← Back to Formal theory of consciousness built on ∞-categories

Owner tools

For the owner of Formal theory of consciousness built on ∞-categories (holon.sh).

Ownership

This launch is unclaimed.

Claim this launch to get an owner link, re-scan after fixes, track your score improvements, or remove your site from StackScope entirely.

Claim this launch

Start here

Two fast-win fixes from the list below, ordered by impact. Each is a drop-in change you can finish in under 30 minutes.

Add a robots.txt file
Add a privacy policy page

1 more score-affecting fix below, plus advisory items.

Fixes that improve your score

Security

HIGHAdd the missing security response headers
Missing 5 of 6 standard browser headers. Start with Referrer-Policy, X-Content-Type-Options, and X-Frame-Options (one line each), then roll out CSP in Report-Only mode.
WhyEach header limits a class of browser-side attack: clickjacking, XSS, MIME sniffing, plaintext fallback. Missing headers leave default-permissive behaviour in place.
WhereMost are one line each in your server config, reverse proxy, CDN, or framework headers.
Learn more
Why this matters & sources
Per-header consequence:
- Content-Security-Policy: Controls which scripts, styles, and fonts are allowed to run on your pages. Without it, an injected <script> tag runs with full access to your users' sessions and cookies.
- X-Frame-Options: Stops other sites loading yours inside an invisible iframe to trick users into clicking buttons they can't see (clickjacking).
- X-Content-Type-Options: Tells browsers not to guess file types. Without it, a user-uploaded image can be sniffed as JavaScript and executed.
- Referrer-Policy: Controls how much of the current URL is sent to third-party sites and analytics. The default leaks the full path, including query strings that may contain tokens or user IDs.
- Permissions-Policy: Turns off browser features your site doesn't use (camera, microphone, geolocation, payment) so an injected script can't trigger them.
CSP rollout: Content-Security-Policy is the hardest to get right. Start with Content-Security-Policy-Report-Only, which logs violations without blocking. Open DevTools Console, reload each page, and relax the policy until the console is clean. Rename the header to Content-Security-Policy to enforce. For real-user monitoring, point a report-to directive at a free collector (report-uri.com, Sentry, or a /api/csp-report route).

Legal & compliance

MEDIUMAdd a privacy policy page
WhyDocuments what personal data you collect and how you use it. Without one, it's hard to demonstrate basic GDPR / CCPA compliance to regulators or users.
WhereUse a free generator like Termly or Iubenda to produce one in minutes, then link from your footer.
Learn more

Discoverability

MEDIUMAdd a robots.txt file
WhyTells search engines and bots which pages to crawl and which to skip. Without one, crawlers default to indexing everything they can reach, including admin paths and staging URLs.
WhereCreate /robots.txt at the site root. Most frameworks have a built-in path (Next.js app/robots.ts, Astro public/robots.txt).
Learn more

Optional improvements

These don't change your StackScope score but cover SEO, agent-readiness, security-researcher discoverability, and compliance items worth addressing.

Security

LOWAdd /.well-known/security.txt
WhyLets security researchers report vulnerabilities responsibly through a published contact channel.
WhereCreate /.well-known/security.txt with a Contact: email and Expires: date.
Learn more

