The public shell communicates review gates, rate limits, and rollback posture without exposing private endpoints, host topology, or internal failure details.
Each public route now lands inside the same navigation and footer system.
Empty, loading, denied, retry, and release-aware cues stay explicit in the UI.
Local rendering does not replace later two-FTP host evidence and smoke gates.
The foundation shell makes non-happy paths visible at the screen level so later runtime wiring does not hide denial, retry, loading, or release dependencies.
Internal mailer workflows require signed requests, timestamps, nonces, and payload integrity checks.
Contact and demo forms already inherit first-party abuse scoring, honeypot, and rate-limit posture.
Sensitive outcomes stay in private audit records while public pages show only safe trust language.
Host paths, stack versions, and private APIs are deliberately excluded from this screen.