diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..b236b48
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,4 @@
+## 2024-05-24 - [Nginx Hardcoded Secret in Query Parameter]
+**Vulnerability:** A hardcoded secret token (`xrpc-9f8e7d6c5b4a`) was used to bypass an Nginx block for the `/xmlrpc.php` endpoint via an `$arg_token` check.
+**Learning:** Checking query parameters (`$arg_`) for authentication in Nginx exposes secrets in access logs and is a bad security pattern.
+**Prevention:** Unconditionally block potentially dangerous endpoints or implement proper upstream authentication. Never use hardcoded secrets in Nginx configuration files.
\ No newline at end of file
diff --git a/developer/Dockerfile b/developer/Dockerfile
index fa730aa..f189caa 100644
--- a/developer/Dockerfile
+++ b/developer/Dockerfile
@@ -106,7 +106,7 @@ RUN composer global config allow-plugins.pestphp/pest-plugin true && \
     laravel/pint:^1.0
 
 # FrankenPHP (static binary)
-RUN curl -fsSL "https://github.com/dunglas/frankenphp/releases/latest/download/frankenphp-linux-$(uname -m | sed 's/aarch64/arm64/' | sed 's/x86_64/x86_64/')" -o /usr/local/bin/frankenphp && \
+RUN curl -fsSL "https://github.com/dunglas/frankenphp/releases/latest/download/frankenphp-linux-$(uname -m)" -o /usr/local/bin/frankenphp && \
     chmod +x /usr/local/bin/frankenphp
 
 # ============================================================
diff --git a/server-php/config/conf.d/wordpress.conf b/server-php/config/conf.d/wordpress.conf
index 911ff19..efafd26 100644
--- a/server-php/config/conf.d/wordpress.conf
+++ b/server-php/config/conf.d/wordpress.conf
@@ -105,28 +105,11 @@ server {
         access_log off;
     }
 
-    # Block XML-RPC by default, allow with secret token
-    # Usage: /xmlrpc.php?token=YOUR_XMLRPC_TOKEN
+    # Block XML-RPC unconditionally
     location = /xmlrpc.php {
-        set $xmlrpc_allowed 0;
-
-        # Allow if valid token provided (set in environment or change here)
-        if ($arg_token = "xrpc-9f8e7d6c5b4a") {
-            set $xmlrpc_allowed 1;
-        }
-
-        # Block if no valid token
-        if ($xmlrpc_allowed = 0) {
-            return 403;
-        }
-
-        # Pass to PHP if allowed
-        try_files $uri =404;
-        fastcgi_split_path_info ^(.+\.php)(/.+)$;
-        fastcgi_pass unix:/run/php-fpm.sock;
-        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-        fastcgi_index index.php;
-        include fastcgi_params;
+        deny all;
+        access_log off;
+        log_not_found off;
     }
 
     # Deny access to hidden files