Email security

HIGHAdd an SPF record
No SPF TXT record found at the apex domain.
WhyWithout SPF and DMARC, receiving servers have fewer signals to reject spoofed mail using your domain.
WherePublish a TXT record at the apex like v=spf1 include:_spf.google.com ~all (replace the include: with your real sender, then end with ~all for soft-fail or -all for strict).
Learn more
HIGHAdd a DMARC record
No DMARC record at _dmarc.{your-domain}.
WhyDMARC tells receivers what to do when mail fails SPF or DKIM. Without one, they fall back to permissive defaults and your domain is more easily spoofed.
WhereAdd a TXT record at _dmarc.{your-domain}. Start with v=DMARC1; p=none; rua=mailto:[email protected] (monitoring), then move to p=quarantine and p=reject once you're sure your real mail passes.
Learn more
MEDIUMConfigure DKIM with your email provider
No DKIM record found at the common selectors we check.
WhyDKIM signs your outbound mail with a cryptographic key receivers can verify. Without it, receivers can't tell your real mail from a spoof.
WhereAsk your email provider for their DKIM setup. It's usually one TXT record at {selector}._domainkey.{your-domain}.
Learn more
Why this matters & sources
Selectors we probe: Resend, SendGrid, Postmark, Mailchimp, Brevo, Mailgun, HubSpot, Customer.io, ConvertKit, Cloudflare Email. If you use Google Workspace, Microsoft 365, or self-hosted email with a custom selector, you may already have DKIM published and we just don't see it.
LOWAdd MTA-STS
No MTA-STS DNS record published.
WhyPrevents mail to your domain being downgraded to plaintext mid-flight by a network attacker. Most launches don't have this, so deploying it puts you a tier above generic email-security checks.
WherePublish a TXT record at _mta-sts.{your-domain} plus a policy file at https://mta-sts.{your-domain}/.well-known/mta-sts.txt.
Learn more
LOWAdd a TLS-RPT record
No TLS-RPT record at _smtp._tls.{domain}.
WhyReceivers can tell you when STARTTLS handshakes to your mail server fail. Without it, silent TLS failures are invisible.
WherePublish one TXT record at _smtp._tls.{your-domain} like v=TLSRPTv1; rua=mailto:[email protected].
Learn more

Agent / AI

LOWAdd an llms.txt file
WhyHelps AI models understand your site's content and how to use it. Not yet a standard but gaining adoption.
WhereCreate /llms.txt at the site root with a brief overview and key URLs.
Learn more
LOWDeclare a Content-Signal in robots.txt
WhyStates how you'd like AI systems to use your content (training, search, agent input). Without it, AI crawlers fall back to whatever default policy each vendor applies.
WhereAdd a Content-Signal: line to your robots.txt.
Learn more
LOWAdd Link response headers
WhyLets agents discover your sitemap, privacy policy, and docs without parsing HTML, which most lightweight agents skip.
WhereSet Link: response headers in your server config or framework middleware.
Learn more

If a tip looks wrong (for example it says "add a consent banner" and you already have one) the detection's the bug, not you. StackScope sees what's public from the outside: HTTP response, rendered HTML, cookies, and DNS. We can miss vendors that load behind consent, are self-hosted, or use an install shape we haven't fingerprinted yet. Email [email protected] and we'll look into it.

Copy into Cursor, Claude, or ChatGPT

This prompt includes the detected stack and only the fixes StackScope found. It asks the AI to make concrete file-level changes, not a vague website review.

Score-affecting basics only. Ask your AI to handle these first; come back for the optional hardening once they're done.

Everything: score-affecting fixes plus optional email security, agent metadata, and best-practice items. Longer prompt, more for an "all in one" agent run.

I own https://holon.sh/. StackScope (https://stackscope.dev) analysed it on 10 April 2026 and scored it 4.4/10 against their production-readiness checklist. Please help me apply the fixes below. These are the score-affecting basics. We'll circle back to the optional hardening (email security, advanced agent metadata) later.

Tech stack StackScope detected on the site (use this when suggesting where each fix lives in the codebase):
docusaurus, fastly, github-pages, hsts, jsdelivr-cdn, njalla

