PublicOpen
Feature catalog
Read feature status, Distinguish live from pending, Cite feature evidence
Source of truthsrc/lib/feature-catalog.ts
Write boundaryFeature status changes must land through GitHub issue/PR work and admin work-log updates.
Agent docs
Agents get public contracts, not hidden browser-only state.
Bumpgrade exposes feature, roadmap, comparison, commerce, admin, and agent manifest reads through stable source-data routes. Human admin pages remain owner-gated, and write actions require explicit confirmation.
Agent manifestStatus
23 public readsIssue #12 turns the scaffold route into a manifest-backed agent surface with source evidence.Public reads
Agent-readable contracts available today
PublicOpen
Public roadmap
Read public-safe roadmap state, Find blockers and next milestones, Cite issue evidence
Source of truthsrc/lib/roadmap.ts
Write boundaryRoadmap moves require an issue/PR or approved admin append path, not chat-only edits.
PublicOpen
Competitor comparisons and source evidence
Resolve competitor claims, Read retrieved dates, Cite official source URLs
Source of truthsrc/lib/comparison-data.ts
Write boundaryRefresh competitor claims from official sources before changing dated pricing, packaging, or feature claims.
PublicOpen
Commerce contract
Read redacted commerce architecture, Separate sandbox from live billing, Inspect referral attribution evidence, Inspect review-only commission ledger evidence, Inspect owner review action boundaries, Inspect non-billing post-purchase decision evidence, Inspect write safety rules
Source of truthsrc/lib/commerce.ts and src/lib/sandbox-checkout.ts
Write boundaryNon-billing post-purchase decisions can be recorded only for trusted checkout state; billing-impacting and payable commission writes require exact confirmation, idempotency, stale-state checks, audit correlation, owner review, and webhook evidence.
PublicOpen
Admin source-data bundle
Read public-safe work-log entries, Read user journeys, Read Mark attention summaries
Source of truthD1 admin tables with fixture fallback in src/lib/admin-surface-data.ts
Write boundaryHuman admin pages require Better Auth; agent writes need approved scripts or future confirmed APIs.
PublicOpen
Agent manifest
Discover read contracts, Route to source-data APIs, Understand write boundaries
Source of truthsrc/lib/agent-manifest.ts
Write boundaryThis route is read-only until confirmed-write agent APIs exist.
PublicOpen
Content surfaces
Read use-case records, Read resource hub records, Read pricing caveats
Source of truthsrc/lib/content-surfaces.ts
Write boundaryContent changes must cite source-data routes, issues, or shipped evidence before public claims change.
PublicOpen
Publisher account, subdomain, and custom-domain setup
Read paid-plan gate requirements, Read default Bumpgrade subdomain reservation policy, Read custom-domain DNS instruction and verification policy, Read cross-subdomain auth configuration and custom-domain login boundary, Distinguish Bumpgrade subdomains, existing custom domains, and the current no-domain-purchase policy
Source of truthsrc/lib/publisher-tenants.ts and D1 publisher tenant tables
Write boundarySubdomain reservation and custom-domain onboarding require a signed-in, email-confirmed publisher with active paid-plan entitlement, idempotency, audit correlation, and redacted outputs; Bumpgrade does not sell, register, renew, transfer, or price domains today.
PublicOpen
Funnel source data
Read seeded draft funnel, Inspect ordered steps, Inspect page blocks and write boundaries, Inspect reusable funnel templates and block-template write boundaries from issue #159, Discover owner-session template-to-draft creation from issue #161, Discover owner-session checkout-offer linking from issue #163, Discover public linked-checkout start rendering from issue #165, Discover webinar and resource page-shape templates from issue #213, Discover owner-session private draft duplication from issue #215, Discover owner-session private draft archive/unpublish from issue #341, Discover owner-session editable draft, private preview, and exact-confirmed publish/archive capability from issues #91, #93, #95, #135, #163, #165, #213, #215, and #341
Source of truthsrc/lib/funnels.ts
Write boundaryOwner-session seed/create/template-create/duplicate/update/reorder/checkout-link/archive draft writes, including webinar/resource template-to-draft creation, private draft preview, exact-confirmed public publishing, and exact-confirmed archive/unpublish exist at /admin/funnels. Published linked checkout blocks can render the existing sandbox checkout start surface. Direct agent template creation, block editing, direct agent checkout linking, direct agent duplication, direct agent archive/unpublish, destructive deletion, live billing, live webinar scheduling, private resource delivery, drag-and-drop layout editing, and direct agent edits require future confirmed-write APIs.
