{"id":"bumpgrade-agent-manifest","generatedFrom":"src/lib/agent-manifest.ts","updatedAt":"2026-05-29","site":"https://bumpgrade.com","caveat":"This manifest is public-safe. It exposes read contracts and planned MCP/tooling shape, not private admin data or permission to perform writes.","docs":[{"id":"doc-agent-index","title":"Agent docs index","route":"/agent-docs","purpose":"Human and agent-friendly index for Bumpgrade read contracts, source evidence, MCP direction, and safety boundaries.","status":"live","evidence":["Issue #12","public/llms.txt"]},{"id":"doc-agent-surface","title":"Bumpgrade agent surface","route":"/agent-docs/bumpgrade-agent-surface","purpose":"Orientation for what agents can read, what is planned, and what requires owner credentials.","status":"live","evidence":["Issue #12","/agent-docs/source-data"]},{"id":"doc-commerce-contract","title":"Bumpgrade commerce contract","route":"/agent-docs/bumpgrade-commerce-contract","purpose":"Stripe sandbox, checkout, webhook, billing, and confirmed-write safety boundaries.","status":"live","evidence":["Issue #11","Issue #34","/commerce/source-data"]},{"id":"doc-source-evidence","title":"Bumpgrade source evidence","route":"/agent-docs/bumpgrade-source-evidence","purpose":"How public claims resolve to source IDs, URLs, issues, PRs, work-log entries, and caveats.","status":"live","evidence":["/compare/source-data","/features/source-data","/roadmap/source-data"]},{"id":"doc-admin-surfaces","title":"Bumpgrade admin surfaces","route":"/agent-docs/bumpgrade-admin-surfaces","purpose":"Which admin pages require owner auth and which source-data routes are public-safe for agents.","status":"live","evidence":["/agent-docs/project-source-data","docs/agent/admin-surfaces.md"]},{"id":"doc-mcp-roadmap","title":"Bumpgrade MCP roadmap","route":"/agent-docs/bumpgrade-mcp","purpose":"First MCP resources and tools planned on top of the same public-safe contracts.","status":"live","evidence":["Issue #12","docs/agent/agent-ready.md"]},{"id":"doc-mobile-admin","title":"Bumpgrade mobile admin contract","route":"/agent-docs/bumpgrade-mobile-admin","purpose":"Shared iOS and Android publisher/admin app jobs, API dependencies, auth boundaries, and write-safety rules.","status":"live","evidence":["Issue #414","Issue #13","Issue #67","Issue #68","Issue #153","Issue #155","Issue #157","/mobile-admin/source-data"]}],"readContracts":[{"id":"read-feature-catalog","title":"Feature catalog","route":"/features/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/feature-catalog.ts","stableIds":["featureId","issue","status"],"safeForAgents":["Read feature status","Distinguish live from pending","Cite feature evidence"],"writeBoundary":"Feature status changes must land through GitHub issue/PR work and admin work-log updates."},{"id":"read-public-roadmap","title":"Public roadmap","route":"/roadmap/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/roadmap.ts","stableIds":["roadmapItemId","featureId","issue","status"],"safeForAgents":["Read public-safe roadmap state","Find blockers and next milestones","Cite issue evidence"],"writeBoundary":"Roadmap moves require an issue/PR or approved admin append path, not chat-only edits."},{"id":"read-comparisons","title":"Competitor comparisons and source evidence","route":"/compare/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/comparison-data.ts","stableIds":["competitorId","sourceId","seoTargetId"],"safeForAgents":["Resolve competitor claims","Read retrieved dates","Cite official source URLs"],"writeBoundary":"Refresh competitor claims from official sources before changing dated pricing, packaging, or feature claims."},{"id":"read-competitor-importers","title":"Competitor importers","route":"/imports/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/importers.ts","stableIds":["importerPlatformId","competitorId","sourceId","importInputKind","importSourceChecklistItemId","importDraftEntity","importReviewAreaStatus","importReview","importRecords","extractedFields","subscriberImportDepth","subscriberImportPreflight","subscriberImportCreation","subscriberAudiencePromotion","privateSubscriberRecords","privateRecordReviewRoute","privateRecordReviewActionApiRoute","edit_extracted_field","record_subscriber_import_preflight","create_subscriber_import_records","promote_subscriber_import_records_to_audience","export_private_subscriber_records"],"safeForAgents":["Read supported importer platforms","Resolve importer routes from competitor IDs","Inspect input kinds, platform-specific source checklists, export match templates, preflight signal labels, redacted sourceChecklistReview maps, exportFileAnalysis fields, platformExportMatches, private importReview metadata persistence, private structured import-record contracts, safe extractedFields plans, subscriberImportDepth metadata, subscriberImportPreflight actions, subscriberImportCreation actions, subscriberAudiencePromotion actions, owner-only privateSubscriberRecords inspection rules, owner-only subscriberPrivateExport metadata, private record review routes, review-action routes, extracted-field edit actions, duplicate-review fields, rollback routes, and saved private plan parts","Identify verified-publisher private-draft, private record review, private record review-action, and rollback routes for supported importer platforms","Cite safety gates and unsupported fields before describing migration capability","Cite issue #467 for the active importer feature request"],"writeBoundary":"Importer source-data is read-only. Platform-specific source checklists and export match templates describe what a prospect can bring before private plan creation. Public preflight review routes return redacted import maps, sourceChecklistReview status, exportFileAnalysis structure, and platformExportMatches without persisting records or echoing pasted source material, raw rows, raw file text, export file names, customer rows, credentials, sessions, or payment data. Private-draft importer APIs require a verified publisher session, exact confirmation, idempotency, and redacted responses; new private drafts persist safe importReview metadata with export analysis, platform export matches, and recognized match IDs only, then create private importRecords, safe extractedFields target plans, and subscriberImportDepth metadata for audience records without public source-data exposing private record content, raw values, raw contact rows, emails, names, sequence enrollments, sends, or exports. Private record review routes require the same verified publisher owner and can show safe structure plus saved private importer subscriber contact records after confirmed creation; public source-data, public preview routes, unauthenticated responses, and public agent contracts expose counts and redaction rules only. Private record review-action routes can mark records ready or needing cleanup, edit extracted field labels/status/prompts, record subscriberImportPreflight readiness/cleanup metadata, create private importer subscriber records from a confirmed fresh upload, add those saved contacts to the audience review list as imported_pending_review rows, and prepare an owner-only private subscriber CSV with redacted JSON responses and idempotency/confirmation evidence. Subscriber import creation stores private email/name data only in owner-scoped importer subscriber records and returns counts only; subscriberAudiencePromotion writes audience_subscribers and non-sending tag assignments, but creates no consent events, sequence enrollments, private exports, sends, or go-live effects. SubscriberPrivateExport returns private emails only in the same-owner CSV download; public source-data, unauthenticated responses, and JSON API responses expose counts and redaction rules only. Source URL and export file name duplicate review can reuse a matching private import plan. Private rollback routes archive importer-created plans and preserve saved plan content, structured import records, steps, and audit history, while public publishing, live checkout, subscriber sends, domains, fulfillment, account transfer, payment credential migration, and customer passwords remain outside this contract."},{"id":"read-commerce-contract","title":"Commerce contract","route":"/commerce/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/commerce.ts and src/lib/sandbox-checkout.ts","stableIds":["productId","priceId","checkoutIntentId","referralClickId","referralAttributionId","reviewOnlyCommissionLedgerId","commissionReviewActionId","postPurchaseDecisionId","auditCorrelationId"],"safeForAgents":["Read redacted commerce architecture","Separate sandbox from live billing","Inspect referral attribution evidence","Inspect review-only commission ledger evidence","Inspect owner review action boundaries","Inspect non-billing post-purchase decision evidence","Inspect write safety rules"],"writeBoundary":"Non-billing post-purchase decisions can be recorded only for trusted checkout state; billing-impacting and payable commission writes require exact confirmation, idempotency, stale-state checks, audit correlation, owner review, and webhook evidence."},{"id":"read-pricing-policy","title":"Pricing policy and free-build gates","route":"/pricing/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/pricing-plans.ts","stableIds":["pricingPolicyId","freeBuildModeId","freeBuildCapabilityId","paidGoLiveGateId","pricingPlanSlug"],"safeForAgents":["Read the free build-before-go-live policy from issue #466","Distinguish live signed-in private Free Build workspace creation from paid go-live actions","Confirm logged-out anonymous structured playground recovery, browser-recovery save limits, owner-gated and scheduled cleanup, additive claim-to-private-draft and private claim-record creation, and signed-in Free Build workspace creation are live","Cite paid go-live gates for publishing, checkout, subscriber sends, domains, and fulfillment"],"writeBoundary":"Agents may read the pricing policy only. Saving anonymous structured playground state is browser-scoped, rate-limited per browser recovery workspace, and redacted; owner cleanup and scheduled Cloudflare cleanup expire recovery without exposing private content; claim creates or reuses the verified account's Free Build workspace and adds a private launch draft plus private offer/product/audience/importer-review records without replacing existing work; creating signed-in Free Build workspaces uses authenticated account setup APIs; publishing, charging buyers, sending email, connecting domains, and fulfillment changes require paid-plan flows."},{"id":"read-anonymous-playground","title":"Anonymous playground recovery","route":"/playground/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/anonymous-playground.ts","stableIds":["anonymousPlaygroundId","anonymousPlaygroundRoute","anonymousPlaygroundGateId"],"safeForAgents":["Read the browser-scoped playground contract","Distinguish anonymous save, signed-in claim, owner cleanup routes, and scheduled cleanup triggers","Confirm rapid save limits are scoped to the browser recovery workspace without raw IP or user-agent storage","Confirm claim creates private Free Build workspace, private funnel draft records, and private offer/product/audience/importer-review records","Confirm owner-gated and scheduled cleanup expire old anonymous recovery and clear anonymous draft fields without exposing cleanup actors","Confirm recovery cookie values and token hashes are not public source-data","Cite paid go-live gates before discussing publishing, checkout, sends, domains, or fulfillment"],"writeBoundary":"Anonymous playground writes are limited to browser-scoped structured draft launch context, with rapid save limits per browser recovery workspace and no raw IP or user-agent storage. Cleanup requires an owner session and exact confirmation. Attaching a playground requires an authenticated, email-verified publisher account, reuses an existing private Free Build workspace when present, and adds only private funnel draft state and private claim records."},{"id":"read-admin-source","title":"Admin source-data bundle","route":"/agent-docs/project-source-data","kind":"json","auth":"public","sourceOfTruth":"D1 admin tables with fixture fallback in src/lib/admin-surface-data.ts","stableIds":["workLogEntryId","userJourneyId","markAttentionId","roadmapItemId"],"safeForAgents":["Read public-safe work-log entries","Read user journeys","Read owner attention summaries"],"writeBoundary":"Human admin pages require Better Auth; agent writes need approved scripts or future confirmed APIs.","legacyRoutes":["/admin/source-data"]},{"id":"read-project-roadmap-source","title":"Project roadmap source data","route":"/agent-docs/project-roadmap-source-data","kind":"json","auth":"public","sourceOfTruth":"D1 admin roadmap rows with fixture fallback in src/lib/admin-surface-data.ts","stableIds":["roadmapItemId","featureId","issue"],"safeForAgents":["Read owner-maintained roadmap records","Inspect status counts","Cite issue and PR evidence when present"],"writeBoundary":"Roadmap changes still require GitHub issue/PR work, admin scripts, or future confirmed-write APIs.","legacyRoutes":["/admin/roadmap/source-data"]},{"id":"read-project-work-log-source","title":"Project work-log source data","route":"/agent-docs/project-work-log-source-data","kind":"json","auth":"public","sourceOfTruth":"D1 admin work-log rows with fixture fallback in src/lib/admin-surface-data.ts","stableIds":["workLogEntryId","roadmapItemId","featureId"],"safeForAgents":["Read public-safe work-log entries","Cite shipped PRs and validation evidence","Find recently changed product surfaces"],"writeBoundary":"Work-log changes still require approved scripts or future confirmed-write APIs.","legacyRoutes":["/admin/work-log/source-data"]},{"id":"read-user-journey-source","title":"User journey source data","route":"/agent-docs/user-journey-source-data","kind":"json","auth":"public","sourceOfTruth":"D1 admin user-journey rows with fixture fallback in src/lib/admin-surface-data.ts","stableIds":["userJourneyId","featureId","roadmapItemId"],"safeForAgents":["Read named user journeys","Inspect owner/user goals","Cite edge cases and evidence links"],"writeBoundary":"User-journey changes still require approved scripts or future confirmed-write APIs.","legacyRoutes":["/admin/user-journeys/source-data"]},{"id":"read-owner-attention-source","title":"Owner attention source data","route":"/agent-docs/owner-attention-source-data","kind":"json","auth":"public","sourceOfTruth":"D1 owner-attention rows with fixture fallback in src/lib/admin-surface-data.ts","stableIds":["markAttentionId","roadmapItemId","featureId"],"safeForAgents":["Read public-safe owner-attention summaries","Separate blockers from FYI follow-ups","Cite related issues and PRs"],"writeBoundary":"Owner-attention changes still require approved scripts, email follow-up, or future confirmed-write APIs.","legacyRoutes":["/admin/for-mark/source-data"]},{"id":"read-director-status","title":"Director status dashboard","route":"/agent-docs/director-status-source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/director-status.ts over D1 admin records from src/lib/admin-surface-data.ts","stableIds":["directorWorkstreamId","directorWindowId","directorQueueLaneId","directorBriefingControlId","workLogEntryId","roadmapItemId","markAttentionId"],"safeForAgents":["Read director-level workstream rollups instead of raw niche work-log noise","Inspect briefing controls for past-day, past-week, executive queue, and workstream-map views","Inspect past 1 day and past 7 days change windows","Read collapsed workstream brief signals for due, doing, next, changed-7-days, and watchlist summaries","Read named recent-change digests for each director window with workstream provenance","Read due-now, in-flight, pending-next, and watchlist executive queue lanes with workstream provenance","Distinguish shipped, in-flight, pending, blocked, at-risk, and owner-action items with evidence links"],"writeBoundary":"This route is a read-only summary. Status changes still require updating roadmap, work-log, owner-attention, issue, PR, or future confirmed-write records.","legacyRoutes":["/admin/director/source-data"]},{"id":"read-agent-manifest","title":"Agent manifest","route":"/agent-docs/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/agent-manifest.ts","stableIds":["readContractId","mcpPlanId","agentDocId"],"safeForAgents":["Discover read contracts","Route to source-data APIs","Understand write boundaries"],"writeBoundary":"This route is read-only until confirmed-write agent APIs exist."},{"id":"read-content-surfaces","title":"Content surfaces","route":"/content/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/content-surfaces.ts","stableIds":["audienceSegmentId","audienceSegmentSlug","audienceSegmentRoute","resourceItemId","pricingPrincipleId","pricingTrackId","freeBuildModeId"],"safeForAgents":["Read use-case records","Resolve dedicated use-case routes","Read resource hub records","Read pricing caveats"],"writeBoundary":"Content changes must cite source-data routes, issues, or shipped evidence before public claims change."},{"id":"read-customer-proof","title":"Customer proof and trust signals","route":"/trust/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/customer-proof.ts","stableIds":["customerProofRecordId","customerProofPolicyId","customerProofSourceId"],"safeForAgents":["Read the current customer-proof approval policy","Confirm whether public testimonials, logos, metrics, or case studies are approved","Avoid inventing customer proof when approved records are absent"],"writeBoundary":"Customer proof records require source evidence, owner approval, public consent, and a PR or issue before public rendering."},{"id":"read-publisher-account-setup","title":"Publisher account, subdomain, and custom-domain setup","route":"/account/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/publisher-tenants.ts and D1 publisher tenant tables","stableIds":["publisherTenantId","publisherSubdomainReservationId","publisherCustomDomainId","publisherPlanEntitlementId","publisherFreeBuildWorkspaceId","publisherAuthBoundaryId","issue"],"safeForAgents":["Read signed-in Free Build workspace creation policy","Read paid-plan gate requirements","Read default Bumpgrade subdomain reservation policy","Read custom-domain DNS instruction and verification policy","Read cross-subdomain auth configuration and custom-domain login boundary","Distinguish Bumpgrade subdomains, existing custom domains, and the current no-domain-purchase policy"],"writeBoundary":"Free Build workspace creation requires a signed-in, email-confirmed publisher with explicit confirmation, idempotency, audit correlation, and redacted outputs; subdomain reservation and custom-domain onboarding also require active paid-plan entitlement. Bumpgrade does not sell, register, renew, transfer, or price domains today."},{"id":"read-funnel-contract","title":"Funnel source data","route":"/funnels/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/funnels.ts","stableIds":["funnelId","funnelStepId","funnelBlockId","funnelTemplateId","funnelBlockTemplateId","funnelDraftBlockEditId","funnelDraftBlockVisualStyleId","funnelDraftBlockCanvasLayoutId","funnelDraftBlockReorderId","funnelDraftBlockCrossStepMoveId","funnelCheckoutLinkId","funnelResourceDeliveryLinkId","funnelResourceDeliveryTokenId","funnelResourceDeliveryReceiptId","funnelWebinarEventLinkId","funnelWebinarResourceTemplateId","funnelRevisionId","funnelDraftId","funnelDraftDuplicateId","funnelDraftArchiveId","funnelDraftPurgeId","funnelDraftBulkPurgeId","funnelDraftBlockStructureEditId","funnelAuditEventId","funnelPurgeEventId","agentFunnelDraftWriteId","agentFunnelDraftWriteOperationId","agentFunnelResourceDeliveryTokenId","auditCorrelationId","checkoutIntentId","checkoutOfferStackId","offerId","funnelCheckoutUnlinkId","productDeliveryGateLinkId","agentActionId"],"safeForAgents":["Read seeded draft funnel","Inspect ordered steps","Inspect page blocks and write boundaries","Inspect reusable funnel templates and block-template write boundaries from issue #159","Discover owner-session template-to-draft creation from issue #161","Discover owner-session checkout-offer linking from issue #163","Discover public linked-checkout start rendering from issue #165","Discover aggregate owner-created product delivery-gate links from issue #409","Discover webinar and resource page-shape templates from issue #213","Discover owner-session private draft duplication from issue #215","Discover owner-session private draft archive/unpublish from issue #341","Discover owner-session archived-draft purge from issue #417","Discover owner-session bulk archived-draft purge from issue #417","Discover owner-session checkout unlinking from issue #417","Discover owner-session resource delivery linking from issue #417","Discover public funnel-scoped resource delivery tokens from issue #417","Discover owner-session agent-created resource delivery tokens from issue #417","Discover redacted resource-delivery receipt evidence from issue #417","Discover owner-session webinar event/replay linking from issue #417","Discover owner-session visual style controls for existing funnel blocks from issue #417","Discover owner-session bounded canvas layout controls for existing funnel blocks from issue #417","Discover owner-session block reordering from issue #417","Discover owner-session drag/drop block placement through existing move endpoints from issue #417","Discover owner-session cross-step block moves from issue #417","Discover owner-session direct agent-safe draft writes for block copy edits, visual style presets, bounded canvas layouts, reusable block add/remove, checkout linking/unlinking, resource-delivery linking, webinar-event linking, block movement, private duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge from issue #417","Discover owner-session granular draft block editing from issue #430","Discover owner-session draft block add/remove controls from issue #432","Discover owner-session editable draft, private preview, and exact-confirmed publish/archive/purge/checkout-unlink/resource-delivery-link/webinar-event-link capability from issues #91, #93, #95, #135, #163, #165, #213, #215, #341, #417, #430, and #432"],"writeBoundary":"Owner-session seed/create/template-create/duplicate/update/reorder/block-edit/block-style/block-canvas-layout/block-add/block-remove/block-reorder/block-cross-step-move/checkout-link/checkout-unlink/resource-delivery-link/webinar-event-link/archive/purge/bulk-purge draft writes, including webinar/resource template-to-draft creation, granular block title/body editing with preserved block metadata, curated block visual style presets with preserved block metadata, bounded canvas layout values with preserved block metadata, block add/remove from the reusable block library with checkout-linked block protection, within-step block reordering that preserves checkout/resource/webinar metadata, drag/drop block placement that reuses the same move endpoint modes with fresh revisions, cross-step block moves that preserve block metadata while changing step membership, checkout unlinking with preserved block identity and copy, resource delivery linking to public-safe product/access catalog assets, webinar event/replay linking to public-safe external URLs, private draft preview, exact-confirmed public publishing, exact-confirmed archive/unpublish, exact-confirmed archived-draft purge, and exact-confirmed bulk archived-draft purge with per-draft tombstone evidence exist at /admin/funnels. The owner-session /api/agent/funnels/draft-writes JSON API now lets agents perform private block copy edits, curated visual style presets, bounded canvas layout writes, reusable block add/remove, checkout-offer linking, checkout unlinking, resource-delivery linking, webinar-event linking, within-step block reordering, cross-step block moves, private draft duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. The owner-session /api/agent/funnels/resource-delivery-tokens API can create a funnel-scoped resource delivery token for a published linked resource block after exact confirmation, idempotency, current published revision, checkout intent, entitlement, and audit correlation checks, with replays redacted because raw tokens are not stored. Successful redemption through the existing Bumpgrade download route records redacted resource-delivery receipt evidence with safe funnel, block, product, asset, and source metadata only. Agent style writes store only curated style IDs, canvas layout writes store only bounded x, y, width, height, and zIndex numbers, and both preserve block metadata. Direct agent block removal refuses checkout-linked blocks and keeps at least one block per step. Owner-confirmed direct agent publishing creates a public route mutation with archive-draft rollback and no billing mutation. Direct agent archived-draft purge and bulk archived-draft purge record tombstones before deleting already archived draft and step rows without deleting audit rows, product assets, R2 objects, buyer records, or billing state. Published linked checkout blocks can render the existing sandbox checkout start surface, published resource-linked blocks can render entitlement-safe resource access references and mint funnel-scoped private download tokens only when the submitted checkout intent and entitlement match the linked product and file asset, and published webinar-linked blocks can render external registration/replay references. Owner product delivery-gate writes are separate owner-authenticated product APIs that expose only aggregate funnel source-data. Direct agent template creation, unauthenticated public agent-created delivery tokens, non-archived purge, unauthenticated public agent publishing, live billing, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, and unbounded arbitrary CSS/script layout editing require future confirmed-write APIs."},{"id":"read-admin-draft-funnels","title":"Admin draft funnels","route":"/admin/funnels","kind":"doc","auth":"owner-session","sourceOfTruth":"D1 tables funnel_drafts, funnel_draft_steps, funnel_audit_events, and funnel_purge_events","stableIds":["funnelDraftId","funnelDraftDuplicateId","funnelDraftArchiveId","funnelDraftPurgeId","funnelDraftBulkPurgeId","funnelCheckoutUnlinkId","funnelResourceDeliveryLinkId","funnelWebinarEventLinkId","funnelDraftBlockCanvasLayoutId","funnelDraftBlockReorderId","funnelDraftBlockCrossStepMoveId","funnelDraftBlockStructureEditId","funnelDraftBlockVisualStyleId","funnelDraftStepId","funnelDraftBlockId","funnelAuditEventId","funnelPurgeEventId","ownerUserId"],"safeForAgents":["Read private draft funnel rows only with an owner session","Preview private draft funnel state only with an owner session","Create private drafts from reusable templates only with an owner session, exact confirmation, and idempotency","Create private webinar/resource template drafts only as page-shape records, not as live scheduling or private asset delivery","Duplicate private drafts only with an owner session, exact confirmation, idempotency, and a fresh revision ID","Do not treat duplicated drafts as published, and do not assume checkout-link metadata is copied","Edit existing draft block titles and body copy only with an owner session, idempotency key, and a fresh revision ID","Do not treat block copy editing as block creation, deletion, reordering, checkout unlinking, live billing, fulfillment, or direct agent writing","Add reusable block-library blocks and remove safe unlinked blocks only with an owner session, idempotency key, and a fresh revision ID","Apply curated visual style presets only with an owner session, idempotency key, and a fresh revision ID","Set bounded canvas layout values only with an owner session, idempotency key, and a fresh revision ID","Move existing draft blocks up or down within the same step only with an owner session, idempotency key, and a fresh revision ID","Move existing draft blocks across steps only with an owner session, idempotency key, and a fresh revision ID","Treat drag/drop placement as owner-session UI on top of existing move modes, and treat bounded canvas layout as numeric x/y/width/height/z writes rather than arbitrary CSS or scripts","Unlink checkout metadata only with an owner session, exact confirmation, idempotency key, and a fresh revision ID","Do not remove checkout-linked blocks through block removal before the separate checkout unlink action clears metadata","Link resource and delivery blocks to product/access catalog assets only with an owner session, exact confirmation, idempotency key, and a fresh revision ID","Do not treat resource delivery links as arbitrary uploaded asset delivery, signed URL creation, live fulfillment automation, or private buyer access","Link webinar blocks to public-safe registration and optional replay URLs only with an owner session, exact confirmation, URL validation, idempotency key, and a fresh revision ID","Do not treat webinar event links as live scheduling, reminder automation, attendance tracking, replay hosting, provider secrets, or private registrant access","Attach the seeded sandbox checkout offer to private checkout blocks only with an owner session, exact confirmation, idempotency, and a fresh revision ID","Publish a draft only through owner-session UI or owner-session agent API with exact confirmation, idempotency, and a fresh revision ID","Archive private drafts or unpublish published D1 draft funnels only through owner-session UI or owner-session agent API with exact confirmation, idempotency, and a fresh revision ID","Treat archived draft funnels as read-only owner evidence after archive/unpublish","Purge already archived draft funnels only through owner-session UI or owner-session agent API with exact confirmation, idempotency, a fresh archived revision ID, audit correlation for agent calls, and a durable tombstone event","Bulk purge selected archived draft funnels only after every target passes fresh archived revision checks and each purged draft records its own tombstone","Do not treat purge as audit deletion, product asset deletion, R2 object deletion, buyer-record deletion, billing-state deletion, non-archived purge, or unauthenticated public agent writing","Check audit metadata before acting on draft state"],"writeBoundary":"The POST endpoint can seed, create, create from templates including webinar/resource page shapes, duplicate, update, reorder, block-edit, block-style, block-canvas-layout, block-add, block-remove, block-reorder, block-cross-step-move, checkout-link, checkout-unlink, resource-delivery-link, webinar-event-link, publish, archive/unpublish, purge already archived private draft steps, and bulk purge selected archived private draft steps for an authenticated owner. Block edits update title/body copy only and preserve block IDs, block kinds, and checkout-link/resource-link/webinar-link metadata. Block style updates store only a curated visual style ID and preserve block IDs, kinds, copy, checkout-link metadata, resource-link metadata, webinar-link metadata, and audit evidence. Block canvas layout updates store only bounded x, y, width, height, and zIndex numbers and preserve the same block metadata. Block add/remove uses reusable block-library items and refuses checkout-linked block removal until checkout metadata is unlinked through the dedicated confirmed action. Block reorder moves existing blocks only within the same step and preserves block IDs, kinds, copy, checkout-link metadata, resource-link metadata, webinar-link metadata, and step membership. The /admin/funnels drag/drop UI reuses block-reorder and cross-step move endpoint modes with fresh revisions; it does not add a separate write contract. Cross-step block moves append a block to another step, refuse to empty the source step, and preserve block IDs, kinds, copy, checkout-link metadata, resource-link metadata, webinar-link metadata, and audit evidence. Checkout linking/unlinking, resource delivery linking, and webinar event/replay linking preserve block ID, kind, title, body, step order, and audit evidence. Archived drafts become read-only owner evidence; archived-draft purge and bulk archived-draft purge record tombstones before deleting draft and step rows and do not delete audit rows, product assets, R2 objects, buyer records, or billing state. The /api/agent/funnels/draft-writes endpoint gives owner-session agents a JSON contract for private block copy edits, curated visual style presets, bounded canvas layouts, reusable block add/remove, checkout-offer linking, checkout unlinking, resource-delivery linking, webinar-event linking, block reordering, cross-step block moves, private draft duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge only after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. Agent style writes store only curated style IDs, agent canvas layout writes store only bounded numbers, and both preserve block metadata. Direct agent block removal refuses checkout-linked blocks and keeps at least one block per step. Direct agent publishing creates a public route mutation with archive-draft rollback and no billing mutation. Direct agent archived purge returns a redacted tombstone summary, and bulk purge returns redacted per-draft tombstones. Private preview is owner-gated; non-archived purge, unauthenticated public agent-created delivery tokens, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, unbounded arbitrary CSS/script layout editing, direct agent template creation, and unauthenticated public agent publishing are not live."