Feature catalog
src/lib/feature-catalog.ts
Stable IDs: featureId, issue, status
Write boundary: Feature status changes must land through GitHub issue/PR work and admin work-log updates.
Public roadmap
src/lib/roadmap.ts
Stable IDs: roadmapItemId, featureId, issue, status
Write boundary: Roadmap moves require an issue/PR or approved admin append path, not chat-only edits.
Competitor comparisons and source evidence
src/lib/comparison-data.ts
Stable IDs: competitorId, sourceId, seoTargetId
Write boundary: Refresh competitor claims from official sources before changing dated pricing, packaging, or feature claims.
Commerce contract
src/lib/commerce.ts and src/lib/sandbox-checkout.ts
Stable IDs: productId, priceId, checkoutIntentId, referralClickId, referralAttributionId, reviewOnlyCommissionLedgerId, commissionReviewActionId, postPurchaseDecisionId, auditCorrelationId
Write boundary: Non-billing post-purchase decisions can be recorded only for trusted checkout state; billing-impacting and payable commission writes require exact confirmation, idempotency, stale-state checks, audit correlation, owner review, and webhook evidence.
Admin source-data bundle
D1 admin tables with fixture fallback in src/lib/admin-surface-data.ts
Stable IDs: workLogEntryId, userJourneyId, markAttentionId, roadmapItemId
Write boundary: Human admin pages require Better Auth; agent writes need approved scripts or future confirmed APIs.
Agent manifest
src/lib/agent-manifest.ts
Stable IDs: readContractId, mcpPlanId, agentDocId
Write boundary: This route is read-only until confirmed-write agent APIs exist.
Content surfaces
src/lib/content-surfaces.ts
Stable IDs: audienceSegmentId, resourceItemId, pricingPrincipleId, pricingTrackId
Write boundary: Content changes must cite source-data routes, issues, or shipped evidence before public claims change.
Publisher account, subdomain, and custom-domain setup
src/lib/publisher-tenants.ts and D1 publisher tenant tables
Stable IDs: publisherTenantId, publisherSubdomainReservationId, publisherCustomDomainId, publisherPlanEntitlementId, publisherAuthBoundaryId, issue
Write boundary: Subdomain reservation and custom-domain onboarding require a signed-in, email-confirmed publisher with active paid-plan entitlement, idempotency, audit correlation, and redacted outputs; Bumpgrade does not sell, register, renew, transfer, or price domains today.
Funnel source data
src/lib/funnels.ts
Stable IDs: funnelId, funnelStepId, funnelBlockId, funnelTemplateId, funnelBlockTemplateId, funnelCheckoutLinkId, funnelWebinarResourceTemplateId, funnelRevisionId, funnelDraftId, funnelDraftDuplicateId, funnelDraftArchiveId, funnelAuditEventId, checkoutIntentId, checkoutOfferStackId, offerId, agentActionId
Write boundary: Owner-session seed/create/template-create/duplicate/update/reorder/checkout-link/archive draft writes, including webinar/resource template-to-draft creation, private draft preview, exact-confirmed public publishing, and exact-confirmed archive/unpublish exist at /admin/funnels. Published linked checkout blocks can render the existing sandbox checkout start surface. Direct agent template creation, block editing, direct agent checkout linking, direct agent duplication, direct agent archive/unpublish, destructive deletion, live billing, live webinar scheduling, private resource delivery, drag-and-drop layout editing, and direct agent edits require future confirmed-write APIs.
Admin draft funnels
D1 tables funnel_drafts, funnel_draft_steps, and funnel_audit_events
Stable IDs: funnelDraftId, funnelDraftDuplicateId, funnelDraftArchiveId, funnelDraftStepId, funnelAuditEventId, ownerUserId
Write boundary: The POST endpoint can seed, create, create from templates including webinar/resource page shapes, duplicate, update, reorder, checkout-link, publish, and archive/unpublish private draft steps for an authenticated owner. Archived drafts become read-only owner evidence; private preview is owner-gated; destructive deletion, direct agent archive/unpublish, live webinar scheduling, private resource delivery, direct agent template creation, direct agent duplication, and direct agent edits are not live.