PublicOpen
Checkout offer source data
Read seeded checkout offer stack, Inspect bump and upsell sequence, Inspect confirmed sandbox checkout start boundaries, Inspect optional referral-click attribution evidence, Inspect aggregate non-billing post-purchase decision counts
Source of truthsrc/lib/checkout-offers.ts
Write boundaryA confirmed sandbox checkout start can include the seeded primary offer, constrained order bump, and optional referral-click attribution evidence; trusted checkout state can record non-billing upsell/downsell follow-up decisions; live billing, price mutation, fulfillment, commission writes, direct agent writes, and post-purchase charges require future confirmed-write APIs.
PublicOpen
Product access source data
Read seeded product catalog, Inspect access rules, Inspect sandbox entitlement grant mappings, Inspect aggregate owner-entitlement counts and redaction flags, Discover the customer-safe checkout intent entitlement lookup contract, Discover short-lived private R2-backed download-token boundaries, Discover owner-confirmed private asset upload-intent boundaries, Inspect owner-confirmed non-destructive revocation intent records, Inspect protected content readiness and the checkout-intent-scoped protected fixture delivery boundary, Inspect subscription-backed membership access state from trusted Stripe Billing webhook evidence, Inspect entitlement and fulfillment boundaries
Source of truthsrc/lib/product-access.ts + src/lib/product-entitlement-inspection.ts + src/lib/customer-product-entitlements.ts + src/lib/product-download-tokens.ts + src/lib/product-asset-uploads.ts + src/lib/product-protected-content.ts
Write boundaryTrusted paid sandbox webhooks can grant idempotent entitlement rows for seeded checkout line items; trusted Stripe Billing subscription webhooks can sync checkout-linked membership access while state is active or trialing and pause it when subscription state is canceled, unpaid, incomplete_expired, or deleted; verified owners can inspect private entitlement rows, owner-confirmed non-destructive revocation intents, and protected content readiness in /admin/products; customers can inspect checkout-intent-scoped entitlement status, create short-lived download tokens that stream a seeded private R2 fixture without buyer or provider identifiers, and read seeded protected course/member fixture bodies only after active-entitlement and trusted-checkout checks; verified owners can create small private asset upload records after exact confirmation, idempotency, and catalog revision checks, and record non-destructive revocation intents after exact confirmation, idempotency, and stale entitlement status checks; product creation, customer delivery of arbitrary uploads, signed object URLs, destructive revocation, live fulfillment automation, Customer Portal actions, and private content writes require future authenticated confirmed-write APIs.
PublicOpen
Customer product entitlement lookup
Inspect customer-safe product access for a known checkout intent, Confirm entitlement and fulfillment state without private buyer data, Confirm raw Stripe IDs, event IDs, metadata JSON, R2 keys, and signed URLs are excluded
Source of truthsrc/lib/customer-product-entitlements.ts
Write boundaryThis is a read-only checkout-intent-scoped lookup; signed downloads, protected lessons, buyer identity, entitlement mutation, destructive revocation, and live fulfillment require future authenticated confirmed-write APIs.
PublicOpen
Subscription membership access state
Inspect the seeded monthly membership price and access-rule mapping, Confirm active/trialing Stripe Billing subscription state can activate checkout-linked membership access, Confirm canceled, unpaid, incomplete_expired, or deleted subscription state pauses membership access, Confirm buyer identity, raw subscription/customer IDs, webhook IDs, metadata JSON, member posts, private files, Customer Portal URLs, and progress rows are excluded
Source of truthsrc/lib/product-entitlements.ts + D1 billing_subscriptions and product_entitlements
Write boundaryThis is read-only subscription-backed membership access evidence. It does not create or mutate Stripe subscriptions, open Customer Portal sessions, expose raw Stripe IDs, deliver member posts/files, change pricing, or perform direct agent billing writes.
PublicOpen
Private R2 product download token
Create a short-lived download token for an active checkout-linked file entitlement, Confirm private R2-backed fixture delivery does not expose private R2 keys or signed object URLs, Inspect token expiry, one-use replay rejection, entitlement scope, and current checkout-state revalidation
Source of truthsrc/lib/product-download-tokens.ts
Write boundaryThis creates a short-lived token and streams a seeded private R2-backed fixture through Bumpgrade after revalidating current entitlement status, checkout intent linkage, trusted checkout state, and asset scope; protected content, arbitrary asset uploads, destructive revocation, subscription access, and live fulfillment automation require future authenticated confirmed-write APIs.
