Streaming AI, fenced in
A same-origin PHP proxy gates requests, rate-limits abuse, clamps history, and keeps the LAN model private.
Cybersecurity engineering · California
Cybersecurity practitioner who builds the systems he secures. Explore a gated local-AI pipeline, an isolated Linux lab, and a trust stack you can verify yourself.
01 / Live interface
A local, tool-using AI that can explain Josh's work and show its security boundaries while it answers.
Gated until you unlock itSign in or solve the human check to bring him up.
Under the surface
A same-origin PHP proxy gates requests, rate-limits abuse, clamps history, and keeps the LAN model private.
Browser and network signals are surfaced transparently instead of disappearing into private logs.
Identity material is published, and sensitive messages encrypt to Josh's PGP key in the browser.
Hardened routing, narrow capabilities, documented runbooks, and defensive defaults back the interface.
None of this is required — the page and chat work without it. If you'd like Josh to be able to reach back, or want the Gatekeeper to greet you by name, add whatever you're comfortable sharing. It's stored against your account and visible only to you and Josh.
Hands-on
Break the bot, boot a throwaway box, and audit a real domain. Everything here is sandboxed — nothing you do touches Josh's systems.
Meet the Gatekeeper
It isn't just a chatbot — it drives a fixed, read-only toolkit of SSRF-hardened recon and offline decoders against Josh's own engine (the same one behind the "audit your domain" box). Choose whether a chip returns the raw evidence directly or gives that same live result to Gatekeeper for an explanation. Every domain tool starts on
joshsisto.com
; point it at any public domain first.
Run mode
Direct mode runs exactly the named tool and shows capped evidence. The LLM never sees the result.
Domain tools use the host; page tools use a full URL. The server refuses IP literals, localhost, and private targets.
Recon & posture
Attack surface
Email & identity
Decode & crack
This server & guardrails
Red-team the Gatekeeper
Its rules live in a server-side prompt your browser never sees, behind a same-origin gate and per-IP caps — and there are no secrets in it to spill (Josh's real infrastructure isn't in there). It held every attack in a 24-shot red-team pass. Tap one and watch it hold, or have it walk you through its own guardrails:
Sign in or pass the anonymous check above first — then these run in the live chat. Actually land a leak? Josh wants to hear about it: [email protected].
Live tool — a real shell, fully sandboxed
Drop into a real, interactive Linux shell — write & run scripts, compile C / Go, read the built-in
~/library
of Linux guides, work through the
~/playground
exercises, solve labs, and break things safely. Anonymous boxes wipe on exit. Signed-in
~/persist
workspaces and lesson progress can restore across boots in supported labs — a persistent notebook, not a long-lived VM. No route to the LAN or internet (by design), unprivileged, on an isolated throwaway VM, capped on CPU, memory, processes, and time.
Your box
Lv 1 Newcomer
Resume where you left off:
toolbox
— browse the installed Linux, networking, security & dev tools
ls -la ~/playground
,
tree
,
man grep
less ~/library/README.md
— free Linux guides & books
python3
&
node
learn
, then solve
~/playground/EXERCISES.md
Tap a hands-on lab to boot straight into it:
Foundations
Networking & virtual systems
Offensive security
Defensive security
Tap a tile above to boot straight into that lab, or use this button to open the interactive picker. Sign in or pass the anonymous check above first. Sessions run ~10 minutes and are limited — signed-in files under ~/persist are restored on the next boot.
Lab Coach — explain what you observed
The Coach is a separate, one-shot Linux teacher — not Gatekeeper and not your terminal. It cannot see, control, or save anything in the box. It explains only what you paste, then offers one vetted local observation. Pasted text is never added to chat history; automatic redaction is best-effort, so never paste real keys, passwords, cookies, tokens, or private output.
The explanation is text only. The command below comes from this lab's reviewed course catalog, not from the model, and is never run automatically.
Next observation
The Coach removed or capped some pasted/model text. Check your local output before drawing conclusions.
Signed in — bring your own SSH client
Register a public key and I'll hand you a single-use command to
ssh
straight into a throwaway box from your terminal. The gateway lives on the isolated sandbox VM (never the main host), the box has
no network
, and the grant is single-use and expires in 15 minutes.
