Agent docs

Bumpgrade is readable by agents without scraping private admin UI.

These docs map the public-safe routes, stable IDs, source evidence, MCP direction, and write rules that let Codex, ChatGPT, Claude, and other agents work from evidence instead of guesses.

Agent manifest

Status

Live read contractsIssue #12 publishes the current read surface and records MCP/write capabilities as planned contracts.

Docs

Agent-readable pages

Track issue #12
liveOpen

Agent docs index

Human and agent-friendly index for Bumpgrade read contracts, source evidence, MCP direction, and safety boundaries.

EvidenceIssue #12, public/llms.txt
liveOpen

Bumpgrade agent surface

Orientation for what agents can read, what is planned, and what requires owner credentials.

EvidenceIssue #12, /agent-docs/source-data
liveOpen

Bumpgrade commerce contract

Stripe sandbox, checkout, webhook, billing, and confirmed-write safety boundaries.

EvidenceIssue #11, Issue #34, /commerce/source-data
liveOpen

Bumpgrade source evidence

How public claims resolve to source IDs, URLs, issues, PRs, work-log entries, and caveats.

Evidence/compare/source-data, /features/source-data, /roadmap/source-data
liveOpen

Bumpgrade admin surfaces

Which admin pages require owner auth and which source-data routes are public-safe for agents.

Evidence/agent-docs/project-source-data, docs/agent/admin-surfaces.md
liveOpen

Bumpgrade MCP roadmap

First MCP resources and tools planned on top of the same public-safe contracts.

EvidenceIssue #12, docs/agent/agent-ready.md
liveOpen

Bumpgrade mobile admin contract

Shared iOS and Android publisher/admin app jobs, API dependencies, auth boundaries, and write-safety rules.

EvidenceIssue #414, Issue #13, Issue #67, Issue #68, Issue #153, Issue #155, Issue #157, /mobile-admin/source-data

Contracts

Stable read surfaces

Source data
publicRead

Feature catalog

src/lib/feature-catalog.ts

Stable IDsfeatureId, issue, status
Write boundaryFeature status changes must land through GitHub issue/PR work and admin work-log updates.
publicRead

Public roadmap

src/lib/roadmap.ts

Stable IDsroadmapItemId, featureId, issue, status
Write boundaryRoadmap moves require an issue/PR or approved admin append path, not chat-only edits.
publicRead

Competitor comparisons and source evidence

src/lib/comparison-data.ts

Stable IDscompetitorId, sourceId, seoTargetId
Write boundaryRefresh competitor claims from official sources before changing dated pricing, packaging, or feature claims.
publicRead

Competitor importers

src/lib/importers.ts

Stable IDsimporterPlatformId, competitorId, sourceId, importInputKind, importSourceChecklistItemId, importDraftEntity, importReviewAreaStatus, importReview, importRecords, extractedFields, subscriberImportDepth, subscriberImportPreflight, subscriberImportCreation, subscriberAudiencePromotion, privateSubscriberRecords, privateRecordReviewRoute, privateRecordReviewActionApiRoute, edit_extracted_field, record_subscriber_import_preflight, create_subscriber_import_records, promote_subscriber_import_records_to_audience, export_private_subscriber_records
Write boundaryImporter source-data is read-only. Platform-specific source checklists and export match templates describe what a prospect can bring before private plan creation. Public preflight review routes return redacted import maps, sourceChecklistReview status, exportFileAnalysis structure, and platformExportMatches without persisting records or echoing pasted source material, raw rows, raw file text, export file names, customer rows, credentials, sessions, or payment data. Private-draft importer APIs require a verified publisher session, exact confirmation, idempotency, and redacted responses; new private drafts persist safe importReview metadata with export analysis, platform export matches, and recognized match IDs only, then create private importRecords, safe extractedFields target plans, and subscriberImportDepth metadata for audience records without public source-data exposing private record content, raw values, raw contact rows, emails, names, sequence enrollments, sends, or exports. Private record review routes require the same verified publisher owner and can show safe structure plus saved private importer subscriber contact records after confirmed creation; public source-data, public preview routes, unauthenticated responses, and public agent contracts expose counts and redaction rules only. Private record review-action routes can mark records ready or needing cleanup, edit extracted field labels/status/prompts, record subscriberImportPreflight readiness/cleanup metadata, create private importer subscriber records from a confirmed fresh upload, add those saved contacts to the audience review list as imported_pending_review rows, and prepare an owner-only private subscriber CSV with redacted JSON responses and idempotency/confirmation evidence. Subscriber import creation stores private email/name data only in owner-scoped importer subscriber records and returns counts only; subscriberAudiencePromotion writes audience_subscribers and non-sending tag assignments, but creates no consent events, sequence enrollments, private exports, sends, or go-live effects. SubscriberPrivateExport returns private emails only in the same-owner CSV download; public source-data, unauthenticated responses, and JSON API responses expose counts and redaction rules only. Source URL and export file name duplicate review can reuse a matching private import plan. Private rollback routes archive importer-created plans and preserve saved plan content, structured import records, steps, and audit history, while public publishing, live checkout, subscriber sends, domains, fulfillment, account transfer, payment credential migration, and customer passwords remain outside this contract.
publicRead

Commerce contract

src/lib/commerce.ts and src/lib/sandbox-checkout.ts

Stable IDsproductId, priceId, checkoutIntentId, referralClickId, referralAttributionId, reviewOnlyCommissionLedgerId, commissionReviewActionId, postPurchaseDecisionId, auditCorrelationId
Write boundaryNon-billing post-purchase decisions can be recorded only for trusted checkout state; billing-impacting and payable commission writes require exact confirmation, idempotency, stale-state checks, audit correlation, owner review, and webhook evidence.
publicRead

Pricing policy and free-build gates

src/lib/pricing-plans.ts

Stable IDspricingPolicyId, freeBuildModeId, freeBuildCapabilityId, paidGoLiveGateId, pricingPlanSlug
Write boundaryAgents may read the pricing policy only. Saving anonymous structured playground state is browser-scoped, rate-limited per browser recovery workspace, and redacted; owner cleanup and scheduled Cloudflare cleanup expire recovery without exposing private content; claim creates or reuses the verified account's Free Build workspace and adds a private launch draft plus private offer/product/audience/importer-review records without replacing existing work; creating signed-in Free Build workspaces uses authenticated account setup APIs; publishing, charging buyers, sending email, connecting domains, and fulfillment changes require paid-plan flows.
publicRead

Anonymous playground recovery

src/lib/anonymous-playground.ts

Stable IDsanonymousPlaygroundId, anonymousPlaygroundRoute, anonymousPlaygroundGateId
Write boundaryAnonymous playground writes are limited to browser-scoped structured draft launch context, with rapid save limits per browser recovery workspace and no raw IP or user-agent storage. Cleanup requires an owner session and exact confirmation. Attaching a playground requires an authenticated, email-verified publisher account, reuses an existing private Free Build workspace when present, and adds only private funnel draft state and private claim records.
publicRead

Admin source-data bundle

D1 admin tables with fixture fallback in src/lib/admin-surface-data.ts

Stable IDsworkLogEntryId, userJourneyId, markAttentionId, roadmapItemId
Write boundaryHuman admin pages require Better Auth; agent writes need approved scripts or future confirmed APIs.
publicRead

Project roadmap source data

D1 admin roadmap rows with fixture fallback in src/lib/admin-surface-data.ts

Stable IDsroadmapItemId, featureId, issue
Write boundaryRoadmap changes still require GitHub issue/PR work, admin scripts, or future confirmed-write APIs.
publicRead

Project work-log source data

D1 admin work-log rows with fixture fallback in src/lib/admin-surface-data.ts

Stable IDsworkLogEntryId, roadmapItemId, featureId
Write boundaryWork-log changes still require approved scripts or future confirmed-write APIs.
publicRead

User journey source data

D1 admin user-journey rows with fixture fallback in src/lib/admin-surface-data.ts

Stable IDsuserJourneyId, featureId, roadmapItemId
Write boundaryUser-journey changes still require approved scripts or future confirmed-write APIs.
publicRead

Owner attention source data

D1 owner-attention rows with fixture fallback in src/lib/admin-surface-data.ts

Stable IDsmarkAttentionId, roadmapItemId, featureId
Write boundaryOwner-attention changes still require approved scripts, email follow-up, or future confirmed-write APIs.
publicRead

Director status dashboard

src/lib/director-status.ts over D1 admin records from src/lib/admin-surface-data.ts

Stable IDsdirectorWorkstreamId, directorWindowId, directorQueueLaneId, directorBriefingControlId, workLogEntryId, roadmapItemId, markAttentionId
Write boundaryThis route is a read-only summary. Status changes still require updating roadmap, work-log, owner-attention, issue, PR, or future confirmed-write records.
publicRead

Agent manifest

src/lib/agent-manifest.ts

Stable IDsreadContractId, mcpPlanId, agentDocId
Write boundaryThis route is read-only until confirmed-write agent APIs exist.
publicRead