Checkout offer source data
src/lib/checkout-offers.ts
Stable IDs: checkoutOfferStackId, offerId, orderBumpId, upsellId, downsellId, checkoutRevisionId, referralClickId, postPurchaseDecisionId, agentActionId
Write boundary: A confirmed sandbox checkout start can include the seeded primary offer, constrained order bump, and optional referral-click attribution evidence; trusted checkout state can record non-billing upsell/downsell follow-up decisions; live billing, price mutation, fulfillment, commission writes, direct agent writes, and post-purchase charges require future confirmed-write APIs.
Product access source data
src/lib/product-access.ts + src/lib/product-entitlement-inspection.ts + src/lib/customer-product-entitlements.ts + src/lib/product-download-tokens.ts + src/lib/product-asset-uploads.ts + src/lib/product-protected-content.ts
Stable IDs: productId, assetId, accessRuleId, entitlementTemplateId, productEntitlementInspectionId, customerProductEntitlementLookupId, productDownloadTokenId, productAssetUploadIntentId, productEntitlementRevocationIntentId, productProtectedContentId, productProtectedContentDeliveryId, subscriptionPlanId, subscriptionMembershipAccessId, fulfillmentId, agentActionId
Write boundary: Trusted paid sandbox webhooks can grant idempotent entitlement rows for seeded checkout line items; trusted Stripe Billing subscription webhooks can sync checkout-linked membership access while state is active or trialing and pause it when subscription state is canceled, unpaid, incomplete_expired, or deleted; verified owners can inspect private entitlement rows, owner-confirmed non-destructive revocation intents, and protected content readiness in /admin/products; customers can inspect checkout-intent-scoped entitlement status, create short-lived download tokens that stream a seeded private R2 fixture without buyer or provider identifiers, and read seeded protected course/member fixture bodies only after active-entitlement and trusted-checkout checks; verified owners can create small private asset upload records after exact confirmation, idempotency, and catalog revision checks, and record non-destructive revocation intents after exact confirmation, idempotency, and stale entitlement status checks; product creation, customer delivery of arbitrary uploads, signed object URLs, destructive revocation, live fulfillment automation, Customer Portal actions, and private content writes require future authenticated confirmed-write APIs.
Customer product entitlement lookup
src/lib/customer-product-entitlements.ts
Stable IDs: checkoutIntentId, productEntitlementId, productId, entitlementTemplateId, fulfillmentTaskId
Write boundary: This is a read-only checkout-intent-scoped lookup; signed downloads, protected lessons, buyer identity, entitlement mutation, destructive revocation, and live fulfillment require future authenticated confirmed-write APIs.
Subscription membership access state
src/lib/product-entitlements.ts + D1 billing_subscriptions and product_entitlements
Stable IDs: subscriptionMembershipAccessId, checkoutIntentId, productEntitlementId, subscriptionPlanId, productId, entitlementTemplateId
Write boundary: This is read-only subscription-backed membership access evidence. It does not create or mutate Stripe subscriptions, open Customer Portal sessions, expose raw Stripe IDs, deliver member posts/files, change pricing, or perform direct agent billing writes.
Private R2 product download token
src/lib/product-download-tokens.ts
Stable IDs: checkoutIntentId, productEntitlementId, productDownloadTokenId, assetId
Write boundary: This creates a short-lived token and streams a seeded private R2-backed fixture through Bumpgrade after revalidating current entitlement status, checkout intent linkage, trusted checkout state, and asset scope; protected content, arbitrary asset uploads, destructive revocation, subscription access, and live fulfillment automation require future authenticated confirmed-write APIs.
Protected product content delivery fixture
src/lib/product-protected-content.ts
Stable IDs: checkoutIntentId, productEntitlementId, productProtectedContentId, productId, entitlementTemplateId
Write boundary: This route returns seeded protected fixture bodies for eligible checkout-linked entitlements only. It is not direct public agent write access, arbitrary private upload delivery, signed object URL access, progress tracking, subscription mutation, destructive revocation, or live fulfillment automation.
