Feedback justinsforge never public endpoints

Never put public-facing or unauthenticated endpoints on justinsforge.com. It is a private attack surface (command-center domain) that should never be exposed to the public internet or to external recipients (e.g., email links).

Public services that need to be reached by external users (customers, email recipients, etc.) must live on brand domains or dedicated public domains, not on justinsforge.com.

Why: justinsforge.com is Justin's private infrastructure command center. Exposing it publicly turns it into an attack vector and leaks the existence/location of the control plane to everyone who receives an email or clicks a link.

How to apply: Before wiring any public endpoint, webhook, or unauthenticated URL: check if the domain is justinsforge.com. If yes, move it to a brand domain or purpose-built public domain. The only justinsforge.com services allowed are internal tools behind Cloudflare Access (auth required).

[auto-memory session 5560f8c9-c807-4188-aaa2-1bb67b265559, confidence 0.95, mode direct]