SBP-001 — Public Static Site
Scope
This blueprint applies to any Atlantis system that is a static or near-static public-facing site with no commerce, no live data intake, and no authenticated user accounts. If a system collects leads, PII, or payment, it belongs under SBP-002 (Lead Capture / Revenue Intake) instead — see that blueprint's scope before assigning this one.
Applies to: - atlantisits.co (main business site) - apps.atlantisits.ai (Apps Hub / directory) - docs.atlantisits.info (MkDocs Knowledge Base) - Marketing pages - Static public landing pages
Required Diagram
graph TD
classDef internal fill:#1e293b,stroke:#3b82f6,stroke-width:2px,color:#ffffff;
classDef warning fill:#2a1f15,stroke:#facc15,stroke-width:2px,color:#ffffff;
Public["Public internet"]:::internal
CF["Cloudflare DNS<br/>CNAME, DNS-only (grey cloud)"]:::internal
Vercel["Vercel hosting<br/>Static deploy, no backend"]:::internal
Co["atlantisits.co<br/>Main business site<br/>CTA: mailto only, no form"]:::internal
Apps["Apps Hub<br/>apps.atlantisits.ai<br/>Links to other apps"]:::internal
Docs["docs.atlantisits.info<br/>MkDocs Knowledge Base<br/>Static build output"]:::internal
OpsCheck["Open review item<br/>Ops Suite cards may expose<br/>internal links - see SBP-003"]:::warning
Public --> CF
CF -->|"atlantisits.co"| Vercel
CF -->|"apps.atlantisits.ai"| Vercel
CF -->|"docs.atlantisits.info"| Vercel
Vercel --> Co
Vercel --> Apps
Vercel --> Docs
Apps -.->|"flagged, unresolved"| OpsCheck All three sites sit fully on the public side of the trust boundary — no secrets in browser, no PII collected, no authenticated routes. The one open item is the Apps Hub → Operations Suite card link path, flagged for Jimmy review (see "Filled Entry: Apps Hub" below); resolving that closes the only unresolved edge in this diagram.
Required Controls
| Control | Description |
|---|---|
| No secrets in source | No API keys, tokens, PATs, or credentials in repo, browser-visible code, or build output. |
| No internal links exposed accidentally | No links to .lan hostnames, internal IPs, internal-only ports, or unreleased/unannounced subdomains. |
| Safe outbound links | All outbound links reviewed — no dead links, no links to unrelated/unintended destinations. |
| Clear public/private boundaries | The page should make no claims or expose no content that implies access to private/internal Atlantis systems. |
| Basic CSP and headers where applicable | Content-Security-Policy and standard security headers set where the hosting platform supports it (Vercel default headers are acceptable baseline). |
| Domain and deployment record | Domain, DNS provider, hosting platform, and repo are documented below for each assigned system. |
TDLC Stage Gate for This Blueprint
Per CB-005's TDLC model, a system under SBP-001 should clear these controls before promotion:
| TDLC Stage | Gate Requirement |
|---|---|
| Lab → Internal Alpha | Domain decided, repo created, no secrets present in initial commit. |
| Internal Alpha → Beta | All controls above checked; Shane has reviewed live preview. |
| Beta → Production | DNS live, Cloudflare/Vercel domain confirmed, no internal links present, public readiness checklist item ("Security Blueprint assigned for every public app") satisfied. |
| Production → Monitoring | No further security-relevant changes without re-running this checklist. |
Filled Entry: atlantisits.co
| Field | Value |
|---|---|
| System | atlantisits.co — Atlantis ITS main business site |
| Repo | atlantis-co (GitHub/Forgejo — confirm current canonical location) |
| Hosting | Vercel |
| DNS | Cloudflare, CNAME → cname.vercel-dns.com, DNS-only (grey cloud, not proxied) |
| Exposure category | Public |
| Secrets present? | None expected — static brand/marketing site, no backend. |
| Internal links present? | None expected. Cross-links to apps.atlantisits.ai and docs.atlantisits.info are intentional public cross-links per the June 2026 motion/content brief, not internal exposure. |
| CTA mechanism | mailto: Request a Demo link — no form, no data intake. Stays under SBP-001 as long as this remains true; if a form is ever added, this system should be re-classified under SBP-002. |
| Last security-relevant review | June 17, 2026 motion/content refresh (brand alignment, GSAP reveal pattern, mobile breakpoint check) — see project notes for that session. |
| TDLC stage | Production |
| Open items | None blocking from a security-control standpoint as of this writing. Confirm CSP/security headers are set in Vercel project settings if not already default. |