Admin product entitlements
D1 tables product_entitlements, product_fulfillment_tasks, product_entitlement_revocation_intents, product_protected_content_sections, checkout_intents, commerce_products, and commerce_prices
Stable IDs: productId, entitlementTemplateId, productEntitlementId, productEntitlementRevocationIntentId, productProtectedContentId, fulfillmentTaskId, checkoutIntentId, ownerUserId
Write boundary: This owner page can inspect entitlement rows and record non-destructive revocation intent evidence without removing access; protected fixture body delivery happens only through checkout-intent scoped customer checks. Signed object URLs, arbitrary uploaded content delivery, destructive revocation, subscription access changes, refunds, customer portals, private asset delivery, and direct public agent entitlement writes require future confirmed-write APIs.
Owner private product asset upload intent
D1 table product_asset_uploads and PRODUCT_ASSETS R2 binding
Stable IDs: productAssetUploadIntentId, productId, assetId, ownerUserId, idempotencyKey, catalogRevisionId
Write boundary: This owner-session API stores small private payloads in PRODUCT_ASSETS and records redacted upload metadata in D1 after exact confirmation, idempotency, and catalog revision checks. It does not make uploaded assets customer-deliverable, create signed URLs, expose object keys, mutate entitlements, or allow unauthenticated/direct public agent writes.
Owner product revocation intent
D1 table product_entitlement_revocation_intents
Stable IDs: productEntitlementRevocationIntentId, productEntitlementId, productId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted revocation intent metadata in D1 after exact confirmation, idempotency, and stale entitlement status checks. It does not revoke access, mutate entitlement status, issue refunds, change subscriptions, notify customers, expose private reason text, or allow unauthenticated/direct public agent writes.
Audience automation source data
src/lib/audience-automation.ts + src/lib/audience-subscribers.ts + src/lib/audience-broadcasts.ts + src/lib/audience-imports.ts + src/lib/audience-exports.ts + src/lib/audience-sequence-readiness.ts
Stable IDs: subscriberId, subscriberInspectionId, subscriberSegmentId, optInFormId, leadMagnetId, subscriberTagId, emailSequenceId, sequenceEnrollmentPauseId, sequenceDeliveryReadinessId, automationRuleId, broadcastDraftId, broadcastReadinessId, consentRecordId, suppressionEntryId, timelineEntryId, agentActionId, broadcastScheduleIntentId, broadcastPreviewSafetyId, broadcastQueueReadinessId, broadcastDeliveryBatchId, broadcastDeliveryQueueMessageId, broadcastDispatchPreflightId, broadcastDispatchAttemptId, broadcastSenderDomainReadinessId, broadcastProviderEventReadinessId, broadcastProviderRateLimitReadinessId, broadcastProviderResponseReadinessId, broadcastSendPayloadReadinessId, broadcastQueueProducerReadinessId, broadcastQueueConsumerReadinessId, audienceImportIntentId, audienceImportPreflightId, audienceExportReadinessId
Write boundary: Public visitors can submit the seeded opt-in form with explicit consent and can record unsubscribe/suppression evidence without exposing list membership; known subscriber unsubscribe also pauses draft sequence enrollment state while public responses stay membership-safe. Verified owners can inspect private subscriber rows, create private CRM notes, view aggregate sequence delivery readiness, broadcast readiness, preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, redacted import intents, redacted import preflights, and aggregate export readiness, and record dry-run schedule intents, delivery batches, queue-message evidence, dispatch preflight evidence, dispatch attempt receipts, non-destructive import intents, and aggregate import preflights in /admin/audience; real contact imports, real sequence scheduling, real email delivery, private exports, export file creation, direct agent subscriber writes, private DNS/provider setup, provider webhooks, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs require future confirmed-write APIs.
Owner broadcast schedule dry-run intent
D1 tables audience_broadcast_schedule_intents, audience_broadcast_drafts, audience_subscribers, audience_consent_events, and audience_suppression_entries
Stable IDs: broadcastScheduleIntentId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundary: This owner-session API records dry-run broadcast schedule intent metadata only. It does not send email, create send queue rows, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, and audit requirements.
Owner broadcast delivery batch dry run
D1 tables audience_broadcast_delivery_batches, audience_broadcast_schedule_intents, audience_broadcast_drafts, audience_broadcast_preview_safety, and audience_broadcast_queue_readiness
Stable IDs: broadcastDeliveryBatchId, broadcastScheduleIntentId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundary: This owner-session API records aggregate delivery-batch dry-run metadata only. It does not send email, create recipient payloads, enqueue provider messages, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, and audit requirements.
