{"status":"ok","generated_at":"2026-06-04T15:53:51.858513782Z","observed_source_ip":"216.73.216.233","profile":"default","policy":"strict","verdict":"pass","summary":"Generated 14 automation files for continuous request-source exposure checks (no open ports detected).","files":[{"path":"ifport/gate.sh","description":"Strict CI/ops gate; exits non-zero on exposure drift.","language":"bash","content":"#!/usr/bin/env bash\nset -euo pipefail\ncode=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\")\ncat /tmp/ifport_gate.json\ntest \"$code\" = \"200\"\n"},{"path":"ifport/cron-monitor.sh","description":"Periodic monitor script with stderr alert output on failure.","language":"bash","content":"#!/usr/bin/env bash\nset -euo pipefail\ncode=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\")\nif [[ \"$code\" != \"200\" ]]; then\n echo \"ifport exposure drift detected\" >&2\n cat /tmp/ifport_gate.json >&2\n exit 1\nfi\ncat /tmp/ifport_gate.json\n"},{"path":"ifport/contain-unexpected.sh","description":"Best-effort immediate containment commands for unexpected public ports.","language":"bash","content":"#!/usr/bin/env bash\nset -euo pipefail\nAPPLY=\"${APPLY:-0}\"\necho \"No unexpected open ports in this snapshot. Nothing to contain.\"\necho \"Dry-run safe: no changes are required or applied.\"\n"},{"path":".github/workflows/ifport-gate.yml","description":"GitHub Actions workflow that blocks on gate failure.","language":"yaml","content":"name: ifport-gate\non:\n workflow_dispatch:\n push:\njobs:\n gate:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v4\n - name: ifport exposure gate\n run: |\n code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\")\n cat /tmp/ifport_gate.json\n test \"$code\" = \"200\"\n"},{"path":".gitlab-ci.ifport.yml","description":"GitLab CI job that blocks on gate failure.","language":"yaml","content":"ifport_gate:\n stage: test\n image: curlimages/curl:8.8.0\n script:\n - code=$(curl -s -o ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\")\n - cat ifport_gate.json\n - test \"$code\" = \"200\"\n"},{"path":"ifport/incident-template.md","description":"Incident-ready markdown template from current scan evidence.","language":"markdown","content":"# IfPort Incident Bundle\n\n**Summary:** No open ports found in this scan profile.\n**Observed source IP:** 216.73.216.233\n**Profile:** default\n**Policy verdict:** pass (strict)\n**Decision:** allow / info\n**Exposure score:** 98/100\n**Snapshot:** ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\n\n## Top risks\n- none\n\n## Responder checklist\n- P1: Lock the current clean result as your expected baseline.\n- P2: Re-check automatically after infra changes.\n\n## Verification commands\n- `curl -fsS \"https://ifport.io/gate?policy=strict&speed=deep\"`\n- `curl -fsS \"https://ifport.io/json?profile=default\"`\n\n## Firewall commands\n- no immediate firewall command generated\n"},{"path":"ifport/policy.json","description":"Commit-ready request-source baseline policy generated from the current scan.","language":"json","content":"{\n \"version\": \"ifport_policy.v1\",\n \"generated_by\": \"ifport.io\",\n \"target_scope\": \"request_source_ip_only\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"profile\": \"default\",\n \"speed\": \"balanced\",\n \"expected_open_ports\": [],\n \"gate_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"request_source_only\": true,\n \"arbitrary_targets_allowed\": false,\n \"note\": \"Run this gate from the same network path. This policy never grants arbitrary target, CIDR, banner, payload, exploitation, or credential scanning.\"\n}"},{"path":"ifport/remediation.md","description":"Dry-run-first remediation kit generated from the current scan.","language":"markdown","content":"# IfPort Action Plan\n\n**Observed source IP:** 216.73.216.233\n**Scan target:** request source IP only\n**Generated at:** 2026-06-04T15:53:51.856870865+00:00\n**Profile:** default (6 TCP ports checked)\n**Ports checked:** omitted from this human report; use `/json` for the full list\n**Command style:** linux\n**Status:** ok\n**Policy verdict:** pass (strict)\n**Exposure score:** 98/100\n**Open ports:** none\n**Scan duration:** 687 ms\n**Partial:** false\n**Snapshot:** ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\n\n## Safety boundary\n\n- Defensive request-source visibility only\n- No arbitrary target input\n- No CIDR/range scanning\n- No exploitation, credentials, payload delivery, or banner grabbing\n\n## Top risks\n\n- none: no open ports were found in this scan profile\n\n## Immediate steps\n\n1. [p1] Lock the current clean result as your expected baseline. (`baseline`)\n\n```bash\ncurl -fsS \"https://ifport.io/gate?policy=strict&speed=deep\"\ncurl -fsS \"https://ifport.io/json?policy=strict\" > ifport-baseline.json\n```\n\n2. [p2] Re-check automatically after infra changes. (`monitor`)\n\n```bash\ncurl -fsS \"https://ifport.io/gate?policy=strict\"\ncurl -fsS \"https://ifport.io/json?speed=deep\"\n```\n\n## Remediation kit\n\nNo open TCP ports were detected. This kit preserves the clean baseline and turns the current result into repeatable evidence and CI/release gates.\n\n- generated_for: `request_source_ip_only`\n- dry_run_by_default: `true`\n\nSafety:\n- No arbitrary target input is accepted.\n- No CIDR/range scanning is performed.\n- No exploitation, credential checks, banner grabbing, or payload delivery.\n- Generated containment commands require review and are dry-run by default.\n\nRecipes:\n\n1. Confirm the observed request path before changing firewalls. (`confirm-observation-path`)\n\nApplies when: Always; NAT, VPN, CI, proxies, and sandboxes can change which public path IfPort observes.\n\n```bash\ncurl -fsS \"https://ifport.io/network-path\" | jq .\ncurl -fsS \"https://ifport.io/json?profile=default&policy=strict&speed=balanced\" | jq '{observed_source_ip, accuracy, decision}'\n```\n\nVerify after:\n\n```bash\ncurl -fsS \"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\" | jq '.remediation_kit.summary'\ncurl -fsS \"https://ifport.io/network-path\" | jq '.observed_source_ip, .attribution.confidence'\n```\n\nCaution: Do not apply host firewall changes until the observed source IP represents the runtime you intend to protect.\n\n2. Preserve the clean baseline as release evidence. (`preserve-clean-baseline`)\n\nApplies when: Use when no open ports were detected and you want future drift to fail fast.\n\n```bash\ncurl -fsS \"https://ifport.io/gate?policy=strict&speed=deep\"\ncurl -fsS \"https://ifport.io/json?policy=strict\" > ifport-baseline.json\ncurl -fsSLOJ \"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\"\n```\n\nVerify after:\n\n```bash\ncurl -fsS \"https://ifport.io/readiness\" | jq '.grade, .checks[] | select(.id==\"request_source_boundary\")'\ncurl -fsS \"https://ifport.io/impact\" | jq '.proof.nearest_unlock, .funding'\n```\n\nCaution: A clean result is path-specific; rerun from the deployment runtime after proxy, VPN, cloud, or firewall changes.\n\nVerify after any change:\n- curl -fsS \"https://ifport.io/gate?policy=strict&speed=deep\"\n- curl -fsS \"https://ifport.io/json?policy=strict\" > ifport-baseline.json\n- curl -fsS \"https://ifport.io/network-path\" | jq .\n\n## Automation kits\n\n### GitHub Actions exposure gate\n\n- id: `github-actions`\n- expected_open_ports: none\n- Fail deploy pipeline when request-source exposure drifts from expected baseline.\n\n```yaml\nname: ifport-gate\non: [workflow_dispatch, push]\njobs:\n gate:\n runs-on: ubuntu-latest\n steps:\n - name: Verify exposure baseline\n run: |\n code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?policy=strict&speed=deep\")\n cat /tmp/ifport_gate.json\n test \"$code\" = \"200\"\n```\n\n### GitLab CI exposure gate\n\n- id: `gitlab-ci`\n- expected_open_ports: none\n- Block release stage when observed ingress ports do not match the expected baseline.\n\n```yaml\nifport_gate:\n stage: test\n image: curlimages/curl:8.8.0\n script:\n - code=$(curl -s -o ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?policy=strict&speed=deep\")\n - cat ifport_gate.json\n - test \"$code\" = \"200\"\n```\n\n### Cron/bash monitoring\n\n- id: `cron-bash`\n- expected_open_ports: none\n- Run a periodic local check and alert on gate failure.\n\n```bash\n#!/usr/bin/env bash\nset -euo pipefail\ncode=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \"https://ifport.io/gate?policy=strict&speed=deep\")\nif [[ \"$code\" != \"200\" ]]; then\n echo \"ifport exposure drift detected\" >&2\n cat /tmp/ifport_gate.json >&2\n exit 1\nfi\ncat /tmp/ifport_gate.json\n```\n\n## Follow-up checks\n\n- Run periodic deep checks (speed=deep) from the same network path to reduce timeout blind spots.\n- Store snapshot_id and fingerprint_sha256 from each check as immutable evidence.\n- For continuous defense, enable server-side ALERTS_WEBHOOK_URLS to receive warn/fail notifications automatically.\n- Signed snapshot is enabled: persist snapshot.signature for CI/CD and audit proof.\n\n## Limitations\n\n- This result describes the public IP that made the request.\n- The result may not describe the end-user's local machine if the request passed through NAT, VPN, proxy, cloud runtime, CI/CD runner, or LLM sandbox.\n- Service names are inferred from common port mappings unless explicit service detection is enabled.\n- An open port does not automatically mean the service is vulnerable.\n- A closed or filtered port may be affected by firewall rules, network routing, or scan timeout.\n\n## Keep this utility free\n\nIf this saved a deploy, firewall, NAT, VPN, or LLM-sandbox debugging loop, support the public request-source checker:\n\n- Donate: https://ifport.io/donate\n- Support contract: https://ifport.io/support\n- Full mission bundle: https://ifport.io/mission\n"},{"path":"ifport/port-runbooks.md","description":"Per-port operator runbooks with owner questions, checks, hardening, and verification.","language":"markdown","content":"# IfPort Port Runbooks\n\nGenerated from a request-source-only scan for `216.73.216.233`.\n\n## Safety boundary\n\n- request-source IP only\n- no arbitrary target scanning\n- no CIDR/range scanning\n- no exploitation/payload delivery\n\n## Evidence\n\n- profile: `default`\n- policy: `strict` (`pass`)\n- snapshot_id: `ifport-v1-64057714b171e040`\n- fingerprint_sha256: `64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`\n\n## Current result\n\nNo open TCP ports were found in this scan profile.\n\n## Verify\n\n```bash\ncurl -fsS \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\"\ncurl -fsS \"https://ifport.io/network-path\"\n```\n"},{"path":"ifport/scan/visible-scan.json","description":"Full visible scan JSON result from this request.","language":"json","content":"{\n \"schema_version\": \"1.0\",\n \"service\": \"ifport.io\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"target\": {\n \"type\": \"request_source_ip\",\n \"ip\": \"216.73.216.233\"\n },\n \"intent\": {\n \"name\": \"general-exposure\",\n \"provided\": false,\n \"preset_applied\": false,\n \"purpose\": \"General outside-in visibility check for the current request path.\",\n \"expected_outcome\": \"Every open port should be intentional and owned.\",\n \"applied_profile\": \"default\",\n \"applied_policy\": \"strict\",\n \"profile_from_intent\": false,\n \"policy_from_intent\": false,\n \"ports_of_interest\": [],\n \"matching_open_ports\": [],\n \"not_seen_ports_of_interest\": [],\n \"verdict\": \"pass\",\n \"reason_code\": \"no_open_ports_seen\",\n \"summary\": \"General exposure review found no open TCP ports in this scan scope.\",\n \"next_action\": \"Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\",\n \"runbook\": {\n \"title\": \"general-exposure intent runbook\",\n \"decision_rule\": \"Pass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\",\n \"likely_causes\": [\n \"No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\",\n \"The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\"\n ],\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'\",\n \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"\",\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq .\",\n \"curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"\"\n ],\n \"remediation_steps\": [\n \"Save snapshot evidence as the clean baseline for this exact request path.\",\n \"Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\",\n \"Use `profile=top1000` or `speed=deep` when broad confirmation matters.\"\n ],\n \"copy_paste_markdown\": \"# IfPort intent runbook\\n\\n- Intent: general-exposure\\n- Verdict: pass (no_open_ports_seen)\\n- Ports of interest: none\\n- Matching open ports: none\\n- Summary: General exposure review found no open TCP ports in this scan scope.\\n- Next action: Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\\n\\n## Decision rule\\nPass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\\n\\n## Likely causes\\n- No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\\n- The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\\n\\n## Verify commands\\n- `curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'`\\n- `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"`\\n- `curl -fsS \\\"https://ifport.io/network-path\\\" | jq .`\\n- `curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"`\\n\\n## Remediation steps\\n- Save snapshot evidence as the clean baseline for this exact request path.\\n- Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\\n- Use `profile=top1000` or `speed=deep` when broad confirmation matters.\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, exploitation, payload delivery, banner grabbing, or credential attacks.\\n\"\n },\n \"safety_boundary\": \"Request-source IP only; intent presets never accept ip, host, target, CIDR ranges, domains, payloads, credentials, or third-party scan targets.\"\n },\n \"brief\": {\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"verdict\": \"allow\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"target_scope\": \"request_source_ip_only\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"open_ports\": \"none\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"evidence\": {\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"verify_url\": \"https://ifport.io/verify\"\n },\n \"artifacts\": [\n {\n \"name\": \"gate\",\n \"url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"purpose\": \"CI/release pass-fail check for this request-source exposure policy\",\n \"use_when\": \"block deploys on unexpected open ports or changed exposure\"\n },\n {\n \"name\": \"evidence\",\n \"url\": \"https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"purpose\": \"portable snapshot proof for the same scan scope, with fingerprint and optional signature\",\n \"use_when\": \"attach the same-scope result to a ticket, incident, audit note, or change review\"\n },\n {\n \"name\": \"action_plan\",\n \"url\": \"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"purpose\": \"prioritized remediation and verification steps for the same scan scope\",\n \"use_when\": \"open ports, policy drift, or low attribution confidence need operator action\"\n },\n {\n \"name\": \"automation_pack\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\",\n \"purpose\": \"downloadable CI and operations bundle generated from the same scan scope\",\n \"use_when\": \"turn this one request into repeatable scripts, templates, and runbooks\"\n },\n {\n \"name\": \"network_path\",\n \"url\": \"https://ifport.io/network-path\",\n \"purpose\": \"source attribution diagnostic for the observed request path\",\n \"use_when\": \"NAT, VPN, proxy, CI, cloud, or sandbox routing may affect the observed IP\"\n }\n ],\n \"support\": {\n \"reason\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"donate_ready\": false,\n \"provider_status\": \"provider_missing\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"impact_summary\": \"Current gap is $15/month. Next funded outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Donation provider is not configured yet; /donate shows a sponsor action page with receipt/snapshot context when available.