feat(public): unified disclosure page with sub-tabs (disclosure + claim + opt-out + abuse)

The /disclosure (new), /claim, /opt-out, /abuse routes now serve a
single focused HTML extracted from public-site.html. Path-driven
sub-tab JS reveals the matching pane on load and intercepts tab
clicks with history.pushState (graceful fallback if JS disabled —
each path serves the same HTML directly). Existing form-POST
endpoints under /api/public/* are unchanged.

Test: public_disclosure_routes_serve_form_content (in-process,
GETs all 4 paths and asserts each carries #responsible-disclosure +
#claim + #opt-out + #abuse + the sub-tab strip).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: skullcmd

src/bin/anyscan-api.rs

@@ -419,9 +419,10 @@ async fn main() -> Result<()> {
         .route("/app/overview", get(operator_pages::operator_overview))
         .route("/scanning-policy", get(public_page))
         .route("/scanner-identity", get(public_page))
-        .route("/opt-out", get(public_page))
-        .route("/claim", get(public_page))
-        .route("/abuse", get(public_page))
+        .route("/opt-out", get(public_disclosure))
+        .route("/claim", get(public_disclosure))
+        .route("/abuse", get(public_disclosure))
+        .route("/disclosure", get(public_disclosure))
         .route("/data-policy", get(public_page))
         .route("/.well-known/security.txt", get(security_txt))
         .route("/api/public/profile", get(public_profile))
@@ -604,6 +605,10 @@ async fn public_page() -> Html<&'static str> {
     Html(include_str!("../../public-site.html"))
 }
 
+async fn public_disclosure() -> Html<&'static str> {
+    Html(include_str!("../../templates/public/disclosure.html"))
+}
+
 async fn enforce_worker_only_host_routes(
     State(state): State<Arc<AppState>>,
     request: Request,
@@ -4483,4 +4488,43 @@ mod tests {
         assert!(resolved.request_opt_in_enabled);
         assert!(resolved.is_enabled());
     }
+
+    #[tokio::test]
+    async fn public_disclosure_routes_serve_form_content() {
+        use axum::{Router, routing::get};
+        use tokio::net::TcpListener;
+
+        let app = Router::new()
+            .route("/disclosure", get(public_disclosure))
+            .route("/claim", get(public_disclosure))
+            .route("/opt-out", get(public_disclosure))
+            .route("/abuse", get(public_disclosure));
+        let listener = TcpListener::bind("127.0.0.1:0").await.unwrap();
+        let addr = listener.local_addr().unwrap();
+        let server = tokio::spawn(async move {
+            axum::serve(listener, app).await.unwrap();
+        });
+
+        for path in ["/disclosure", "/claim", "/opt-out", "/abuse"] {
+            let body = reqwest::get(format!("http://{addr}{path}"))
+                .await
+                .unwrap()
+                .text()
+                .await
+                .unwrap();
+            assert!(
+                body.contains(r#"id="responsible-disclosure""#),
+                "missing responsible-disclosure on {path}"
+            );
+            assert!(body.contains(r#"id="claim""#), "missing #claim on {path}");
+            assert!(body.contains(r#"id="opt-out""#), "missing #opt-out on {path}");
+            assert!(body.contains(r#"id="abuse""#), "missing #abuse on {path}");
+            assert!(
+                body.contains("data-disclosure-tabs"),
+                "sub-tab strip missing on {path}"
+            );
+        }
+
+        server.abort();
+    }
 }