Then you can put monitor.txt behind that password protected endpoint too. My point is that whoever you need to give access to the file also has access to the actual website, which has all the information (it has to, since it's supposed to be able to test against it).
Just because it's all public does not mean I want one single source that in plain English (err.. cucumber?) defines key areas of my website that I want to ensure are always up.
Seems to me this just gives potentials hackers a map to the public end points of my most important areas.
Everything you put in monitors.txt has to be publicly accessibly anyhow. What could is reveal that the actual website doesn't?