Missing User Warnings
Medium
- Confidence
- 98% confidence
- Finding
- The document publicly exposes what appears to be a live governance API key and pairs it with privileged governance endpoints, including validation, status, audit, and interactive query services. Even if labeled as an 'experience' key, publishing reusable authentication material in a spec encourages unauthorized access, abuse, scraping, and possible pivoting into internal governance services—especially because the same document notes the key is used via the X-Governance-Key header and that some services run on localhost:8701, suggesting trust boundary confusion.
