// ─────────────────────────────────────────────────────────────────────────
// content-pages.jsx — content schemas for non-landing public pages.
// Edit values; keep shapes intact.
// ─────────────────────────────────────────────────────────────────────────

// ─── Product deep-dive ───────────────────────────────────────────────────
// Each PRODUCT in content.jsx may optionally have a `deepDive` field with
// this shape. The product.html template renders it. If absent, the page
// falls back to the short content from the landing card.
//
//   deepDive: {
//     tagline:    "One-line subtitle under the giant title.",
//     overview:   "Two paragraphs. Use \\n\\n between them.",
//     principles: [ ["Title", "One-line body."], ... ],   // 3–4
//     methodology:"One long paragraph explaining the technical approach.",
//     examples:   [ { kind: "code"|"diagram", lang?, body, caption? }, ... ],
//   }
//
// DEEPDIVE_DEFAULTS gives the page chrome (section headings) that's shared
// across all 5 product pages.
// Shared chrome for the product deep-dive pages: the section headings and the
// footer call-to-action.
// NOTE(review): `window.DEEPDIVE_DEFAULTS || {...}` means a value already
// present on `window` replaces this literal wholesale (no merge), so any script
// that runs earlier on the page controls these labels and the CTA href.
// Presumably an intentional override hook — confirm which scripts load first.
const DEEPDIVE_DEFAULTS = window.DEEPDIVE_DEFAULTS || {
  // Heading text for each section of a deep-dive page, keyed by section id.
  sectionLabels: {
    overview:    "Overview",
    principles:  "Principles",
    methodology: "Methodology",
    examples:    "Excerpts",
    facts:       "At a glance",
    related:     "Related engines",
  },
  // CTA at the foot of every deep-dive.
  footerCta: {
    eyebrow: "Engagements",
    headline: "Working on something this would catch?",
    body: "We work with protocol teams, exchanges, and infrastructure companies on pre-release verification and incident response.",
    cta: { label: "Get in touch", href: "/#contact" },
  },
};
// Publish the resolved object (override or literal) for the page templates.
window.DEEPDIVE_DEFAULTS = DEEPDIVE_DEFAULTS;

// ─── About / studio page ─────────────────────────────────────────────────
// Copy for the About / studio page. A pre-existing `window.ABOUT` takes
// precedence over this literal and replaces it wholesale.
const ABOUT = window.ABOUT || {
  eyebrow: "About blockscanner",
  headline: "We build the analyzers that find what fuzzers and human auditors miss.",
  lede:
    "Blockscanner is a security research and engineering studio. We sit between " +
    "program-analysis academia and the protocols actually shipping code — chaining " +
    "taint analysis into symbolic execution across EVM, Solana, and Bitcoin, " +
    "running both behind a parallel-EVM throughput layer of our own, and packaging " +
    "everything into a managed-service audit platform on the Anthropic API.",
  // Pillars are { title, body } objects.
  pillars: [
    {
      title: "Method-first.",
      body:
        "Every product starts from a program-analysis primitive — taint propagation " +
        "feeding symbolic exploration, parallel re-execution underneath. The Live " +
        "Audit platform is a consumer of those primitives, not the primitive itself.",
    },
    {
      title: "Three bytecodes, one toolchain.",
      body:
        "EVM, Solana BPF, and Bitcoin have different state models, different attack " +
        "idioms, different runtime mechanics. We treat them as one problem with three " +
        "backends — every analyzer ships against all three, every finding on one " +
        "informs the others. Bitcoin coverage spans Taproot, Lightning, PSBT, and " +
        "Schnorr nonce extraction.",
    },
    {
      title: "Validate before build.",
      body:
        "Every novel vulnerability class lands in the vector registry with an explicit " +
        "validation tier and a proof plan. We don't ship detectors for unvalidated " +
        "theories. Mathematical confirmation, local test, or fork simulation comes " +
        "first; detector code comes second.",
    },
    {
      // NOTE(review): this copy states the disclosure policy (private until
      // patched, class-level publication only). Keep it in step with the
      // disclosure and case-study pages so the public commitments match.
