Rename operator-model → site-model and sweep "operator" prose

The "Operator model" doc page is renamed to "Site model" and the
"operator" framing is dropped throughout the docs handbook in
favor of direct address ("you", "site", or just dropping the
qualifier where it added nothing). Three exceptions: the phrase
"bot operators" stays as-is in faq.md and site-model.md because
there it refers to the adversaries running bots, not to anyone
running mod_botshield.

Mechanics:
- docs-src/operator-model.md → docs-src/site-model.md (git mv).
- 11 cross-links across 8 docs-src files retargeted to
  ../site-model/index.html.
- Three docs/index card summaries de-"operator"-ed.
- README.md: "Operator handbook" → "Site handbook" and the table
  entry now points at docs-src/site-model.md.
- CHANGELOG.md: "Operator handbook" entry renamed to "Site
  handbook" plus one inline prose tweak.

The rebuilt docs/ output for these doc pages lands in the
following commit alongside the home-page polish work.

Author: nkissebe

CHANGELOG.md

@@ -65,7 +65,7 @@
   wrk-driven, results saved per timestamp. Cookied scenario mints
   a real `_bs_verified` and replays. `LogLevel info` scenario
   measures decision-log overhead.
-- Operator handbook: 9 markdown source files (~2,400 lines) under
+- Site handbook: 9 markdown source files (~2,400 lines) under
   `docs-src/`, rendered to `docs/` via `tools/build_site.py`.
 - Performance section in `docs-src/deployment.md` with single-
   connection / saturation / fixed-rate framing.
@@ -113,7 +113,7 @@
   `app_claims_secret` into one shared `app_integration_secret` —
   the two protocols' canonical forms are structurally distinct
   (single-field vs seven-field) so cross-replay isn't possible,
-  and operators no longer maintain two key files.
+  and you no longer maintain two key files.
 - **E14 rework: replaced adaptive-intensity machinery with
   `BotShieldFlagTrigger`.** Original E14 design used a flag-meta
   registry with `penalty=` / `next_difficulty=` / `next_tier=`

README.md

@@ -26,7 +26,7 @@ code has to absorb the traffic.
 
 **Status: beta.** Stable shape, exercising in dev; not yet a production
 deployment. Architecture, threat model, and per-extension design notes
-live in [DESIGN.md](DESIGN.md). Operator-facing handbook is rendered to
+live in [DESIGN.md](DESIGN.md). Site handbook is rendered to
 GitHub Pages from `docs-src/`; see the [documentation index](#documentation)
 below.
 
@@ -97,14 +97,14 @@ chmod 600 /etc/botshield/secret`. Full setup walkthrough in
 
 ## Documentation
 
-Operator handbook (rendered to
+Site handbook (rendered to
 [hubzero.github.io/botshield](https://hubzero.github.io/botshield/)
 from these sources):
 
 | Topic | Source |
 |---|---|
 | Getting started — install, first vhost, smoke test | [`docs-src/getting-started.md`](docs-src/getting-started.md) |
-| Operator model — scoring, tiers, cookie reputation, multi-vhost | [`docs-src/operator-model.md`](docs-src/operator-model.md) |
+| Site model — scoring, tiers, cookie reputation, multi-vhost | [`docs-src/site-model.md`](docs-src/site-model.md) |
 | Directives reference | [`docs-src/directives.md`](docs-src/directives.md) |
 | Policy — triggers, rate limits, block-paths, robots.txt | [`docs-src/policy.md`](docs-src/policy.md) |
 | Captcha tier — providers, hardening, configuration | [`docs-src/captcha.md`](docs-src/captcha.md) |

docs-src/captcha.md

@@ -57,7 +57,7 @@ shouldn't black-hole legitimate traffic.
 
 `BotShieldCaptchaCABundle` is optional. If unset, libcurl uses its
 compiled-in default (usually `/etc/ssl/certs/ca-certificates.crt`
-on Debian-family). Operators with custom trust stores or air-gapped
+on Debian-family). Sites with custom trust stores or air-gapped
 deployments can pin a specific bundle.
 