},{"id":"create-owner-agent-funnel-draft-write","title":"Owner agent-safe funnel draft write","route":"/api/agent/funnels/draft-writes","kind":"api","auth":"owner-session","sourceOfTruth":"src/app/api/agent/funnels/draft-writes/route.ts plus D1 funnel draft audit events","stableIds":["agentFunnelDraftWriteId","agentFunnelDraftWriteOperationId","funnelDraftId","funnelDraftBlockId","funnelDraftBlockCanvasLayoutId","funnelRevisionId","funnelAuditEventId","idempotencyKey","auditCorrelationId"],"safeForAgents":["Inspect the owner-session direct agent-safe funnel draft write contract","Update private draft block title/body copy, apply curated visual style presets, set bounded canvas layout values, link checkout/resource-delivery/webinar-event metadata, move blocks, duplicate a private draft, publish a draft, archive/unpublish a draft, purge an already archived draft, or bulk purge selected archived drafts only after exact owner confirmation","Use idempotency, the current draft revision, and an audit correlation ID before writing","Confirm responses redact owner email, owner user ID, private session data, raw rows, private provider data, R2 keys, signed URLs, buyer data, billing mutation state, and public agent write state"],"writeBoundary":"This owner-session API records direct agent-safe funnel draft writes after exact confirmation, idempotency, current draft revision or per-target archived revisions, and audit correlation checks. It can update private draft block copy, apply curated visual style presets, set bounded canvas layout values, link checkout/resource-delivery/webinar-event metadata, move blocks, duplicate a private draft, publish a draft, archive/unpublish a draft, purge an already archived draft, and bulk purge selected archived drafts. Publishing creates a public route mutation with archive-draft rollback and no billing mutation. Style writes store only known style IDs, canvas layout writes store only bounded x, y, width, height, and zIndex numbers, and neither accepts arbitrary CSS or scripts. Archived-draft purge records a tombstone before deleting draft and step rows and returns a redacted tombstone summary; bulk purge validates all selected archived drafts before deletion and returns redacted per-draft tombstones. It does not purge non-archived drafts, create unauthenticated public agent writes, mutate billing, expose arbitrary private R2 delivery, create signed URLs, run live webinar or fulfillment automation, or expose owner identity in responses. Issue #417 tracks this slice."},{"id":"create-owner-agent-funnel-resource-delivery-token","title":"Owner agent funnel resource delivery token","route":"/api/agent/funnels/resource-delivery-tokens","kind":"api","auth":"owner-session","sourceOfTruth":"src/app/api/agent/funnels/resource-delivery-tokens/route.ts plus agent_funnel_resource_delivery_token_requests","stableIds":["agentFunnelResourceDeliveryTokenId","funnelId","funnelBlockId","funnelRevisionId","checkoutIntentId","productEntitlementId","productId","assetId","auditCorrelationId","idempotencyKey"],"safeForAgents":["Inspect the owner-session agent resource delivery token contract","Create a short-lived funnel-scoped private download token for a published resource block only after exact owner confirmation","Use idempotency, the current published funnel revision, checkout intent, entitlement, and audit correlation before writing","Treat idempotent replays as token-redacted audit responses because raw bearer tokens are not stored","Confirm responses redact owner identity, idempotency keys, private session data, raw rows, buyer data, R2 keys, signed URLs, and public route mutation state"],"writeBoundary":"This owner-session API creates a short-lived funnel-scoped private download token for a published resource block after exact confirmation, idempotency, current published funnel revision, checkout intent, entitlement, and audit correlation checks. It delegates entitlement, product, asset, and private R2-token validation to the existing funnel and product download-token path. Replays return only redacted audit metadata because raw bearer tokens are not stored. It does not create unauthenticated public agent writes, mutate billing, expose arbitrary private R2 delivery, create signed URLs, run live fulfillment automation, mutate public routes, or expose owner identity in responses. Issue #417 tracks this slice."},{"id":"read-checkout-offer-stack","title":"Checkout offer source data","route":"/offers/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/checkout-offers.ts","stableIds":["checkoutOfferStackId","offerId","orderBumpId","upsellId","downsellId","checkoutRevisionId","referralClickId","postPurchaseDecisionId","productDeliveryGateLinkId","agentActionId"],"safeForAgents":["Read seeded checkout offer stack","Inspect bump and upsell sequence","Inspect confirmed sandbox checkout start boundaries","Inspect optional referral-click attribution evidence","Inspect aggregate non-billing post-purchase decision counts","Inspect aggregate owner-created product delivery-gate counts for the seeded offer/funnel path"],"writeBoundary":"A confirmed sandbox checkout start can include the seeded primary offer, constrained order bump, and optional referral-click attribution evidence; trusted checkout state can record non-billing upsell/downsell follow-up decisions; owner product delivery-gate links can connect test checkout links to the seeded offer/funnel path behind owner auth; live billing, price mutation, fulfillment, commission writes, direct agent writes, and post-purchase charges require future confirmed-write APIs."},{"id":"read-product-access-catalog","title":"Product access source data","route":"/products/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/product-access.ts + src/lib/product-creation.ts + src/lib/product-delivery-gates.ts + src/lib/product-offer-access.ts + src/lib/product-entitlement-inspection.ts + src/lib/customer-product-entitlements.ts + src/lib/product-download-tokens.ts + src/lib/product-asset-uploads.ts + src/lib/product-protected-content.ts","stableIds":["productId","assetId","accessRuleId","entitlementTemplateId","productEntitlementInspectionId","customerProductEntitlementLookupId","productDownloadTokenId","productAssetUploadIntentId","productCreationIntentId","productOfferAccessGrantIntentId","productDeliveryGateLinkId","productEntitlementRevocationIntentId","productProtectedContentId","productProtectedContentDeliveryId","productPaymentPlanId","subscriptionPlanId","subscriptionMembershipAccessId","fulfillmentId","agentActionId"],"safeForAgents":["Read seeded product catalog","Inspect access rules","Inspect sandbox entitlement grant mappings","Inspect aggregate owner-entitlement counts and redaction flags","Inspect aggregate owner-created product, test checkout, delivery-gate, and test access-grant counts","Discover the customer-safe checkout intent entitlement lookup contract","Discover short-lived private R2-backed download-token boundaries","Discover owner-confirmed private asset upload-intent boundaries","Inspect owner-confirmed non-destructive revocation intent records","Inspect protected content readiness and the checkout-intent-scoped protected fixture delivery boundary","Inspect subscription-backed membership access state from trusted Stripe Billing webhook evidence","Inspect seeded product payment-plan read records without live amount, Stripe Price, or customer data exposure","Inspect entitlement and fulfillment boundaries"],"writeBoundary":"Trusted paid sandbox webhooks can grant idempotent entitlement rows for seeded checkout line items; trusted Stripe Billing subscription webhooks can sync checkout-linked membership access while state is active or trialing and pause it when subscription state is canceled, unpaid, incomplete_expired, or deleted; public source-data exposes seeded pay-in-full, installment, and subscription payment-plan read records without live amounts or provider IDs; verified owners can create draft products, create owner-created product test checkout links, link those links to seeded offer/funnel delivery gates, create owner-created product test offer/access grants, inspect private entitlement rows, owner-confirmed non-destructive revocation intents, and protected content readiness in /admin/products; customers can inspect checkout-intent-scoped entitlement status, create short-lived download tokens that stream a seeded private R2 fixture without buyer or provider identifiers, and read seeded protected course/member fixture bodies only after active-entitlement and trusted-checkout checks; verified owners can create small private asset upload records after exact confirmation, idempotency, and catalog revision checks, and record non-destructive revocation intents after exact confirmation, idempotency, and stale entitlement status checks; Stripe Price creation, live payment-plan checkout, customer delivery of arbitrary uploads, signed object URLs, destructive revocation, live offer/funnel publishing, live fulfillment automation, Customer Portal actions, and private content writes require future authenticated confirmed-write APIs."},{"id":"read-customer-product-entitlements","title":"Customer product entitlement lookup","route":"/api/products/entitlements","kind":"api","auth":"public","sourceOfTruth":"src/lib/customer-product-entitlements.ts","stableIds":["checkoutIntentId","productEntitlementId","productId","entitlementTemplateId","fulfillmentTaskId"],"safeForAgents":["Inspect customer-safe product access for a known checkout intent","Confirm entitlement and fulfillment state without private buyer data","Confirm raw Stripe IDs, event IDs, metadata JSON, R2 keys, and signed URLs are excluded"],"writeBoundary":"This is a read-only checkout-intent-scoped lookup; signed downloads, protected lessons, buyer identity, entitlement mutation, destructive revocation, and live fulfillment require future authenticated confirmed-write APIs."},{"id":"read-subscription-membership-access","title":"Subscription membership access state","route":"/products/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/product-entitlements.ts + D1 billing_subscriptions and product_entitlements","stableIds":["subscriptionMembershipAccessId","checkoutIntentId","productEntitlementId","subscriptionPlanId","productId","entitlementTemplateId"],"safeForAgents":["Inspect the seeded monthly membership price and access-rule mapping","Confirm active/trialing Stripe Billing subscription state can activate checkout-linked membership access","Confirm canceled, unpaid, incomplete_expired, or deleted subscription state pauses membership access","Confirm buyer identity, raw subscription/customer IDs, webhook IDs, metadata JSON, member posts, private files, Customer Portal URLs, and progress rows are excluded"],"writeBoundary":"This is read-only subscription-backed membership access evidence. It does not create or mutate Stripe subscriptions, open Customer Portal sessions, expose raw Stripe IDs, deliver member posts/files, change pricing, or perform direct agent billing writes."},{"id":"create-sandbox-product-download-token","title":"Private R2 product download token","route":"/api/products/download-tokens","kind":"api","auth":"public","sourceOfTruth":"src/lib/product-download-tokens.ts","stableIds":["checkoutIntentId","productEntitlementId","productDownloadTokenId","assetId"],"safeForAgents":["Create a short-lived download token for an active checkout-linked file entitlement","Confirm private R2-backed fixture delivery does not expose private R2 keys or signed object URLs","Inspect token expiry, one-use replay rejection, entitlement scope, and current checkout-state revalidation"],"writeBoundary":"This creates a short-lived token and streams a seeded private R2-backed fixture through Bumpgrade after revalidating current entitlement status, checkout intent linkage, trusted checkout state, and asset scope; protected content, arbitrary asset uploads, destructive revocation, subscription access, and live fulfillment automation require future authenticated confirmed-write APIs."},{"id":"create-public-funnel-resource-delivery-token","title":"Published funnel resource delivery token","route":"/api/funnels/resource-delivery","kind":"api","auth":"public","sourceOfTruth":"src/lib/funnel-resource-delivery.ts + src/lib/product-download-tokens.ts","stableIds":["funnelId","funnelBlockId","funnelResourceDeliveryTokenId","funnelResourceDeliveryReceiptId","checkoutIntentId","productEntitlementId","productId","assetId"],"safeForAgents":["Create a short-lived Bumpgrade download token for a published D1 funnel resource block only when the checkout intent and entitlement match the linked product and file asset","Discover the owner-session agent route for the same scoped token when a verified owner wants agent-created delivery after exact confirmation and published-revision checks","Confirm private R2-backed delivery stays behind Bumpgrade download routes without exposing R2 keys, signed object URLs, buyer data, or raw entitlement rows","Read redacted receipt evidence after successful private download redemption without raw buyer, checkout, entitlement, token, R2, or signed URL data","Distinguish funnel-scoped token minting from arbitrary uploaded asset delivery, live fulfillment automation, live billing, provider-hosted media, or unauthenticated agent writes"],"writeBoundary":"This public API can mint a one-use Bumpgrade download route for a published D1 funnel resource/delivery block after checkout intent, entitlement, product, and file asset scope are revalidated. The owner-session agent route can create the same scoped token after exact confirmation, idempotency, audit correlation, and current published-revision checks. Successful download redemption records redacted receipt evidence with safe funnel, block, product, asset, and source metadata only. Neither route exposes private R2 keys, signed URLs, buyer data, raw funnel rows, raw entitlement rows, raw tokens, arbitrary uploaded assets, live fulfillment mutation, or unauthenticated public agent writes."},{"id":"read-protected-product-content","title":"Protected product content delivery fixture","route":"/api/products/protected-content","kind":"api","auth":"public","sourceOfTruth":"src/lib/product-protected-content.ts","stableIds":["checkoutIntentId","productEntitlementId","productProtectedContentId","productId","entitlementTemplateId"],"safeForAgents":["Read a seeded protected course/member fixture only with a known checkout intent and matching active entitlement","Confirm protected fixture delivery rechecks product/template scope and current paid/completed checkout state","Confirm buyer identity, raw Stripe IDs, webhook IDs, metadata JSON, R2 keys, signed URLs, arbitrary uploaded content, and progress rows are excluded"],"writeBoundary":"This route returns seeded protected fixture bodies for eligible checkout-linked entitlements only. It is not direct public agent write access, arbitrary private upload delivery, signed object URL access, progress tracking, subscription mutation, destructive revocation, or live fulfillment automation."},{"id":"read-admin-product-entitlements","title":"Admin product entitlements","route":"/admin/products","kind":"doc","auth":"owner-session","sourceOfTruth":"D1 tables product_entitlements, product_fulfillment_tasks, product_delivery_gate_links, product_entitlement_revocation_intents, product_protected_content_sections, checkout_intents, commerce_products, and commerce_prices","stableIds":["productId","entitlementTemplateId","productEntitlementId","productDeliveryGateLinkId","productEntitlementRevocationIntentId","productProtectedContentId","fulfillmentTaskId","checkoutIntentId","ownerUserId"],"safeForAgents":["Read private buyer entitlement rows only with an owner session","Inspect checkout status, product/price context, access rule, and queued fulfillment state","Inspect owner-created product delivery-gate links for the seeded offer/funnel path","Inspect owner-visible revocation intent records without removing access","Inspect owner-visible protected content readiness and which sections are eligible for checkout-scoped fixture delivery","Confirm public source-data redacts buyer email, raw Stripe IDs, hashes, metadata JSON, private R2 keys, and signed URLs"],"writeBoundary":"This owner page can inspect entitlement rows, create owner product delivery-gate links, and record non-destructive revocation intent evidence without removing access; protected fixture body delivery happens only through checkout-intent scoped customer checks. Signed object URLs, arbitrary uploaded content delivery, destructive revocation, subscription access changes, refunds, customer portals, private asset delivery, and direct public agent entitlement writes require future confirmed-write APIs."},{"id":"create-owner-product-test-checkout-link","title":"Owner product test checkout link","route":"/api/admin/products/test-checkout-links","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables product_test_checkout_links, commerce_products, commerce_prices, and product_creation_intents","stableIds":["productTestCheckoutLinkId","productId","testPriceId","ownerUserId","idempotencyKey","productUpdatedAt"],"safeForAgents":["Inspect the owner-only product test checkout link confirmation contract","Create a stable buyer-facing test checkout link only with an owner session","Confirm owner writes require exact confirmation, idempotency, and a current product updatedAt stale-state check","Confirm public source-data stays aggregate-only and omits checkout link IDs, owner identity, idempotency keys, raw buyer data, and raw Stripe IDs"],"writeBoundary":"This owner-session API records a buyer-facing test checkout link for an owner-created product after exact confirmation, idempotency, and a current product updatedAt check. It does not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer copy, customer-facing fulfillment delivery, raw buyer exposure, or unauthenticated/direct public agent writes."},{"id":"complete-owner-product-test-checkout","title":"Owner product public test checkout","route":"/api/products/test-checkout","kind":"api","auth":"public","sourceOfTruth":"D1 tables product_test_checkout_purchases, product_test_checkout_links, checkout_intents, product_entitlements, product_fulfillment_tasks, commerce_products, commerce_prices, and payment_audit_events","stableIds":["productTestCheckoutPurchaseId","productTestCheckoutLinkId","productId","checkoutIntentId","productEntitlementId","fulfillmentTaskId","idempotencyKey","linkRevisionId"],"safeForAgents":["Inspect the public test checkout confirmation contract","Create synthetic paid test checkout/access evidence only through a known test checkout link","Use exact confirmation, idempotency, and current link revision checks before creating test access evidence","Confirm responses and source-data omit buyer email, buyer hashes, raw Stripe IDs, and idempotency keys"],"writeBoundary":"This public test-link API creates a synthetic paid checkout intent, entitlement row, fulfillment task evidence, and audit evidence after exact confirmation, idempotency, and a current link revision check. It does not create Stripe Checkout Sessions, live charges, live offer/funnel publishing, arbitrary fulfillment delivery, raw buyer exposure, or unconfirmed agent writes."},{"id":"create-owner-product-delivery-gate-link","title":"Owner product delivery-gate link","route":"/api/admin/products/delivery-gates","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables product_delivery_gate_links, product_test_checkout_links, commerce_products, and product_creation_intents","stableIds":["productDeliveryGateLinkId","productTestCheckoutLinkId","productId","checkoutOfferStackId","offerId","funnelId","ownerUserId","idempotencyKey","productUpdatedAt","linkRevisionId"],"safeForAgents":["Inspect the owner-only product delivery-gate confirmation contract","Link an owner-created product test checkout link to the seeded offer/funnel delivery gates only with an owner session","Confirm writes require exact confirmation, idempotency, a current product updatedAt check, and a current checkout-link revision check","Confirm public source-data stays aggregate-only and omits checkout link IDs, buyer data, owner identity, idempotency keys, private R2 keys, signed URLs, and raw Stripe IDs"],"writeBoundary":"This owner-session API records a delivery-gate link between an owner-created product test checkout link and the seeded offer/funnel path after exact confirmation, idempotency, product stale-state, and link revision checks. It does not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer/funnel state, customer-facing fulfillment delivery, signed URLs, private R2 keys, raw buyer exposure, or unauthenticated/direct public agent writes."},{"id":"create-owner-product-offer-access-grant","title":"Owner product test offer/access grant","route":"/api/admin/products/offer-access-grants","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables product_offer_access_grant_intents, checkout_intents, product_entitlements, product_fulfillment_tasks, commerce_products, commerce_prices, and payment_audit_events","stableIds":["productOfferAccessGrantIntentId","productId","offerId","funnelId","checkoutIntentId","productEntitlementId","fulfillmentTaskId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only product test offer/access grant confirmation contract","Create synthetic paid test checkout/access grant evidence only with an owner session","Confirm public source-data stays aggregate-only and omits buyer email, buyer hashes, checkout intent IDs, entitlement IDs, idempotency keys, raw owner identity, and raw Stripe IDs","Use exact confirmation and idempotency before creating test grant evidence"],"writeBoundary":"This owner-session API records test offer/funnel linkage, a synthetic paid checkout intent, an entitlement row, fulfillment task evidence, and audit evidence after exact confirmation and idempotency. It does not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer copy, customer-facing fulfillment delivery, raw buyer exposure, or unauthenticated/direct public agent writes."},{"id":"create-owner-product-asset-upload-intent","title":"Owner private product asset upload intent","route":"/api/admin/products/assets","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table product_asset_uploads and PRODUCT_ASSETS R2 binding","stableIds":["productAssetUploadIntentId","productId","assetId","ownerUserId","idempotencyKey","catalogRevisionId"],"safeForAgents":["Inspect the owner-only private asset upload confirmation contract","Create small private product asset upload records only with an owner session","Confirm public responses omit R2 object keys, signed URLs, raw upload bodies, raw owner email, buyer data, and private metadata","Use idempotency and catalog revision checks before storing a private payload"],"writeBoundary":"This owner-session API stores small private payloads in PRODUCT_ASSETS and records redacted upload metadata in D1 after exact confirmation, idempotency, and catalog revision checks. It does not make uploaded assets customer-deliverable, create signed URLs, expose object keys, mutate entitlements, or allow unauthenticated/direct public agent writes."},{"id":"create-owner-product-revocation-intent","title":"Owner product revocation intent","route":"/api/admin/products/revocation-intents","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table product_entitlement_revocation_intents","stableIds":["productEntitlementRevocationIntentId","productEntitlementId","productId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only access-removal confirmation contract","Record non-destructive revocation intent records only with an owner session","Confirm public responses omit buyer identity, actor email, actor hash, target entitlement ids in public source-data, Stripe references, private reason notes, and metadata JSON","Use idempotency and current entitlement status checks before recording intent"],"writeBoundary":"This owner-session API records redacted revocation intent metadata in D1 after exact confirmation, idempotency, and stale entitlement status checks. It does not revoke access, mutate entitlement status, issue refunds, change subscriptions, notify customers, expose private reason text, or allow unauthenticated/direct public agent writes."