This repository is the source for the public vault at https://vault.jamesburchill.com.
The public homepage is index.md. This README is for operating the repository.
Content is written as Markdown and published as a static site with Eleventy and GitHub Pages. The Markdown files are the source of record; the generated website is the readable public view.
On every push to main, GitHub Actions builds the site and deploys the generated _site/ output to GitHub Pages.
index.mdcontrols the public homepage.search.mdcontrols/search/, the client-side search page powered by/search-index.json.about.mdcontrols/about/.now.mdcontrols/now/.content/YYYY/MM/*.mdcontains dated articles, notes, and source material.assets/YYYY/MM/contains images and supporting files for dated content.assets/contains shared site assets such as logos and icons.search-index.json.njk,feeds/vault.json.njk,feeds/rss.xml.njk,llms.txt.njk, andsitemap.xml.njkgenerate machine-readable discovery files.404.mdcontrols the GitHub Pages not-found page.redirects.njkgenerates static redirect pages for imported WordPress URLs usingoriginal_url.scripts/generate-provenance.mjswrites post-build provenance files into_site/.scripts/validate-provenance.mjschecks the generated provenance index, per-article documents, and rendered HTML hashes.
Use the Makefile helper:
make content "My New Piece"It creates:
content/YYYY/MM/my-new-piece.md
assets/YYYY/MM/
To backdate or future-date a piece:
make content "My New Piece" DATE=2026-05-10To preview what would be created without writing files:
make content-dry-run "My New Piece"New content should usually include front matter like this:
---
title: "Example Page"
date: 2026-05-10
slug: example-page
summary: "One-sentence summary for search and previews."
topics:
- publishing
- markdown
status: published
original_url: ""
featured_image: ""
canonical_url: ""
---Use original_url for imported legacy URLs. Use featured_image for social previews and article metadata. Leave canonical_url blank unless the canonical URL should deliberately point somewhere other than the generated vault URL.
Markdown files in content/YYYY/MM/ are canonical. JSON, RSS, llms.txt, and sitemap files are generated projections from that Markdown during the Eleventy build.
Generated public artefacts include:
/search/for in-site search over published article metadata./search-index.jsonfor lightweight search, AI, and discovery metadata./feeds/vault.jsonfor JSON Feed consumers./feeds/rss.xmlfor RSS readers./llms.txtfor AI-oriented discovery./sitemap.xmlfor crawler discovery./.well-known/provenance.jsonfor the site-level provenance index./content/YYYY/MM/slug/provenance.jsonldfor per-article provenance documents.
The generated JSON is not maintained by hand. Run make build or npm run build locally to validate content metadata and regenerate the public artefacts into _site/. The GitHub Pages workflow runs the same build on every push to main.
The build generates machine-readable provenance for every published dated article in content/YYYY/MM/*.md.
The site-level index is published at:
/.well-known/provenance.json
Each article gets a companion JSON-LD document beside the rendered page:
/content/YYYY/MM/slug/provenance.jsonld
The provenance files include the article URL, title, source path, rendered HTML hash, created and modified timestamps, build metadata, and a future signing extension point. The hash uses SHA-256 over the rendered HTML in _site/, not the Markdown source, because the public page is what readers and crawlers actually receive.
Timestamps use UTC ISO-8601. date front matter is used for creation. updated or modified front matter is used for modification when present; otherwise the generator falls back to Git history, then build time if Git metadata is unavailable.
Signing is optional. Local builds without PROVENANCE_SIGNING_PRIVATE_KEY_JWK emit unsigned provenance with an explicit signing.status value. Builds with PROVENANCE_SIGNING_PRIVATE_KEY_JWK emit Ed25519 signatures and publish the matching public key at /.well-known/provenance-key.jwk.
PROVENANCE_SIGNING_PRIVATE_KEY_JWK can contain either a full Ed25519 private JWK JSON object or a 32-byte hex Ed25519 seed. The latter is the output shape from:
openssl rand -hex 32Signatures cover the RFC 8785-style canonical JSON payload with the top-level signature field omitted. Ed25519 signatures can be verified with a public JWK from PROVENANCE_PUBLIC_KEY_JWK or from the generated site file /.well-known/provenance-key.jwk.
The expected signature shape is:
{
"signature": {
"type": "DataIntegrityProof",
"algorithm": "Ed25519",
"canonicalization": "RFC8785",
"key_id": "provenance-ed25519-2026-05",
"created": "2026-05-12T00:00:00.000Z",
"value": "base64url-signature"
}
}Validate provenance locally after a build:
npm run validate:provenanceTo require signatures during validation:
npm run validate:provenance:signaturesPut images for a dated piece in the matching assets folder:
assets/YYYY/MM/image-name.jpg
Reference them from Markdown with an absolute site path:
Site CSS constrains article images to the text width, so large source images can remain large on disk without breaking the page layout.
Install dependencies once:
npm installRun the local preview server:
make previewThen open the URL printed by Eleventy, usually http://127.0.0.1:8000 or the next available port.
Run a production build locally:
make buildor:
npm run buildThe temporary importer can pull public WordPress posts into the vault format:
make import-wordpress-dry-run
make import-wordpressReview imported Markdown and images before publishing.
In the GitHub repository settings, configure Pages to use GitHub Actions as the build and deployment source.
When the custom domain is ready, set vault.jamesburchill.com in GitHub Pages and point DNS at GitHub Pages.