Decision Model

This page explains execution behavior and safety boundaries. It describes system design, not legal guarantees.

Guard Chain (High Level)

  1. Validate request shape and apply rate limit controls.
  2. Confirm the target site exists and is active.
  3. Enforce origin checks before processing.
  4. Require DPA acceptance for service-provider enforcement posture.
  5. Apply the circuit-breaker check last, immediately before the final policy decision is written. Guard-denied evidence can be recorded only once the target site has been resolved in step 2, so denials from the origin, DPA and circuit guards are attributable to a site, while shape, rate-limit and not-found rejections are not.
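The ordered chain above, modelled as an added example (not the product's own code): the guard names, the sample site registry, the per-client rate-limit counter and the 403 message values other than `DPA_NOT_ACCEPTED` are assumptions; the response bodies follow the contract examples in the Proof Mode section, and evidence is only recorded for denials that occur after the site is resolved.

```javascript
// Added example: a minimal model of the ordered guard chain. All names, the
// sample site registry and the non-DPA 403 message values are assumptions,
// not the product's own code or identifiers.
const RATE_LIMIT = 3; // assumed: requests per client per window
const sites = {       // constructed sample registry keyed by domain
  "shop.example":   { active: true, dpaAccepted: true,  origin: "https://shop.example",   circuitOpen: false },
  "nodpa.example":  { active: true, dpaAccepted: false, origin: "https://nodpa.example",  circuitOpen: false },
  "paused.example": { active: true, dpaAccepted: true,  origin: "https://paused.example", circuitOpen: true },
};
const hits = new Map(); // per-client counters for the rate-limit guard
const evidence = [];    // guard-denied evidence; recordable only once a site is resolved

function deny(status, body, domain, guard) {
  if (domain) evidence.push({ domain, guard, status }); // steps 3-5 only: the site is known
  return { status, body };
}

function evaluate(req) {
  // 1. Request shape, then rate limit (no site yet, so nothing is recorded)
  if (!req.domain) return deny(400, { error: "Missing domain parameter" });
  const n = (hits.get(req.client) || 0) + 1;
  hits.set(req.client, n);
  if (n > RATE_LIMIT) return deny(429, { error: "Rate limit exceeded", code: "rate_limited", retry_after: 60 });
  // 2. Target site must exist
  const site = sites[req.domain];
  if (!site) return deny(404, { error: "Resource not found" });
  // 3. Origin lock, enforced before any processing (message value assumed)
  if (req.origin !== site.origin) return deny(403, { error: "compliance_halt", message: "ORIGIN_MISMATCH" }, req.domain, "origin");
  // 4. Active site with accepted DPA (SITE_INACTIVE is assumed; DPA_NOT_ACCEPTED is from the contract)
  if (!site.active) return deny(403, { error: "compliance_halt", message: "SITE_INACTIVE" }, req.domain, "active");
  if (!site.dpaAccepted) return deny(403, { error: "compliance_halt", message: "DPA_NOT_ACCEPTED" }, req.domain, "dpa");
  // 5. Circuit breaker, checked last before the policy decision is written
  if (site.circuitOpen) return deny(503, { error: "Service temporarily paused for this resource", code: "circuit_open", retry_after: 60 }, req.domain, "circuit");
  return { status: 200, body: { decision: "policy_written", domain: req.domain } }; // assumed success shape
}

function guardDeniedEvidence() { return evidence.slice(); }
```

Running the same request four times for one client trips the rate limit on the fourth call, and inspecting `guardDeniedEvidence()` shows that only the origin, DPA and circuit denials carry a site.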

Runtime Boundary Diagram

Public requests pass through ordered guards. Customer data flows through the user JWT path after Auth token validation.

[Diagram: Runtime Boundary]

  Public Request (Browser or Server) -> gpc-signal Guard Chain:
    1. Rate limit
    2. Resource exists
    3. Origin lock
    4. Active + DPA
    5. Circuit check
  Guard Chain -> Evidence Record (policy or guard-denied)
  customer-api: Auth token check -> Business Data (User JWT + RLS/RPC)

Dual-Client and RLS Boundary

In `customer-api`, service-role credentials are used only to validate the Supabase Auth token. Customer data operations run through the user JWT path with RLS enforcement, or through narrow `auth.uid()`-scoped database functions for internal-only evidence surfaces.

Learning Posture (Gated)

  • Autonomous apply remains disabled by default.
  • Regression checks are required before approval paths.
  • Operational rollout uses staged dry-run/canary controls.

Proof Mode: Response Contract Examples

Static, anonymized examples of common response families and what each indicates.

HTTP 400

Request is malformed or missing required inputs (for example, missing domain).

{
  "error": "Missing domain parameter"
}

HTTP 403

Request failed a compliance or origin gate and was blocked.

{
  "error": "compliance_halt",
  "message": "DPA_NOT_ACCEPTED"
}

HTTP 404

Target resource does not exist for the given domain or route.

{
  "error": "Resource not found"
}

HTTP 429

Rate limit gate rejected the request for abuse protection.

{
  "error": "Rate limit exceeded",
  "code": "rate_limited",
  "retry_after": 60
}

HTTP 503

Circuit breaker temporarily paused processing for safety and recovery.

{
  "error": "Service temporarily paused for this resource",
  "code": "circuit_open",
  "retry_after": 60
}