Owner broadcast delivery queue message dry run
D1 tables audience_broadcast_delivery_queue_messages, audience_broadcast_delivery_batches, audience_broadcast_drafts, and audience_broadcast_queue_readiness
Stable IDs: broadcastDeliveryQueueMessageId, broadcastDeliveryBatchId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundary: This owner-session API records aggregate queue-message dry-run metadata only. It does not send email, dispatch Cloudflare Queue messages, create recipient payloads, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, dispatch, and audit requirements.
Owner broadcast dispatch preflight dry run
D1 tables audience_broadcast_dispatch_preflights, audience_broadcast_delivery_queue_messages, audience_broadcast_drafts, and audience_broadcast_queue_readiness
Stable IDs: broadcastDispatchPreflightId, broadcastDeliveryQueueMessageId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundary: This owner-session API records aggregate dispatch preflight dry-run metadata only. It does not send email, dispatch Cloudflare Queue messages, create recipient payloads, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, queue-dispatch, and audit requirements.
Owner broadcast dispatch attempt receipt
D1 tables audience_broadcast_dispatch_attempts, audience_broadcast_dispatch_preflights, audience_broadcast_drafts, and audience_broadcast_queue_readiness
Stable IDs: broadcastDispatchAttemptId, broadcastDispatchPreflightId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundary: This owner-session API records aggregate dispatch attempt receipt metadata only. It does not send email, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, queue-dispatch, and audit requirements.
Audience unsubscribe suppression
D1 table audience_suppression_entries, subscriber status in audience_subscribers, and paused rows in audience_sequence_enrollments
Stable IDs: suppressionEntryId, sequenceEnrollmentPauseId, idempotencyKey
Write boundary: This public API records hashed unsubscribe/suppression evidence, marks known subscribers unsubscribed, and pauses known draft sequence enrollments without revealing list membership. It does not send email, export subscribers, expose suppression hashes or reasons publicly, include sequence state in public responses, or authorize direct agent subscriber management.
Owner audience CRM timeline note
D1 table audience_timeline_entries
Stable IDs: timelineEntryId, subscriberId, ownerUserId, idempotencyKey
Write boundary: This owner-session API stores private audience timeline notes after exact confirmation, idempotency, and expected subscriber-status checks. It does not expose note bodies publicly, import contacts, send email, schedule broadcasts, export private data, or authorize unauthenticated/direct public agent writes.
Owner audience import intent
D1 table audience_import_intents
Stable IDs: audienceImportIntentId, workspaceId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted import intent metadata in D1 after exact confirmation, idempotency, and workspace stale-state checks. It does not import contacts, create subscribers, store raw emails or contact rows, enroll sequences, send email, expose private notes, or allow unauthenticated/direct public agent subscriber writes.
Owner audience import preflight
D1 tables audience_import_preflights and audience_import_intents
Stable IDs: audienceImportPreflightId, audienceImportIntentId, workspaceId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted import preflight evidence in D1 after exact confirmation, idempotency, workspace stale-state checks, selected import-intent source checks, and aggregate count validation. It does not import contacts, create subscribers, store raw emails or contact rows, enroll sequences, export private data, send email, expose private notes, or allow unauthenticated/direct public agent subscriber writes.
Admin audience subscribers
D1 tables audience_subscribers, audience_consent_events, audience_tag_assignments, audience_sequence_enrollments, audience_suppression_entries, audience_timeline_entries, audience_import_intents, and audience_import_preflights
Stable IDs: subscriberId, subscriberSegmentId, subscriberTagId, emailSequenceId, sequenceDeliveryReadinessId, consentRecordId, suppressionEntryId, timelineEntryId, audienceImportIntentId, audienceImportPreflightId, audienceExportReadinessId, ownerUserId
Write boundary: This owner page can create private CRM notes through the owner note API, record non-destructive import intents through the import intent API, record aggregate import preflights through the import preflight API, and inspect aggregate sequence delivery and export readiness; real imports, sequence scheduling, sends, broadcasts, private exports, export file creation, CRM automation, and direct agent subscriber writes require future confirmed-write APIs.
