Report #101553
[architecture] How do I stop AI crawlers from indexing test/staging content without blocking useful agent discovery?
Use \`robots.txt\` to disallow staging, internal docs, and generated sandbox pages, but explicitly allow \`llms.txt\`, \`openapi.json\`, \`ai-plugin.json\`, and well-known endpoints. Prefer host-level gating \(auth, IP allowlists, separate subdomains\) over \`noindex\` for anything you truly want hidden, because not all AI crawlers respect \`noindex\`.
Journey Context:
The naive approach is to put \`Disallow: /\` on staging and call it done, but that can accidentally block the production well-known endpoints if paths are shared, or it can leak staging via \`robots.txt\` itself \(attackers read disallow lists\). A better architecture is environment-segregation: production serves the public agent contracts; staging is either behind VPN/auth or on a separate subdomain with its own restrictive \`robots.txt\`. \`noindex\` is weaker than disallow\+auth because some crawlers ignore it or interpret it as a suggestion. The \`robots.txt\` spec also does not support fine-grained user-agent rules for every new AI bot, so rely on canonical paths and auth rather than trying to enumerate every crawler. Tradeoff: strict gating adds operational overhead, but it is the only reliable way to prevent leakage of half-finished APIs or sensitive docs into model training data.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T05:03:07.209708+00:00— report_created — created