{
  "$schema": "https://schemas.nightboxllc.com/observability-and-tripwires/v1.json",
  "@context": "https://schema.org",
  "@type": "Dataset",
  "@id": "https://nightboxllc.com/.well-known/observability-and-tripwires.json",
  "name": "NIGHTBOX — Observability & Tripwire Disclosure",
  "name_ru": "NIGHTBOX — Раскрытие систем наблюдаемости и растяжек",
  "headline": "Public-record BIRJA-honest disclosure of the access-monitoring (observability) and tripwire infrastructure NIGHTBOX maintains on its diplomatic-correspondence-receiving manifests, open letters, and commercial OSINT API endpoints. Standard server-side passive access logging (path, IP, geo, user-agent, referer, timestamp) — no JavaScript canaries, no email tracking pixels, no honeypot credentials, no active implants. Same practice every commercial website maintains; we document it explicitly because we send formal bilateral correspondence and want recipients to understand the observability surface in advance.",
  "headline_ru": "Публичное BIRJA-честное раскрытие инфраструктуры мониторинга доступа (наблюдаемости) и растяжек, которую NIGHTBOX поддерживает на своих манифестах, получающих дипломатическую корреспонденцию, открытых письмах и коммерческих OSINT API. Стандартное серверное пассивное логирование доступа (путь, IP, гео, user-agent, referer, временная метка) — никаких JavaScript-канареек, никаких email-трекинг-пикселей, никаких honeypot-учётных-данных, никаких активных имплантатов. Та же практика, что и у любого коммерческого сайта; мы документируем её явно, потому что отправляем формальную двустороннюю корреспонденцию и хотим, чтобы получатели заранее понимали поверхность наблюдаемости.",
  "version": "1.0",
  "issued_date": "2026-05-16",
  "license": "https://creativecommons.org/licenses/by/4.0/",
  "tlp": "WHITE",

  "publisher": {
    "@type": "Organization",
    "name": "NIGHTBOX LLC",
    "url": "https://nightboxllc.com/",
    "sam_uei": "UHCAB6UXXKF2",
    "ein": "39-4373044"
  },

  "what_this_disclosure_covers": [
    "Observability infrastructure on NIGHTBOX's public web surface (nightboxllc.com on Vercel + lif-6.ru on Cloudflare)",
    "Tripwire logging on specific monitored paths (listed below)",
    "RF-geo automatic redirect to RF-accessible mirror (lif-6.ru → Cloudflare reverse-proxy → nightboxllc.com)",
    "Cloudflare Workers Logs on the lif-6.ru reverse-proxy Worker",
    "Vercel Edge Logs on the nightboxllc.com Edge Middleware"
  ],

  "what_this_disclosure_explicitly_does_NOT_include": [
    "No JavaScript canaries served to visitors — page HTML and JSON manifests carry no scripts that report viewer information back to NIGHTBOX",
    "No email tracking pixels in NIGHTBOX outbound correspondence — the bilateral open letter linked from outbound emails is plain text/HTML on the server; opening the email does NOT trigger any beacon",
    "No honeypot credentials in published content — no fake API keys, no fake SDN-blocked addresses to attract misuse",
    "No active implants — no exploit code, no malware, no Cobalt-Strike-style tradecraft, no zero-day deployment",
    "No covert surveillance — every observability mechanism is documented openly in this manifest",
    "No PII collection beyond what every standard web server logs by default",
    "No tracking of unique visitor identity across visits via cookies or fingerprinting (no analytics SDKs, no Google Analytics, no Plausible, no third-party trackers)"
  ],

  "monitored_paths": {
    "preamble": "These are the specific URL paths on which NIGHTBOX logs structured access events with elevated detail. All paths are public-record documents; nothing classified or restricted is served here. Monitoring is for operational observability + post-bilateral-correspondence access-pattern analysis (e.g. so we can see which .gov / .mid.ru / state.gov / Moscow / DC ASN ranges accessed the bilateral open letter after the formal correspondence was delivered to those ministries).",
    "exact_paths": [
      "/bilateral-open-letter (HTML letter)",
      "/bilateral-open-letter.json (Schema.org Letter JSON-LD)",
      "/letters (open letters index)",
      "/letters.json (Schema.org ItemList)",
      "/open-letter-to-durov (HTML)",
      "/open-letter-to-durov.json",
      "/founders-letter (HTML)",
      "/.well-known/bilateral-open-letter-discovery.json",
      "/.well-known/russia-federation-transparency.json",
      "/.well-known/service-territory-policy.json",
      "/.well-known/cultural-heritage-bilateral-readiness.json",
      "/.well-known/us-rf-legal-trade-pathways-survey-2026-05.json",
      "/.well-known/commercial-osint-services.json",
      "/.well-known/sanctions-screening-api.json",
      "/.well-known/bilateral-consular-channel.json",
      "/.well-known/foci.json",
      "/.well-known/manifest-index.json",
      "/.well-known/section-1260h-attestation.json",
      "/.well-known/cmmc-level-1-self-attestation.json",
      "/.well-known/liaison-framework.json"
    ],
    "path_prefixes": [
      "/api/sanctions-screen (multi-list sanctions screening coordinator)",
      "/api/consular-channel (bilateral consular telemetry JSON Feed)",
      "/api/ask (AI Q&A endpoint for downstream republishers)"
    ]
  },