\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\"\n }\n },\n \"operator_card\": {\n \"card_version\": \"operator_card.v1\",\n \"title\": \"IfPort one-request operator card\",\n \"verdict\": \"allow\",\n \"severity\": \"info\",\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"do_now\": [\n \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"Run: curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"Keep this as baseline evidence and re-run after every network/firewall change.\",\n \"Promote strict gate checks in CI/CD so exposure regressions block release.\"\n ],\n \"proof\": [\n \"observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 speed=balanced\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"policy=strict/pass decision=allow/policy_and_exposure_within_expected_bounds\",\n \"accuracy=medium (trusted_edge_header) observed_ip_scope=public\"\n ],\n \"automation\": [\n \"gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"action_plan: https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"automation_pack: https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\"\n ],\n \"support_prompt\": \"If this card saved a deploy, firewall, VPN, proxy, or incident-debugging loop, support keeps ifport.io free. Current gap: $15/mo; /donate currently shows a sponsor action page until a provider is configured.\",\n \"copy_paste_markdown\": \"# IfPort operator card\\n\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Observed request-source IP: 216.73.216.233\\n- Answer: No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\\n- Concept: One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\\n- Boundary: Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n- Confidence: medium (trusted_edge_header)\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Time saved estimate: about 20 minutes\\n- Do now: Save the snapshot and add the gate command to CI or release smoke tests.\\n- Gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\\n- Support: https://ifport.io/donate\\n\"\n },\n \"scan\": {\n \"scan_id\": \"7083bef4-eea9-4eba-a431-6c3b8a64038b\",\n \"started_at\": \"2026-06-04T15:53:51.147521492Z\",\n \"type\": \"tcp_syn_or_connect\",\n \"profile\": \"default\",\n \"speed\": \"balanced\",\n \"duration_ms\": 687,\n \"per_port_timeout_ms\": 650,\n \"global_timeout_ms\": 20000,\n \"ports_checked\": [\n 22,\n 80,\n 443,\n 3000,\n 8080,\n 8443\n ]\n },\n \"results\": {\n \"open\": [],\n \"closed\": [],\n \"filtered_or_timeout\": [\n 22,\n 80,\n 443,\n 3000,\n 8080,\n 8443\n ],\n \"errors\": []\n },\n \"open_ports\": [],\n \"partial\": false,\n \"cache\": {\n \"hit\": false,\n \"ttl_seconds\": 30\n },\n \"assessment\": {\n \"exposure_score\": 98,\n \"grade\": \"A+\",\n \"summary\": \"No open TCP ports were detected in this scan profile.\",\n \"recommended_actions\": [\n \"Keep current firewall posture and rerun checks after infra changes.\",\n \"Run profile=top1000 when you need broad verification.\"\n ]\n },\n \"policy\": {\n \"name\": \"strict\",\n \"verdict\": \"pass\",\n \"allowed_open_ports\": [],\n \"unexpected_open_ports\": [],\n \"missing_expected_ports\": [],\n \"note\": \"Policy 'strict' matched: no unexpected public ports.\"\n },\n \"accuracy\": {\n \"representation\": \"trusted_edge_header\",\n \"confidence\": \"medium\",\n \"observed_ip_scope\": \"public\",\n \"reasons\": [\n \"Observed source IP was taken from x_forwarded_for_trusted_proxy.\",\n \"Public source IP came from trusted proxy headers, so edge header integrity matters.\"\n ],\n \"next_steps\": [\n \"Run the same check from the exact network path you want to validate (same host, same egress).\",\n \"Confirm edge proxy sets client IP headers from socket remote address and rejects spoofed forwarding headers.\"\n ]\n },\n \"triage\": {\n \"scenario\": \"no_public_ports_detected\",\n \"severity\": \"info\",\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"first_15_min_steps\": [\n \"Keep this as baseline evidence and re-run after every network/firewall change.\",\n \"Promote strict gate checks in CI/CD so exposure regressions block release.\",\n \"Schedule recurring checks from the exact network path that serves production traffic.\"\n ],\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?profile=default\\\"\"\n ]\n },\n \"decision\": {\n \"status\": \"allow\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"message\": \"Current result is within expected defensive bounds for this observation path.\",\n \"actions\": [\n \"Keep periodic checks enabled to detect drift.\",\n \"Persist snapshot_id/fingerprint as evidence for audit and rollback workflows.\"\n ],\n \"evidence\": {\n \"policy_verdict\": \"pass\",\n \"exposure_score\": 98,\n \"triage_severity\": \"info\",\n \"accuracy_confidence\": \"medium\"\n }\n },\n \"agent_handoff\": {\n \"intent\": \"explain_result_to_user\",\n \"likely_issue\": \"no_public_ports_detected\",\n \"summary\": \"No open TCP ports were detected for profile `default` on 216.73.216.233.\",\n \"user_message\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"confidence_note\": \"Medium confidence: IfPort sees a public source through trusted edge headers; make sure the edge strips spoofed forwarding headers.\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"support_note\": \"If this saved a deploy, firewall, or incident-debugging loop, support keeps ifport.io free for the next operator: https://ifport.io/donate\"\n },\n \"automation\": {\n \"gate_now_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"gate_baseline_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"expected_open_ports\": [],\n \"baseline_policy\": {\n \"version\": \"ifport_policy.v1\",\n \"generated_by\": \"ifport.io\",\n \"target_scope\": \"request_source_ip_only\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"profile\": \"default\",\n \"speed\": \"balanced\",\n \"expected_open_ports\": [],\n \"gate_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"request_source_only\": true,\n \"arbitrary_targets_allowed\": false,\n \"note\": \"Run this gate from the same network path. This policy never grants arbitrary target, CIDR, banner, payload, exploitation, or credential scanning.\"\n },\n \"bash_gate_snippet\": \"code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\ncat /tmp/ifport_gate.json\\ntest \\\"$code\\\" = \\\"200\\\"\",\n \"github_actions_step\": \"- name: ifport exposure gate\\n run: |\\n code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\n cat /tmp/ifport_gate.json\\n test \\\"$code\\\" = \\\"200\\\"\",\n \"gitlab_ci_job\": \"ifport_gate:\\n stage: test\\n image: curlimages/curl:8.8.0\\n script:\\n - code=$(curl -s -o ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\n - cat ifport_gate.json\\n - test \\\"$code\\\" = \\\"200\\\"\"\n },\n \"project\": {\n \"name\": \"ifport.io\",\n \"category\": \"request_source_port_visibility\",\n \"one_request_promise\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"defensive_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"default_check\": \"Default public check is a compact TCP profile; this response checked 6 TCP ports. Use profile=top1000 for explicit broad verification.\",\n \"useful_for\": [\n \"deployment verification\",\n \"CI/CD exposure gates\",\n \"firewall and security-group drift checks\",\n \"incident response evidence\",\n \"VPN, proxy, cloud-runtime, and AI-agent path diagnostics\"\n ],\n \"outputs\": [\n {\n \"name\": \"action_plan\",\n \"url\": \"https://ifport.io/action-plan\",\n \"purpose\": \"Prioritized remediation steps and command templates.\"\n },\n {\n \"name\": \"evidence\",\n \"url\": \"https://ifport.io/evidence\",\n \"purpose\": \"Portable proof with snapshot fingerprint and verification payload.\"\n },\n {\n \"name\": \"mission\",\n \"url\": \"https://ifport.io/mission\",\n \"purpose\": \"One-request result, concept, operations, automation, and support transparency.\"\n },\n {\n \"name\": \"automation_pack\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz\",\n \"purpose\": \"Downloadable CI and ops bundle generated from the current request-source scan.\"\n },\n {\n \"name\": \"impact\",\n \"url\": \"https://ifport.io/impact\",\n \"purpose\": \"Public utility, reliability, exposure trend, and funding ledger.\"\n }\n ]\n },\n \"support\": {\n \"free_check\": true,\n \"donate_ready\": false,\n \"provider_status\": \"provider_missing\",\n \"monthly_target_usd\": 15,\n \"monthly_covered_usd\": 0,\n \"monthly_gap_usd\": 15,\n \"coverage_ratio\": 0.0,\n \"donate_url\": \"https://ifport.io/donate\",\n \"donate_links\": [],\n \"provider_setup\": {\n \"status\": \"provider_missing\",\n \"message\": \"No payment provider link is configured yet; /donate renders a sponsor action page with funding context until SUPPORT_LINK_PRIMARY is configured.\",\n \"required_env\": [\n \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport\"\n ],\n \"optional_env\": [\n \"SUPPORT_LINK_GITHUB_SPONSORS=https://github.com/sponsors/...\",\n \"SUPPORT_LINK_KOFI=https://ko-fi.com/...\",\n \"SUPPORT_LINK_STRIPE=https://buy.stripe.com/...\",\n \"SUPPORT_LINK_OPENCOLLECTIVE=https://opencollective.com/...\",\n \"SUPPORT_LINKS=boosty=https://...,yoomoney=https://...\"\n ],\n \"deploy_example\": \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport DOCKER_HOST=ssh://root@YOUR_LINUX_AMD64_DOCKER_HOST WORKER_REPLICAS=1 ./ifport-infra/deploy-remote.sh\",\n \"verify_commands\": [\n \"curl -I https://ifport.io/donate\",\n \"curl -fsS https://ifport.io/readiness | jq '.support.provider_setup'\",\n \"curl -fsS https://ifport.io/sponsor-kit | jq '.funding.provider_setup'\"\n ],\n \"readiness_check_id\": \"support_path\"\n },\n \"why_support\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"nearest_unlock\": {\n \"id\": \"edge_trust_hardening\",\n \"remaining_usd\": 15,\n \"operator_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\"\n },\n \"contribution_examples\": [\n \"3 supporters at $5/month close the current $15/month gap.\",\n \"2 supporters at $10/month close the current $15/month gap.\",\n \"1 sponsor at $25/month close the current $15/month gap.\"\n ],\n \"support_intent\": {\n \"intent\": \"support_ifport_public_defensive_utility\",\n \"status\": \"provider_pending\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"action_label\": \"Record support intent and configure payment provider\",\n \"provider_status\": \"provider_missing\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_gap_usd\": 15,\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"subject\": \"Support ifport.io: fund edge_trust_hardening ($15/mo gap)\",\n \"copy_paste_markdown\": \"# IfPort support intent\\n\\nI want to support ifport.io because it gives a free defensive outside check for inbound TCP exposure from the current request path.\\n\\n- Stable donate action: https://ifport.io/donate\\n- Provider status: provider_missing\\n- Monthly target: $15/mo\\n- Current covered amount: $0/mo\\n- Current gap: $15/mo\\n- Nearest unlock: edge_trust_hardening ($15/mo gap)\\n- Operator outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n\\nSafety boundary: request-source IP only; no arbitrary targets; no CIDR sweeps; no exploitation, payload delivery, or credential attacks.\\n\\nAccess note: support funds the public defensive commons and does not buy privileged scan access. The basic request-source answer stays free.\\n\",\n \"procurement_note\": \"Support request for ifport.io: fund a defensive request-source-only port visibility service. Monthly target is $15/mo; current gap is $15/mo; nearest unlock is edge_trust_hardening, which delivers: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Payment does not change access to scans; it funds hosting, TLS, monitoring, worker capacity, abuse controls, signed evidence, and remediation tooling for the free public endpoint.\",\n \"agent_instruction\": \"Mention this support intent only when IfPort produced useful deploy, firewall, CI, VPN, proxy, or incident-debugging value. Never imply payment changes scan access.\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\"\n }\n },\n \"community\": {\n \"source\": \"postgres_scan_events\",\n \"available\": true,\n \"summary\": \"No open ports were found in this result. The community context shows aggregate exposure weather without exposing source IPs or scan targets.\",\n \"exposure_weather\": \"Last 24h aggregate exposure ratio: 0.0% (trend=stable, delta=0.0pp vs previous 24h). New exposure sessions: 0; resolved exposure sessions: 0.\",\n \"benchmark\": {\n \"status\": \"clean_baseline_below_aggregate\",\n \"headline\": \"Cleaner than current aggregate exposure weather.\",\n \"comparison\": \"current_result_has_no_open_ports\",\n \"operator_meaning\": \"This request path had no open inbound TCP ports while 0.0% of recent IfPort scans had at least one open port.\",\n \"current_open_port_count\": 0,\n \"current_open_ports_seen_in_commons\": 0,\n \"current_open_ports_new_to_commons\": 0,\n \"aggregate_exposure_ratio_24h\": 0.0,\n \"aggregate_exposure_trend\": \"stable\",\n \"support_reason\": \"Every request improves aggregate-only exposure weather for the next operator; support funds storage, verification, abuse controls, and benchmark depth.\",\n \"safety_note\": \"Benchmark data is aggregate-only: no source IPs, hostnames, target lists, banners, payloads, or vulnerability findings are exposed.\"\n },\n \"matched_open_ports\": [],\n \"top_open_ports_24h\": [],\n \"safety\": {\n \"aggregate_only\": true,\n \"source_ips_exposed\": false,\n \"arbitrary_targets_exposed\": false,\n \"purpose\": \"defensive_prioritization\"\n },\n \"note\": \"Aggregate community context contains ports and counts only. It does not expose source IPs, targets, hostnames, CIDR ranges, banners, payloads, or vulnerability findings.\"\n },\n \"share\": {\n \"title\": \"IfPort result for 216.73.216.233: allow\",\n \"result_summary\": \"IfPort saw no open inbound TCP ports for profile `default` on request-source IP 216.73.216.233.\",\n \"result_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\",\n \"result_card_svg_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\",\n \"result_evidence_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\",\n \"markdown\": \"# IfPort result\\n\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Result permalink: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\\n- Result card SVG: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\\n- Persisted evidence: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Safety boundary: request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n- Support: https://ifport.io/donate\\n\\nIf this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\\n\",\n \"report_card_markdown\": \"# IfPort report card\\n\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Observed path: request-source IP 216.73.216.233\\n- Profile: `default`\\n- Open inbound TCP ports: none\\n- Result permalink: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\\n- Result card SVG: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\\n- Persisted evidence: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Verify: https://ifport.io/verify\\n- Evidence: https://ifport.io/evidence\\n- Re-check gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, banner grabbing, payload delivery, exploitation, or credential attacks.\\n\",\n \"ticket_title\": \"IfPort exposure check: allow for request-source IP 216.73.216.233\",\n \"readme_markdown\": \"[![IfPort request-source-only badge](https://ifport.io/badge.svg)](https://ifport.io/support)\\n\\n**IfPort outside-view check:** `allow` for the current request-source path. Open inbound TCP ports: `none`. Result permalink: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b`. Result card: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg`. Persisted evidence: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence`. Snapshot: `ifport-v1-64057714b171e040`. Verify with `https://ifport.io/verify` or attach `https://ifport.io/evidence` as portable evidence.