SSH uses a key pair: the
public
.pub
file is safe to register here; the matching
private
file stays on your computer and proves it is you. Never paste or upload the private half.
ssh -V
Run that in Terminal (macOS/Linux) or PowerShell (Windows). Current macOS, most Linux distributions, and current Windows releases include OpenSSH; if the command is missing, install the operating system's OpenSSH client before creating a grant.
macOS / Linux
ls -1 ~/.ssh/*.pub 2>/dev/null
cat ~/.ssh/id_ed25519.pub
Windows PowerShell
Get-ChildItem "$HOME\.ssh\*.pub"
Get-Content "$HOME\.ssh\id_ed25519.pub"
Copy the one-line output beginning with
ssh-ed25519
. If your key has another name, use that
.pub
path instead.
macOS / Linux
mkdir -p ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t ed25519 -f ~/.ssh/joshsisto_sandbox_ed25519 -C "joshsisto sandbox"
cat ~/.ssh/joshsisto_sandbox_ed25519.pub
Windows PowerShell
New-Item -ItemType Directory -Force "$HOME\.ssh" | Out-Null
ssh-keygen -t ed25519 -f "$HOME\.ssh\joshsisto_sandbox_ed25519" -C "joshsisto sandbox"
Get-Content "$HOME\.ssh\joshsisto_sandbox_ed25519.pub"
ssh-keygen
asks for a passphrase and will warn before overwriting an existing file. Paste only the final
.pub
output here; connect with
-i
and the private path shown before
.pub
.
--network none
box.
exit
ends and destroys the box. The grant expires after 15 minutes even if unused; revoke an active grant below if you change your mind.
Expected gateway ED25519 host-key fingerprint:
SHA256:LWLL99zpVz3As7uQLXJx4hYAz3orPTELCZIfsvwLayQ
. On the first connection, continue only if SSH shows this exact fingerprint; stop if it differs.
Save this unencrypted, disposable
private
key (it never left your browser), then use it with
-i
. Delete the downloaded file after the lab.
Open Terminal or PowerShell, move into your Downloads folder, then run the command for your computer.
chmod 600
keeps OpenSSH from rejecting an overly-readable private key on macOS/Linux.
macOS / Linux
cd ~/Downloads
chmod 600 joshsisto_sandbox_ed25519
ssh -i ./joshsisto_sandbox_ed25519 -p 32115 [email protected]
Windows PowerShell
cd "$HOME\Downloads"
ssh -i .\joshsisto_sandbox_ed25519 -p 32115 [email protected]
-i
selects the private key,
-p 32115
selects the sandbox gateway's custom port, and
box
is the fixed disposable-box username. On the first connection, compare the host-key fingerprint with the published value in “How the one-time grant works” above before accepting it.
Your one-time command (expires soon):
Live tool — try it on your own domain
Type any public domain and I'll run a read-only external audit — DNSSEC, SPF/DMARC/CAA, TLS version and certificate, and HTTP security headers — then grade it. The scanner is deliberately hardened against SSRF: it refuses IP literals, internal names, and any domain that resolves to a private or reserved address.
Your saved audits
Blue-team drill
One call per email — legit or phish? You get the sender, the domain, and the Authentication-Results (SPF/DKIM/DMARC): the same signals
email_posture
checks. It all runs in your browser.
Don't trust — verify
Josh's published cryptographic identity, this domain's independently-verifiable posture, and how the whole pipeline is fenced in.
Defense in depth
Every request crosses the same walls, in order. The model never touches the network directly — it can only ask the server to run a fixed, validated set of read-only tools, and a container escape lands on a throwaway box with no route anywhere.
The chat, gated end to end
The throwaway box, on a capability bus
Same idea in both lanes: the untrusted side (your browser, or a hostile container) can only reach a narrow, validated door — never the model, the LAN, or Josh's origin directly.
Don't trust — verify
Every line here is observable from the open internet — run the commands and check for yourself.
