When the hosted /login page is loaded (whether on direct visit or via redirect from a protected route), the initial HTML payload contains the complete list of every page/route in my project as plain text. During the FOUC window before the styled form renders, this is visible to the user as a vertical list of route names.
In my project, this includes:
Public marketing routes (Home, Services, Process, Privacy — fine, expected)
Internal seller-facing routes (SellerValuation, SellerIntake, SellerDocuments, SellerDealRoom — sensitive)
Internal investor routes (InvestorPortal, InvestorProfile, InvestorCriteria, InvestorDeals, InvestorDealRoom)
Admin/case manager routes (CaseManagerDashboard, CaseManagerDealView, CaseManagerIOIQueue, CaseManagerDealRoom)
Operational tools (RunInvestorMatching, ActivityAudit, OutreachManager)
The case manager and admin route names are particularly sensitive — they describe internal tooling that's not linked from anywhere on the public site and shouldn't be discoverable by visitors.
Even setting aside the FOUC (which makes it visible to humans), this list is in the HTML source on every login page load and can be scraped trivially. It gives anyone reconnaissance value about the structure of internal admin tooling.
Requests:
Stop including the project's full route list in the /login page's initial HTML. The login page only needs to render the login form.
If route enumeration is needed for routing/auth purposes, do it client-side after authentication, not in the initial document.
Confirm whether this affects all Base44-hosted apps or only certain configurations.
I've also reported this to security@base44.com per the support agent's recommendation, but posting here so other customers can vote and the engineering team can prioritize.
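An added example (not part of the original post and not Base44's code): a small regression check a customer or the engineering team could run against their own deployment to confirm that the internal route names no longer appear in the initial, unauthenticated /login HTML. The route names are copied from the post above; the two sample HTML documents and the fetch URL are constructed assumptions.

```python
"""Regression check for the route-list leak described in the post: scan the
unauthenticated /login HTML for internal route names.

Added example, not Base44's code. Route names come from the post; the sample
HTML documents below are constructed for illustration."""
import re
import urllib.request

# Route names the post classifies as internal (not linked from the public site).
INTERNAL_ROUTES = frozenset({
    "SellerValuation", "SellerIntake", "SellerDocuments", "SellerDealRoom",
    "InvestorPortal", "InvestorProfile", "InvestorCriteria", "InvestorDeals", "InvestorDealRoom",
    "CaseManagerDashboard", "CaseManagerDealView", "CaseManagerIOIQueue", "CaseManagerDealRoom",
    "RunInvestorMatching", "ActivityAudit", "OutreachManager",
})


def leaked_routes(html: str, internal=INTERNAL_ROUTES) -> list[str]:
    """Return the internal route names that occur anywhere in the document.

    The whole raw HTML is scanned (text nodes, attributes and inline scripts alike),
    because a name inlined in a script tag is just as scrapeable as one shown during
    the FOUC. Word boundaries keep 'Home' from matching inside a longer token."""
    return sorted(name for name in internal if re.search(rf"\b{re.escape(name)}\b", html))


def login_page_is_clean(html: str) -> bool:
    """True when the initial login document exposes no internal route names."""
    return not leaked_routes(html)


def fetch_login_html(url: str, timeout: float = 10.0) -> str:
    """Fetch the login page the way an unauthenticated visitor sees it (no cookies).

    The URL is an assumption; point it at your own deployment's /login."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: the situation the post describes, a route manifest inlined into the HTML.
LEAKY_LOGIN_HTML = """<!doctype html><html><body>
<div id="root">Home Services Process Privacy
SellerValuation SellerIntake CaseManagerDashboard RunInvestorMatching</div>
<script>window.__ROUTES__=["Home","InvestorPortal","ActivityAudit"];</script>
</body></html>"""

# Constructed sample: the requested state, only public entries plus the login form.
CLEAN_LOGIN_HTML = """<!doctype html><html><body>
<div id="root"><form action="/login" method="post">
<input name="email"><input name="password" type="password"><button>Sign in</button>
</form></div>
<script>window.__ROUTES__=["Home","Services","Process","Privacy"];</script>
</body></html>"""

if __name__ == "__main__":
    for label, doc in (("leaky", LEAKY_LOGIN_HTML), ("clean", CLEAN_LOGIN_HTML)):
        print(label, "->", leaked_routes(doc) or "no internal routes exposed")
    # Against a live deployment (assumed URL):
    # print(leaked_routes(fetch_login_html("https://your-app.example/login")))
```

Run it from CI after each deploy; a non-empty result from `leaked_routes` on the live login page means the route manifest is back in the initial document. Scanning the raw document rather than only visible text matters, since the post's concern is scraping, not just what the FOUC shows.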
In Review
Feature Request
About 2 hours ago

Mir Faisal Talpur