Goal
Show ProofPath as a mandatory pre-execution gate for AI-assisted website building.
The point is to move ProofPath from an abstract API/security demo into a practical workflow:
AI builds or edits a website
-> proposes a file/deploy/action change
-> ProofPath checks intent, scope, reversibility, and approval
-> safe actions continue
-> risky actions are blocked or held
-> every decision is written to the audit log
Why this matters
AI agents are increasingly used to build landing pages, dashboards, docs sites, and production web apps. A website-building agent can accidentally or maliciously:
- delete pages or assets;
- overwrite production content;
- deploy broken builds;
- expose secrets or API keys;
- add unsafe external scripts;
- modify forms that collect user data;
- publish content outside the approved scope;
- push directly to production without human approval.
A normal GitHub token, API key, or deployment credential can be valid while the proposed action is still unsafe.
Core line:
Valid deploy access should not automatically mean valid website change.
Demo concept
Create a small demo where an AI/site-builder agent attempts three website actions:
-
Safe content edit
- Example: update headline or copy in a landing page.
- Expected ProofPath decision:
ACCEPT.
-
Risky production deploy
- Example: deploy to production without explicit approval.
- Expected ProofPath decision:
HOLD or BLOCK.
-
Dangerous destructive action
- Example: delete
public/, remove index.html, overwrite .env, or add an unapproved third-party script.
- Expected ProofPath decision:
BLOCK.
Suggested action scopes
website.content.edit
website.asset.add
website.form.modify
website.script.add
website.env.modify
website.deploy.preview
website.deploy.production
website.delete
Suggested reversibility rules
website.content.edit -> reversible
website.asset.add -> reversible
website.form.modify -> compensatable or irreversible depending on data collection
website.script.add -> compensatable/high-risk
website.env.modify -> irreversible/high-risk
website.deploy.preview -> reversible
website.deploy.production -> irreversible or approval-required
website.delete -> irreversible
Required approval examples
Require explicit human approval for:
- production deployment;
- deletion of pages/assets;
- modifying environment/secrets files;
- adding external scripts;
- changing payment/contact/data-collection forms;
- disabling security headers or privacy notices.
Deliverables
Acceptance criteria
- The demo is understandable without running a real deployment provider.
- The demo shows ProofPath protecting a website-building workflow, not only a generic API.
- The project does not claim ProofPath replaces GitHub auth, deployment credentials, or HTTPS.
- The demo clearly separates safe edits, approval-required deploys, and blocked destructive actions.
Related
Goal
Show ProofPath as a mandatory pre-execution gate for AI-assisted website building.
The point is to move ProofPath from an abstract API/security demo into a practical workflow:
Why this matters
AI agents are increasingly used to build landing pages, dashboards, docs sites, and production web apps. A website-building agent can accidentally or maliciously:
A normal GitHub token, API key, or deployment credential can be valid while the proposed action is still unsafe.
Core line:
Demo concept
Create a small demo where an AI/site-builder agent attempts three website actions:
Safe content edit
ACCEPT.Risky production deploy
HOLDorBLOCK.Dangerous destructive action
public/, removeindex.html, overwrite.env, or add an unapproved third-party script.BLOCK.Suggested action scopes
Suggested reversibility rules
Required approval examples
Require explicit human approval for:
Deliverables
examples/website-builder-gate/README.md.ACCEPT.HOLDorBLOCKwithout approval.BLOCK.Acceptance criteria
Related