Security and rollback

Security, validation and rollback are product features, not afterthoughts.

The product portal can be public. Operator, customer and control-plane authority cannot. Every later live effect must pass doctrine, scope, validation and rollback checks before it is considered safe.

Public routes stay separated from protected routesobserve_only is the default fallback when certainty is missingRollback criteria are required before later live action

Read the operating doctrine Check support and escalation entry

Reference Modeobserve_only

Portal Gateapproval_required

Homepage Status200

Response Time236.9 ms

HTML Size183,759 bytes

Sitemap Status200

Guardrails

The doctrine limits autonomy to safe, validated and reversible behavior

Autonomy is allowed only inside a defensive operating model. Protected routes stay closed, external writes require approval, and undefined scope is treated as a reason to fall back, not to guess.

No public operator or license endpoints
No unclear multi-domain action paths
No removal of rollback or validation requirements through licensing

Validation

Before-state, after-state and neighboring signals must agree

The system uses before-state evidence, primary metrics, neighboring signals, abort criteria and observation windows to decide whether a later pilot is healthy or requires rollback.

The current reference run already demonstrates the read-only baseline: status 200, response 236.9 ms, HTML 183,759 bytes, sitemap 200.

Immediate check plus 1d and 7d follow-up windows
Rollback required if primary metrics degrade or side effects grow
Learning engine records both wins and failed assumptions

Protected surface

What stays public and what must stay protected

Public content may include product pages, gated download explanations, support entry and documentation entry pages. Operator, customer, license and protected download paths remain blocked or non-public.

Public: product pages, docs entry, support, robots, sitemap, health
Protected: operator, admin, control-plane, customer and private download routes
Local operator console stays separate and localhost-only

FAQ

Frequently asked questions

Can a license override security limits or rollback rules?

No. Licensing can enable eligibility, but it cannot remove doctrine, validation or rollback guardrails.

What happens when source ownership or scope is unclear?

The system falls back to observe_only, blueprint_ready or approval_required instead of applying uncertain changes.

Are protected routes being opened by this public portal?

No. Route separation remains strict and protected prefixes stay blocked.

Next step

Security should accelerate trust, not slow product clarity

Continue into the plugin model to see how safe_mode, conflict checks and coexistence logic work together.

Open the plugin page Review gated access