},{"id":"read-audience-automation","title":"Audience automation source data","route":"/audience/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/audience-automation.ts + src/lib/audience-subscribers.ts + src/lib/audience-broadcasts.ts + src/lib/audience-imports.ts + src/lib/audience-exports.ts + src/lib/audience-sequence-readiness.ts + src/lib/audience-sequence-dispatch-preflights.ts + src/lib/audience-sequence-dispatch-attempts.ts + src/lib/audience-sequence-queue-producer-readiness.ts + src/lib/audience-sequence-queue-consumer-readiness.ts + src/lib/audience-sequence-provider-call-readiness.ts + src/lib/audience-sequence-delivery-attempt-readiness.ts + src/lib/audience-sequence-delivery-result-readiness.ts + src/lib/audience-sequence-delivery-status-webhook-readiness.ts + src/lib/audience-sequence-provider-polling-readiness.ts + src/lib/audience-sequence-receipt-payload-readiness.ts","stableIds":["subscriberId","subscriberInspectionId","subscriberSegmentId","optInFormId","leadMagnetId","subscriberTagId","emailSequenceId","sequenceEnrollmentPauseId","sequenceDeliveryReadinessId","sequenceScheduleIntentId","sequenceDeliveryBatchId","sequenceDeliveryQueueMessageId","sequenceDispatchPreflightId","sequenceDispatchAttemptId","sequenceQueueProducerReadinessId","sequenceQueueConsumerReadinessId","sequenceProviderCallReadinessId","sequenceDeliveryAttemptReadinessId","sequenceDeliveryResultReadinessId","sequenceDeliveryStatusWebhookReadinessId","sequenceProviderPollingReadinessId","sequenceReceiptPayloadReadinessId","sequenceTestSendId","automationRuleId","broadcastDraftId","broadcastReadinessId","consentRecordId","suppressionEntryId","timelineEntryId","agentActionId","broadcastScheduleIntentId","broadcastPreviewSafetyId","broadcastQueueReadinessId","broadcastDeliveryBatchId","broadcastDeliveryQueueMessageId","broadcastDispatchPreflightId","broadcastDispatchAttemptId","broadcastTestSendId","broadcastSenderDomainReadinessId","broadcastProviderEventReadinessId","broadcastProviderRateLimitReadinessId","broadcastProviderResponseReadinessId","broadcastSendPayloadReadinessId","broadcastQueueProducerReadinessId","broadcastQueueConsumerReadinessId","audienceImportIntentId","audienceImportPreflightId","audienceExportReadinessId"],"safeForAgents":["Read seeded opt-in form","Inspect tags and segments","Inspect consent-backed capture boundary","Inspect aggregate unsubscribe-paused sequence enrollment evidence without contact identity","Inspect aggregate sequence delivery readiness without body templates, unsubscribe URLs, recipient payloads, queue payloads, provider sends, or provider message IDs","Inspect public-safe dry-run sequence schedule intent counts without actor email, recipient payloads, personalized bodies, unsubscribe URLs, queue payloads, provider sends, or provider message IDs","Inspect public-safe dry-run sequence delivery-batch, queue-message, dispatch preflight, and dispatch-attempt counts without actor email, delivery queue payloads, queue payload bodies, recipient payloads, personalized bodies, unsubscribe URLs, provider sends, provider responses, or provider message IDs","Inspect public-safe sequence Queue producer readiness without enabling Queue producers, Queue messages, queue payload bodies, recipient payloads, provider sends, provider responses, or provider message IDs","Inspect public-safe sequence Queue consumer readiness without enabling Queue consumers, consuming or acking Queue messages, creating retry/dead-letter rows, reading queue payload bodies, recipient payloads, provider sends, provider responses, or provider message IDs","Inspect public-safe sequence provider-call readiness without making provider calls, sending messages, creating delivery attempts, delivery results, webhooks, receipts, provider responses, or provider message IDs","Inspect public-safe sequence delivery-attempt readiness without creating delivery attempts, delivery results, webhooks, receipts, provider responses, provider message IDs, recipient payloads, personalized bodies, or unsubscribe URLs","Inspect public-safe sequence delivery-result readiness without creating delivery results, webhooks, receipts, provider responses, provider message IDs, delivery attempts, recipient payloads, personalized bodies, or unsubscribe URLs","Inspect public-safe sequence delivery-status webhook readiness without processing status webhooks, reading webhook payloads, polling providers, creating receipts, provider responses, provider message IDs, delivery attempts, delivery results, recipient payloads, personalized bodies, or unsubscribe URLs","Inspect public-safe sequence provider-polling readiness without polling providers, reading polling payloads, creating polling results, receipt payloads, receipts, provider responses, provider message IDs, delivery attempts, delivery results, recipient payloads, personalized bodies, or unsubscribe URLs","Inspect public-safe sequence receipt-payload readiness without polling providers, reading webhook or polling payloads, creating polling results, receipt payloads, delivery receipts, provider responses, provider message IDs, delivery attempts, delivery results, recipient payloads, personalized bodies, or unsubscribe URLs","Inspect aggregate owner-subscriber, suppression, and timeline counts with redaction flags","Inspect suppression-aware broadcast readiness without recipient exposure","Inspect public-safe dry-run broadcast schedule intent counts without actor email or recipient payloads","Inspect broadcast preview and unsubscribe-footer safety without personalized body or recipient exposure","Inspect delivery queue readiness without recipient payloads, queue rows, or provider sends","Inspect delivery-batch dry runs without recipient payloads, queue messages, or provider sends","Inspect delivery queue message dry runs without Cloudflare Queue dispatch, recipient payloads, or provider sends","Inspect dispatch preflight dry runs without Cloudflare Queue dispatch, recipient payloads, or provider sends","Inspect dispatch attempt receipts without Cloudflare Queue producers, queue payload bodies, provider responses, or provider sends","Inspect owner-only broadcast and sequence test-send evidence without raw recipient email, subscriber payloads, Queue messages, public agent sends, or provider message IDs","Inspect sender-domain readiness without private DNS credentials, raw DNS records, provider secrets, or provider sends","Inspect provider-event readiness without provider secrets, raw provider payloads, provider responses, or provider message IDs","Inspect provider rate-limit readiness without provider secrets, provider limit secrets, raw provider payloads, provider responses, or provider message IDs","Inspect provider response readiness without provider secrets, raw response bodies, provider responses, or provider message IDs","Inspect send-payload readiness without recipient payloads, personalized bodies, raw payload bodies, queue producers, or provider sends","Inspect Queue producer readiness without Queue messages, queue payload bodies, recipient payloads, or provider sends","Inspect Queue consumer readiness without Queue message consumption, acks, retry/dead-letter rows, queue payload body reads, recipient payloads, or provider sends","Inspect owner-confirmed import intents without raw contact rows, raw emails, actor emails, private notes, sequence enrollments, or sends","Inspect owner-confirmed import preflights without raw contact rows, raw emails, subscriber writes, exports, actor emails, private notes, sequence enrollments, or sends","Inspect aggregate audience export readiness without raw emails, subscriber IDs, export files, or export URLs","Inspect the public-safe unsubscribe/suppression write boundary","Inspect the owner-only CRM timeline note boundary","Inspect sequence and automation boundaries"],"writeBoundary":"Public visitors can submit the seeded opt-in form with explicit consent and can record unsubscribe/suppression evidence without exposing list membership; known subscriber unsubscribe also pauses draft sequence enrollment state while public responses stay membership-safe. Verified owners can inspect private subscriber rows, create private CRM notes, view aggregate sequence delivery readiness, sequence schedule-intent dry runs, sequence delivery-batch dry runs, sequence queue-message dry runs, sequence dispatch preflight dry runs, sequence dispatch attempt receipts, sequence Queue producer readiness, sequence Queue consumer readiness, sequence provider-call readiness, sequence delivery-attempt readiness, sequence delivery-result readiness, sequence delivery-status webhook readiness, owner-only sequence test sends, broadcast readiness, preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, owner-only broadcast test sends, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, redacted import intents, redacted import preflights, and aggregate export readiness, and record dry-run sequence schedule intents, sequence delivery batches, sequence queue-message evidence, sequence dispatch preflight evidence, sequence dispatch attempt receipts, sequence Queue producer readiness gates, sequence Queue consumer readiness gates, sequence provider-call readiness gates, sequence delivery-attempt readiness gates, sequence delivery-result readiness gates, sequence delivery-status webhook readiness gates, owner-only sequence test sends, broadcast schedule intents, delivery batches, queue-message evidence, dispatch preflight evidence, dispatch attempt receipts, owner-only broadcast test sends, non-destructive import intents, and aggregate import preflights in /admin/audience; real contact imports, subscriber email delivery, real sequence scheduling, broadcast blasts, private exports, export file creation, direct agent subscriber writes, private DNS/provider setup, provider webhooks, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider calls, delivery attempts, provider responses, provider message IDs, delivery results, webhooks, polling, and receipts require future confirmed-write APIs."},{"id":"create-owner-sequence-schedule-intent","title":"Owner sequence schedule dry-run intent","route":"/api/admin/audience/sequences/schedule-intents","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_schedule_intents, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceScheduleIntentId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only dry-run sequence schedule intent contract","Create dry-run sequence schedule intent records only with an owner session and exact confirmation","Use workspace revision, sequence status, expected readiness count, and idempotency checks before recording intent","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, recipient payloads, personalized bodies, unsubscribe URLs, delivery queue rows, and provider message IDs"],"writeBoundary":"This owner-session API records dry-run sequence schedule intent metadata only. It does not schedule sequence steps, create delivery queue rows, create recipient payloads, create personalized bodies, expose unsubscribe URLs, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, rate-limit, and audit requirements."},{"id":"create-owner-sequence-delivery-batch","title":"Owner sequence delivery batch dry run","route":"/api/admin/audience/sequences/delivery-batches","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_delivery_batches, audience_sequence_schedule_intents, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDeliveryBatchId","sequenceScheduleIntentId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only dry-run sequence delivery-batch contract","Create dry-run sequence delivery batch records only with an owner session and exact confirmation","Use schedule intent, workspace revision, sequence status, expected readiness count, and idempotency checks before recording batch evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, recipient payloads, personalized bodies, body templates, unsubscribe URLs, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate dry-run sequence delivery-batch metadata only. It does not schedule sequence steps, create delivery queue rows, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, rate-limit, and audit requirements."},{"id":"create-owner-sequence-delivery-queue-messages","title":"Owner sequence delivery queue-message dry run","route":"/api/admin/audience/sequences/delivery-queue-messages","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_delivery_queue_messages, audience_sequence_delivery_batches, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","sequenceScheduleIntentId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only dry-run sequence queue-message contract","Create dry-run sequence queue-message records only with an owner session and exact confirmation","Use sequence delivery batch, workspace revision, sequence status, expected readiness count, and idempotency checks before recording queue-message evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate dry-run sequence queue-message metadata only. It does not schedule sequence steps, create delivery queue rows, create Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, rate-limit, Queue producer, Queue consumer, and audit requirements."},{"id":"create-owner-sequence-dispatch-preflight","title":"Owner sequence dispatch preflight dry run","route":"/api/admin/audience/sequences/dispatch-preflights","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_dispatch_preflights, audience_sequence_delivery_queue_messages, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only dry-run sequence dispatch preflight contract","Create dry-run sequence dispatch preflight records only with an owner session and exact confirmation","Use sequence queue-message evidence, workspace revision, sequence status, expected readiness count, provider-limit, suppression, sender-domain, audit, and idempotency checks before recording dispatch preflight evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate dry-run sequence dispatch preflight metadata only. It does not schedule sequence steps, create delivery queue rows, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue producer, Queue consumer, and audit requirements."},{"id":"create-owner-sequence-dispatch-attempt","title":"Owner sequence dispatch attempt receipt","route":"/api/admin/audience/sequences/dispatch-attempts","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_dispatch_attempts, audience_sequence_dispatch_preflights, audience_sequence_delivery_queue_messages, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only dry-run sequence dispatch attempt receipt contract","Create dry-run sequence dispatch attempt receipts only with an owner session and exact confirmation","Use sequence dispatch preflight evidence, workspace revision, sequence status, expected readiness count, provider-limit, suppression, sender-domain, Queue producer, Queue consumer, audit, and idempotency checks before recording attempt evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate dry-run sequence dispatch attempt receipt metadata only. It does not schedule sequence steps, create delivery queue rows, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue producer, Queue consumer, and audit requirements."},{"id":"create-owner-sequence-queue-producer-readiness","title":"Owner sequence Queue producer readiness","route":"/api/admin/audience/sequences/queue-producer-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_queue_producer_readiness, audience_sequence_dispatch_attempts, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence Queue producer readiness contract","Create sequence Queue producer readiness records only with an owner session and exact confirmation","Use sequence dispatch attempt evidence, workspace revision, sequence status, expected readiness count, payload, consumer, provider-limit, suppression, sender-domain, audit, and idempotency checks before recording producer readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence Queue producer readiness metadata only. It does not schedule sequence steps, create delivery queue rows, enable Cloudflare Queue producers, create Queue messages, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue consumer, payload, and audit requirements."},{"id":"create-owner-sequence-queue-consumer-readiness","title":"Owner sequence Queue consumer readiness","route":"/api/admin/audience/sequences/queue-consumer-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_queue_consumer_readiness, audience_sequence_queue_producer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence Queue consumer readiness contract","Create sequence Queue consumer readiness records only with an owner session and exact confirmation","Use current sequence Queue producer readiness evidence, workspace revision, sequence status, expected readiness count, payload-read, ack, retry, dead-letter, provider-handoff, backpressure, audit, and idempotency checks before recording consumer readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, queue ack/retry/dead-letter rows, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence Queue consumer readiness metadata only. It does not schedule sequence steps, create delivery queue rows, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, send email, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue producer, payload, provider-handoff, and audit requirements."},{"id":"create-owner-sequence-provider-call-readiness","title":"Owner sequence provider-call readiness","route":"/api/admin/audience/sequences/provider-call-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceProviderCallReadinessId","sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence provider-call readiness contract","Create sequence provider-call readiness records only with an owner session and exact confirmation","Use current sequence Queue consumer readiness evidence, workspace revision, sequence status, expected readiness count, provider-response, message-ID, delivery-attempt, receipt, backpressure, audit, and idempotency checks before recording provider-call readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, Queue ack/retry/dead-letter rows, provider call bodies, delivery attempts, delivery results, webhooks, receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence provider-call readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, Queue consumer, response, receipt, and audit requirements."},{"id":"create-owner-sequence-delivery-attempt-readiness","title":"Owner sequence delivery-attempt readiness","route":"/api/admin/audience/sequences/delivery-attempt-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDeliveryAttemptReadinessId","sequenceProviderCallReadinessId","sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence delivery-attempt readiness contract","Create sequence delivery-attempt readiness records only with an owner session and exact confirmation","Use current sequence provider-call readiness evidence, workspace revision, sequence status, expected readiness count, provider-response, message-ID, delivery-attempt, receipt, backpressure, audit, and idempotency checks before recording delivery-attempt readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, Queue ack/retry/dead-letter rows, delivery attempt bodies, delivery attempts, delivery results, webhooks, receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence delivery-attempt readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, response, receipt, and audit requirements."},{"id":"create-owner-sequence-delivery-result-readiness","title":"Owner sequence delivery-result readiness","route":"/api/admin/audience/sequences/delivery-result-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDeliveryResultReadinessId","sequenceDeliveryAttemptReadinessId","sequenceProviderCallReadinessId","sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence delivery-result readiness contract","Create sequence delivery-result readiness records only with an owner session and exact confirmation","Use current sequence delivery-attempt readiness evidence, workspace revision, sequence status, expected readiness count, delivery-result, webhook, receipt, backpressure, audit, and idempotency checks before recording delivery-result readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, Queue ack/retry/dead-letter rows, delivery result bodies, delivery attempts, delivery results, webhooks, receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence delivery-result readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, webhook, receipt, and audit requirements."},{"id":"create-owner-sequence-delivery-status-webhook-readiness","title":"Owner sequence delivery-status webhook readiness","route":"/api/admin/audience/sequences/delivery-status-webhook-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_delivery_status_webhook_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceDeliveryStatusWebhookReadinessId","sequenceDeliveryResultReadinessId","sequenceDeliveryAttemptReadinessId","sequenceProviderCallReadinessId","sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence delivery-status webhook readiness contract","Create sequence delivery-status webhook readiness records only with an owner session and exact confirmation","Use current sequence delivery-result readiness evidence, workspace revision, sequence status, expected readiness count, webhook, polling, receipt, backpressure, audit, and idempotency checks before recording delivery-status webhook readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, webhook payloads, provider polling payloads, receipt payloads, Queue ack/retry/dead-letter rows, delivery attempts, delivery results, webhooks, receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence delivery-status webhook readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, read or create webhook payloads, poll providers, create provider polling results, create receipt payloads, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, delivery-result, receipt, and audit requirements."},{"id":"create-owner-sequence-provider-polling-readiness","title":"Owner sequence provider-polling readiness","route":"/api/admin/audience/sequences/provider-polling-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_provider_polling_readiness, audience_sequence_delivery_status_webhook_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceProviderPollingReadinessId","sequenceDeliveryStatusWebhookReadinessId","sequenceDeliveryResultReadinessId","sequenceDeliveryAttemptReadinessId","sequenceProviderCallReadinessId","sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence provider-polling readiness contract","Create sequence provider-polling readiness records only with an owner session and exact confirmation","Use current sequence delivery-status webhook readiness evidence, workspace revision, sequence status, expected readiness count, polling, receipt, backpressure, audit, and idempotency checks before recording provider-polling readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, webhook payloads, provider polling payloads, receipt payloads, Queue ack/retry/dead-letter rows, delivery attempts, delivery results, webhooks, receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence provider-polling readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, read or create webhook payloads, poll providers, read or create provider polling payloads, create provider polling results, create receipt payloads, create receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, delivery-result, delivery-status webhook, receipt, reconciliation, and audit requirements. Issue #378 tracks this slice."},{"id":"create-owner-sequence-receipt-payload-readiness","title":"Owner sequence receipt-payload readiness","route":"/api/admin/audience/sequences/receipt-payload-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_sequence_receipt_payload_readiness, audience_sequence_provider_polling_readiness, audience_sequence_delivery_status_webhook_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_provider_call_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_enrollments, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["sequenceReceiptPayloadReadinessId","sequenceProviderPollingReadinessId","sequenceDeliveryStatusWebhookReadinessId","sequenceDeliveryResultReadinessId","sequenceDeliveryAttemptReadinessId","sequenceProviderCallReadinessId","sequenceQueueConsumerReadinessId","sequenceQueueProducerReadinessId","sequenceDispatchAttemptId","sequenceDispatchPreflightId","sequenceDeliveryQueueMessageId","sequenceDeliveryBatchId","emailSequenceId","ownerUserId","idempotencyKey","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence receipt-payload readiness contract","Create sequence receipt-payload readiness records only with an owner session and exact confirmation","Use current sequence provider-polling readiness evidence, workspace revision, sequence status, expected readiness count, receipt-payload, delivery-receipt, retention, redaction, backpressure, audit, and idempotency checks before recording receipt-payload readiness","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, delivery queue payloads, Cloudflare Queue payloads, queue payload bodies, webhook payloads, provider polling payloads, receipt payloads, Queue ack/retry/dead-letter rows, delivery attempts, delivery results, webhooks, delivery receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate sequence receipt-payload readiness metadata only. It does not schedule sequence steps, create delivery queue rows, make provider calls, send email, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, read or create webhook payloads, poll providers, read or create provider polling payloads, create provider polling results, create receipt payloads, create delivery receipts, enable Cloudflare Queue consumers, consume Queue messages, ack Queue messages, create retry rows, create dead-letter rows, read queue payload bodies, create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, create unsubscribe URLs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, provider-limit, provider-call, delivery-attempt, delivery-result, delivery-status webhook, provider-polling, delivery-receipt, reconciliation, and audit requirements. Issue #380 tracks this slice."},{"id":"create-owner-broadcast-schedule-intent","title":"Owner broadcast schedule dry-run intent","route":"/api/admin/audience/broadcasts/schedule-intents","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_broadcast_schedule_intents, audience_broadcast_drafts, audience_subscribers, audience_consent_events, and audience_suppression_entries","stableIds":["broadcastScheduleIntentId","broadcastDraftId","ownerUserId","idempotencyKey","expectedDraftUpdatedAt"],"safeForAgents":["Inspect the owner-only dry-run schedule intent contract","Create dry-run schedule intent records only with an owner session and exact confirmation","Use draft revision, expected readiness count, and idempotency checks before recording intent","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, recipient payloads, send queue rows, and provider message IDs"],"writeBoundary":"This owner-session API records dry-run broadcast schedule intent metadata only. It does not send email, create send queue rows, create provider message IDs, expose recipients, authorize public agent writes, or bypass future unsubscribe footer, sender-domain, suppression, and audit requirements."},{"id":"create-owner-broadcast-delivery-batch","title":"Owner broadcast delivery batch dry run","route":"/api/admin/audience/broadcasts/delivery-batches","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_broadcast_delivery_batches, audience_broadcast_schedule_intents, audience_broadcast_drafts, audience_broadcast_preview_safety, and audience_broadcast_queue_readiness","stableIds":["broadcastDeliveryBatchId","broadcastScheduleIntentId","broadcastDraftId","ownerUserId","idempotencyKey","expectedDraftUpdatedAt"],"safeForAgents":["Inspect the owner-only delivery-batch dry-run contract","Create dry-run delivery batch records only with an owner session and exact confirmation","Use schedule intent, draft revision, expected readiness count, preview safety, queue readiness, and idempotency checks before recording batch evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, recipient payloads, send queue messages, personalized bodies, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate delivery-batch dry-run metadata only. It does not send email, create recipient payloads, enqueue provider messages, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, and audit requirements."},{"id":"create-owner-broadcast-delivery-queue-messages","title":"Owner broadcast delivery queue message dry run","route":"/api/admin/audience/broadcasts/delivery-queue-messages","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_broadcast_delivery_queue_messages, audience_broadcast_delivery_batches, audience_broadcast_drafts, and audience_broadcast_queue_readiness","stableIds":["broadcastDeliveryQueueMessageId","broadcastDeliveryBatchId","broadcastDraftId","ownerUserId","idempotencyKey","expectedDraftUpdatedAt"],"safeForAgents":["Inspect the owner-only queue-message dry-run contract","Create dry-run queue-message evidence only with an owner session and exact confirmation","Use delivery batch, draft revision, expected readiness count, queue readiness, and idempotency checks before recording queue-message evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, recipient payloads, Cloudflare Queue message bodies, personalized bodies, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate queue-message dry-run metadata only. It does not send email, dispatch Cloudflare Queue messages, create recipient payloads, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, dispatch, and audit requirements."},{"id":"create-owner-broadcast-dispatch-preflight","title":"Owner broadcast dispatch preflight dry run","route":"/api/admin/audience/broadcasts/dispatch-preflights","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_broadcast_dispatch_preflights, audience_broadcast_delivery_queue_messages, audience_broadcast_drafts, and audience_broadcast_queue_readiness","stableIds":["broadcastDispatchPreflightId","broadcastDeliveryQueueMessageId","broadcastDraftId","ownerUserId","idempotencyKey","expectedDraftUpdatedAt"],"safeForAgents":["Inspect the owner-only dispatch preflight dry-run contract","Create dry-run dispatch preflight evidence only with an owner session and exact confirmation","Use queue-message evidence, draft revision, expected readiness count, provider-limit, sender-domain, suppression, audit, and idempotency checks before recording dispatch preflight evidence","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, recipient payloads, Cloudflare Queue message bodies, personalized bodies, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate dispatch preflight dry-run metadata only. It does not send email, dispatch Cloudflare Queue messages, create recipient payloads, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, queue-dispatch, and audit requirements."},{"id":"create-owner-broadcast-dispatch-attempt","title":"Owner broadcast dispatch attempt receipt","route":"/api/admin/audience/broadcasts/dispatch-attempts","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_broadcast_dispatch_attempts, audience_broadcast_dispatch_preflights, audience_broadcast_drafts, and audience_broadcast_queue_readiness","stableIds":["broadcastDispatchAttemptId","broadcastDispatchPreflightId","broadcastDraftId","ownerUserId","idempotencyKey","expectedDraftUpdatedAt"],"safeForAgents":["Inspect the owner-only dispatch attempt receipt contract","Create dry-run dispatch attempt receipts only with an owner session and exact confirmation","Use dispatch preflight evidence, draft revision, expected readiness count, queue producer mode, provider response gate, and idempotency checks before recording a receipt","Confirm responses omit actor email, recipient email, recipient names, suppression hashes, recipient payloads, Cloudflare Queue message bodies, queue payload bodies, personalized bodies, provider responses, and provider message IDs"],"writeBoundary":"This owner-session API records aggregate dispatch attempt receipt metadata only. It does not send email, dispatch Cloudflare Queue messages, create queue payload bodies, create recipient payloads, create provider responses, create provider message IDs, expose recipients, authorize public agent writes, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, queue-dispatch, and audit requirements."},{"id":"create-owner-sequence-test-send","title":"Owner sequence test send","route":"/api/admin/audience/sequences/test-sends","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table audience_sequence_test_sends and /audience/source-data sequence readiness records","stableIds":["sequenceTestSendId","emailSequenceId","emailSequenceStepId","ownerUserId","idempotencyKey","auditCorrelationId","expectedWorkspaceRevisionId"],"safeForAgents":["Inspect the owner-only sequence test-send confirmation contract","Create one owner-only sequence-step test-send record only with an owner session and exact confirmation","Use workspace revision, expected sequence status, expected readiness count, idempotency, and audit correlation before sending","Confirm responses omit raw owner email, recipient email hashes, actor hashes, idempotency keys, confirmation hashes, raw email bodies, provider errors, subscriber payloads, Queue messages, public agent sends, and provider message IDs"],"writeBoundary":"This owner-session API sends the seeded sequence-step preview only to the verified owner-session email through the configured Cloudflare Email binding or test capture, then stores redacted D1 evidence. It does not send to subscribers, create recipient payloads, dispatch or consume Cloudflare Queue messages, expose raw recipient email, expose raw email body, create provider message IDs, authorize public agent sequence sends, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, Queue, provider-response, webhook, retry, and dead-letter requirements. Issue #420 tracks this slice."