Content surfaces

src/lib/content-surfaces.ts

Stable IDsaudienceSegmentId, audienceSegmentSlug, audienceSegmentRoute, resourceItemId, pricingPrincipleId, pricingTrackId, freeBuildModeId
Write boundaryContent changes must cite source-data routes, issues, or shipped evidence before public claims change.
publicRead

Customer proof and trust signals

src/lib/customer-proof.ts

Stable IDscustomerProofRecordId, customerProofPolicyId, customerProofSourceId
Write boundaryCustomer proof records require source evidence, owner approval, public consent, and a PR or issue before public rendering.
publicRead

Publisher account, subdomain, and custom-domain setup

src/lib/publisher-tenants.ts and D1 publisher tenant tables

Stable IDspublisherTenantId, publisherSubdomainReservationId, publisherCustomDomainId, publisherPlanEntitlementId, publisherFreeBuildWorkspaceId, publisherAuthBoundaryId, issue
Write boundaryFree Build workspace creation requires a signed-in, email-confirmed publisher with explicit confirmation, idempotency, audit correlation, and redacted outputs; subdomain reservation and custom-domain onboarding also require active paid-plan entitlement. Bumpgrade does not sell, register, renew, transfer, or price domains today.
publicRead

Funnel source data

src/lib/funnels.ts

Stable IDsfunnelId, funnelStepId, funnelBlockId, funnelTemplateId, funnelBlockTemplateId, funnelDraftBlockEditId, funnelDraftBlockVisualStyleId, funnelDraftBlockCanvasLayoutId, funnelDraftBlockReorderId, funnelDraftBlockCrossStepMoveId, funnelCheckoutLinkId, funnelResourceDeliveryLinkId, funnelResourceDeliveryTokenId, funnelResourceDeliveryReceiptId, funnelWebinarEventLinkId, funnelWebinarResourceTemplateId, funnelRevisionId, funnelDraftId, funnelDraftDuplicateId, funnelDraftArchiveId, funnelDraftPurgeId, funnelDraftBulkPurgeId, funnelDraftBlockStructureEditId, funnelAuditEventId, funnelPurgeEventId, agentFunnelDraftWriteId, agentFunnelDraftWriteOperationId, agentFunnelResourceDeliveryTokenId, auditCorrelationId, checkoutIntentId, checkoutOfferStackId, offerId, funnelCheckoutUnlinkId, productDeliveryGateLinkId, agentActionId
Write boundaryOwner-session seed/create/template-create/duplicate/update/reorder/block-edit/block-style/block-canvas-layout/block-add/block-remove/block-reorder/block-cross-step-move/checkout-link/checkout-unlink/resource-delivery-link/webinar-event-link/archive/purge/bulk-purge draft writes, including webinar/resource template-to-draft creation, granular block title/body editing with preserved block metadata, curated block visual style presets with preserved block metadata, bounded canvas layout values with preserved block metadata, block add/remove from the reusable block library with checkout-linked block protection, within-step block reordering that preserves checkout/resource/webinar metadata, drag/drop block placement that reuses the same move endpoint modes with fresh revisions, cross-step block moves that preserve block metadata while changing step membership, checkout unlinking with preserved block identity and copy, resource delivery linking to public-safe product/access catalog assets, webinar event/replay linking to public-safe external URLs, private draft preview, exact-confirmed public publishing, exact-confirmed archive/unpublish, exact-confirmed archived-draft purge, and exact-confirmed bulk archived-draft purge with per-draft tombstone evidence exist at /admin/funnels. The owner-session /api/agent/funnels/draft-writes JSON API now lets agents perform private block copy edits, curated visual style presets, bounded canvas layout writes, reusable block add/remove, checkout-offer linking, checkout unlinking, resource-delivery linking, webinar-event linking, within-step block reordering, cross-step block moves, private draft duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. The owner-session /api/agent/funnels/resource-delivery-tokens API can create a funnel-scoped resource delivery token for a published linked resource block after exact confirmation, idempotency, current published revision, checkout intent, entitlement, and audit correlation checks, with replays redacted because raw tokens are not stored. Successful redemption through the existing Bumpgrade download route records redacted resource-delivery receipt evidence with safe funnel, block, product, asset, and source metadata only. Agent style writes store only curated style IDs, canvas layout writes store only bounded x, y, width, height, and zIndex numbers, and both preserve block metadata. Direct agent block removal refuses checkout-linked blocks and keeps at least one block per step. Owner-confirmed direct agent publishing creates a public route mutation with archive-draft rollback and no billing mutation. Direct agent archived-draft purge and bulk archived-draft purge record tombstones before deleting already archived draft and step rows without deleting audit rows, product assets, R2 objects, buyer records, or billing state. Published linked checkout blocks can render the existing sandbox checkout start surface, published resource-linked blocks can render entitlement-safe resource access references and mint funnel-scoped private download tokens only when the submitted checkout intent and entitlement match the linked product and file asset, and published webinar-linked blocks can render external registration/replay references. Owner product delivery-gate writes are separate owner-authenticated product APIs that expose only aggregate funnel source-data. Direct agent template creation, unauthenticated public agent-created delivery tokens, non-archived purge, unauthenticated public agent publishing, live billing, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, and unbounded arbitrary CSS/script layout editing require future confirmed-write APIs.
owner-sessionRead

Admin draft funnels

D1 tables funnel_drafts, funnel_draft_steps, funnel_audit_events, and funnel_purge_events

Stable IDsfunnelDraftId, funnelDraftDuplicateId, funnelDraftArchiveId, funnelDraftPurgeId, funnelDraftBulkPurgeId, funnelCheckoutUnlinkId, funnelResourceDeliveryLinkId, funnelWebinarEventLinkId, funnelDraftBlockCanvasLayoutId, funnelDraftBlockReorderId, funnelDraftBlockCrossStepMoveId, funnelDraftBlockStructureEditId, funnelDraftBlockVisualStyleId, funnelDraftStepId, funnelDraftBlockId, funnelAuditEventId, funnelPurgeEventId, ownerUserId
Write boundaryThe POST endpoint can seed, create, create from templates including webinar/resource page shapes, duplicate, update, reorder, block-edit, block-style, block-canvas-layout, block-add, block-remove, block-reorder, block-cross-step-move, checkout-link, checkout-unlink, resource-delivery-link, webinar-event-link, publish, archive/unpublish, purge already archived private draft steps, and bulk purge selected archived private draft steps for an authenticated owner. Block edits update title/body copy only and preserve block IDs, block kinds, and checkout-link/resource-link/webinar-link metadata. Block style updates store only a curated visual style ID and preserve block IDs, kinds, copy, checkout-link metadata, resource-link metadata, webinar-link metadata, and audit evidence. Block canvas layout updates store only bounded x, y, width, height, and zIndex numbers and preserve the same block metadata. Block add/remove uses reusable block-library items and refuses checkout-linked block removal until checkout metadata is unlinked through the dedicated confirmed action. Block reorder moves existing blocks only within the same step and preserves block IDs, kinds, copy, checkout-link metadata, resource-link metadata, webinar-link metadata, and step membership. The /admin/funnels drag/drop UI reuses block-reorder and cross-step move endpoint modes with fresh revisions; it does not add a separate write contract. Cross-step block moves append a block to another step, refuse to empty the source step, and preserve block IDs, kinds, copy, checkout-link metadata, resource-link metadata, webinar-link metadata, and audit evidence. Checkout linking/unlinking, resource delivery linking, and webinar event/replay linking preserve block ID, kind, title, body, step order, and audit evidence. Archived drafts become read-only owner evidence; archived-draft purge and bulk archived-draft purge record tombstones before deleting draft and step rows and do not delete audit rows, product assets, R2 objects, buyer records, or billing state. The /api/agent/funnels/draft-writes endpoint gives owner-session agents a JSON contract for private block copy edits, curated visual style presets, bounded canvas layouts, reusable block add/remove, checkout-offer linking, checkout unlinking, resource-delivery linking, webinar-event linking, block reordering, cross-step block moves, private draft duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge only after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. Agent style writes store only curated style IDs, agent canvas layout writes store only bounded numbers, and both preserve block metadata. Direct agent block removal refuses checkout-linked blocks and keeps at least one block per step. Direct agent publishing creates a public route mutation with archive-draft rollback and no billing mutation. Direct agent archived purge returns a redacted tombstone summary, and bulk purge returns redacted per-draft tombstones. Private preview is owner-gated; non-archived purge, unauthenticated public agent-created delivery tokens, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, unbounded arbitrary CSS/script layout editing, direct agent template creation, and unauthenticated public agent publishing are not live.
owner-sessionRead

Owner agent-safe funnel draft write

src/app/api/agent/funnels/draft-writes/route.ts plus D1 funnel draft audit events