Analytics and experiments source data
src/lib/analytics-experiments.ts + src/lib/analytics-conversion-report.ts
Stable IDs: analyticsEventId, analyticsEventIngestionId, analyticsPageViewBeaconId, analyticsEventVariantAggregateId, analyticsEventSourceAggregateId, experimentAssignmentId, analyticsExperimentDecisionId, analyticsReportExportId, analyticsReportExportSectionId, analyticsCohortFixtureId, analyticsCohortComparisonId, analyticsCohortReviewId, analyticsCohortReviewStatus, analyticsAlertThresholdId, analyticsAnomalyReviewId, analyticsAnomalyReviewStatus, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsNotificationReadinessStatus, analyticsNotificationInboxRecordId, analyticsNotificationInboxStatus, analyticsNotificationDispatchPreflightId, analyticsNotificationDispatchPreflightStatus, analyticsNotificationProviderDomainReadinessId, analyticsNotificationProviderDomainReadinessStatus, analyticsNotificationProviderDomainReadinessDisposition, analyticsNotificationContentConsentReadinessId, analyticsNotificationContentConsentReadinessStatus, analyticsNotificationContentConsentReadinessDisposition, analyticsNotificationSendPayloadReadinessId, analyticsNotificationSendPayloadReadinessStatus, analyticsNotificationSendPayloadReadinessDisposition, analyticsNotificationQueueProducerReadinessId, analyticsNotificationQueueProducerReadinessStatus, analyticsNotificationQueueProducerReadinessDisposition, analyticsNotificationQueueConsumerReadinessId, analyticsNotificationQueueConsumerReadinessStatus, analyticsNotificationQueueConsumerReadinessDisposition, analyticsNotificationProviderCallReadinessId, analyticsNotificationProviderCallReadinessStatus, analyticsNotificationProviderCallReadinessDisposition, analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationDeliveryAttemptReadinessStatus, analyticsNotificationDeliveryAttemptReadinessDisposition, analyticsNotificationDeliveryResultReadinessId, analyticsNotificationDeliveryResultReadinessStatus, analyticsNotificationDeliveryResultReadinessDisposition, analyticsNotificationDeliveryStatusWebhookReadinessId, analyticsNotificationDeliveryStatusWebhookReadinessStatus, analyticsNotificationDeliveryStatusWebhookReadinessDisposition, analyticsNotificationProviderPollingReadinessId, analyticsNotificationProviderPollingReadinessStatus, analyticsNotificationProviderPollingReadinessDisposition, analyticsNotificationReceiptPayloadReadinessId, analyticsNotificationReceiptPayloadReadinessStatus, analyticsNotificationReceiptPayloadReadinessDisposition, analyticsNotificationDeliveryReceiptReadinessId, analyticsNotificationDeliveryReceiptReadinessStatus, analyticsNotificationDeliveryReceiptReadinessDisposition, analyticsNotificationProviderStatusReconciliationReadinessId, analyticsNotificationProviderStatusReconciliationReadinessStatus, analyticsNotificationProviderStatusReconciliationReadinessDisposition, analyticsFunnelConversionReportId, utmSource, utmMedium, utmCampaign, referrerHost, metricId, funnelStepMetricId, experimentId, variantId, assignmentRuleId, reportId, agentActionId
Write boundary: Seeded analytics events, browser-side seeded funnel page-view beacons with deterministic variant evidence and normalized source attribution, seeded experiment assignments, owner-confirmed notification inbox records from issue #271, owner-confirmed notification dispatch preflights from issue #284, owner-reviewed provider/domain readiness records from issue #286, owner-reviewed content/consent readiness records from issue #288, owner-reviewed send-payload readiness records from issue #290, owner-reviewed queue-producer readiness records from issue #292, owner-reviewed queue-consumer readiness records from issue #294, owner-reviewed provider-call readiness records from issue #297, owner-reviewed delivery-attempt readiness records from issue #299, owner-reviewed delivery-result readiness records from issue #301, owner-reviewed delivery-status-webhook readiness records from issue #303, owner-reviewed provider-polling readiness records from issue #305, owner-reviewed receipt-payload readiness records from issue #307, owner-reviewed delivery-receipt readiness records from issue #309, owner-reviewed provider-status reconciliation readiness records from issue #311, and owner-confirmed experiment decision evidence can be captured with idempotency, source-route validation, aggregate count checks, and bot/preview suppression; fixed-window aggregate funnel conversion reports, dashboard-visible aggregate source counts, aggregate variant counts, aggregate report export metadata, owner-reviewed cohort comparison evidence from issue #265, owner-reviewed alert threshold/anomaly-review evidence from issue #267, owner-reviewed notification delivery readiness evidence from issue #269, and redacted decision counts can be read from captured test events. Cookie assignment, contact analytics, raw campaign/referrer reporting, raw analytics exports, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, provider polling, provider status reconciliation, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, Queue producer execution, Queue consumer execution, queue messages, queue message consumption, queue acknowledgements, retry/dead-letter rows, queue payload body reads, queue payload bodies, recipient payloads, personalized bodies, raw payload bodies, body templates, unsubscribe URLs, customer alerts, custom events, experiment traffic routing, automated winners, and direct public agent decision writes require future confirmed-write APIs.