      title: "Private-first disclosure.",
      body:
        "Findings stay private until affected parties have patched. We refuse to " +
        "publish writeups that ride a still-exploitable bug. Class-level publication " +
        "is the rule; instance-level details stay with verification partners.",
    },
  ],
  // Values are [label, body] pairs, unlike `pillars` above.
  values: [
    ["No theater",   "Plain numbers, plain language, no demo videos that aren't real."],
    ["No surprises", "We share scope and methodology before engagement, not after."],
    ["No retainer",  "Per-engagement pricing. We earn the next one or we don't."],
  ],
  // Adjacent track: web-infrastructure work runs alongside the onchain stack.
  // Currently between v1 (shipped, owner-conducted research) and v2 (in build).
  adjacent: {
    title: "Web infrastructure — adjacent track.",
    body:
      "A custom WAF-bypass fuzzer runs alongside the onchain work. v1 served research " +
      "engagements on owner-conducted targets; v2 (in development) broadens payload " +
      "generation and classifies bypasses by which WAF feature was evaded. Web-infra " +
      "engagements return when v2 ships.",
  },
  // Team is optional and intentionally minimal. Replace with real entries
  // when you're ready to name people.
  team: {
    note: "Team will be listed publicly once the first batch of class-level summaries publishes.",
    // NOTE(review): what the template does with `seats` is not visible here.
    seats: 1,
  },
};
// Publish the resolved object for the page template.
window.ABOUT = ABOUT;

// ─── Waitlist / early access ─────────────────────────────────────────────
// Copy for the waitlist / early-access page. A pre-existing `window.WAITLIST`
// takes precedence over this literal and replaces it wholesale.
// NOTE(review): several strings below make isolation and process claims
// ("No client console, no shared model context", "you submit a target and
// authorization"). Nothing in this file enforces them; keep the copy in step
// with what the platform and the engagement intake actually do.
const WAITLIST = window.WAITLIST || {
  eyebrow: "Live Audit — operator-only private beta",
  headline: "Managed-service audit, on the Anthropic API.",
  lede:
    "Blockscanner's Live Audit platform is operator-only: you submit a target and " +
    "authorization, our team runs the engagement end-to-end on Claude Opus 4.7 + " +
    "Sonnet 4.6 subagents, you receive a finished report. Currently in private beta " +
    "with a small set of DeFi and infrastructure partners; first demo engagement " +
    "is queued.",
  // Benefits are [title, body] pairs.
  benefits: [
    ["Operator-driven, not self-serve.",
     "You don't run the platform — we do. You submit scope and authorization; we deliver the finished report. No client console, no shared model context."],
    ["Three-layer context discipline.",
     "Programmatic Tool Calling for fan-out, parallel Sonnet 4.6 subagents for deep dives, server-side compaction for the long-running lead loop. Engagement-cost / token-cost is engineered, not accidental."],
    ["Three bytecodes, one workflow.",
     "EVM (Solidity, Vyper, Yul, raw bytecode), Solana (Anchor, Native, raw BPF), and Bitcoin (Taproot, Lightning, PSBT) all handled through the same engagement interface."],
    ["Re-audit lineage.",
     "Every engagement can branch from a prior one. The system carries institutional memory across audits of the same protocol — you don't pay to rediscover the same surface every quarter."],
  ],
  // FAQ entries are [question, answer] pairs.
  faq: [
    ["When does it open?",         "Operator-only during private beta. We're admitting partners in batches — expect a reply within two business days of joining."],
    ["What does it cost?",         "Per-engagement, scaling with target complexity and re-audit lineage. Numbers shared during onboarding."],
    ["Does it replace audits?",    "It IS an audit, delivered as a managed service. For a brand-new launch a parallel human audit is still the right move; for the next twelve months of changes after that, Live Audit is what you re-run."],
    ["What languages?",            "Solidity, Vyper, Yul, raw EVM bytecode; Anchor (Rust), Native (Rust), raw BPF; Bitcoin script with Taproot / Lightning / PSBT extensions. New backends as we ship engines for them."],
  ],
  // Label for the form's submit control.
  formCta: "Request access",
};
// Publish the resolved object for the page template.
