Public Pages
Homepage, CAPPS routes, Guardian Shield, Health Shield, Trust Scanner, reports, proof pages and selected public docs.
CAPPS Access Boundary
Only chosen public routes are open. Repo, source, private and admin paths stay closed.
This boundary separates the public CAPPS proof layer from repository files, deployment scripts, package metadata, validator code, private books, logs, admin APIs and source directories.
Boundary State
public bundle allowlist
repo path deny rules
live exposure validator
hardened headers
Allowed Surface
Public access is limited to intentional static routes and public-safe manifests.
Public Data
Aggregate-only JSON manifests that avoid child records, private identity records, private health records, contact data and raw messages.
Public APIs
Only explicitly routed public API endpoints are exposed, with size limits, JSON boundaries and sanitized responses where applicable.
Denied Surface
Repo and operator materials are not public website assets.
Repositorydotfiles, git metadata, GitHub workflows, package files and lockfiles return 404.
Sourcevalidators, scripts, service code, extension source, build files and deployment helpers return 404.
Privateprivate books, logs, environment files, key files and credential-bearing artifacts return 404.
AdminAdmin and operator routes remain outside the public static bundle unless deliberately authenticated.
Hardening Gates
Future deploys must prove the boundary before and after upload.
Local Bundle Check
Fails if denied files or source directories appear inside the public bundle.
Live Exposure Check
Fails if denied live paths return success instead of 404.
Security Headers
Public responses keep CSP, frame blocking, referrer blocking, nosniff, HSTS and permissions restrictions.
Chosen Access Only
Private access must be separately approved, authenticated, audited and kept out of public fallback routing.