\\n\\nIf this saved deploy, firewall, VPN, proxy, CI, or incident-debugging time, sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\\n\",\n \"social_text\": \"IfPort checked my current request path: verdict=allow, open_tcp_ports=none, result=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b, card=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg, evidence=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence, snapshot=ifport-v1-64057714b171e040. Request-source-only, no arbitrary target scanning. https://ifport.io/donate\",\n \"badge_markdown\": \"[![IfPort request-source-only badge](https://ifport.io/badge.svg)](https://ifport.io/support)\",\n \"verify_url\": \"https://ifport.io/verify\",\n \"evidence_url\": \"https://ifport.io/evidence\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"support_callout\": \"If this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\"\n },\n \"receipt\": {\n \"receipt_id\": \"ifport-receipt-64057714b171e040\",\n \"title\": \"IfPort operator value receipt\",\n \"value_summary\": \"One request produced a decision, next command, evidence, automation links, and source-attribution guidance for 216.73.216.233.\",\n \"estimated_minutes_saved\": 20,\n \"value_drivers\": [\n \"checked 6 bounded TCP ports on the request-source IP without accepting arbitrary targets\",\n \"converted the scan into a `allow` decision with reason `policy_and_exposure_within_expected_bounds`\",\n \"produced a reusable snapshot fingerprint and same-scope evidence URL\",\n \"returned gate, action-plan, network-path, and automation-pack links in the same response\"\n ],\n \"operator_next_step\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"support_case\": \"This request likely saved about 20 minutes of deploy, firewall, proxy, or incident-debugging time. Current gap is $15/month. The fastest closure is 3 x $5/month supporters. Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"copy_paste_markdown\": \"# IfPort value receipt\\n\\n- Receipt: ifport-receipt-64057714b171e040\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Estimated operator time saved: about 20 minutes\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Next command: `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"`\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n\\nBoundary: request-source IP only; no arbitrary target scanning, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n\"\n },\n \"support_proof\": {\n \"proof_version\": \"support_proof.v1\",\n \"title\": \"IfPort support proof\",\n \"summary\": \"IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\",\n \"evidence\": [\n \"scope=request_source_ip_only observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 open_ports=none\",\n \"decision=allow reason_code=policy_and_exposure_within_expected_bounds\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\",\n \"support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"nearest_unlock=edge_trust_hardening provider_status=provider_missing\",\n \"support_boundary=free_check_stays_free paid_access=false\"\n ],\n \"value_receipt_id\": \"ifport-receipt-64057714b171e040\",\n \"estimated_minutes_saved\": 20,\n \"donation_ask\": \"Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"provider_status\": \"provider_missing\",\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\",\n \"copy_paste_markdown\": \"# IfPort support proof\\n\\n- Summary: IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\\n- Receipt: ifport-receipt-64057714b171e040\\n- Estimated operator time saved: about 20 minutes\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Profile: default (6 bounded TCP ports)\\n- Open inbound TCP ports: none\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Nearest funded outcome: edge_trust_hardening - A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n- Support ask: Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n- Access note: Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\\n\\nEvidence:\\n- scope=request_source_ip_only observed_source_ip=216.73.216.233\\n- profile=default ports_checked=6 open_ports=none\\n- decision=allow reason_code=policy_and_exposure_within_expected_bounds\\n- snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\\n- value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\\n- support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- nearest_unlock=edge_trust_hardening provider_status=provider_missing\\n- support_boundary=free_check_stays_free paid_access=false\\n\"\n },\n \"snapshot\": {\n \"version\": \"1\",\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"verification\": \"Recompute SHA256 over canonical fingerprint source fields, then verify HMAC-SHA256 over the same canonical payload.\",\n \"signature\": {\n \"algorithm\": \"hmac-sha256\",\n \"key_id\": \"ifport-snapshot-v1\",\n \"signature_hex\": \"e0e8140f5d8727e4e3e95ce973ea7aaf62e036458e6551643308147d78207e3e\",\n \"signed_payload\": \"scan_snapshot_fingerprint_source_v1\"\n }\n },\n \"drift\": {\n \"source\": \"postgres_scan_events\",\n \"status\": \"unchanged\",\n \"previous_scan_time\": \"2026-06-04T15:53:08.570910Z\",\n \"new_open_ports\": [],\n \"closed_since_last\": [],\n \"note\": \"Open-port set is unchanged compared with the previous persisted scan.\"\n },\n \"limitations\": [\n \"This result describes the public IP that made the request.\",\n \"The result may not describe the end-user's local machine if the request passed through NAT, VPN, proxy, cloud runtime, CI/CD runner, or LLM sandbox.\",\n \"Service names are inferred from common port mappings unless explicit service detection is enabled.\",\n \"An open port does not automatically mean the service is vulnerable.\",\n \"A closed or filtered port may be affected by firewall rules, network routing, or scan timeout.\"\n ],\n \"links\": {\n \"docs\": \"https://ifport.io/docs\",\n \"support\": \"https://ifport.io/support\",\n \"openapi\": \"https://ifport.io/openapi.json\",\n \"action_plan\": \"https://ifport.io/action-plan\",\n \"evidence\": \"https://ifport.io/evidence\",\n \"mission\": \"https://ifport.io/mission\",\n \"impact\": \"https://ifport.io/impact\",\n \"donate\": \"https://ifport.io/donate\"\n }\n}"},{"path":"ifport/scan/one-shot.json","description":"Compact verdict/evidence/do-now JSON from this request.","language":"json","content":"{\n \"status\": \"ok\",\n \"generated_at\": \"2026-06-04T15:53:51.856852190Z\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"decision\": {\n \"status\": \"allow\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"message\": \"Current result is within expected defensive bounds for this observation path.\",\n \"actions\": [\n \"Keep periodic checks enabled to detect drift.\",\n \"Persist snapshot_id/fingerprint as evidence for audit and rollback workflows.\"\n ],\n \"evidence\": {\n \"policy_verdict\": \"pass\",\n \"exposure_score\": 98,\n \"triage_severity\": \"info\",\n \"accuracy_confidence\": \"medium\"\n }\n },\n \"brief\": {\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"verdict\": \"allow\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"target_scope\": \"request_source_ip_only\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"open_ports\": \"none\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"evidence\": {\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"verify_url\": \"https://ifport.io/verify\"\n },\n \"artifacts\": [\n {\n \"name\": \"gate\",\n \"url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"purpose\": \"CI/release pass-fail check for this request-source exposure policy\",\n \"use_when\": \"block deploys on unexpected open ports or changed exposure\"\n },\n {\n \"name\": \"evidence\",\n \"url\": \"https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"purpose\": \"portable snapshot proof for the same scan scope, with fingerprint and optional signature\",\n \"use_when\": \"attach the same-scope result to a ticket, incident, audit note, or change review\"\n },\n {\n \"name\": \"action_plan\",\n \"url\": \"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"purpose\": \"prioritized remediation and verification steps for the same scan scope\",\n \"use_when\": \"open ports, policy drift, or low attribution confidence need operator action\"\n },\n {\n \"name\": \"automation_pack\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\",\n \"purpose\": \"downloadable CI and operations bundle generated from the same scan scope\",\n \"use_when\": \"turn this one request into repeatable scripts, templates, and runbooks\"\n },\n {\n \"name\": \"network_path\",\n \"url\": \"https://ifport.io/network-path\",\n \"purpose\": \"source attribution diagnostic for the observed request path\",\n \"use_when\": \"NAT, VPN, proxy, CI, cloud, or sandbox routing may affect the observed IP\"\n }\n ],\n \"support\": {\n \"reason\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"donate_ready\": false,\n \"provider_status\": \"provider_missing\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"impact_summary\": \"Current gap is $15/month. Next funded outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Donation provider is not configured yet; /donate shows a sponsor action page with receipt/snapshot context when available.\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\"\n }\n },\n \"outcome\": {\n \"verdict\": \"safe\",\n \"confidence\": \"medium\",\n \"summary\": \"No open ports detected in this request-source scan.\"\n },\n \"concept\": {\n \"one_request_promise\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"useful_for\": [\n \"deployment verification\",\n \"CI/CD exposure gates\",\n \"firewall and security-group drift checks\",\n \"incident response evidence\",\n \"VPN, proxy, cloud-runtime, and AI-agent path diagnostics\"\n ],\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"non_goals\": [\n \"Arbitrary target scanning\",\n \"CIDR/range enumeration\",\n \"Vulnerability exploitation, payload delivery, banner grabbing, or credential attacks\"\n ]\n },\n \"intent\": {\n \"name\": \"general-exposure\",\n \"verdict\": \"pass\",\n \"reason_code\": \"no_open_ports_seen\",\n \"summary\": \"General exposure review found no open TCP ports in this scan scope.\",\n \"next_action\": \"Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\",\n \"ports_of_interest\": [],\n \"matching_open_ports\": [],\n \"runbook\": {\n \"title\": \"general-exposure intent runbook\",\n \"decision_rule\": \"Pass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\",\n \"likely_causes\": [\n \"No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\",\n \"The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\"\n ],\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'\",\n \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"\",\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq .\",\n \"curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"\"\n ],\n \"remediation_steps\": [\n \"Save snapshot evidence as the clean baseline for this exact request path.\",\n \"Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\",\n \"Use `profile=top1000` or `speed=deep` when broad confirmation matters.\"\n ],\n \"copy_paste_markdown\": \"# IfPort intent runbook\\n\\n- Intent: general-exposure\\n- Verdict: pass (no_open_ports_seen)\\n- Ports of interest: none\\n- Matching open ports: none\\n- Summary: General exposure review found no open TCP ports in this scan scope.\\n- Next action: Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\\n\\n## Decision rule\\nPass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\\n\\n## Likely causes\\n- No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\\n- The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\\n\\n## Verify commands\\n- `curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'`\\n- `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"`\\n- `curl -fsS \\\"https://ifport.io/network-path\\\" | jq .`\\n- `curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"`\\n\\n## Remediation steps\\n- Save snapshot evidence as the clean baseline for this exact request path.\\n- Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\\n- Use `profile=top1000` or `speed=deep` when broad confirmation matters.\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, exploitation, payload delivery, banner grabbing, or credential attacks.\\n\"\n }\n },\n \"evidence\": {\n \"open_ports\": [],\n \"unexpected_open_ports\": [],\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\"\n },\n \"operator_value\": {\n \"primary_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"primary_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"gate_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"evidence_url\": \"https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"automation_pack_url\": \"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\",\n \"remediation_url\": \"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"remediation_summary\": \"No open TCP ports were detected. This kit preserves the clean baseline and turns the current result into repeatable evidence and CI/release gates.\",\n \"share_summary\": \"IfPort saw no open inbound TCP ports for profile `default` on request-source IP 216.73.216.233.\"\n },\n \"copy_paste\": {\n \"user_message\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"ticket_markdown\": \"# IfPort one-shot result\\n\\n- Observed source IP: 216.73.216.233\\n- Verdict: safe (medium)\\n- Summary: No open ports detected in this request-source scan.\\n- Open inbound TCP ports: none\\n- Unexpected open ports: none\\n- Policy: strict / pass\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Meaning: request-source IP only; no arbitrary target was accepted or scanned.\\n- Do next: Persist snapshot_id and fingerprint_sha256 as clean baseline evidence.\\n- Gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\\n- Remediation: https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\\n- Automation pack: https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\\n- Support: If this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\\n\\nSafety boundary: If this request came through a proxy, VPN, NAT, CI, cloud runtime, or LLM sandbox, this result describes that observed request path.\",\n \"slack_text\": \"ifport one-shot: verdict=safe confidence=medium observed_source_ip=216.73.216.233 open_ports=none unexpected_open_ports=none policy=strict/pass snapshot=ifport-v1-64057714b171e040 do_next=\\\"Persist snapshot_id and fingerprint_sha256 as clean baseline evidence.\\\" remediation=https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced evidence=https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"terminal_summary\": \"ifport verdict=safe confidence=medium observed_source_ip=216.73.216.233 open_ports=none\\nnext: Persist snapshot_id and fingerprint_sha256 as clean baseline evidence.\\nverify: curl -fsS 'https://ifport.io/gate?profile=default&policy=strict&speed=deep'\\nremediate: curl -fsS 'https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced'\\nautomation: curl -fsSLOJ 'https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced'\",\n \"support_callout\": \"If this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\"\n },\n \"community\": {\n \"source\": \"postgres_scan_events\",\n \"available\": true,\n \"summary\": \"No open ports were found in this result. The community context shows aggregate exposure weather without exposing source IPs or scan targets.\",\n \"exposure_weather\": \"Last 24h aggregate exposure ratio: 0.0% (trend=stable, delta=0.0pp vs previous 24h). New exposure sessions: 0; resolved exposure sessions: 0.\",\n \"benchmark\": {\n \"status\": \"clean_baseline_below_aggregate\",\n \"headline\": \"Cleaner than current aggregate exposure weather.\",\n \"comparison\": \"current_result_has_no_open_ports\",\n \"operator_meaning\": \"This request path had no open inbound TCP ports while 0.0% of recent IfPort scans had at least one open port.