{
  "evidence_version": 1,
  "domain": "socialmedia2.com",
  "gate": "H2",
  "hosted_ci": false,
  "no_paid_operations": true,
  "pages_project": "polis-socialmedia2",
  "repository": "https://github.com/ChrisRoyse/Polis",
  "review_packet": "https://socialmedia2.com/review/pentest-request.json",
  "secret_values_public": false,
  "source_deployment_manifest": "deploy/socialmedia2.com/cloudflare-pages.json",
  "test_constraints": {
    "allowed_without_prior_coordination": [
      "static content review",
      "non-destructive GET and HEAD requests",
      "signed Stripe webhook verification using reviewer-provided test payloads",
      "repository source review"
    ],
    "coordination_addresses": [
      "security@socialmedia2.com",
      "review@socialmedia2.com"
    ],
    "forbidden_without_written_approval": [
      "live customer charges",
      "destructive payloads",
      "denial-of-service testing",
      "credential stuffing",
      "social engineering",
      "paid Cloudflare or Stripe operations"
    ]
  },
  "routes": [
    {
      "path": "/",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "static landing page",
      "citizen_data": false
    },
    {
      "path": "/pilot/",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "pilot intake handoff page",
      "citizen_data": false
    },
    {
      "path": "/review/",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "external review handoff page",
      "citizen_data": false
    },
    {
      "path": "/review/pentest-request.json",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "H2 independent pentest request packet",
      "citizen_data": false
    },
    {
      "path": "/review/legal-review-request.json",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "X4 independent legal-review request packet",
      "citizen_data": false
    },
    {
      "path": "/review/attack-surface.json",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "H2 route-level attack-surface packet",
      "citizen_data": false
    },
    {
      "path": "/status/",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "public non-secret BUILD_DONE status page",
      "citizen_data": false
    },
    {
      "path": "/status/build-done-blockers.json",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "public non-secret blocker manifest",
      "citizen_data": false
    },
    {
      "path": "/observability/",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "citizen-data-free observability dashboard",
      "citizen_data": false
    },
    {
      "path": "/observability/metrics.json",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "aggregate metrics JSON",
      "citizen_data": false
    },
    {
      "path": "/observability/structured-logs.jsonl",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "sample structured logs",
      "citizen_data": false
    },
    {
      "path": "/observability/audit-log.jsonl",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "sample append-only audit log",
      "citizen_data": false
    },
    {
      "path": "/.well-known/security.txt",
      "methods": [
        "GET",
        "HEAD"
      ],
      "surface": "security contact policy",
      "citizen_data": false
    },
    {
      "path": "/api/stripe/webhook",
      "methods": [
        "POST"
      ],
      "surface": "Cloudflare Pages Function for Stripe webhook signature verification",
      "citizen_data": false,
      "requires_valid_signature": true,
      "secrets_store": "infisical:/polis/socialmedia2_com"
    }
  ]
}