{"schema_version":"1.0","service":"platphorm-evals","auth":{"sharedKeyName":"PLATPHORM_API_KEY","acceptedHeaders":["Authorization: Bearer $PLATPHORM_API_KEY","X-PlatPhorm-API-Key: $PLATPHORM_API_KEY"]},"publicAccess":{"enabled":true,"corsAllowedOrigins":["*"],"scope":"All public-safe read, discovery, dashboard, documentation, registry summary, health, feed, sitemap, OpenAPI, llms, MCP descriptor, and trust-policy surfaces are intentionally public."},"publicReadAccess":["all public-safe GET routes","dashboard summaries","health summaries","discovery files","MCP descriptor","registry services","documentation","feed and sitemap outputs"],"protectedActions":["registry sync","target imports","eval suite creation","eval run triggers","grader creation","release gate creation","regression creation","artifact publishing"],"trustedDomains":["platphormnews.com","*.platphormnews.com"],"dataExposureBoundaries":{"public":"read-only operational summaries, persisted eval summaries, registry summaries, docs, and discovery metadata","protected":"mutation actions and detailed operator workflows","secrets":"PLATPHORM_API_KEY is never returned in responses, discovery files, logs, traces, or screenshots","ja4Digest":"raw x-vercel-ja4-digest is fingerprint-adjacent metadata and is hashed or redacted before public display"},"policy":"Web dashboard, public-safe discovery, browser-based operations, trusted-domain discovery, standard route compliance, Vercel metadata capture, trace inspection, and agentic workflow discovery are intentionally supported for public read-only debugging and operator workflows. Mutating, administrative, ingestion, replay, fork, remediation, deployment, sync, test-triggering, reporting, and write actions require PLATPHORM_API_KEY.","provenancePolicy":"PlatPhorm Evals distinguishes public evaluation evidence fingerprints from user, browser, device, visitor, behavioral, request-header, and private workflow fingerprints. Public artifact fingerprints may be used for provenance and contract anchoring; visitor, browser, device, behavioral, request-header, IP, raw JA4, raw x-vercel-ja4-digest, session, private logs, private artifacts, protected run payloads, provider tokens, and private model-grade prompts are not public provenance and are never contract-anchor eligible.","agentVerificationPolicy":"Agents may read public Evals suites, public runs, public scorecards, public findings, Web4 status, provenance, route evidence, scorecards, and trust surfaces, but must not treat queued, running, missing, pending, failed, degraded, revoked, superseded, private, or protected evidence as verified."}