)">
+          <circle r="30" className="sd-circle-fill" />
+          <circle r="30" className="sd-circle" />
+          <rect x="-8" y="-10" width="16" height="12" rx="2" stroke="#a993d1" strokeWidth="1.5" fill="none" />
+          <circle cx="-3" cy="-4" r="1.4" fill="#a993d1" />
+          <circle cx="3" cy="-4" r="1.4" fill="#a993d1" />
+          <path d="M -4 8 L 4 8" stroke="#a993d1" strokeWidth="1.5" />
+          <text y="48" textAnchor="middle" className="sd-label">MCP agents</text>
+          <text y="62" textAnchor="middle" className="sd-sub">claude · codex · warp</text>
+        </g>
+
+        {/* ── Data-plane line (right) ── */}
+        <line x1="400" y1="150" x2="560" y2="150" className="sd-data-line" />
+        <circle r="2.5" fill="#7dd3c4" className="sd-pulse" style={{ animationDelay: "0.3s" }}>
+          <animateMotion dur="2.4s" repeatCount="indefinite" path="M 400 150 L 560 150" />
+        </circle>
+        <text x="480" y="142" textAnchor="middle" className="sd-sub" style={{ letterSpacing: "0.1em" }}>http get</text>
+
+        {/* ── Iframe (right) ── */}
+        <g transform="translate(605, 150)">
+          <rect x="-45" y="-34" width="90" height="68" rx="3" className="sd-iframe-fill" />
+          <rect x="-45" y="-34" width="90" height="68" rx="3" className="sd-iframe" />
+          <line x1="-45" y1="-22" x2="45" y2="-22" stroke="#7dd3c4" strokeWidth="1" opacity="0.5" />
+          <circle cx="-38" cy="-28" r="1.5" fill="#7dd3c4" opacity="0.8" />
+          <circle cx="-32" cy="-28" r="1.5" fill="#7dd3c4" opacity="0.8" />
+          <circle cx="-26" cy="-28" r="1.5" fill="#7dd3c4" opacity="0.8" />
+          {/* output glyph */}
+          <path d="M -20 0 L -8 -12 L 6 4 L 20 -10" stroke="#7dd3c4" strokeWidth="1.5" fill="none" opacity="0.7" />
+          <circle cx="-20" cy="0" r="2" fill="#7dd3c4" />
+          <circle cx="-8" cy="-12" r="2" fill="#7dd3c4" />
+          <circle cx="6" cy="4" r="2" fill="#7dd3c4" />
+          <circle cx="20" cy="-10" r="2" fill="#7dd3c4" />
+          <text y="-52" textAnchor="middle" className="sd-label">Output iframes</text>
+          <text y="52" textAnchor="middle" className="sd-sub">blob: origin</text>
+        </g>
+
+        {/* ── Legend divider ── */}
+        <line x1="30" y1="272" x2="690" y2="272" className="sd-divider" />
+
+        {/* ── Legend: Control plane ── */}
+        <g transform="translate(60, 296)">
+          <rect x="0" y="-8" width="12" height="4" fill="#a993d1" opacity="0.55" />
+          <rect x="16" y="-8" width="4" height="4" fill="#a993d1" opacity="0.55" />
+          <rect x="24" y="-8" width="4" height="4" fill="#a993d1" opacity="0.55" />
+          <text x="40" y="-3" className="sd-purple">CONTROL</text>
+          <text x="40" y="14" className="sd-mono">unix socket · chmod 0600 · owner-only</text>
+        </g>
+
+        {/* ── Legend: Data plane ── */}
+        <g transform="translate(400, 296)">
+          <rect x="0" y="-8" width="28" height="4" fill="#7dd3c4" opacity="0.55" />
+          <text x="40" y="-3" className="sd-teal">DATA</text>
+          <text x="40" y="14" className="sd-mono">127.0.0.1:&lt;random&gt; · GET /blob/&#123;sha256&#125;</text>
+        </g>
+      </svg>
+    </div>
+  );
+}

components/blog/tauri-comparison.tsx

@@ -0,0 +1,102 @@
+/**
+ * Side-by-side comparison of Electron vs Tauri security models.
+ * Electron: Node.js flows into renderer. Tauri: wall between webview and native.