},{"id":"create-owner-broadcast-test-send","title":"Owner broadcast test send","route":"/api/admin/audience/broadcasts/test-sends","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table audience_broadcast_test_sends, audience_broadcast_drafts, and audience_broadcast_preview_safety","stableIds":["broadcastTestSendId","broadcastDraftId","ownerUserId","idempotencyKey","auditCorrelationId","expectedDraftUpdatedAt"],"safeForAgents":["Inspect the owner-only broadcast test-send confirmation contract","Create one owner-only test-send record only with an owner session and exact confirmation","Use draft revision, expected readiness count, preview/footer safety, idempotency, and audit correlation before sending","Confirm responses omit raw owner email, recipient email hashes, actor hashes, idempotency keys, confirmation hashes, raw email bodies, provider errors, subscriber payloads, public agent sends, and provider message IDs"],"writeBoundary":"This owner-session API sends the seeded broadcast preview only to the verified owner-session email through the configured Cloudflare Email binding or test capture, then stores redacted D1 evidence. It does not send to subscribers, create recipient payloads, dispatch Cloudflare Queue messages, expose raw recipient email, expose raw email body, create provider message IDs, authorize public agent broadcast sends, or bypass future sender-domain, suppression, unsubscribe footer, provider-limit, Queue, provider-response, webhook, retry, and dead-letter requirements. Issue #420 tracks this slice."},{"id":"create-audience-unsubscribe-suppression","title":"Audience unsubscribe suppression","route":"/api/audience/unsubscribe","kind":"api","auth":"public","sourceOfTruth":"D1 table audience_suppression_entries, subscriber status in audience_subscribers, and paused rows in audience_sequence_enrollments","stableIds":["suppressionEntryId","sequenceEnrollmentPauseId","idempotencyKey"],"safeForAgents":["Inspect the unsubscribe/suppression confirmation contract","Record a public-safe unsubscribe preference only for the submitted email","Confirm responses do not reveal whether the email was already subscribed","Confirm sequence enrollment pause state is exposed only through aggregate source-data or owner views","Use idempotency before replaying a preference write"],"writeBoundary":"This public API records hashed unsubscribe/suppression evidence, marks known subscribers unsubscribed, and pauses known draft sequence enrollments without revealing list membership. It does not send email, export subscribers, expose suppression hashes or reasons publicly, include sequence state in public responses, or authorize direct agent subscriber management."},{"id":"create-owner-audience-crm-note","title":"Owner audience CRM timeline note","route":"/api/admin/audience/notes","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table audience_timeline_entries","stableIds":["timelineEntryId","subscriberId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only CRM note confirmation contract","Create a short private timeline note only with an owner session","Confirm public source-data exposes note counts and redaction flags, not note bodies","Use exact confirmation, idempotency, and expected subscriber status before writing"],"writeBoundary":"This owner-session API stores private audience timeline notes after exact confirmation, idempotency, and expected subscriber-status checks. It does not expose note bodies publicly, import contacts, send email, schedule broadcasts, export private data, or authorize unauthenticated/direct public agent writes."},{"id":"create-owner-audience-import-intent","title":"Owner audience import intent","route":"/api/admin/audience/import-intents","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table audience_import_intents","stableIds":["audienceImportIntentId","workspaceId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only audience import intent confirmation contract","Record non-destructive import intent metadata only with an owner session","Use exact confirmation, idempotency, workspace revision/status checks, and aggregate counts before writing","Confirm responses omit raw contact rows, raw emails, actor emails, actor hashes, private notes, CSV bodies, provider payloads, sequence enrollments, and send state"],"writeBoundary":"This owner-session API records redacted import intent metadata in D1 after exact confirmation, idempotency, and workspace stale-state checks. It does not import contacts, create subscribers, store raw emails or contact rows, enroll sequences, send email, expose private notes, or allow unauthenticated/direct public agent subscriber writes."},{"id":"create-owner-audience-import-preflight","title":"Owner audience import preflight","route":"/api/admin/audience/import-preflights","kind":"api","auth":"owner-session","sourceOfTruth":"D1 tables audience_import_preflights and audience_import_intents","stableIds":["audienceImportPreflightId","audienceImportIntentId","workspaceId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only audience import preflight confirmation contract","Record aggregate import preflight evidence only with an owner session","Use exact confirmation, idempotency, workspace revision/status checks, selected import-intent checks, and aggregate eligibility counts before writing","Confirm responses omit raw contact rows, raw emails, subscriber writes, actor emails, actor hashes, private notes, CSV bodies, provider payloads, exports, sequence enrollments, and send state"],"writeBoundary":"This owner-session API records redacted import preflight evidence in D1 after exact confirmation, idempotency, workspace stale-state checks, selected import-intent source checks, and aggregate count validation. It does not import contacts, create subscribers, store raw emails or contact rows, enroll sequences, export private data, send email, expose private notes, or allow unauthenticated/direct public agent subscriber writes."},{"id":"read-admin-audience-subscribers","title":"Admin audience subscribers","route":"/admin/audience","kind":"doc","auth":"owner-session","sourceOfTruth":"D1 tables audience_subscribers, audience_consent_events, audience_tag_assignments, audience_sequence_enrollments, audience_sequence_schedule_intents, audience_sequence_delivery_batches, audience_sequence_delivery_queue_messages, audience_sequence_dispatch_preflights, audience_sequence_dispatch_attempts, audience_sequence_queue_producer_readiness, audience_sequence_queue_consumer_readiness, audience_sequence_provider_call_readiness, audience_sequence_delivery_attempt_readiness, audience_sequence_delivery_result_readiness, audience_sequence_delivery_status_webhook_readiness, audience_sequence_test_sends, audience_suppression_entries, audience_timeline_entries, audience_import_intents, and audience_import_preflights","stableIds":["subscriberId","subscriberSegmentId","subscriberTagId","emailSequenceId","sequenceDeliveryReadinessId","sequenceScheduleIntentId","sequenceDeliveryBatchId","sequenceDeliveryQueueMessageId","sequenceDispatchPreflightId","sequenceDispatchAttemptId","sequenceQueueProducerReadinessId","sequenceQueueConsumerReadinessId","sequenceProviderCallReadinessId","sequenceDeliveryAttemptReadinessId","sequenceDeliveryResultReadinessId","sequenceDeliveryStatusWebhookReadinessId","sequenceTestSendId","consentRecordId","suppressionEntryId","timelineEntryId","audienceImportIntentId","audienceImportPreflightId","audienceExportReadinessId","ownerUserId"],"safeForAgents":["Read private subscriber rows only with an owner session","Inspect consent counts, active tags, source form, draft sequence enrollment state, suppression totals, and private timeline notes","Inspect owner-visible aggregate sequence delivery readiness, dry-run sequence schedule intents, dry-run sequence delivery batches, dry-run sequence queue-message records, dry-run sequence dispatch preflight records, dry-run sequence dispatch attempt receipts, sequence Queue producer readiness gates, sequence Queue consumer readiness gates, sequence provider-call readiness gates, sequence delivery-attempt readiness gates, sequence delivery-result readiness gates, sequence delivery-status webhook readiness gates, owner-only sequence test sends, import intent, import preflight, and aggregate export readiness records without subscriber sending, importing, processing webhooks, polling providers, creating receipts, or exporting contacts","Confirm public source-data redacts email, name, suppression hashes, reasons, private note bodies, actor emails, raw IP, raw user agent, and private metadata"],"writeBoundary":"This owner page can create private CRM notes through the owner note API, record dry-run sequence schedule intents through the sequence schedule-intent API, record dry-run sequence delivery batches through the sequence delivery-batch API, record dry-run sequence queue-message evidence through the sequence delivery queue-message API, record dry-run sequence dispatch preflight evidence through the sequence dispatch preflight API, record dry-run sequence dispatch attempt receipts through the sequence dispatch attempt API, record sequence Queue producer readiness through the sequence Queue producer readiness API, record sequence Queue consumer readiness through the sequence Queue consumer readiness API, record sequence provider-call readiness through the sequence provider-call readiness API, record sequence delivery-attempt readiness through the sequence delivery-attempt readiness API, record sequence delivery-result readiness through the sequence delivery-result readiness API, record sequence delivery-status webhook readiness through the sequence delivery-status webhook readiness API, record owner-only sequence test sends through the sequence test-send API, record non-destructive import intents through the import intent API, record aggregate import preflights through the import preflight API, and inspect aggregate sequence delivery and export readiness; real imports, real sequence scheduling, subscriber sends, broadcasts, Cloudflare Queue producer execution, Queue messages, queue payload bodies, delivery attempts, delivery results, status webhooks, webhook payloads, provider polling, receipt payloads, receipts, private exports, export file creation, CRM automation, and direct agent subscriber writes require future confirmed-write APIs."},{"id":"read-analytics-experiments","title":"Analytics and experiments source data","route":"/analytics/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/analytics-experiments.ts + src/lib/analytics-conversion-report.ts + src/lib/analytics-experiment-winner-rollouts.ts","stableIds":["analyticsEventId","analyticsEventIngestionId","analyticsPageViewBeaconId","analyticsEventVariantAggregateId","analyticsEventSourceAggregateId","analyticsExperimentTrafficRoutingId","analyticsExperimentHoldoutRoutingId","analyticsExperimentCustomRoutingRuleId","analyticsExperimentRoutingSignal","experimentAssignmentId","analyticsExperimentDecisionId","analyticsExperimentWinnerRolloutId","analyticsExperimentWinnerRolloutStatus","analyticsExperimentWinnerRolloutRevision","analyticsReportExportId","analyticsReportExportSectionId","analyticsCohortFixtureId","analyticsCohortComparisonId","analyticsCohortReviewId","analyticsCohortReviewStatus","analyticsAlertThresholdId","analyticsAnomalyReviewId","analyticsAnomalyReviewStatus","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsNotificationReadinessStatus","analyticsNotificationInboxRecordId","analyticsNotificationInboxStatus","analyticsNotificationDispatchPreflightId","analyticsNotificationDispatchPreflightStatus","analyticsNotificationProviderDomainReadinessId","analyticsNotificationProviderDomainReadinessStatus","analyticsNotificationProviderDomainReadinessDisposition","analyticsNotificationContentConsentReadinessId","analyticsNotificationContentConsentReadinessStatus","analyticsNotificationContentConsentReadinessDisposition","analyticsNotificationSendPayloadReadinessId","analyticsNotificationSendPayloadReadinessStatus","analyticsNotificationSendPayloadReadinessDisposition","analyticsNotificationQueueProducerReadinessId","analyticsNotificationQueueProducerReadinessStatus","analyticsNotificationQueueProducerReadinessDisposition","analyticsNotificationQueueConsumerReadinessId","analyticsNotificationQueueConsumerReadinessStatus","analyticsNotificationQueueConsumerReadinessDisposition","analyticsNotificationProviderCallReadinessId","analyticsNotificationProviderCallReadinessStatus","analyticsNotificationProviderCallReadinessDisposition","analyticsNotificationDeliveryAttemptReadinessId","analyticsNotificationDeliveryAttemptReadinessStatus","analyticsNotificationDeliveryAttemptReadinessDisposition","analyticsNotificationDeliveryResultReadinessId","analyticsNotificationDeliveryResultReadinessStatus","analyticsNotificationDeliveryResultReadinessDisposition","analyticsNotificationDeliveryStatusWebhookReadinessId","analyticsNotificationDeliveryStatusWebhookReadinessStatus","analyticsNotificationDeliveryStatusWebhookReadinessDisposition","analyticsNotificationProviderPollingReadinessId","analyticsNotificationProviderPollingReadinessStatus","analyticsNotificationProviderPollingReadinessDisposition","analyticsNotificationReceiptPayloadReadinessId","analyticsNotificationReceiptPayloadReadinessStatus","analyticsNotificationReceiptPayloadReadinessDisposition","analyticsNotificationDeliveryReceiptReadinessId","analyticsNotificationDeliveryReceiptReadinessStatus","analyticsNotificationDeliveryReceiptReadinessDisposition","analyticsNotificationProviderStatusReconciliationReadinessId","analyticsNotificationProviderStatusReconciliationReadinessStatus","analyticsNotificationProviderStatusReconciliationReadinessDisposition","analyticsFunnelConversionReportId","utmSource","utmMedium","utmCampaign","referrerHost","metricId","funnelStepMetricId","experimentId","variantId","assignmentRuleId","reportId","agentActionId"],"safeForAgents":["Read seeded event taxonomy","Inspect aggregate event counts","Inspect aggregate variant event counts","Inspect aggregate source attribution counts","Inspect aggregate assignment counts","Inspect aggregate funnel conversion report rows","Inspect aggregate report export sections without raw analytics downloads","Inspect fixture cohort comparison definitions with sample-size caveats","Inspect owner-reviewed cohort comparison evidence without winner or revenue claims","Inspect owner-reviewed alert threshold and anomaly-review evidence without automated alerts or traffic routing","Inspect owner-reviewed notification delivery readiness without sending alerts or writing inbox rows","Inspect owner-confirmed notification inbox records without recipients, email bodies, queue dispatch, or email sends","Inspect owner-confirmed notification dispatch preflights without recipients, email bodies, provider message IDs, queue payloads, queue dispatch, or email sends","Inspect owner-reviewed notification provider/domain readiness without provider configuration, provider secrets, sender credentials, private DNS credentials, provider sends, or verified-domain claims","Inspect owner-reviewed notification content/consent readiness without body templates, unsubscribe URLs, recipients, email bodies, provider message IDs, queue payloads, provider sends, queue dispatch, or email sends","Inspect owner-reviewed notification send-payload readiness without recipient payloads, personalized bodies, raw payload bodies, queue messages, provider responses, provider sends, queue dispatch, or email sends","Inspect owner-reviewed notification queue-producer readiness without Queue producer execution, queue messages, queue payload bodies, provider responses, provider sends, queue dispatch, or email sends","Inspect owner-reviewed notification queue-consumer readiness without Queue consumer execution, message consumption, message acknowledgement, retry/dead-letter rows, queue payload body reads, provider responses, provider sends, queue dispatch, or email sends","Inspect owner-reviewed notification provider-call readiness without provider sends, provider calls, provider responses, provider configuration, provider secrets, sender credentials, private DNS credentials, Queue consumer execution, queue payload body reads, queue dispatch, or email sends","Inspect owner-reviewed notification delivery-attempt readiness without provider sends, delivery attempts, provider responses, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect owner-reviewed notification delivery-result readiness without delivery results, delivery receipts, status webhooks, provider polling, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect owner-reviewed notification delivery-status-webhook readiness without delivery status webhooks, delivery receipts, receipt payloads, status webhook payloads, provider polling, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect owner-reviewed notification provider-polling readiness without provider polling execution, delivery receipts, receipt payloads, status webhook payloads, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect owner-reviewed notification receipt-payload readiness without receipt payload capture, delivery receipts, status webhook payloads, provider polling execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect owner-reviewed notification delivery-receipt readiness without delivery receipt creation, receipt payload capture, status webhook payloads, provider polling execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect owner-reviewed notification provider-status reconciliation readiness without provider polling execution, delivery receipt processing, receipt payload ingestion, provider status reconciliation execution, provider responses, provider message IDs, provider secrets, sender credentials, private DNS credentials, queue dispatch, or email sends","Inspect dashboard-visible source attribution rows","Inspect fixed time-window metadata and aggregate source/conversion rows","Inspect metric formulas","Inspect seeded event capture boundary","Inspect browser-side page-view beacon boundary","Inspect seeded experiment assignment boundary","Inspect public-safe custom routing rules, seeded sandbox funnel copy routing, and baseline holdout metadata","Inspect owner-confirmed winner rollout and rollback evidence without raw event rows or raw assignment rows","Inspect experiment assignment boundaries","Inspect owner-confirmed experiment decision evidence without raw event rows or raw assignment rows"],"writeBoundary":"Seeded analytics events, browser-side seeded funnel page-view beacons with deterministic variant evidence and normalized source attribution, seeded experiment assignments, public-safe custom source/campaign routing rules, seeded sandbox funnel copy routing with a baseline holdout, owner-confirmed winner rollout and rollback routing from issue #422, owner-confirmed notification inbox records from issue #271, owner-confirmed notification dispatch preflights from issue #284, owner-reviewed provider/domain readiness records from issue #286, owner-reviewed content/consent readiness records from issue #288, owner-reviewed send-payload readiness records from issue #290, owner-reviewed queue-producer readiness records from issue #292, owner-reviewed queue-consumer readiness records from issue #294, owner-reviewed provider-call readiness records from issue #297, owner-reviewed delivery-attempt readiness records from issue #299, owner-reviewed delivery-result readiness records from issue #301, owner-reviewed delivery-status-webhook readiness records from issue #303, owner-reviewed provider-polling readiness records from issue #305, owner-reviewed receipt-payload readiness records from issue #307, owner-reviewed delivery-receipt readiness records from issue #309, owner-reviewed provider-status reconciliation readiness records from issue #311, and owner-confirmed experiment decision evidence can be captured with idempotency, source-route validation, aggregate count checks, and bot/preview suppression; fixed-window aggregate funnel conversion reports, dashboard-visible aggregate source counts, aggregate variant counts, aggregate report export metadata, owner-reviewed cohort comparison evidence from issue #265, owner-reviewed alert threshold/anomaly-review evidence from issue #267, owner-reviewed notification delivery readiness evidence from issue #269, redacted decision counts, and redacted winner rollout counts can be read from captured test events. Cookie assignment, contact analytics, raw campaign/referrer reporting, raw routing URL storage, raw analytics exports, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, provider polling, provider status reconciliation, provider configuration, provider secrets, sender credentials, private DNS credentials, queue dispatch, Queue producer execution, Queue consumer execution, queue messages, queue message consumption, queue acknowledgements, retry/dead-letter rows, queue payload body reads, queue payload bodies, recipient payloads, personalized bodies, raw payload bodies, body templates, unsubscribe URLs, customer alerts, custom events beyond the seeded boundary, raw/private exports, and direct public agent decision writes require future confirmed-write APIs."},{"id":"create-owner-analytics-experiment-decision","title":"Owner analytics experiment decision","route":"/api/admin/analytics/experiment-decisions","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_experiment_decisions plus analytics_events and analytics_experiment_assignments aggregates","stableIds":["analyticsExperimentDecisionId","analyticsDashboardId","experimentId","variantId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics experiment decision confirmation contract","Record owner-reviewed experiment decision evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate assignment counts, and sample-size caveat acknowledgement before writing","Confirm responses omit raw event rows, raw assignment rows, visitor keys, actor emails, actor hashes, private notes, contact analytics, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted experiment decision evidence in D1 after exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate count validation, and sample-size caveat acknowledgement. It does not route traffic, assign cookies, select automated winners, expose raw event rows, expose raw assignment rows, expose contact analytics, make revenue claims, or allow unauthenticated/direct public agent experiment writes. Issue #261 tracks this slice."},{"id":"create-owner-analytics-winner-rollout","title":"Owner analytics winner rollout","route":"/api/admin/analytics/winner-rollouts","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_experiment_winner_rollouts plus analytics_events and analytics_experiment_assignments aggregates","stableIds":["analyticsExperimentWinnerRolloutId","analyticsExperimentWinnerRolloutRevision","analyticsDashboardId","experimentId","variantId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics winner rollout and rollback confirmation contract","Record owner-reviewed winner rollout evidence only with an owner session","Record owner-reviewed rollback evidence only with a current rollout revision","Use exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate assignment counts, and sample-size caveat acknowledgement before writing","Confirm responses omit raw event rows, raw assignment rows, visitor keys, actor emails, actor hashes, private notes, contact analytics, raw routing URLs, raw/private exports, provider sends, Queue execution, and revenue claims"],"writeBoundary":"This owner-session API records redacted winner rollout and rollback evidence in D1 after exact confirmation, idempotency, dashboard revision checks, experiment status checks, aggregate count validation, current rollout revision checks, and sample-size caveat acknowledgement. Custom source/campaign rules stay ahead of winner rollout routing. It does not assign cookies, expose raw event rows, expose raw assignment rows, expose contact analytics, expose raw routing URLs, make revenue claims, call providers, dispatch queues, or allow unauthenticated/direct public agent experiment writes. Issue #422 tracks this slice."},{"id":"create-owner-analytics-notification-inbox-record","title":"Owner analytics notification inbox record","route":"/api/admin/analytics/notification-inbox-records","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_inbox_records plus analytics source-data readiness evidence","stableIds":["analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification inbox confirmation contract","Record owner-reviewed notification inbox evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit recipients, email bodies, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification inbox evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It creates owner-visible inbox records only; it does not send email, dispatch queues, alert customers, expose recipients, expose email bodies, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #271 tracks this slice."},{"id":"create-owner-analytics-notification-dispatch-preflight","title":"Owner analytics notification dispatch preflight","route":"/api/admin/analytics/notification-dispatch-preflights","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_dispatch_preflight_records plus analytics notification inbox/readiness source-data evidence","stableIds":["analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification dispatch preflight confirmation contract","Record owner-reviewed dispatch preflight evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, inbox record checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit recipients, email bodies, provider message IDs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification dispatch preflight evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox record checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible dispatch preflight evidence only; it does not send email, call providers, dispatch queues, alert customers, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #284 tracks this slice."},{"id":"create-owner-analytics-notification-provider-domain-readiness","title":"Owner analytics notification provider/domain readiness","route":"/api/admin/analytics/notification-provider-domain-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_provider_domain_readiness_records plus analytics notification dispatch-preflight/readiness source-data evidence","stableIds":["analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification provider/domain readiness confirmation contract","Record owner-reviewed provider/domain readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, dispatch preflight checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, recipients, email bodies, provider message IDs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider configuration, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification provider/domain readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider/domain readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #286 tracks this slice."},{"id":"create-owner-analytics-notification-content-consent-readiness","title":"Owner analytics notification content/consent readiness","route":"/api/admin/analytics/notification-content-consent-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_content_consent_readiness_records plus analytics notification provider-domain/readiness source-data evidence","stableIds":["analyticsNotificationContentConsentReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification content/consent readiness confirmation contract","Record owner-reviewed content/consent readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, provider/domain readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit body templates, unsubscribe URLs, recipients, email bodies, provider message IDs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification content/consent readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible body-template, unsubscribe, rate-limit, audit-correlation, and retention readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #288 tracks this slice."},{"id":"create-owner-analytics-notification-send-payload-readiness","title":"Owner analytics notification send-payload readiness","route":"/api/admin/analytics/notification-send-payload-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_send_payload_readiness_records plus analytics notification content-consent/readiness source-data evidence","stableIds":["analyticsNotificationSendPayloadReadinessId","analyticsNotificationContentConsentReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification send-payload readiness confirmation contract","Record owner-reviewed send-payload readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current content/consent readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, provider responses, provider message IDs, queue messages, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification send-payload readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current content/consent readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible payload-shape, unsubscribe-footer, consent/suppression recheck, recipient-scope, audit-correlation, and retention readiness evidence only; it does not send email, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, create queue messages, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #290 tracks this slice."},{"id":"create-owner-analytics-notification-queue-producer-readiness","title":"Owner analytics notification queue-producer readiness","route":"/api/admin/analytics/notification-queue-producer-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_queue_producer_readiness_records plus analytics notification send-payload/readiness source-data evidence","stableIds":["analyticsNotificationQueueProducerReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification queue-producer readiness confirmation contract","Record owner-reviewed queue-producer readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current send-payload readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit Queue payload bodies, Queue messages, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, provider responses, provider message IDs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, Queue producer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification queue-producer readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible Queue binding, producer-mode, idempotency-policy, retry/dead-letter-policy, consumer-dependency, backpressure, audit-correlation, and retention readiness evidence only; it does not send email, enable Queue producers, create Queue messages, create Queue payload bodies, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #292 tracks this slice."