 ### Verify-endpoint hardening
@@ -91,7 +91,7 @@ BotShieldCaptchaMaxInFlight  64   # global, 1..1024
 
 Several providers (hCaptcha, reCAPTCHA, Turnstile) return a
 `hostname` and `action` field in the siteverify response. mod_
-botshield validates these against operator-configured expectations:
+botshield validates these against the configured expectations:
 
 ```apache
 BotShieldCaptchaExpectedHostname  example.com
@@ -265,6 +265,6 @@ parser shape, not by key separation.
 ## Where to next
 
 - Real-world deployment topology: [deployment](../deployment/index.html).
-- Tier model and scoring: [operator model](../operator-model/index.html).
+- Tier model and scoring: [site model](../site-model/index.html).
 - Triggers, allow lists, robots: [policy](../policy/index.html).
 - Decision log + metrics: [observability](../observability/index.html).

docs-src/deployment.md

@@ -83,7 +83,7 @@ clients with the legacy cookie still work during the transition.
 
 Each vhost gets its own isolated bot reputation by default. A bot
 flagged on `site-a.example.com` doesn't carry that flag to
-`site-b.example.com`. Operators running many vhosts on one Apache
+`site-b.example.com`. Sites running many vhosts on one Apache
 instance get per-site detection without configuring anything.
 
 ### Default: auto-isolation per ServerName
@@ -105,7 +105,7 @@ automatically maintain separate reputation. No configuration required.
 ```
 
 Different sites usually have different threat models — the strict
-isolation is what most operators want.
+isolation is what most sites want.
 
 ### Opt-in shared reputation: `BotShieldShareScope`
 
@@ -167,7 +167,7 @@ emit a NOTICE and are ignored. The SHM segment is module-global, so
 sizing happens once at the main-server level.
 