Score-affecting fixes (these improve the StackScope score; [HIGH] = most impact):
- [HIGH] Add the missing security response headers. Missing 5 of 6 standard browser headers. Start with `Referrer-Policy`, `X-Content-Type-Options`, and `X-Frame-Options` (one line each), then roll out CSP in `Report-Only` mode. Why: Each header limits a class of browser-side attack: clickjacking, XSS, MIME sniffing, plaintext fallback. Missing headers leave default-permissive behaviour in place. Where: Most are one line each in your server config, reverse proxy, CDN, or framework headers. (https://owasp.org/www-project-secure-headers/)
- [MEDIUM] Add a robots.txt file. Why: Tells search engines and bots which pages to crawl and which to skip. Without one, crawlers default to indexing everything they can reach, including admin paths and staging URLs. Where: Create `/robots.txt` at the site root. Most frameworks have a built-in path (Next.js `app/robots.ts`, Astro `public/robots.txt`). (https://developers.google.com/search/docs/crawling-indexing/robots/intro)
- [MEDIUM] Add a privacy policy page. Why: Documents what personal data you collect and how you use it. Without one, it's hard to demonstrate basic GDPR / CCPA compliance to regulators or users. Where: Use a free generator like Termly or Iubenda to produce one in minutes, then link from your footer. (https://www.termly.io/products/privacy-policy-generator/)

For each item, tell me exactly which file to create or which code to change, and where it lives in a project using the stack above. If my framework has a native API for the task (e.g. Next.js metadata exports, `app/sitemap.ts`, Astro layouts, Nuxt `useHead`), prefer that over raw HTML or server config.

Full analysis: https://stackscope.dev/launch/iicxkfao/formal-theory-of-consciousness-built-on-categories

I own https://holon.sh/. StackScope (https://stackscope.dev) analysed it on 10 April 2026 and scored it 4.4/10 against their production-readiness checklist. Please help me apply the fixes below. This is a checklist, not a blocker list; Score-affecting fixes are the ones that move the number, Optional items are nice-to-haves with zero score impact that I can skip for an MVP.

Tech stack StackScope detected on the site (use this when suggesting where each fix lives in the codebase):
docusaurus, fastly, github-pages, hsts, jsdelivr-cdn, njalla

Score-affecting fixes (these improve the StackScope score; [HIGH] = most impact):
- [HIGH] Add the missing security response headers. Missing 5 of 6 standard browser headers. Start with `Referrer-Policy`, `X-Content-Type-Options`, and `X-Frame-Options` (one line each), then roll out CSP in `Report-Only` mode. Why: Each header limits a class of browser-side attack: clickjacking, XSS, MIME sniffing, plaintext fallback. Missing headers leave default-permissive behaviour in place. Where: Most are one line each in your server config, reverse proxy, CDN, or framework headers. (https://owasp.org/www-project-secure-headers/)
- [MEDIUM] Add a robots.txt file. Why: Tells search engines and bots which pages to crawl and which to skip. Without one, crawlers default to indexing everything they can reach, including admin paths and staging URLs. Where: Create `/robots.txt` at the site root. Most frameworks have a built-in path (Next.js `app/robots.ts`, Astro `public/robots.txt`). (https://developers.google.com/search/docs/crawling-indexing/robots/intro)
- [MEDIUM] Add a privacy policy page. Why: Documents what personal data you collect and how you use it. Without one, it's hard to demonstrate basic GDPR / CCPA compliance to regulators or users. Where: Use a free generator like Termly or Iubenda to produce one in minutes, then link from your footer. (https://www.termly.io/products/privacy-policy-generator/)

