Agent docs

Agents get public contracts, not hidden browser-only state.

Bumpgrade exposes feature, roadmap, comparison, commerce, admin, and agent manifest reads through stable source-data routes. Human admin pages remain owner-gated, and write actions require explicit confirmation.

Agent manifest

Status

34 public readsIssue #12 backs this agent surface with manifest data and source evidence.

Public reads

Agent-readable contracts available today

Docs index
PublicOpen

Feature catalog

Read feature status, Distinguish live from pending, Cite feature evidence

Source of truthsrc/lib/feature-catalog.ts
Write boundaryFeature status changes must land through GitHub issue/PR work and admin work-log updates.
PublicOpen

Public roadmap

Read public-safe roadmap state, Find blockers and next milestones, Cite issue evidence

Source of truthsrc/lib/roadmap.ts
Write boundaryRoadmap moves require an issue/PR or approved admin append path, not chat-only edits.
PublicOpen

Competitor comparisons and source evidence

Resolve competitor claims, Read retrieved dates, Cite official source URLs

Source of truthsrc/lib/comparison-data.ts
Write boundaryRefresh competitor claims from official sources before changing dated pricing, packaging, or feature claims.
PublicOpen

Competitor importers

Read supported importer platforms, Resolve importer routes from competitor IDs, Inspect input kinds, platform-specific source checklists, export match templates, preflight signal labels, redacted sourceChecklistReview maps, exportFileAnalysis fields, platformExportMatches, private importReview metadata persistence, private structured import-record contracts, safe extractedFields plans, subscriberImportDepth metadata, subscriberImportPreflight actions, subscriberImportCreation actions, subscriberAudiencePromotion actions, owner-only privateSubscriberRecords inspection rules, owner-only subscriberPrivateExport metadata, private record review routes, review-action routes, extracted-field edit actions, duplicate-review fields, rollback routes, and saved private plan parts, Identify verified-publisher private-draft, private record review, private record review-action, and rollback routes for supported importer platforms, Cite safety gates and unsupported fields before describing migration capability, Cite issue #467 for the active importer feature request

Source of truthsrc/lib/importers.ts
Write boundaryImporter source-data is read-only. Platform-specific source checklists and export match templates describe what a prospect can bring before private plan creation. Public preflight review routes return redacted import maps, sourceChecklistReview status, exportFileAnalysis structure, and platformExportMatches without persisting records or echoing pasted source material, raw rows, raw file text, export file names, customer rows, credentials, sessions, or payment data. Private-draft importer APIs require a verified publisher session, exact confirmation, idempotency, and redacted responses; new private drafts persist safe importReview metadata with export analysis, platform export matches, and recognized match IDs only, then create private importRecords, safe extractedFields target plans, and subscriberImportDepth metadata for audience records without public source-data exposing private record content, raw values, raw contact rows, emails, names, sequence enrollments, sends, or exports. Private record review routes require the same verified publisher owner and can show safe structure plus saved private importer subscriber contact records after confirmed creation; public source-data, public preview routes, unauthenticated responses, and public agent contracts expose counts and redaction rules only. Private record review-action routes can mark records ready or needing cleanup, edit extracted field labels/status/prompts, record subscriberImportPreflight readiness/cleanup metadata, create private importer subscriber records from a confirmed fresh upload, add those saved contacts to the audience review list as imported_pending_review rows, and prepare an owner-only private subscriber CSV with redacted JSON responses and idempotency/confirmation evidence. Subscriber import creation stores private email/name data only in owner-scoped importer subscriber records and returns counts only; subscriberAudiencePromotion writes audience_subscribers and non-sending tag assignments, but creates no consent events, sequence enrollments, private exports, sends, or go-live effects. SubscriberPrivateExport returns private emails only in the same-owner CSV download; public source-data, unauthenticated responses, and JSON API responses expose counts and redaction rules only. Source URL and export file name duplicate review can reuse a matching private import plan. Private rollback routes archive importer-created plans and preserve saved plan content, structured import records, steps, and audit history, while public publishing, live checkout, subscriber sends, domains, fulfillment, account transfer, payment credential migration, and customer passwords remain outside this contract.
PublicOpen

Commerce contract

Read redacted commerce architecture, Separate sandbox from live billing, Inspect referral attribution evidence, Inspect review-only commission ledger evidence, Inspect owner review action boundaries, Inspect non-billing post-purchase decision evidence, Inspect write safety rules

Source of truthsrc/lib/commerce.ts and src/lib/sandbox-checkout.ts
Write boundaryNon-billing post-purchase decisions can be recorded only for trusted checkout state; billing-impacting and payable commission writes require exact confirmation, idempotency, stale-state checks, audit correlation, owner review, and webhook evidence.
PublicOpen

Pricing policy and free-build gates

Read the free build-before-go-live policy from issue #466, Distinguish live signed-in private Free Build workspace creation from paid go-live actions, Confirm logged-out anonymous structured playground recovery, browser-recovery save limits, owner-gated and scheduled cleanup, additive claim-to-private-draft and private claim-record creation, and signed-in Free Build workspace creation are live, Cite paid go-live gates for publishing, checkout, subscriber sends, domains, and fulfillment

Source of truthsrc/lib/pricing-plans.ts
Write boundaryAgents may read the pricing policy only. Saving anonymous structured playground state is browser-scoped, rate-limited per browser recovery workspace, and redacted; owner cleanup and scheduled Cloudflare cleanup expire recovery without exposing private content; claim creates or reuses the verified account's Free Build workspace and adds a private launch draft plus private offer/product/audience/importer-review records without replacing existing work; creating signed-in Free Build workspaces uses authenticated account setup APIs; publishing, charging buyers, sending email, connecting domains, and fulfillment changes require paid-plan flows.
PublicOpen

Anonymous playground recovery

Read the browser-scoped playground contract, Distinguish anonymous save, signed-in claim, owner cleanup routes, and scheduled cleanup triggers, Confirm rapid save limits are scoped to the browser recovery workspace without raw IP or user-agent storage, Confirm claim creates private Free Build workspace, private funnel draft records, and private offer/product/audience/importer-review records, Confirm owner-gated and scheduled cleanup expire old anonymous recovery and clear anonymous draft fields without exposing cleanup actors, Confirm recovery cookie values and token hashes are not public source-data, Cite paid go-live gates before discussing publishing, checkout, sends, domains, or fulfillment

Source of truthsrc/lib/anonymous-playground.ts
Write boundaryAnonymous playground writes are limited to browser-scoped structured draft launch context, with rapid save limits per browser recovery workspace and no raw IP or user-agent storage. Cleanup requires an owner session and exact confirmation. Attaching a playground requires an authenticated, email-verified publisher account, reuses an existing private Free Build workspace when present, and adds only private funnel draft state and private claim records.
PublicOpen

Admin source-data bundle

Read public-safe work-log entries, Read user journeys, Read owner attention summaries

Source of truthD1 admin tables with fixture fallback in src/lib/admin-surface-data.ts
Write boundaryHuman admin pages require Better Auth; agent writes need approved scripts or future confirmed APIs.
PublicOpen

Project roadmap source data

Read owner-maintained roadmap records, Inspect status counts, Cite issue and PR evidence when present

Source of truthD1 admin roadmap rows with fixture fallback in src/lib/admin-surface-data.ts
Write boundaryRoadmap changes still require GitHub issue/PR work, admin scripts, or future confirmed-write APIs.
PublicOpen

Project work-log source data

Read public-safe work-log entries, Cite shipped PRs and validation evidence, Find recently changed product surfaces

Source of truthD1 admin work-log rows with fixture fallback in src/lib/admin-surface-data.ts
Write boundaryWork-log changes still require approved scripts or future confirmed-write APIs.
PublicOpen

User journey source data

Read named user journeys, Inspect owner/user goals, Cite edge cases and evidence links

Source of truthD1 admin user-journey rows with fixture fallback in src/lib/admin-surface-data.ts
Write boundaryUser-journey changes still require approved scripts or future confirmed-write APIs.
PublicOpen

Owner attention source data

Read public-safe owner-attention summaries, Separate blockers from FYI follow-ups, Cite related issues and PRs

