Add Preclude endpoint spoofing checklist documentation #1

Draft
Copilot wants to merge 2 commits into dev from copilot/update-keyboard-functionality

Copilot AI commented Feb 1, 2026

Adds a concise, scannable write-up of the requested “preclude malice” controls covering endpoint spoofing prevention and the PrecludeSWITCH baseline so the guidance is discoverable and actionable.

  • Documentation
    • Introduce doc/preclude.md with the full Layer 2–7 hardening checklist, monitoring guidance, and the PrecludeSWITCH quick baseline.
  • Discoverability
    • Link the new checklist from the README’s top navigation.

Example excerpt:

## “PrecludeSWITCH” quick baseline checklist
- Access ports: **802.1X**, **port-security**, **bpduguard**, **storm-control**
- Global: **dhcp snooping**, **DAI**, **ip source guard**
- Uplinks/trunks: only these are **trusted** for DHCP snooping; restrict allowed VLANs; lock trunking (no DTP)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • dl.google.com
    • Triggering command: /usr/lib/jvm/temurin-17-jdk-amd64/bin/java /usr/lib/jvm/temurin-17-jdk-amd64/bin/java --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.prefs/java.util.prefs=ALL-UNNAMED --add-opens=java.base/java.nio.charset=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.base/java.util.concurrent.atomic=ALL-UNNAMED --add-opens=java.xml/javax.xml.namespace=ALL-UNNAMED --add-opens=java.base/java.time=ALL-UNNAMED --add-opens jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED -Xmx2048M -Dfile.encoding=UTF-8 -Duser.country (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

https://docs.keymapper.club/, I want you to create the best keyboard function and update this with many features that only.preclude malice https://apt.izzysoft.de/fdroid/?

## Preclude endpoint spoofing (host/IP/MAC/DNS) + “precludeSWITCH” (switch-level abuse)

1) Lock identity at Layer 2 (on the switch)

  • Enable DHCP Snooping (trust only uplinks to your DHCP server)
  • Enable Dynamic ARP Inspection (DAI) (requires DHCP snooping bindings)
  • Enable IP Source Guard (blocks IP/MAC spoofing per port)
  • Enable Port Security (limit MAC addresses per access port; sticky MAC if appropriate)
  • Disable unused ports + put them in a dead VLAN
  • BPDU Guard + Root Guard on access ports (prevents rogue switch/bridge insertion)
  • Storm control (limits broadcast/multicast floods)

2) Stop rogue routing / gateway spoof

  • Block/guard rogue DHCP: DHCP snooping + “DHCP guard” where available
  • Gateway ARP protection: DAI + static ARP for critical infrastructure (optional)
  • Router Advertisement (IPv6) guard if you use IPv6 (prevents rogue RA)

3) Prevent name/service spoofing (Layer 7)

  • DNS security
    • Force clients to use only your resolvers (firewall: block outbound 53/853 except to approved DNS)
    • Use DoT/DoH policy via managed endpoints, or explicitly disable unmanaged DoH
    • Turn on DNSSEC validation at your resolver
  • TLS & service identity
    • Prefer mTLS for internal services (client + server certs)
    • Use certificate pinning where feasible (apps/agents)
    • Enforce HSTS and modern TLS policies

4) Harden endpoints so spoof attempts don’t succeed

  • 802.1X (wired + Wi‑Fi) with NAC posture checks (best control against “plug in anything”)
  • EDR + host firewall: block lateral movement (SMB/RDP/WinRM) by default
  • Disable LLMNR/NBNS/mDNS where not needed (common local spoof vectors)
  • Patch + remove local admin; credential guard / LSASS protection on Windows

5) Monitoring & rapid containment

  • Alerts for: new MAC on port, MAC flaps, new DHCP server, ARP anomalies, duplicate IP
  • NetFlow/sFlow + switch syslog to SIEM
  • Automated response: quarantine VLAN / port shutdown on high-confidence events

“PrecludeSWITCH” quick baseline checklist (most environments)

  • Access ports: 802.1X, port-security, bpduguard, storm-control
  • Global: dhcp snooping, DAI, ip source guard
  • Uplinks/trunks: only these are trusted for DHCP snooping; restrict allowed VLANs; lock trunking (no DTP)

I can make this exact

Tell me:

  1. Switch vendor/model (Cisco/Aruba/UniFi/Juniper/etc.)
  2. Do you run IPv6?
  3. DHCP server location (on-prem router, Windows DHCP, firewall, cloud)
  4. How users connect (wired, Wi‑Fi, both)

…and I’ll give you the precise configuration steps/commands for your platform.
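
The PrecludeSWITCH baseline in the checklist above can be checked mechanically against a switch configuration. The following is an added example, not part of the PR or of Copilot's comment; it assumes Cisco IOS-style syntax (the thread names no vendor), and the sample config, the rule tables and the `audit` function are constructed for illustration.

```python
import re

# Constructed Cisco IOS-style sample (not from the PR); Gi1/0/2 and the trunk are weak.
SAMPLE = """\
ip dhcp snooping
ip arp inspection vlan 10
interface Gi1/0/1
 switchport mode access
 authentication port-control auto
 switchport port-security
 spanning-tree bpduguard enable
 storm-control broadcast level 1.00
 ip verify source
interface Gi1/0/2
 switchport mode access
 switchport port-security
interface Gi1/0/48
 switchport mode trunk
 ip dhcp snooping trust
"""
GLOBAL = {"dhcp snooping": r"^ip dhcp snooping$", "DAI": r"^ip arp inspection vlan "}
# On IOS, IP source guard is enabled per interface, so it is checked on each access port.
ACCESS = {"802.1X": r"^authentication port-control auto",
          "port-security": r"^switchport port-security$",
          "bpduguard": r"^spanning-tree bpduguard enable",
          "storm-control": r"^storm-control ",
          "ip source guard": r"^ip verify source"}
TRUNK = {"no DTP": r"^switchport nonegotiate",
         "allowed VLANs": r"^switchport trunk allowed vlan "}

def has(lines, pattern):
    return any(re.search(pattern, line) for line in lines)

def audit(config):
    """Return {scope: [missing baseline controls]}; ports without a mode count as access."""
    glob, ports, cur = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ports[cur] = []
        elif line.startswith(" ") and cur:
            ports[cur].append(line.strip())
        elif line.strip():
            cur = None
            glob.append(line.strip())
    findings = {"global": [n for n, p in GLOBAL.items() if not has(glob, p)]}
    for port, lines in ports.items():
        rules = TRUNK if has(lines, r"^switchport mode trunk") else ACCESS
        findings[port] = [n for n, p in rules.items() if not has(lines, p)]
        if rules is ACCESS and has(lines, r"^ip dhcp snooping trust"):
            findings[port].append("DHCP-snooping trust on access port")
    return {scope: miss for scope, miss in findings.items() if miss}
```

`audit(SAMPLE)` reports the under-protected access port and the trunk that still negotiates DTP and carries all VLANs; the fully configured port Gi1/0/1 produces no finding.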



@montinode
Owner

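AntiReverss

```js
// Setup added so the route runs stand-alone; the environment variable names are assumptions.
const express = require("express");
const stytch = require("stytch");

const app = express();
const stytchClient = new stytch.B2BClient({
  project_id: process.env.STYTCH_PROJECT_ID,
  secret: process.env.STYTCH_SECRET,
});

// Redirect target of a Stytch discovery magic link: validates the query
// parameters, then exchanges the one-time token with Stytch.
app.get("/authenticate", async (req, res) => {
  try {
    const token = req.query.token;
    const tokenType = req.query.stytch_token_type;

    // Reject missing tokens and non-string values (e.g. ?token[]=a parses to an array).
    if (!token || typeof token !== "string") {
      return res.status(400).json({ error: "Missing or invalid token" });
    }

    // Handle Discovery authentication.
    if (tokenType !== "discovery") {
      // JSON.stringify keeps request-controlled newlines out of the log line.
      console.error("Unrecognized token type:", JSON.stringify(tokenType));
      return res.status(400).json({ error: "Unrecognized token type" });
    }

    const authResp = await stytchClient.magicLinks.discovery.authenticate({
      discovery_magic_links_token: token,
    });

    // Stytch's Node SDK typically throws on non-2xx, but keep this if you want:
    if (authResp.status_code !== 200) {
      console.error("Authentication error", authResp);
      return res.status(502).json({ error: "Stytch authentication failed" });
    }

    // TODO: create your session / set cookie / redirect, etc.
    return res.status(200).json({
      ok: true,
      // e.g. discovery_intermediate_session_token: authResp.discovery_intermediate_session_token
    });
  } catch (err) {
    // Log the detail server-side; return only a generic error to the client.
    console.error("Authenticate route error:", err);
    return res.status(500).json({ error: "Internal server error" });
  }
});
```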

@montinode
Owner

@AIAttorneyMode Create Countersurveillance

Co-authored-by: montinode <258148236+montinode@users.noreply.github.com>
Copilot AI changed the title [WIP] Update keyboard function to implement security features Add Preclude endpoint spoofing checklist documentation Feb 1, 2026
Copilot AI requested a review from montinode February 1, 2026 03:44
Owner

@montinode montinode left a comment

𝖬𝖮𝖭𝖳𝖨𝖠𝖨