+ */
+export function TauriComparison() {
+  return (
+    <div className="not-prose my-12 flex justify-center">
+      <svg
+        width="700"
+        height="280"
+        viewBox="0 0 700 280"
+        fill="none"
+        className="w-full max-w-[700px]"
+      >
+        <title>Comparison of Electron and Tauri security models</title>
+        <style>{`
+          .tc-label { fill: #e5e5e5; font-family: 'Space Grotesk', system-ui, sans-serif; font-size: 14px; font-weight: 600; }
+          .tc-sublabel { fill: #ababab; font-family: 'JetBrains Mono', monospace; font-size: 9px; letter-spacing: 0.15em; text-transform: uppercase; }
+          .tc-item { fill: #ababab; font-family: 'JetBrains Mono', monospace; font-size: 10px; }
+          .tc-danger { fill: #ef4444; font-family: 'JetBrains Mono', monospace; font-size: 10px; }
+          .tc-safe { fill: #22c55e; font-family: 'JetBrains Mono', monospace; font-size: 10px; }
+          .tc-accent { fill: #a993d1; font-family: 'JetBrains Mono', monospace; font-size: 10px; }
+          .tc-box { fill: none; stroke: #484848; stroke-width: 1.5; rx: 6; }
+          .tc-box-fill { fill: #484848; opacity: 0.05; rx: 6; }
+          .tc-box-good { fill: none; stroke: #a993d1; stroke-width: 1.5; rx: 6; }
+          .tc-box-good-fill { fill: #a993d1; opacity: 0.05; rx: 6; }
+          .tc-flow { stroke: #ef4444; stroke-width: 1.5; opacity: 0.5; marker-end: url(#tc-arrow-red); }
+          .tc-wall { stroke: #22c55e; stroke-width: 2.5; opacity: 0.6; }
+          .tc-divider { stroke: #333333; stroke-width: 1; stroke-dasharray: 4 4; }
+        `}</style>
+
+        <defs>
+          <marker id="tc-arrow-red" markerWidth="8" markerHeight="6" refX="8" refY="3" orient="auto">
+            <path d="M 0 0 L 8 3 L 0 6" fill="none" stroke="#ef4444" strokeWidth="1" />
+          </marker>
+        </defs>
+
+        {/* ── Divider ── */}
+        <line x1="350" y1="10" x2="350" y2="270" className="tc-divider" />
+
+        {/* ════════════════ ELECTRON (left) ════════════════ */}
+        <text x="175" y="28" textAnchor="middle" className="tc-label" style={{ opacity: 0.5 }}>Electron</text>
+
+        {/* Renderer box */}
+        <rect x="30" y="50" width="140" height="120" className="tc-box-fill" />
+        <rect x="30" y="50" width="140" height="120" className="tc-box" />
+        <text x="100" y="72" textAnchor="middle" className="tc-sublabel">renderer</text>
+        <text x="50" y="95" className="tc-item">Chromium</text>
+        <text x="50" y="115" className="tc-danger">Node.js ⚠</text>
+        <text x="50" y="135" className="tc-danger">require()</text>
+        <text x="50" y="155" className="tc-danger">child_process</text>
+
+        {/* Node.js backend box */}
+        <rect x="190" y="50" width="140" height="120" className="tc-box-fill" />
+        <rect x="190" y="50" width="140" height="120" className="tc-box" />
+        <text x="260" y="72" textAnchor="middle" className="tc-sublabel">main process</text>
+        <text x="210" y="95" className="tc-item">Node.js</text>
+        <text x="210" y="115" className="tc-item">Full fs access</text>
+        <text x="210" y="135" className="tc-item">Shell commands</text>
+        <text x="210" y="155" className="tc-item">No restrictions</text>
+
+        {/* Flow arrow — Node.js leaks into renderer */}
+        <line x1="190" y1="110" x2="170" y2="110" className="tc-flow" />
+
+        {/* Electron verdict */}
+        <text x="175" y="200" textAnchor="middle" className="tc-danger" style={{ fontSize: "9px", letterSpacing: "0.15em" }}>FULL NATIVE ACCESS FROM RENDERER</text>
+        <text x="175" y="218" textAnchor="middle" className="tc-item" style={{ fontSize: "9px", opacity: 0.5 }}>One nodeIntegration: true away</text>
+        <text x="175" y="236" textAnchor="middle" className="tc-item" style={{ fontSize: "9px", opacity: 0.5 }}>from compromise</text>
+
+        {/* ════════════════ TAURI (right) ════════════════ */}
+        <text x="525" y="28" textAnchor="middle" className="tc-label">Tauri</text>
+
+        {/* Webview box */}
+        <rect x="380" y="50" width="140" height="120" className="tc-box-good-fill" />
+        <rect x="380" y="50" width="140" height="120" className="tc-box-good" />
+        <text x="450" y="72" textAnchor="middle" className="tc-sublabel">webview</text>
+        <text x="400" y="95" className="tc-safe">Native webview</text>
+        <text x="400" y="115" className="tc-safe">No Node.js</text>
+        <text x="400" y="135" className="tc-safe">No require()</text>
+        <text x="400" y="155" className="tc-safe">No fs, no shell</text>
+
+        {/* Capability wall */}
+        <line x1="535" y1="52" x2="535" y2="168" className="tc-wall" />
+        <text x="535" y="180" textAnchor="middle" className="tc-sublabel" style={{ fill: "#22c55e", fontSize: "7px" }}>CAPABILITY</text>
+        <text x="535" y="190" textAnchor="middle" className="tc-sublabel" style={{ fill: "#22c55e", fontSize: "7px" }}>BOUNDARY</text>
+
+        {/* Rust backend box */}
+        <rect x="550" y="50" width="130" height="120" className="tc-box-good-fill" />
+        <rect x="550" y="50" width="130" height="120" className="tc-box-good" />
+        <text x="615" y="72" textAnchor="middle" className="tc-sublabel">rust backend</text>
+        <text x="570" y="95" className="tc-accent">Explicit grants</text>
+        <text x="570" y="115" className="tc-accent">Per-capability</text>
+        <text x="570" y="135" className="tc-accent">Allowlist only</text>
+        <text x="570" y="155" className="tc-accent">Type-safe IPC</text>
+
+        {/* Tauri verdict */}
+        <text x="525" y="218" textAnchor="middle" className="tc-safe" style={{ fontSize: "9px", letterSpacing: "0.15em" }}>WEBVIEW IS A DEAD END</text>
+        <text x="525" y="236" textAnchor="middle" className="tc-item" style={{ fontSize: "9px", opacity: 0.5 }}>Nothing to hijack</text>
+      </svg>
+    </div>
+  );
+}