{"schema_version":"1.0","service":"platphorm-sandbox","baseUrl":"https://sandbox.platphormnews.com","policy":"Web sandbox exploration, public-safe dry-run planning, public-safe template discovery, browser-based local drafts, validation, trusted-domain discovery, standard route compliance, Vercel metadata capture, trace-linked public evidence, and MCP/API test discovery are intentionally supported for public read-only debugging and operator workflows. Provider-backed sandbox creation, command execution, file reads and writes, snapshots, publishing, global policy changes, provider credential changes, unbounded compute, raw audit export, registry mutation, deployment mutation, and sensitive administrative actions require PLATPHORM_API_KEY.","auth":{"platformKey":"PLATPHORM_API_KEY","acceptedHeaders":["Authorization: Bearer $PLATPHORM_API_KEY","X-PlatPhorm-API-Key: $PLATPHORM_API_KEY"]},"publicReadOnlyAccess":["landing page","public templates","public dry-run planning","browser-local draft workspaces","local validation","public-safe command logs","public-safe sandbox run summaries","public docs","discovery files","health summaries","route compliance summaries","read-only MCP introspection","RSS/feed/sitemap outputs"],"protectedActions":["provider-backed sandbox creation","provider command execution","provider file reads and writes","provider snapshots","global sandbox policy mutation","provider credential changes","unbounded command execution","raw audit export","cross-user sandbox access","destructive provider actions outside the session sandbox","registry mutation","trusted-domain mutation","report publishing","sensitive audit details"],"localDraftPersistencePolicy":{"preferred":"IndexedDB","localStorage":"small UI preferences only","forbidden":["PLATPHORM_API_KEY","secrets","protected tool params","private API payloads","sensitive artifacts"]},"trustedDomainPolicy":{"allow":["platphormnews.com","*.platphormnews.com"],"block":["localhost","private IPs","link-local addresses","metadata service addresses"]},"routeStandard":["/api/health","/api/v1/health","/api/docs","/openapi.yaml","/asyncapi.yaml","/llms.txt","/llms-full.txt","/llms-index.json","/robots.txt","/sitemap.xml","/sitemap-index.xml","/rss.xml","/feed.xml","/manifest.webmanifest","/.well-known/web4.json","/.well-known/provenance.json","/.well-known/mcp.json","/.well-known/agents.json","/.well-known/agent-policy.json","/.well-known/ai-policy.json","/.well-known/ai-plugin.json","/.well-known/security.txt","/.well-known/trust.json","/api/mcp"],"vercelMetadataPolicy":"Only safe request/response metadata is captured; IPs are hashed and auth/cookies are never stored.","tracePropagationPolicy":"W3C traceparent and safe PlatPhorm trace headers are accepted and propagated on outbound calls.","xVercelJa4DigestPolicy":"Raw x-vercel-ja4-digest is fingerprint-adjacent metadata. It is hashed for public display and never emitted raw in public UI, RSS, sitemap, llms, OpenAPI examples, client logs, or public traces.","publicFingerprintPolicy":"PlatPhorm Sandbox distinguishes public execution evidence fingerprints from user, browser, device, visitor, behavioral, request-header, and private workflow fingerprints. Public artifact fingerprints may be used for provenance and contract anchoring; visitor, browser, device, raw JA4, raw x-vercel-ja4-digest, session, private log, private file, private artifact, provider token, and protected workflow fingerprints are never public provenance.","agentEvidencePolicy":"Agents may read public Sandbox templates, public runs, public artifacts, Web4 status, provenance, route evidence, scorecards, and trust surfaces. Agents must not treat queued, running, missing, pending, failed, degraded, revoked, superseded, private, or protected evidence as verified.","dataExposurePolicy":"Public views contain public-safe summaries only. Provider tokens, service keys, private command secrets, raw request metadata, and sensitive artifacts are never exposed publicly.","securityContact":"security@platphormnews.com","updatedAt":"2026-06-03T06:32:08.973Z"}