Source of truthD1 owner-attention rows with fixture fallback in src/lib/admin-surface-data.ts
Write boundaryOwner-attention changes still require approved scripts, email follow-up, or future confirmed-write APIs.
PublicOpen

Director status dashboard

Read director-level workstream rollups instead of raw niche work-log noise, Inspect briefing controls for past-day, past-week, executive queue, and workstream-map views, Inspect past 1 day and past 7 days change windows, Read collapsed workstream brief signals for due, doing, next, changed-7-days, and watchlist summaries, Read named recent-change digests for each director window with workstream provenance, Read due-now, in-flight, pending-next, and watchlist executive queue lanes with workstream provenance, Distinguish shipped, in-flight, pending, blocked, at-risk, and owner-action items with evidence links

Source of truthsrc/lib/director-status.ts over D1 admin records from src/lib/admin-surface-data.ts
Write boundaryThis route is a read-only summary. Status changes still require updating roadmap, work-log, owner-attention, issue, PR, or future confirmed-write records.
PublicOpen

Agent manifest

Discover read contracts, Route to source-data APIs, Understand write boundaries

Source of truthsrc/lib/agent-manifest.ts
Write boundaryThis route is read-only until confirmed-write agent APIs exist.
PublicOpen

Content surfaces

Read use-case records, Resolve dedicated use-case routes, Read resource hub records, Read pricing caveats

Source of truthsrc/lib/content-surfaces.ts
Write boundaryContent changes must cite source-data routes, issues, or shipped evidence before public claims change.
PublicOpen

Customer proof and trust signals

Read the current customer-proof approval policy, Confirm whether public testimonials, logos, metrics, or case studies are approved, Avoid inventing customer proof when approved records are absent

Source of truthsrc/lib/customer-proof.ts
Write boundaryCustomer proof records require source evidence, owner approval, public consent, and a PR or issue before public rendering.
PublicOpen

Publisher account, subdomain, and custom-domain setup

Read signed-in Free Build workspace creation policy, Read paid-plan gate requirements, Read default Bumpgrade subdomain reservation policy, Read custom-domain DNS instruction and verification policy, Read cross-subdomain auth configuration and custom-domain login boundary, Distinguish Bumpgrade subdomains, existing custom domains, and the current no-domain-purchase policy

Source of truthsrc/lib/publisher-tenants.ts and D1 publisher tenant tables
Write boundaryFree Build workspace creation requires a signed-in, email-confirmed publisher with explicit confirmation, idempotency, audit correlation, and redacted outputs; subdomain reservation and custom-domain onboarding also require active paid-plan entitlement. Bumpgrade does not sell, register, renew, transfer, or price domains today.
PublicOpen

Funnel source data

Read seeded draft funnel, Inspect ordered steps, Inspect page blocks and write boundaries, Inspect reusable funnel templates and block-template write boundaries from issue #159, Discover owner-session template-to-draft creation from issue #161, Discover owner-session checkout-offer linking from issue #163, Discover public linked-checkout start rendering from issue #165, Discover aggregate owner-created product delivery-gate links from issue #409, Discover webinar and resource page-shape templates from issue #213, Discover owner-session private draft duplication from issue #215, Discover owner-session private draft archive/unpublish from issue #341, Discover owner-session archived-draft purge from issue #417, Discover owner-session bulk archived-draft purge from issue #417, Discover owner-session checkout unlinking from issue #417, Discover owner-session resource delivery linking from issue #417, Discover public funnel-scoped resource delivery tokens from issue #417, Discover owner-session agent-created resource delivery tokens from issue #417, Discover redacted resource-delivery receipt evidence from issue #417, Discover owner-session webinar event/replay linking from issue #417, Discover owner-session visual style controls for existing funnel blocks from issue #417, Discover owner-session bounded canvas layout controls for existing funnel blocks from issue #417, Discover owner-session block reordering from issue #417, Discover owner-session drag/drop block placement through existing move endpoints from issue #417, Discover owner-session cross-step block moves from issue #417, Discover owner-session direct agent-safe draft writes for block copy edits, visual style presets, bounded canvas layouts, reusable block add/remove, checkout linking/unlinking, resource-delivery linking, webinar-event linking, block movement, private duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge from issue #417, Discover owner-session granular draft block editing from issue #430, Discover owner-session draft block add/remove controls from issue #432, Discover owner-session editable draft, private preview, and exact-confirmed publish/archive/purge/checkout-unlink/resource-delivery-link/webinar-event-link capability from issues #91, #93, #95, #135, #163, #165, #213, #215, #341, #417, #430, and #432

Source of truthsrc/lib/funnels.ts
Write boundaryOwner-session seed/create/template-create/duplicate/update/reorder/block-edit/block-style/block-canvas-layout/block-add/block-remove/block-reorder/block-cross-step-move/checkout-link/checkout-unlink/resource-delivery-link/webinar-event-link/archive/purge/bulk-purge draft writes, including webinar/resource template-to-draft creation, granular block title/body editing with preserved block metadata, curated block visual style presets with preserved block metadata, bounded canvas layout values with preserved block metadata, block add/remove from the reusable block library with checkout-linked block protection, within-step block reordering that preserves checkout/resource/webinar metadata, drag/drop block placement that reuses the same move endpoint modes with fresh revisions, cross-step block moves that preserve block metadata while changing step membership, checkout unlinking with preserved block identity and copy, resource delivery linking to public-safe product/access catalog assets, webinar event/replay linking to public-safe external URLs, private draft preview, exact-confirmed public publishing, exact-confirmed archive/unpublish, exact-confirmed archived-draft purge, and exact-confirmed bulk archived-draft purge with per-draft tombstone evidence exist at /admin/funnels. The owner-session /api/agent/funnels/draft-writes JSON API now lets agents perform private block copy edits, curated visual style presets, bounded canvas layout writes, reusable block add/remove, checkout-offer linking, checkout unlinking, resource-delivery linking, webinar-event linking, within-step block reordering, cross-step block moves, private draft duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. The owner-session /api/agent/funnels/resource-delivery-tokens API can create a funnel-scoped resource delivery token for a published linked resource block after exact confirmation, idempotency, current published revision, checkout intent, entitlement, and audit correlation checks, with replays redacted because raw tokens are not stored. Successful redemption through the existing Bumpgrade download route records redacted resource-delivery receipt evidence with safe funnel, block, product, asset, and source metadata only. Agent style writes store only curated style IDs, canvas layout writes store only bounded x, y, width, height, and zIndex numbers, and both preserve block metadata. Direct agent block removal refuses checkout-linked blocks and keeps at least one block per step. Owner-confirmed direct agent publishing creates a public route mutation with archive-draft rollback and no billing mutation. Direct agent archived-draft purge and bulk archived-draft purge record tombstones before deleting already archived draft and step rows without deleting audit rows, product assets, R2 objects, buyer records, or billing state. Published linked checkout blocks can render the existing sandbox checkout start surface, published resource-linked blocks can render entitlement-safe resource access references and mint funnel-scoped private download tokens only when the submitted checkout intent and entitlement match the linked product and file asset, and published webinar-linked blocks can render external registration/replay references. Owner product delivery-gate writes are separate owner-authenticated product APIs that expose only aggregate funnel source-data. Direct agent template creation, unauthenticated public agent-created delivery tokens, non-archived purge, unauthenticated public agent publishing, live billing, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, and unbounded arbitrary CSS/script layout editing require future confirmed-write APIs.
PublicOpen

Checkout offer source data

Read seeded checkout offer stack, Inspect bump and upsell sequence, Inspect confirmed sandbox checkout start boundaries, Inspect optional referral-click attribution evidence, Inspect aggregate non-billing post-purchase decision counts, Inspect aggregate owner-created product delivery-gate counts for the seeded offer/funnel path

Source of truthsrc/lib/checkout-offers.ts
Write boundaryA confirmed sandbox checkout start can include the seeded primary offer, constrained order bump, and optional referral-click attribution evidence; trusted checkout state can record non-billing upsell/downsell follow-up decisions; owner product delivery-gate links can connect test checkout links to the seeded offer/funnel path behind owner auth; live billing, price mutation, fulfillment, commission writes, direct agent writes, and post-purchase charges require future confirmed-write APIs.
PublicOpen