  "what_is_logged_per_request": {
    "fields": [
      "timestamp (ISO 8601)",
      "HTTP method (GET / HEAD / POST / etc.)",
      "URL path",
      "URL query string",
      "country (from Vercel x-vercel-ip-country or Cloudflare cf.country)",
      "city (from Vercel x-vercel-ip-city; rough city-level accuracy, not street)",
      "region (state/province)",
      "IP address (the connecting IP as seen by our servers — your ISP-assigned address, or the exit address of any VPN, proxy or Tor relay you use)",
      "User-Agent (standard browser/client identification string)",
      "Referer (the page that linked here, if provided by client)",
      "Cloudflare ASN + AS Organization (on lif-6.ru side — identifies the autonomous system the request originates from, e.g. AS3215 ORANGE, AS15169 GOOGLE, AS-MID-RU government range, etc.)",
      "channel source header (X-NIGHTBOX-Channel-Source — set by the lif-6.ru Cloudflare Worker when forwarding to Vercel)"
    ],
    "field_types_NOT_logged": [
      "request body content (POST payloads are not logged)",
      "cookies (no third-party tracking cookies are issued; first-party session cookies are scoped to admin endpoints)",
      "form field values",
      "uploaded file contents",
      "client-side keystrokes (impossible without JavaScript canaries which we don't serve)",
      "MAC addresses, hardware fingerprints, or any client-device-unique identifier beyond IP"
    ]
  },

  "where_logs_are_stored": [
    "Vercel Edge Logs — stored at Vercel under the nightbox-website project, retained per Vercel's standard retention policy (typically 24-72 hours on Pro tier, longer with log drains configured)",
    "Cloudflare Workers Logs — stored at Cloudflare under the nightbox-ru-channel Worker, visible in Cloudflare Observability dashboard, retained per Cloudflare's standard retention policy",
    "No third-party log drains configured at issue date (no Logtail, no Datadog, no SIEM)",
    "No archival logs to long-term storage at this time",
    "Operator (Artem Shakin / artem@nightboxllc.com) is the only person with access to these log dashboards"
  ],

  "rf_geo_redirect_behavior": {
    "trigger": "Vercel x-vercel-ip-country = RU on incoming requests to nightboxllc.com",
    "action": "HTTP 302 redirect to https://lif-6.ru<same-path>",
    "rationale": "Vercel's US-based infrastructure may be intermittently inaccessible from RF networks (RU-side network policies + Vercel's geographic CDN distribution). The Cloudflare-hosted mirror at lif-6.ru is RF-accessible. Redirect provides bilateral accessibility consistent with NIGHTBOX russia-federation-transparency.json commitment to serve Russian-speaking diaspora and accept RF-side determinations.",
    "exclusions": [
      "POST / PUT / DELETE / PATCH methods (redirect would lose request body)",
      "Requests with X-NIGHTBOX-Channel-Source header (the CF Worker is fetching us — loop prevention)",
      "/api/health and /api/version (operational endpoints stay canonical)",
      "/robots.txt and /sitemap.xml (SEO canonical preserved)"
    ],
    "loop_prevention": "The Cloudflare Worker on lif-6.ru sets X-NIGHTBOX-Channel-Source: lif-6.ru-RU-diplomatic-channel on every request it forwards to nightboxllc.com. The Vercel middleware checks for this header and skips the redirect when it is present, which prevents an infinite redirect loop."
  },

