{"ok":true,"data":{"service":"phorm","baseUrl":"https://phorm.platphormnews.com","trustedDomains":["platphormnews.com","*.platphormnews.com"],"auth":{"sharedKey":"PLATPHORM_API_KEY","acceptedHeaders":["Authorization: Bearer $PLATPHORM_API_KEY","X-PlatPhorm-API-Key: $PLATPHORM_API_KEY"]},"publicReadAccess":["editor shell","public templates","discovery files","health summaries","OpenAPI","RSS/Atom/sitemap","read-only MCP introspection"],"protectedActions":["server-side design persistence","generation runs","exports","screenshot capture","BrowserOps and Evals reviews","Docs/Sheets/Decks reporting","network sync","MCP tool calls"],"localDraftPersistencePolicy":"Browser storage is used only for non-sensitive local drafts, prompt drafts, theme settings, selected templates, local generation summaries, and UI preferences. PLATPHORM_API_KEY, private prompts, protected screenshots, private designs, brand secrets, and sensitive artifacts must not be stored in browser storage.","trustedDomainPolicy":"Trusted domains are discovered from https://platphormnews.com/api/network/graph and pending domains from https://base.platphormnews.com/sitemap-index.xml. localhost, private IPs, link-local hosts, and metadata services are blocked for discovery/proxy/replay tasks.","routeStandard":["/api/health","/api/v1/health","/api/docs","/openapi.json","/openapi.yaml","/llms.txt","/llms-full.txt","/llms-index.json","/robots.txt","/sitemap.xml","/sitemap-main.xml","/sitemap-index.xml","/rss.xml","/feed.xml","/manifest.webmanifest","/.well-known/mcp.json","/.well-known/agents.json","/.well-known/agent-policy.json","/.well-known/ai-policy.json","/.well-known/ai-plugin.json","/.well-known/security.txt","/.well-known/trust.json","/api/mcp"],"vercelMetadataPolicy":"Safe Vercel request metadata may be captured with IP-like values hashed or omitted. x-vercel-ja4-digest is fingerprint-adjacent metadata and is only exposed publicly as hashed/redacted policy state. Authorization, X-PlatPhorm-API-Key, cookies, session tokens, raw JA4 digest values, and request bodies are never public.","tracePropagationPolicy":"Phorm accepts and propagates W3C traceparent/tracestate plus safe X-PlatPhorm trace headers. Trace payloads redact prompts, private content, auth headers, cookies, tokens, secrets, and sensitive brand data.","designDataExposurePolicy":"Public discovery never includes private designs, private prompts, protected exports, private screenshots, or sensitive brand data.","securityContact":"security@platphormnews.com","policy":"Web dashboard, public-safe discovery, browser-based operations, trusted-domain discovery, standard route compliance, Vercel metadata capture, trace inspection, and agentic workflow discovery are intentionally supported for public read-only debugging and operator workflows. Mutating, administrative, ingestion, replay, fork, remediation, deployment, sync, test-triggering, reporting, and write actions require PLATPHORM_API_KEY."}}