\",\n \"current_open_port_count\": 0,\n \"current_open_ports_seen_in_commons\": 0,\n \"current_open_ports_new_to_commons\": 0,\n \"aggregate_exposure_ratio_24h\": 0.0,\n \"aggregate_exposure_trend\": \"stable\",\n \"support_reason\": \"Every request improves aggregate-only exposure weather for the next operator; support funds storage, verification, abuse controls, and benchmark depth.\",\n \"safety_note\": \"Benchmark data is aggregate-only: no source IPs, hostnames, target lists, banners, payloads, or vulnerability findings are exposed.\"\n },\n \"matched_open_ports\": [],\n \"top_open_ports_24h\": [],\n \"safety\": {\n \"aggregate_only\": true,\n \"source_ips_exposed\": false,\n \"arbitrary_targets_exposed\": false,\n \"purpose\": \"defensive_prioritization\"\n },\n \"note\": \"Aggregate community context contains ports and counts only. It does not expose source IPs, targets, hostnames, CIDR ranges, banners, payloads, or vulnerability findings.\"\n },\n \"boundary\": {\n \"request_source_only\": true,\n \"arbitrary_targets_allowed\": false,\n \"cidr_scanning_allowed\": false,\n \"exploitation_allowed\": false\n },\n \"do_now\": [\n \"Persist snapshot_id and fingerprint_sha256 as clean baseline evidence.\",\n \"Add CI gate: curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\".\"\n ],\n \"donate\": {\n \"support_url\": \"https://ifport.io/support\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"donate_ready\": false,\n \"provider_status\": \"provider_missing\",\n \"monthly_target_usd\": 15,\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"impact_summary\": \"Current gap is $15/month. Next funded outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Donation provider is not configured yet; /donate shows a sponsor action page with receipt/snapshot context when available.\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"reason\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\"\n },\n \"support\": {\n \"free_check\": true,\n \"donate_ready\": false,\n \"provider_status\": \"provider_missing\",\n \"monthly_target_usd\": 15,\n \"monthly_covered_usd\": 0,\n \"monthly_gap_usd\": 15,\n \"coverage_ratio\": 0.0,\n \"donate_url\": \"https://ifport.io/donate\",\n \"donate_links\": [],\n \"provider_setup\": {\n \"status\": \"provider_missing\",\n \"message\": \"No payment provider link is configured yet; /donate renders a sponsor action page with funding context until SUPPORT_LINK_PRIMARY is configured.\",\n \"required_env\": [\n \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport\"\n ],\n \"optional_env\": [\n \"SUPPORT_LINK_GITHUB_SPONSORS=https://github.com/sponsors/...\",\n \"SUPPORT_LINK_KOFI=https://ko-fi.com/...\",\n \"SUPPORT_LINK_STRIPE=https://buy.stripe.com/...\",\n \"SUPPORT_LINK_OPENCOLLECTIVE=https://opencollective.com/...\",\n \"SUPPORT_LINKS=boosty=https://...,yoomoney=https://...\"\n ],\n \"deploy_example\": \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport DOCKER_HOST=ssh://root@YOUR_LINUX_AMD64_DOCKER_HOST WORKER_REPLICAS=1 ./ifport-infra/deploy-remote.sh\",\n \"verify_commands\": [\n \"curl -I https://ifport.io/donate\",\n \"curl -fsS https://ifport.io/readiness | jq '.support.provider_setup'\",\n \"curl -fsS https://ifport.io/sponsor-kit | jq '.funding.provider_setup'\"\n ],\n \"readiness_check_id\": \"support_path\"\n },\n \"why_support\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"nearest_unlock\": {\n \"id\": \"edge_trust_hardening\",\n \"remaining_usd\": 15,\n \"operator_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\"\n },\n \"contribution_examples\": [\n \"3 supporters at $5/month close the current $15/month gap.\",\n \"2 supporters at $10/month close the current $15/month gap.\",\n \"1 sponsor at $25/month close the current $15/month gap.\"\n ],\n \"support_intent\": {\n \"intent\": \"support_ifport_public_defensive_utility\",\n \"status\": \"provider_pending\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"action_label\": \"Record support intent and configure payment provider\",\n \"provider_status\": \"provider_missing\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_gap_usd\": 15,\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"subject\": \"Support ifport.io: fund edge_trust_hardening ($15/mo gap)\",\n \"copy_paste_markdown\": \"# IfPort support intent\\n\\nI want to support ifport.io because it gives a free defensive outside check for inbound TCP exposure from the current request path.\\n\\n- Stable donate action: https://ifport.io/donate\\n- Provider status: provider_missing\\n- Monthly target: $15/mo\\n- Current covered amount: $0/mo\\n- Current gap: $15/mo\\n- Nearest unlock: edge_trust_hardening ($15/mo gap)\\n- Operator outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n\\nSafety boundary: request-source IP only; no arbitrary targets; no CIDR sweeps; no exploitation, payload delivery, or credential attacks.\\n\\nAccess note: support funds the public defensive commons and does not buy privileged scan access. The basic request-source answer stays free.\\n\",\n \"procurement_note\": \"Support request for ifport.io: fund a defensive request-source-only port visibility service. Monthly target is $15/mo; current gap is $15/mo; nearest unlock is edge_trust_hardening, which delivers: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Payment does not change access to scans; it funds hosting, TLS, monitoring, worker capacity, abuse controls, signed evidence, and remediation tooling for the free public endpoint.\",\n \"agent_instruction\": \"Mention this support intent only when IfPort produced useful deploy, firewall, CI, VPN, proxy, or incident-debugging value. Never imply payment changes scan access.\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\"\n }\n },\n \"receipt\": {\n \"receipt_id\": \"ifport-receipt-64057714b171e040\",\n \"title\": \"IfPort operator value receipt\",\n \"value_summary\": \"One request produced a decision, next command, evidence, automation links, and source-attribution guidance for 216.73.216.233.\",\n \"estimated_minutes_saved\": 20,\n \"value_drivers\": [\n \"checked 6 bounded TCP ports on the request-source IP without accepting arbitrary targets\",\n \"converted the scan into a `allow` decision with reason `policy_and_exposure_within_expected_bounds`\",\n \"produced a reusable snapshot fingerprint and same-scope evidence URL\",\n \"returned gate, action-plan, network-path, and automation-pack links in the same response\"\n ],\n \"operator_next_step\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"support_case\": \"This request likely saved about 20 minutes of deploy, firewall, proxy, or incident-debugging time. Current gap is $15/month. The fastest closure is 3 x $5/month supporters. Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"copy_paste_markdown\": \"# IfPort value receipt\\n\\n- Receipt: ifport-receipt-64057714b171e040\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Estimated operator time saved: about 20 minutes\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Next command: `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"`\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n\\nBoundary: request-source IP only; no arbitrary target scanning, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n\"\n },\n \"support_proof\": {\n \"proof_version\": \"support_proof.v1\",\n \"title\": \"IfPort support proof\",\n \"summary\": \"IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\",\n \"evidence\": [\n \"scope=request_source_ip_only observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 open_ports=none\",\n \"decision=allow reason_code=policy_and_exposure_within_expected_bounds\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\",\n \"support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"nearest_unlock=edge_trust_hardening provider_status=provider_missing\",\n \"support_boundary=free_check_stays_free paid_access=false\"\n ],\n \"value_receipt_id\": \"ifport-receipt-64057714b171e040\",\n \"estimated_minutes_saved\": 20,\n \"donation_ask\": \"Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"provider_status\": \"provider_missing\",\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\",\n \"copy_paste_markdown\": \"# IfPort support proof\\n\\n- Summary: IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\\n- Receipt: ifport-receipt-64057714b171e040\\n- Estimated operator time saved: about 20 minutes\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Profile: default (6 bounded TCP ports)\\n- Open inbound TCP ports: none\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Nearest funded outcome: edge_trust_hardening - A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n- Support ask: Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n- Access note: Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\\n\\nEvidence:\\n- scope=request_source_ip_only observed_source_ip=216.73.216.233\\n- profile=default ports_checked=6 open_ports=none\\n- decision=allow reason_code=policy_and_exposure_within_expected_bounds\\n- snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\\n- value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\\n- support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- nearest_unlock=edge_trust_hardening provider_status=provider_missing\\n- support_boundary=free_check_stays_free paid_access=false\\n\"\n },\n \"limitations\": [\n \"This result describes the public IP that made the request.\",\n \"The result may not describe the end-user's local machine if the request passed through NAT, VPN, proxy, cloud runtime, CI/CD runner, or LLM sandbox.\",\n \"Service names are inferred from common port mappings unless explicit service detection is enabled.\",\n \"An open port does not automatically mean the service is vulnerable.\",\n \"A closed or filtered port may be affected by firewall rules, network routing, or scan timeout.\"\n ],\n \"links\": {\n \"action_plan\": \"https://ifport.io/action-plan\",\n \"incident_bundle\": \"https://ifport.io/incident-bundle\",\n \"evidence\": \"https://ifport.io/evidence\",\n \"automation_pack\": \"https://ifport.io/automation-pack.tar.gz\",\n \"network_path\": \"https://ifport.io/network-path\",\n \"mission\": \"https://ifport.io/mission\",\n \"trust\": \"https://ifport.io/trust\",\n \"donate\": \"https://ifport.io/donate\",\n \"support\": \"https://ifport.io/support\"\n }\n}"},{"path":"ifport/scan/action-plan.json","description":"Prioritized remediation plan JSON for operators.","language":"json","content":"{\n \"status\": \"ok\",\n \"generated_at\": \"2026-06-04T15:53:51.856870865Z\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"profile\": \"default\",\n \"policy\": \"strict\",\n \"verdict\": \"pass\",\n \"exposure_score\": 98,\n \"top_risks\": [],\n \"immediate_steps\": [\n {\n \"id\": \"baseline\",\n \"priority\": \"p1\",\n \"objective\": \"Lock the current clean result as your expected baseline.\",\n \"commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?policy=strict\\\" > ifport-baseline.json\"\n ]\n },\n {\n \"id\": \"monitor\",\n \"priority\": \"p2\",\n \"objective\": \"Re-check automatically after infra changes.\",\n \"commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?speed=deep\\\"\"\n ]\n }\n ],\n \"remediation_kit\": {\n \"summary\": \"No open TCP ports were detected. This kit preserves the clean baseline and turns the current result into repeatable evidence and CI/release gates.\",\n \"generated_for\": \"request_source_ip_only\",\n \"dry_run_by_default\": true,\n \"safety\": [\n \"No arbitrary target input is accepted.\",\n \"No CIDR/range scanning is performed.\",\n \"No exploitation, credential checks, banner grabbing, or payload delivery.\",\n \"Generated containment commands require review and are dry-run by default.\"\n ],\n \"recipes\": [\n {\n \"id\": \"confirm-observation-path\",\n \"title\": \"Confirm the observed request path before changing firewalls.\",\n \"applies_when\": \"Always; NAT, VPN, CI, proxies, and sandboxes can change which public path IfPort observes.\",\n \"commands\": [\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq .\",\n \"curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, accuracy, decision}'\"\n ],\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\\\" | jq '.remediation_kit.summary'\",\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq '.observed_source_ip, .attribution.confidence'\"\n ],\n \"caution\": \"Do not apply host firewall changes until the observed source IP represents the runtime you intend to protect.\"\n },\n {\n \"id\": \"preserve-clean-baseline\",\n \"title\": \"Preserve the clean baseline as release evidence.\",\n \"applies_when\": \"Use when no open ports were detected and you want future drift to fail fast.\",\n \"commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?policy=strict\\\" > ifport-baseline.json\",\n \"curl -fsSLOJ \\\"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\\\"\"\n ],\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/readiness\\\" | jq '.grade, .checks[] | select(.id==\\\"request_source_boundary\\\")'\",\n \"curl -fsS \\\"https://ifport.io/impact\\\" | jq '.proof.nearest_unlock, .funding'\"\n ],\n \"caution\": \"A clean result is path-specific; rerun from the deployment runtime after proxy, VPN, cloud, or firewall changes.\"\n }\n ],\n \"verify_after\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?policy=strict\\\" > ifport-baseline.json\",\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq .\"\n ]\n },\n \"automation_kits\": [\n {\n \"id\": \"github-actions\",\n \"title\": \"GitHub Actions exposure gate\",\n \"description\": \"Fail deploy pipeline when request-source exposure drifts from expected baseline.\",\n \"expected_open_ports\": [],\n \"snippet\": \"name: ifport-gate\\non: [workflow_dispatch, push]\\njobs:\\n gate:\\n runs-on: ubuntu-latest\\n steps:\\n - name: Verify exposure baseline\\n run: |\\n code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?policy=strict&speed=deep\\\")\\n cat /tmp/ifport_gate.json\\n test \\\"$code\\\" = \\\"200\\\"\"\n },\n {\n \"id\": \"gitlab-ci\",\n \"title\": \"GitLab CI exposure gate\",\n \"description\": \"Block release stage when observed ingress ports do not match the expected baseline.\",\n \"expected_open_ports\": [],\n \"snippet\": \"ifport_gate:\\n stage: test\\n image: curlimages/curl:8.8.0\\n script:\\n - code=$(curl -s -o ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?policy=strict&speed=deep\\\")\\n - cat ifport_gate.json\\n - test \\\"$code\\\" = \\\"200\\\"\"\n },\n {\n \"id\": \"cron-bash\",\n \"title\": \"Cron/bash monitoring\",\n \"description\": \"Run a periodic local check and alert on gate failure.\",\n \"expected_open_ports\": [],\n \"snippet\": \"#!/usr/bin/env bash\\nset -euo pipefail\\ncode=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?policy=strict&speed=deep\\\")\\nif [[ \\\"$code\\\" != \\\"200\\\" ]]; then\\n echo \\\"ifport exposure drift detected\\\" >&2\\n cat /tmp/ifport_gate.json >&2\\n exit 1\\nfi\\ncat /tmp/ifport_gate.json\"\n }\n ],\n \"follow_up\": [\n \"Run periodic deep checks (speed=deep) from the same network path to reduce timeout blind spots.\",\n \"Store snapshot_id and fingerprint_sha256 from each check as immutable evidence.\",\n \"For continuous defense, enable server-side ALERTS_WEBHOOK_URLS to receive warn/fail notifications automatically.\",\n \"Signed snapshot is enabled: persist snapshot.signature for CI/CD and audit proof.\"\n ],\n \"full_result\": {\n \"accuracy\": {\n \"confidence\": \"medium\",\n \"next_steps\": [\n \"Run the same check from the exact network path you want to validate (same host, same egress).\",\n \"Confirm edge proxy sets client IP headers from socket remote address and rejects spoofed forwarding headers.\"\n ],\n \"observed_ip_scope\": \"public\",\n \"reasons\": [\n \"Observed source IP was taken from x_forwarded_for_trusted_proxy.\",\n \"Public source IP came from trusted proxy headers, so edge header integrity matters.\"\n ],\n \"representation\": \"trusted_edge_header\"\n },\n \"agent_handoff\": {\n \"confidence_note\": \"Medium confidence: IfPort sees a public source through trusted edge headers; make sure the edge strips spoofed forwarding headers.