PublicOpen
Protected product content delivery fixture
Read a seeded protected course/member fixture only with a known checkout intent and matching active entitlement, Confirm protected fixture delivery rechecks product/template scope and current paid/completed checkout state, Confirm buyer identity, raw Stripe IDs, webhook IDs, metadata JSON, R2 keys, signed URLs, arbitrary uploaded content, and progress rows are excluded
Source of truthsrc/lib/product-protected-content.ts
Write boundaryThis route returns seeded protected fixture bodies for eligible checkout-linked entitlements only. It is not direct public agent write access, arbitrary private upload delivery, signed object URL access, progress tracking, subscription mutation, destructive revocation, or live fulfillment automation.
PublicOpen
Audience automation source data
Read seeded opt-in form, Inspect tags and segments, Inspect consent-backed capture boundary, Inspect aggregate unsubscribe-paused sequence enrollment evidence without contact identity, Inspect aggregate sequence delivery readiness without body templates, unsubscribe URLs, recipient payloads, queue payloads, provider sends, or provider message IDs, Inspect aggregate owner-subscriber, suppression, and timeline counts with redaction flags, Inspect suppression-aware broadcast readiness without recipient exposure, Inspect public-safe dry-run broadcast schedule intent counts without actor email or recipient payloads, Inspect broadcast preview and unsubscribe-footer safety without personalized body or recipient exposure, Inspect delivery queue readiness without recipient payloads, queue rows, or provider sends, Inspect delivery-batch dry runs without recipient payloads, queue messages, or provider sends, Inspect delivery queue message dry runs without Cloudflare Queue dispatch, recipient payloads, or provider sends, Inspect dispatch preflight dry runs without Cloudflare Queue dispatch, recipient payloads, or provider sends, Inspect dispatch attempt receipts without Cloudflare Queue producers, queue payload bodies, provider responses, or provider sends, Inspect sender-domain readiness without private DNS credentials, raw DNS records, provider secrets, or provider sends, Inspect provider-event readiness without provider secrets, raw provider payloads, provider responses, or provider message IDs, Inspect provider rate-limit readiness without provider secrets, provider limit secrets, raw provider payloads, provider responses, or provider message IDs, Inspect provider response readiness without provider secrets, raw response bodies, provider responses, or provider message IDs, Inspect send-payload readiness without recipient payloads, personalized bodies, raw payload bodies, queue producers, or provider sends, Inspect Queue producer readiness without Queue messages, queue payload bodies, recipient payloads, or provider sends, Inspect Queue consumer readiness without Queue message consumption, acks, retry/dead-letter rows, queue payload body reads, recipient payloads, or provider sends, Inspect owner-confirmed import intents without raw contact rows, raw emails, actor emails, private notes, sequence enrollments, or sends, Inspect owner-confirmed import preflights without raw contact rows, raw emails, subscriber writes, exports, actor emails, private notes, sequence enrollments, or sends, Inspect aggregate audience export readiness without raw emails, subscriber IDs, export files, or export URLs, Inspect the public-safe unsubscribe/suppression write boundary, Inspect the owner-only CRM timeline note boundary, Inspect sequence and automation boundaries
Source of truthsrc/lib/audience-automation.ts + src/lib/audience-subscribers.ts + src/lib/audience-broadcasts.ts + src/lib/audience-imports.ts + src/lib/audience-exports.ts + src/lib/audience-sequence-readiness.ts
Write boundaryPublic visitors can submit the seeded opt-in form with explicit consent and can record unsubscribe/suppression evidence without exposing list membership; known subscriber unsubscribe also pauses draft sequence enrollment state while public responses stay membership-safe. Verified owners can inspect private subscriber rows, create private CRM notes, view aggregate sequence delivery readiness, broadcast readiness, preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, redacted import intents, redacted import preflights, and aggregate export readiness, and record dry-run schedule intents, delivery batches, queue-message evidence, dispatch preflight evidence, dispatch attempt receipts, non-destructive import intents, and aggregate import preflights in /admin/audience; real contact imports, real sequence scheduling, real email delivery, private exports, export file creation, direct agent subscriber writes, private DNS/provider setup, provider webhooks, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs require future confirmed-write APIs.
PublicOpen
Audience unsubscribe suppression
Inspect the unsubscribe/suppression confirmation contract, Record a public-safe unsubscribe preference only for the submitted email, Confirm responses do not reveal whether the email was already subscribed, Confirm sequence enrollment pause state is exposed only through aggregate source-data or owner views, Use idempotency before replaying a preference write
Source of truthD1 table audience_suppression_entries, subscriber status in audience_subscribers, and paused rows in audience_sequence_enrollments
Write boundaryThis public API records hashed unsubscribe/suppression evidence, marks known subscribers unsubscribed, and pauses known draft sequence enrollments without revealing list membership. It does not send email, export subscribers, expose suppression hashes or reasons publicly, include sequence state in public responses, or authorize direct agent subscriber management.