Stable IDsagentFunnelDraftWriteId, agentFunnelDraftWriteOperationId, funnelDraftId, funnelDraftBlockId, funnelDraftBlockCanvasLayoutId, funnelRevisionId, funnelAuditEventId, idempotencyKey, auditCorrelationId
Write boundaryThis owner-session API records direct agent-safe funnel draft writes after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. It can update private draft block copy, apply curated visual style presets, set bounded canvas layout values, link checkout/resource-delivery/webinar-event metadata, move blocks, duplicate a private draft, publish a draft, archive/unpublish a draft, purge an already archived draft, and bulk purge selected archived drafts. Publishing creates a public route mutation with archive-draft rollback and no billing mutation. Style writes store only known style IDs, canvas layout writes store only bounded x, y, width, height, and zIndex numbers, and neither accepts arbitrary CSS or scripts. Archived-draft purge records a tombstone before deleting draft and step rows and returns a redacted tombstone summary; bulk purge validates all selected archived drafts before deletion and returns redacted per-draft tombstones. It does not purge non-archived drafts, create unauthenticated public agent writes, mutate billing, expose arbitrary private R2 delivery, create signed URLs, run live webinar or fulfillment automation, or expose owner identity in responses. Issue #417 tracks this slice.
owner-sessionRead

Owner agent funnel resource delivery token

src/app/api/agent/funnels/resource-delivery-tokens/route.ts plus agent_funnel_resource_delivery_token_requests

Stable IDsagentFunnelResourceDeliveryTokenId, funnelId, funnelBlockId, funnelRevisionId, checkoutIntentId, productEntitlementId, productId, assetId, auditCorrelationId, idempotencyKey
Write boundaryThis owner-session API creates a short-lived funnel-scoped private download token for a published resource block after exact confirmation, idempotency, current published funnel revision, checkout intent, entitlement, and audit correlation checks. It delegates entitlement, product, asset, and private R2-token validation to the existing funnel and product download-token path. Replays return only redacted audit metadata because raw bearer tokens are not stored. It does not create unauthenticated public agent writes, mutate billing, expose arbitrary private R2 delivery, create signed URLs, run live fulfillment automation, mutate public routes, or expose owner identity in responses. Issue #417 tracks this slice.
publicRead

Checkout offer source data

src/lib/checkout-offers.ts

Stable IDscheckoutOfferStackId, offerId, orderBumpId, upsellId, downsellId, checkoutRevisionId, referralClickId, postPurchaseDecisionId, productDeliveryGateLinkId, agentActionId
Write boundaryA confirmed sandbox checkout start can include the seeded primary offer, constrained order bump, and optional referral-click attribution evidence; trusted checkout state can record non-billing upsell/downsell follow-up decisions; owner product delivery-gate links can connect test checkout links to the seeded offer/funnel path behind owner auth; live billing, price mutation, fulfillment, commission writes, direct agent writes, and post-purchase charges require future confirmed-write APIs.
publicRead

Product access source data

src/lib/product-access.ts + src/lib/product-creation.ts + src/lib/product-delivery-gates.ts + src/lib/product-offer-access.ts + src/lib/product-entitlement-inspection.ts + src/lib/customer-product-entitlements.ts + src/lib/product-download-tokens.ts + src/lib/product-asset-uploads.ts + src/lib/product-protected-content.ts

Stable IDsproductId, assetId, accessRuleId, entitlementTemplateId, productEntitlementInspectionId, customerProductEntitlementLookupId, productDownloadTokenId, productAssetUploadIntentId, productCreationIntentId, productOfferAccessGrantIntentId, productDeliveryGateLinkId, productEntitlementRevocationIntentId, productProtectedContentId, productProtectedContentDeliveryId, productPaymentPlanId, subscriptionPlanId, subscriptionMembershipAccessId, fulfillmentId, agentActionId
Write boundaryTrusted paid sandbox webhooks can grant idempotent entitlement rows for seeded checkout line items; trusted Stripe Billing subscription webhooks can sync checkout-linked membership access while state is active or trialing and pause it when subscription state is canceled, unpaid, incomplete_expired, or deleted; public source-data exposes seeded pay-in-full, installment, and subscription payment-plan read records without live amounts or provider IDs; verified owners can create draft products, create owner-created product test checkout links, link those links to seeded offer/funnel delivery gates, create owner-created product test offer/access grants, inspect private entitlement rows, owner-confirmed non-destructive revocation intents, and protected content readiness in /admin/products; customers can inspect checkout-intent-scoped entitlement status, create short-lived download tokens that stream a seeded private R2 fixture without buyer or provider identifiers, and read seeded protected course/member fixture bodies only after active-entitlement and trusted-checkout checks; verified owners can create small private asset upload records after exact confirmation, idempotency, and catalog revision checks, and record non-destructive revocation intents after exact confirmation, idempotency, and stale entitlement status checks; Stripe Price creation, live payment-plan checkout, customer delivery of arbitrary uploads, signed object URLs, destructive revocation, live offer/funnel publishing, live fulfillment automation, Customer Portal actions, and private content writes require future authenticated confirmed-write APIs.
publicRead

Customer product entitlement lookup

src/lib/customer-product-entitlements.ts

Stable IDscheckoutIntentId, productEntitlementId, productId, entitlementTemplateId, fulfillmentTaskId
Write boundaryThis is a read-only checkout-intent-scoped lookup; signed downloads, protected lessons, buyer identity, entitlement mutation, destructive revocation, and live fulfillment require future authenticated confirmed-write APIs.
publicRead

Subscription membership access state

src/lib/product-entitlements.ts + D1 billing_subscriptions and product_entitlements

Stable IDssubscriptionMembershipAccessId, checkoutIntentId, productEntitlementId, subscriptionPlanId, productId, entitlementTemplateId
Write boundaryThis is read-only subscription-backed membership access evidence. It does not create or mutate Stripe subscriptions, open Customer Portal sessions, expose raw Stripe IDs, deliver member posts/files, change pricing, or perform direct agent billing writes.
publicRead

Private R2 product download token

src/lib/product-download-tokens.ts

Stable IDscheckoutIntentId, productEntitlementId, productDownloadTokenId, assetId
Write boundaryThis creates a short-lived token and streams a seeded private R2-backed fixture through Bumpgrade after revalidating current entitlement status, checkout intent linkage, trusted checkout state, and asset scope; protected content, arbitrary asset uploads, destructive revocation, subscription access, and live fulfillment automation require future authenticated confirmed-write APIs.
publicRead

Published funnel resource delivery token

src/lib/funnel-resource-delivery.ts + src/lib/product-download-tokens.ts

Stable IDsfunnelId, funnelBlockId, funnelResourceDeliveryTokenId, funnelResourceDeliveryReceiptId, checkoutIntentId, productEntitlementId, productId, assetId
Write boundaryThis public API can mint a one-use Bumpgrade download route for a published D1 funnel resource/delivery block after checkout intent, entitlement, product, and file asset scope are revalidated. The owner-session agent route can create the same scoped token after exact confirmation, idempotency, audit correlation, and current published-revision checks. Successful download redemption records redacted receipt evidence with safe funnel, block, product, asset, and source metadata only. Neither route exposes private R2 keys, signed URLs, buyer data, raw funnel rows, raw entitlement rows, raw tokens, arbitrary uploaded assets, live fulfillment mutation, or unauthenticated public agent writes.
publicRead

Protected product content delivery fixture

src/lib/product-protected-content.ts

Stable IDscheckoutIntentId, productEntitlementId, productProtectedContentId, productId, entitlementTemplateId
Write boundaryThis route returns seeded protected fixture bodies for eligible checkout-linked entitlements only. It is not direct public agent write access, arbitrary private upload delivery, signed object URL access, progress tracking, subscription mutation, destructive revocation, or live fulfillment automation.
owner-sessionRead

Admin product entitlements

D1 tables product_entitlements, product_fulfillment_tasks, product_delivery_gate_links, product_entitlement_revocation_intents, product_protected_content_sections, checkout_intents, commerce_products, and commerce_prices

Stable IDsproductId, entitlementTemplateId, productEntitlementId, productDeliveryGateLinkId, productEntitlementRevocationIntentId, productProtectedContentId, fulfillmentTaskId, checkoutIntentId, ownerUserId
Write boundaryThis owner page can inspect entitlement rows, create owner product delivery-gate links, and record non-destructive revocation intent evidence without removing access; protected fixture body delivery happens only through checkout-intent scoped customer checks. Signed object URLs, arbitrary uploaded content delivery, destructive revocation, subscription access changes, refunds, customer portals, private asset delivery, and direct public agent entitlement writes require future confirmed-write APIs.
owner-sessionRead

Owner product test checkout link

D1 tables product_test_checkout_links, commerce_products, commerce_prices, and product_creation_intents

Stable IDsproductTestCheckoutLinkId, productId, testPriceId, ownerUserId, idempotencyKey, productUpdatedAt
Write boundaryThis owner-session API records a buyer-facing test checkout link for an owner-created product after exact confirmation, idempotency, and a current product updatedAt check. It does not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer copy, customer-facing fulfillment delivery, raw buyer exposure, or unauthenticated/direct public agent writes.
publicRead

Owner product public test checkout

D1 tables product_test_checkout_purchases, product_test_checkout_links, checkout_intents, product_entitlements, product_fulfillment_tasks, commerce_products, commerce_prices, and payment_audit_events