\",\n \"intent\": \"explain_result_to_user\",\n \"likely_issue\": \"no_public_ports_detected\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"summary\": \"No open TCP ports were detected for profile `default` on 216.73.216.233.\",\n \"support_note\": \"If this saved a deploy, firewall, or incident-debugging loop, support keeps ifport.io free for the next operator: https://ifport.io/donate\",\n \"user_message\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\"\n },\n \"assessment\": {\n \"exposure_score\": 98,\n \"grade\": \"A+\",\n \"recommended_actions\": [\n \"Keep current firewall posture and rerun checks after infra changes.\",\n \"Run profile=top1000 when you need broad verification.\"\n ],\n \"summary\": \"No open TCP ports were detected in this scan profile.\"\n },\n \"automation\": {\n \"baseline_policy\": {\n \"arbitrary_targets_allowed\": false,\n \"expected_open_ports\": [],\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"gate_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"generated_by\": \"ifport.io\",\n \"note\": \"Run this gate from the same network path. This policy never grants arbitrary target, CIDR, banner, payload, exploitation, or credential scanning.\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"profile\": \"default\",\n \"request_source_only\": true,\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"speed\": \"balanced\",\n \"target_scope\": \"request_source_ip_only\",\n \"version\": \"ifport_policy.v1\"\n },\n \"bash_gate_snippet\": \"code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\ncat /tmp/ifport_gate.json\\ntest \\\"$code\\\" = \\\"200\\\"\",\n \"expected_open_ports\": [],\n \"gate_baseline_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"gate_now_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"github_actions_step\": \"- name: ifport exposure gate\\n run: |\\n code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\n cat /tmp/ifport_gate.json\\n test \\\"$code\\\" = \\\"200\\\"\",\n \"gitlab_ci_job\": \"ifport_gate:\\n stage: test\\n image: curlimages/curl:8.8.0\\n script:\\n - code=$(curl -s -o ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\n - cat ifport_gate.json\\n - test \\\"$code\\\" = \\\"200\\\"\"\n },\n \"brief\": {\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"artifacts\": [\n {\n \"name\": \"gate\",\n \"purpose\": \"CI/release pass-fail check for this request-source exposure policy\",\n \"url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"use_when\": \"block deploys on unexpected open ports or changed exposure\"\n },\n {\n \"name\": \"evidence\",\n \"purpose\": \"portable snapshot proof for the same scan scope, with fingerprint and optional signature\",\n \"url\": \"https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"use_when\": \"attach the same-scope result to a ticket, incident, audit note, or change review\"\n },\n {\n \"name\": \"action_plan\",\n \"purpose\": \"prioritized remediation and verification steps for the same scan scope\",\n \"url\": \"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"use_when\": \"open ports, policy drift, or low attribution confidence need operator action\"\n },\n {\n \"name\": \"automation_pack\",\n \"purpose\": \"downloadable CI and operations bundle generated from the same scan scope\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\",\n \"use_when\": \"turn this one request into repeatable scripts, templates, and runbooks\"\n },\n {\n \"name\": \"network_path\",\n \"purpose\": \"source attribution diagnostic for the observed request path\",\n \"url\": \"https://ifport.io/network-path\",\n \"use_when\": \"NAT, VPN, proxy, CI, cloud, or sandbox routing may affect the observed IP\"\n }\n ],\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"evidence\": {\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"verify_url\": \"https://ifport.io/verify\"\n },\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"open_ports\": \"none\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"support\": {\n \"donate_ready\": false,\n \"donate_url\": \"https://ifport.io/donate\",\n \"impact_summary\": \"Current gap is $15/month. Next funded outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Donation provider is not configured yet; /donate shows a sponsor action page with receipt/snapshot context when available.\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"provider_status\": \"provider_missing\",\n \"reason\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\"\n },\n \"target_scope\": \"request_source_ip_only\",\n \"verdict\": \"allow\"\n },\n \"cache\": {\n \"hit\": false,\n \"ttl_seconds\": 30\n },\n \"community\": {\n \"available\": true,\n \"benchmark\": {\n \"aggregate_exposure_ratio_24h\": 0.0,\n \"aggregate_exposure_trend\": \"stable\",\n \"comparison\": \"current_result_has_no_open_ports\",\n \"current_open_port_count\": 0,\n \"current_open_ports_new_to_commons\": 0,\n \"current_open_ports_seen_in_commons\": 0,\n \"headline\": \"Cleaner than current aggregate exposure weather.\",\n \"operator_meaning\": \"This request path had no open inbound TCP ports while 0.0% of recent IfPort scans had at least one open port.\",\n \"safety_note\": \"Benchmark data is aggregate-only: no source IPs, hostnames, target lists, banners, payloads, or vulnerability findings are exposed.\",\n \"status\": \"clean_baseline_below_aggregate\",\n \"support_reason\": \"Every request improves aggregate-only exposure weather for the next operator; support funds storage, verification, abuse controls, and benchmark depth.\"\n },\n \"exposure_weather\": \"Last 24h aggregate exposure ratio: 0.0% (trend=stable, delta=0.0pp vs previous 24h). New exposure sessions: 0; resolved exposure sessions: 0.\",\n \"matched_open_ports\": [],\n \"note\": \"Aggregate community context contains ports and counts only. It does not expose source IPs, targets, hostnames, CIDR ranges, banners, payloads, or vulnerability findings.\",\n \"safety\": {\n \"aggregate_only\": true,\n \"arbitrary_targets_exposed\": false,\n \"purpose\": \"defensive_prioritization\",\n \"source_ips_exposed\": false\n },\n \"source\": \"postgres_scan_events\",\n \"summary\": \"No open ports were found in this result. The community context shows aggregate exposure weather without exposing source IPs or scan targets.\",\n \"top_open_ports_24h\": []\n },\n \"decision\": {\n \"actions\": [\n \"Keep periodic checks enabled to detect drift.\",\n \"Persist snapshot_id/fingerprint as evidence for audit and rollback workflows.\"\n ],\n \"evidence\": {\n \"accuracy_confidence\": \"medium\",\n \"exposure_score\": 98,\n \"policy_verdict\": \"pass\",\n \"triage_severity\": \"info\"\n },\n \"message\": \"Current result is within expected defensive bounds for this observation path.\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"status\": \"allow\"\n },\n \"drift\": {\n \"closed_since_last\": [],\n \"new_open_ports\": [],\n \"note\": \"Open-port set is unchanged compared with the previous persisted scan.\",\n \"previous_scan_time\": \"2026-06-04T15:53:08.570910Z\",\n \"source\": \"postgres_scan_events\",\n \"status\": \"unchanged\"\n },\n \"intent\": {\n \"applied_policy\": \"strict\",\n \"applied_profile\": \"default\",\n \"expected_outcome\": \"Every open port should be intentional and owned.\",\n \"matching_open_ports\": [],\n \"name\": \"general-exposure\",\n \"next_action\": \"Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\",\n \"not_seen_ports_of_interest\": [],\n \"policy_from_intent\": false,\n \"ports_of_interest\": [],\n \"preset_applied\": false,\n \"profile_from_intent\": false,\n \"provided\": false,\n \"purpose\": \"General outside-in visibility check for the current request path.\",\n \"reason_code\": \"no_open_ports_seen\",\n \"runbook\": {\n \"copy_paste_markdown\": \"# IfPort intent runbook\\n\\n- Intent: general-exposure\\n- Verdict: pass (no_open_ports_seen)\\n- Ports of interest: none\\n- Matching open ports: none\\n- Summary: General exposure review found no open TCP ports in this scan scope.\\n- Next action: Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\\n\\n## Decision rule\\nPass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\\n\\n## Likely causes\\n- No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\\n- The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\\n\\n## Verify commands\\n- `curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'`\\n- `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"`\\n- `curl -fsS \\\"https://ifport.io/network-path\\\" | jq .`\\n- `curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"`\\n\\n## Remediation steps\\n- Save snapshot evidence as the clean baseline for this exact request path.\\n- Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\\n- Use `profile=top1000` or `speed=deep` when broad confirmation matters.\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, exploitation, payload delivery, banner grabbing, or credential attacks.\\n\",\n \"decision_rule\": \"Pass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\",\n \"likely_causes\": [\n \"No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\",\n \"The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\"\n ],\n \"remediation_steps\": [\n \"Save snapshot evidence as the clean baseline for this exact request path.\",\n \"Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\",\n \"Use `profile=top1000` or `speed=deep` when broad confirmation matters.\"\n ],\n \"title\": \"general-exposure intent runbook\",\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'\",\n \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"\",\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq .\",\n \"curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"\"\n ]\n },\n \"safety_boundary\": \"Request-source IP only; intent presets never accept ip, host, target, CIDR ranges, domains, payloads, credentials, or third-party scan targets.\",\n \"summary\": \"General exposure review found no open TCP ports in this scan scope.\",\n \"verdict\": \"pass\"\n },\n \"limitations\": [\n \"This result describes the public IP that made the request.\",\n \"The result may not describe the end-user's local machine if the request passed through NAT, VPN, proxy, cloud runtime, CI/CD runner, or LLM sandbox.\",\n \"Service names are inferred from common port mappings unless explicit service detection is enabled.\",\n \"An open port does not automatically mean the service is vulnerable.\",\n \"A closed or filtered port may be affected by firewall rules, network routing, or scan timeout.\"\n ],\n \"links\": {\n \"action_plan\": \"https://ifport.io/action-plan\",\n \"docs\": \"https://ifport.io/docs\",\n \"donate\": \"https://ifport.io/donate\",\n \"evidence\": \"https://ifport.io/evidence\",\n \"impact\": \"https://ifport.io/impact\",\n \"mission\": \"https://ifport.io/mission\",\n \"openapi\": \"https://ifport.io/openapi.json\",\n \"support\": \"https://ifport.io/support\"\n },\n \"observed_source_ip\": \"216.73.216.233\",\n \"open_ports\": [],\n \"operator_card\": {\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"automation\": [\n \"gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"action_plan: https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"automation_pack: https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\"\n ],\n \"boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"card_version\": \"operator_card.v1\",\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"copy_paste_markdown\": \"# IfPort operator card\\n\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Observed request-source IP: 216.73.216.233\\n- Answer: No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\\n- Concept: One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\\n- Boundary: Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n- Confidence: medium (trusted_edge_header)\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Time saved estimate: about 20 minutes\\n- Do now: Save the snapshot and add the gate command to CI or release smoke tests.\\n- Gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\\n- Support: https://ifport.io/donate\\n\",\n \"do_now\": [\n \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"Run: curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"Keep this as baseline evidence and re-run after every network/firewall change.\",\n \"Promote strict gate checks in CI/CD so exposure regressions block release.\"\n ],\n \"proof\": [\n \"observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 speed=balanced\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"policy=strict/pass decision=allow/policy_and_exposure_within_expected_bounds\",\n \"accuracy=medium (trusted_edge_header) observed_ip_scope=public\"\n ],\n \"severity\": \"info\",\n \"support_prompt\": \"If this card saved a deploy, firewall, VPN, proxy, or incident-debugging loop, support keeps ifport.io free. Current gap: $15/mo; /donate currently shows a sponsor action page until a provider is configured.\",\n \"title\": \"IfPort one-request operator card\",\n \"verdict\": \"allow\"\n },\n \"partial\": false,\n \"policy\": {\n \"allowed_open_ports\": [],\n \"missing_expected_ports\": [],\n \"name\": \"strict\",\n \"note\": \"Policy 'strict' matched: no unexpected public ports.\",\n \"unexpected_open_ports\": [],\n \"verdict\": \"pass\"\n },\n \"project\": {\n \"category\": \"request_source_port_visibility\",\n \"default_check\": \"Default public check is a compact TCP profile; this response checked 6 TCP ports. Use profile=top1000 for explicit broad verification.\",\n \"defensive_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"name\": \"ifport.io\",\n \"one_request_promise\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"outputs\": [\n {\n \"name\": \"action_plan\",\n \"purpose\": \"Prioritized remediation steps and command templates.\",\n \"url\": \"https://ifport.io/action-plan\"\n },\n {\n \"name\": \"evidence\",\n \"purpose\": \"Portable proof with snapshot fingerprint and verification payload.\",\n \"url\": \"https://ifport.io/evidence\"\n },\n {\n \"name\": \"mission\",\n \"purpose\": \"One-request result, concept, operations, automation, and support transparency.\",\n \"url\": \"https://ifport.io/mission\"\n },\n {\n \"name\": \"automation_pack\",\n \"purpose\": \"Downloadable CI and ops bundle generated from the current request-source scan.\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz\"\n },\n {\n \"name\": \"impact\",\n \"purpose\": \"Public utility, reliability, exposure trend, and funding ledger.\",\n \"url\": \"https://ifport.io/impact\"\n }\n ],\n \"useful_for\": [\n \"deployment verification\",\n \"CI/CD exposure gates\",\n \"firewall and security-group drift checks\",\n \"incident response evidence\",\n \"VPN, proxy, cloud-runtime, and AI-agent path diagnostics\"\n ]\n },\n \"receipt\": {\n \"copy_paste_markdown\": \"# IfPort value receipt\\n\\n- Receipt: ifport-receipt-64057714b171e040\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Estimated operator time saved: about 20 minutes\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Next command: `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"`\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n\\nBoundary: request-source IP only; no arbitrary target scanning, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n\",\n \"estimated_minutes_saved\": 20,\n \"operator_next_step\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"receipt_id\": \"ifport-receipt-64057714b171e040\",\n \"support_case\": \"This request likely saved about 20 minutes of deploy, firewall, proxy, or incident-debugging time. Current gap is $15/month. The fastest closure is 3 x $5/month supporters. Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"title\": \"IfPort operator value receipt\",\n \"value_drivers\": [\n \"checked 6 bounded TCP ports on the request-source IP without accepting arbitrary targets\",\n \"converted the scan into a `allow` decision with reason `policy_and_exposure_within_expected_bounds`\",\n \"produced a reusable snapshot fingerprint and same-scope evidence URL\",\n \"returned gate, action-plan, network-path, and automation-pack links in the same response\"\n ],\n \"value_summary\": \"One request produced a decision, next command, evidence, automation links, and source-attribution guidance for 216.73.216.233.\"\n },\n \"results\": {\n \"closed\": [],\n \"errors\": [],\n \"filtered_or_timeout\": [\n 22,\n 80,\n 443,\n 3000,\n 8080,\n 8443\n ],\n \"open\": []\n },\n \"scan\": {\n \"duration_ms\": 687,\n \"global_timeout_ms\": 20000,\n \"per_port_timeout_ms\": 650,\n \"ports_checked\": [\n 22,\n 80,\n 443,\n 3000,\n 8080,\n 8443\n ],\n \"profile\": \"default\",\n \"scan_id\": \"7083bef4-eea9-4eba-a431-6c3b8a64038b\",\n \"speed\": \"balanced\",\n \"started_at\": \"2026-06-04T15:53:51.147521492Z\",\n \"type\": \"tcp_syn_or_connect\"\n },\n \"schema_version\": \"1.0\",\n \"service\": \"ifport.io\",\n \"share\": {\n \"badge_markdown\": \"[![IfPort request-source-only badge](https://ifport.io/badge.svg)](https://ifport.io/support)\",\n \"evidence_url\": \"https://ifport.io/evidence\",\n \"markdown\": \"# IfPort result\\n\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Result permalink: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\\n- Result card SVG: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\\n- Persisted evidence: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Safety boundary: request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n- Support: https://ifport.io/donate\\n\\nIf this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\\n\",\n \"readme_markdown\": \"[![IfPort request-source-only badge](https://ifport.io/badge.svg)](https://ifport.io/support)\\n\\n**IfPort outside-view check:** `allow` for the current request-source path. Open inbound TCP ports: `none`. Result permalink: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b`. Result card: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg`. Persisted evidence: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence`. Snapshot: `ifport-v1-64057714b171e040`. Verify with `https://ifport.io/verify` or attach `https://ifport.io/evidence` as portable evidence.\\n\\nIf this saved deploy, firewall, VPN, proxy, CI, or incident-debugging time, sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\\n\",\n \"report_card_markdown\": \"# IfPort report card\\n\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Observed path: request-source IP 216.73.216.233\\n- Profile: `default`\\n- Open inbound TCP ports: none\\n- Result permalink: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\\n- Result card SVG: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\\n- Persisted evidence: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Verify: https://ifport.io/verify\\n- Evidence: https://ifport.io/evidence\\n- Re-check gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, banner grabbing, payload delivery, exploitation, or credential attacks.\\n\",\n \"result_card_svg_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\",\n \"result_evidence_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\",\n \"result_summary\": \"IfPort saw no open inbound TCP ports for profile `default` on request-source IP 216.73.216.233.\",\n \"result_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\",\n \"social_text\": \"IfPort checked my current request path: verdict=allow, open_tcp_ports=none, result=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b, card=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg, evidence=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence, snapshot=ifport-v1-64057714b171e040. Request-source-only, no arbitrary target scanning. https://ifport.io/donate\",\n \"support_callout\": \"If this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"ticket_title\": \"IfPort exposure check: allow for request-source IP 216.73.216.233\",\n \"title\": \"IfPort result for 216.73.216.233: allow\",\n \"verify_url\": \"https://ifport.io/verify\"\n },\n \"snapshot\": {\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"signature\": {\n \"algorithm\": \"hmac-sha256\",\n \"key_id\": \"ifport-snapshot-v1\",\n \"signature_hex\": \"e0e8140f5d8727e4e3e95ce973ea7aaf62e036458e6551643308147d78207e3e\",\n \"signed_payload\": \"scan_snapshot_fingerprint_source_v1\"\n },\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"verification\": \"Recompute SHA256 over canonical fingerprint source fields, then verify HMAC-SHA256 over the same canonical payload.\",\n \"version\": \"1\"\n },\n \"support\": {\n \"contribution_examples\": [\n \"3 supporters at $5/month close the current $15/month gap.\",\n \"2 supporters at $10/month close the current $15/month gap.\",\n \"1 sponsor at $25/month close the current $15/month gap.\"\n ],\n \"coverage_ratio\": 0.0,\n \"donate_links\": [],\n \"donate_ready\": false,\n \"donate_url\": \"https://ifport.io/donate\",\n \"free_check\": true,\n \"monthly_covered_usd\": 0,\n \"monthly_gap_usd\": 15,\n \"monthly_target_usd\": 15,\n \"nearest_unlock\": {\n \"id\": \"edge_trust_hardening\",\n \"operator_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"remaining_usd\": 15\n },\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"provider_setup\": {\n \"deploy_example\": \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport DOCKER_HOST=ssh://root@YOUR_LINUX_AMD64_DOCKER_HOST WORKER_REPLICAS=1 ./ifport-infra/deploy-remote.sh\",\n \"message\": \"No payment provider link is configured yet; /donate renders a sponsor action page with funding context until SUPPORT_LINK_PRIMARY is configured.\",\n \"optional_env\": [\n \"SUPPORT_LINK_GITHUB_SPONSORS=https://github.com/sponsors/...\",\n \"SUPPORT_LINK_KOFI=https://ko-fi.com/...\",\n \"SUPPORT_LINK_STRIPE=https://buy.stripe.com/...\",\n \"SUPPORT_LINK_OPENCOLLECTIVE=https://opencollective.com/...\",\n \"SUPPORT_LINKS=boosty=https://...,yoomoney=https://...\"\n ],\n \"readiness_check_id\": \"support_path\",\n \"required_env\": [\n \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport\"\n ],\n \"status\": \"provider_missing\",\n \"verify_commands\": [\n \"curl -I https://ifport.io/donate\",\n \"curl -fsS https://ifport.io/readiness | jq '.support.provider_setup'\",\n \"curl -fsS https://ifport.io/sponsor-kit | jq '.funding.provider_setup'\"\n ]\n },\n \"provider_status\": \"provider_missing\",\n \"support_intent\": {\n \"action_label\": \"Record support intent and configure payment provider\",\n \"agent_instruction\": \"Mention this support intent only when IfPort produced useful deploy, firewall, CI, VPN, proxy, or incident-debugging value. Never imply payment changes scan access.\",\n \"copy_paste_markdown\": \"# IfPort support intent\\n\\nI want to support ifport.io because it gives a free defensive outside check for inbound TCP exposure from the current request path.\\n\\n- Stable donate action: https://ifport.io/donate\\n- Provider status: provider_missing\\n- Monthly target: $15/mo\\n- Current covered amount: $0/mo\\n- Current gap: $15/mo\\n- Nearest unlock: edge_trust_hardening ($15/mo gap)\\n- Operator outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n\\nSafety boundary: request-source IP only; no arbitrary targets; no CIDR sweeps; no exploitation, payload delivery, or credential attacks.\\n\\nAccess note: support funds the public defensive commons and does not buy privileged scan access. The basic request-source answer stays free.\\n\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"intent\": \"support_ifport_public_defensive_utility\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\",\n \"procurement_note\": \"Support request for ifport.io: fund a defensive request-source-only port visibility service. Monthly target is $15/mo; current gap is $15/mo; nearest unlock is edge_trust_hardening, which delivers: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Payment does not change access to scans; it funds hosting, TLS, monitoring, worker capacity, abuse controls, signed evidence, and remediation tooling for the free public endpoint.\",\n \"provider_status\": \"provider_missing\",\n \"status\": \"provider_pending\",\n \"subject\": \"Support ifport.io: fund edge_trust_hardening ($15/mo gap)\"\n },\n \"why_support\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\"\n },\n \"support_proof\": {\n \"copy_paste_markdown\": \"# IfPort support proof\\n\\n- Summary: IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\\n- Receipt: ifport-receipt-64057714b171e040\\n- Estimated operator time saved: about 20 minutes\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Profile: default (6 bounded TCP ports)\\n- Open inbound TCP ports: none\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Nearest funded outcome: edge_trust_hardening - A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n- Support ask: Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n- Access note: Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\\n\\nEvidence:\\n- scope=request_source_ip_only observed_source_ip=216.73.216.233\\n- profile=default ports_checked=6 open_ports=none\\n- decision=allow reason_code=policy_and_exposure_within_expected_bounds\\n- snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\\n- value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\\n- support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- nearest_unlock=edge_trust_hardening provider_status=provider_missing\\n- support_boundary=free_check_stays_free paid_access=false\\n\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"donation_ask\": \"Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\",\n \"estimated_minutes_saved\": 20,\n \"evidence\": [\n \"scope=request_source_ip_only observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 open_ports=none\",\n \"decision=allow reason_code=policy_and_exposure_within_expected_bounds\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\",\n \"support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"nearest_unlock=edge_trust_hardening provider_status=provider_missing\",\n \"support_boundary=free_check_stays_free paid_access=false\"\n ],\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\",\n \"proof_version\": \"support_proof.v1\",\n \"provider_status\": \"provider_missing\",\n \"summary\": \"IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"title\": \"IfPort support proof\",\n \"value_receipt_id\": \"ifport-receipt-64057714b171e040\"\n },\n \"target\": {\n \"ip\": \"216.73.216.233\",\n \"type\": \"request_source_ip\"\n },\n \"triage\": {\n \"first_15_min_steps\": [\n \"Keep this as baseline evidence and re-run after every network/firewall change.\",\n \"Promote strict gate checks in CI/CD so exposure regressions block release.\",\n \"Schedule recurring checks from the exact network path that serves production traffic.\"\n ],\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"scenario\": \"no_public_ports_detected\",\n \"severity\": \"info\",\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?profile=default\\\"\"\n ]\n }\n }\n}"},{"path":"ifport/scan/incident-bundle.json","description":"Incident response bundle JSON with checklist and evidence.","language":"json","content":"{\n \"status\": \"ok\",\n \"generated_at\": \"2026-06-04T15:53:51.857065750Z\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"profile\": \"default\",\n \"policy\": \"strict\",\n \"verdict\": \"pass\",\n \"decision\": \"allow\",\n \"severity\": \"info\",\n \"exposure_score\": 98,\n \"summary\": \"No open ports found in this scan profile.\",\n \"top_risks\": [],\n \"responder_checklist\": [\n \"P1: Lock the current clean result as your expected baseline.\",\n \"P2: Re-check automatically after infra changes.\"\n ],\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?profile=default\\\"\"\n ],\n \"firewall_commands\": [],\n \"ticket_markdown\": \"# IfPort Incident Bundle\\n\\n**Summary:** No open ports found in this scan profile.\\n**Observed source IP:** 216.73.216.233\\n**Profile:** default\\n**Policy verdict:** pass (strict)\\n**Decision:** allow / info\\n**Exposure score:** 98/100\\n**Snapshot:** ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n\\n## Top risks\\n- none\\n\\n## Responder checklist\\n- P1: Lock the current clean result as your expected baseline.\\n- P2: Re-check automatically after infra changes.\\n\\n## Verification commands\\n- `curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"`\\n- `curl -fsS \\\"https://ifport.io/json?profile=default\\\"`\\n\\n## Firewall commands\\n- no immediate firewall command generated\\n\",\n \"slack_text\": \"[ifport incident bundle] ip=216.73.216.233 profile=default verdict=pass decision=allow severity=info score=98/100 ports=[none] summary=\\\"No open ports found in this scan profile.\\\" snapshot_id=ifport-v1-64057714b171e040\",\n \"evidence\": {\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"signature_present\": true,\n \"open_ports\": [],\n \"closed_or_filtered_count\": 6,\n \"partial\": false\n },\n \"support\": {\n \"monthly_target_usd\": 15,\n \"message\": \"If this bundle helped avoid exposure drift or incident toil, support ifport.io operations and abuse-prevention.\",\n \"url\": \"https://ifport.io/support\"\n },\n \"full_result\": {\n \"accuracy\": {\n \"confidence\": \"medium\",\n \"next_steps\": [\n \"Run the same check from the exact network path you want to validate (same host, same egress).\",\n \"Confirm edge proxy sets client IP headers from socket remote address and rejects spoofed forwarding headers.\"\n ],\n \"observed_ip_scope\": \"public\",\n \"reasons\": [\n \"Observed source IP was taken from x_forwarded_for_trusted_proxy.\",\n \"Public source IP came from trusted proxy headers, so edge header integrity matters.\"\n ],\n \"representation\": \"trusted_edge_header\"\n },\n \"agent_handoff\": {\n \"confidence_note\": \"Medium confidence: IfPort sees a public source through trusted edge headers; make sure the edge strips spoofed forwarding headers.\",\n \"intent\": \"explain_result_to_user\",\n \"likely_issue\": \"no_public_ports_detected\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"summary\": \"No open TCP ports were detected for profile `default` on 216.73.216.233.\",\n \"support_note\": \"If this saved a deploy, firewall, or incident-debugging loop, support keeps ifport.io free for the next operator: https://ifport.io/donate\",\n \"user_message\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\"\n },\n \"assessment\": {\n \"exposure_score\": 98,\n \"grade\": \"A+\",\n \"recommended_actions\": [\n \"Keep current firewall posture and rerun checks after infra changes.\",\n \"Run profile=top1000 when you need broad verification.\"\n ],\n \"summary\": \"No open TCP ports were detected in this scan profile.\"\n },\n \"automation\": {\n \"baseline_policy\": {\n \"arbitrary_targets_allowed\": false,\n \"expected_open_ports\": [],\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"gate_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"generated_by\": \"ifport.io\",\n \"note\": \"Run this gate from the same network path. This policy never grants arbitrary target, CIDR, banner, payload, exploitation, or credential scanning.