API boundaries

The customer-visible API boundaries for Modelsmith state, evidence, owner dashboards, and public website forms.

Modelsmith has API boundaries, but the public website should describe those boundaries by responsibility and trust level. It should not advertise private cluster state as a public endpoint or document endpoints that do not exist.

Boundary classes

Public website forms

Contact and design-partner forms accept user-submitted messages and route them to Agentsia. These routes do not expose Modelsmith training state.

Signed owner ingestion

Owner-facing Modelsmith snapshots are accepted only through a signed ingestion boundary. The producer sends a sanitised snapshot; the public website validates signature, timestamp, schema, and size before storage.

This boundary is for ingestion, not general querying of private Modelsmith state.
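A sketch of the four checks named above (signature, timestamp, schema, size), in an order that bounds work on unauthenticated input. This is an added example, not Modelsmith's code; the page does not state the signature scheme, so HMAC-SHA256 over "timestamp.body", the field names, the size cap, and the freshness window are all assumptions.

```python
import hashlib
import hmac
import json
import time

# All names and limits below are assumptions for illustration, not Modelsmith's.
MAX_BODY_BYTES = 64 * 1024   # assumed size cap
MAX_CLOCK_SKEW_S = 300       # assumed freshness window
ALLOWED_FIELDS = {"snapshot_id": str, "status": str, "summary": str, "counts": dict}


class Rejected(Exception):
    """Raised with the name of the failed check; nothing is stored on failure."""


def sign(key: bytes, timestamp: str, body: bytes) -> str:
    # The timestamp is bound into the MAC so it cannot be swapped on replay.
    return hmac.new(key, timestamp.encode() + b"." + body, hashlib.sha256).hexdigest()


def validate_snapshot(key, timestamp, signature, body, now=None):
    """Return the parsed snapshot dict, or raise Rejected."""
    now = time.time() if now is None else now
    # 1. Size: checked first, before any hashing or parsing.
    if len(body) > MAX_BODY_BYTES:
        raise Rejected("size")
    # 2. Signature: constant-time compare over the raw bytes, before parsing.
    expected = sign(key, timestamp, body)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        raise Rejected("signature")
    # 3. Timestamp: refuse stale or future-dated snapshots.
    try:
        ts = int(timestamp)
    except ValueError:
        raise Rejected("timestamp")
    if abs(now - ts) > MAX_CLOCK_SKEW_S:
        raise Rejected("timestamp")
    # 4. Schema: exact field set and types; unknown fields are refused, not dropped.
    try:
        doc = json.loads(body)
    except ValueError:
        raise Rejected("schema")
    if not isinstance(doc, dict) or set(doc) != set(ALLOWED_FIELDS):
        raise Rejected("schema")
    if any(not isinstance(doc[k], t) for k, t in ALLOWED_FIELDS.items()):
        raise Rejected("schema")
    return doc
```

Refusing unknown fields at the schema step means a producer that forgets to sanitise a field fails ingestion instead of having that field stored.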

Owner read surface

Authenticated owner pages read the latest sanitised snapshot and related owner-safe records. They should expose short summaries, counts, statuses, review labels, and approved evidence fields.

Customer deployment APIs

Customer deployments may expose local serving, training, or promotion APIs inside the customer-controlled environment. Those APIs are deployment-specific and should be documented with the customer installation package, not as public website endpoints.

Redaction rules

Public and owner-safe APIs must not return:

  • raw prompts, completions, datasets, or benchmark rows
  • internal hostnames, filesystem paths, or adapter locations
  • opaque artefact identifiers that can be joined back to private storage
  • queue mutation controls outside the authenticated owner boundary
  • secrets, tokens, cookies, or unsigned operational state