PublicOpen
Analytics and experiments source data
Read seeded event taxonomy, Inspect aggregate event counts, Inspect aggregate variant event counts, Inspect aggregate source attribution counts, Inspect aggregate assignment counts, Inspect aggregate funnel conversion report rows, Inspect aggregate report export sections without raw analytics downloads, Inspect fixture cohort comparison definitions with sample-size caveats, Inspect owner-reviewed cohort comparison evidence without winner or revenue claims, Inspect owner-reviewed alert threshold and anomaly-review evidence without automated alerts or traffic routing, Inspect owner-reviewed notification delivery readiness without sending alerts or writing inbox rows, Inspect owner-confirmed notification inbox records without recipients, email bodies, queue dispatch, or email sends, Inspect owner-confirmed notification dispatch preflights without recipients, email bodies, provider message IDs, queue payloads, queue dispatch, or email sends, Inspect owner-reviewed notification provider/domain readiness without provider configuration, provider secrets, sender credentials, private DNS credentials, provider sends, or verified-domain claims, Inspect owner-reviewed notification content/consent readiness without body templates, unsubscribe URLs, recipients, email bodies, provider message IDs, queue payloads, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification send-payload readiness without recipient payloads, personalized bodies, raw payload bodies, queue messages, provider responses, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification queue-producer readiness without Queue producer execution, queue messages, queue payload bodies, provider responses, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification queue-consumer readiness without Queue consumer execution, message consumption, message acknowledgement, retry/dead-letter rows, queue payload body reads, provider responses, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification provider-call readiness without provider sends, provider calls, provider responses, provider configuration, provider secrets, sender credentials, private DNS credentials, Queue consumer execution, queue payload body reads, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-attempt readiness without provider sends, delivery attempts, provider responses, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-result readiness without delivery results, delivery receipts, status webhooks, provider polling, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-status-webhook readiness without delivery status webhooks, delivery receipts, receipt payloads, status webhook payloads, provider polling, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification provider-polling readiness without provider polling execution, delivery receipts, receipt payloads, status webhook payloads, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification receipt-payload readiness without receipt payload capture, delivery receipts, status webhook payloads, provider polling execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-receipt readiness without delivery receipt creation, receipt payload capture, status webhook payloads, provider polling execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification provider-status reconciliation readiness without provider polling execution, delivery receipt processing, receipt payload ingestion, provider status reconciliation execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect dashboard-visible source attribution rows, Inspect fixed time-window metadata and aggregate source/conversion rows, Inspect metric formulas, Inspect seeded event capture boundary, Inspect browser-side page-view beacon boundary, Inspect seeded experiment assignment boundary, Inspect experiment assignment boundaries, Inspect owner-confirmed experiment decision evidence without raw event rows or raw assignment rows
Source of truthsrc/lib/analytics-experiments.ts + src/lib/analytics-conversion-report.ts
Write boundarySeeded analytics events, browser-side seeded funnel page-view beacons with deterministic variant evidence and normalized source attribution, seeded experiment assignments, owner-confirmed notification inbox records from issue #271, owner-confirmed notification dispatch preflights from issue #284, owner-reviewed provider/domain readiness records from issue #286, owner-reviewed content/consent readiness records from issue #288, owner-reviewed send-payload readiness records from issue #290, owner-reviewed queue-producer readiness records from issue #292, owner-reviewed queue-consumer readiness records from issue #294, owner-reviewed provider-call readiness records from issue #297, owner-reviewed delivery-attempt readiness records from issue #299, owner-reviewed delivery-result readiness records from issue #301, owner-reviewed delivery-status-webhook readiness records from issue #303, owner-reviewed provider-polling readiness records from issue #305, owner-reviewed receipt-payload readiness records from issue #307, owner-reviewed delivery-receipt readiness records from issue #309, owner-reviewed provider-status reconciliation readiness records from issue #311, and owner-confirmed experiment decision evidence can be captured with idempotency, source-route validation, aggregate count checks, and bot/preview suppression; fixed-window aggregate funnel conversion reports, dashboard-visible aggregate source counts, aggregate variant counts, aggregate report export metadata, owner-reviewed cohort comparison evidence from issue #265, owner-reviewed alert threshold/anomaly-review evidence from issue #267, owner-reviewed notification delivery readiness evidence from issue #269, and redacted decision counts can be read from captured test events. Cookie assignment, contact analytics, raw campaign/referrer reporting, raw analytics exports, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, provider polling, provider status reconciliation, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, Queue producer execution, Queue consumer execution, queue messages, queue message consumption, queue acknowledgements, retry/dead-letter rows, queue payload body reads, queue payload bodies, recipient payloads, personalized bodies, raw payload bodies, body templates, unsubscribe URLs, customer alerts, custom events, experiment traffic routing, automated winners, and direct public agent decision writes require future confirmed-write APIs.