},{"id":"create-owner-analytics-notification-queue-consumer-readiness","title":"Owner analytics notification queue-consumer readiness","route":"/api/admin/analytics/notification-queue-consumer-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_queue_consumer_readiness_records plus analytics notification queue-producer/readiness source-data evidence","stableIds":["analyticsNotificationQueueConsumerReadinessId","analyticsNotificationQueueProducerReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification queue-consumer readiness confirmation contract","Record owner-reviewed queue-consumer readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current queue-producer readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, provider responses, provider message IDs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, Queue producer execution, Queue consumer execution, provider calls, provider responses, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification queue-consumer readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current queue-producer readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible Queue binding, consumer-mode, producer-dependency, payload-read-policy, ack-policy, retry/dead-letter-policy, provider-handoff-dependency, idempotency-policy, backpressure, audit-correlation, and retention readiness evidence only; it does not send email, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, call providers, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #294 tracks this slice."},{"id":"create-owner-analytics-notification-provider-call-readiness","title":"Owner analytics notification provider-call readiness","route":"/api/admin/analytics/notification-provider-call-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_provider_call_readiness_records plus analytics notification queue-consumer/readiness source-data evidence","stableIds":["analyticsNotificationProviderCallReadinessId","analyticsNotificationQueueConsumerReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification provider-call readiness confirmation contract","Record owner-reviewed provider-call readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current queue-consumer readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification provider-call readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current queue-consumer readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-call dependency readiness only; it does not send email, enable provider sends or calls, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #297 tracks this slice."},{"id":"create-owner-analytics-notification-delivery-attempt-readiness","title":"Owner analytics notification delivery-attempt readiness","route":"/api/admin/analytics/notification-delivery-attempt-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_delivery_attempt_readiness_records plus analytics notification provider-call/readiness source-data evidence","stableIds":["analyticsNotificationDeliveryAttemptReadinessId","analyticsNotificationProviderCallReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification delivery-attempt readiness confirmation contract","Record owner-reviewed delivery-attempt readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current provider-call readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification delivery-attempt readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current provider-call readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-attempt dependency readiness only; it does not send email, enable provider sends or calls, attempt delivery, configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #299 tracks this slice."},{"id":"create-owner-analytics-notification-delivery-result-readiness","title":"Owner analytics notification delivery-result readiness","route":"/api/admin/analytics/notification-delivery-result-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_delivery_result_readiness_records plus analytics notification delivery-attempt/readiness source-data evidence","stableIds":["analyticsNotificationDeliveryResultReadinessId","analyticsNotificationDeliveryAttemptReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification delivery-result readiness confirmation contract","Record owner-reviewed delivery-result readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current delivery-attempt readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, provider polling results, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, delivery results, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification delivery-result readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-attempt readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-result boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #301 tracks this slice."},{"id":"create-owner-analytics-notification-delivery-status-webhook-readiness","title":"Owner analytics notification delivery-status webhook readiness","route":"/api/admin/analytics/notification-delivery-status-webhook-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_delivery_status_webhook_readiness_records plus analytics notification delivery-result/readiness source-data evidence","stableIds":["analyticsNotificationDeliveryStatusWebhookReadinessId","analyticsNotificationDeliveryResultReadinessId","analyticsNotificationDeliveryAttemptReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification delivery-status webhook readiness confirmation contract","Record owner-reviewed delivery-status webhook readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current delivery-result readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, status webhook payloads, provider polling results, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification delivery-status webhook readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-result readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-status webhook boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #303 tracks this slice."},{"id":"create-owner-analytics-notification-provider-polling-readiness","title":"Owner analytics notification provider-polling readiness","route":"/api/admin/analytics/notification-provider-polling-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_provider_polling_readiness_records plus analytics notification delivery-status-webhook/readiness source-data evidence","stableIds":["analyticsNotificationProviderPollingReadinessId","analyticsNotificationDeliveryStatusWebhookReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification provider-polling readiness confirmation contract","Record owner-reviewed provider-polling readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current delivery-status-webhook readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, status webhook payloads, provider polling results, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider polling execution, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification provider-polling readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-status-webhook readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-polling boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #305 tracks this slice."},{"id":"create-owner-analytics-notification-receipt-payload-readiness","title":"Owner analytics notification receipt-payload readiness","route":"/api/admin/analytics/notification-receipt-payload-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_receipt_payload_readiness_records plus analytics notification provider-polling/readiness source-data evidence","stableIds":["analyticsNotificationReceiptPayloadReadinessId","analyticsNotificationProviderPollingReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification receipt-payload readiness confirmation contract","Record owner-reviewed receipt-payload readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current provider-polling readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, status webhook payloads, provider polling results, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider polling execution, receipt payload capture, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification receipt-payload readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current provider-polling readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible receipt-payload boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #307 tracks this slice."},{"id":"create-owner-analytics-notification-delivery-receipt-readiness","title":"Owner analytics notification delivery-receipt readiness","route":"/api/admin/analytics/notification-delivery-receipt-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_delivery_receipt_readiness_records plus analytics notification receipt-payload/readiness source-data evidence","stableIds":["analyticsNotificationDeliveryReceiptReadinessId","analyticsNotificationReceiptPayloadReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification delivery-receipt readiness confirmation contract","Record owner-reviewed delivery-receipt readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current receipt-payload readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, status webhook payloads, provider polling results, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider polling execution, receipt payload capture, delivery receipt creation, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification delivery-receipt readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current receipt-payload readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible delivery-receipt boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #309 tracks this slice."},{"id":"create-owner-analytics-notification-provider-status-reconciliation-readiness","title":"Owner analytics notification provider-status reconciliation readiness","route":"/api/admin/analytics/notification-provider-status-reconciliation-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"D1 table analytics_notification_provider_status_reconciliation_readiness_records plus analytics notification delivery-receipt/readiness source-data evidence","stableIds":["analyticsNotificationProviderStatusReconciliationReadinessId","analyticsNotificationDeliveryReceiptReadinessId","analyticsNotificationSendPayloadReadinessId","analyticsNotificationProviderDomainReadinessId","analyticsNotificationDispatchPreflightId","analyticsNotificationInboxRecordId","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsDashboardId","analyticsTimeWindow","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only analytics notification provider-status reconciliation readiness confirmation contract","Record owner-reviewed provider-status reconciliation readiness evidence only with an owner session","Use exact confirmation, idempotency, dashboard revision checks, notification readiness checks, current delivery-receipt readiness checks, fixed-window sample-size checks, and sample-size caveat acknowledgement before writing","Confirm responses omit provider secrets, sender credentials, private DNS credentials, provider responses, provider message IDs, delivery receipts, receipt payloads, status webhooks, status webhook payloads, provider polling results, provider status reconciliation payloads, Queue payload bodies, Queue messages, consumed messages, acknowledgements, retry/dead-letter rows, recipients, recipient payloads, personalized bodies, raw payload bodies, email bodies, body templates, unsubscribe URLs, queue payloads, raw analytics rows, actor emails, actor hashes, private notes, customer alerts, email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, provider polling execution, receipt payload capture, delivery receipt processing, provider status reconciliation execution, Queue producer execution, Queue consumer execution, queue dispatch, traffic routing, automated winners, and revenue claims"],"writeBoundary":"This owner-session API records redacted notification provider-status reconciliation readiness evidence in D1 after exact confirmation, idempotency, dashboard revision checks, notification readiness checks, notification inbox checks, notification dispatch preflight checks, provider/domain readiness checks, current send-payload readiness checks, current delivery-receipt readiness checks, fixed-window evidence validation, and sample-size caveat acknowledgement. It records owner-visible provider-status reconciliation boundary readiness only; it does not send email, enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, reconcile provider statuses, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, enable Queue producers, enable Queue consumers, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue messages, create Queue payload bodies, dispatch queues, alert customers, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose queue payloads, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or allow unauthenticated/direct public agent writes. Issue #311 tracks this slice."},{"id":"read-affiliate-referrals","title":"Affiliate and referral source data","route":"/affiliates/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/affiliate-referrals.ts","stableIds":["affiliateProgramId","affiliatePartnerId","affiliatePartnerPortalId","affiliatePartnerPortalRoute","affiliatePartnerPortalStatus","affiliatePartnerStatementSnapshotId","affiliatePartnerStatementSnapshotStatus","affiliatePartnerReportId","payoutPreparationId","payoutPreparationRecordId","payoutPreparationRecordStatus","fraudReviewRecordId","fraudReviewRecordStatus","fraudEnforcementRecordId","fraudEnforcementRecordStatus","partnerNotificationReadinessRecordId","partnerNotificationReadinessRecordStatus","partnerNotificationSendPreflightRecordId","partnerNotificationSendPreflightRecordStatus","partnerNotificationProviderReadinessRecordId","partnerNotificationProviderReadinessRecordStatus","referralLinkId","referralClickId","checkoutIntentId","referralAttributionId","reviewOnlyCommissionLedgerId","commissionReviewActionId","attributionRuleId","commissionRuleId","commissionLedgerId","payoutBatchId","reviewFlagId","auditEventId","agentActionId"],"safeForAgents":["Read seeded affiliate program","Inspect referral links and attribution rules","Inspect aggregate referral click counts","Inspect aggregate checkout attribution counts","Inspect aggregate review-only commission ledger counts","Inspect aggregate owner review and reversal action counts","Inspect public-safe partner performance reports","Inspect public-safe partner portal status pages without private partner auth, buyer data, payout accounts, tax forms, Stripe payout IDs, provider secrets, message bodies, queue rows, raw rows, or direct public agent writes","Inspect public-safe partner statement snapshots without payable statements, buyer data, payout accounts, tax forms, Stripe payout IDs, provider secrets, message bodies, queue rows, raw rows, or direct public agent writes","Inspect read-only payout preparation checklists","Inspect owner-confirmed payout preparation records without payout accounts, tax data, Stripe payout IDs, partner notification bodies, buyer data, raw ledger rows, or raw actor fields","Inspect owner-reviewed fraud review records without private fraud signals, buyer data, raw ledger/click/checkout rows, actor identity, payout accounts, tax data, Stripe payout IDs, or partner notification bodies","Inspect owner-confirmed fraud enforcement records without private fraud signals, buyer data, raw ledger/click/checkout rows, actor identity, payout accounts, tax data, Stripe payout IDs, payable commission state, or partner notification bodies","Inspect owner-reviewed partner notification readiness records without recipient emails, message bodies, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, or partner sends","Inspect owner-reviewed partner notification send preflight records without recipient emails, message bodies, send payloads, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, provider-send enablement, or partner sends","Inspect owner-reviewed notification provider readiness records without provider configuration, provider secrets, sender credentials, recipient emails, message bodies, send payloads, provider message IDs, queue rows, buyer data, raw rows, private fraud signals, payout accounts, tax data, Stripe IDs, provider-send enablement, or partner sends","Inspect commission and payout review boundaries"],"writeBoundary":"Seeded referral clicks can be captured with idempotency and destination-route validation, eligible clicks can be attached to sandbox checkout intents as evidence, trusted checkout attribution can create review-only commission ledger evidence, owner sessions can review, hold, or reverse that evidence, public-safe partner reports and partner portal status pages can be read, read-only payout preparation can be inspected, and owner sessions can record payout preparation, fraud review, fraud enforcement, partner notification readiness, partner notification send preflight, and notification provider readiness evidence; cookie assignment, buyer attribution finalization, payable commission writes, direct agent review writes, payout actions, tax collection, authenticated private partner portals, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, and queue dispatch require future confirmed-write APIs."},{"id":"create-owner-affiliate-payout-preparation-record","title":"Owner affiliate payout preparation record API","route":"/api/admin/affiliates/payout-preparation-records","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/affiliate-payout-preparation-records.ts","stableIds":["payoutPreparationRecordId","affiliateProgramId","payoutPreparationId","payoutBatchId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only affiliate payout preparation confirmation contract","Record owner-reviewed payout preparation evidence only with an owner session","Use exact confirmation, idempotency, program revision checks, payout batch status checks, and payout evidence checks before writing","Confirm responses omit payout accounts, tax data, Stripe IDs, partner notification bodies, buyer data, raw ledger rows, actor emails, actor hashes, private notes, and private fraud signals"],"writeBoundary":"This owner-session API records redacted affiliate payout preparation evidence in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, and payout evidence validation. It creates owner-visible preparation records only; it does not create payable commission state, Stripe payouts or transfers, payout accounts, tax records, partner notifications, fraud decisions, buyer data, raw ledger rows, or direct public agent payout writes. Issue #273 tracks this slice."},{"id":"create-owner-affiliate-fraud-review-record","title":"Owner affiliate fraud review record API","route":"/api/admin/affiliates/fraud-review-records","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/affiliate-fraud-review-records.ts","stableIds":["fraudReviewRecordId","affiliateProgramId","reviewFlagId","payoutPreparationId","payoutBatchId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only affiliate fraud review confirmation contract","Record owner-reviewed fraud review evidence only with an owner session","Use exact confirmation, idempotency, program revision checks, payout batch status checks, review-flag checks, and linked-ledger count checks before writing","Confirm responses omit private fraud signals, buyer data, raw ledger rows, raw click rows, raw checkout rows, actor emails, actor hashes, private notes, payout accounts, tax data, Stripe IDs, and partner notification bodies"],"writeBoundary":"This owner-session API records redacted affiliate fraud review evidence in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, review-flag checks, and linked-ledger evidence validation. It creates owner-visible fraud review records only; it does not enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #275 tracks this slice."},{"id":"create-owner-affiliate-fraud-enforcement-record","title":"Owner affiliate fraud enforcement record API","route":"/api/admin/affiliates/fraud-enforcement-records","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/affiliate-fraud-review-records.ts","stableIds":["fraudEnforcementRecordId","affiliateProgramId","reviewFlagId","payoutPreparationId","payoutBatchId","fraudReviewRecordStatus","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only affiliate fraud enforcement confirmation contract","Record owner-confirmed fraud enforcement only with an owner session","Use exact confirmation, idempotency, program revision checks, payout batch status checks, fraud-review contract checks, review-flag checks, and linked-ledger count checks before writing","Confirm responses omit private fraud signals, buyer data, raw ledger rows, raw click rows, raw checkout rows, actor emails, actor hashes, private notes, payout accounts, tax data, Stripe IDs, payable commission state, and partner notification bodies"],"writeBoundary":"This owner-session API records redacted affiliate fraud enforcement decisions in D1 after exact confirmation, idempotency, program revision checks, payout batch status checks, fraud review record status checks, review-flag checks, and linked-ledger evidence validation. It records owner-visible fraud enforcement only; it does not create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #424 tracks this slice."},{"id":"create-owner-affiliate-partner-notification-readiness-record","title":"Owner affiliate partner notification readiness record API","route":"/api/admin/affiliates/notification-readiness-records","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/affiliate-partner-notification-readiness-records.ts","stableIds":["partnerNotificationReadinessRecordId","affiliateProgramId","affiliatePartnerReportId","affiliatePartnerId","payoutPreparationId","payoutBatchId","reviewFlagId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only affiliate partner notification readiness confirmation contract","Record owner-reviewed notification readiness evidence only with an owner session","Use exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, review-flag checks, and linked-ledger count checks before writing","Confirm responses omit recipient emails, message bodies, provider message IDs, queue rows, private fraud signals, buyer data, raw ledger rows, raw click rows, raw checkout rows, actor emails, actor hashes, private notes, payout accounts, tax data, and Stripe IDs"],"writeBoundary":"This owner-session API records redacted affiliate partner notification readiness evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, review-flag checks, and linked-ledger evidence validation. It creates owner-visible readiness records only; it does not send partner notifications, call providers, create queue rows, expose recipient emails or message bodies, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #277 tracks this slice."},{"id":"create-owner-affiliate-partner-notification-send-preflight-record","title":"Owner affiliate partner notification send preflight record API","route":"/api/admin/affiliates/notification-send-preflights","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/affiliate-partner-notification-send-preflight-records.ts","stableIds":["partnerNotificationSendPreflightRecordId","partnerNotificationReadinessRecordStatus","affiliateProgramId","affiliatePartnerReportId","affiliatePartnerId","payoutPreparationId","payoutBatchId","reviewFlagId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only affiliate partner notification send preflight confirmation contract","Record owner-reviewed notification send preflight evidence only with an owner session","Use exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, review-flag checks, and linked-ledger count checks before writing","Confirm responses omit recipient emails, message bodies, send payloads, provider message IDs, queue rows, private fraud signals, buyer data, raw ledger rows, raw click rows, raw checkout rows, actor emails, actor hashes, private notes, payout accounts, tax data, and Stripe IDs"],"writeBoundary":"This owner-session API records redacted affiliate partner notification send preflight evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, review-flag checks, linked-ledger evidence validation, and provider-send-disabled checks. It creates owner-visible send preflight records only; it does not send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails or message bodies, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #279 tracks this slice."},{"id":"create-owner-affiliate-partner-notification-provider-readiness-record","title":"Owner affiliate partner notification provider readiness record API","route":"/api/admin/affiliates/notification-provider-readiness","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/affiliate-partner-notification-provider-readiness-records.ts","stableIds":["partnerNotificationProviderReadinessRecordId","partnerNotificationSendPreflightRecordStatus","affiliateProgramId","affiliatePartnerReportId","affiliatePartnerId","payoutPreparationId","payoutBatchId","reviewFlagId","ownerUserId","idempotencyKey"],"safeForAgents":["Inspect the owner-only affiliate partner notification provider readiness confirmation contract","Record owner-reviewed notification provider readiness evidence only with an owner session","Use exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, send preflight record status checks, review-flag checks, and linked-ledger count checks before writing","Confirm responses omit provider configuration, provider secrets, sender credentials, recipient emails, message bodies, send payloads, provider message IDs, queue rows, private fraud signals, buyer data, raw ledger rows, raw click rows, raw checkout rows, actor emails, actor hashes, private notes, payout accounts, tax data, and Stripe IDs"],"writeBoundary":"This owner-session API records redacted affiliate partner notification provider readiness evidence in D1 after exact confirmation, idempotency, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, send preflight record status checks, review-flag checks, linked-ledger evidence validation, provider-configuration-disabled checks, provider-secret-redaction checks, sender-credential-redaction checks, and provider-send-disabled checks. It creates owner-visible provider readiness records only; it does not configure notification providers, store provider secrets, store sender credentials, send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails or message bodies, expose provider message IDs, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or allow direct public agent affiliate writes. Issue #281 tracks this slice."},{"id":"read-mobile-admin-contract","title":"Mobile admin contract","route":"/mobile-admin/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/mobile-admin.ts","stableIds":["mobileJobId","mobileApiDependencyId","mobilePrivateAuthId","mobilePrivateRowsApiId","mobilePrivateRowActionsApiId","mobileDirectorReviewApiId","mobileCommerceReviewApiId","mobileActionIntentApiId","mobilePushBoundaryId","mobileDistributionReadinessId","directorWorkstreamId","directorBriefSignalId","mobileConfirmedActionId","platformIssue","featureId"],"safeForAgents":["Read iOS and Android scope","Find API dependencies","Understand mobile owner-session requirements","Understand the owner-gated read-only mobile private-row boundary","Understand the low-risk owner-confirmed mobile private-row action boundary","Understand the owner-confirmed Director workstream review boundary","Understand the owner-confirmed commerce health review boundary","Understand the owner-gated audit-only mobile action intent boundary","Understand the Director workstream digest exposed to mobile clients","Understand push-notification provider requirements and disabled send status","Understand store-distribution requirements separately from simulator/emulator proof","Understand mobile confirmed-action write boundaries"],"writeBoundary":"Mobile apps can inspect owner-gated private rows through /api/mobile-admin/private-rows, mark private rows read/deferred through /api/mobile-admin/private-rows/actions, record owner-confirmed Director workstream review state through /api/mobile-admin/director-reviews, record owner-confirmed commerce-health review state through /api/mobile-admin/commerce-reviews, and record owner-gated audit-only action intents through /api/mobile-admin/actions. Push sends, provider calls, device-token registration, installable distribution, physical-device proof, and high-risk billing/publishing production writes remain disabled until future domain-specific confirmed-write APIs and platform evidence exist; issue #414 exposes the shared owner-session, private-row, private-row action, Director review, commerce review, action-intent, push-readiness, distribution-readiness, and confirmed-action contract."},{"id":"read-mobile-admin-dashboard","title":"Live mobile admin dashboard source data","route":"/mobile-admin/dashboard/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/mobile-admin-dashboard.ts","stableIds":["mobileDashboardCardId","directorWorkstreamId","directorBriefSignalId","directorWindowId","featureId","roadmapItemId","workLogEntryId","markAttentionId","mobilePrivateRowId","mobilePrivateRowActionId","mobileDirectorReviewId","mobileCommerceReviewId","mobilePushBoundaryId","mobileDistributionReadinessId","agentReadContractId"],"safeForAgents":["Read one public-safe mobile dashboard digest","Inspect live Director workstream, feature, roadmap, admin, commerce, and agent-readiness counts","Inspect redacted Director brief signals and 1-day/7-day change windows without raw attention or work-log bodies","Inspect public-safe private-row counts and labels without owner-only notes or payloads","Inspect redacted private-row workflow action counts without actor, note, idempotency, or stale-token details","Inspect redacted Director review counts without actor, note, idempotency, or stale-token details","Inspect redacted commerce review counts without actor, note, idempotency, or stale-token details","Inspect public-safe push-readiness and distribution-readiness blockers","Find iOS and Android source-data routes without scraping private admin pages"],"writeBoundary":"Public-safe digest; issue #414 exposes owner-session, private-row, private-row action, Director review, commerce review, action-intent, push-readiness, distribution-readiness, and confirmed-action requirements, but push notifications, physical-device proof, App Store/Play Store distribution, and high-risk billing/publishing confirmed mobile writes require future authenticated APIs and platform evidence."},{"id":"create-owner-mobile-admin-commerce-review","title":"Mobile admin commerce review API","route":"/api/mobile-admin/commerce-reviews","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/mobile-admin-commerce-reviews.ts","stableIds":["mobileCommerceReviewId","commerceReviewTargetId","auditCorrelationId","idempotencyKey","staleStateToken"],"safeForAgents":["Inspect the owner-only commerce review confirmation contract","Record owner acknowledgements for commerce source-data health only with an owner session","Use exact confirmation, idempotency, current commerce generated-at checks, stale-state token checks, and audit correlation before writing","Confirm responses omit actor email, actor hash, actor user id, idempotency keys, review notes, stale-state token hashes, and raw rows"],"writeBoundary":"This owner-session API records low-risk owner review state for commerce source-data targets in D1 after exact confirmation, idempotency, current commerce generated-at checks, stale-state token checks, audit correlation, and redaction. It does not create billing mutations, refunds, subscription changes, price changes, fulfillment changes, entitlement changes, push notifications, distribution state changes, public agent writes, private-row changes, or high-risk production confirmed-write side effects. Issue #414 tracks this slice."