Stable IDsproductTestCheckoutPurchaseId, productTestCheckoutLinkId, productId, checkoutIntentId, productEntitlementId, fulfillmentTaskId, idempotencyKey, linkRevisionId
Write boundaryThis public test-link API creates a synthetic paid checkout intent, entitlement row, fulfillment task evidence, and audit evidence after exact confirmation, idempotency, and a current link revision check. It does not create Stripe Checkout Sessions, live charges, live offer/funnel publishing, arbitrary fulfillment delivery, raw buyer exposure, or unconfirmed agent writes.
owner-sessionRead

Owner product delivery-gate link

D1 tables product_delivery_gate_links, product_test_checkout_links, commerce_products, and product_creation_intents

Stable IDsproductDeliveryGateLinkId, productTestCheckoutLinkId, productId, checkoutOfferStackId, offerId, funnelId, ownerUserId, idempotencyKey, productUpdatedAt, linkRevisionId
Write boundaryThis owner-session API records a delivery-gate link between an owner-created product test checkout link and the seeded offer/funnel path after exact confirmation, idempotency, product stale-state, and link revision checks. It does not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer/funnel state, customer-facing fulfillment delivery, signed URLs, private R2 keys, raw buyer exposure, or unauthenticated/direct public agent writes.
owner-sessionRead

Owner product test offer/access grant

D1 tables product_offer_access_grant_intents, checkout_intents, product_entitlements, product_fulfillment_tasks, commerce_products, commerce_prices, and payment_audit_events

Stable IDsproductOfferAccessGrantIntentId, productId, offerId, funnelId, checkoutIntentId, productEntitlementId, fulfillmentTaskId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records test offer/funnel linkage, a synthetic paid checkout intent, an entitlement row, fulfillment task evidence, and audit evidence after exact confirmation and idempotency. It does not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer copy, customer-facing fulfillment delivery, raw buyer exposure, or unauthenticated/direct public agent writes.
owner-sessionRead

Owner private product asset upload intent

D1 table product_asset_uploads and PRODUCT_ASSETS R2 binding

Stable IDsproductAssetUploadIntentId, productId, assetId, ownerUserId, idempotencyKey, catalogRevisionId
Write boundaryThis owner-session API stores small private payloads in PRODUCT_ASSETS and records redacted upload metadata in D1 after exact confirmation, idempotency, and catalog revision checks. It does not make uploaded assets customer-deliverable, create signed URLs, expose object keys, mutate entitlements, or allow unauthenticated/direct public agent writes.
owner-sessionRead

Owner product revocation intent

D1 table product_entitlement_revocation_intents

Stable IDsproductEntitlementRevocationIntentId, productEntitlementId, productId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted revocation intent metadata in D1 after exact confirmation, idempotency, and stale entitlement status checks. It does not revoke access, mutate entitlement status, issue refunds, change subscriptions, notify customers, expose private reason text, or allow unauthenticated/direct public agent writes.
publicRead

Audience automation source data

src/lib/audience-automation.ts + src/lib/audience-subscribers.ts + src/lib/audience-broadcasts.ts + src/lib/audience-imports.ts + src/lib/audience-exports.ts + src/lib/audience-sequence-readiness.ts + src/lib/audience-sequence-dispatch-preflights.ts + src/lib/audience-sequence-dispatch-attempts.ts + src/lib/audience-sequence-queue-producer-readiness.ts + src/lib/audience-sequence-queue-consumer-readiness.ts + src/lib/audience-sequence-provider-call-readiness.ts + src/lib/audience-sequence-delivery-attempt-readiness.ts + src/lib/audience-sequence-delivery-result-readiness.ts + src/lib/audience-sequence-delivery-status-webhook-readiness.ts + src/lib/audience-sequence-provider-polling-readiness.ts + src/lib/audience-sequence-receipt-payload-readiness.ts

Stable IDssubscriberId, subscriberInspectionId, subscriberSegmentId, optInFormId, leadMagnetId, subscriberTagId, emailSequenceId, sequenceEnrollmentPauseId, sequenceDeliveryReadinessId, sequenceScheduleIntentId, sequenceDeliveryBatchId, sequenceDeliveryQueueMessageId, sequenceDispatchPreflightId, sequenceDispatchAttemptId, sequenceQueueProducerReadinessId, sequenceQueueConsumerReadinessId, sequenceProviderCallReadinessId, sequenceDeliveryAttemptReadinessId, sequenceDeliveryResultReadinessId, sequenceDeliveryStatusWebhookReadinessId, sequenceProviderPollingReadinessId, sequenceReceiptPayloadReadinessId, sequenceTestSendId, automationRuleId, broadcastDraftId, broadcastReadinessId, consentRecordId, suppressionEntryId, timelineEntryId, agentActionId, broadcastScheduleIntentId, broadcastPreviewSafetyId, broadcastQueueReadinessId, broadcastDeliveryBatchId, broadcastDeliveryQueueMessageId, broadcastDispatchPreflightId, broadcastDispatchAttemptId, broadcastTestSendId, broadcastSenderDomainReadinessId, broadcastProviderEventReadinessId, broadcastProviderRateLimitReadinessId, broadcastProviderResponseReadinessId, broadcastSendPayloadReadinessId, broadcastQueueProducerReadinessId, broadcastQueueConsumerReadinessId, audienceImportIntentId, audienceImportPreflightId, audienceExportReadinessId
Write boundaryPublic visitors can submit the seeded opt-in form with explicit consent and can record unsubscribe/suppression evidence without exposing list membership; known subscriber unsubscribe also pauses draft sequence enrollment state while public responses stay membership-safe. Verified owners can inspect private subscriber rows, create private CRM notes, view aggregate sequence delivery readiness, sequence schedule-intent dry runs, sequence delivery-batch dry runs, sequence queue-message dry runs, sequence dispatch preflight dry runs, sequence dispatch attempt receipts, sequence Queue producer readiness, sequence Queue consumer readiness, sequence provider-call readiness, sequence delivery-attempt readiness, sequence delivery-result readiness, sequence delivery-status webhook readiness, owner-only sequence test sends, broadcast readiness, preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, owner-only broadcast test sends, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, redacted import intents, redacted import preflights, and aggregate export readiness, and record dry-run sequence schedule intents, sequence delivery batches, sequence queue-message evidence, sequence dispatch preflight evidence, sequence dispatch attempt receipts, sequence Queue producer readiness gates, sequence Queue consumer readiness gates, sequence provider-call readiness gates, sequence delivery-attempt readiness gates, sequence delivery-result readiness gates, sequence delivery-status webhook readiness gates, owner-only sequence test sends, broadcast schedule intents, delivery batches, queue-message evidence, dispatch preflight evidence, dispatch attempt receipts, owner-only broadcast test sends, non-destructive import intents, and aggregate import preflights in /admin/audience; real contact imports, subscriber email delivery, real sequence scheduling, broadcast blasts, private exports, export file creation, direct agent subscriber writes, private DNS/provider setup, provider webhooks, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider calls, delivery attempts, provider responses, provider message IDs, delivery results, webhooks, polling, and receipts require future confirmed-write APIs.
owner-sessionRead

Owner sequence schedule dry-run intent

D1 tables audience_sequence_schedule_intents, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceScheduleIntentId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records dry-run sequence schedule intent metadata only. It does not schedule sequence steps, create delivery queue rows, create recipient payloads, create personalized bodies, expose unsubscribe URLs, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, rate-limit, and audit requirements.
owner-sessionRead

Owner sequence delivery batch dry run

D1 tables audience_sequence_delivery_batches, audience_sequence_schedule_intents, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDeliveryBatchId, sequenceScheduleIntentId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate dry-run sequence delivery-batch metadata only. It does not schedule sequence steps, create delivery queue rows, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, rate-limit, and audit requirements.
owner-sessionRead

Owner sequence delivery queue-message dry run

D1 tables audience_sequence_delivery_queue_messages, audience_sequence_delivery_batches, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, sequenceScheduleIntentId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate dry-run sequence queue-message metadata only. It does not schedule sequence steps, create delivery queue rows, create Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, rate-limit, Queue producer, Queue consumer, and audit requirements.
owner-sessionRead

Owner sequence dispatch preflight dry run

D1 tables audience_sequence_dispatch_preflights, audience_sequence_delivery_queue_messages, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate dry-run sequence dispatch preflight metadata only. It does not schedule sequence steps, create delivery queue rows, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue producer, Queue consumer, and audit requirements.
owner-sessionRead

Owner sequence dispatch attempt receipt

D1 tables audience_sequence_dispatch_attempts, audience_sequence_dispatch_preflights, audience_sequence_delivery_queue_messages, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate dry-run sequence dispatch attempt receipt metadata only. It does not schedule sequence steps, create delivery queue rows, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue producer, Queue consumer, and audit requirements.
owner-sessionRead

Owner sequence Queue producer readiness

D1 tables audience_sequence_queue_producer_readiness, audience_sequence_dispatch_attempts, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence Queue producer readiness metadata only. It does not schedule sequence steps, create delivery queue rows, enable Cloudflare Queue producers, create Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue consumer, payload, and audit requirements.
owner-sessionRead

