That still doesn't make sense. How does the ACL work? What prevents the usual shenanigans like cloaking to prevent legitimate detection from working? Moreover, what secrets are you even trying to detect? The app API token?
I can't be constructive when your proposal is too vague to know how it works. I'm forced to take potshots at what I think it is, and you're getting upset because I'm not "constructive". Thoroughly explain how your plan works beyond the two sentences in your original post, and I can be "constructive".