Owner analytics experiment decision
D1 table analytics_experiment_decisions plus analytics_events and analytics_experiment_assignments aggregates
Stable IDs: analyticsExperimentDecisionId, analyticsDashboardId, experimentId, variantId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted experiment decision evidence in D1 after exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate count validation, and sample-size caveat acknowledgement. It does not route traffic, assign cookies, select automated winners, expose raw event rows, expose raw assignment rows, expose contact analytics, make revenue claims, or allow unauthenticated/direct public agent experiment writes. Issue #261 tracks this slice.
Owner analytics notification inbox record
D1 table analytics_notification_inbox_records plus analytics source-data readiness evidence
Stable IDs: analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification inbox evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It creates owner-visible inbox records only; it does not send email, dispatch queues, alert customers, expose recipients, expose email bodies, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #271 tracks this slice.
Owner analytics notification dispatch preflight
D1 table analytics_notification_dispatch_preflight_records plus analytics notification inbox/readiness source-data evidence
Stable IDs: analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification dispatch preflight evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox record checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible dispatch preflight evidence only; it does not send email, call providers, dispatch queues, alert customers, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #284 tracks this slice.
Owner analytics notification provider/domain readiness
D1 table analytics_notification_provider_domain_readiness_records plus analytics notification dispatch-preflight/readiness source-data evidence
Stable IDs: analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification provider/domain readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider/domain readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #286 tracks this slice.
Owner analytics notification content/consent readiness
D1 table analytics_notification_content_consent_readiness_records plus analytics notification provider-domain/readiness source-data evidence
Stable IDs: analyticsNotificationContentConsentReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification content/consent readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible body-template, unsubscribe, rate-limit, audit-correlation, and retention readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #288 tracks this slice.
Owner analytics notification send-payload readiness
D1 table analytics_notification_send_payload_readiness_records plus analytics notification content-consent/readiness source-data evidence
Stable IDs: analyticsNotificationSendPayloadReadinessId, analyticsNotificationContentConsentReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification send-payload readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current content/consent readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible payload-shape, unsubscribe-footer, consent/suppression recheck, recipient-scope, audit-correlation, and retention readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, create queue messages, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #290 tracks this slice.
Owner analytics notification queue-producer readiness
D1 table analytics_notification_queue_producer_readiness_records plus analytics notification send-payload/readiness source-data evidence
Stable IDs: analyticsNotificationQueueProducerReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification queue-producer readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible Queue binding, producer-mode, idempotency-policy, retry/dead-letter-policy, consumer-dependency, backpressure, audit-correlation, and retention readiness evidence only; it does not send email, enable Queue producers, create Queue messages, create Queue payload bodies, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #292 tracks this slice.
Owner analytics notification queue-consumer readiness
D1 table analytics_notification_queue_consumer_readiness_records plus analytics notification queue-producer/readiness source-data evidence
Stable IDs: analyticsNotificationQueueConsumerReadinessId, analyticsNotificationQueueProducerReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification queue-consumer readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current queue-producer readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible Queue binding, consumer-mode, producer-dependency, payload-read-policy, ack-policy, retry/dead-letter-policy, provider-handoff-dependency, idempotency-policy, backpressure, audit-correlation, and retention readiness evidence only; it does not send email, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #294 tracks this slice.
