From 65957eef59f99f34c12b6eda0f5dd7225de14c9c Mon Sep 17 00:00:00 2001
From: Jason Grey <jason@jason-grey.com>
Date: Wed, 13 May 2026 18:50:37 -0500
Subject: [PATCH] fix: anchor extension badges inside signed-section, not the
 viewport
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The site wraps only the article body in <signed-section> (it opens
after the page <h1> and closes before </article>), so the wrap is
already correct. But the browser extension positions its verification
badge with `position: absolute; top: -10px; right: 10px;` relative to
the nearest positioned ancestor. The <signed-section> only had
`style="display: block;"` inline, so the badge bubbled up the
ancestor tree to the viewport — appearing 10px below the top of the
*document*, off-screen once the user scrolled into the article.

Overrides the htmltrust-hugo module's partial to add
`position: relative;` to the inline style on the emitted
<signed-section>. With that, the absolutely-positioned badge anchors
to the top-right of the signed article body, where it's actually
visible.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../_partials/htmltrust-signed-section.html   | 49 +++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 layouts/_partials/htmltrust-signed-section.html

diff --git a/layouts/_partials/htmltrust-signed-section.html b/layouts/_partials/htmltrust-signed-section.html
new file mode 100644
index 0000000..26289ac
--- /dev/null
+++ b/layouts/_partials/htmltrust-signed-section.html
@@ -0,0 +1,49 @@
+{{- /*
+htmltrust-signed-section.html — wraps .Content in a <signed-section> placeholder.
+
+Spec-conformant cryptographic signing (content-hash + signature) is NOT performed
+in this template. Hugo cannot do NFKC normalization or Ed25519 signing. This
+partial emits a structural placeholder; the companion `htmltrust-sign` CLI fills
+in the four required attributes (content-hash, signature, keyid, algorithm)
+after `hugo build`.
+
+Opt in per-page via frontmatter:
+
+  htmltrust:
+    sign: true
+    claims:
+      ContentType: "Article"
+      License: "CC-BY-4.0"
+
+Site-level defaults (config.toml):
+
+  [params.htmltrust]
+    keyid     = "did:web:example.com"
+    algorithm = "ed25519"
+*/ -}}
+{{- if and .Params.htmltrust .Params.htmltrust.sign -}}
+{{- $st := .Site.Params.htmltrust | default dict -}}
+{{- $keyid := .Params.htmltrust.keyid | default $st.keyid | default "" -}}
+{{- $algo := .Params.htmltrust.algorithm | default $st.algorithm | default "ed25519" -}}
+{{- $author := .Params.author | default .Site.Params.author | default "" -}}
+{{- $signedAt := "" -}}
+{{- if not .Date.IsZero -}}
+  {{- $signedAt = .Date.Format "2006-01-02T15:04:05Z07:00" -}}
+{{- end -}}
+<signed-section content-hash="" signature="" keyid="{{ $keyid }}" algorithm="{{ $algo }}" data-htmltrust-placeholder="true" style="display: block; position: relative;">
+{{- with $author }}
+  <meta name="author" content="{{ . }}">
+{{- end }}
+{{- with $signedAt }}
+  <meta name="signed-at" content="{{ . }}">
+{{- end }}
+{{- with .Params.htmltrust.claims }}
+{{- range $key, $value := . }}
+  <meta name="claim:{{ $key }}" content="{{ $value }}">
+{{- end }}
+{{- end }}
+{{ .Content }}
+</signed-section>
+{{- else -}}
+{{ .Content }}
+{{- end -}}