},{"id":"create-owner-mobile-admin-director-review","title":"Mobile admin Director review API","route":"/api/mobile-admin/director-reviews","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/mobile-admin-director-reviews.ts","stableIds":["mobileDirectorReviewId","directorWorkstreamId","auditCorrelationId","idempotencyKey","staleStateToken"],"safeForAgents":["Inspect the owner-only Director review confirmation contract","Record owner acknowledgements for Director workstreams only with an owner session","Use exact confirmation, idempotency, current Director generated-at checks, stale-state token checks, and audit correlation before writing","Confirm responses omit actor email, actor hash, actor user id, idempotency keys, review notes, stale-state token hashes, and raw rows"],"writeBoundary":"This owner-session API records low-risk production owner review state for Director workstreams in D1 after exact confirmation, idempotency, current Director generated-at checks, stale-state token checks, audit correlation, and redaction. It does not create billing mutations, publishing mutations, push notifications, distribution state changes, public agent writes, private-row changes, or high-risk production confirmed-write side effects. Issue #414 tracks this slice."},{"id":"create-owner-mobile-admin-private-row-action","title":"Mobile admin private-row actions API","route":"/api/mobile-admin/private-rows/actions","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/mobile-admin-private-row-actions.ts","stableIds":["mobilePrivateRowActionId","mobilePrivateRowId","auditCorrelationId","idempotencyKey","staleStateToken"],"safeForAgents":["Inspect the owner-only private-row action confirmation contract","Mark owner-only mobile private rows read or deferred only with an owner session","Use exact confirmation, idempotency, stale row revision checks, stale-state token checks, and audit correlation before writing","Confirm public source-data omits actor email, actor hash, actor user id, idempotency keys, private notes, owner-only notes, private payloads, stale-state tokens, stale-state token hashes, and raw rows"],"writeBoundary":"This owner-session API mutates only Mobile Admin private-row workflow state after exact confirmation, idempotency, stale row revision checks, stale-state token checks, audit correlation, and redaction. It does not create billing mutations, commerce mutations, publishing mutations, moderation actions, creator-speech actions, push notifications, distribution state changes, direct public agent writes, or high-risk production confirmed-write side effects. Issue #428 tracks this slice."},{"id":"read-owner-mobile-admin-private-rows","title":"Mobile admin private rows API","route":"/api/mobile-admin/private-rows","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/mobile-admin-private-rows.ts","stableIds":["mobilePrivateRowId","sourceRoute","sourceRecordId","readState"],"safeForAgents":["Inspect the owner-only mobile private-row contract","Read owner-only mobile rows only with an owner session","Confirm public source-data exposes route, status, counts, public row labels, and redaction flags only","Confirm public source-data omits owner-only notes, private payload JSON, owner email values, session IDs, cookies, tokens, and raw rows"],"writeBoundary":"This owner-session API reads Mobile Admin private rows from D1 and returns owner-only notes and synthetic private payload metadata only to authenticated owners. It does not create production admin mutations, billing mutations, push notifications, distribution state changes, customer data exposure, public agent writes, or domain-specific confirmed-write side effects. Issue #414 tracks this slice."},{"id":"create-owner-mobile-admin-action-intent","title":"Mobile admin action intent API","route":"/api/mobile-admin/actions","kind":"api","auth":"owner-session","sourceOfTruth":"src/lib/mobile-admin-actions.ts","stableIds":["mobileActionIntentId","mobileConfirmedActionId","sourceRoute","auditCorrelationId","idempotencyKey","staleStateToken"],"safeForAgents":["Inspect the owner-only mobile action-intent confirmation contract","Record audit-only mobile action intent evidence only with an owner session","Use exact confirmation, idempotency, contract revision checks, stale-state token checks, source-route allowlisting, and audit correlation before writing","Confirm responses omit actor email, actor hash, actor user id, idempotency keys, private notes, stale-state token hashes, raw rows, and mutation payloads"],"writeBoundary":"This owner-session API records redacted mobile action intent evidence in D1 after exact confirmation, idempotency, contract revision checks, stale-state token checks, source-route allowlisting, audit correlation, and redaction. It creates audit-only action intent rows; it does not create production admin mutations, billing mutations, push notifications, distribution state changes, private mobile row exposure, direct public agent writes, or domain-specific confirmed-write side effects. Issue #414 tracks this slice."},{"id":"read-ios-mobile-admin","title":"iOS mobile admin source data","route":"/mobile-admin/ios/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/mobile-admin-ios.ts and apps/mobile-admin","stableIds":["platformIssue","fixturePath","smokeCommand","simulatorBundleId"],"safeForAgents":["Read iOS app-foundation status","Find simulator smoke command","Find screenshot evidence"],"writeBoundary":"The iOS slice is read-only until the shared confirmed-write API and mobile auth boundary exist."},{"id":"read-android-mobile-admin","title":"Android mobile admin source data","route":"/mobile-admin/android/source-data","kind":"json","auth":"public","sourceOfTruth":"src/lib/mobile-admin-android.ts and apps/mobile-admin","stableIds":["platformIssue","fixturePath","smokeCommand","nativePackage","defaultAvd"],"safeForAgents":["Read Android app-foundation status","Find emulator smoke command","Find screenshot evidence"],"writeBoundary":"The Android slice is read-only until the shared confirmed-write API and mobile auth boundary exist."}],"sourceEvidenceRoutes":[{"id":"evidence-features","route":"/features/source-data","resolves":"Bumpgrade feature status, audience, expected capabilities, issue ownership, and agent contract notes.","stableIds":["featureId","issue"],"volatileClaims":"Feature records must not be described as live unless status is live and issue/PR evidence supports it."},{"id":"evidence-roadmap","route":"/roadmap/source-data","resolves":"Public roadmap item status, blocker notes, next milestones, issue links, and public evidence.","stableIds":["roadmapItemId","featureId","issue"],"volatileClaims":"Roadmap lane changes should come from merged issue work or explicit admin updates."},{"id":"evidence-comparisons","route":"/compare/source-data","resolves":"Competitor records, official source URLs, retrieval dates, SEO targets, and caveats.","stableIds":["competitorId","sourceId","seoTargetId"],"volatileClaims":"Pricing, packaging, integrations, and feature availability require a fresh source refresh before citation."},{"id":"evidence-admin","route":"/agent-docs/project-source-data","resolves":"Public-safe admin roadmap, work-log, user-journey, and owner-attention records.","stableIds":["workLogEntryId","userJourneyId","markAttentionId","roadmapItemId"],"volatileClaims":"Private notes and owner-only decisions stay behind Better Auth or approved scripts.","legacyRoutes":["/admin/source-data"]},{"id":"evidence-director-status","route":"/agent-docs/director-status-source-data","resolves":"Director workstream rollups, briefing controls, executive queue lanes, and recent-change digests.","stableIds":["directorWorkstreamId","directorWindowId","directorQueueLaneId","directorBriefingControlId"],"volatileClaims":"Director rollups are summaries of public-safe admin records; raw private rows stay behind owner auth.","legacyRoutes":["/admin/director/source-data"]},{"id":"evidence-admin-roadmap","route":"/agent-docs/project-roadmap-source-data","resolves":"Owner-maintained roadmap records, status counts, issue links, PR links, and evidence links.","stableIds":["roadmapItemId","featureId","issue"],"volatileClaims":"Roadmap status changes should come from merged issue work or explicit admin updates.","legacyRoutes":["/admin/roadmap/source-data"]},{"id":"evidence-admin-work-log","route":"/agent-docs/project-work-log-source-data","resolves":"Public-safe work-log entries for substantive agent work, shipped features, validations, and surface updates.","stableIds":["workLogEntryId","roadmapItemId","featureId"],"volatileClaims":"Work-log entries are audit evidence, not proof that a feature is live without issue, PR, and deploy context.","legacyRoutes":["/admin/work-log/source-data"]},{"id":"evidence-user-journeys","route":"/agent-docs/user-journey-source-data","resolves":"Named user journeys, owner/user goals, expected paths, edge cases, and evidence links.","stableIds":["userJourneyId","featureId","roadmapItemId"],"volatileClaims":"Journeys describe intended product paths and should be checked against live route evidence before public claims.","legacyRoutes":["/admin/user-journeys/source-data"]},{"id":"evidence-owner-attention","route":"/agent-docs/owner-attention-source-data","resolves":"Public-safe owner-attention summaries, blocker flags, due timing, and related issue or PR links.","stableIds":["markAttentionId","roadmapItemId","featureId"],"volatileClaims":"Owner-attention summaries are coordination state and must not expose raw private notes or inbox bodies.","legacyRoutes":["/admin/for-mark/source-data"]},{"id":"evidence-commerce","route":"/commerce/source-data","resolves":"Redacted commerce architecture, sandbox checkout offer, referral attribution evidence, review-only commission ledger evidence, owner review action boundaries, non-billing post-purchase decision evidence, payment tables, webhook rules, and billing write safety.","stableIds":["productId","priceId","checkoutIntentId","referralClickId","referralAttributionId","commissionReviewActionId","reviewOnlyCommissionLedgerId","postPurchaseDecisionId","auditCorrelationId"],"volatileClaims":"Live payment capability, one-click post-purchase charging, fulfillment, and payable commission state are not enabled until separate rollout and webhook smoke evidence prove them."},{"id":"evidence-pricing-policy","route":"/pricing/source-data","resolves":"Bumpgrade account-plan pricing, logged-out anonymous playground status, signed-in Free Build workspace status, paid go-live gates, setup add-on, and redaction policy.","stableIds":["free-build-before-go-live","freeBuildCapabilityId","paidGoLiveGateId","pricingPlanSlug"],"volatileClaims":"Anonymous playground persistence, browser-recovery save limits, owner-gated and scheduled cleanup controls, additive claim-to-private-draft and private claim-record creation, and signed-in Free Build workspace creation are live; paid go-live actions still require entitlement and confirmation."},{"id":"evidence-anonymous-playground","route":"/playground/source-data","resolves":"Browser-scoped logged-out structured playground recovery, save route, save-limit policy, claim route, additive claim merge policy, owner-gated cleanup route, scheduled cleanup trigger, private draft creation, private claim-record creation, cookie and retention boundaries, redaction policy, and paid go-live gates.","stableIds":["anonymousPlaygroundId","anonymousPlaygroundRoute","anonymousPlaygroundGateId"],"volatileClaims":"The playground saves structured launch context before signup, limits rapid repeat saves per browser recovery workspace without raw IP or user-agent storage, can expire old anonymous recovery through owner or scheduled cleanup, and can create a private launch draft plus private offer/product/audience/importer-review records after verified-account claim; it is not public publishing, live checkout, subscriber sends, domain reservation, fulfillment, or product access."},{"id":"evidence-agent-manifest","route":"/agent-docs/source-data","resolves":"Agent doc links, read contracts, evidence routes, MCP plan, and write-safety rules.","stableIds":["agentDocId","readContractId","mcpPlanId","evidenceRouteId"],"volatileClaims":"The manifest is discovery metadata; it does not grant write permission."},{"id":"evidence-content-surfaces","route":"/content/source-data","resolves":"Audience segments, resource hub records, pricing principles, planned pricing tracks, issue links, and agent boundaries.","stableIds":["audienceSegmentId","resourceItemId","pricingPrincipleId","pricingTrackId"],"volatileClaims":"Experiment, Grow, Enterprise, and White glove setup are the current public pricing records; future limits, trials, and usage-meter rates still need current source evidence before being cited."},{"id":"evidence-customer-proof","route":"/trust/source-data","resolves":"Customer-proof approval policy, approved record counts, public redaction boundary, and the current absence or presence of approved testimonials, logos, metrics, case studies, and endorsements.","stableIds":["customer-proof-approval-policy","customerProofRecordId","customerProofSourceId"],"volatileClaims":"Agents must not invent customer names, logos, testimonials, revenue, conversion metrics, endorsements, or case studies. Only approved customer-proof records in this route may be cited as customer proof."},{"id":"evidence-publisher-account-setup","route":"/account/source-data","resolves":"Paid publisher tenant setup, Bumpgrade subdomain reservation rules, custom-domain DNS onboarding, D1 table boundaries, cross-subdomain auth configuration, and the no-domain-purchase launch policy.","stableIds":["publisherTenantId","publisherSubdomainReservationId","publisherCustomDomainId","publisherPlanEntitlementId","issue"],"volatileClaims":"Default Bumpgrade subdomain reservation and existing-domain DNS onboarding are live for paid accounts; Bumpgrade-hosted subdomains share the central identity session, custom domains use a Bumpgrade login handoff, and Bumpgrade does not sell or register domains today."},{"id":"evidence-funnels","route":"/funnels/source-data","resolves":"Seeded funnel, ordered steps, page blocks, reusable funnel templates including webinar/resource page shapes, block-template library records, owner-session template-to-draft capability, owner-session checkout-link capability, owner-session checkout-unlink capability, owner-session resource delivery link capability, public and owner-session agent funnel resource delivery token capability, owner-session webinar event link capability, owner-session archived-draft purge capability, owner-session visual block style capability, owner-session block reorder capability, owner-session cross-step block move capability, public funnel checkout-start capability, aggregate owner product delivery-gate counts, revision ID, preview route, source-data route, published D1 funnel summaries, owner-gated draft capability, D1 table names, and confirmed-write boundary.","stableIds":["funnelId","funnelStepId","funnelBlockId","funnelTemplateId","funnelBlockTemplateId","funnelCheckoutLinkId","funnelCheckoutUnlinkId","funnelResourceDeliveryLinkId","funnelResourceDeliveryTokenId","agentFunnelResourceDeliveryTokenId","funnelWebinarEventLinkId","funnelDraftPurgeId","funnelPurgeEventId","funnelDraftBlockVisualStyleId","funnelDraftBlockReorderId","funnelDraftBlockCrossStepMoveId","funnelWebinarResourceTemplateId","funnelRevisionId","funnelDraftId","funnelAuditEventId","checkoutIntentId","checkoutOfferStackId","offerId","productDeliveryGateLinkId"],"volatileClaims":"The public funnel contract exposes template and block-template records, webinar/resource page-shape records, owner-gated template-create, checkout-link, checkout-unlink, resource-delivery-link, public and owner-session agent funnel resource delivery token, webinar-event-link, archived-draft purge, visual block style presets, within-step block-reorder, cross-step block-move, editable draft, publish capability metadata, direct agent-safe visual style presets, reusable block add/remove, checkout linking/unlinking, resource-delivery linking, webinar-event linking, block movement, public publishing, archive/unpublish, and archived-draft purge metadata, public sandbox checkout-start rendering metadata, entitlement-safe resource access references, external webinar registration/replay references, and aggregate owner product delivery-gate counts; it does not expose unpublished private draft copy, direct agent template creation, unauthenticated public agent-created delivery tokens, direct agent non-archived or bulk purge, unauthenticated public agent publishing, live billing, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, or unconfirmed agent edits."},{"id":"evidence-checkout-offers","route":"/offers/source-data","resolves":"Seeded checkout offer stack, primary offer, selectable order bump, optional referral-click attribution evidence, upsell, downsell, non-billing post-purchase decision contract, aggregate decision counts, aggregate owner product delivery-gate counts, checkout route, revision ID, and confirmed-write boundary.","stableIds":["checkoutOfferStackId","offerId","orderBumpId","upsellId","downsellId","checkoutRevisionId","referralClickId","postPurchaseDecisionId","productDeliveryGateLinkId"],"volatileClaims":"The checkout-offer contract now includes a confirmed sandbox checkout start for the seeded primary offer plus constrained order bump, optional referral-click attribution evidence, non-billing upsell/downsell decision evidence, and aggregate owner product delivery-gate counts; it is not live billing, one-click upsell charging, fulfillment, commission writes, price mutation, or direct agent write capability."},{"id":"evidence-products-access","route":"/products/source-data","resolves":"Seeded product catalog, assets, access rules, entitlement templates, payment-plan records, sandbox webhook grant mappings, aggregate owner-entitlement inspection counts, aggregate owner-created product, test checkout, delivery-gate, and test grant counts, customer-safe lookup contract, private R2-backed fixture delivery contract, owner-confirmed private asset upload intent contract, owner-confirmed non-destructive revocation intent contract, protected content readiness, checkout-intent-scoped protected fixture delivery, redaction flags, preview route, revision ID, and confirmed-write boundary.","stableIds":["productId","assetId","accessRuleId","entitlementTemplateId","productEntitlementInspectionId","customerProductEntitlementLookupId","productDownloadTokenId","productAssetUploadIntentId","productCreationIntentId","productTestCheckoutLinkId","productDeliveryGateLinkId","productOfferAccessGrantIntentId","productEntitlementRevocationIntentId","productProtectedContentId","productProtectedContentDeliveryId","productPaymentPlanId","subscriptionPlanId","fulfillmentId"],"volatileClaims":"The product/access contract includes seeded payment-plan read records, sandbox webhook-backed entitlement row grants, owner-only entitlement inspection, customer-safe checkout intent lookup, short-lived tokens that stream a seeded private R2 fixture, owner-created product test checkout links, owner product delivery-gate links, owner-confirmed private asset upload records, owner-confirmed non-destructive revocation intent records, protected content readiness, and checkout-intent-scoped seeded protected fixture delivery; it is not live payment-plan checkout, signed object URL access, customer delivery of arbitrary uploads, destructive revocation, subscription access mutation, live offer/funnel publishing, live charges, or live fulfillment automation."},{"id":"evidence-audience-automation","route":"/audience/source-data","resolves":"Seeded audience automation workspace, opt-in form, consent-backed capture API, aggregate subscriber inspection counts, redaction flags, tags, segments, lead magnet, sequence, aggregate sequence delivery readiness, dry-run sequence schedule intent counts, dry-run sequence delivery-batch counts, dry-run sequence queue-message counts, dry-run sequence dispatch preflight counts, dry-run sequence dispatch attempt receipt counts, sequence Queue producer readiness counts, sequence Queue consumer readiness counts, sequence provider-call readiness counts, sequence delivery-attempt readiness counts, sequence delivery-result readiness counts, sequence delivery-status webhook readiness counts, sequence provider-polling readiness counts, sequence receipt-payload readiness counts, broadcast draft, broadcast readiness, dry-run broadcast schedule intent counts, broadcast preview safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness gates, provider-event readiness gates, provider rate-limit readiness gates, provider response readiness gates, send-payload readiness gates, Queue producer readiness gates, Queue consumer readiness gates, provider-call readiness gates, delivery-attempt readiness gates, delivery-result readiness gates, delivery-status webhook readiness gates, provider-polling readiness gates, receipt-payload readiness gates, owner-confirmed import intent evidence, owner-confirmed import preflight evidence, aggregate export readiness evidence, and confirmed-write boundary.","stableIds":["subscriberSegmentId","subscriberId","subscriberInspectionId","optInFormId","leadMagnetId","emailSequenceId","sequenceEnrollmentPauseId","sequenceDeliveryReadinessId","sequenceScheduleIntentId","sequenceDeliveryBatchId","sequenceDeliveryQueueMessageId","sequenceDispatchPreflightId","sequenceDispatchAttemptId","sequenceQueueProducerReadinessId","sequenceQueueConsumerReadinessId","sequenceProviderCallReadinessId","sequenceDeliveryAttemptReadinessId","sequenceDeliveryResultReadinessId","sequenceDeliveryStatusWebhookReadinessId","sequenceProviderPollingReadinessId","sequenceReceiptPayloadReadinessId","automationRuleId","broadcastReadinessId","broadcastScheduleIntentId","broadcastPreviewSafetyId","broadcastQueueReadinessId","broadcastDeliveryBatchId","broadcastDeliveryQueueMessageId","broadcastDispatchPreflightId","broadcastDispatchAttemptId","broadcastSenderDomainReadinessId","broadcastProviderEventReadinessId","broadcastProviderRateLimitReadinessId","broadcastProviderResponseReadinessId","broadcastSendPayloadReadinessId","broadcastQueueProducerReadinessId","broadcastQueueConsumerReadinessId","audienceImportIntentId","audienceImportPreflightId","audienceExportReadinessId"],"volatileClaims":"The audience automation contract includes consent-backed opt-in capture, aggregate owner-inspection evidence, unsubscribe/suppression evidence, unsubscribe-paused sequence enrollment aggregates, aggregate sequence delivery readiness from issue #351, dry-run sequence schedule intents from issue #354, dry-run sequence delivery batches from issue #358, dry-run sequence queue-message evidence from issue #360, dry-run sequence dispatch preflight evidence from issue #362, dry-run sequence dispatch attempt receipt evidence from issue #364, sequence Queue producer readiness from issue #366, sequence Queue consumer readiness from issue #368, sequence provider-call readiness from issue #370, sequence delivery-attempt readiness from issue #372, sequence delivery-result readiness from issue #374, sequence delivery-status webhook readiness from issue #376, sequence provider-polling readiness from issue #378, sequence receipt-payload readiness from issue #380, private owner-note counts, broadcast readiness, dry-run broadcast schedule intent counts, preview/footer safety, queue readiness, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, provider-call readiness, delivery-attempt readiness, delivery-result readiness, delivery-status webhook readiness, provider-polling readiness, receipt-payload readiness, owner-confirmed import intents, owner-confirmed import preflights, and aggregate export readiness evidence from issue #347; it is not contact import, raw import row storage, raw email storage, subscriber creation from imports, real sequence scheduling, live email sending, private export, export file creation, private DNS/provider setup, provider webhook processing, webhook payload reading or creation, provider polling, provider polling payload reading or creation, provider polling result creation, receipt payload creation, delivery receipt creation, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, queue payload body creation or reading, Queue message consumption, Queue message acknowledgements, ack/retry/dead-letter row creation, provider calls, delivery attempts, delivery results, webhooks, receipts, delivery queue row creation, recipient payload creation, raw payload body storage, provider response creation, provider message creation, personalized body generation, unsubscribe URL creation, body template exposure, or direct public agent subscriber write capability."},{"id":"evidence-analytics-experiments","route":"/analytics/source-data","resolves":"Seeded analytics event taxonomy, event capture API, browser-side page-view beacon boundary, dashboard-visible aggregate source attribution rows, fixed time-window metadata, aggregate event counts, aggregate variant event counts, aggregate source attribution counts, assignment API, aggregate assignment counts, aggregate funnel conversion reports, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox records, owner-confirmed dispatch preflight evidence, owner-reviewed provider/domain readiness evidence, metric formulas, experiment variants, assignment rule, owner-confirmed experiment decision evidence, and confirmed-write boundary.","stableIds":["analyticsEventId","analyticsEventIngestionId","analyticsPageViewBeaconId","analyticsEventVariantAggregateId","analyticsEventSourceAggregateId","experimentAssignmentId","analyticsExperimentDecisionId","analyticsReportExportId","analyticsReportExportSectionId","analyticsCohortFixtureId","analyticsCohortComparisonId","analyticsCohortReviewId","analyticsCohortReviewStatus","analyticsAlertThresholdId","analyticsAnomalyReviewId","analyticsAnomalyReviewStatus","analyticsNotificationReadinessId","analyticsNotificationChannelId","analyticsNotificationReadinessStatus","analyticsNotificationInboxRecordId","analyticsNotificationInboxStatus","analyticsNotificationDispatchPreflightId","analyticsNotificationDispatchPreflightStatus","analyticsFunnelConversionReportId","analyticsTimeWindow","analyticsExperimentTrafficRoutingId","analyticsExperimentHoldoutRoutingId","utmSource","utmMedium","utmCampaign","referrerHost","metricId","experimentId","variantId","assignmentRuleId"],"volatileClaims":"The affiliate/referral contract includes seeded click capture, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal action boundaries, aggregate counts, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, and owner-reviewed notification provider readiness records; it is not cookie assignment, buyer attribution finalization, payable statement creation, payable commission state, private fraud signal exposure, tax collection, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, queue dispatch, authenticated private partner portal access, direct agent review automation, or Stripe payout capability."},{"id":"evidence-affiliate-referrals","route":"/affiliates/source-data","resolves":"Seeded affiliate program, partner records, referral links, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, owner-reviewed notification provider readiness records, referral click capture API, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal actions, aggregate counts, attribution rules, commission rules, ledger fixtures, payout batch, review flags, and confirmed-write boundary.","stableIds":["affiliateProgramId","affiliatePartnerId","affiliatePartnerPortalId","affiliatePartnerStatementSnapshotId","affiliatePartnerReportId","payoutPreparationId","payoutPreparationRecordId","payoutPreparationRecordStatus","fraudReviewRecordId","fraudReviewRecordStatus","partnerNotificationReadinessRecordId","partnerNotificationReadinessRecordStatus","partnerNotificationSendPreflightRecordId","partnerNotificationSendPreflightRecordStatus","partnerNotificationProviderReadinessRecordId","partnerNotificationProviderReadinessRecordStatus","referralLinkId","referralClickId","checkoutIntentId","referralAttributionId","reviewOnlyCommissionLedgerId","commissionReviewActionId","commissionRuleId","commissionLedgerId","payoutBatchId"],"volatileClaims":"The affiliate/referral contract includes seeded click capture, checkout attribution evidence, review-only commission ledger evidence, owner review/reversal action boundaries, aggregate counts, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, and owner-reviewed notification provider readiness records; it is not cookie assignment, buyer attribution finalization, payable statement creation, payable commission state, private fraud signal exposure, tax collection, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, queue dispatch, authenticated private partner portal access, direct agent review automation, or Stripe payout capability."},{"id":"evidence-mobile-admin","route":"/mobile-admin/source-data","resolves":"Mobile jobs-to-be-done, iOS and Android child issues, live dashboard source-data route, API dependencies, stack decision, and write boundaries.","stableIds":["mobileJobId","mobileApiDependencyId","platformIssue","mobileDashboardCardId"],"volatileClaims":"The mobile contract and live public dashboard digest are live, but installable iOS and Android app claims require #67 and #68 smoke evidence."},{"id":"evidence-mobile-admin-dashboard","route":"/mobile-admin/dashboard/source-data","resolves":"Public-safe mobile dashboard digest with feature counts, roadmap counts, recent work-log metadata, attention counts, commerce table counts, agent-readiness counts, and platform source-data routes.","stableIds":["mobileDashboardCardId","featureId","roadmapItemId","workLogEntryId","markAttentionId","agentReadContractId"],"volatileClaims":"The dashboard is a public-safe read contract with owner-session and confirmed-action requirements, not private mobile rows, push notifications, live confirmed writes, App Store distribution, or Play Store distribution."