Optional best-practice improvements (no score impact):
- [HIGH] Add an SPF record. No SPF TXT record found at the apex domain. Why: Without SPF and DMARC, receiving servers have fewer signals to reject spoofed mail using your domain. Where: Publish a TXT record at the apex like `v=spf1 include:_spf.google.com ~all` (replace the `include:` with your real sender, then end with `~all` for soft-fail or `-all` for strict). (https://www.cloudflare.com/learning/dns/dns-records/dns-spf-record/)
- [HIGH] Add a DMARC record. No DMARC record at `_dmarc.{your-domain}`. Why: DMARC tells receivers what to do when mail fails SPF or DKIM. Without one, they fall back to permissive defaults and your domain is more easily spoofed. Where: Add a TXT record at `_dmarc.{your-domain}`. Start with `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com` (monitoring), then move to `p=quarantine` and `p=reject` once you're sure your real mail passes. (https://dmarc.org/overview/)
- [MEDIUM] Configure DKIM with your email provider. No DKIM record found at the common selectors we check. Why: DKIM signs your outbound mail with a cryptographic key receivers can verify. Without it, receivers can't tell your real mail from a spoof. Where: Ask your email provider for their DKIM setup. It's usually one TXT record at `{selector}._domainkey.{your-domain}`. (https://www.cloudflare.com/learning/dns/dns-records/dns-dkim-record/)
- [LOW] Add /.well-known/security.txt. Why: Lets security researchers report vulnerabilities responsibly through a published contact channel. Where: Create `/.well-known/security.txt` with a `Contact:` email and `Expires:` date. (https://securitytxt.org/)
- [LOW] Add an llms.txt file. Why: Helps AI models understand your site's content and how to use it. Not yet a standard but gaining adoption. Where: Create `/llms.txt` at the site root with a brief overview and key URLs. (https://llmstxt.org/)
- [LOW] Declare a Content-Signal in robots.txt. Why: States how you'd like AI systems to use your content (training, search, agent input). Without it, AI crawlers fall back to whatever default policy each vendor applies. Where: Add a `Content-Signal:` line to your `robots.txt`. (https://contentsignals.org/)
- [LOW] Add Link response headers. Why: Lets agents discover your sitemap, privacy policy, and docs without parsing HTML, which most lightweight agents skip. Where: Set `Link:` response headers in your server config or framework middleware. (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Link)
- [LOW] Add MTA-STS. No MTA-STS DNS record published. Why: Prevents mail to your domain being downgraded to plaintext mid-flight by a network attacker. Most launches don't have this, so deploying it puts you a tier above generic email-security checks. Where: Publish a TXT record at `_mta-sts.{your-domain}` plus a policy file at `https://mta-sts.{your-domain}/.well-known/mta-sts.txt`. (https://datatracker.ietf.org/doc/html/rfc8461)
- [LOW] Add a TLS-RPT record. No TLS-RPT record at `_smtp._tls.{domain}`. Why: Receivers can tell you when STARTTLS handshakes to your mail server fail. Without it, silent TLS failures are invisible. Where: Publish one TXT record at `_smtp._tls.{your-domain}` like `v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com`. (https://datatracker.ietf.org/doc/html/rfc8460)

For each item, tell me exactly which file to create or which code to change, and where it lives in a project using the stack above. If my framework has a native API for the task (e.g. Next.js metadata exports, `app/sitemap.ts`, Astro layouts, Nuxt `useHead`), prefer that over raw HTML or server config.

Full analysis: https://stackscope.dev/launch/iicxkfao/formal-theory-of-consciousness-built-on-categories

Using an autonomous agent?

Point the agent at this SKILL.md URL and ask it to follow the skill. The framing stops agents defaulting to an open-ended page review.

https://stackscope.dev/launch/iicxkfao/skill.md

Share your score

Your score card renders automatically when you share the link.

Or embed a badge

Two badge options. Pick whichever fits your story.

Current score

Shows the latest score and updates within a few minutes of any recrawl. Best for ongoing display: if you fix something and recrawl, the badge reflects the new score automatically.

<a href="https://stackscope.dev/launch/iicxkfao/formal-theory-of-consciousness-built-on-categories"><img src="https://stackscope.dev/badge/iicxkfao/current.svg" alt="StackScope score for Formal theory of consciousness built on ∞-categories" height="24" /></a>

Launch score

Pinned to your launch-day snapshot and never changes. Marked with a small gold corner ribbon. Best for press kits, launch retrospectives, or anywhere you want a permanent record of how you shipped.

<a href="https://stackscope.dev/launch/iicxkfao/formal-theory-of-consciousness-built-on-categories"><img src="https://stackscope.dev/badge/iicxkfao.svg" alt="StackScope launch score for Formal theory of consciousness built on ∞-categories" height="24" /></a>

Using a Content-Security-Policy? Both badges are <img> tags from our domain, so your CSP needs to allow them. Add stackscope.dev to your img-src directive (example: img-src 'self' stackscope.dev;). Without it, browsers silently block the badge and visitors see a broken image.