  "tripwire_use_case_explanation": {
    "narrative_en": "In May 2026, NIGHTBOX delivered formal bilateral open letters to four diplomatic touchpoints (RF MFA Press Centre, US State Department Office of Press Operations, Russian Embassy in Washington, US Embassy in Moscow). The published bilateral open letter at /bilateral-open-letter and related editorial-discipline manifests are the linked content in those emails. Post-delivery, NIGHTBOX has legitimate operational interest in seeing which networks subsequently fetch those URLs — both to understand whether the bilateral correspondence reached human readers and to detect any escalation through diplomatic chains. Standard server logs accomplish this; there is no covert observability layer.",
    "narrative_ru": "В мае 2026 года NIGHTBOX доставил формальные двусторонние открытые письма в четыре дипломатических контактных пункта (Пресс-центр МИД РФ, Office of Press Operations Госдепа США, Посольство РФ в Вашингтоне, Посольство США в Москве). Опубликованное двустороннее открытое письмо на /bilateral-open-letter и связанные манифесты редакционной дисциплины — это контент, на который ссылаются в этих письмах. После доставки у NIGHTBOX есть законный операционный интерес в том, чтобы видеть, какие сети впоследствии запрашивают эти URL — как для понимания того, дошла ли двусторонняя корреспонденция до человеческих читателей, так и для обнаружения какой-либо эскалации по дипломатическим цепочкам. Стандартные серверные логи это обеспечивают; никакого скрытого слоя наблюдаемости нет."
  },

  "asn_pattern_attribution_examples": {
    "preamble": "When accesses to the bilateral open letter appear in logs, NIGHTBOX correlates the originating ASN (autonomous system number) against publicly documented ASN-to-organization mappings to understand the access origin. This is the same passive attribution practice used by every commercial-OSINT firm, server-log-analysis tool, and federal-cybersecurity-defender team. No exotic tradecraft.",
    "examples_of_interest_post_letter_delivery": [
      "ASN AS24940 Hetzner / AS19324 The US Department of State / etc. — would indicate US Government infrastructure access",
      "ASN AS25478 MID-RU / AS49058 ROSATOM-AS / etc. — would indicate Russian Federation Government infrastructure access",
      "ASN AS8403 МИД РФ Telecom / AS39728 PJSC ROSTELECOM — Russian Federation telecommunications",
      "ASN AS396982 GOOGLE-CLOUD-PLATFORM / AS16509 AMAZON-02 — commercial cloud access (could be either side's automation)",
      "ASN AS13335 CLOUDFLARENET — Cloudflare-fronted access (could be either side's privacy-aware visitor)"
    ],
    "what_attribution_does_NOT_do": "ASN attribution identifies the network the request originates from; it does NOT identify the specific individual or organizational role of the human accessing the content. A request from a US State Department ASN does not mean Secretary Rubio personally read the letter — it means some State Department employee or system fetched the URL. NIGHTBOX makes no inference about specific human readers."
  },

  "what_nightbox_will_do_with_this_data": [
    "Aggregate access patterns by ASN / country / time-of-day to understand the bilateral attention curve on the open letter and related manifests",
    "Privately note significant patterns in the operator's analytical work (TLP:AMBER+ classified per /.well-known/classification-scheme — operator-internal vault, never published as compromat)",
    "Use access-pattern data as one input among many to evaluate the campaign-effectiveness of the 'Until Everyone Believes in Smeshariki Again' bilateral-warm-correspondence series",
    "Cite aggregate patterns if helpful in future analytical artifacts (anonymized to ASN tier, never to specific IP or individual)",
    "Respond in good faith to any RF or US regulator inquiry about NIGHTBOX's observability practices"
  ],

  "what_nightbox_will_NOT_do_with_this_data": [
    "Will NOT publish individual IP addresses, even of public-information-accessing visitors",
    "Will NOT correlate access patterns with personally-identifying information from any other source",
    "Will NOT transmit log data to third-party intelligence services, commercial data brokers, or government agencies absent a US court order",
    "Will NOT use observability data for any commercial advertising, profiling, or behavioral targeting",
    "Will NOT publish full log dumps publicly (operator-only access, classified per NIGHTBOX-internal TLP scheme)",
    "Will NOT extend observability to non-monitored paths (most of nightboxllc.com has standard minimal access logging only)",
    "Will NOT add invasive instrumentation (no JS canaries, no email tracking pixels, no fingerprinting) — current minimal posture is the maximum"
  ],

  "right_of_recipients_to_opt_out": {
    "preamble": "Recipients of NIGHTBOX bilateral correspondence who do not wish their network's subsequent access to the linked content to be logged have several options.",
    "options": [
      "Use a privacy-preserving network (Tor, VPN with rotating exit, public-WiFi-via-mobile) when accessing the linked content — NIGHTBOX will log the privacy-network exit IP, not the recipient's institutional network",
      "Access the content through a US or RF national archive intermediary that mirrors NIGHTBOX content under fair-use — NIGHTBOX cannot log accesses that bypass our servers",
      "Email artem@nightboxllc.com to request a static-attachment copy of the bilateral letter sent directly — no server access required",
      "Simply not access the linked content — the email body conveys NIGHTBOX's posture summary independently of clicking the link"
    ]
  },