 The headroom watchdog logs notices when any table approaches
-capacity, so operators can size reactively rather than guess
+capacity, so you can size reactively rather than guess
 up-front. Look for log lines of the form:
 
 ```
@@ -216,7 +216,7 @@ save more work than many pass-through BotShield checks cost.
 The `tests/bench/run-bench.sh` and `tests/bench/run-rate-bench.sh`
 drivers reproduce these measurements on your own hardware. Raw
 `wrk` / `oha` output is saved under `tests/bench/results/` so
-operators can inspect the full latency and throughput distribution
+you can inspect the full latency and throughput distribution
 when sizing a deployment.
 
 ## State persistence
@@ -276,7 +276,7 @@ file.
 
 ## Where to next
 
-- Tier model, scoring, decision log: [operator model](../operator-model/index.html).
+- Tier model, scoring, decision log: [site model](../site-model/index.html).
 - Allow lists, rate limits, triggers: [policy](../policy/index.html).
 - Captcha and app-bridge integration: [captcha](../captcha/index.html).
 - Staging policy changes safely: [staging](../staging/index.html).

docs-src/directives.md

@@ -1,9 +1,9 @@
 # Directive reference
 
 mod_botshield registers 78 directives at config time. This page is
-the canonical operator-facing reference, grouped by family. The
+the canonical reference, grouped by family. The
 underlying source-of-truth is `bs_cmds[]` in `src/botshield.c:139` —
-operators tuning behavior should treat the source as authoritative
+when tuning behavior, treat the source as authoritative
 when it disagrees with a doc page.
 
 ## Scope and validity
@@ -92,7 +92,7 @@ Tier dispatch ladder:
 - `BotShieldScoreHard ≤ score < BotShieldScoreCaptcha` → form
 - `BotShieldScoreCaptcha ≤ score` → captcha (or form if no provider)
 
-See [operator model](../operator-model/index.html) for the full scoring
+See [site model](../site-model/index.html) for the full scoring
 discussion.
 
 `BotShieldForgivenessCapPerHour` caps total cookie-side
@@ -108,16 +108,16 @@ resistance; 0 disables (legacy behavior).
 
 `interstitial` (the default) serves a no-click splash page that
 auto-submits a SHA-256 PoW on load — the legacy silent-tier
-behavior. `embedded` instead hands off to the operator-included
+behavior. `embedded` instead hands off to the site-included
 `/botshield/embedded.js` wrapper: the page serves DECLINED (real
 content) and the wrapper does the PoW in a Web Worker, then POSTs
 the result back to `/botshield/embedded-verify` to mint
 `_bs_verified` on the next request. Embedded mode trades a brief
 window where the cookie isn't yet on the client (the very first
 request goes through unverified) for a zero-interstitial UX.
 
-Embedded mode requires the operator to include the wrapper
-script in their page templates; without it, the request still
+Embedded mode requires you to include the wrapper
+script in your page templates; without it, the request still
 serves the real content but no cookie ever lands.
 
 ## Widget customization
@@ -141,7 +141,7 @@ block itself. Max 256 KiB.
 
 Logo and help files are 64 KiB max each. Logo content is served
 inline as `<img>`-equivalent SVG; help content is rendered as
-trusted HTML (no escaping — operator owns sanitization).
+trusted HTML (no escaping — you own sanitization).
 
 `BotShieldShowLogo/Label/Box` strip widget chrome down to a lone
 checkbox if the surrounding page styles its own chrome. When label
@@ -316,7 +316,7 @@ This is the directive that replaces the legacy `BotShieldFlagIP`
 Action verbs: `action=score add=N` (signed N -1000..1000),
 `action=tier_floor min=<tier>` (raise effective tier; tier is one
 of `pass`/`silent`/`form`/`captcha`). The `reset` keyword clears
-all earlier triggers (compiled-in defaults + prior operator
+all earlier triggers (compiled-in defaults + prior
 declarations) for the named flag at post-config time.
 
 Flag bits: `honeypot_hit`, `scanner_probe`, `fake_bot`,
@@ -391,7 +391,7 @@ and security model.
 
 ## Where to next
 
-- Conceptual model and scoring: [operator model](../operator-model/index.html).
+- Conceptual model and scoring: [site model](../site-model/index.html).
 - Deployment topology and capacity: [deployment](../deployment/index.html).
 - Per-family policy semantics: [policy](../policy/index.html).
 - Captcha and app-bridge integration: [captcha](../captcha/index.html).

docs-src/faq.md

@@ -5,10 +5,10 @@
 ### Does this just block all bots?
 
 No, and that's deliberate. The goal isn't bot elimination — it's
-*operator control over the terms of access*. Search-engine
+*site control over the terms of access*. Search-engine
 crawlers, LLM training bots, archival crawlers, monitoring
-agents, partner integrations — many of these are bots an operator
-*wants* to reach the content, but on conditions the operator sets:
+agents, partner integrations — many of these are bots a site
+*wants* to reach the content, but on conditions the site sets:
 when, how often, which paths, with what rate cap, with what
 attribution. mod_botshield's primitives are built around setting
 those terms:
@@ -17,7 +17,7 @@ those terms:
   configured CIDR ranges are loaded, verified crawlers (UA-and-IP
   match against the published ranges) bypass the score ladder
   entirely. The built-in seed list covers Googlebot, Bingbot,
-  and Applebot; operators add others via `BotShieldAllowBot` and
+  and Applebot; you add others via `BotShieldAllowBot` and
   refresh ranges out of band with `tools/refresh-bot-ranges.sh`.
 - **Robots.txt enforcement.** A bot that ignores your `Disallow`
   rules gets enforced at the policy layer — robots.txt is no
@@ -36,7 +36,7 @@ those terms:
 A site that wanted to block every bot could do that with much
 less than mod_botshield offers. The reason this module exists is
 that "block everything that isn't a real human browser" is the
-*wrong* answer for most operators — they want search-engine
+*wrong* answer for most sites — they want search-engine
 indexing, want LLM crawlers to cite them under controlled terms,
 want monitoring to reach health endpoints, want partner bots to
 hit their API. mod_botshield is the policy surface for saying
@@ -62,7 +62,7 @@ What Cloudflare gives you that mod_botshield doesn't:
   application-layer attacks orders of magnitude bigger than a
   single Apache instance can survive.
 - **Managed challenges and turnkey product.** No tuning, no
-  capacity sizing, no operator log-grepping. Pay the bill, get a
+  capacity sizing, no log-grepping. Pay the bill, get a
   policy.
 
 What mod_botshield gives you that Cloudflare doesn't:
@@ -72,7 +72,7 @@ What mod_botshield gives you that Cloudflare doesn't:
 - **No vendor lock-in or recurring cost.** Bot mitigation that
   goes beyond simple known-bad-IP blocking is typically a paid
   tier with managed CDNs.
-- **Operator control.** You write the rules in Apache config you
+- **Direct control.** You write the rules in Apache config you
   already understand; you don't have to learn a separate dashboard
   or wait for a vendor to add a feature.
 
@@ -304,7 +304,7 @@ For challenged requests, yes, the user experiences friction
 of clicked PoW; captcha for as long as the provider takes). That's
 the entire point: *make scraping expensive without making real use
 expensive*. The threshold tuning workflow in
-[staging](../staging/index.html) is the operator handle on where
+[staging](../staging/index.html) is your handle on where
 that line falls.
 
 ### Does it work with PHP / FastCGI / mod_php / mod_proxy / nginx upstream?
@@ -342,7 +342,7 @@ Yes — it's just an Apache module. The constraints are:
 ### How much memory does it use?
 
 Default: 16 MiB SHM segment shared across all workers, growing as
-operators raise capacity directives. Per-process overhead is
+sites raise capacity directives. Per-process overhead is
 negligible (the `.so` is a few hundred KB; no per-request heap
 allocation outside of Apache's `r->pool` which is freed at request
 end).
@@ -355,15 +355,15 @@ sizing is documented in [deployment](../deployment/index.html#capacity-sizing).
 ### Does it phone home? Send data anywhere?
 
 No. The module makes outbound network calls in two
-operator-controlled categories:
+configured categories:
 
 1. **Captcha siteverify.** When `BotShieldCaptchaProvider` is
    configured, mod_botshield makes one HTTPS POST per verify
    attempt to the configured provider's siteverify URL with the
    client's captcha token (and the client IP as the `remoteip`
    field). This fires from three paths: the `/captcha-verify`
    endpoint, the silent-tier embedded-verify endpoint when an
-   operator pairs silent with a captcha provider, and the
+   site pairs silent with a captcha provider, and the
    form-captcha fixup. No siteverify call ever happens without
    a captcha provider explicitly configured on the scope.
 
@@ -376,8 +376,8 @@ operator-controlled categories:
 2. **Bot-range refresh script.** `tools/refresh-bot-ranges.sh`
    fetches published JSON from search-engine providers
    (Googlebot, Bingbot, etc.) and rewrites the CIDR files in
-   `/var/lib/botshield/bots/`. This runs only when the operator
-   invokes it (cron or manual); the module itself never makes
+   `/var/lib/botshield/bots/`. This runs only when you
+   invoke it (cron or manual); the module itself never makes
    these calls at runtime.
 
 No telemetry. No analytics. No phoning the project. The module is
@@ -415,7 +415,7 @@ The module's data footprint (client IP + flag bits + TTL) is
 generally classified as personal data under GDPR. Considerations:
 
 - **Lawful basis.** Bot mitigation is generally a "legitimate
-  interest" — preventing scraping of operator data. Document the
+  interest" — preventing scraping of site data. Document the
   basis in your privacy notice.
 - **Retention.** Flagged-IP entries expire after the configured
   TTL (default 1 hour for honeypot hits). The Bloom filter
@@ -456,11 +456,11 @@ mod_botshield fails open for siteverify timeouts. If
 provider responds, the verification path treats the request as
 passing — same outcome it would get without the provider. A
 WARNING-level log line carries the literal string `failing open`
-so operators can grep / alert on it. The Prometheus metrics
+so you can grep / alert on it. The Prometheus metrics
 count these as `outcome=failopen`.
 
 The reasoning: a third-party provider outage shouldn't black-hole
-legitimate traffic. Operators preferring fail-closed semantics
+legitimate traffic. Sites preferring fail-closed semantics
 can wrap the provider in a circuit breaker (e.g. require captcha
 tier through a different path that doesn't fail-open) but that
 isn't the default.
@@ -472,9 +472,9 @@ mod_botshield degrades gracefully:
 - Periodic state-file snapshots stop. The graceful-shutdown save
   still runs.
 - The capacity headroom watchdog stops emitting NOTICE/WARN
-  lines. Operators can read the same data from the on-demand
+  lines. You can read the same data from the on-demand
   Prometheus gauges (`botshield_shm_flagged_used` etc.).
-- The robots.txt mtime-poller stops. Operators must reload Apache
+- The robots.txt mtime-poller stops. You must reload Apache
   to pick up robots.txt changes.
 - The load sampler stops; load triggers won't fire.
 
@@ -578,7 +578,7 @@ permanent denial better than mod_botshield does.
 ## Where to next
 
 - Install + minimal config: [getting-started](../getting-started/index.html).
-- Tier model and scoring: [operator-model](../operator-model/index.html).
+- Tier model and scoring: [site model](../site-model/index.html).
 - Allow lists, triggers, robots: [policy](../policy/index.html).
 - Captcha + app-bridge: [captcha](../captcha/index.html).
 - Common operational issues: [troubleshooting](../troubleshooting/index.html).

docs-src/getting-started.md

@@ -94,7 +94,7 @@ Drop a single block into the vhost you want gated:
 
 That's the floor. Everything else (tier thresholds, forgiveness,
 allow lists, captcha providers, triggers) ships with reasonable
-defaults documented on the [operator model](../operator-model/index.html) and
+defaults documented on the [site model](../site-model/index.html) and
 [directives](../directives/index.html) pages.
 
 `BotShieldAlgorithm sha256-zeros` is currently the only built-in PoW
@@ -161,7 +161,7 @@ curl -sk -A "python-requests/2.31" https://example.test/ | grep -c BOTSHIELD
 
 If you don't see the widget, the heuristic configuration on your
 scope likely diverges from the defaults — see
-[operator model](../operator-model/index.html#tuning-workflow) for the
+[site model](../site-model/index.html#tuning-workflow) for the
 tuning workflow and [observability](../observability/index.html) for how
 to inspect what each request scored.
 
@@ -192,7 +192,7 @@ gradual rollback prefer `BotShieldShadowMode on` (see
 ## Where to next
 
 - Real-world deployments behind a proxy: [deployment](../deployment/index.html).
-- Tier model, scoring, and tuning: [operator model](../operator-model/index.html).
+- Tier model, scoring, and tuning: [site model](../site-model/index.html).
 - Allow lists, rate limits, and triggers: [policy](../policy/index.html).
 - Third-party captcha integration: [captcha](../captcha/index.html).
 - Metrics, decision log, mod_status: [observability](../observability/index.html).