Owner sequence Queue consumer readiness

D1 tables audience_sequence_queue_consumer_readiness, audience_sequence_queue_producer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence Queue consumer readiness metadata only. It does not schedule sequence steps, create delivery queue rows, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue producer, payload, provider-handoff, and audit requirements.
owner-sessionRead

Owner sequence provider-call readiness

D1 tables audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceProviderCallReadinessId, sequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence provider-call readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue consumer, response, receipt, and audit requirements.
owner-sessionRead

Owner sequence delivery-attempt readiness

D1 tables audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDeliveryAttemptReadinessId, sequenceProviderCallReadinessId, sequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence delivery-attempt readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, response, receipt, and audit requirements.
owner-sessionRead

Owner sequence delivery-result readiness

D1 tables audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDeliveryResultReadinessId, sequenceDeliveryAttemptReadinessId, sequenceProviderCallReadinessId, sequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence delivery-result readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, webhook, receipt, and audit requirements.
owner-sessionRead

Owner sequence delivery-status webhook readiness

D1 tables audience_sequence_delivery_status_webhook_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceDeliveryStatusWebhookReadinessId, sequenceDeliveryResultReadinessId, sequenceDeliveryAttemptReadinessId, sequenceProviderCallReadinessId, sequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence delivery-status webhook readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, read or create webhook payloads, poll providers, create provider polling results, create receipt payloads, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, delivery-result, receipt, and audit requirements.
owner-sessionRead

Owner sequence provider-polling readiness

D1 tables audience_sequence_provider_polling_readiness, audience_sequence_delivery_status_webhook_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceProviderPollingReadinessId, sequenceDeliveryStatusWebhookReadinessId, sequenceDeliveryResultReadinessId, sequenceDeliveryAttemptReadinessId, sequenceProviderCallReadinessId, sequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence provider-polling readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, read or create webhook payloads, poll providers, read or create provider polling payloads, create provider polling results, create receipt payloads, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, delivery-result, delivery-status webhook, receipt, reconciliation, and audit requirements. Issue #378 tracks this slice.
owner-sessionRead

Owner sequence receipt-payload readiness

D1 tables audience_sequence_receipt_payload_readiness, audience_sequence_provider_polling_readiness, audience_sequence_delivery_status_webhook_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDssequenceReceiptPayloadReadinessId, sequenceProviderPollingReadinessId, sequenceDeliveryStatusWebhookReadinessId, sequenceDeliveryResultReadinessId, sequenceDeliveryAttemptReadinessId, sequenceProviderCallReadinessId, sequenceQueueConsumerReadinessId, sequenceQueueProducerReadinessId, sequenceDispatchAttemptId, sequenceDispatchPreflightId, sequenceDeliveryQueueMessageId, sequenceDeliveryBatchId, emailSequenceId, ownerUserId, idempotencyKey, expectedWorkspaceRevisionId
Write boundaryThis owner-session API records aggregate sequence receipt-payload readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, read or create webhook payloads, poll providers, read or create provider polling payloads, create provider polling results, create receipt payloads, create delivery receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, delivery-result, delivery-status webhook, provider-polling, delivery-receipt, reconciliation, and audit requirements. Issue #380 tracks this slice.
owner-sessionRead

Owner broadcast schedule dry-run intent

D1 tables audience_broadcast_schedule_intents, audience_broadcast_drafts, audience_subscribers, audience_consent_events, and audience_suppression_entries

Stable IDsbroadcastScheduleIntentId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundaryThis owner-session API records dry-run broadcast schedule intent metadata only. It does not send email, create send queue rows, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, and audit requirements.
owner-sessionRead

Owner broadcast delivery batch dry run

D1 tables audience_broadcast_delivery_batches, audience_broadcast_schedule_intents, audience_broadcast_drafts, audience_broadcast_preview_safety, and audience_broadcast_queue_readiness

Stable IDsbroadcastDeliveryBatchId, broadcastScheduleIntentId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundaryThis owner-session API records aggregate delivery-batch dry-run metadata only. It does not send email, create recipient payloads, enqueue provider messages, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, and audit requirements.
owner-sessionRead

Owner broadcast delivery queue message dry run

D1 tables audience_broadcast_delivery_queue_messages, audience_broadcast_delivery_batches, audience_broadcast_drafts, and audience_broadcast_queue_readiness

Stable IDsbroadcastDeliveryQueueMessageId, broadcastDeliveryBatchId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundaryThis owner-session API records aggregate queue-message dry-run metadata only. It does not send email, dispatch Cloudflare Queue messages, create recipient payloads, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, dispatch, and audit requirements.
owner-sessionRead

Owner broadcast dispatch preflight dry run

D1 tables audience_broadcast_dispatch_preflights, audience_broadcast_delivery_queue_messages, audience_broadcast_drafts, and audience_broadcast_queue_readiness

Stable IDsbroadcastDispatchPreflightId, broadcastDeliveryQueueMessageId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundaryThis owner-session API records aggregate dispatch preflight dry-run metadata only. It does not send email, dispatch Cloudflare Queue messages, create recipient payloads, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, queue-dispatch, and audit requirements.
owner-sessionRead

Owner broadcast dispatch attempt receipt

D1 tables audience_broadcast_dispatch_attempts, audience_broadcast_dispatch_preflights, audience_broadcast_drafts, and audience_broadcast_queue_readiness

Stable IDsbroadcastDispatchAttemptId, broadcastDispatchPreflightId, broadcastDraftId, ownerUserId, idempotencyKey, expectedDraftUpdatedAt
Write boundaryThis owner-session API records aggregate dispatch attempt receipt metadata only. It does not send email, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, queue-dispatch, and audit requirements.
owner-sessionRead

Owner sequence test send

D1 table audience_sequence_test_sends and /audience/source-data sequence readiness records

Stable IDssequenceTestSendId, emailSequenceId, emailSequenceStepId, ownerUserId, idempotencyKey, auditCorrelationId, expectedWorkspaceRevisionId
Write boundaryThis owner-session API sends the seeded sequence-step preview only to the verified owner-session email through the configured Cloudflare Email binding or test capture, then stores redacted D1 evidence. It does not send to subscribers, create recipient payloads, dispatch or consume Cloudflare Queue messages, expose raw recipient email, expose raw email body, create provider message IDs, authorize public agent sequence sends, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, Queue, provider-response, webhook, retry, and dead-letter requirements. Issue #420 tracks this slice.
owner-sessionRead

Owner broadcast test send

D1 table audience_broadcast_test_sends, audience_broadcast_drafts, and audience_broadcast_preview_safety

Stable IDsbroadcastTestSendId, broadcastDraftId, ownerUserId, idempotencyKey, auditCorrelationId, expectedDraftUpdatedAt
Write boundaryThis owner-session API sends the seeded broadcast preview only to the verified owner-session email through the configured Cloudflare Email binding or test capture, then stores redacted D1 evidence. It does not send to subscribers, create recipient payloads, dispatch Cloudflare Queue messages, expose raw recipient email, expose raw email body, create provider message IDs, authorize public agent broadcast sends, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, Queue, provider-response, webhook, retry, and dead-letter requirements. Issue #420 tracks this slice.
publicRead

Audience unsubscribe suppression

D1 table audience_suppression_entries, subscriber status in audience_subscribers, and paused rows in audience_sequence_enrollments

Stable IDssuppressionEntryId, sequenceEnrollmentPauseId, idempotencyKey
Write boundaryThis public API records hashed unsubscribe/suppression evidence, marks known subscribers unsubscribed, and pauses known draft sequence enrollments without revealing list membership. It does not send email, export subscribers, expose suppression hashes or reasons publicly, include sequence state in public responses, or authorize direct agent subscriber management.
owner-sessionRead

Owner audience CRM timeline note

D1 table audience_timeline_entries

Stable IDstimelineEntryId, subscriberId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API stores private audience timeline notes after exact confirmation, idempotency, and expected subscriber-status checks. It does not expose note bodies publicly, import contacts, send email, schedule broadcasts, export private data, or authorize unauthenticated/direct public agent writes.
owner-sessionRead

Owner audience import intent

D1 table audience_import_intents

Stable IDsaudienceImportIntentId, workspaceId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted import intent metadata in D1 after exact confirmation, idempotency, and workspace stale-state checks. It does not import contacts, create subscribers, store raw emails or contact rows, enroll sequences, send email, expose private notes, or allow unauthenticated/direct public agent subscriber writes.
owner-sessionRead

Owner audience import preflight

D1 tables audience_import_preflights and audience_import_intents

Stable IDsaudienceImportPreflightId, audienceImportIntentId, workspaceId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted import preflight evidence in D1 after exact confirmation, idempotency, workspace stale-state checks, selected import-intent source checks, and aggregate count validation. It does not import contacts, create subscribers, store raw emails or contact rows, enroll sequences, export private data, send email, expose private notes, or allow unauthenticated/direct public agent subscriber writes.
owner-sessionRead