window.WAITLIST = WAITLIST;

// ─── 404 / error states ──────────────────────────────────────────────────
// Copy for the 404 page. A pre-existing `window.ERROR404` takes precedence
// over this literal and replaces it wholesale.
const ERROR404 = window.ERROR404 || {
  eyebrow: "Page not found",
  code: "404",
  headline: "Lost in execution.",
  body:
    "The path you followed doesn't resolve to anything we currently serve. " +
    "If you reached this from elsewhere on the site, that's a bug — let us know.",
  // Recovery links as { label, href }; every href here is site-relative.
  suggestions: [
    { label: "Home",            href: "/" },
    { label: "Products",        href: "/#products" },
    { label: "Research index",  href: "/research.html" },
    { label: "About",           href: "/about.html" },
    { label: "Contact",         href: "/#contact" },
  ],
};
// Publish the resolved object for the page template.
window.ERROR404 = ERROR404;

// Reusable 500 / generic error variant — pass to BSErrorState as a prop.
// Copy for the generic server-error state. A pre-existing `window.ERROR500`
// takes precedence over this literal and replaces it wholesale.
const ERROR500 = window.ERROR500 || {
  eyebrow: "Server error",
  code: "500",
  headline: "Something faulted on our end.",
  body:
    "We've been notified. If this is blocking something time-sensitive, " +
    "write to us directly — a human will reply.",
  // Recovery links as { label, href }.
  suggestions: [
    // NOTE(review): this is the only `javascript:` href in the file. A
    // Content-Security-Policy without 'unsafe-inline' blocks javascript:
    // navigations, and React warns when one is passed as an href, so the link
    // may silently do nothing under a strict policy. It also means the
    // renderer cannot restrict hrefs to http(s)/mailto/relative schemes.
    // Consider a reload action handled in the component instead — the
    // component is not visible here, so confirm how it treats this entry.
    { label: "Try again",       href: "javascript:location.reload()" },
    { label: "Home",            href: "/" },
    { label: "Email us",        href: "mailto:hello@blockscanner.org" },
  ],
};
// Publish the resolved object for the page template.
window.ERROR500 = ERROR500;

// ─── Disclosure submission page (for external researchers) ───────────────
// Copy and form schema for the external vulnerability-disclosure page.
// `fields` drives the rendered inputs, `policyPoints` are [step, commitment]
// pairs, and `safeHarbor` is a single paragraph. A pre-existing
// `window.DISCLOSE` takes precedence over this literal.
// NOTE(review): `required`, `type` and `options` below only shape the rendered
// form. The receiving endpoint is not visible in this file and has to apply
// the same checks itself.
const DISCLOSE = window.DISCLOSE || {
  eyebrow: "Vulnerability disclosure",
  headline: "Tell us about a finding.",
  lede:
    "Researchers can submit potential vulnerabilities affecting our infrastructure or " +
    "any protocol we audit. We acknowledge every submission within one business day " +
    "and route confirmed findings to the affected party under our coordinated " +
    "disclosure policy.",
  // Form schema. Backend should accept these field names verbatim.
  fields: [
    { name: "submitter_name",  label: "Your name",         type: "text",   required: true },
    { name: "submitter_email", label: "Your email",        type: "email",  required: true },
    { name: "affiliation",     label: "Affiliation",       type: "text" },
    { name: "target",          label: "Affected system",   type: "text",   required: true,
                                placeholder: "Protocol name, repo, contract address, or URL." },
    // NOTE(review): the About and Waitlist copy in this file lists Bitcoin as
    // a supported chain, but it is not an option here, so a Bitcoin finding has
    // to be filed as "Other". Confirm the backend's accepted values before
    // adding it.
    { name: "domain",          label: "Domain",            type: "select", required: true,
                                options: ["EVM", "Solana", "Web infrastructure", "Other"] },
    // Severity is the submitter's own estimate and is optional.
    { name: "severity",        label: "Estimated severity",type: "select",
                                options: ["Informational", "Low", "Medium", "High", "Critical"] },
    { name: "summary",         label: "Short summary",     type: "text",   required: true,
                                placeholder: "One sentence." },
    // NOTE(review): this field invites Markdown and proof-of-concept material.