Signed with algorithm 13 (ECDSA P-256); public resolvers return the Authenticated-Data flag.
dig +dnssec joshsisto.com
TLS 1.0/1.1 refused, X25519 forward secrecy, HSTS for two years including subdomains.
nmap --script ssl-enum-ciphers -p443 joshsisto.com
CSP default-src 'none', nosniff, SAMEORIGIN, and a denied Permissions-Policy.
curl -sI https://joshsisto.com
SPF and DMARC (p=quarantine) published, CAA restricts issuers, mail on ProtonMail.
dig TXT _dmarc.joshsisto.com +short
A PGP-clear-signed security.txt and published SSH keys verify my signed files and commits.
ssh-keygen -Y verify -f allowed_signers
This page runs zero inline JavaScript and zero inline CSS — its CSP script-src and style-src both drop 'unsafe-inline'.
curl -sI https://joshsisto.com | grep -i content-security
Served through Cloudflare's global edge — DDoS absorption, TLS, and DNSSEC-signed DNS in front of a hardened origin the internet never touches directly.
curl -sI https://joshsisto.com | grep -i cf-ray
Behavioral detection auto-bans hostile IPs at the host; the masked tally (scenarios, countries, networks — no IPs) is published live on this page.
curl -s https://joshsisto.com/attack-stats.json
Don't take a chatbot's word for it — here's my published cryptographic identity, all in one place.
294C DF7C 8D18 ABDD 5B8A 0DAA 8CDB 89F8 30BC 60EA
A fingerprint is a short hash of my public key. If a key shows this fingerprint everywhere you look, it's mine.
Don't take my word for any of it — prove it live. The panel below runs five independent checks in your browser against this key, then turns the same lens on you.
Prove it's really me — five waysEncrypted in your browser with my PGP key — the plaintext never leaves this page. Send the ciphertext straight to me (my server relays it without ever being able to read it), or copy it into your own email.
Full-circle identity proof
Every check runs in your browser against my published PGP key — nothing to install, nothing trusted on my word. Work down the list; each one should land on the same fingerprint.
294C DF7C 8D18 ABDD 5B8A 0DAA 8CDB 89F8 30BC 60EA
A short statement I signed with my private key. If it verifies against my public key, only my key could have produced it — and not one byte changed.
This fetches the real /security.txt (RFC 9116, PGP-clear-signed) and verifies its signature here — proof the file served right now is mine and unaltered.
The Web Key Directory standard lets anyone find my key straight from my address — exactly what gpg --locate-keys [email protected] does. It pulls the key from /.well-known/openpgpkey and checks the fingerprint.
This reads the key from pgp.txt, computes its fingerprint in your browser, and confirms it matches the one printed above and the key WKD returned. One key, everywhere you look.
Don't just trust checks hosted on my page. These read the same key from services I don't run — open either and confirm the fingerprint yourself.
Full circle
You just verified me. The Gatekeeper can run that same published-key discovery on any domain — point pgp_check at yours and watch it do to you what you just did to me.
Live deflection wall
Real, aggregate telemetry from this host's CrowdSec + fail2ban stack over a rolling 7-day window — masked to counts only, never an IP address.
Top attack types
Top source countries
Top source networks
Learn by doing
Generate keys, sign and verify, encrypt and decrypt — all in your browser. Nothing is uploaded.
Verify my signature, then learn how it works by doing it — keys are generated and used entirely in your browser. Nothing is uploaded.
A keypair is a public key you hand out and a private key you guard. The public key locks (encrypts) and checks signatures ; the private key unlocks (decrypts) and signs . Try each piece below.
The very key the encrypt box above uses. A fingerprint is a short hash of a public key — compare it across sources (this page, my pgp.txt , a keyserver) to be sure a key is really mine.
Paste a PGP clear-signed message — if it checks out, the signer's private key made it and not one byte changed. Hit the button for a statement I signed with my key (proof it's really me), or verify one you make in steps 3–4.
Generated in your browser — nothing leaves this page. This is a throwaway demo key for learning, not your real identity; for keys you'll actually rely on, make them offline in GnuPG. Guard the private key and its passphrase; the public key is yours to share.
Sign with your private key; anyone verifies with your public key. (Generate a keypair in step 3 first.)
Encrypt to your public key, then decrypt with your private key + passphrase. This is exactly what the “Send an encrypted message” box does with my key — only the private key can open it.