PublicOpen
Affiliate and referral source data
Read seeded affiliate program, Inspect referral links and attribution rules, Inspect aggregate referral click counts, Inspect aggregate checkout attribution counts, Inspect aggregate review-only commission ledger counts, Inspect aggregate owner review and reversal action counts, Inspect public-safe partner performance reports, Inspect read-only payout preparation checklists, Inspect owner-confirmed payout preparation records without payout accounts, tax data, Stripe payout IDs, partner notification bodies, buyer data, raw ledger rows, or raw actor fields, Inspect owner-reviewed fraud review records without private fraud signals, buyer data, raw ledger/click/checkout rows, actor identity, payout accounts, tax data, Stripe payout IDs, or partner notification bodies, Inspect owner-reviewed partner notification readiness records without recipient emails, message bodies, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, or partner sends, Inspect owner-reviewed partner notification send preflight records without recipient emails, message bodies, send payloads, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, provider-send enablement, or partner sends, Inspect owner-reviewed notification provider readiness records without provider configuration, provider secrets, sender credentials, recipient emails, message bodies, send payloads, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, provider-send enablement, or partner sends, Inspect commission and payout review boundaries
Source of truthsrc/lib/affiliate-referrals.ts
Write boundarySeeded referral clicks can be captured with idempotency and destination-route validation, eligible clicks can be attached to sandbox checkout intents as evidence, trusted checkout attribution can create review-only commission ledger evidence, owner sessions can review, hold, or reverse that evidence, public-safe partner reports can be read, read-only payout preparation can be inspected, and owner sessions can record payout preparation, fraud review, partner notification readiness, partner notification send preflight, and notification provider readiness evidence; cookie assignment, buyer attribution finalization, payable commission writes, direct agent review writes, fraud enforcement, payout actions, tax collection, private partner portals, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, and queue dispatch require future confirmed-write APIs.
PublicOpen
Mobile admin contract
Read iOS and Android scope, Find API dependencies, Understand mobile write boundaries
Source of truthsrc/lib/mobile-admin.ts
Write boundaryMobile app writes remain read-only until a future confirmed-write API exists.
PublicOpen
Live mobile admin dashboard source data
Read one public-safe mobile dashboard digest, Inspect live feature, roadmap, admin, commerce, and agent-readiness counts, Find iOS and Android source-data routes without scraping private admin pages
Source of truthsrc/lib/mobile-admin-dashboard.ts
Write boundaryRead-only public-safe digest; private mobile auth, push notifications, and confirmed mobile writes require future authenticated APIs.
PublicOpen
iOS mobile admin source data
Read iOS scaffold status, Find simulator smoke command, Find screenshot evidence
Source of truthsrc/lib/mobile-admin-ios.ts and apps/mobile-admin
Write boundaryThe iOS slice is read-only until the shared confirmed-write API and mobile auth boundary exist.
PublicOpen
Android mobile admin source data
Read Android scaffold status, Find emulator smoke command, Find screenshot evidence
Source of truthsrc/lib/mobile-admin-android.ts and apps/mobile-admin
Write boundaryThe Android slice is read-only until the shared confirmed-write API and mobile auth boundary exist.
Evidence
Claim resolution starts from stable IDs.
SourceJSON
/features/source-data
Bumpgrade feature status, audience, expected capabilities, issue ownership, and agent contract notes.
Stable IDsfeatureId, issue
CaveatFeature records must not be described as live unless status is live and issue/PR evidence supports it.
SourceJSON
/roadmap/source-data
Public roadmap item status, blocker notes, next milestones, issue links, and public evidence.
Stable IDsroadmapItemId, featureId, issue
CaveatRoadmap lane changes should come from merged issue work or explicit admin updates.
SourceJSON
/compare/source-data
Competitor records, official source URLs, retrieval dates, SEO targets, and caveats.
Stable IDscompetitorId, sourceId, seoTargetId
CaveatPricing, packaging, integrations, and feature availability require a fresh source refresh before citation.
SourceJSON
/admin/source-data
Public-safe admin roadmap, work-log, user-journey, and Mark-attention records.