Product access source data

Read seeded product catalog, Inspect access rules, Inspect sandbox entitlement grant mappings, Inspect aggregate owner-entitlement counts and redaction flags, Inspect aggregate owner-created product, test checkout, delivery-gate, and test access-grant counts, Discover the customer-safe checkout intent entitlement lookup contract, Discover short-lived private R2-backed download-token boundaries, Discover owner-confirmed private asset upload-intent boundaries, Inspect owner-confirmed non-destructive revocation intent records, Inspect protected content readiness and the checkout-intent-scoped protected fixture delivery boundary, Inspect subscription-backed membership access state from trusted Stripe Billing webhook evidence, Inspect seeded product payment-plan read records without live amount, Stripe Price, or customer data exposure, Inspect entitlement and fulfillment boundaries

Source of truthsrc/lib/product-access.ts + src/lib/product-creation.ts + src/lib/product-delivery-gates.ts + src/lib/product-offer-access.ts + src/lib/product-entitlement-inspection.ts + src/lib/customer-product-entitlements.ts + src/lib/product-download-tokens.ts + src/lib/product-asset-uploads.ts + src/lib/product-protected-content.ts
Write boundaryTrusted paid sandbox webhooks can grant idempotent entitlement rows for seeded checkout line items; trusted Stripe Billing subscription webhooks can sync checkout-linked membership access while state is active or trialing and pause it when subscription state is canceled, unpaid, incomplete_expired, or deleted; public source-data exposes seeded pay-in-full, installment, and subscription payment-plan read records without live amounts or provider IDs; verified owners can create draft products, create owner-created product test checkout links, link those links to seeded offer/funnel delivery gates, create owner-created product test offer/access grants, inspect private entitlement rows, owner-confirmed non-destructive revocation intents, and protected content readiness in /admin/products; customers can inspect checkout-intent-scoped entitlement status, create short-lived download tokens that stream a seeded private R2 fixture without buyer or provider identifiers, and read seeded protected course/member fixture bodies only after active-entitlement and trusted-checkout checks; verified owners can create small private asset upload records after exact confirmation, idempotency, and catalog revision checks, and record non-destructive revocation intents after exact confirmation, idempotency, and stale entitlement status checks; Stripe Price creation, live payment-plan checkout, customer delivery of arbitrary uploads, signed object URLs, destructive revocation, live offer/funnel publishing, live fulfillment automation, Customer Portal actions, and private content writes require future authenticated confirmed-write APIs.
PublicOpen

Customer product entitlement lookup

Inspect customer-safe product access for a known checkout intent, Confirm entitlement and fulfillment state without private buyer data, Confirm raw Stripe IDs, event IDs, metadata JSON, R2 keys, and signed URLs are excluded

Source of truthsrc/lib/customer-product-entitlements.ts
Write boundaryThis is a read-only checkout-intent-scoped lookup; signed downloads, protected lessons, buyer identity, entitlement mutation, destructive revocation, and live fulfillment require future authenticated confirmed-write APIs.
PublicOpen

Subscription membership access state

Inspect the seeded monthly membership price and access-rule mapping, Confirm active/trialing Stripe Billing subscription state can activate checkout-linked membership access, Confirm canceled, unpaid, incomplete_expired, or deleted subscription state pauses membership access, Confirm buyer identity, raw subscription/customer IDs, webhook IDs, metadata JSON, member posts, private files, Customer Portal URLs, and progress rows are excluded

Source of truthsrc/lib/product-entitlements.ts + D1 billing_subscriptions and product_entitlements
Write boundaryThis is read-only subscription-backed membership access evidence. It does not create or mutate Stripe subscriptions, open Customer Portal sessions, expose raw Stripe IDs, deliver member posts/files, change pricing, or perform direct agent billing writes.
PublicOpen

Private R2 product download token

Create a short-lived download token for an active checkout-linked file entitlement, Confirm private R2-backed fixture delivery does not expose private R2 keys or signed object URLs, Inspect token expiry, one-use replay rejection, entitlement scope, and current checkout-state revalidation

Source of truthsrc/lib/product-download-tokens.ts
Write boundaryThis creates a short-lived token and streams a seeded private R2-backed fixture through Bumpgrade after revalidating current entitlement status, checkout intent linkage, trusted checkout state, and asset scope; protected content, arbitrary asset uploads, destructive revocation, subscription access, and live fulfillment automation require future authenticated confirmed-write APIs.
PublicOpen

Published funnel resource delivery token

Create a short-lived Bumpgrade download token for a published D1 funnel resource block only when the checkout intent and entitlement match the linked product and file asset, Discover the owner-session agent route for the same scoped token when a verified owner wants agent-created delivery after exact confirmation and published-revision checks, Confirm private R2-backed delivery stays behind Bumpgrade download routes without exposing R2 keys, signed object URLs, buyer data, or raw entitlement rows, Read redacted receipt evidence after successful private download redemption without raw buyer, checkout, entitlement, token, R2, or signed URL data, Distinguish funnel-scoped token minting from arbitrary uploaded asset delivery, live fulfillment automation, live billing, provider-hosted media, or unauthenticated agent writes

Source of truthsrc/lib/funnel-resource-delivery.ts + src/lib/product-download-tokens.ts
Write boundaryThis public API can mint a one-use Bumpgrade download route for a published D1 funnel resource/delivery block after checkout intent, entitlement, product, and file asset scope are revalidated. The owner-session agent route can create the same scoped token after exact confirmation, idempotency, audit correlation, and current published-revision checks. Successful download redemption records redacted receipt evidence with safe funnel, block, product, asset, and source metadata only. Neither route exposes private R2 keys, signed URLs, buyer data, raw funnel rows, raw entitlement rows, raw tokens, arbitrary uploaded assets, live fulfillment mutation, or unauthenticated public agent writes.
PublicOpen

Protected product content delivery fixture

Read a seeded protected course/member fixture only with a known checkout intent and matching active entitlement, Confirm protected fixture delivery rechecks product/template scope and current paid/completed checkout state, Confirm buyer identity, raw Stripe IDs, webhook IDs, metadata JSON, R2 keys, signed URLs, arbitrary uploaded content, and progress rows are excluded

Source of truthsrc/lib/product-protected-content.ts
Write boundaryThis route returns seeded protected fixture bodies for eligible checkout-linked entitlements only. It is not direct public agent write access, arbitrary private upload delivery, signed object URL access, progress tracking, subscription mutation, destructive revocation, or live fulfillment automation.
PublicOpen

Owner product public test checkout

Inspect the public test checkout confirmation contract, Create synthetic paid test checkout/access evidence only through a known test checkout link, Use exact confirmation, idempotency, and current link revision checks before creating test access evidence, Confirm responses and source-data omit buyer email, buyer hashes, raw Stripe IDs, and idempotency keys

Source of truthD1 tables product_test_checkout_purchases, product_test_checkout_links, checkout_intents, product_entitlements, product_fulfillment_tasks, commerce_products, commerce_prices, and payment_audit_events
Write boundaryThis public test-link API creates a synthetic paid checkout intent, entitlement row, fulfillment task evidence, and audit evidence after exact confirmation, idempotency, and a current link revision check. It does not create Stripe Checkout Sessions, live charges, live offer/funnel publishing, arbitrary fulfillment delivery, raw buyer exposure, or unconfirmed agent writes.
PublicOpen