Owner analytics notification provider-call readiness
D1 table analytics_notification_provider_call_readiness_records plus analytics notification queue-consumer/readiness source-data evidence
Stable IDs: analyticsNotificationProviderCallReadinessId, analyticsNotificationQueueConsumerReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification provider-call readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current queue-consumer readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-call dependency readiness only; it does not send email, enable provider sends or calls, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #297 tracks this slice.
Owner analytics notification delivery-attempt readiness
D1 table analytics_notification_delivery_attempt_readiness_records plus analytics notification provider-call/readiness source-data evidence
Stable IDs: analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationProviderCallReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification delivery-attempt readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current provider-call readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-attempt dependency readiness only; it does not send email, enable provider sends or calls, attempt delivery, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #299 tracks this slice.
Owner analytics notification delivery-result readiness
D1 table analytics_notification_delivery_result_readiness_records plus analytics notification delivery-attempt/readiness source-data evidence
Stable IDs: analyticsNotificationDeliveryResultReadinessId, analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification delivery-result readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-attempt readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-result boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #301 tracks this slice.
Owner analytics notification delivery-status webhook readiness
D1 table analytics_notification_delivery_status_webhook_readiness_records plus analytics notification delivery-result/readiness source-data evidence
Stable IDs: analyticsNotificationDeliveryStatusWebhookReadinessId, analyticsNotificationDeliveryResultReadinessId, analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification delivery-status webhook readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-result readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-status webhook boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #303 tracks this slice.
Owner analytics notification provider-polling readiness
D1 table analytics_notification_provider_polling_readiness_records plus analytics notification delivery-status-webhook/readiness source-data evidence
Stable IDs: analyticsNotificationProviderPollingReadinessId, analyticsNotificationDeliveryStatusWebhookReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification provider-polling readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-status-webhook readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-polling boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #305 tracks this slice.
Owner analytics notification receipt-payload readiness
D1 table analytics_notification_receipt_payload_readiness_records plus analytics notification provider-polling/readiness source-data evidence
Stable IDs: analyticsNotificationReceiptPayloadReadinessId, analyticsNotificationProviderPollingReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification receipt-payload readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current provider-polling readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible receipt-payload boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #307 tracks this slice.
Owner analytics notification delivery-receipt readiness
D1 table analytics_notification_delivery_receipt_readiness_records plus analytics notification receipt-payload/readiness source-data evidence
Stable IDs: analyticsNotificationDeliveryReceiptReadinessId, analyticsNotificationReceiptPayloadReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification delivery-receipt readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current receipt-payload readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-receipt boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #309 tracks this slice.
Owner analytics notification provider-status reconciliation readiness
D1 table analytics_notification_provider_status_reconciliation_readiness_records plus analytics notification delivery-receipt/readiness source-data evidence
Stable IDs: analyticsNotificationProviderStatusReconciliationReadinessId, analyticsNotificationDeliveryReceiptReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted notification provider-status reconciliation readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-receipt readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-status reconciliation boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, reconcile provider statuses, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #311 tracks this slice.
Affiliate and referral source data
src/lib/affiliate-referrals.ts
Stable IDs: affiliateProgramId, affiliatePartnerId, affiliatePartnerReportId, payoutPreparationId, payoutPreparationRecordId, payoutPreparationRecordStatus, fraudReviewRecordId, fraudReviewRecordStatus, partnerNotificationReadinessRecordId, partnerNotificationReadinessRecordStatus, partnerNotificationSendPreflightRecordId, partnerNotificationSendPreflightRecordStatus, partnerNotificationProviderReadinessRecordId, partnerNotificationProviderReadinessRecordStatus, referralLinkId, referralClickId, checkoutIntentId, referralAttributionId, reviewOnlyCommissionLedgerId, commissionReviewActionId, attributionRuleId, commissionRuleId, commissionLedgerId, payoutBatchId, reviewFlagId, auditEventId, agentActionId
Write boundary: Seeded referral clicks can be captured with idempotency and destination-route validation, eligible clicks can be attached to sandbox checkout intents as evidence, trusted checkout attribution can create review-only commission ledger evidence, owner sessions can review, hold, or reverse that evidence, public-safe partner reports can be read, read-only payout preparation can be inspected, and owner sessions can record payout preparation, fraud review, partner notification readiness, partner notification send preflight, and notification provider readiness evidence; cookie assignment, buyer attribution finalization, payable commission writes, direct agent review writes, fraud enforcement, payout actions, tax collection, private partner portals, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, and queue dispatch require future confirmed-write APIs.