    // Whatever displays it to triage staff should treat it as untrusted input
    // (sanitized rendering or plain text), and the submission is sensitive in
    // transit and at rest. Neither path is visible in this file.
    { name: "details",         label: "Full writeup",      type: "textarea", required: true,
                                placeholder: "Reproduction steps, impact analysis, proof-of-concept — paste everything. Markdown OK." },
  ],
  // Public response commitments; the timings repeat the lede's promise.
  policyPoints: [
    ["Acknowledge",   "Within one business day, by email."],
    ["Triage",        "Within five business days. We tell you scope, severity, and timeline."],
    ["Coordinate",    "We notify the affected party and run the disclosure window."],
    ["Credit",        "By default, you're credited on the published advisory. Opt out by saying so."],
  ],
  safeHarbor:
    "Good-faith research that follows this policy will not result in legal action " +
    "from us, regardless of severity. We do not require an NDA to submit.",
};
// Publish the resolved object for the page template.
window.DISCLOSE = DISCLOSE;

// ─── Case studies page ───────────────────────────────────────────────────
// Until you have published case studies, leave `entries` as an empty list —
// the page will render an honest empty state. When you publish, add entries
// with the shape shown in the commented-out CaseEntry template below.
// Copy and entry list for the case-studies page. A pre-existing `window.CASES`
// takes precedence over this literal and replaces it wholesale.
const CASES = window.CASES || {
  eyebrow: "Engagements",
  headline: "Selected work, published as disclosure windows close.",
  lede:
    "We publish a writeup for every engagement that resulted in a previously-unknown " +
    "class of bug, once affected parties have patched and the disclosure window has " +
    "closed. Older engagements may stay private at the partner's request.",
  // NOTE(review): this object is assigned to `window`, so every entry ships to
  // every visitor as soon as the file is deployed, whatever the page chooses to
  // render. Keep "pre-disclosure" entries free of partner-identifying detail.
  entries: [], // [CaseEntry]
  // CaseEntry shape (uncomment one to seed):
  // {
  //   id: "case-001",
  //   ref: "BS-001",
  //   title: "Authorization confusion in a multi-chain bridge contract.",
  //   partner: "[redacted]",
  //   year: 2025,
  //   domain: "EVM",
  //   severity: "High",
  //   summary: "Two-paragraph public summary.",
  //   status: "disclosed", // or "pre-disclosure"
  // }
  // Shown while `entries` is empty.
  emptyState: {
    title: "No public engagements yet.",
    body:
      "Active engagements are pre-disclosure until coordinated windows close. " +
      "If you're considering working with us and want references, write directly — we'll " +
      "put you in touch with partners under NDA.",
    cta: { label: "Request references", href: "/#contact" },
  },
};
// Publish the resolved object for the page template.
window.CASES = CASES;

// ─── Legal pages (privacy + terms share one schema) ──────────────────────
// Copy for the privacy and terms pages. Both use the same shape: `title`,
// `updated`, `summary`, and `sections` as [heading, body] pairs. A pre-existing
// `window.LEGAL` takes precedence over this literal.
// NOTE(review): the privacy text makes technical commitments (cookieless
// analytics, hashed passwords, 24-month and account-lifetime-plus-90-day
// retention, 30-day response). Nothing in this file enforces them; confirm the
// implementation matches before changing either side.
const LEGAL = window.LEGAL || {
  privacy: {
    title: "Privacy policy",
    updated: "Effective 2026-01-01",
    summary:
      "We collect the minimum information needed to operate the site, answer your " +
      "messages, and run the audit platform you've signed up for. We do not sell " +
      "or share personal data with third parties for advertising purposes.",
    sections: [
      ["Information we collect",
        "Names and email addresses submitted through the contact and disclosure forms. " +
        "Basic web analytics (page views, referrer, country) collected without cookies. " +
        "Account credentials (email, hashed password) when you sign up for the audit platform."],
      ["How we use it",
        "To reply to your messages, to operate the platform you've signed up for, and to " +
        "improve the site. We do not use submission data to train external models."],
      ["Retention",
        "Contact submissions are retained for 24 months unless you ask us to delete them. " +
        "Account data is retained for the lifetime of the account plus 90 days."],
      ["Your rights",
        "You can request a copy, correction, or deletion of any personal data we hold by " +
        "emailing us. We respond within 30 days."],
      // Restates the crediting default from the disclosure page's policy points.
