Initial commit: Brass & Sigil monorepo

Self-hosted Minecraft modpack distribution + administration system.

- launcher/  Avalonia 12 desktop client; single-file win-x64 publish.
             Microsoft auth via XboxAuthNet, manifest+SHA-1 mod sync,
             portable install path, sidecar settings.
- server/    brass-sigil-server daemon (.NET 8, linux-x64). Wraps the
             MC subprocess, embedded Kestrel admin panel with cookie
             auth + rate limiting, RCON bridge, scheduled backups,
             BlueMap CLI integration with player markers + skin proxy,
             friend-side whitelist request flow, world wipe with seed
             selection (keep current / random / custom).
- pack/      pack.lock.json (Modrinth + manual CurseForge entries),
             data-only tweak source under tweaks/, build outputs in
             overrides/ (gitignored).
- scripts/   Build-Pack / Build-Tweaks / Update-Pack / Check-Updates
             plus Deploy-Brass.ps1 unified one-shot deploy with
             version-bump pre-flight and daemon-state detection.

server/deploy/Caddyfile

@@ -0,0 +1,50 @@
+# Caddyfile for the brass-sigil-server web panel.
+#
+# Caddy auto-fetches and renews a Let's Encrypt cert for your domain,
+# so HTTPS just works once DNS is pointed at the server and ports 80 + 443
+# are open.
+#
+# Prereqs:
+#   1. A domain name (e.g. panel.example.com) with an A/AAAA record pointing
+#      at this server's public IP. Let's Encrypt does NOT issue certs for
+#      raw IPs -- you need a hostname.
+#   2. Inbound 80 (for the HTTP-01 ACME challenge) and 443 (for the panel)
+#      open in your firewall and in any cloud security group.
+#   3. Caddy installed:
+#        sudo apt install caddy            # Debian / Ubuntu
+#        brew install caddy                # macOS
+#        winget install CaddyServer.Caddy  # Windows
+#   4. brass-sigil-server running on localhost:8080 with webHost: localhost
+#      and webPassword set (use `brass-sigil-server set-password` if you
+#      haven't already).
+#
+# Install:
+#   Linux package: replace /etc/caddy/Caddyfile with this file, then
+#     sudo systemctl reload caddy
+#   Manual:        caddy run --config Caddyfile
+
+panel.example.com {
+    encode gzip
+
+    reverse_proxy localhost:8080 {
+        # SSE log stream uses chunked streaming responses -- Caddy must not
+        # buffer them, otherwise console updates arrive in batches every minute
+        # instead of in real time.
+        flush_interval -1
+
+        # Pass the real client IP through. brass-sigil-server's ForwardedHeaders
+        # middleware honours this so the per-IP login rate limit partitions
+        # correctly (10 attempts / minute / IP).
+        header_up X-Forwarded-For {remote_host}
+        header_up X-Real-IP       {remote_host}
+    }
+
+    # Sensible hardening defaults.
+    header {
+        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        X-Content-Type-Options    "nosniff"
+        X-Frame-Options           "DENY"
+        Referrer-Policy           "strict-origin-when-cross-origin"
+        -Server
+    }
+}