Audience automation source data

Read seeded opt-in form, Inspect tags and segments, Inspect consent-backed capture boundary, Inspect aggregate unsubscribe-paused sequence enrollment evidence without contact identity, Inspect aggregate sequence delivery readiness without body templates, unsubscribe URLs, recipient payloads, queue payloads, provider sends, or provider message IDs, Inspect public-safe dry-run sequence schedule intent counts without actor email, recipient payloads, personalized bodies, unsubscribe URLs, queue payloads, provider sends, or provider message IDs, Inspect public-safe dry-run sequence delivery-batch, queue-message, dispatch preflight, and dispatch-attempt counts without actor email, delivery queue payloads, queue payload bodies, recipient payloads, personalized bodies, unsubscribe URLs, provider sends, provider responses, or provider message IDs, Inspect public-safe sequence Queue producer readiness without enabling Queue producers, Queue messages, queue payload bodies, recipient payloads, provider sends, provider responses, or provider message IDs, Inspect public-safe sequence Queue consumer readiness without enabling Queue consumers, consuming or acking Queue messages, creating retry/dead-letter rows, reading queue payload bodies, recipient payloads, provider sends, provider responses, or provider message IDs, Inspect public-safe sequence provider-call readiness without making provider calls, sending messages, creating delivery attempts, delivery results, webhooks, receipts, provider responses, or provider message IDs, Inspect public-safe sequence delivery-attempt readiness without creating delivery attempts, delivery results, webhooks, receipts, provider responses, provider message IDs, recipient payloads, personalized bodies, or unsubscribe URLs, Inspect public-safe sequence delivery-result readiness without creating delivery results, webhooks, receipts, provider responses, provider message IDs, delivery attempts, recipient payloads, personalized bodies, or unsubscribe URLs, Inspect public-safe sequence delivery-status webhook readiness without processing status webhooks, reading webhook payloads, polling providers, creating receipts, provider responses, provider message IDs, delivery attempts, delivery results, recipient payloads, personalized bodies, or unsubscribe URLs, Inspect public-safe sequence provider-polling readiness without polling providers, reading polling payloads, creating polling results, receipt payloads, receipts, provider responses, provider message IDs, delivery attempts, delivery results, recipient payloads, personalized bodies, or unsubscribe URLs, Inspect public-safe sequence receipt-payload readiness without polling providers, reading webhook or polling payloads, creating polling results, receipt payloads, delivery receipts, provider responses, provider message IDs, delivery attempts, delivery results, recipient payloads, personalized bodies, or unsubscribe URLs, Inspect aggregate owner-subscriber, suppression, and timeline counts with redaction flags, Inspect suppression-aware broadcast readiness without recipient exposure, Inspect public-safe dry-run broadcast schedule intent counts without actor email or recipient payloads, Inspect broadcast preview and unsubscribe-footer safety without personalized body or recipient exposure, Inspect delivery queue readiness without recipient payloads, queue rows, or provider sends, Inspect delivery-batch dry runs without recipient payloads, queue messages, or provider sends, Inspect delivery queue message dry runs without Cloudflare Queue dispatch, recipient payloads, or provider sends, Inspect dispatch preflight dry runs without Cloudflare Queue dispatch, recipient payloads, or provider sends, Inspect dispatch attempt receipts without Cloudflare Queue producers, queue payload bodies, provider responses, or provider sends, Inspect owner-only broadcast and sequence test-send evidence without raw recipient email, subscriber payloads, Queue messages, public agent sends, or provider message IDs, Inspect sender-domain readiness without private DNS credentials, raw DNS records, provider secrets, or provider sends, Inspect provider-event readiness without provider secrets, raw provider payloads, provider responses, or provider message IDs, Inspect provider rate-limit readiness without provider secrets, provider limit secrets, raw provider payloads, provider responses, or provider message IDs, Inspect provider response readiness without provider secrets, raw response bodies, provider responses, or provider message IDs, Inspect send-payload readiness without recipient payloads, personalized bodies, raw payload bodies, queue producers, or provider sends, Inspect Queue producer readiness without Queue messages, queue payload bodies, recipient payloads, or provider sends, Inspect Queue consumer readiness without Queue message consumption, acks, retry/dead-letter rows, queue payload body reads, recipient payloads, or provider sends, Inspect owner-confirmed import intents without raw contact rows, raw emails, actor emails, private notes, sequence enrollments, or sends, Inspect owner-confirmed import preflights without raw contact rows, raw emails, subscriber writes, exports, actor emails, private notes, sequence enrollments, or sends, Inspect aggregate audience export readiness without raw emails, subscriber IDs, export files, or export URLs, Inspect the public-safe unsubscribe/suppression write boundary, Inspect the owner-only CRM timeline note boundary, Inspect sequence and automation boundaries

Source of truthsrc/lib/audience-automation.ts + src/lib/audience-subscribers.ts + src/lib/audience-broadcasts.ts + src/lib/audience-imports.ts + src/lib/audience-exports.ts + src/lib/audience-sequence-readiness.ts + src/lib/audience-sequence-dispatch-preflights.ts + src/lib/audience-sequence-dispatch-attempts.ts + src/lib/audience-sequence-queue-producer-readiness.ts + src/lib/audience-sequence-queue-consumer-readiness.ts + src/lib/audience-sequence-provider-call-readiness.ts + src/lib/audience-sequence-delivery-attempt-readiness.ts + src/lib/audience-sequence-delivery-result-readiness.ts + src/lib/audience-sequence-delivery-status-webhook-readiness.ts + src/lib/audience-sequence-provider-polling-readiness.ts + src/lib/audience-sequence-receipt-payload-readiness.ts
Write boundaryPublic visitors can submit the seeded opt-in form with explicit consent and can record unsubscribe/suppression evidence without exposing list membership; known subscriber unsubscribe also pauses draft sequence enrollment state while public responses stay membership-safe. Verified owners can inspect private subscriber rows, create private CRM notes, view aggregate sequence delivery readiness, sequence schedule-intent dry runs, sequence delivery-batch dry runs, sequence queue-message dry runs, sequence dispatch preflight dry runs, sequence dispatch attempt receipts, sequence Queue producer readiness, sequence Queue consumer readiness, sequence provider-call readiness, sequence delivery-attempt readiness, sequence delivery-result readiness, sequence delivery-status webhook readiness, owner-only sequence test sends, broadcast readiness, preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, owner-only broadcast test sends, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, redacted import intents, redacted import preflights, and aggregate export readiness, and record dry-run sequence schedule intents, sequence delivery batches, sequence queue-message evidence, sequence dispatch preflight evidence, sequence dispatch attempt receipts, sequence Queue producer readiness gates, sequence Queue consumer readiness gates, sequence provider-call readiness gates, sequence delivery-attempt readiness gates, sequence delivery-result readiness gates, sequence delivery-status webhook readiness gates, owner-only sequence test sends, broadcast schedule intents, delivery batches, queue-message evidence, dispatch preflight evidence, dispatch attempt receipts, owner-only broadcast test sends, non-destructive import intents, and aggregate import preflights in /admin/audience; real contact imports, subscriber email delivery, real sequence scheduling, broadcast blasts, private exports, export file creation, direct agent subscriber writes, private DNS/provider setup, provider webhooks, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider calls, delivery attempts, provider responses, provider message IDs, delivery results, webhooks, polling, and receipts require future confirmed-write APIs.
PublicOpen

Audience unsubscribe suppression

Inspect the unsubscribe/suppression confirmation contract, Record a public-safe unsubscribe preference only for the submitted email, Confirm responses do not reveal whether the email was already subscribed, Confirm sequence enrollment pause state is exposed only through aggregate source-data or owner views, Use idempotency before replaying a preference write

Source of truthD1 table audience_suppression_entries, subscriber status in audience_subscribers, and paused rows in audience_sequence_enrollments
Write boundaryThis public API records hashed unsubscribe/suppression evidence, marks known subscribers unsubscribed, and pauses known draft sequence enrollments without revealing list membership. It does not send email, export subscribers, expose suppression hashes or reasons publicly, include sequence state in public responses, or authorize direct agent subscriber management.
PublicOpen