Stable IDsworkLogEntryId, userJourneyId, markAttentionId, roadmapItemId
CaveatPrivate notes and owner-only decisions stay behind Better Auth or approved scripts.
SourceJSON
/commerce/source-data
Redacted commerce architecture, sandbox checkout offer, referral attribution evidence, review-only commission ledger evidence, owner review action boundaries, non-billing post-purchase decision evidence, payment tables, webhook rules, and billing write safety.
Stable IDsproductId, priceId, checkoutIntentId, referralClickId, referralAttributionId, commissionReviewActionId, reviewOnlyCommissionLedgerId, postPurchaseDecisionId, auditCorrelationId
CaveatLive payment capability, one-click post-purchase charging, fulfillment, and payable commission state are not enabled until separate rollout and webhook smoke evidence prove them.
SourceJSON
/agent-docs/source-data
Agent doc links, read contracts, evidence routes, MCP plan, and write-safety rules.
Stable IDsagentDocId, readContractId, mcpPlanId, evidenceRouteId
CaveatThe manifest is discovery metadata; it does not grant write permission.
SourceJSON
/content/source-data
Audience segments, resource hub records, pricing principles, planned pricing tracks, issue links, and agent boundaries.
Stable IDsaudienceSegmentId, resourceItemId, pricingPrincipleId, pricingTrackId
CaveatExperiment, Grow, Enterprise, and White glove setup are the current public pricing records; future limits, trials, and usage-meter rates still need current source evidence before being cited.
SourceJSON
/account/source-data
Paid publisher tenant setup, Bumpgrade subdomain reservation rules, custom-domain DNS onboarding, D1 table boundaries, cross-subdomain auth configuration, and the no-domain-purchase launch policy.
Stable IDspublisherTenantId, publisherSubdomainReservationId, publisherCustomDomainId, publisherPlanEntitlementId, issue
CaveatDefault Bumpgrade subdomain reservation and existing-domain DNS onboarding are live for paid accounts; Bumpgrade-hosted subdomains share the central identity session, custom domains use a Bumpgrade login handoff, and Bumpgrade does not sell or register domains today.
SourceJSON
/funnels/source-data
Seeded funnel, ordered steps, page blocks, reusable funnel templates including webinar/resource page shapes, block-template library records, owner-session template-to-draft capability, owner-session checkout-link capability, public funnel checkout-start capability, revision ID, preview route, source-data route, published D1 funnel summaries, owner-gated draft capability, D1 table names, and confirmed-write boundary.
Stable IDsfunnelId, funnelStepId, funnelBlockId, funnelTemplateId, funnelBlockTemplateId, funnelCheckoutLinkId, funnelWebinarResourceTemplateId, funnelRevisionId, funnelDraftId, funnelAuditEventId, checkoutIntentId, checkoutOfferStackId, offerId
CaveatThe public funnel contract exposes template and block-template records, webinar/resource page-shape records, owner-gated template-create, checkout-link, editable draft, publish capability metadata, and public sandbox checkout-start rendering metadata; it does not expose unpublished private draft copy, direct agent template creation, direct agent checkout linking, live billing, live webinar scheduling, private resource delivery, unpublishing, or unconfirmed agent edits.
SourceJSON
/offers/source-data
Seeded checkout offer stack, primary offer, selectable order bump, optional referral-click attribution evidence, upsell, downsell, non-billing post-purchase decision contract, aggregate decision counts, checkout route, revision ID, and confirmed-write boundary.
Stable IDscheckoutOfferStackId, offerId, orderBumpId, upsellId, downsellId, checkoutRevisionId, referralClickId, postPurchaseDecisionId
CaveatThe checkout-offer contract now includes a confirmed sandbox checkout start for the seeded primary offer plus constrained order bump, optional referral-click attribution evidence, and non-billing upsell/downsell decision evidence; it is not live billing, one-click upsell charging, fulfillment, commission writes, price mutation, or direct agent write capability.
SourceJSON
/products/source-data
Seeded product catalog, assets, access rules, entitlement templates, sandbox webhook grant mappings, aggregate owner-entitlement inspection counts, customer-safe lookup contract, private R2-backed fixture delivery contract, owner-confirmed private asset upload intent contract, owner-confirmed non-destructive revocation intent contract, protected content readiness, checkout-intent-scoped protected fixture delivery, redaction flags, preview route, revision ID, and confirmed-write boundary.
