Machine authentication and contracts
Human login and machine authentication are separate systems. Machine credentials never replace WordPress user sessions.
Machine authentication
Per-site machine tokens authorize Hub pulls of module/workspace payloads from connected sites (e.g. Intake). Fail closed on desync, revoke, or contract mismatch.
Credential vault
Outbound credentials are vaulted on Hub. Site reassignment does not casually rotate tokens; rotation is an explicit operator action with audit implications.
Module Manifest contract
Typed module summaries (e.g. Intake Leads card inputs) validated before cache write. Invalid payloads rejected; last-known-good preserved where designed.
Workspace contract
Customer-safe Workspace card payloads (summaries, destinations) separate from full module manifests. Destination URLs are allowlisted (same-site front-end; no wp-admin bleed).
Operator Integration Health
Operator-only visibility into Hub→remote pull health (credential desync vs transport vs contract failures).