Admin audience subscribers

D1 tables audience_subscribers, audience_consent_events, audience_tag_assignments, audience_sequence_enrollments, audience_sequence_schedule_intents, audience_sequence_delivery_batches, audience_sequence_delivery_queue_messages, audience_sequence_dispatch_preflights, audience_sequence_dispatch_attempts, audience_sequence_queue_producer_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_provider_call_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_status_webhook_readiness, audience_sequence_test_sends, audience_suppression_entries, audience_timeline_entries, audience_import_intents, and audience_import_preflights

Stable IDssubscriberId, subscriberSegmentId, subscriberTagId, emailSequenceId, sequenceDeliveryReadinessId, sequenceScheduleIntentId, sequenceDeliveryBatchId, sequenceDeliveryQueueMessageId, sequenceDispatchPreflightId, sequenceDispatchAttemptId, sequenceQueueProducerReadinessId, sequenceQueueConsumerReadinessId, sequenceProviderCallReadinessId, sequenceDeliveryAttemptReadinessId, sequenceDeliveryResultReadinessId, sequenceDeliveryStatusWebhookReadinessId, sequenceTestSendId, consentRecordId, suppressionEntryId, timelineEntryId, audienceImportIntentId, audienceImportPreflightId, audienceExportReadinessId, ownerUserId
Write boundaryThis owner page can create private CRM notes through the owner note API, record dry-run sequence schedule intents through the sequence schedule-intent API, record dry-run sequence delivery batches through the sequence delivery-batch API, record dry-run sequence queue-message evidence through the sequence delivery queue-message API, record dry-run sequence dispatch preflight evidence through the sequence dispatch preflight API, record dry-run sequence dispatch attempt receipts through the sequence dispatch attempt API, record sequence Queue producer readiness through the sequence Queue producer readiness API, record sequence Queue consumer readiness through the sequence Queue consumer readiness API, record sequence provider-call readiness through the sequence provider-call readiness API, record sequence delivery-attempt readiness through the sequence delivery-attempt readiness API, record sequence delivery-result readiness through the sequence delivery-result readiness API, record sequence delivery-status webhook readiness through the sequence delivery-status webhook readiness API, record owner-only sequence test sends through the sequence test-send API, record non-destructive import intents through the import intent API, record aggregate import preflights through the import preflight API, and inspect aggregate sequence delivery and export readiness; real imports, real sequence scheduling, subscriber sends, broadcasts, Cloudflare Queue producer execution, Queue messages, queue payload bodies, delivery attempts, delivery results, status webhooks, webhook payloads, provider polling, receipt payloads, receipts, private exports, export file creation, CRM automation, and direct agent subscriber writes require future confirmed-write APIs.
publicRead

Analytics and experiments source data

src/lib/analytics-experiments.ts + src/lib/analytics-conversion-report.ts + src/lib/analytics-experiment-winner-rollouts.ts

Stable IDsanalyticsEventId, analyticsEventIngestionId, analyticsPageViewBeaconId, analyticsEventVariantAggregateId, analyticsEventSourceAggregateId, analyticsExperimentTrafficRoutingId, analyticsExperimentHoldoutRoutingId, analyticsExperimentCustomRoutingRuleId, analyticsExperimentRoutingSignal, experimentAssignmentId, analyticsExperimentDecisionId, analyticsExperimentWinnerRolloutId, analyticsExperimentWinnerRolloutStatus, analyticsExperimentWinnerRolloutRevision, analyticsReportExportId, analyticsReportExportSectionId, analyticsCohortFixtureId, analyticsCohortComparisonId, analyticsCohortReviewId, analyticsCohortReviewStatus, analyticsAlertThresholdId, analyticsAnomalyReviewId, analyticsAnomalyReviewStatus, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsNotificationReadinessStatus, analyticsNotificationInboxRecordId, analyticsNotificationInboxStatus, analyticsNotificationDispatchPreflightId, analyticsNotificationDispatchPreflightStatus, analyticsNotificationProviderDomainReadinessId, analyticsNotificationProviderDomainReadinessStatus, analyticsNotificationProviderDomainReadinessDisposition, analyticsNotificationContentConsentReadinessId, analyticsNotificationContentConsentReadinessStatus, analyticsNotificationContentConsentReadinessDisposition, analyticsNotificationSendPayloadReadinessId, analyticsNotificationSendPayloadReadinessStatus, analyticsNotificationSendPayloadReadinessDisposition, analyticsNotificationQueueProducerReadinessId, analyticsNotificationQueueProducerReadinessStatus, analyticsNotificationQueueProducerReadinessDisposition, analyticsNotificationQueueConsumerReadinessId, analyticsNotificationQueueConsumerReadinessStatus, analyticsNotificationQueueConsumerReadinessDisposition, analyticsNotificationProviderCallReadinessId, analyticsNotificationProviderCallReadinessStatus, analyticsNotificationProviderCallReadinessDisposition, analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationDeliveryAttemptReadinessStatus, analyticsNotificationDeliveryAttemptReadinessDisposition, analyticsNotificationDeliveryResultReadinessId, analyticsNotificationDeliveryResultReadinessStatus, analyticsNotificationDeliveryResultReadinessDisposition, analyticsNotificationDeliveryStatusWebhookReadinessId, analyticsNotificationDeliveryStatusWebhookReadinessStatus, analyticsNotificationDeliveryStatusWebhookReadinessDisposition, analyticsNotificationProviderPollingReadinessId, analyticsNotificationProviderPollingReadinessStatus, analyticsNotificationProviderPollingReadinessDisposition, analyticsNotificationReceiptPayloadReadinessId, analyticsNotificationReceiptPayloadReadinessStatus, analyticsNotificationReceiptPayloadReadinessDisposition, analyticsNotificationDeliveryReceiptReadinessId, analyticsNotificationDeliveryReceiptReadinessStatus, analyticsNotificationDeliveryReceiptReadinessDisposition, analyticsNotificationProviderStatusReconciliationReadinessId, analyticsNotificationProviderStatusReconciliationReadinessStatus, analyticsNotificationProviderStatusReconciliationReadinessDisposition, analyticsFunnelConversionReportId, utmSource, utmMedium, utmCampaign, referrerHost, metricId, funnelStepMetricId, experimentId, variantId, assignmentRuleId, reportId, agentActionId
Write boundarySeeded analytics events, browser-side seeded funnel page-view beacons with deterministic variant evidence and normalized source attribution, seeded experiment assignments, public-safe custom source/campaign routing rules, seeded sandbox funnel copy routing with a baseline holdout, owner-confirmed winner rollout and rollback routing from issue #422, owner-confirmed notification inbox records from issue #271, owner-confirmed notification dispatch preflights from issue #284, owner-reviewed provider/domain readiness records from issue #286, owner-reviewed content/consent readiness records from issue #288, owner-reviewed send-payload readiness records from issue #290, owner-reviewed queue-producer readiness records from issue #292, owner-reviewed queue-consumer readiness records from issue #294, owner-reviewed provider-call readiness records from issue #297, owner-reviewed delivery-attempt readiness records from issue #299, owner-reviewed delivery-result readiness records from issue #301, owner-reviewed delivery-status-webhook readiness records from issue #303, owner-reviewed provider-polling readiness records from issue #305, owner-reviewed receipt-payload readiness records from issue #307, owner-reviewed delivery-receipt readiness records from issue #309, owner-reviewed provider-status reconciliation readiness records from issue #311, and owner-confirmed experiment decision evidence can be captured with idempotency, source-route validation, aggregate count checks, and bot/preview suppression; fixed-window aggregate funnel conversion reports, dashboard-visible aggregate source counts, aggregate variant counts, aggregate report export metadata, owner-reviewed cohort comparison evidence from issue #265, owner-reviewed alert threshold/anomaly-review evidence from issue #267, owner-reviewed notification delivery readiness evidence from issue #269, redacted decision counts, and redacted winner rollout counts can be read from captured test events. Cookie assignment, contact analytics, raw campaign/referrer reporting, raw routing URL storage, raw analytics exports, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, provider polling, provider status reconciliation, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, Queue producer execution, Queue consumer execution, queue messages, queue message consumption, queue acknowledgements, retry/dead-letter rows, queue payload body reads, queue payload bodies, recipient payloads, personalized bodies, raw payload bodies, body templates, unsubscribe URLs, customer alerts, custom events beyond the seeded boundary, raw/private exports, and direct public agent decision writes require future confirmed-write APIs.
owner-sessionRead

Owner analytics experiment decision

D1 table analytics_experiment_decisions plus analytics_events and analytics_experiment_assignments aggregates

Stable IDsanalyticsExperimentDecisionId, analyticsDashboardId, experimentId, variantId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted experiment decision evidence in D1 after exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate count validation, and sample-size caveat acknowledgement. It does not route traffic, assign cookies, select automated winners, expose raw event rows, expose raw assignment rows, expose contact analytics, make revenue claims, or allow unauthenticated/direct public agent experiment writes. Issue #261 tracks this slice.
owner-sessionRead

Owner analytics winner rollout

D1 table analytics_experiment_winner_rollouts plus analytics_events and analytics_experiment_assignments aggregates