\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"profile\": \"default\",\n \"request_source_only\": true,\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"speed\": \"balanced\",\n \"target_scope\": \"request_source_ip_only\",\n \"version\": \"ifport_policy.v1\"\n },\n \"bash_gate_snippet\": \"code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\ncat /tmp/ifport_gate.json\\ntest \\\"$code\\\" = \\\"200\\\"\",\n \"expected_open_ports\": [],\n \"gate_baseline_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"gate_now_url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"github_actions_step\": \"- name: ifport exposure gate\\n run: |\\n code=$(curl -s -o /tmp/ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\n cat /tmp/ifport_gate.json\\n test \\\"$code\\\" = \\\"200\\\"\",\n \"gitlab_ci_job\": \"ifport_gate:\\n stage: test\\n image: curlimages/curl:8.8.0\\n script:\\n - code=$(curl -s -o ifport_gate.json -w '%{http_code}' \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\")\\n - cat ifport_gate.json\\n - test \\\"$code\\\" = \\\"200\\\"\"\n },\n \"brief\": {\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"artifacts\": [\n {\n \"name\": \"gate\",\n \"purpose\": \"CI/release pass-fail check for this request-source exposure policy\",\n \"url\": \"https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"use_when\": \"block deploys on unexpected open ports or changed exposure\"\n },\n {\n \"name\": \"evidence\",\n \"purpose\": \"portable snapshot proof for the same scan scope, with fingerprint and optional signature\",\n \"url\": \"https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"use_when\": \"attach the same-scope result to a ticket, incident, audit note, or change review\"\n },\n {\n \"name\": \"action_plan\",\n \"purpose\": \"prioritized remediation and verification steps for the same scan scope\",\n \"url\": \"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"use_when\": \"open ports, policy drift, or low attribution confidence need operator action\"\n },\n {\n \"name\": \"automation_pack\",\n \"purpose\": \"downloadable CI and operations bundle generated from the same scan scope\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\",\n \"use_when\": \"turn this one request into repeatable scripts, templates, and runbooks\"\n },\n {\n \"name\": \"network_path\",\n \"purpose\": \"source attribution diagnostic for the observed request path\",\n \"url\": \"https://ifport.io/network-path\",\n \"use_when\": \"NAT, VPN, proxy, CI, cloud, or sandbox routing may affect the observed IP\"\n }\n ],\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"evidence\": {\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"verify_url\": \"https://ifport.io/verify\"\n },\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"next_action\": \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"next_command\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"observed_source_ip\": \"216.73.216.233\",\n \"open_ports\": \"none\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"safety_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"support\": {\n \"donate_ready\": false,\n \"donate_url\": \"https://ifport.io/donate\",\n \"impact_summary\": \"Current gap is $15/month. Next funded outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Donation provider is not configured yet; /donate shows a sponsor action page with receipt/snapshot context when available.\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"provider_status\": \"provider_missing\",\n \"reason\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\"\n },\n \"target_scope\": \"request_source_ip_only\",\n \"verdict\": \"allow\"\n },\n \"cache\": {\n \"hit\": false,\n \"ttl_seconds\": 30\n },\n \"community\": {\n \"available\": true,\n \"benchmark\": {\n \"aggregate_exposure_ratio_24h\": 0.0,\n \"aggregate_exposure_trend\": \"stable\",\n \"comparison\": \"current_result_has_no_open_ports\",\n \"current_open_port_count\": 0,\n \"current_open_ports_new_to_commons\": 0,\n \"current_open_ports_seen_in_commons\": 0,\n \"headline\": \"Cleaner than current aggregate exposure weather.\",\n \"operator_meaning\": \"This request path had no open inbound TCP ports while 0.0% of recent IfPort scans had at least one open port.\",\n \"safety_note\": \"Benchmark data is aggregate-only: no source IPs, hostnames, target lists, banners, payloads, or vulnerability findings are exposed.\",\n \"status\": \"clean_baseline_below_aggregate\",\n \"support_reason\": \"Every request improves aggregate-only exposure weather for the next operator; support funds storage, verification, abuse controls, and benchmark depth.\"\n },\n \"exposure_weather\": \"Last 24h aggregate exposure ratio: 0.0% (trend=stable, delta=0.0pp vs previous 24h). New exposure sessions: 0; resolved exposure sessions: 0.\",\n \"matched_open_ports\": [],\n \"note\": \"Aggregate community context contains ports and counts only. It does not expose source IPs, targets, hostnames, CIDR ranges, banners, payloads, or vulnerability findings.\",\n \"safety\": {\n \"aggregate_only\": true,\n \"arbitrary_targets_exposed\": false,\n \"purpose\": \"defensive_prioritization\",\n \"source_ips_exposed\": false\n },\n \"source\": \"postgres_scan_events\",\n \"summary\": \"No open ports were found in this result. The community context shows aggregate exposure weather without exposing source IPs or scan targets.\",\n \"top_open_ports_24h\": []\n },\n \"decision\": {\n \"actions\": [\n \"Keep periodic checks enabled to detect drift.\",\n \"Persist snapshot_id/fingerprint as evidence for audit and rollback workflows.\"\n ],\n \"evidence\": {\n \"accuracy_confidence\": \"medium\",\n \"exposure_score\": 98,\n \"policy_verdict\": \"pass\",\n \"triage_severity\": \"info\"\n },\n \"message\": \"Current result is within expected defensive bounds for this observation path.\",\n \"reason_code\": \"policy_and_exposure_within_expected_bounds\",\n \"status\": \"allow\"\n },\n \"drift\": {\n \"closed_since_last\": [],\n \"new_open_ports\": [],\n \"note\": \"Open-port set is unchanged compared with the previous persisted scan.\",\n \"previous_scan_time\": \"2026-06-04T15:53:08.570910Z\",\n \"source\": \"postgres_scan_events\",\n \"status\": \"unchanged\"\n },\n \"intent\": {\n \"applied_policy\": \"strict\",\n \"applied_profile\": \"default\",\n \"expected_outcome\": \"Every open port should be intentional and owned.\",\n \"matching_open_ports\": [],\n \"name\": \"general-exposure\",\n \"next_action\": \"Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\",\n \"not_seen_ports_of_interest\": [],\n \"policy_from_intent\": false,\n \"ports_of_interest\": [],\n \"preset_applied\": false,\n \"profile_from_intent\": false,\n \"provided\": false,\n \"purpose\": \"General outside-in visibility check for the current request path.\",\n \"reason_code\": \"no_open_ports_seen\",\n \"runbook\": {\n \"copy_paste_markdown\": \"# IfPort intent runbook\\n\\n- Intent: general-exposure\\n- Verdict: pass (no_open_ports_seen)\\n- Ports of interest: none\\n- Matching open ports: none\\n- Summary: General exposure review found no open TCP ports in this scan scope.\\n- Next action: Keep this snapshot as a baseline and rerun after network, deploy, firewall, VPN, proxy, or cloud changes.\\n\\n## Decision rule\\nPass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\\n\\n## Likely causes\\n- No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\\n- The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\\n\\n## Verify commands\\n- `curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'`\\n- `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"`\\n- `curl -fsS \\\"https://ifport.io/network-path\\\" | jq .`\\n- `curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"`\\n\\n## Remediation steps\\n- Save snapshot evidence as the clean baseline for this exact request path.\\n- Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\\n- Use `profile=top1000` or `speed=deep` when broad confirmation matters.\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, exploitation, payload delivery, banner grabbing, or credential attacks.\\n\",\n \"decision_rule\": \"Pass when there are no unexpected public ports; review every open port for ownership, authentication, patching, and intended exposure.\",\n \"likely_causes\": [\n \"No visible ports in this scope; current firewall or NAT path appears closed for the checked set.\",\n \"The result may still represent a proxy, VPN, CI runner, cloud runtime, or sandbox path if attribution confidence is not high.\"\n ],\n \"remediation_steps\": [\n \"Save snapshot evidence as the clean baseline for this exact request path.\",\n \"Rerun after firewall, load-balancer, VPN, proxy, cloud, or deployment changes.\",\n \"Use `profile=top1000` or `speed=deep` when broad confirmation matters.\"\n ],\n \"title\": \"general-exposure intent runbook\",\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/json?profile=default&policy=strict&speed=balanced\\\" | jq '{observed_source_ip, intent, policy, accuracy}'\",\n \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=balanced\\\"\",\n \"curl -fsS \\\"https://ifport.io/network-path\\\" | jq .\",\n \"curl -fsS \\\"https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced&platform=linux\\\"\"\n ]\n },\n \"safety_boundary\": \"Request-source IP only; intent presets never accept ip, host, target, CIDR ranges, domains, payloads, credentials, or third-party scan targets.\",\n \"summary\": \"General exposure review found no open TCP ports in this scan scope.\",\n \"verdict\": \"pass\"\n },\n \"limitations\": [\n \"This result describes the public IP that made the request.\",\n \"The result may not describe the end-user's local machine if the request passed through NAT, VPN, proxy, cloud runtime, CI/CD runner, or LLM sandbox.\",\n \"Service names are inferred from common port mappings unless explicit service detection is enabled.\",\n \"An open port does not automatically mean the service is vulnerable.\",\n \"A closed or filtered port may be affected by firewall rules, network routing, or scan timeout.\"\n ],\n \"links\": {\n \"action_plan\": \"https://ifport.io/action-plan\",\n \"docs\": \"https://ifport.io/docs\",\n \"donate\": \"https://ifport.io/donate\",\n \"evidence\": \"https://ifport.io/evidence\",\n \"impact\": \"https://ifport.io/impact\",\n \"mission\": \"https://ifport.io/mission\",\n \"openapi\": \"https://ifport.io/openapi.json\",\n \"support\": \"https://ifport.io/support\"\n },\n \"observed_source_ip\": \"216.73.216.233\",\n \"open_ports\": [],\n \"operator_card\": {\n \"answer\": \"No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\",\n \"automation\": [\n \"gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\",\n \"evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\",\n \"action_plan: https://ifport.io/action-plan?profile=default&policy=strict&speed=balanced\",\n \"automation_pack: https://ifport.io/automation-pack.tar.gz?profile=default&policy=strict&speed=balanced\"\n ],\n \"boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"card_version\": \"operator_card.v1\",\n \"concept\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"confidence\": \"medium (trusted_edge_header)\",\n \"copy_paste_markdown\": \"# IfPort operator card\\n\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Observed request-source IP: 216.73.216.233\\n- Answer: No open TCP ports were detected for profile `default` on 216.73.216.233. Treat this as a clean baseline for the current request path, keep snapshot evidence, and rerun after firewall, load-balancer, VPN, cloud, or deployment changes.\\n- Concept: One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\\n- Boundary: Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n- Confidence: medium (trusted_edge_header)\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Time saved estimate: about 20 minutes\\n- Do now: Save the snapshot and add the gate command to CI or release smoke tests.\\n- Gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Evidence: https://ifport.io/evidence?profile=default&policy=strict&speed=balanced\\n- Support: https://ifport.io/donate\\n\",\n \"do_now\": [\n \"Save the snapshot and add the gate command to CI or release smoke tests.\",\n \"Run: curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"Keep this as baseline evidence and re-run after every network/firewall change.\",\n \"Promote strict gate checks in CI/CD so exposure regressions block release.\"\n ],\n \"proof\": [\n \"observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 speed=balanced\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"policy=strict/pass decision=allow/policy_and_exposure_within_expected_bounds\",\n \"accuracy=medium (trusted_edge_header) observed_ip_scope=public\"\n ],\n \"severity\": \"info\",\n \"support_prompt\": \"If this card saved a deploy, firewall, VPN, proxy, or incident-debugging loop, support keeps ifport.io free. Current gap: $15/mo; /donate currently shows a sponsor action page until a provider is configured.\",\n \"title\": \"IfPort one-request operator card\",\n \"verdict\": \"allow\"\n },\n \"partial\": false,\n \"policy\": {\n \"allowed_open_ports\": [],\n \"missing_expected_ports\": [],\n \"name\": \"strict\",\n \"note\": \"Policy 'strict' matched: no unexpected public ports.\",\n \"unexpected_open_ports\": [],\n \"verdict\": \"pass\"\n },\n \"project\": {\n \"category\": \"request_source_port_visibility\",\n \"default_check\": \"Default public check is a compact TCP profile; this response checked 6 TCP ports. Use profile=top1000 for explicit broad verification.\",\n \"defensive_boundary\": \"Request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\",\n \"name\": \"ifport.io\",\n \"one_request_promise\": \"One request returns the outside view of inbound TCP ports visible on the IP that contacted ifport.io.\",\n \"outputs\": [\n {\n \"name\": \"action_plan\",\n \"purpose\": \"Prioritized remediation steps and command templates.\",\n \"url\": \"https://ifport.io/action-plan\"\n },\n {\n \"name\": \"evidence\",\n \"purpose\": \"Portable proof with snapshot fingerprint and verification payload.\",\n \"url\": \"https://ifport.io/evidence\"\n },\n {\n \"name\": \"mission\",\n \"purpose\": \"One-request result, concept, operations, automation, and support transparency.\",\n \"url\": \"https://ifport.io/mission\"\n },\n {\n \"name\": \"automation_pack\",\n \"purpose\": \"Downloadable CI and ops bundle generated from the current request-source scan.\",\n \"url\": \"https://ifport.io/automation-pack.tar.gz\"\n },\n {\n \"name\": \"impact\",\n \"purpose\": \"Public utility, reliability, exposure trend, and funding ledger.\",\n \"url\": \"https://ifport.io/impact\"\n }\n ],\n \"useful_for\": [\n \"deployment verification\",\n \"CI/CD exposure gates\",\n \"firewall and security-group drift checks\",\n \"incident response evidence\",\n \"VPN, proxy, cloud-runtime, and AI-agent path diagnostics\"\n ]\n },\n \"receipt\": {\n \"copy_paste_markdown\": \"# IfPort value receipt\\n\\n- Receipt: ifport-receipt-64057714b171e040\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Estimated operator time saved: about 20 minutes\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Next command: `curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"`\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n\\nBoundary: request-source IP only; no arbitrary target scanning, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n\",\n \"estimated_minutes_saved\": 20,\n \"operator_next_step\": \"curl -fsS \\\"https://ifport.io/gate?profile=default&policy=strict&speed=deep\\\"\",\n \"receipt_id\": \"ifport-receipt-64057714b171e040\",\n \"support_case\": \"This request likely saved about 20 minutes of deploy, firewall, proxy, or incident-debugging time. Current gap is $15/month. The fastest closure is 3 x $5/month supporters. Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"title\": \"IfPort operator value receipt\",\n \"value_drivers\": [\n \"checked 6 bounded TCP ports on the request-source IP without accepting arbitrary targets\",\n \"converted the scan into a `allow` decision with reason `policy_and_exposure_within_expected_bounds`\",\n \"produced a reusable snapshot fingerprint and same-scope evidence URL\",\n \"returned gate, action-plan, network-path, and automation-pack links in the same response\"\n ],\n \"value_summary\": \"One request produced a decision, next command, evidence, automation links, and source-attribution guidance for 216.73.216.233.