      ["Disclosure submissions",
        "Information submitted through the vulnerability disclosure form is shared only with " +
        "the affected party under our coordinated disclosure policy. Researchers are credited " +
        "on the published advisory by default; opt out by saying so in the submission."],
      ["Contact",
        "Questions about this policy: hello@blockscanner.org."],
    ],
  },
  terms: {
    title: "Terms of use",
    updated: "Effective 2026-01-01",
    summary:
      "These terms govern use of the blockscanner website and the audit platform. The " +
      "platform's master services agreement, when applicable, supersedes these terms.",
    sections: [
      // Points would-be testers of the site at the disclosure process.
      ["Acceptable use",
        "Don't probe, scan, or attempt to compromise the site or the platform without " +
        "going through our disclosure process. Don't submit malware. Don't scrape at " +
        "a rate that affects other users."],
      ["Account responsibility",
        "You're responsible for credentials and for activity under your account. Tell us " +
        "immediately if you suspect compromise."],
      ["Engagement scope",
        "Reports we deliver are advisory. We make no warranty that we've found every " +
        "vulnerability in scope; absence of a finding is not absence of a vulnerability."],
      ["Intellectual property",
        "We retain ownership of our analyzers, methodology, and tooling. You retain " +
        "ownership of your code. Reports we produce are licensed to you for internal " +
        "use; publish them with attribution."],
      ["Limitation of liability",
        "To the maximum extent permitted by law, our aggregate liability is capped at " +
        "the fees you paid us in the twelve months preceding the claim. We are not " +
        "liable for indirect or consequential damages."],
      ["Governing law",
        "These terms are governed by the laws of the United States, without regard to " +
        "conflict-of-laws principles."],
      ["Contact",
        "Questions: hello@blockscanner.org."],
    ],
  },
};
// Publish the resolved object for the page template.
window.LEGAL = LEGAL;

// ─── Auth pages ──────────────────────────────────────────────────────────
// The four auth pages share a layout. Each has a title, lede, fields, and a
// primary CTA. Backend wires the form actions; the design templates render
// the inputs and copy.
// Copy and field schemas for the authentication flow. Holds `brand` plus eight
// page entries: signup, login, reset, verify, setPassword, mfaEnroll,
// mfaVerify and backupCodes. Only signup, login, reset and mfaVerify declare
// `fields`.
// NOTE(review): `window.AUTH || {...}` lets a value already on `window` replace
// this literal wholesale, including the link hrefs on the sign-in pages, so
// script load order matters here. `required` and `type` are rendering hints
// only; the backend that handles these forms is not visible in this file and
// has to enforce every rule itself.
const AUTH = window.AUTH || {
  brand: {
    eyebrow: "blockscanner",
    tagline: "Continuous auditing",
  },
  signup: {
    eyebrow: "Create account",
    headline: "Get on the platform.",
    lede:
      "Accounts are currently invite-only. If you've been invited, use the email " +
      "address the invite was sent to.",
    fields: [
      { name: "name",     label: "Name",            type: "text",     required: true },
      { name: "email",    label: "Work email",      type: "email",    required: true },
      { name: "org",      label: "Organization",    type: "text",     required: true },
      // Invite code: required when signup_mode === "invite_only" (the default).
      // SignupStep auto-prefills from ?invite=... and hides this field entirely
      // when signup_mode === "open".
      // NOTE(review): the schema marks this optional, so the invite-only rule
      // can only be enforced server-side. A code carried in a query string can
      // also end up in browser history and request logs — presumably codes are
      // single-use and bound to the invited address; confirm against the
      // backend.
