Boundary III · Publish
You are reading the third boundary.
What crosses this boundary was never secret. The rest never crossed.
This page is an artifact of the boundary it describes. Every word here passed through the same allowlist projection it explains. The data that did not pass through is invisible not because it was hidden, but because it was never sent. That distinction is the entire point.
A projection, not a redaction
The lab's source of truth lives in inventory.yaml inside the Describe boundary. That file holds every host, network, VLAN, service route, and known issue in the lab. It is not published here. It is not copied here with sensitive fields removed. That distinction matters: a redaction is a scrub that can be done wrong. A projection only emits what is explicitly allowlisted. If the allowlist does not name a field, the projection produces no output for it. Not an empty string, not a placeholder. Nothing.
The allowlist runs at build time. Each field in the inventory carries a publication status. Fields marked publishable cross the boundary; all others do not exist in the build context. The result is a strict subset of the real shape of the lab, constructed from scratch by the projection step rather than arrived at by subtraction. The mechanism is fail-closed: adding a new field to the inventory keeps it private by default until an author deliberately marks it publishable.
Secrets are not scrubbed from this site. They were never compiled in.
Two independent guards
The allowlist projection is the first guard. It is not the only one.
An independent tripwire runs on the build output after the projection step and before the site is assembled. It scans for anything that looks like it should not be public: patterns characteristic of internal IP addresses, API tokens, host credentials, and identifiers that are not meant to travel. If the scanner finds a match, the build fails. The site does not ship.
Two independent mechanisms must both fail simultaneously for a secret to reach the public. The projection must emit something it should not, and the tripwire must fail to catch it. Either failure alone is recoverable. Both failing together is the actual threat model, and designing for it means no single point of failure controls the outcome.
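The two guards described above, as an added example that is not the lab's own build code: a fail-closed allowlist projection over a constructed inventory shape, followed by a tripwire scan over the serialized build output that refuses to ship on any match. The per-field schema, the sample values, and the tripwire patterns are all assumptions made for this example.

```python
import json
import re

# Constructed sample inventory in the shape the page describes: every field
# carries its own publication status. Assumed schema, not the real inventory.yaml.
INVENTORY = {
    "hosts": [
        {
            "name":      {"value": "edge-01",           "publishable": True},
            "role":      {"value": "reverse proxy",     "publishable": True},
            "mgmt_ip":   {"value": "10.20.0.11",        "publishable": False},
            "api_token": {"value": "tok_EXAMPLEONLY42"},  # status omitted on purpose
        },
    ],
}

def project(inventory):
    """Guard 1, allowlist projection. Builds a new structure from scratch and
    copies a field only when it is explicitly marked publishable: True.
    A missing or non-True status is private by default (fail-closed)."""
    return {
        "hosts": [
            {k: f["value"] for k, f in host.items() if f.get("publishable") is True}
            for host in inventory["hosts"]
        ]
    }

# Guard 2, tripwire patterns. Constructed for this example; a real scanner
# would carry the lab's own list of identifiers that must not travel.
TRIPWIRE = [
    ("private ipv4", re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b")),
    ("api token", re.compile(r"\btok_[A-Za-z0-9]{8,}\b")),
]

def tripwire(build_data):
    """Scan the serialized build output and return every (label, match) found."""
    blob = json.dumps(build_data)
    return [(label, m.group(0)) for label, rx in TRIPWIRE for m in rx.finditer(blob)]

def build(inventory):
    """Both guards in order. Returns (site_data, findings); site_data is None
    when the tripwire fired, meaning the site does not ship."""
    public = project(inventory)
    findings = tripwire(public)
    return (None if findings else public), findings
```

Flipping `mgmt_ip` to publishable simulates the first guard failing; `build` then returns no site data and a finding for the 10.x address, which is the second guard doing its job independently.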
Static by construction
The public build never sees inventory.yaml. The build toolchain receives only the pre-sanitized output of the projection step: a curated data structure whose contents were already verified by the tripwire. There is no configuration to tweak, no environment variable to expose, no code path that would cause raw inventory data to flow downstream. The build is one-way. Air-gap here means not that secrets are locked up tightly, but that the path that would carry them does not exist.
What ships is a fully static build: compiled HTML, CSS, and JavaScript. No server, no database, no server-side rendering touching live data. There is no runtime connection to the lab, no webhook listening for state changes, no endpoint that reflects anything internal. The pipeline terminates at publication. It does not reach back.
You are here
This site is Boundary III. It exists because the other two boundaries work: the single source of truth in Describe generates the data, and the projection plus tripwire decide what crosses. The lab has considerably more state than what is visible here. What is not visible is not hidden behind this page. It was never sent to it. See the colophon for how the build pipeline is assembled.