},{"id":"evidence-ios-mobile-admin","route":"/mobile-admin/ios/source-data","resolves":"iOS app-foundation path, generated fixture, simulator target, validation command, smoke command, and screenshot evidence.","stableIds":["platformIssue","fixturePath","simulatorBundleId"],"volatileClaims":"The iOS simulator smoke target renders owner-session and confirmed-action requirements, but it is not App Store distribution, push notification support, private mobile rows, or live confirmed-write capability."},{"id":"evidence-android-mobile-admin","route":"/mobile-admin/android/source-data","resolves":"Android app-foundation path, generated fixture asset, native package, emulator target, validation command, smoke command, and screenshot evidence.","stableIds":["platformIssue","fixturePath","nativePackage","defaultAvd"],"volatileClaims":"The Android emulator smoke target renders owner-session and confirmed-action requirements, but it is not Play Store distribution, push notification support, private mobile rows, or live confirmed-write capability."}],"publicAdminSourceDataAliases":[{"id":"director-status-source-data","title":"Director status source data","route":"/agent-docs/director-status-source-data","sourceRoute":"/admin/director/source-data"},{"id":"project-source-data","title":"Project source data","route":"/agent-docs/project-source-data","sourceRoute":"/admin/source-data"},{"id":"project-roadmap-source-data","title":"Project roadmap source data","route":"/agent-docs/project-roadmap-source-data","sourceRoute":"/admin/roadmap/source-data"},{"id":"project-work-log-source-data","title":"Project work-log source data","route":"/agent-docs/project-work-log-source-data","sourceRoute":"/admin/work-log/source-data"},{"id":"user-journey-source-data","title":"User journey source data","route":"/agent-docs/user-journey-source-data","sourceRoute":"/admin/user-journeys/source-data"},{"id":"owner-attention-source-data","title":"Owner attention source data","route":"/agent-docs/owner-attention-source-data","sourceRoute":"/admin/for-mark/source-data"}],"mcpPlan":[{"id":"mcp-resource-features","resourceOrTool":"resource bumpgrade://features","status":"ready-contract","backedBy":"/features/source-data","purpose":"Expose feature IDs, statuses, issues, evidence, and agent-contract notes.","safetyBoundary":"Read-only; feature status changes still happen through issue/PR/admin workflows."},{"id":"mcp-resource-roadmap","resourceOrTool":"resource bumpgrade://roadmap","status":"ready-contract","backedBy":"/roadmap/source-data","purpose":"Expose roadmap lanes, public evidence, blockers, and next milestones.","safetyBoundary":"Read-only until a confirmed roadmap update API exists."},{"id":"mcp-resource-claims","resourceOrTool":"tool resolve_public_claim","status":"planned","backedBy":"/compare/source-data, /features/source-data, /roadmap/source-data, /agent-docs/project-work-log-source-data","purpose":"Resolve a public claim to source IDs, URLs, issues, PRs, and work-log evidence.","safetyBoundary":"Must return caveats when evidence is stale, missing, planned-only, or private."},{"id":"mcp-resource-competitor-importers","resourceOrTool":"resource bumpgrade://importers","status":"ready-contract","backedBy":"/imports/source-data","purpose":"Expose importer platform IDs, competitor mappings, input kinds, platform-specific source checklists, export match templates, preflight signal labels, redacted sourceChecklistReview maps, exportFileAnalysis fields, platformExportMatches, private structured import-record contracts, safe extractedFields plans, subscriberImportDepth metadata, subscriberImportPreflight actions, subscriberImportCreation actions, subscriberAudiencePromotion actions, owner-only privateSubscriberRecords inspection rules, owner-only subscriberPrivateExport actions, private record review routes, review-action routes, extracted-field edit actions, saved private plan parts, duplicate-review statuses, rollback routes, limitations, and safety gates.","safetyBoundary":"Read-only; public export parsing returns redacted structure only. Public source-data exposes the importRecords, extractedFields, subscriberImportDepth, subscriberImportPreflight, subscriberImportCreation, subscriberAudiencePromotion, owner-only privateSubscriberRecords inspection contracts, and owner-only subscriberPrivateExport contracts but not private record content, raw values, or private subscriber emails. Confirmed promotion creates imported-pending audience review rows only; confirmed private subscriber export returns contact values only in a same-owner CSV download. No raw public export storage, public publishing, checkout migration, consent event creation, sequence enrollment, subscriber send, public export, domain, fulfillment, or account-to-account transfer may be performed by this resource."},{"id":"mcp-resource-commerce","resourceOrTool":"resource bumpgrade://commerce","status":"ready-contract","backedBy":"/commerce/source-data","purpose":"Expose redacted commerce architecture, sandbox checkout status, referral attribution evidence, and billing write rules.","safetyBoundary":"No live billing, commission write, payout mutation, or destructive action may be performed by this resource."},{"id":"mcp-resource-pricing-policy","resourceOrTool":"resource bumpgrade://pricing-policy","status":"ready-contract","backedBy":"/pricing/source-data","purpose":"Expose pricing plans, logged-out anonymous structured playground state, browser-recovery save limits, anonymous cleanup controls including the scheduled trigger, signed-in Free Build workspace state, and paid go-live gates.","safetyBoundary":"Read-only pricing resource; anonymous structured playground saves are browser-scoped and rate-limited per browser recovery workspace, cleanup is owner-gated or scheduled and redacted, claim creates or reuses the verified account's Free Build workspace and adds private draft work plus private claim records, signed-in Free Build workspace creation uses authenticated account setup APIs, and public publishing, live checkout, subscriber sends, domains, and fulfillment remain behind paid entitlement."},{"id":"mcp-resource-anonymous-playground","resourceOrTool":"resource bumpgrade://anonymous-playground","status":"ready-contract","backedBy":"/playground/source-data","purpose":"Expose the logged-out structured playground recovery, save-limit, claim, owner-gated cleanup, scheduled cleanup, private claim-record, redaction, retention, and go-live gate contract.","safetyBoundary":"No public publishing, billing mutation, subscriber send, domain reservation, fulfillment, private claim-record disclosure, expired draft disclosure, cleanup actor disclosure, cookie disclosure, or token-hash disclosure may be performed from this resource."},{"id":"mcp-resource-content","resourceOrTool":"resource bumpgrade://content-surfaces","status":"ready-contract","backedBy":"/content/source-data","purpose":"Expose personas, resource records, pricing caveats, and content-surface issue evidence.","safetyBoundary":"Read-only; public resource and pricing claims still require source evidence or shipped product proof."},{"id":"mcp-resource-funnels","resourceOrTool":"resource bumpgrade://funnels","status":"ready-contract","backedBy":"/funnels/source-data","purpose":"Expose seeded funnel, published D1 funnels, ordered steps, blocks, reusable templates including webinar/resource page shapes, block templates, owner-gated draft duplication capability, owner-gated block-edit capability, owner-gated visual block style capability, owner-gated bounded canvas layout capability, owner-gated block add/remove capability, owner-gated block reorder capability, owner-gated cross-step block move capability, owner-gated archive/unpublish capability, owner-gated archived-draft purge capability, owner-gated bulk archived-draft purge capability, checkout-link capability, checkout-unlink capability, resource-delivery-link capability, public and owner-session agent funnel resource delivery token capability, webinar-event-link capability, public funnel checkout-start capability, revision IDs, owner-gated draft capability, and write-safety boundaries.","safetyBoundary":"Public resource stays read-only; published linked checkout blocks can render the sandbox checkout start surface, published resource-linked blocks can render entitlement-safe product access references and mint funnel-scoped private download tokens only after checkout intent and entitlement scope match, published webinar-linked blocks can render external event/replay references, and owner-session draft create/seed/template-create/duplicate/update/reorder/block-edit/block-style/block-canvas-layout/block-add/block-remove/block-reorder/block-cross-step-move/checkout-link/checkout-unlink/resource-delivery-link/webinar-event-link/archive/purge/bulk-purge, drag/drop block placement through existing move modes, webinar/resource template-to-draft, private preview, exact-confirmed publish, exact-confirmed archive/unpublish, exact-confirmed archived-draft purge, and exact-confirmed bulk archived-draft purge exist in admin UI. The owner-session /api/agent/funnels/draft-writes JSON API now allows direct agent-safe block copy edits, curated visual style presets, bounded canvas layouts, reusable block add/remove, checkout-offer linking, checkout unlinking, resource-delivery linking, webinar-event linking, block reordering, cross-step block moves, private draft duplication, public publishing, archive/unpublish, archived-draft purge, and bulk archived-draft purge after exact confirmation, idempotency, current revision or per-target archived revisions, and audit correlation checks. The owner-session /api/agent/funnels/resource-delivery-tokens API can create a funnel-scoped resource delivery token for a published linked resource block after exact confirmation, idempotency, current published revision, checkout intent, entitlement, and audit correlation checks, with replays redacted because raw tokens are not stored. Agent style writes store only curated style IDs, agent canvas layout writes store only bounded numbers, and both preserve block metadata. Direct agent publishing creates a public route mutation with archive-draft rollback and no billing mutation. Direct agent archived purge and bulk archived-draft purge record tombstones first and do not delete audit rows, product assets, R2 objects, buyer records, or billing state. Direct agent template creation, unauthenticated public agent-created delivery tokens, non-archived purge, unauthenticated public agent publishing, live billing, live webinar scheduling, attendance tracking, replay hosting, arbitrary uploaded private asset delivery, signed URLs, live fulfillment automation, and unbounded arbitrary CSS/script layout editing require future confirmed-write contracts."},{"id":"mcp-tool-duplicate-funnel-draft","resourceOrTool":"tool duplicate_funnel_draft","status":"planned","backedBy":"/admin/funnels and /api/admin/funnels/drafts","purpose":"Duplicate a private draft funnel for an authenticated owner using the same D1 tables and audit model.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, current draft revision, audit event, and redaction. Checkout-link metadata must not be copied by default, and the duplicate must remain private until separately published."},{"id":"mcp-tool-archive-funnel-draft","resourceOrTool":"tool archive_funnel_draft","status":"planned","backedBy":"/admin/funnels and /api/admin/funnels/drafts","purpose":"Archive a private draft funnel or unpublish a published D1 draft funnel for an authenticated owner using the same D1 tables and audit model.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, current draft revision, audit event, and redaction. Archiving makes the draft read-only, clears the public preview route, and removes the draft from published source-data without deleting draft rows, steps, blocks, checkout links, or audit records."},{"id":"mcp-tool-purge-funnel-draft","resourceOrTool":"tool purge_funnel_draft","status":"planned","backedBy":"/admin/funnels and /api/admin/funnels/drafts","purpose":"Purge an already archived draft funnel for an authenticated owner using the same D1 tables plus purge tombstone evidence.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, current archived draft revision, a durable funnel_purge_events tombstone, and redaction. It may delete only one archived draft and its step rows; audit rows, product assets, R2 objects, buyer records, billing state, non-archived drafts, and unauthenticated public writes remain out of scope."},{"id":"mcp-tool-bulk-purge-funnel-drafts","resourceOrTool":"tool bulk_purge_archived_funnel_drafts","status":"planned","backedBy":"/admin/funnels, /api/admin/funnels/drafts, and /api/agent/funnels/draft-writes","purpose":"Bulk purge selected already archived draft funnels for an authenticated owner using the same D1 tables plus one purge tombstone per draft.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, current archived draft revisions for every selected draft, all-target prevalidation, durable funnel_purge_events tombstones, and redaction. It may delete only archived draft and step rows; audit rows, product assets, R2 objects, buyer records, billing state, non-archived drafts, and unauthenticated public writes remain out of scope."},{"id":"mcp-tool-create-funnel-draft","resourceOrTool":"tool create_funnel_draft","status":"planned","backedBy":"/admin/funnels and /api/admin/funnels/drafts","purpose":"Create a private draft funnel for an authenticated owner using the same D1 tables and audit model.","safetyBoundary":"Requires owner identity, explicit confirmation, idempotency key, audit event, stale-state check, and redaction before an agent may call it directly."},{"id":"mcp-tool-edit-funnel-step","resourceOrTool":"tool edit_funnel_step","status":"planned","backedBy":"/admin/funnels and /api/admin/funnels/drafts","purpose":"Edit or reorder a private draft funnel step for an authenticated owner using the same D1 tables and audit model.","safetyBoundary":"Requires owner identity, explicit confirmation for creator-speech edits, idempotency key, audit event, stale-state check, and redaction before an agent may call it directly."},{"id":"mcp-resource-checkout-offers","resourceOrTool":"resource bumpgrade://checkout-offers","status":"ready-contract","backedBy":"/offers/source-data","purpose":"Expose seeded checkout offer stack, primary offer, constrained order bump, optional referral attribution evidence, upsell, downsell, aggregate post-purchase decision evidence, aggregate owner product delivery-gate counts, revision IDs, and billing boundaries.","safetyBoundary":"Read-only for agents; the public UI can start a sandbox checkout only after exact confirmation and can record non-billing follow-up decisions after trusted checkout state, while owner product delivery-gate writes require owner auth and live billing, offer writes, fulfillment, commission writes, and post-purchase charges require confirmed-write contracts."},{"id":"mcp-resource-product-access","resourceOrTool":"resource bumpgrade://product-access","status":"ready-contract","backedBy":"/products/source-data","purpose":"Expose seeded products, assets, access rules, entitlement templates, payment-plan records, revision IDs, aggregate owner-entitlement inspection counts, aggregate owner-created product, test checkout, delivery-gate, and test grant counts, customer-safe checkout intent lookup, short-lived private R2-backed download-token boundaries with redemption revalidation, owner-confirmed private asset upload-intent boundaries, owner-created product test checkout and offer/access grant boundaries, owner-created product delivery-gate boundaries, owner-confirmed non-destructive revocation intent boundaries, protected content readiness, and fulfillment boundaries.","safetyBoundary":"Read-mostly for public agents; payment-plan records are seeded read semantics without live amounts, Stripe Price creation, Checkout Sessions, customer records, or provider IDs. Customer lookup requires a checkout intent reference and redacts buyer/provider/private asset data. Token delivery streams only the seeded fixture through Bumpgrade. Owner product creation, owner-created product test checkout links, owner-created product delivery-gate links, and owner-created product test grants require owner auth, exact confirmation, idempotency, stale-state checks where applicable, and redaction. Owner-upload intents require owner auth, exact confirmation, idempotency, catalog revision checks, and redaction. Owner revocation intents require owner auth, exact confirmation, idempotency, current entitlement status checks, and redaction, but still do not mutate entitlement state. Protected-content records remain constrained to checkout-scoped fixture delivery; customer delivery of arbitrary uploads, real protected body delivery, subscription access changes, destructive revocation, live offer/funnel publishing, live charges, and fulfillment actions remain unavailable."},{"id":"mcp-tool-create-product-delivery-gate-link","resourceOrTool":"tool create_product_delivery_gate_link","status":"planned","backedBy":"/api/admin/products/delivery-gates","purpose":"Create owner-confirmed delivery-gate linkage between an owner-created product test checkout link and the seeded offer/funnel path for an authenticated owner on top of the same D1 contract.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, current product updatedAt, current checkout-link revision, audit metadata, and redacted output. It must not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer/funnel state, signed URLs, private R2 keys, customer delivery, public buyer records, or direct public agent writes."},{"id":"mcp-tool-create-product-offer-access-grant","resourceOrTool":"tool create_product_offer_access_grant","status":"planned","backedBy":"/api/admin/products/offer-access-grants","purpose":"Create owner-confirmed test offer/funnel linkage and synthetic paid test access grant evidence for an authenticated owner on top of the same D1 contract.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, audit metadata, and redacted output. It must not create Stripe products, Stripe prices, Checkout Sessions, live charges, published offer copy, public buyer records, or direct public agent writes."},{"id":"mcp-tool-create-product-asset-upload-intent","resourceOrTool":"tool create_product_asset_upload_intent","status":"planned","backedBy":"/api/admin/products/assets","purpose":"Create a small private product asset upload record for an authenticated owner on top of the same D1/R2 contract.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, catalog revision check, audit metadata, and redacted output. It must not expose R2 object keys, signed URLs, raw upload bodies, buyer data, or make uploaded assets customer-deliverable."},{"id":"mcp-tool-create-product-revocation-intent","resourceOrTool":"tool create_product_revocation_intent","status":"planned","backedBy":"/api/admin/products/revocation-intents","purpose":"Record a non-destructive product access-removal intent for an authenticated owner on top of the same D1 contract.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, current entitlement status check, audit metadata, and redacted output. It must not mutate entitlement status, issue refunds, change subscriptions, notify customers, expose private reason text, or enable direct public agent revocation writes."},{"id":"mcp-resource-audience-automation","resourceOrTool":"resource bumpgrade://audience-automation","status":"ready-contract","backedBy":"/audience/source-data","purpose":"Expose seeded opt-in forms, lead magnets, tags, segments, sequences, broadcasts, automation rules, aggregate subscriber inspection counts, aggregate suppression counts, aggregate CRM timeline counts, aggregate sequence delivery readiness from issue #351, dry-run sequence schedule intent counts from issue #354, dry-run sequence delivery-batch counts from issue #358, dry-run sequence queue-message counts from issue #360, dry-run sequence dispatch preflight counts from issue #362, dry-run sequence dispatch attempt receipt counts from issue #364, sequence Queue producer readiness counts from issue #366, sequence Queue consumer readiness counts from issue #368, sequence provider-call readiness counts from issue #370, sequence delivery-attempt readiness counts from issue #372, sequence delivery-result readiness counts from issue #374, sequence delivery-status webhook readiness counts from issue #376, sequence provider-polling readiness counts from issue #378, sequence receipt-payload readiness counts from issue #380, broadcast readiness counts, dry-run broadcast schedule intent counts, preview/footer safety records, queue readiness records, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness gates, provider-event readiness gates, provider rate-limit readiness gates, provider response readiness gates, send-payload readiness gates, Queue producer readiness gates, Queue consumer readiness gates, provider-call readiness gates, delivery-attempt readiness gates, delivery-result readiness gates, delivery-status webhook readiness gates, provider-polling readiness gates, receipt-payload readiness gates, owner-confirmed import intent evidence, owner-confirmed import preflight evidence, aggregate audience export readiness from issue #347, redaction flags, consent boundaries, unsubscribe boundaries, owner-note boundaries, and owner sequence-schedule/sequence-delivery-batch/sequence-queue-message/sequence-dispatch-preflight/sequence-dispatch-attempt/sequence-Queue-producer-readiness/sequence-Queue-consumer-readiness/sequence-provider-call-readiness/sequence-delivery-attempt-readiness/sequence-delivery-result-readiness/sequence-delivery-status-webhook-readiness/sequence-provider-polling-readiness/sequence-receipt-payload-readiness/broadcast-schedule/delivery-batch/queue-message/dispatch-preflight/dispatch-attempt/import-intent/import-preflight boundaries.","safetyBoundary":"Seeded public opt-in capture, public-safe unsubscribe/suppression evidence, owner-gated subscriber inspection, owner-only CRM notes, aggregate sequence delivery readiness, owner-confirmed dry-run sequence schedule intents, owner-confirmed dry-run sequence delivery batches, owner-confirmed dry-run sequence queue-message evidence, owner-confirmed dry-run sequence dispatch preflight evidence, owner-confirmed dry-run sequence dispatch attempt receipts, owner-reviewed sequence Queue producer readiness, owner-reviewed sequence Queue consumer readiness, owner-reviewed sequence provider-call readiness, owner-reviewed sequence delivery-attempt readiness, owner-reviewed sequence delivery-result readiness, owner-reviewed sequence delivery-status webhook readiness, owner-reviewed sequence provider-polling readiness, owner-reviewed sequence receipt-payload readiness, read-only broadcast readiness, preview/footer safety, queue readiness, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, provider-call readiness, delivery-attempt readiness, delivery-result readiness, delivery-status webhook readiness, provider-polling readiness, receipt-payload readiness, owner-confirmed dry-run broadcast schedule intents, owner-confirmed delivery-batch dry runs, owner-confirmed queue-message dry runs, owner-confirmed dispatch preflight dry runs, owner-confirmed dispatch attempt receipts, owner-confirmed import intents, owner-confirmed import preflights, and aggregate export readiness are live; real imports, raw contact row storage, subscriber creation from imports, real sequence scheduling, real sends, private DNS/provider setup, provider webhooks, Cloudflare Queue dispatch, Queue producer execution, Queue consumer execution, Queue message consumption or acknowledgements, queue payload bodies, delivery queue rows, retry/dead-letter rows, provider calls, delivery attempts, delivery results, webhooks, webhook payloads, provider polling, provider polling payloads, polling results, receipt payloads, delivery receipts, recipient payloads, personalized bodies, body templates, unsubscribe URLs, provider responses, provider message IDs, private exports, export files, export URLs, CRM automation, and direct public agent subscriber writes require confirmed-write contracts."},{"id":"mcp-tool-create-sequence-delivery-result-readiness","resourceOrTool":"tool create_sequence_delivery_result_readiness","status":"planned","backedBy":"/api/admin/audience/sequences/delivery-result-readiness","purpose":"Record owner-reviewed sequence delivery-result readiness evidence on top of the same D1 contract from issue #374.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, workspace revision checks, sequence status checks, current sequence delivery-attempt readiness checks, readiness-count checks, provider-response, message-ID, delivery-result, webhook, receipt, backpressure, audit metadata, and redacted output. It must not make provider calls, send messages, create provider responses, create provider message IDs, create delivery attempts or results, process webhooks, create receipts, enable Queue consumers, consume or ack Queue messages, create retry/dead-letter rows, read or create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, expose unsubscribe URLs, expose raw recipient identity, or enable direct public agent writes."},{"id":"mcp-tool-create-sequence-delivery-status-webhook-readiness","resourceOrTool":"tool create_sequence_delivery_status_webhook_readiness","status":"planned","backedBy":"/api/admin/audience/sequences/delivery-status-webhook-readiness","purpose":"Record owner-reviewed sequence delivery-status webhook readiness evidence on top of the same D1 contract from issue #376.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, workspace revision checks, sequence status checks, current sequence delivery-result readiness checks, readiness-count checks, webhook, polling, receipt, backpressure, audit metadata, and redacted output. It must not make provider calls, send messages, create provider responses, create provider message IDs, create delivery attempts or results, process status webhooks, read or create webhook payloads, poll providers, create provider polling results, create receipt payloads, create receipts, enable Queue consumers, consume or ack Queue messages, create retry/dead-letter rows, read or create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, expose unsubscribe URLs, expose raw recipient identity, or enable direct public agent writes."},{"id":"mcp-tool-create-sequence-provider-polling-readiness","resourceOrTool":"tool create_sequence_provider_polling_readiness","status":"planned","backedBy":"/api/admin/audience/sequences/provider-polling-readiness","purpose":"Record owner-reviewed sequence provider-polling readiness evidence on top of the same D1 contract from issue #378.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, workspace revision checks, sequence status checks, current sequence delivery-status webhook readiness checks, readiness-count checks, polling, receipt, backpressure, audit metadata, and redacted output. It must not make provider calls, send messages, create provider responses, create provider message IDs, create delivery attempts or results, process status webhooks, read or create webhook payloads, poll providers, read or create provider polling payloads, create provider polling results, create receipt payloads, create receipts, enable Queue consumers, consume or ack Queue messages, create retry/dead-letter rows, read or create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, expose unsubscribe URLs, expose raw recipient identity, or enable direct public agent writes."},{"id":"mcp-tool-create-sequence-receipt-payload-readiness","resourceOrTool":"tool create_sequence_receipt_payload_readiness","status":"planned","backedBy":"/api/admin/audience/sequences/receipt-payload-readiness","purpose":"Record owner-reviewed sequence receipt-payload readiness evidence on top of the same D1 contract from issue #380.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, workspace revision checks, sequence status checks, current sequence provider-polling readiness checks, readiness-count checks, receipt-payload, delivery-receipt, retention, redaction, backpressure, audit metadata, and redacted output. It must not make provider calls, send messages, create provider responses, create provider message IDs, create delivery attempts or results, process status webhooks, read or create webhook payloads, poll providers, read or create provider polling payloads, create provider polling results, create receipt payloads, create delivery receipts, enable Queue consumers, consume or ack Queue messages, create retry/dead-letter rows, read or create queue payload bodies, create recipient payloads, create personalized bodies, expose body templates, expose unsubscribe URLs, expose raw recipient identity, or enable direct public agent writes."},{"id":"mcp-tool-create-audience-import-intent","resourceOrTool":"tool create_audience_import_intent","status":"planned","backedBy":"/api/admin/audience/import-intents","purpose":"Record a non-destructive audience import intent for an authenticated owner on top of the same D1 contract from issue #253.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, workspace revision/status checks, aggregate counts, audit metadata, and redacted output. It must not import contacts, store raw emails or contact rows, create sequence enrollments, send email, expose private notes, or enable direct public agent subscriber writes."},{"id":"mcp-tool-create-audience-import-preflight","resourceOrTool":"tool create_audience_import_preflight","status":"planned","backedBy":"/api/admin/audience/import-preflights","purpose":"Record aggregate audience import preflight evidence for an authenticated owner on top of the same D1 contract from issue #259.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, workspace revision/status checks, selected import-intent source checks, aggregate count validation, audit metadata, and redacted output. It must not import contacts, create subscribers, store raw emails or contact rows, export private data, create sequence enrollments, send email, expose private notes, or enable direct public agent subscriber writes."