Analytics and experiments source data

Read seeded event taxonomy, Inspect aggregate event counts, Inspect aggregate variant event counts, Inspect aggregate source attribution counts, Inspect aggregate assignment counts, Inspect aggregate funnel conversion report rows, Inspect aggregate report export sections without raw analytics downloads, Inspect fixture cohort comparison definitions with sample-size caveats, Inspect owner-reviewed cohort comparison evidence without winner or revenue claims, Inspect owner-reviewed alert threshold and anomaly-review evidence without automated alerts or traffic routing, Inspect owner-reviewed notification delivery readiness without sending alerts or writing inbox rows, Inspect owner-confirmed notification inbox records without recipients, email bodies, queue dispatch, or email sends, Inspect owner-confirmed notification dispatch preflights without recipients, email bodies, provider message IDs, queue payloads, queue dispatch, or email sends, Inspect owner-reviewed notification provider/domain readiness without provider configuration, provider secrets, sender credentials, private DNS credentials, provider sends, or verified-domain claims, Inspect owner-reviewed notification content/consent readiness without body templates, unsubscribe URLs, recipients, email bodies, provider message IDs, queue payloads, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification send-payload readiness without recipient payloads, personalized bodies, raw payload bodies, queue messages, provider responses, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification queue-producer readiness without Queue producer execution, queue messages, queue payload bodies, provider responses, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification queue-consumer readiness without Queue consumer execution, message consumption, message acknowledgement, retry/dead-letter rows, queue payload body reads, provider responses, provider sends, queue dispatch, or email sends, Inspect owner-reviewed notification provider-call readiness without provider sends, provider calls, provider responses, provider configuration, provider secrets, sender credentials, private DNS credentials, Queue consumer execution, queue payload body reads, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-attempt readiness without provider sends, delivery attempts, provider responses, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-result readiness without delivery results, delivery receipts, status webhooks, provider polling, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-status-webhook readiness without delivery status webhooks, delivery receipts, receipt payloads, status webhook payloads, provider polling, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification provider-polling readiness without provider polling execution, delivery receipts, receipt payloads, status webhook payloads, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification receipt-payload readiness without receipt payload capture, delivery receipts, status webhook payloads, provider polling execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification delivery-receipt readiness without delivery receipt creation, receipt payload capture, status webhook payloads, provider polling execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect owner-reviewed notification provider-status reconciliation readiness without provider polling execution, delivery receipt processing, receipt payload ingestion, provider status reconciliation execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends, Inspect dashboard-visible source attribution rows, Inspect fixed time-window metadata and aggregate source/conversion rows, Inspect metric formulas, Inspect seeded event capture boundary, Inspect browser-side page-view beacon boundary, Inspect seeded experiment assignment boundary, Inspect public-safe custom routing rules, seeded sandbox funnel copy routing, and baseline holdout metadata, Inspect owner-confirmed winner rollout and rollback evidence without raw event rows or raw assignment rows, Inspect experiment assignment boundaries, Inspect owner-confirmed experiment decision evidence without raw event rows or raw assignment rows

Source of truthsrc/lib/analytics-experiments.ts + src/lib/analytics-conversion-report.ts + src/lib/analytics-experiment-winner-rollouts.ts
Write boundarySeeded analytics events, browser-side seeded funnel page-view beacons with deterministic variant evidence and normalized source attribution, seeded experiment assignments, public-safe custom source/campaign routing rules, seeded sandbox funnel copy routing with a baseline holdout, owner-confirmed winner rollout and rollback routing from issue #422, owner-confirmed notification inbox records from issue #271, owner-confirmed notification dispatch preflights from issue #284, owner-reviewed provider/domain readiness records from issue #286, owner-reviewed content/consent readiness records from issue #288, owner-reviewed send-payload readiness records from issue #290, owner-reviewed queue-producer readiness records from issue #292, owner-reviewed queue-consumer readiness records from issue #294, owner-reviewed provider-call readiness records from issue #297, owner-reviewed delivery-attempt readiness records from issue #299, owner-reviewed delivery-result readiness records from issue #301, owner-reviewed delivery-status-webhook readiness records from issue #303, owner-reviewed provider-polling readiness records from issue #305, owner-reviewed receipt-payload readiness records from issue #307, owner-reviewed delivery-receipt readiness records from issue #309, owner-reviewed provider-status reconciliation readiness records from issue #311, and owner-confirmed experiment decision evidence can be captured with idempotency, source-route validation, aggregate count checks, and bot/preview suppression; fixed-window aggregate funnel conversion reports, dashboard-visible aggregate source counts, aggregate variant counts, aggregate report export metadata, owner-reviewed cohort comparison evidence from issue #265, owner-reviewed alert threshold/anomaly-review evidence from issue #267, owner-reviewed notification delivery readiness evidence from issue #269, redacted decision counts, and redacted winner rollout counts can be read from captured test events. Cookie assignment, contact analytics, raw campaign/referrer reporting, raw routing URL storage, raw analytics exports, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, provider polling, provider status reconciliation, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, Queue producer execution, Queue consumer execution, queue messages, queue message consumption, queue acknowledgements, retry/dead-letter rows, queue payload body reads, queue payload bodies, recipient payloads, personalized bodies, raw payload bodies, body templates, unsubscribe URLs, customer alerts, custom events beyond the seeded boundary, raw/private exports, and direct public agent decision writes require future confirmed-write APIs.
PublicOpen

Affiliate and referral source data

Read seeded affiliate program, Inspect referral links and attribution rules, Inspect aggregate referral click counts, Inspect aggregate checkout attribution counts, Inspect aggregate review-only commission ledger counts, Inspect aggregate owner review and reversal action counts, Inspect public-safe partner performance reports, Inspect public-safe partner portal status pages without private partner auth, buyer data, payout accounts, tax forms, Stripe payout IDs, provider secrets, message bodies, queue rows, raw rows, or direct public agent writes, Inspect public-safe partner statement snapshots without payable statements, buyer data, payout accounts, tax forms, Stripe payout IDs, provider secrets, message bodies, queue rows, raw rows, or direct public agent writes, Inspect read-only payout preparation checklists, Inspect owner-confirmed payout preparation records without payout accounts, tax data, Stripe payout IDs, partner notification bodies, buyer data, raw ledger rows, or raw actor fields, Inspect owner-reviewed fraud review records without private fraud signals, buyer data, raw ledger/click/checkout rows, actor identity, payout accounts, tax data, Stripe payout IDs, or partner notification bodies, Inspect owner-confirmed fraud enforcement records without private fraud signals, buyer data, raw ledger/click/checkout rows, actor identity, payout accounts, tax data, Stripe payout IDs, payable commission state, or partner notification bodies, Inspect owner-reviewed partner notification readiness records without recipient emails, message bodies, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, or partner sends, Inspect owner-reviewed partner notification send preflight records without recipient emails, message bodies, send payloads, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, provider-send enablement, or partner sends, Inspect owner-reviewed notification provider readiness records without provider configuration, provider secrets, sender credentials, recipient emails, message bodies, send payloads, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, provider-send enablement, or partner sends, Inspect commission and payout review boundaries

Source of truthsrc/lib/affiliate-referrals.ts
Write boundarySeeded referral clicks can be captured with idempotency and destination-route validation, eligible clicks can be attached to sandbox checkout intents as evidence, trusted checkout attribution can create review-only commission ledger evidence, owner sessions can review, hold, or reverse that evidence, public-safe partner reports and partner portal status pages can be read, read-only payout preparation can be inspected, and owner sessions can record payout preparation, fraud review, fraud enforcement, partner notification readiness, partner notification send preflight, and notification provider readiness evidence; cookie assignment, buyer attribution finalization, payable commission writes, direct agent review writes, payout actions, tax collection, authenticated private partner portals, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, and queue dispatch require future confirmed-write APIs.
PublicOpen

Mobile admin contract

Read iOS and Android scope, Find API dependencies, Understand mobile owner-session requirements, Understand the owner-gated read-only mobile private-row boundary, Understand the low-risk owner-confirmed mobile private-row action boundary, Understand the owner-confirmed Director workstream review boundary, Understand the owner-confirmed commerce health review boundary, Understand the owner-gated audit-only mobile action intent boundary, Understand the Director workstream digest exposed to mobile clients, Understand push-notification provider requirements and disabled send status, Understand store-distribution requirements separately from simulator/emulator proof, Understand mobile confirmed-action write boundaries

