A safer path from pattern to publish.

One approved recipe becomes a copy-ready, privacy-checked content packet—with rollback built in and no custom-component permission required.

Trace the outcome ↓
{

The problem

A small content change carried a large permission burden.

Editors needed a consistent deadline callout, but the obvious route depended on a capability they did not have. Manual HTML also made privacy, drift, and rollback harder to see.
  1. 01Permission-dependent
  2. 02Hard to audit
  3. 03Rollback improvised

What changed

The workflow moved to the surface editors already own.

  1. 01
    BuildFill four governed inputs
  2. 02
    CheckRun the copied HTML through AFINA
  3. 03
    CapturePreserve the prior Source-view bytes
  4. 04
    Owner verifiesPaste, Save, and Preview in the test environment

Custom-component permission required: 0

How it was verified

Every claim has a receipt.

  1. 4governed inputs
  2. 9generated outputs bound to a public-safe receipt
  3. 18enumerated public-safety checks
  4. 1canonical lineage row
  5. =Deterministic round trip: equal to the current pattern builder after normalization
  6. Rollback evidence: captured prior bytes

Measured outcome

The useful change was not more software. It was less permission.

Before: Component creation or ungoverned hand assembly.

After: One generator-owned packet for an existing content source view.

  • Copy-ready output
  • Private-data shapes fail closed
  • Rollback is part of adoption, not an afterthought

Where the evidence stops.

Repository proof covers the packet, hostile-input checks, deterministic round trip, lineage, and rollback contract. Paste, Save, Preview, rendered TEST verification, approval, deployment, and Publish remain the owner's hand. SHA-256 proves byte integrity; source authenticity is vouched by the reviewed import PR, not a keyed signature.

Inspect the public receipt →

Source afd62e9b · payload baa524d4b94b9aff…