Stable IDsproductId, assetId, accessRuleId, entitlementTemplateId, productEntitlementInspectionId, customerProductEntitlementLookupId, productDownloadTokenId, productAssetUploadIntentId, productEntitlementRevocationIntentId, productProtectedContentId, productProtectedContentDeliveryId, fulfillmentId
CaveatThe product/access contract includes sandbox webhook-backed entitlement row grants, owner-only entitlement inspection, customer-safe checkout intent lookup, short-lived tokens that stream a seeded private R2 fixture, owner-confirmed private asset upload records, owner-confirmed non-destructive revocation intent records, protected content readiness, and checkout-intent-scoped seeded protected fixture delivery; it is not signed object URL access, customer delivery of arbitrary uploads, destructive revocation, subscription access mutation, or live fulfillment automation.
SourceJSON
/audience/source-data
Seeded audience automation workspace, opt-in form, consent-backed capture API, aggregate subscriber inspection counts, redaction flags, tags, segments, lead magnet, sequence, aggregate sequence delivery readiness, broadcast draft, broadcast readiness, dry-run schedule intent counts, broadcast preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness gates, provider-event readiness gates, provider rate-limit readiness gates, provider response readiness gates, send-payload readiness gates, Queue producer readiness gates, Queue consumer readiness gates, owner-confirmed import intent evidence, owner-confirmed import preflight evidence, aggregate export readiness evidence, and confirmed-write boundary.
Stable IDssubscriberSegmentId, subscriberId, subscriberInspectionId, optInFormId, leadMagnetId, emailSequenceId, sequenceEnrollmentPauseId, sequenceDeliveryReadinessId, automationRuleId, broadcastReadinessId, broadcastScheduleIntentId, broadcastPreviewSafetyId, broadcastQueueReadinessId, broadcastDeliveryBatchId, broadcastDeliveryQueueMessageId, broadcastDispatchPreflightId, broadcastDispatchAttemptId, broadcastSenderDomainReadinessId, broadcastProviderEventReadinessId, broadcastProviderRateLimitReadinessId, broadcastProviderResponseReadinessId, broadcastSendPayloadReadinessId, broadcastQueueProducerReadinessId, broadcastQueueConsumerReadinessId, audienceImportIntentId, audienceImportPreflightId, audienceExportReadinessId
CaveatThe audience automation contract includes consent-backed opt-in capture, aggregate owner-inspection evidence, unsubscribe/suppression evidence, unsubscribe-paused sequence enrollment aggregates, aggregate sequence delivery readiness from issue #351, private owner-note counts, broadcast readiness, dry-run schedule intent counts, preview/footer safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, owner-confirmed import intents, owner-confirmed import preflights, and aggregate export readiness evidence from issue #347; it is not contact import, raw import row storage, raw email storage, subscriber creation from imports, sequence scheduling, live email sending, private export, export file creation, export URL creation, private DNS/provider setup, provider webhook processing, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload body creation or reading, ack/retry/dead-letter row creation, recipient payload creation, raw payload body storage, provider response creation, provider message creation, personalized body generation, unsubscribe URL creation, body template exposure, or direct public agent subscriber write capability.
SourceJSON
/analytics/source-data
Seeded analytics event taxonomy, event capture API, browser-side page-view beacon boundary, dashboard-visible aggregate source attribution rows, fixed time-window metadata, aggregate event counts, aggregate variant event counts, aggregate source attribution counts, assignment API, aggregate assignment counts, aggregate funnel conversion reports, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox records, owner-confirmed dispatch preflight evidence, owner-reviewed provider/domain readiness evidence, metric formulas, experiment variants, assignment rule, owner-confirmed experiment decision evidence, and confirmed-write boundary.
Stable IDsanalyticsEventId, analyticsEventIngestionId, analyticsPageViewBeaconId, analyticsEventVariantAggregateId, analyticsEventSourceAggregateId, experimentAssignmentId, analyticsExperimentDecisionId, analyticsReportExportId, analyticsReportExportSectionId, analyticsCohortFixtureId, analyticsCohortComparisonId, analyticsCohortReviewId, analyticsCohortReviewStatus, analyticsAlertThresholdId, analyticsAnomalyReviewId, analyticsAnomalyReviewStatus, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsNotificationReadinessStatus, analyticsNotificationInboxRecordId, analyticsNotificationInboxStatus, analyticsNotificationDispatchPreflightId, analyticsNotificationDispatchPreflightStatus, analyticsFunnelConversionReportId, analyticsTimeWindow, utmSource, utmMedium, utmCampaign, referrerHost, metricId, experimentId, variantId, assignmentRuleId
CaveatThe analytics contract includes seeded event capture, browser-side page-view beacons with deterministic variant evidence and normalized source attribution, seeded assignment, dashboard-visible aggregate source rows, fixed-window aggregate counts, aggregate source counts, aggregate variant counts, aggregate conversion report rows, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox records, owner-confirmed dispatch preflight evidence, owner-reviewed provider/domain readiness evidence, and owner-confirmed experiment decision evidence; it is not cookie assignment, automated alert sends, owner email sends, provider sends, provider configuration, provider secrets, private DNS credentials, queue dispatch, customer alerts, traffic routing, contact-level analytics, raw event or assignment exposure, raw referrer/query exposure, raw analytics exports, automated winners, revenue claims, or statistically meaningful proof.