Stable IDsanalyticsExperimentWinnerRolloutId, analyticsExperimentWinnerRolloutRevision, analyticsDashboardId, experimentId, variantId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted winner rollout and rollback evidence in D1 after exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate count validation, current rollout revision checks, and sample-size caveat acknowledgement. Custom source/campaign rules stay ahead of winner rollout routing. It does not assign cookies, expose raw event rows, expose raw assignment rows, expose contact analytics, expose raw routing URLs, make revenue claims, call providers, dispatch queues, or allow unauthenticated/direct public agent experiment writes. Issue #422 tracks this slice.
owner-sessionRead

Owner analytics notification inbox record

D1 table analytics_notification_inbox_records plus analytics source-data readiness evidence

Stable IDsanalyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification inbox evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It creates owner-visible inbox records only; it does not send email, dispatch queues, alert customers, expose recipients, expose email bodies, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #271 tracks this slice.
owner-sessionRead

Owner analytics notification dispatch preflight

D1 table analytics_notification_dispatch_preflight_records plus analytics notification inbox/readiness source-data evidence

Stable IDsanalyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification dispatch preflight evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox record checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible dispatch preflight evidence only; it does not send email, call providers, dispatch queues, alert customers, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #284 tracks this slice.
owner-sessionRead

Owner analytics notification provider/domain readiness

D1 table analytics_notification_provider_domain_readiness_records plus analytics notification dispatch-preflight/readiness source-data evidence

Stable IDsanalyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification provider/domain readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider/domain readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #286 tracks this slice.
owner-sessionRead

Owner analytics notification content/consent readiness

D1 table analytics_notification_content_consent_readiness_records plus analytics notification provider-domain/readiness source-data evidence

Stable IDsanalyticsNotificationContentConsentReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification content/consent readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible body-template, unsubscribe, rate-limit, audit-correlation, and retention readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #288 tracks this slice.
owner-sessionRead

Owner analytics notification send-payload readiness

D1 table analytics_notification_send_payload_readiness_records plus analytics notification content-consent/readiness source-data evidence

Stable IDsanalyticsNotificationSendPayloadReadinessId, analyticsNotificationContentConsentReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification send-payload readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current content/consent readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible payload-shape, unsubscribe-footer, consent/suppression recheck, recipient-scope, audit-correlation, and retention readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, create queue messages, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #290 tracks this slice.
owner-sessionRead

Owner analytics notification queue-producer readiness

D1 table analytics_notification_queue_producer_readiness_records plus analytics notification send-payload/readiness source-data evidence

Stable IDsanalyticsNotificationQueueProducerReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification queue-producer readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible Queue binding, producer-mode, idempotency-policy, retry/dead-letter-policy, consumer-dependency, backpressure, audit-correlation, and retention readiness evidence only; it does not send email, enable Queue producers, create Queue messages, create Queue payload bodies, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #292 tracks this slice.
owner-sessionRead

Owner analytics notification queue-consumer readiness

D1 table analytics_notification_queue_consumer_readiness_records plus analytics notification queue-producer/readiness source-data evidence

Stable IDsanalyticsNotificationQueueConsumerReadinessId, analyticsNotificationQueueProducerReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification queue-consumer readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current queue-producer readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible Queue binding, consumer-mode, producer-dependency, payload-read-policy, ack-policy, retry/dead-letter-policy, provider-handoff-dependency, idempotency-policy, backpressure, audit-correlation, and retention readiness evidence only; it does not send email, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #294 tracks this slice.
owner-sessionRead

Owner analytics notification provider-call readiness

D1 table analytics_notification_provider_call_readiness_records plus analytics notification queue-consumer/readiness source-data evidence

Stable IDsanalyticsNotificationProviderCallReadinessId, analyticsNotificationQueueConsumerReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification provider-call readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current queue-consumer readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-call dependency readiness only; it does not send email, enable provider sends or calls, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #297 tracks this slice.
owner-sessionRead

Owner analytics notification delivery-attempt readiness

D1 table analytics_notification_delivery_attempt_readiness_records plus analytics notification provider-call/readiness source-data evidence

Stable IDsanalyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationProviderCallReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification delivery-attempt readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current provider-call readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-attempt dependency readiness only; it does not send email, enable provider sends or calls, attempt delivery, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #299 tracks this slice.
owner-sessionRead

Owner analytics notification delivery-result readiness

D1 table analytics_notification_delivery_result_readiness_records plus analytics notification delivery-attempt/readiness source-data evidence

Stable IDsanalyticsNotificationDeliveryResultReadinessId, analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification delivery-result readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-attempt readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-result boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #301 tracks this slice.
owner-sessionRead

Owner analytics notification delivery-status webhook readiness

D1 table analytics_notification_delivery_status_webhook_readiness_records plus analytics notification delivery-result/readiness source-data evidence

Stable IDsanalyticsNotificationDeliveryStatusWebhookReadinessId, analyticsNotificationDeliveryResultReadinessId, analyticsNotificationDeliveryAttemptReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification delivery-status webhook readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-result readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-status webhook boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #303 tracks this slice.
owner-sessionRead

Owner analytics notification provider-polling readiness

D1 table analytics_notification_provider_polling_readiness_records plus analytics notification delivery-status-webhook/readiness source-data evidence

Stable IDsanalyticsNotificationProviderPollingReadinessId, analyticsNotificationDeliveryStatusWebhookReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification provider-polling readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-status-webhook readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-polling boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #305 tracks this slice.
owner-sessionRead

Owner analytics notification receipt-payload readiness

D1 table analytics_notification_receipt_payload_readiness_records plus analytics notification provider-polling/readiness source-data evidence

Stable IDsanalyticsNotificationReceiptPayloadReadinessId, analyticsNotificationProviderPollingReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification receipt-payload readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current provider-polling readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible receipt-payload boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #307 tracks this slice.
owner-sessionRead

Owner analytics notification delivery-receipt readiness

D1 table analytics_notification_delivery_receipt_readiness_records plus analytics notification receipt-payload/readiness source-data evidence

Stable IDsanalyticsNotificationDeliveryReceiptReadinessId, analyticsNotificationReceiptPayloadReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification delivery-receipt readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current receipt-payload readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-receipt boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #309 tracks this slice.
owner-sessionRead

Owner analytics notification provider-status reconciliation readiness

D1 table analytics_notification_provider_status_reconciliation_readiness_records plus analytics notification delivery-receipt/readiness source-data evidence

Stable IDsanalyticsNotificationProviderStatusReconciliationReadinessId, analyticsNotificationDeliveryReceiptReadinessId, analyticsNotificationSendPayloadReadinessId, analyticsNotificationProviderDomainReadinessId, analyticsNotificationDispatchPreflightId, analyticsNotificationInboxRecordId, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsDashboardId, analyticsTimeWindow, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted notification provider-status reconciliation readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-receipt readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-status reconciliation boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, reconcile provider statuses, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #311 tracks this slice.
publicRead

Affiliate and referral source data

src/lib/affiliate-referrals.ts

Stable IDsaffiliateProgramId, affiliatePartnerId, affiliatePartnerPortalId, affiliatePartnerPortalRoute, affiliatePartnerPortalStatus, affiliatePartnerStatementSnapshotId, affiliatePartnerStatementSnapshotStatus, affiliatePartnerReportId, payoutPreparationId, payoutPreparationRecordId, payoutPreparationRecordStatus, fraudReviewRecordId, fraudReviewRecordStatus, fraudEnforcementRecordId, fraudEnforcementRecordStatus, partnerNotificationReadinessRecordId, partnerNotificationReadinessRecordStatus, partnerNotificationSendPreflightRecordId, partnerNotificationSendPreflightRecordStatus, partnerNotificationProviderReadinessRecordId, partnerNotificationProviderReadinessRecordStatus, referralLinkId, referralClickId, checkoutIntentId, referralAttributionId, reviewOnlyCommissionLedgerId, commissionReviewActionId, attributionRuleId, commissionRuleId, commissionLedgerId, payoutBatchId, reviewFlagId, auditEventId, agentActionId
Write boundarySeeded referral clicks can be captured with idempotency and destination-route validation, eligible clicks can be attached to sandbox checkout intents as evidence, trusted checkout attribution can create review-only commission ledger evidence, owner sessions can review, hold, or reverse that evidence, public-safe partner reports and partner portal status pages can be read, read-only payout preparation can be inspected, and owner sessions can record payout preparation, fraud review, fraud enforcement, partner notification readiness, partner notification send preflight, and notification provider readiness evidence; cookie assignment, buyer attribution finalization, payable commission writes, direct agent review writes, payout actions, tax collection, authenticated private partner portals, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, and queue dispatch require future confirmed-write APIs.
owner-sessionRead

Owner affiliate payout preparation record API

src/lib/affiliate-payout-preparation-records.ts

Stable IDspayoutPreparationRecordId, affiliateProgramId, payoutPreparationId, payoutBatchId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted affiliate payout preparation evidence in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, and payout evidence validation. It creates owner-visible preparation records only; it does not create payable commission state, Stripe payouts or transfers, payout accounts, tax records, partner notifications, fraud decisions, buyer data, raw ledger rows, or direct public agent payout writes. Issue #273 tracks this slice.
owner-sessionRead