Owner affiliate payout preparation record API
src/lib/affiliate-payout-preparation-records.ts
Stable IDs: payoutPreparationRecordId, affiliateProgramId, payoutPreparationId, payoutBatchId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted affiliate payout preparation evidence in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, and payout evidence validation. It creates owner-visible preparation records only; it does not create payable commission state, Stripe payouts or transfers, payout accounts, tax records, partner notifications, fraud decisions, buyer data, raw ledger rows, or direct public agent payout writes. Issue #273 tracks this slice.
Owner affiliate fraud review record API
src/lib/affiliate-fraud-review-records.ts
Stable IDs: fraudReviewRecordId, affiliateProgramId, reviewFlagId, payoutPreparationId, payoutBatchId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted affiliate fraud review evidence in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, review-flag checks, and linked-ledger evidence validation. It creates owner-visible fraud review records only; it does not enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #275 tracks this slice.
Owner affiliate partner notification readiness record API
src/lib/affiliate-partner-notification-readiness-records.ts
Stable IDs: partnerNotificationReadinessRecordId, affiliateProgramId, affiliatePartnerReportId, affiliatePartnerId, payoutPreparationId, payoutBatchId, reviewFlagId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted affiliate partner notification readiness evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, review-flag checks, and linked-ledger evidence validation. It creates owner-visible readiness records only; it does not send partner notifications, call providers, create queue rows, expose recipient emails or message bodies, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #277 tracks this slice.
Owner affiliate partner notification send preflight record API
src/lib/affiliate-partner-notification-send-preflight-records.ts
Stable IDs: partnerNotificationSendPreflightRecordId, partnerNotificationReadinessRecordStatus, affiliateProgramId, affiliatePartnerReportId, affiliatePartnerId, payoutPreparationId, payoutBatchId, reviewFlagId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted affiliate partner notification send preflight evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, review-flag checks, linked-ledger evidence validation, and provider-send-disabled checks. It creates owner-visible send preflight records only; it does not send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails or message bodies, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #279 tracks this slice.
Owner affiliate partner notification provider readiness record API
src/lib/affiliate-partner-notification-provider-readiness-records.ts
Stable IDs: partnerNotificationProviderReadinessRecordId, partnerNotificationSendPreflightRecordStatus, affiliateProgramId, affiliatePartnerReportId, affiliatePartnerId, payoutPreparationId, payoutBatchId, reviewFlagId, ownerUserId, idempotencyKey
Write boundary: This owner-session API records redacted affiliate partner notification provider readiness evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, send preflight record status checks, review-flag checks, linked-ledger evidence validation, provider-configuration-disabled checks, provider-secret-redaction checks, sender-credential-redaction checks, and provider-send-disabled checks. It creates owner-visible provider readiness records only; it does not configure notification providers, store provider secrets, store sender credentials, send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails or message bodies, expose provider message IDs, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #281 tracks this slice.
Mobile admin contract
src/lib/mobile-admin.ts
Stable IDs: mobileJobId, mobileApiDependencyId, platformIssue, featureId
Write boundary: Mobile app writes remain read-only until a future confirmed-write API exists.
Live mobile admin dashboard source data
src/lib/mobile-admin-dashboard.ts
Stable IDs: mobileDashboardCardId, featureId, roadmapItemId, workLogEntryId, markAttentionId, agentReadContractId
Write boundary: Read-only public-safe digest; private mobile auth, push notifications, and confirmed mobile writes require future authenticated APIs.
iOS mobile admin source data
src/lib/mobile-admin-ios.ts and apps/mobile-admin
Stable IDs: platformIssue, fixturePath, smokeCommand, simulatorBundleId
Write boundary: The iOS slice is read-only until the shared confirmed-write API and mobile auth boundary exist.
Android mobile admin source data
src/lib/mobile-admin-android.ts and apps/mobile-admin
Stable IDs: platformIssue, fixturePath, smokeCommand, nativePackage, defaultAvd
Write boundary: The Android slice is read-only until the shared confirmed-write API and mobile auth boundary exist.