SourceJSON
/affiliates/source-data
Seeded affiliate program, partner records, referral links, public-safe partner reports, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, owner-reviewed notification provider readiness records, referral click capture API, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal actions, aggregate counts, attribution rules, commission rules, ledger fixtures, payout batch, review flags, and confirmed-write boundary.
Stable IDsaffiliateProgramId, affiliatePartnerId, affiliatePartnerReportId, payoutPreparationId, payoutPreparationRecordId, payoutPreparationRecordStatus, fraudReviewRecordId, fraudReviewRecordStatus, partnerNotificationReadinessRecordId, partnerNotificationReadinessRecordStatus, partnerNotificationSendPreflightRecordId, partnerNotificationSendPreflightRecordStatus, partnerNotificationProviderReadinessRecordId, partnerNotificationProviderReadinessRecordStatus, referralLinkId, referralClickId, checkoutIntentId, referralAttributionId, reviewOnlyCommissionLedgerId, commissionReviewActionId, commissionRuleId, commissionLedgerId, payoutBatchId
CaveatThe affiliate/referral contract includes seeded click capture, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal action boundaries, aggregate counts, public-safe partner reports, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, and owner-reviewed notification provider readiness records; it is not cookie assignment, buyer attribution finalization, payable commission state, fraud enforcement, private fraud signal exposure, tax collection, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, queue dispatch, private partner portal access, direct agent review automation, or Stripe payout capability.
SourceJSON
/mobile-admin/source-data
Mobile jobs-to-be-done, iOS and Android child issues, live dashboard source-data route, API dependencies, stack decision, and write boundaries.
Stable IDsmobileJobId, mobileApiDependencyId, platformIssue, mobileDashboardCardId
CaveatThe mobile contract and live public dashboard digest are live, but installable iOS and Android app claims require #67 and #68 smoke evidence.
SourceJSON
/mobile-admin/dashboard/source-data
Public-safe mobile dashboard digest with feature counts, roadmap counts, recent work-log metadata, attention counts, commerce table counts, agent-readiness counts, and platform source-data routes.
Stable IDsmobileDashboardCardId, featureId, roadmapItemId, workLogEntryId, markAttentionId, agentReadContractId
CaveatThe dashboard is a public-safe read contract, not private mobile auth, push notifications, confirmed writes, App Store distribution, or Play Store distribution.
SourceJSON
/mobile-admin/ios/source-data
iOS scaffold path, generated fixture, simulator target, validation command, smoke command, and screenshot evidence.
Stable IDsplatformIssue, fixturePath, simulatorBundleId
CaveatThe iOS simulator smoke target is not App Store distribution, push notification support, private mobile auth, or confirmed-write capability.
SourceJSON
/mobile-admin/android/source-data
Android scaffold path, generated fixture asset, native package, emulator target, validation command, smoke command, and screenshot evidence.
Stable IDsplatformIssue, fixturePath, nativePackage, defaultAvd
CaveatThe Android emulator smoke target is not Play Store distribution, push notification support, private mobile auth, or confirmed-write capability.
Baseline
The shared agent workflow is adapted from the project boilerplate.
AGENTS.md is adapted with Bumpgrade project constants, project stack, required product surfaces, and Bumpgrade Codex email identity.
docs/working-agreements.md carries the issue/branch/PR, screenshot, validation, work-log, and Mark-attention workflow.
docs/agent/* carries admin-surface, agent-ready, screenshot, work-log, and user-journey rules.
docs/keep-working/* carries the repo-tracked goal-runner and status-update skills.
public/llms.txt points agents to current Bumpgrade feature, roadmap, comparison, commerce, admin, and agent-doc routes.
Boundaries
Owner and write actions are explicit.
Admin auth
Human admin pages require Better Auth owner sessions. Public-safe source-data routes do not bypass that boundary.
Confirmed writes
Require confirmation, idempotency, stale-state checks, audit correlation, and redaction for public, destructive, billing-impacting, moderation, source-editing, publishing, or creator-speech writes.
No secrets
Keep secrets, raw provider IDs, private user data, private inbox bodies, and storage keys out of prompt-visible output.