Source of truthsrc/lib/mobile-admin.ts
Write boundaryMobile apps can inspect owner-gated private rows through /api/mobile-admin/private-rows, mark private rows read/deferred through /api/mobile-admin/private-rows/actions, record owner-confirmed Director workstream review state through /api/mobile-admin/director-reviews, record owner-confirmed commerce-health review state through /api/mobile-admin/commerce-reviews, and record owner-gated audit-only action intents through /api/mobile-admin/actions. Push sends, provider calls, device-token registration, installable distribution, physical-device proof, and high-risk billing/publishing production writes remain disabled until future domain-specific confirmed-write APIs and platform evidence exist; issue #414 exposes the shared owner-session, private-row, private-row action, Director review, commerce review, action-intent, push-readiness, distribution-readiness, and confirmed-action contract.
PublicOpen

Live mobile admin dashboard source data

Read one public-safe mobile dashboard digest, Inspect live Director workstream, feature, roadmap, admin, commerce, and agent-readiness counts, Inspect redacted Director brief signals and 1-day/7-day change windows without raw attention or work-log bodies, Inspect public-safe private-row counts and labels without owner-only notes or payloads, Inspect redacted private-row workflow action counts without actor, note, idempotency, or stale-token details, Inspect redacted Director review counts without actor, note, idempotency, or stale-token details, Inspect redacted commerce review counts without actor, note, idempotency, or stale-token details, Inspect public-safe push-readiness and distribution-readiness blockers, Find iOS and Android source-data routes without scraping private admin pages

Source of truthsrc/lib/mobile-admin-dashboard.ts
Write boundaryPublic-safe digest; issue #414 exposes owner-session, private-row, private-row action, Director review, commerce review, action-intent, push-readiness, distribution-readiness, and confirmed-action requirements, but push notifications, physical-device proof, App Store/Play Store distribution, and high-risk billing/publishing confirmed mobile writes require future authenticated APIs and platform evidence.
PublicOpen

iOS mobile admin source data

Read iOS app-foundation status, Find simulator smoke command, Find screenshot evidence

Source of truthsrc/lib/mobile-admin-ios.ts and apps/mobile-admin
Write boundaryThe iOS slice is read-only until the shared confirmed-write API and mobile auth boundary exist.
PublicOpen

Android mobile admin source data

Read Android app-foundation status, Find emulator smoke command, Find screenshot evidence

Source of truthsrc/lib/mobile-admin-android.ts and apps/mobile-admin
Write boundaryThe Android slice is read-only until the shared confirmed-write API and mobile auth boundary exist.

Evidence

Claim resolution starts from stable IDs.

Source evidence
SourceJSON

/features/source-data

Bumpgrade feature status, audience, expected capabilities, issue ownership, and agent contract notes.

Stable IDsfeatureId, issue
CaveatFeature records must not be described as live unless status is live and issue/PR evidence supports it.
SourceJSON

/roadmap/source-data

Public roadmap item status, blocker notes, next milestones, issue links, and public evidence.

Stable IDsroadmapItemId, featureId, issue
CaveatRoadmap lane changes should come from merged issue work or explicit admin updates.
SourceJSON

/compare/source-data

Competitor records, official source URLs, retrieval dates, SEO targets, and caveats.

Stable IDscompetitorId, sourceId, seoTargetId
CaveatPricing, packaging, integrations, and feature availability require a fresh source refresh before citation.
SourceJSON

/agent-docs/project-source-data

Public-safe admin roadmap, work-log, user-journey, and owner-attention records.

Stable IDsworkLogEntryId, userJourneyId, markAttentionId, roadmapItemId
CaveatPrivate notes and owner-only decisions stay behind Better Auth or approved scripts.
SourceJSON

/agent-docs/director-status-source-data

Director workstream rollups, briefing controls, executive queue lanes, and recent-change digests.

Stable IDsdirectorWorkstreamId, directorWindowId, directorQueueLaneId, directorBriefingControlId
CaveatDirector rollups are summaries of public-safe admin records; raw private rows stay behind owner auth.
SourceJSON

/agent-docs/project-roadmap-source-data

Owner-maintained roadmap records, status counts, issue links, PR links, and evidence links.

Stable IDsroadmapItemId, featureId, issue
CaveatRoadmap status changes should come from merged issue work or explicit admin updates.
SourceJSON

/agent-docs/project-work-log-source-data

Public-safe work-log entries for substantive agent work, shipped features, validations, and surface updates.

Stable IDsworkLogEntryId, roadmapItemId, featureId
CaveatWork-log entries are audit evidence, not proof that a feature is live without issue, PR, and deploy context.
SourceJSON

/agent-docs/user-journey-source-data

Named user journeys, owner/user goals, expected paths, edge cases, and evidence links.

Stable IDsuserJourneyId, featureId, roadmapItemId
CaveatJourneys describe intended product paths and should be checked against live route evidence before public claims.
SourceJSON

/agent-docs/owner-attention-source-data

Public-safe owner-attention summaries, blocker flags, due timing, and related issue or PR links.

Stable IDsmarkAttentionId, roadmapItemId, featureId
CaveatOwner-attention summaries are coordination state and must not expose raw private notes or inbox bodies.
SourceJSON

/commerce/source-data

Redacted commerce architecture, sandbox checkout offer, referral attribution evidence, review-only commission ledger evidence, owner review action boundaries, non-billing post-purchase decision evidence, payment tables, webhook rules, and billing write safety.

Stable IDsproductId, priceId, checkoutIntentId, referralClickId, referralAttributionId, commissionReviewActionId, reviewOnlyCommissionLedgerId, postPurchaseDecisionId, auditCorrelationId
CaveatLive payment capability, one-click post-purchase charging, fulfillment, and payable commission state are not enabled until separate rollout and webhook smoke evidence prove them.
SourceJSON

/pricing/source-data

Bumpgrade account-plan pricing, logged-out anonymous playground status, signed-in Free Build workspace status, paid go-live gates, setup add-on, and redaction policy.

Stable IDsfree-build-before-go-live, freeBuildCapabilityId, paidGoLiveGateId, pricingPlanSlug
CaveatAnonymous playground persistence, browser-recovery save limits, owner-gated and scheduled cleanup controls, additive claim-to-private-draft and private claim-record creation, and signed-in Free Build workspace creation are live; paid go-live actions still require entitlement and confirmation.
SourceJSON

/playground/source-data

Browser-scoped logged-out structured playground recovery, save route, save-limit policy, claim route, additive claim merge policy, owner-gated cleanup route, scheduled cleanup trigger, private draft creation, private claim-record creation, cookie and retention boundaries, redaction policy, and paid go-live gates.

Stable IDsanonymousPlaygroundId, anonymousPlaygroundRoute, anonymousPlaygroundGateId
CaveatThe playground saves structured launch context before signup, limits rapid repeat saves per browser recovery workspace without raw IP or user-agent storage, can expire old anonymous recovery through owner or scheduled cleanup, and can create a private launch draft plus private offer/product/audience/importer-review records after verified-account claim; it is not public publishing, live checkout, subscriber sends, domain reservation, fulfillment, or product access.
SourceJSON

/agent-docs/source-data

Agent doc links, read contracts, evidence routes, MCP plan, and write-safety rules.

Stable IDsagentDocId, readContractId, mcpPlanId, evidenceRouteId
CaveatThe manifest is discovery metadata; it does not grant write permission.
SourceJSON

/content/source-data

Audience segments, resource hub records, pricing principles, planned pricing tracks, issue links, and agent boundaries.

Stable IDsaudienceSegmentId, resourceItemId, pricingPrincipleId, pricingTrackId
CaveatExperiment, Grow, Enterprise, and White glove setup are the current public pricing records; future limits, trials, and usage-meter rates still need current source evidence before being cited.
SourceJSON

/trust/source-data

Customer-proof approval policy, approved record counts, public redaction boundary, and the current absence or presence of approved testimonials, logos, metrics, case studies, and endorsements.

Stable IDscustomer-proof-approval-policy, customerProofRecordId, customerProofSourceId
CaveatAgents must not invent customer names, logos, testimonials, revenue, conversion metrics, endorsements, or case studies. Only approved customer-proof records in this route may be cited as customer proof.
SourceJSON

/account/source-data

Paid publisher tenant setup, Bumpgrade subdomain reservation rules, custom-domain DNS onboarding, D1 table boundaries, cross-subdomain auth configuration, and the no-domain-purchase launch policy.