\"\n },\n \"results\": {\n \"closed\": [],\n \"errors\": [],\n \"filtered_or_timeout\": [\n 22,\n 80,\n 443,\n 3000,\n 8080,\n 8443\n ],\n \"open\": []\n },\n \"scan\": {\n \"duration_ms\": 687,\n \"global_timeout_ms\": 20000,\n \"per_port_timeout_ms\": 650,\n \"ports_checked\": [\n 22,\n 80,\n 443,\n 3000,\n 8080,\n 8443\n ],\n \"profile\": \"default\",\n \"scan_id\": \"7083bef4-eea9-4eba-a431-6c3b8a64038b\",\n \"speed\": \"balanced\",\n \"started_at\": \"2026-06-04T15:53:51.147521492Z\",\n \"type\": \"tcp_syn_or_connect\"\n },\n \"schema_version\": \"1.0\",\n \"service\": \"ifport.io\",\n \"share\": {\n \"badge_markdown\": \"[![IfPort request-source-only badge](https://ifport.io/badge.svg)](https://ifport.io/support)\",\n \"evidence_url\": \"https://ifport.io/evidence\",\n \"markdown\": \"# IfPort result\\n\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Open inbound TCP ports: none\\n- Result permalink: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\\n- Result card SVG: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\\n- Persisted evidence: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Safety boundary: request-source IP only; no arbitrary targets, CIDR sweeps, exploitation, banner grabbing, payload delivery, or credential attacks.\\n- Support: https://ifport.io/donate\\n\\nIf this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\\n\",\n \"readme_markdown\": \"[![IfPort request-source-only badge](https://ifport.io/badge.svg)](https://ifport.io/support)\\n\\n**IfPort outside-view check:** `allow` for the current request-source path. Open inbound TCP ports: `none`. Result permalink: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b`. Result card: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg`. Persisted evidence: `https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence`. Snapshot: `ifport-v1-64057714b171e040`. Verify with `https://ifport.io/verify` or attach `https://ifport.io/evidence` as portable evidence.\\n\\nIf this saved deploy, firewall, VPN, proxy, CI, or incident-debugging time, sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result.\\n\",\n \"report_card_markdown\": \"# IfPort report card\\n\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Observed path: request-source IP 216.73.216.233\\n- Profile: `default`\\n- Open inbound TCP ports: none\\n- Result permalink: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\\n- Result card SVG: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\\n- Persisted evidence: https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Verify: https://ifport.io/verify\\n- Evidence: https://ifport.io/evidence\\n- Re-check gate: https://ifport.io/gate?profile=default&policy=strict&speed=deep\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n\\nBoundary: request-source IP only; no arbitrary targets, CIDR ranges, banner grabbing, payload delivery, exploitation, or credential attacks.\\n\",\n \"result_card_svg_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg\",\n \"result_evidence_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence\",\n \"result_summary\": \"IfPort saw no open inbound TCP ports for profile `default` on request-source IP 216.73.216.233.\",\n \"result_url\": \"https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b\",\n \"social_text\": \"IfPort checked my current request path: verdict=allow, open_tcp_ports=none, result=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b, card=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b.svg, evidence=https://ifport.io/result/7083bef4-eea9-4eba-a431-6c3b8a64038b/evidence, snapshot=ifport-v1-64057714b171e040. Request-source-only, no arbitrary target scanning. https://ifport.io/donate\",\n \"support_callout\": \"If this saved a deploy, firewall, VPN, or incident-debugging loop, support keeps the free outside check available for the next operator: https://ifport.io/donate\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"ticket_title\": \"IfPort exposure check: allow for request-source IP 216.73.216.233\",\n \"title\": \"IfPort result for 216.73.216.233: allow\",\n \"verify_url\": \"https://ifport.io/verify\"\n },\n \"snapshot\": {\n \"fingerprint_sha256\": \"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"signature\": {\n \"algorithm\": \"hmac-sha256\",\n \"key_id\": \"ifport-snapshot-v1\",\n \"signature_hex\": \"e0e8140f5d8727e4e3e95ce973ea7aaf62e036458e6551643308147d78207e3e\",\n \"signed_payload\": \"scan_snapshot_fingerprint_source_v1\"\n },\n \"snapshot_id\": \"ifport-v1-64057714b171e040\",\n \"verification\": \"Recompute SHA256 over canonical fingerprint source fields, then verify HMAC-SHA256 over the same canonical payload.\",\n \"version\": \"1\"\n },\n \"support\": {\n \"contribution_examples\": [\n \"3 supporters at $5/month close the current $15/month gap.\",\n \"2 supporters at $10/month close the current $15/month gap.\",\n \"1 sponsor at $25/month close the current $15/month gap.\"\n ],\n \"coverage_ratio\": 0.0,\n \"donate_links\": [],\n \"donate_ready\": false,\n \"donate_url\": \"https://ifport.io/donate\",\n \"free_check\": true,\n \"monthly_covered_usd\": 0,\n \"monthly_gap_usd\": 15,\n \"monthly_target_usd\": 15,\n \"nearest_unlock\": {\n \"id\": \"edge_trust_hardening\",\n \"operator_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"remaining_usd\": 15\n },\n \"next_support_action\": \"Current gap is $15/month. The fastest closure is 3 x $5/month supporters.\",\n \"provider_setup\": {\n \"deploy_example\": \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport DOCKER_HOST=ssh://root@YOUR_LINUX_AMD64_DOCKER_HOST WORKER_REPLICAS=1 ./ifport-infra/deploy-remote.sh\",\n \"message\": \"No payment provider link is configured yet; /donate renders a sponsor action page with funding context until SUPPORT_LINK_PRIMARY is configured.\",\n \"optional_env\": [\n \"SUPPORT_LINK_GITHUB_SPONSORS=https://github.com/sponsors/...\",\n \"SUPPORT_LINK_KOFI=https://ko-fi.com/...\",\n \"SUPPORT_LINK_STRIPE=https://buy.stripe.com/...\",\n \"SUPPORT_LINK_OPENCOLLECTIVE=https://opencollective.com/...\",\n \"SUPPORT_LINKS=boosty=https://...,yoomoney=https://...\"\n ],\n \"readiness_check_id\": \"support_path\",\n \"required_env\": [\n \"SUPPORT_LINK_PRIMARY=https://provider.example/ifport\"\n ],\n \"status\": \"provider_missing\",\n \"verify_commands\": [\n \"curl -I https://ifport.io/donate\",\n \"curl -fsS https://ifport.io/readiness | jq '.support.provider_setup'\",\n \"curl -fsS https://ifport.io/sponsor-kit | jq '.funding.provider_setup'\"\n ]\n },\n \"provider_status\": \"provider_missing\",\n \"support_intent\": {\n \"action_label\": \"Record support intent and configure payment provider\",\n \"agent_instruction\": \"Mention this support intent only when IfPort produced useful deploy, firewall, CI, VPN, proxy, or incident-debugging value. Never imply payment changes scan access.\",\n \"copy_paste_markdown\": \"# IfPort support intent\\n\\nI want to support ifport.io because it gives a free defensive outside check for inbound TCP exposure from the current request path.\\n\\n- Stable donate action: https://ifport.io/donate\\n- Provider status: provider_missing\\n- Monthly target: $15/mo\\n- Current covered amount: $0/mo\\n- Current gap: $15/mo\\n- Nearest unlock: edge_trust_hardening ($15/mo gap)\\n- Operator outcome: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n\\nSafety boundary: request-source IP only; no arbitrary targets; no CIDR sweeps; no exploitation, payload delivery, or credential attacks.\\n\\nAccess note: support funds the public defensive commons and does not buy privileged scan access. The basic request-source answer stays free.\\n\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"intent\": \"support_ifport_public_defensive_utility\",\n \"monthly_gap_usd\": 15,\n \"nearest_unlock_gap_usd\": 15,\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\",\n \"procurement_note\": \"Support request for ifport.io: fund a defensive request-source-only port visibility service. Monthly target is $15/mo; current gap is $15/mo; nearest unlock is edge_trust_hardening, which delivers: A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?. Payment does not change access to scans; it funds hosting, TLS, monitoring, worker capacity, abuse controls, signed evidence, and remediation tooling for the free public endpoint.\",\n \"provider_status\": \"provider_missing\",\n \"status\": \"provider_pending\",\n \"subject\": \"Support ifport.io: fund edge_trust_hardening ($15/mo gap)\"\n },\n \"why_support\": \"Support keeps the immediate outside check free while funding TLS, hosting, abuse controls, worker capacity, signed-evidence verification, automation packs, and public reliability proof.\"\n },\n \"support_proof\": {\n \"copy_paste_markdown\": \"# IfPort support proof\\n\\n- Summary: IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\\n- Receipt: ifport-receipt-64057714b171e040\\n- Estimated operator time saved: about 20 minutes\\n- Observed request-source IP: 216.73.216.233\\n- Verdict: allow (policy_and_exposure_within_expected_bounds)\\n- Profile: default (6 bounded TCP ports)\\n- Open inbound TCP ports: none\\n- Snapshot: ifport-v1-64057714b171e040 (`64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523`)\\n- Nearest funded outcome: edge_trust_hardening - A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\\n- Support ask: Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\\n- Sponsor this check: https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- Stable donate action: https://ifport.io/donate\\n- Access note: Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\\n\\nEvidence:\\n- scope=request_source_ip_only observed_source_ip=216.73.216.233\\n- profile=default ports_checked=6 open_ports=none\\n- decision=allow reason_code=policy_and_exposure_within_expected_bounds\\n- snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\\n- value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\\n- support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\\n- nearest_unlock=edge_trust_hardening provider_status=provider_missing\\n- support_boundary=free_check_stays_free paid_access=false\\n\",\n \"donate_url\": \"https://ifport.io/donate\",\n \"donation_ask\": \"Current public-utility gap is $15/mo. Record support intent now; configure a payment provider behind /donate to collect it.\",\n \"estimated_minutes_saved\": 20,\n \"evidence\": [\n \"scope=request_source_ip_only observed_source_ip=216.73.216.233\",\n \"profile=default ports_checked=6 open_ports=none\",\n \"decision=allow reason_code=policy_and_exposure_within_expected_bounds\",\n \"snapshot_id=ifport-v1-64057714b171e040 fingerprint_sha256=64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\",\n \"value_receipt_id=ifport-receipt-64057714b171e040 estimated_minutes_saved=20\",\n \"support_this_check_url=https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"nearest_unlock=edge_trust_hardening provider_status=provider_missing\",\n \"support_boundary=free_check_stays_free paid_access=false\"\n ],\n \"nearest_unlock_id\": \"edge_trust_hardening\",\n \"nearest_unlock_outcome\": \"A cleaner answer to the question: did IfPort scan my real public path or a proxy/VPN/sandbox hop?\",\n \"no_paid_access_note\": \"Support funds the commons, not privileged scanning. The basic request-source-only answer stays free and accountless.\",\n \"proof_version\": \"support_proof.v1\",\n \"provider_status\": \"provider_missing\",\n \"summary\": \"IfPort converted one request from 216.73.216.233 into a defensive verdict, evidence snapshot, operator next step, and value receipt without accepting arbitrary scan targets.\",\n \"support_this_check_url\": \"https://ifport.io/donate?receipt_id=ifport-receipt-64057714b171e040&snapshot_id=ifport-v1-64057714b171e040&source=scan_result\",\n \"title\": \"IfPort support proof\",\n \"value_receipt_id\": \"ifport-receipt-64057714b171e040\"\n },\n \"target\": {\n \"ip\": \"216.73.216.233\",\n \"type\": \"request_source_ip\"\n },\n \"triage\": {\n \"first_15_min_steps\": [\n \"Keep this as baseline evidence and re-run after every network/firewall change.\",\n \"Promote strict gate checks in CI/CD so exposure regressions block release.\",\n \"Schedule recurring checks from the exact network path that serves production traffic.\"\n ],\n \"headline\": \"No open TCP ports were detected in this profile.\",\n \"scenario\": \"no_public_ports_detected\",\n \"severity\": \"info\",\n \"verify_commands\": [\n \"curl -fsS \\\"https://ifport.io/gate?policy=strict&speed=deep\\\"\",\n \"curl -fsS \\\"https://ifport.io/json?profile=default\\\"\"\n ]\n }\n }\n}"},{"path":"ifport/README.md","description":"Operator instructions and safety boundary summary.","language":"markdown","content":"# IfPort Automation Pack\n\nThis pack is generated from a request-source-only scan.\n\n## Safety boundary\n\n- request-source IP only\n- no arbitrary target scanning\n- no CIDR/range scanning\n- no exploitation/payload delivery\n\n## Generated from\n\n- observed_source_ip: 216.73.216.233\n- profile: default\n- policy: strict (pass)\n- snapshot_id: ifport-v1-64057714b171e040\n- fingerprint_sha256: 64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523\n\n## Quick start\n\n1. chmod +x ifport/gate.sh ifport/cron-monitor.sh ifport/contain-unexpected.sh\n2. Review `ifport/policy.json`; commit it only if this is the intended exposure baseline for the same request path\n3. Run `./ifport/gate.sh` from deployment runtime\n4. Read `ifport/remediation.md` for the generated dry-run-first remediation kit\n5. Read `ifport/port-runbooks.md` for per-port owner questions, checks, hardening actions, and verify commands\n6. Enable GitHub or GitLab gate from included files\n7. Use `APPLY=0 ./ifport/contain-unexpected.sh` for dry-run containment review; only use `APPLY=1` after approval\n8. Use JSON evidence files under `ifport/scan/` for tickets/postmortems\n9. Use `ifport/incident-template.md` when gate fails\n\n## Useful links\n\n- one-shot: https://ifport.io/one-shot\n- gate baseline: https://ifport.io/gate?profile=default&policy=strict&speed=deep\n- action-plan: https://ifport.io/action-plan\n- incident-bundle: https://ifport.io/incident-bundle\n- automation-pack archive: https://ifport.io/automation-pack.tar.gz\n- support: https://ifport.io/support\n"}],"install_steps":["Write files to your repository with the provided relative paths.","Run: chmod +x ifport/gate.sh ifport/cron-monitor.sh ifport/contain-unexpected.sh","Execute ./ifport/gate.sh from the runtime/network path you deploy from.","Read ifport/remediation.md before making firewall, container, provider, or load-balancer changes.","Read ifport/port-runbooks.md for per-port owner questions, immediate checks, hardening actions, and verify commands.","Enable .github/workflows/ifport-gate.yml or include .gitlab-ci.ifport.yml in your pipeline.","Run APPLY=0 ./ifport/contain-unexpected.sh for dry-run containment review; use APPLY=1 only after approval.","Use JSON artifacts under ifport/scan/ for evidence, tickets, and post-incident review.","Commit ifport/policy.json when this result is the intended exposure baseline for the same request path.","Use the incident template when /gate returns non-200 or verdict=warn|fail."],"evidence":{"snapshot_id":"ifport-v1-64057714b171e040","fingerprint_sha256":"64057714b171e0401a3f98db6de5db689dd5678ce535e309032a2bdf090a8523","open_ports":[],"unexpected_open_ports":[],"exposure_score":98},"boundary":{"request_source_only":true,"arbitrary_targets_allowed":false,"cidr_scanning_allowed":false,"exploitation_allowed":false},"limitations":["This result describes the public IP that made the request.","The result may not describe the end-user's local machine if the request passed through NAT, VPN, proxy, cloud runtime, CI/CD runner, or LLM sandbox.","Service names are inferred from common port mappings unless explicit service detection is enabled.","An open port does not automatically mean the service is vulnerable.","A closed or filtered port may be affected by firewall rules, network routing, or scan timeout."],"links":{"one_shot":"https://ifport.io/one-shot","gate_now_url":"https://ifport.io/gate?profile=default&policy=strict&speed=deep","gate_baseline_url":"https://ifport.io/gate?profile=default&policy=strict&speed=deep","action_plan":"https://ifport.io/action-plan","incident_bundle":"https://ifport.io/incident-bundle","support":"https://ifport.io/support"}}