Owner affiliate fraud review record API

src/lib/affiliate-fraud-review-records.ts

Stable IDsfraudReviewRecordId, affiliateProgramId, reviewFlagId, payoutPreparationId, payoutBatchId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted affiliate fraud review evidence in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, review-flag checks, and linked-ledger evidence validation. It creates owner-visible fraud review records only; it does not enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #275 tracks this slice.
owner-sessionRead

Owner affiliate fraud enforcement record API

src/lib/affiliate-fraud-review-records.ts

Stable IDsfraudEnforcementRecordId, affiliateProgramId, reviewFlagId, payoutPreparationId, payoutBatchId, fraudReviewRecordStatus, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted affiliate fraud enforcement decisions in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, fraud review record status checks, review-flag checks, and linked-ledger evidence validation. It records owner-visible fraud enforcement only; it does not create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #424 tracks this slice.
owner-sessionRead

Owner affiliate partner notification readiness record API

src/lib/affiliate-partner-notification-readiness-records.ts

Stable IDspartnerNotificationReadinessRecordId, affiliateProgramId, affiliatePartnerReportId, affiliatePartnerId, payoutPreparationId, payoutBatchId, reviewFlagId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted affiliate partner notification readiness evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, review-flag checks, and linked-ledger evidence validation. It creates owner-visible readiness records only; it does not send partner notifications, call providers, create queue rows, expose recipient emails or message bodies, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #277 tracks this slice.
owner-sessionRead

Owner affiliate partner notification send preflight record API

src/lib/affiliate-partner-notification-send-preflight-records.ts

Stable IDspartnerNotificationSendPreflightRecordId, partnerNotificationReadinessRecordStatus, affiliateProgramId, affiliatePartnerReportId, affiliatePartnerId, payoutPreparationId, payoutBatchId, reviewFlagId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted affiliate partner notification send preflight evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, review-flag checks, linked-ledger evidence validation, and provider-send-disabled checks. It creates owner-visible send preflight records only; it does not send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails or message bodies, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #279 tracks this slice.
owner-sessionRead

Owner affiliate partner notification provider readiness record API

src/lib/affiliate-partner-notification-provider-readiness-records.ts

Stable IDspartnerNotificationProviderReadinessRecordId, partnerNotificationSendPreflightRecordStatus, affiliateProgramId, affiliatePartnerReportId, affiliatePartnerId, payoutPreparationId, payoutBatchId, reviewFlagId, ownerUserId, idempotencyKey
Write boundaryThis owner-session API records redacted affiliate partner notification provider readiness evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, send preflight record status checks, review-flag checks, linked-ledger evidence validation, provider-configuration-disabled checks, provider-secret-redaction checks, sender-credential-redaction checks, and provider-send-disabled checks. It creates owner-visible provider readiness records only; it does not configure notification providers, store provider secrets, store sender credentials, send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails or message bodies, expose provider message IDs, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #281 tracks this slice.
publicRead

Mobile admin contract

src/lib/mobile-admin.ts

Stable IDsmobileJobId, mobileApiDependencyId, mobilePrivateAuthId, mobilePrivateRowsApiId, mobilePrivateRowActionsApiId, mobileDirectorReviewApiId, mobileCommerceReviewApiId, mobileActionIntentApiId, mobilePushBoundaryId, mobileDistributionReadinessId, directorWorkstreamId, directorBriefSignalId, mobileConfirmedActionId, platformIssue, featureId
Write boundaryMobile apps can inspect owner-gated private rows through /api/mobile-admin/private-rows, mark private rows read/deferred through /api/mobile-admin/private-rows/actions, record owner-confirmed Director workstream review state through /api/mobile-admin/director-reviews, record owner-confirmed commerce-health review state through /api/mobile-admin/commerce-reviews, and record owner-gated audit-only action intents through /api/mobile-admin/actions. Push sends, provider calls, device-token registration, installable distribution, physical-device proof, and high-risk billing/publishing production writes remain disabled until future domain-specific confirmed-write APIs and platform evidence exist; issue #414 exposes the shared owner-session, private-row, private-row action, Director review, commerce review, action-intent, push-readiness, distribution-readiness, and confirmed-action contract.
publicRead

Live mobile admin dashboard source data

src/lib/mobile-admin-dashboard.ts

Stable IDsmobileDashboardCardId, directorWorkstreamId, directorBriefSignalId, directorWindowId, featureId, roadmapItemId, workLogEntryId, markAttentionId, mobilePrivateRowId, mobilePrivateRowActionId, mobileDirectorReviewId, mobileCommerceReviewId, mobilePushBoundaryId, mobileDistributionReadinessId, agentReadContractId
Write boundaryPublic-safe digest; issue #414 exposes owner-session, private-row, private-row action, Director review, commerce review, action-intent, push-readiness, distribution-readiness, and confirmed-action requirements, but push notifications, physical-device proof, App Store/Play Store distribution, and high-risk billing/publishing confirmed mobile writes require future authenticated APIs and platform evidence.
owner-sessionRead

Mobile admin commerce review API

src/lib/mobile-admin-commerce-reviews.ts

Stable IDsmobileCommerceReviewId, commerceReviewTargetId, auditCorrelationId, idempotencyKey, staleStateToken
Write boundaryThis owner-session API records low-risk owner review state for commerce source-data targets in D1 after exact confirmation, idempotency, current commerce generated-at checks, stale-state token checks, audit correlation, and redaction. It does not create billing mutations, refunds, subscription changes, price changes, fulfillment changes, entitlement changes, push notifications, distribution state changes, public agent writes, private-row changes, or high-risk production confirmed-write side effects. Issue #414 tracks this slice.
owner-sessionRead

Mobile admin Director review API

src/lib/mobile-admin-director-reviews.ts

Stable IDsmobileDirectorReviewId, directorWorkstreamId, auditCorrelationId, idempotencyKey, staleStateToken
Write boundaryThis owner-session API records low-risk production owner review state for Director workstreams in D1 after exact confirmation, idempotency, current Director generated-at checks, stale-state token checks, audit correlation, and redaction. It does not create billing mutations, publishing mutations, push notifications, distribution state changes, public agent writes, private-row changes, or high-risk production confirmed-write side effects. Issue #414 tracks this slice.
owner-sessionRead

Mobile admin private-row actions API

src/lib/mobile-admin-private-row-actions.ts

Stable IDsmobilePrivateRowActionId, mobilePrivateRowId, auditCorrelationId, idempotencyKey, staleStateToken
Write boundaryThis owner-session API mutates only Mobile Admin private-row workflow state after exact confirmation, idempotency, stale row revision checks, stale-state token checks, audit correlation, and redaction. It does not create billing mutations, commerce mutations, publishing mutations, moderation actions, creator-speech actions, push notifications, distribution state changes, direct public agent writes, or high-risk production confirmed-write side effects. Issue #428 tracks this slice.
owner-sessionRead

Mobile admin private rows API

src/lib/mobile-admin-private-rows.ts

Stable IDsmobilePrivateRowId, sourceRoute, sourceRecordId, readState
Write boundaryThis owner-session API reads Mobile Admin private rows from D1 and returns owner-only notes and synthetic private payload metadata only to authenticated owners. It does not create production admin mutations, billing mutations, push notifications, distribution state changes, customer data exposure, public agent writes, or domain-specific confirmed-write side effects. Issue #414 tracks this slice.
owner-sessionRead

Mobile admin action intent API

src/lib/mobile-admin-actions.ts

Stable IDsmobileActionIntentId, mobileConfirmedActionId, sourceRoute, auditCorrelationId, idempotencyKey, staleStateToken
Write boundaryThis owner-session API records redacted mobile action intent evidence in D1 after exact confirmation, idempotency, contract revision checks, stale-state token checks, source-route allowlisting, audit correlation, and redaction. It creates audit-only action intent rows; it does not create production admin mutations, billing mutations, push notifications, distribution state changes, private mobile row exposure, direct public agent writes, or domain-specific confirmed-write side effects. Issue #414 tracks this slice.
publicRead

iOS mobile admin source data

src/lib/mobile-admin-ios.ts and apps/mobile-admin

Stable IDsplatformIssue, fixturePath, smokeCommand, simulatorBundleId
Write boundaryThe iOS slice is read-only until the shared confirmed-write API and mobile auth boundary exist.
publicRead

Android mobile admin source data

src/lib/mobile-admin-android.ts and apps/mobile-admin

Stable IDsplatformIssue, fixturePath, smokeCommand, nativePackage, defaultAvd
Write boundaryThe Android slice is read-only until the shared confirmed-write API and mobile auth boundary exist.

Safety

Reads are live; writes remain confirmed or planned.

Evidence first

Do not invent pricing, customer, integration, roadmap, shipped-feature, testimonial, or competitor facts.

Confirmed writes

Require confirmation, idempotency, stale-state checks, audit correlation, and redaction for public, destructive, billing-impacting, moderation, source-editing, publishing, or creator-speech writes.

MCP direction

36 read contracts are ready for future MCP resources.