Colophon
How this site is built.
The publish boundary, practicing what it documents.
This site is the third boundary in the lab's three-boundary model: it publishes a redacted projection of the infrastructure that anyone can read, without exposing anything the other two boundaries guard. That is not just a design goal. It is enforced at build time, in two independent steps that must both pass before a build can ship.
Built on its own principles
The physical-layer data visible in the interactive explorer originates in the same inventory.yaml that serves as the single source of truth in the Describe boundary. It never crosses the boundary raw. An allowlist projection runs first, emitting only the fields explicitly marked as publishable. Everything else defaults to private. The projection is fail-closed: an untagged field does not appear in the output; it is absent.
The tripwire
An independent scan then runs over the compiled output looking for anything secret-shaped: IP addresses, credential-like strings, host-specific identifiers. If it finds a match, the build exits non-zero and the site does not ship. This is not documentation of intent — it is a hard gate. The tripwire runs after the allowlist projection, so even a bug in the projection cannot silently produce a clean build. Both checks must pass. See Publish for the full boundary design.
The public build never receives inventory.yaml directly. By the time the Astro compiler sees any lab data, it is pre-sanitized JSON that has already cleared the allowlist projection and the tripwire. There is no code path in this site that reads the source file.
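The two build-time gates described above, as an added sketch that is not this site's own build code. The publish: true tag shape, the function names and the tripwire patterns are assumptions, and the inventory is constructed sample data with one field mis-tagged on purpose.

```javascript
// Added illustration; tag schema, names and patterns are assumptions.
// Constructed sample standing in for a parsed inventory.yaml.
const inventory = {
  hosts: [
    {
      role: { value: "hypervisor", publish: true },
      rack_unit: { value: 12, publish: true },
      hostname: "hv01.lab.internal",      // untagged: private by default
      mgmt_ip: { value: "10.0.40.11" },   // no publish flag: private
      notes: { value: "reach via 10.0.40.11", publish: true }, // mis-tagged on purpose
    },
  ],
};

// Fail-closed projection: a field is emitted only if it carries publish === true.
function project(node) {
  if (Array.isArray(node)) return node.map(project);
  const out = {};
  for (const [key, field] of Object.entries(node)) {
    if (Array.isArray(field)) out[key] = project(field);
    else if (field !== null && typeof field === "object" && field.publish === true)
      out[key] = field.value;
    // anything else is absent from the output, not blanked or masked
  }
  return out;
}

// Tripwire: knows nothing about tags, scans only the serialized output.
const TRIPWIRES = [
  ["ipv4", /\b(?:\d{1,3}\.){3}\d{1,3}\b/],
  ["credential", /\b(?:password|passwd|secret|token|api[_-]?key)\b\s*[:=]/i],
  ["internal-hostname", /\b[a-z0-9-]+\.lab\.internal\b/i],
];

function tripwire(text) {
  return TRIPWIRES.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Both gates run in order; any hit is what would make the build exit non-zero.
function buildGate(source) {
  const payload = JSON.stringify(project(source));
  const hits = tripwire(payload);
  return { ok: hits.length === 0, hits, payload };
}
```

Here the projection correctly drops hostname and mgmt_ip, but the mis-tagged notes field carries an address through; the tripwire catches it because it inspects the output rather than trusting the tags.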
The stack
The architecture is deliberately minimal. Astro 7 compiles the site to static HTML at build time: no server process, no server-side rendering, no API routes. The pages you are reading are Astro components — hand-authored prose, not generated output.
The one interactive piece is the infrastructure explorer, a React Flow island client-hydrated from a sanitized JSON payload that is generated as part of the same build pipeline. The island runs entirely in the browser and makes no requests to any lab system. It is interactive in the UI sense; it is inert in the network sense.
The design system
Three typefaces carry the visual hierarchy. Instrument Serif handles the display layer: page headlines, pull quotes, and the stand lines that open each section. It is a high-contrast transitional serif that reads well at large sizes on dark backgrounds. DM Sans handles body text and UI chrome — a geometric grotesque that stays legible at small sizes without feeling clinical. DM Mono renders labels, chips, code fragments, and nav group headings: the data layer, where monospace signals precision.
The color story is copper on warm charcoal. Copper is used sparingly: active nav states, accent borders on callouts, inline links, and numbers in stat displays. Everything else recedes into a warm gray scale. The palette is dark by default, not as a stylistic gesture but because the subject matter is infrastructure running in a rack — not a product landing page in morning light.
What this site is not
The site carries no live data. Nothing it displays changes after the build runs. There is no polling loop, no webhook listener, no cron job refreshing a feed from the lab. The explorer's graph is a curated representation today; when the allowlist generator is wired in, its physical layer will be derived from the same inventory as everything else.
No path runs from this site back into the lab. There is no outbound API call, no server-side handler, no form that submits to a lab system. The boundary between Publish and the two boundaries behind it is strictly one-directional: data flows out at build time, and that is the only crossing it makes.
The site cannot leak the lab's secrets. They were never compiled into it.