Stable IDspublisherTenantId, publisherSubdomainReservationId, publisherCustomDomainId, publisherPlanEntitlementId, issue
CaveatDefault Bumpgrade subdomain reservation and existing-domain DNS onboarding are live for paid accounts; Bumpgrade-hosted subdomains share the central identity session, custom domains use a Bumpgrade login handoff, and Bumpgrade does not sell or register domains today.
SourceJSON

/funnels/source-data

Seeded funnel, ordered steps, page blocks, reusable funnel templates including webinar/resource page shapes, block-template library records, owner-session template-to-draft capability, owner-session checkout-link capability, owner-session checkout-unlink capability, owner-session resource delivery link capability, public and owner-session agent funnel resource delivery token capability, owner-session webinar event link capability, owner-session archived-draft purge capability, owner-session visual block style capability, owner-session block reorder capability, owner-session cross-step block move capability, public funnel checkout-start capability, aggregate owner product delivery-gate counts, revision ID, preview route, source-data route, published D1 funnel summaries, owner-gated draft capability, D1 table names, and confirmed-write boundary.

Stable IDsfunnelId, funnelStepId, funnelBlockId, funnelTemplateId, funnelBlockTemplateId, funnelCheckoutLinkId, funnelCheckoutUnlinkId, funnelResourceDeliveryLinkId, funnelResourceDeliveryTokenId, agentFunnelResourceDeliveryTokenId, funnelWebinarEventLinkId, funnelDraftPurgeId, funnelPurgeEventId, funnelDraftBlockVisualStyleId, funnelDraftBlockReorderId, funnelDraftBlockCrossStepMoveId, funnelWebinarResourceTemplateId, funnelRevisionId, funnelDraftId, funnelAuditEventId, checkoutIntentId, checkoutOfferStackId, offerId, productDeliveryGateLinkId
CaveatThe public funnel contract exposes template and block-template records, webinar/resource page-shape records, owner-gated template-create, checkout-link, checkout-unlink, resource-delivery-link, public and owner-session agent funnel resource delivery token, webinar-event-link, archived-draft purge, visual block style presets, within-step block-reorder, cross-step block-move, editable draft, publish capability metadata, direct agent-safe visual style presets, reusable block add/remove, checkout linking/unlinking, resource-delivery linking, webinar-event linking, block movement, public publishing, archive/unpublish, and archived-draft purge metadata, public sandbox checkout-start rendering metadata, entitlement-safe resource access references, external webinar registration/replay references, and aggregate owner product delivery-gate counts; it does not expose unpublished private draft copy, direct agent template creation, unauthenticated public agent-created delivery tokens, direct agent non-archived or bulk purge, unauthenticated public agent publishing, live billing, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, or unconfirmed agent edits.
SourceJSON

/offers/source-data

Seeded checkout offer stack, primary offer, selectable order bump, optional referral-click attribution evidence, upsell, downsell, non-billing post-purchase decision contract, aggregate decision counts, aggregate owner product delivery-gate counts, checkout route, revision ID, and confirmed-write boundary.

Stable IDscheckoutOfferStackId, offerId, orderBumpId, upsellId, downsellId, checkoutRevisionId, referralClickId, postPurchaseDecisionId, productDeliveryGateLinkId
CaveatThe checkout-offer contract now includes a confirmed sandbox checkout start for the seeded primary offer plus constrained order bump, optional referral-click attribution evidence, non-billing upsell/downsell decision evidence, and aggregate owner product delivery-gate counts; it is not live billing, one-click upsell charging, fulfillment, commission writes, price mutation, or direct agent write capability.
SourceJSON

/products/source-data

Seeded product catalog, assets, access rules, entitlement templates, payment-plan records, sandbox webhook grant mappings, aggregate owner-entitlement inspection counts, aggregate owner-created product, test checkout, delivery-gate, and test grant counts, customer-safe lookup contract, private R2-backed fixture delivery contract, owner-confirmed private asset upload intent contract, owner-confirmed non-destructive revocation intent contract, protected content readiness, checkout-intent-scoped protected fixture delivery, redaction flags, preview route, revision ID, and confirmed-write boundary.

Stable IDsproductId, assetId, accessRuleId, entitlementTemplateId, productEntitlementInspectionId, customerProductEntitlementLookupId, productDownloadTokenId, productAssetUploadIntentId, productCreationIntentId, productTestCheckoutLinkId, productDeliveryGateLinkId, productOfferAccessGrantIntentId, productEntitlementRevocationIntentId, productProtectedContentId, productProtectedContentDeliveryId, productPaymentPlanId, subscriptionPlanId, fulfillmentId
CaveatThe product/access contract includes seeded payment-plan read records, sandbox webhook-backed entitlement row grants, owner-only entitlement inspection, customer-safe checkout intent lookup, short-lived tokens that stream a seeded private R2 fixture, owner-created product test checkout links, owner product delivery-gate links, owner-confirmed private asset upload records, owner-confirmed non-destructive revocation intent records, protected content readiness, and checkout-intent-scoped seeded protected fixture delivery; it is not live payment-plan checkout, signed object URL access, customer delivery of arbitrary uploads, destructive revocation, subscription access mutation, live offer/funnel publishing, live charges, or live fulfillment automation.
SourceJSON

/audience/source-data

Seeded audience automation workspace, opt-in form, consent-backed capture API, aggregate subscriber inspection counts, redaction flags, tags, segments, lead magnet, sequence, aggregate sequence delivery readiness, dry-run sequence schedule intent counts, dry-run sequence delivery-batch counts, dry-run sequence queue-message counts, dry-run sequence dispatch preflight counts, dry-run sequence dispatch attempt receipt counts, sequence Queue producer readiness counts, sequence Queue consumer readiness counts, sequence provider-call readiness counts, sequence delivery-attempt readiness counts, sequence delivery-result readiness counts, sequence delivery-status webhook readiness counts, sequence provider-polling readiness counts, sequence receipt-payload readiness counts, broadcast draft, broadcast readiness, dry-run broadcast schedule intent counts, broadcast preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness gates, provider-event readiness gates, provider rate-limit readiness gates, provider response readiness gates, send-payload readiness gates, Queue producer readiness gates, Queue consumer readiness gates, provider-call readiness gates, delivery-attempt readiness gates, delivery-result readiness gates, delivery-status webhook readiness gates, provider-polling readiness gates, receipt-payload readiness gates, owner-confirmed import intent evidence, owner-confirmed import preflight evidence, aggregate export readiness evidence, and confirmed-write boundary.