      { name: "invite_code", label: "Invite code", type: "text", required: false,
                             hint: "Use the code or link you were sent. Leave blank if signup is open." },
    ],
    primaryCta:  "Create account",
    secondaryLinks: [
      { label: "Already have an account? Sign in", href: "/auth/login.html" },
    ],
    legal: "By creating an account, you agree to our Terms and Privacy Policy.",
  },
  login: {
    eyebrow: "Sign in",
    headline: "Welcome back.",
    // No lede on this page.
    lede: null,
    fields: [
      { name: "email",    label: "Email",    type: "email",    required: true },
      { name: "password", label: "Password", type: "password", required: true },
    ],
    primaryCta: "Sign in",
    secondaryLinks: [
      { label: "Forgot password?",          href: "/auth/reset.html" },
      { label: "No account? Request one",   href: "/waitlist.html" },
    ],
  },
  reset: {
    eyebrow: "Password reset",
    headline: "Send a reset link.",
    // The wording does not confirm whether the address has an account.
    // NOTE(review): that only holds if the backend returns the same response,
    // with similar timing, for known and unknown addresses — confirm.
    lede:
      "Enter the email associated with your account. If we have a match, you'll receive a " +
      "reset link within a minute.",
    fields: [
      { name: "email", label: "Email", type: "email", required: true },
    ],
    primaryCta: "Send reset link",
    secondaryLinks: [
      { label: "Back to sign in", href: "/auth/login.html" },
    ],
  },
  verify: {
    eyebrow: "Email verification",
    headline: "Check your email.",
    // NOTE(review): the 24-hour lifetime is stated in copy only; the token
    // expiry is set wherever the link is issued, which is not visible here.
    lede:
      "We sent a verification link to the address you signed up with. The link is " +
      "good for 24 hours. Didn't get it? Check spam, then ask us to resend.",
    primaryCta: "Resend verification email",
    secondaryLinks: [
      { label: "Use a different email", href: "/auth/signup.html" },
      { label: "Back to sign in",       href: "/auth/login.html" },
    ],
    // No fields — this page is informational + the resend button.
  },
  // No `fields` declared here; presumably the template supplies the password
  // inputs itself — confirm.
  setPassword: {
    eyebrow: "Almost there",
    headline: "Set your password.",
    lede:
      "Choose a strong password. After this, you'll set up two-factor authentication.",
    primaryCta: "Set password",
  },
  // Offers a passkey as the primary action and an authenticator app as the
  // secondary one.
  mfaEnroll: {
    eyebrow: "Two-factor",
    headline: "Set up a second factor.",
    lede:
      "Pick a passkey for the smoothest experience, or use an authenticator app like " +
      "1Password, Authy, or Google Authenticator.",
    primaryCta: "Use a passkey",
    secondaryCta: "Use an authenticator app",
  },
  mfaVerify: {
    eyebrow: "Two-factor",
    headline: "Confirm it's you.",
    lede: "Enter your code or use your passkey.",
    fields: [
      // Optional because the passkey path on this page needs no code.
      // NOTE(review): the schema has no way to express `inputmode="numeric"`
      // or `autocomplete="one-time-code"`; the template would have to add
      // them. Attempt limiting is a backend concern and is not visible here.
      { name: "totp_code", label: "6-digit code", type: "text", required: false,
        hint: "From your authenticator app." },
    ],
    primaryCta: "Verify",
    secondaryCta: "Use a passkey instead",
  },
  // Shown once the recovery codes have been generated; the codes themselves
  // are not part of this schema.
  backupCodes: {
    eyebrow: "Recovery",
    headline: "Save these recovery codes.",
    lede:
      "Each code works once. Store them somewhere safe — they're your only path back " +
      "in if you lose every authenticator.",
    primaryCta: "I saved them",
  },
};
// Publish the resolved object for the auth templates.
window.AUTH = AUTH;

// Re-publishes all nine schemas on `window` in one call. Each constant is also
// assigned to `window` individually right after its definition, so this only
// repeats those assignments with the same values.
Object.assign(window, {
  DEEPDIVE_DEFAULTS, ABOUT, WAITLIST, ERROR404, ERROR500, DISCLOSE, CASES, LEGAL, AUTH,
});