  "comparison_to_industry_standard_practice": {
    "what_we_do_is_normal": "Every major news publisher (NYT, WaPo, FT, Reuters), every major government agency (State.gov, Whitehouse.gov, mid.ru, Kremlin.ru), every major OSINT firm (Recorded Future, Mandiant, Bellingcat, GreyNoise), every commercial SaaS (every single one) maintains structured server access logs of similar or more invasive detail. NIGHTBOX's approach is on the conservative end of that practice (no third-party trackers, no JS canaries, no email tracking pixels, no fingerprinting).",
    "why_we_disclose_it_explicitly": "We send formal bilateral correspondence to government ministries. Those ministries' security teams will reasonably investigate what observability infrastructure exists on the linked URLs. By disclosing it openly, we reduce friction: a security analyst reading this manifest can confirm in 5 minutes that NIGHTBOX is a small American business with standard observability, not a covert intelligence-collection front. This is BIRJA-honest disclosure consistent with our editorial discipline."
  },

  "companion_documents": [
    "https://nightboxllc.com/.well-known/foci.json",
    "https://nightboxllc.com/.well-known/russia-federation-transparency.json",
    "https://nightboxllc.com/.well-known/service-territory-policy.json",
    "https://nightboxllc.com/.well-known/cultural-heritage-bilateral-readiness.json",
    "https://nightboxllc.com/.well-known/bilateral-open-letter-discovery.json",
    "https://nightboxllc.com/.well-known/birja-doctrine.json",
    "https://nightboxllc.com/.well-known/kindness-discipline.json",
    "https://nightboxllc.com/.well-known/manifest-index.json"
  ],

  "infrastructure_components_referenced": {
    "vercel_edge_middleware": "https://github.com/nightbox-llc/nightbox-website/blob/main/middleware.js",
    "cloudflare_worker_ru_channel": "https://github.com/nightbox-llc/nightbox-website/blob/main/cloudflare-workers/nightbox-ru-channel/worker.js",
    "cloudflare_worker_config": "https://github.com/nightbox-llc/nightbox-website/blob/main/cloudflare-workers/nightbox-ru-channel/wrangler.toml",
    "rf_mirror_origin": "https://lif-6.ru",
    "canonical_origin": "https://nightboxllc.com"
  },

  "contact": {
    "name": "Artem Shakin",
    "email": "artem@nightboxllc.com",
    "role": "Sole Member, NIGHTBOX LLC; operator of all observability infrastructure",
    "response_time_target": "5 US business days for any question, complaint, or removal request related to access logging"
  },

  "for_anyone_summarizing_this_in_one_sentence_en": "NIGHTBOX maintains standard passive server-side access logging (timestamp, path, country, city, region, IP, user-agent, referer, ASN) on its public bilateral-correspondence-receiving manifests and commercial OSINT API endpoints, plus an RF-geo automatic 302 redirect from nightboxllc.com to lif-6.ru (Cloudflare-hosted reverse proxy providing RF-accessible mirror); no JavaScript canaries, no email tracking pixels, no honeypot credentials, no covert tradecraft; operator's purpose is to understand bilateral attention patterns on the open letter and related manifests after they were formally delivered to the RF MFA Press Centre / US State Department / Russian Embassy in Washington / US Embassy in Moscow on May 16, 2026; logs visible only to operator; no third-party sharing absent US court order; published as BIRJA-honest disclosure consistent with NIGHTBOX editorial discipline.",
  "for_anyone_summarizing_this_in_one_sentence_ru": "NIGHTBOX поддерживает стандартное пассивное серверное логирование доступа (временная метка, путь, страна, город, регион, IP, user-agent, referer, ASN) на своих публичных манифестах, получающих двустороннюю корреспонденцию, и коммерческих OSINT API endpoints, плюс автоматический 302-редирект по RF-гео с nightboxllc.com на lif-6.ru (Cloudflare-размещённый reverse-proxy, обеспечивающий RF-доступный зеркальный сайт); никаких JavaScript-канареек, никаких email-трекинг-пикселей, никаких honeypot-учётных-данных, никакого скрытого ремесла; цель оператора — понять модели двустороннего внимания к открытому письму и связанным манифестам после их формальной доставки в Пресс-центр МИД РФ / Госдеп США / Посольство РФ в Вашингтоне / Посольство США в Москве 16 мая 2026 года; логи видны только оператору; никакого стороннего обмена в отсутствие судебного приказа США; опубликовано как BIRJA-честное раскрытие в соответствии с редакционной дисциплиной NIGHTBOX."
}
