Centralized update manifest service for QuinnLabs applications. Content here is machine-facing — applications poll well-known URLs to check for releases.
/.well-known/keys/chatalot.pub.
Channel endpoints:
/chatalot/channels/{canary,beta,stable}/latest.json.
Every release manifest is signed with a per-app cosign key. Clients verify signatures
against the corresponding .well-known/keys/<app>.pub before trusting.
A compromise of this static hosting cannot deliver a malicious update without the
signature check failing at the client.