Stable IDssubscriberSegmentId, subscriberId, subscriberInspectionId, optInFormId, leadMagnetId, emailSequenceId, sequenceEnrollmentPauseId, sequenceDeliveryReadinessId, sequenceScheduleIntentId, sequenceDeliveryBatchId, sequenceDeliveryQueueMessageId, sequenceDispatchPreflightId, sequenceDispatchAttemptId, sequenceQueueProducerReadinessId, sequenceQueueConsumerReadinessId, sequenceProviderCallReadinessId, sequenceDeliveryAttemptReadinessId, sequenceDeliveryResultReadinessId, sequenceDeliveryStatusWebhookReadinessId, sequenceProviderPollingReadinessId, sequenceReceiptPayloadReadinessId, automationRuleId, broadcastReadinessId, broadcastScheduleIntentId, broadcastPreviewSafetyId, broadcastQueueReadinessId, broadcastDeliveryBatchId, broadcastDeliveryQueueMessageId, broadcastDispatchPreflightId, broadcastDispatchAttemptId, broadcastSenderDomainReadinessId, broadcastProviderEventReadinessId, broadcastProviderRateLimitReadinessId, broadcastProviderResponseReadinessId, broadcastSendPayloadReadinessId, broadcastQueueProducerReadinessId, broadcastQueueConsumerReadinessId, audienceImportIntentId, audienceImportPreflightId, audienceExportReadinessId
CaveatThe audience automation contract includes consent-backed opt-in capture, aggregate owner-inspection evidence, unsubscribe/suppression evidence, unsubscribe-paused sequence enrollment aggregates, aggregate sequence delivery readiness from issue #351, dry-run sequence schedule intents from issue #354, dry-run sequence delivery batches from issue #358, dry-run sequence queue-message evidence from issue #360, dry-run sequence dispatch preflight evidence from issue #362, dry-run sequence dispatch attempt receipt evidence from issue #364, sequence Queue producer readiness from issue #366, sequence Queue consumer readiness from issue #368, sequence provider-call readiness from issue #370, sequence delivery-attempt readiness from issue #372, sequence delivery-result readiness from issue #374, sequence delivery-status webhook readiness from issue #376, sequence provider-polling readiness from issue #378, sequence receipt-payload readiness from issue #380, private owner-note counts, broadcast readiness, dry-run broadcast schedule intent counts, preview/footer safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, provider-call readiness, delivery-attempt readiness, delivery-result readiness, delivery-status webhook readiness, provider-polling readiness, receipt-payload readiness, owner-confirmed import intents, owner-confirmed import preflights, and aggregate export readiness evidence from issue #347; it is not contact import, raw import row storage, raw email storage, subscriber creation from imports, real sequence scheduling, live email sending, private export, export file creation, private DNS/provider setup, provider webhook processing, webhook payload reading or creation, provider polling, provider polling payload reading or creation, provider polling result creation, receipt payload creation, delivery receipt creation, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload body creation or reading, Queue message consumption, Queue message acknowledgements, ack/retry/dead-letter row creation, provider calls, delivery attempts, delivery results, webhooks, receipts, delivery queue row creation, recipient payload creation, raw payload body storage, provider response creation, provider message creation, personalized body generation, unsubscribe URL creation, body template exposure, or direct public agent subscriber write capability.
SourceJSON

/analytics/source-data

Seeded analytics event taxonomy, event capture API, browser-side page-view beacon boundary, dashboard-visible aggregate source attribution rows, fixed time-window metadata, aggregate event counts, aggregate variant event counts, aggregate source attribution counts, assignment API, aggregate assignment counts, aggregate funnel conversion reports, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox records, owner-confirmed dispatch preflight evidence, owner-reviewed provider/domain readiness evidence, metric formulas, experiment variants, assignment rule, owner-confirmed experiment decision evidence, and confirmed-write boundary.

Stable IDsanalyticsEventId, analyticsEventIngestionId, analyticsPageViewBeaconId, analyticsEventVariantAggregateId, analyticsEventSourceAggregateId, experimentAssignmentId, analyticsExperimentDecisionId, analyticsReportExportId, analyticsReportExportSectionId, analyticsCohortFixtureId, analyticsCohortComparisonId, analyticsCohortReviewId, analyticsCohortReviewStatus, analyticsAlertThresholdId, analyticsAnomalyReviewId, analyticsAnomalyReviewStatus, analyticsNotificationReadinessId, analyticsNotificationChannelId, analyticsNotificationReadinessStatus, analyticsNotificationInboxRecordId, analyticsNotificationInboxStatus, analyticsNotificationDispatchPreflightId, analyticsNotificationDispatchPreflightStatus, analyticsFunnelConversionReportId, analyticsTimeWindow, analyticsExperimentTrafficRoutingId, analyticsExperimentHoldoutRoutingId, utmSource, utmMedium, utmCampaign, referrerHost, metricId, experimentId, variantId, assignmentRuleId
CaveatThe affiliate/referral contract includes seeded click capture, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal action boundaries, aggregate counts, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, and owner-reviewed notification provider readiness records; it is not cookie assignment, buyer attribution finalization, payable statement creation, payable commission state, private fraud signal exposure, tax collection, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, queue dispatch, authenticated private partner portal access, direct agent review automation, or Stripe payout capability.
SourceJSON

/affiliates/source-data

Seeded affiliate program, partner records, referral links, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, owner-reviewed notification provider readiness records, referral click capture API, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal actions, aggregate counts, attribution rules, commission rules, ledger fixtures, payout batch, review flags, and confirmed-write boundary.

Stable IDsaffiliateProgramId, affiliatePartnerId, affiliatePartnerPortalId, affiliatePartnerStatementSnapshotId, affiliatePartnerReportId, payoutPreparationId, payoutPreparationRecordId, payoutPreparationRecordStatus, fraudReviewRecordId, fraudReviewRecordStatus, partnerNotificationReadinessRecordId, partnerNotificationReadinessRecordStatus, partnerNotificationSendPreflightRecordId, partnerNotificationSendPreflightRecordStatus, partnerNotificationProviderReadinessRecordId, partnerNotificationProviderReadinessRecordStatus, referralLinkId, referralClickId, checkoutIntentId, referralAttributionId, reviewOnlyCommissionLedgerId, commissionReviewActionId, commissionRuleId, commissionLedgerId, payoutBatchId
CaveatThe affiliate/referral contract includes seeded click capture, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal action boundaries, aggregate counts, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, and owner-reviewed notification provider readiness records; it is not cookie assignment, buyer attribution finalization, payable statement creation, payable commission state, private fraud signal exposure, tax collection, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, queue dispatch, authenticated private partner portal access, direct agent review automation, or Stripe payout capability.
SourceJSON

/mobile-admin/source-data

Mobile jobs-to-be-done, iOS and Android child issues, live dashboard source-data route, API dependencies, stack decision, and write boundaries.

Stable IDsmobileJobId, mobileApiDependencyId, platformIssue, mobileDashboardCardId
CaveatThe mobile contract and live public dashboard digest are live, but installable iOS and Android app claims require #67 and #68 smoke evidence.
SourceJSON

/mobile-admin/dashboard/source-data

Public-safe mobile dashboard digest with feature counts, roadmap counts, recent work-log metadata, attention counts, commerce table counts, agent-readiness counts, and platform source-data routes.

Stable IDsmobileDashboardCardId, featureId, roadmapItemId, workLogEntryId, markAttentionId, agentReadContractId
CaveatThe dashboard is a public-safe read contract with owner-session and confirmed-action requirements, not private mobile rows, push notifications, live confirmed writes, App Store distribution, or Play Store distribution.
SourceJSON

/mobile-admin/ios/source-data

iOS app-foundation path, generated fixture, simulator target, validation command, smoke command, and screenshot evidence.

Stable IDsplatformIssue, fixturePath, simulatorBundleId
CaveatThe iOS simulator smoke target renders owner-session and confirmed-action requirements, but it is not App Store distribution, push notification support, private mobile rows, or live confirmed-write capability.
SourceJSON

/mobile-admin/android/source-data

Android app-foundation path, generated fixture asset, native package, emulator target, validation command, smoke command, and screenshot evidence.

Stable IDsplatformIssue, fixturePath, nativePackage, defaultAvd
CaveatThe Android emulator smoke target renders owner-session and confirmed-action requirements, but it is not Play Store distribution, push notification support, private mobile rows, or live confirmed-write capability.

Baseline

The shared agent workflow follows Bumpgrade project standards.

AGENTS.md is adapted with Bumpgrade project constants, project stack, required product surfaces, and Bumpgrade Codex email identity.

docs/working-agreements.md carries the issue/branch/PR, screenshot, validation, work-log, and owner-attention workflow.

docs/agent/* carries admin-surface, agent-ready, screenshot, work-log, and user-journey rules.

docs/keep-working/* carries the repo-tracked goal-runner and status-update skills.

public/llms.txt points agents to current Bumpgrade feature, roadmap, comparison, commerce, admin, and agent-doc routes.

Boundaries

Owner and write actions are explicit.

Admin auth

Human admin pages require Better Auth owner sessions. Public-safe source-data routes do not bypass that boundary.

Confirmed writes

Require confirmation, idempotency, stale-state checks, audit correlation, and redaction for public, destructive, billing-impacting, moderation, source-editing, publishing, or creator-speech writes.

No secrets

Keep secrets, raw provider IDs, private user data, private inbox bodies, and storage keys out of prompt-visible output.