Web Bot Disclosure and Verification

1. Bot Operator Information

2. Bot Technical Specifications

2.1 Identification

• User-Agent String: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36 (Nava/1.0)
• Verified Domains:
  • Development: dev.labs-asp.navateam.com
  • Production: app.labs-asp.navateam.com
• Verification Method: HTTP Message Signatures (RFC 9421) using Ed25519 cryptographic keys
• Cloudflare Status: Registered Verified Bot (Signed Agent)

2.2 Public Key Infrastructure

All HTTP requests originating from this bot are cryptographically signed. Public keys for verification are accessible via the following endpoints:

• Development: https://dev.labs-asp.navateam.com/.well-known/http-message-signatures-directory
• Production: https://app.labs-asp.navateam.com/.well-known/http-message-signatures-directory

2.3 Technology Stack

• Browser Engine: Chromium via Playwright automation framework
• AI Model: Anthropic Claude Sonnet 4.5
• Infrastructure: Google Cloud Platform (Cloud Run, Compute Engine)
• Runtime: Node.js (TypeScript)
• Framework: Mastra.ai agent orchestration

3. Operational Parameters

3.1 Purpose and Scope

This bot is designed exclusively to assist social service caseworkers in navigating government benefit portals and information websites on behalf of families seeking public support services including, but not limited to, WIC (Women, Infants, and Children), SNAP (Supplemental Nutrition Assistance Program), and Medicaid.

3.2 Operational Model

The bot operates autonomously based on caseworker intent. Authorized caseworkers provide high-level objectives through a secure web interface (e.g., “research WIC eligibility requirements for California residents”), and the AI-powered system autonomously:

• Performs web searches using commercial search engines
• Navigates to relevant government and institutional websites
• Extracts and synthesizes information from web pages
• Populates application forms with participant data from secure databases
• Captures screenshots and documentation for case records

All bot activity is initiated and supervised by authenticated human caseworkers. The system does not operate independently or crawl the web without explicit human direction.

3.3 Access Control

• Access restricted to authenticated caseworkers via secure login
• Role-based access control (RBAC) enforced
• All sessions logged and auditable
• Multi-factor authentication available for sensitive operations

3.4 Rate Limiting and Resource Consumption

• Maximum Concurrent Sessions: 5 browser instances per environment
• Request Timeout: 3600 seconds (1 hour) maximum per workflow
• Throttling: Automatic delays implemented to prevent target site overload
• Respect for robots.txt: Standard web crawling conventions honored

4. Data Protection and Privacy

4.1 Data Handling

• Participant personally identifiable information (PII) stored in encrypted PostgreSQL databases
• Data transmission encrypted via TLS 1.3
• Compliance with HIPAA privacy and security rules where applicable
• Data retention policies aligned with government record-keeping requirements

4.2 Security Measures

• Application Default Credentials (ADC) for service authentication (no static API keys)
• Google Cloud Secret Manager for sensitive credential storage
• Network isolation via VPC and firewall rules
• Regular security audits and dependency updates
• Comprehensive audit logging of all bot actions

5. Responsible Crawling Practices

5.1 Website Interaction Policy

This bot commits to:

• Transparent identification: Uses verified cryptographic signatures on all requests
• Human-paced interaction: Session timing mimics human behavior patterns
• Respectful resource usage: No aggressive scraping or automated mass downloads
• Standards compliance: Honors HTTP headers, robots.txt, and meta robots tags
• Error handling: Graceful degradation on access denial or rate limiting

5.2 Prohibited Activities

This bot will NOT:

• Attempt to circumvent access controls or authentication mechanisms
• Execute denial-of-service attacks or resource exhaustion techniques
• Harvest data for commercial purposes unrelated to case management
• Access non-public areas without explicit authorization
• Impersonate human users for fraudulent purposes

6. Cloudflare Pay Per Crawl Program

This bot participates in Cloudflare's Verified Bots program and the Pay Per Crawl beta program. As a Signed Agent, all requests include:

• HTTP Message Signature headers proving authenticity
• Signature-Agent header referencing public key directory
• Cryptographic proof of domain ownership

Website operators using Cloudflare can verify request authenticity and opt into pay-per-crawl billing for bot traffic originating from this system.

7. Legal and Compliance

7.1 Applicable Laws

This bot operates in compliance with:

• Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030
• Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules
• Federal and state data protection regulations
• Terms of Service of accessed websites (where applicable to government work)

7.2 Liability and Indemnification

Nava Public Benefit Corporation maintains appropriate insurance coverage and indemnification agreements with client government agencies for services provided via this system.

8. Contact and Dispute Resolution

8.1 Technical Support

For technical issues, verification questions, or access control requests, contact: labs-asp@navapbc.com

8.2 Security Reports

To report security vulnerabilities or suspected abuse, contact: labs-asp@navapbc.com

8.3 Website Operator Requests

Website operators wishing to block this bot, adjust rate limits, or negotiate access terms should contact: labs@navapbc.com

9. Source Code and Transparency

This project is open source. The complete codebase, infrastructure configuration, and deployment documentation are available at: https://github.com/navapbc/labs-asp