Filled Entry: Apps Hub (apps.atlantisits.ai)
| Field | Value |
|---|---|
| System | apps.atlantisits.ai — Apps Hub / directory page (v2) |
| Repo | Separate repo per linked app (Pop Off, IceBreakrz, Horizon Runway, etc. each have their own); Apps Hub itself is its own deployment — confirm exact repo name. |
| Hosting | Vercel |
| DNS | Cloudflare, CNAME → cname.vercel-dns.com, DNS-only (grey cloud, not proxied) — same pattern as all .ai subdomains. |
| Exposure category | Public |
| Secrets present? | None expected — this is a links/cards directory page, not a backend service. |
| Internal links present? | Needs verification. Apps Hub v2 added Operations Suite cards (AA-NOC, Repo Radar, Pulse) per the June TN session. These ops tools are internal/Tailscale-protected systems — confirm their cards either link to nothing (display-only) or to an appropriately gated entry point, not directly to a raw internal .lan URL or unauthenticated internal dashboard. This is the single most likely control gap for this system — flag for Jimmy review before treating this blueprint entry as fully satisfied. |
| Linked apps | Pop Off (popoff.atlantisits.ai), IceBreakrz (icebreakrz.atlantisits.ai), Horizon Runway (horizon.atlantisits.ai), Lead Engine (engine.atlantisits.ai), Operations Suite cards (AA-NOC, Repo Radar, Pulse — via ops.atlantisits.ai or similar). |
| TDLC stage | Active / Production, but Internal-Link control above is unverified — recommend treating as "Production with open finding" rather than fully clean until checked. |
| Open items | Verify Operations Suite card links do not expose internal-only endpoints directly to public traffic. Confirm exact current repo name (multiple naming patterns referenced across past sessions — atlantis-apps, apps-hub, etc. — pin down the actual one). |
Filled Entry: docs.atlantisits.info (MkDocs Knowledge Base)
| Field | Value |
|---|---|
| System | docs.atlantisits.info — MkDocs Knowledge Base (How-To Guides, KB, SOP, Tech Orders, Runbooks, Incidents, Changelog) |
| Repo | atlantis-mkdocs — local source confirmed at C:\AtlantisITS\atlantis-mkdocs\docs\Info\ |
| Hosting | Vercel |
| DNS | Cloudflare, CNAME → cname.vercel-dns.com, DNS-only (grey cloud, not proxied) — same pattern as .ai/.co |
| Exposure category | Public — confirmed reachable with zero auth, no login wall |
| Secrets present? | None expected in document content reviewed so far. Not yet fully audited — recommend a pass over all published sop/, how-to/, runbooks/ content before treating this as fully clean, since these docs sometimes reference internal infrastructure details (ports, hostnames, file paths) that are fine in Forgejo but worth a second look once published to a public site. |
| Internal links present? | One confirmed low-risk item: SOP-002 (printer guide) publishes a device email-print address and serial number. Low actual risk (worst case is junk print jobs), but worth knowing it's effectively public now that the page is confirmed fetchable with no auth. No internal .lan hostnames or credentials found in what's been reviewed. |
| Known gap — staleness | Live site confirmed running roughly 3 months behind actual current docs (index footer reads "Last updated: March 18, 2026"; SOP set on the live site stops at SOP-002 while local disk already has SOP-001 through at least SOP-004, and the incidents index only lists INC-001 despite newer local content). This is a build/deploy gap, not a security control failure, but it means anyone treating the public site as current documentation is working from stale information. Tracked separately as the MkDocs index-regeneration/deploy-pipeline task (Cowork audit in progress as of this writing). |
| CTA mechanism | None — reference/documentation only, no forms, no data intake. |
| TDLC stage | Production (live, public), but flagged "Production with open findings" — same posture as the Apps Hub entry above — pending the staleness fix and the secrets/internal-reference audit pass. |
| Open items | Resolve the build/deploy staleness gap (separate active task). Run a full secrets/internal-reference sweep over all published doc categories, not just the SOP-002 sample reviewed so far. |
Notes for Future SBP-001 Assignments
When assigning a new system to this blueprint, fill in the same table structure as above. Any system that later adds a form, login, payment, or live data intake should be migrated to SBP-002 rather than patched in place — re-classification, not control bolt-on.