},{"id":"mcp-resource-analytics-experiments","resourceOrTool":"resource bumpgrade://analytics-experiments","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose seeded event taxonomy, browser-side page-view beacon boundaries, public-safe custom routing rules, seeded sandbox funnel copy routing, owner-confirmed winner rollout evidence, dashboard-visible aggregate source attribution rows, fixed time-window metadata, aggregate event counts, aggregate source attribution counts, aggregate variant event counts, aggregate assignment counts, aggregate conversion report rows, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox records, owner-confirmed dispatch preflight evidence, owner-reviewed notification delivery-status webhook readiness evidence, owner-reviewed notification provider-polling readiness evidence, owner-reviewed notification receipt-payload readiness evidence, owner-reviewed notification delivery-receipt readiness evidence, owner-reviewed notification provider-status reconciliation readiness evidence, owner-confirmed experiment decision evidence, metric formulas, experiment variants, assignment rules, and sample-size caveats.","safetyBoundary":"Seeded event capture, browser-side page-view beacons with deterministic variant evidence and normalized source attribution, deterministic assignment, public-safe custom source/campaign routing rules, seeded sandbox funnel copy routing, owner-confirmed winner rollout and rollback evidence, dashboard-visible fixed-window aggregate source rows, aggregate conversion reporting, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox records, owner-confirmed dispatch preflight evidence, staged notification readiness through provider-status reconciliation evidence, and owner-confirmed decision evidence are live; cookie assignment, raw visitor tracking, raw referrer/query reporting, raw routing URL storage, raw analytics exports, contact analytics, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, delivery status webhooks, status webhooks, provider polling, receipt payload capture, delivery receipt creation, provider status reconciliation, queue dispatch, customer alerts, custom events beyond the seeded boundary, and public decision writes require confirmed-write contracts."},{"id":"mcp-resource-analytics-winner-rollouts","resourceOrTool":"resource bumpgrade://analytics-winner-rollouts","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-confirmed analytics winner rollout and rollback evidence from issue #422.","safetyBoundary":"This resource reads aggregate winner rollout counts, active rollout public metadata, selected treatment variant IDs, current rollout revisions, selected fixed windows, sample-size caveats, and redaction flags only. It must not expose raw event rows, raw assignment rows, visitor keys, contact analytics, raw routing URLs, private notes, actor emails, actor hashes, raw/private exports, provider sends, Queue execution, public agent writes, or revenue claims."},{"id":"mcp-resource-analytics-report-exports","resourceOrTool":"resource bumpgrade://analytics-report-exports","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose aggregate analytics report export metadata, fixture cohort comparison definitions, and owner-reviewed cohort comparison evidence from issues #263 and #265.","safetyBoundary":"This resource reads aggregate report sections, selected fixed windows, sample-size caveats, and redaction flags only. It must not expose raw analytics event rows, raw experiment assignment rows, visitor keys, contact analytics, raw referrer URLs, raw query strings, private notes, traffic routing, automated winners, or revenue claims."},{"id":"mcp-resource-analytics-alert-reviews","resourceOrTool":"resource bumpgrade://analytics-alert-reviews","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed alert threshold and anomaly-review evidence from issue #267.","safetyBoundary":"This resource reads aggregate threshold review prompts, selected fixed windows, sample-size caveats, owner review state, and redaction flags only. It must not expose raw analytics rows, visitor keys, contact analytics, raw referrer URLs, raw query strings, private notes, customer alerts, traffic routing, automated winners, or revenue claims."},{"id":"mcp-resource-analytics-notification-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification delivery readiness evidence from issue #269.","safetyBoundary":"This resource reads future owner-notification readiness, channel metadata, dependency IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not send alerts, write inbox rows, expose recipients, expose email bodies, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-inbox-records","resourceOrTool":"resource bumpgrade://analytics-notification-inbox-records","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-confirmed analytics notification inbox record evidence from issue #271.","safetyBoundary":"This resource reads aggregate owner-notification inbox record counts, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not expose recipients, expose email bodies, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-dispatch-preflights","resourceOrTool":"resource bumpgrade://analytics-notification-dispatch-preflights","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-confirmed analytics notification dispatch preflight evidence from issue #284.","safetyBoundary":"This resource reads aggregate owner-notification dispatch preflight counts, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, dispatch queues, send email, call providers, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-provider-domain-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-provider-domain-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification provider/domain readiness evidence from issue #286.","safetyBoundary":"This resource reads aggregate owner-notification provider/domain readiness counts, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not configure providers, store provider secrets, store sender credentials, expose private DNS credentials, verify sender domains, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, dispatch queues, send email, call providers, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-content-consent-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-content-consent-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification content/consent readiness evidence from issue #288.","safetyBoundary":"This resource reads aggregate owner-notification content/consent readiness counts, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not expose body templates, expose unsubscribe URLs, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-send-payload-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-send-payload-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification send-payload readiness evidence from issue #290.","safetyBoundary":"This resource reads aggregate owner-notification send-payload readiness counts, content/consent readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, create queue messages, expose queue payloads, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-queue-producer-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-queue-producer-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification queue-producer readiness evidence from issue #292.","safetyBoundary":"This resource reads aggregate owner-notification queue-producer readiness counts, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable Queue producers, create Queue messages, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-queue-consumer-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-queue-consumer-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification queue-consumer readiness evidence from issue #294.","safetyBoundary":"This resource reads aggregate owner-notification queue-consumer readiness counts, queue-producer readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-provider-call-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-provider-call-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification provider-call readiness evidence from issue #297.","safetyBoundary":"This resource reads aggregate owner-notification provider-call readiness counts, queue-consumer readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, configure providers, create provider responses, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-delivery-attempt-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-delivery-attempt-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification delivery-attempt readiness evidence from issue #299.","safetyBoundary":"This resource reads aggregate owner-notification delivery-attempt readiness counts, provider-call readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, configure providers, create provider responses, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-delivery-result-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-delivery-result-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification delivery-result readiness evidence from issue #301.","safetyBoundary":"This resource reads aggregate owner-notification delivery-result readiness counts, delivery-attempt readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-delivery-status-webhook-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-delivery-status-webhook-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification delivery-status webhook readiness evidence from issue #303.","safetyBoundary":"This resource reads aggregate owner-notification delivery-status webhook readiness counts, delivery-result readiness IDs, delivery-attempt readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-provider-polling-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-provider-polling-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification provider-polling readiness evidence from issue #305.","safetyBoundary":"This resource reads aggregate owner-notification provider-polling readiness counts, delivery-status-webhook readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, create delivery receipts, expose receipt payloads, process status webhooks, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-receipt-payload-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-receipt-payload-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification receipt-payload readiness evidence from issue #307.","safetyBoundary":"This resource reads aggregate owner-notification receipt-payload readiness counts, provider-polling readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, create delivery receipts, expose receipt payloads, process status webhooks, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-delivery-receipt-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-delivery-receipt-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification delivery-receipt readiness evidence from issue #309.","safetyBoundary":"This resource reads aggregate owner-notification delivery-receipt readiness counts, receipt-payload readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, create delivery receipts, expose receipt payloads, process status webhooks, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-resource-analytics-notification-provider-status-reconciliation-readiness","resourceOrTool":"resource bumpgrade://analytics-notification-provider-status-reconciliation-readiness","status":"ready-contract","backedBy":"/analytics/source-data","purpose":"Expose owner-reviewed analytics notification provider-status reconciliation readiness evidence from issue #311.","safetyBoundary":"This resource reads aggregate owner-notification provider-status reconciliation readiness counts, delivery-receipt readiness IDs, send-payload readiness IDs, provider/domain readiness IDs, dispatch preflight IDs, inbox record IDs, readiness IDs, channel IDs, selected fixed windows, sample-size caveats, and redaction flags only. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, process delivery receipts, ingest receipt payloads, reconcile provider statuses, expose provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, select winners, or make revenue claims."},{"id":"mcp-tool-create-analytics-experiment-decision","resourceOrTool":"tool create_analytics_experiment_decision","status":"planned","backedBy":"/api/admin/analytics/experiment-decisions","purpose":"Record owner-confirmed analytics experiment decision evidence on top of the same D1 contract from issue #261.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, experiment status checks, fixed time-window selection, aggregate count validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not route traffic, assign cookies, choose automated winners, expose raw event rows, expose raw assignment rows, expose contact analytics, make revenue claims, or enable direct public agent experiment writes."},{"id":"mcp-tool-create-analytics-winner-rollout","resourceOrTool":"tool create_analytics_winner_rollout","status":"planned","backedBy":"/api/admin/analytics/winner-rollouts","purpose":"Record owner-confirmed analytics winner rollout or rollback evidence on top of the same D1 contract from issue #422.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, experiment status checks, fixed time-window selection, aggregate count validation, sample-size caveat acknowledgement, current rollout revision checks for rollback, audit metadata, and redacted output. Custom source/campaign rules stay ahead of winner rollout routing. It must not assign cookies, expose raw event rows, expose raw assignment rows, expose contact analytics, expose raw routing URLs, make revenue claims, call providers, dispatch queues, or enable direct public agent experiment writes."},{"id":"mcp-tool-create-analytics-notification-inbox-record","resourceOrTool":"tool create_analytics_notification_inbox_record","status":"planned","backedBy":"/api/admin/analytics/notification-inbox-records","purpose":"Record owner-confirmed analytics notification inbox evidence on top of the same D1 contract from issue #271.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not expose recipients, expose email bodies, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-dispatch-preflight","resourceOrTool":"tool create_analytics_notification_dispatch_preflight","status":"planned","backedBy":"/api/admin/analytics/notification-dispatch-preflights","purpose":"Record owner-confirmed analytics notification dispatch preflight evidence on top of the same D1 contract from issue #284.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current inbox record checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, dispatch queues, send email, call providers, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-provider-domain-readiness","resourceOrTool":"tool create_analytics_notification_provider_domain_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-provider-domain-readiness","purpose":"Record owner-reviewed analytics notification provider/domain readiness evidence on top of the same D1 contract from issue #286.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current dispatch preflight checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not configure providers, store provider secrets, store sender credentials, verify sender domains, expose private DNS credentials, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, dispatch queues, send email, call providers, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-content-consent-readiness","resourceOrTool":"tool create_analytics_notification_content_consent_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-content-consent-readiness","purpose":"Record owner-reviewed analytics notification content/consent readiness evidence on top of the same D1 contract from issue #288.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current provider/domain readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not expose body templates, expose unsubscribe URLs, expose recipients, expose email bodies, expose provider message IDs, expose queue payloads, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-send-payload-readiness","resourceOrTool":"tool create_analytics_notification_send_payload_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-send-payload-readiness","purpose":"Record owner-reviewed analytics notification send-payload readiness evidence on top of the same D1 contract from issue #290.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current content/consent readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, create queue messages, expose queue payloads, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-queue-producer-readiness","resourceOrTool":"tool create_analytics_notification_queue_producer_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-queue-producer-readiness","purpose":"Record owner-reviewed analytics notification queue-producer readiness evidence on top of the same D1 contract from issue #292.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current send-payload readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable Queue producers, create Queue messages, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-queue-consumer-readiness","resourceOrTool":"tool create_analytics_notification_queue_consumer_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-queue-consumer-readiness","purpose":"Record owner-reviewed analytics notification queue-consumer readiness evidence on top of the same D1 contract from issue #294.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current queue-producer readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider responses, expose provider message IDs, dispatch queues, send email, call providers, configure providers, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-provider-call-readiness","resourceOrTool":"tool create_analytics_notification_provider_call_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-provider-call-readiness","purpose":"Record owner-reviewed analytics notification provider-call readiness evidence on top of the same D1 contract from issue #297.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current queue-consumer readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, configure providers, create provider responses, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-delivery-attempt-readiness","resourceOrTool":"tool create_analytics_notification_delivery_attempt_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-delivery-attempt-readiness","purpose":"Record owner-reviewed analytics notification delivery-attempt readiness evidence on top of the same D1 contract from issue #299.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current provider-call readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, configure providers, create provider responses, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, expose provider message IDs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-delivery-result-readiness","resourceOrTool":"tool create_analytics_notification_delivery_result_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-delivery-result-readiness","purpose":"Record owner-reviewed analytics notification delivery-result readiness evidence on top of the same D1 contract from issue #301.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current delivery-attempt readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, create delivery results, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-delivery-status-webhook-readiness","resourceOrTool":"tool create_analytics_notification_delivery_status_webhook_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-delivery-status-webhook-readiness","purpose":"Record owner-reviewed analytics notification delivery-status webhook readiness evidence on top of the same D1 contract from issue #303.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current delivery-result readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, create delivery receipts, expose receipt payloads, process status webhooks, poll providers, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-provider-polling-readiness","resourceOrTool":"tool create_analytics_notification_provider_polling_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-provider-polling-readiness","purpose":"Record owner-reviewed analytics notification provider-polling readiness evidence on top of the same D1 contract from issue #305.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current delivery-status-webhook readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, create delivery receipts, expose receipt payloads, process status webhooks, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-receipt-payload-readiness","resourceOrTool":"tool create_analytics_notification_receipt_payload_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-receipt-payload-readiness","purpose":"Record owner-reviewed analytics notification receipt-payload readiness evidence on top of the same D1 contract from issue #307.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current provider-polling readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, create delivery receipts, expose receipt payloads, process status webhooks, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-delivery-receipt-readiness","resourceOrTool":"tool create_analytics_notification_delivery_receipt_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-delivery-receipt-readiness","purpose":"Record owner-reviewed analytics notification delivery-receipt readiness evidence on top of the same D1 contract from issue #309.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current receipt-payload readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, create delivery receipts, expose receipt payloads, process status webhooks, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-tool-create-analytics-notification-provider-status-reconciliation-readiness","resourceOrTool":"tool create_analytics_notification_provider_status_reconciliation_readiness","status":"planned","backedBy":"/api/admin/analytics/notification-provider-status-reconciliation-readiness","purpose":"Record owner-reviewed analytics notification provider-status reconciliation readiness evidence on top of the same D1 contract from issue #311.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, dashboard revision checks, notification readiness checks, current delivery-receipt readiness checks, fixed time-window evidence validation, sample-size caveat acknowledgement, audit metadata, and redacted output. It must not enable provider sends or calls, attempt delivery, create delivery results, process delivery-status webhooks, poll providers, process delivery receipts, ingest receipt payloads, reconcile provider statuses, configure providers, create provider responses, expose provider message IDs, store provider secrets, store sender credentials, expose private DNS credentials, enable Queue producers, enable Queue consumers, create Queue messages, consume Queue messages, acknowledge Queue messages, create retry/dead-letter rows, read Queue payload bodies, create Queue payload bodies, expose queue payloads, expose recipients, create recipient payloads, create personalized bodies, store raw payload bodies, expose email bodies, expose body templates, expose unsubscribe URLs, dispatch queues, send email, alert customers, route traffic, choose automated winners, expose raw analytics rows, make revenue claims, or enable direct public agent writes."},{"id":"mcp-resource-affiliate-referrals","resourceOrTool":"resource bumpgrade://affiliate-referrals","status":"ready-contract","backedBy":"/affiliates/source-data","purpose":"Expose seeded affiliate programs, partner records, referral links, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, owner-reviewed notification provider readiness records, aggregate click counts, checkout attribution evidence, attribution rules, commission fixtures, payout review, and fraud flags.","safetyBoundary":"Seeded referral click capture, checkout attribution evidence, review-only commission evidence, owner review actions, public-safe partner reports, public-safe partner portal status pages, public-safe partner statement snapshots, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-confirmed fraud enforcement records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, and owner-reviewed notification provider readiness records are live; buyer attribution finalization, payable statement creation, payable commission writes, tax handling, payout account access, partner notification sends, provider-send enablement, provider configuration, provider secret storage, provider calls, send payload creation, queue dispatch, and Stripe payouts require confirmed-write contracts."},{"id":"mcp-tool-create-affiliate-payout-preparation-record","resourceOrTool":"tool create_affiliate_payout_preparation_record","status":"planned","backedBy":"/api/admin/affiliates/payout-preparation-records","purpose":"Record owner-confirmed affiliate payout preparation evidence on top of the same D1 contract from issue #273.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, program revision checks, payout batch status checks, payout-preparation evidence validation, audit metadata, and redacted output. It must not create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, enforce fraud decisions, expose buyer data, expose raw ledger rows, or enable direct public agent writes."},{"id":"mcp-tool-create-affiliate-fraud-review-record","resourceOrTool":"tool create_affiliate_fraud_review_record","status":"planned","backedBy":"/api/admin/affiliates/fraud-review-records","purpose":"Record owner-reviewed affiliate fraud review evidence on top of the same D1 contract from issue #275.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, program revision checks, payout batch status checks, review-flag checks, linked-ledger count validation, audit metadata, and redacted output. It must not enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, notify partners, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or enable direct public agent writes."},{"id":"mcp-tool-create-affiliate-partner-notification-readiness-record","resourceOrTool":"tool create_affiliate_partner_notification_readiness_record","status":"planned","backedBy":"/api/admin/affiliates/notification-readiness-records","purpose":"Record owner-reviewed affiliate partner notification readiness evidence on top of the same D1 contract from issue #277.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, review-flag checks, linked-ledger count validation, audit metadata, and redacted output. It must not send partner notifications, call providers, create queue rows, expose recipient emails, expose message bodies, expose provider message IDs, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or enable direct public agent writes."},{"id":"mcp-tool-create-affiliate-partner-notification-send-preflight-record","resourceOrTool":"tool create_affiliate_partner_notification_send_preflight_record","status":"planned","backedBy":"/api/admin/affiliates/notification-send-preflights","purpose":"Record owner-reviewed affiliate partner notification send preflight evidence on top of the same D1 contract from issue #279.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, review-flag checks, linked-ledger count validation, provider-send-disabled checks, audit metadata, and redacted output. It must not send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails, expose message bodies, expose provider message IDs, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or enable direct public agent writes."},{"id":"mcp-tool-create-affiliate-partner-notification-provider-readiness-record","resourceOrTool":"tool create_affiliate_partner_notification_provider_readiness_record","status":"planned","backedBy":"/api/admin/affiliates/notification-provider-readiness","purpose":"Record owner-reviewed affiliate partner notification provider readiness evidence on top of the same D1 contract from issue #281.","safetyBoundary":"Requires owner identity, exact confirmation, idempotency key, program revision checks, partner report checks, payout batch status checks, payout preparation record status checks, fraud review record status checks, notification readiness record status checks, send preflight record status checks, review-flag checks, linked-ledger count validation, provider-configuration-disabled checks, provider-secret-redaction checks, sender-credential-redaction checks, provider-send-disabled checks, audit metadata, and redacted output. It must not configure notification providers, store provider secrets, store sender credentials, send partner notifications, enable provider sends, call providers, create send payloads, create queue rows, expose recipient emails, expose message bodies, expose provider message IDs, enforce fraud decisions, create payable commission state, create Stripe payouts or transfers, store payout accounts, collect tax data, expose buyer data, expose raw ledger/click/checkout rows, expose private fraud signals, or enable direct public agent writes."},{"id":"mcp-resource-publisher-account","resourceOrTool":"resource bumpgrade://publisher-account","status":"ready-contract","backedBy":"/account/source-data","purpose":"Expose paid publisher tenant, Bumpgrade subdomain setup, custom-domain DNS onboarding, and publisher-site auth boundaries from issues #221, #222, #223, and #224.","safetyBoundary":"Read-only MCP resource for setup policy; reserving a subdomain or starting custom-domain onboarding requires authenticated publisher context, active paid-plan entitlement, idempotency, audit correlation, DNS verification state, and redaction. Shared Bumpgrade identity never bypasses tenant-scoped access checks."},{"id":"mcp-tool-propose-update","resourceOrTool":"tool propose_admin_update","status":"planned","backedBy":"/agent-docs/project-source-data and future confirmed-write APIs","purpose":"Create proposed feature, roadmap, journey, or work-log updates for owner review.","safetyBoundary":"Requires actor identity, confirmation text, idempotency key, stale-state check, and audit correlation before writing."},{"id":"mcp-resource-mobile-admin","resourceOrTool":"resource bumpgrade://mobile-admin","status":"ready-contract","backedBy":"/mobile-admin/source-data","purpose":"Expose the shared iOS and Android mobile admin plan, jobs, API dependencies, and confirmed-write boundaries.","safetyBoundary":"Read-only; mobile writes require a future confirmed-write action API and authenticated actor."},{"id":"mcp-resource-mobile-admin-dashboard","resourceOrTool":"resource bumpgrade://mobile-admin/dashboard","status":"ready-contract","backedBy":"/mobile-admin/dashboard/source-data","purpose":"Expose the public-safe mobile dashboard digest, including the redacted Director workstream brief, that iOS, Android, web, and agents can share.","safetyBoundary":"Read-only; no private admin rows, raw attention bodies, raw work-log bodies, write tokens, R2 object keys, signed URLs, or secret values."},{"id":"mcp-resource-ios-mobile-admin","resourceOrTool":"resource bumpgrade://mobile-admin/ios","status":"ready-contract","backedBy":"/mobile-admin/ios/source-data","purpose":"Expose the first iOS app slice, simulator smoke command, fixture path, and screenshot evidence.","safetyBoundary":"Read-only; native mobile writes and private account data remain unavailable."}],"writeSafetyRules":["Prefer source-data routes and manifests over browser automation when a server-side contract exists.","Do not invent pricing, customer, integration, roadmap, shipped-feature, testimonial, or competitor facts.","Cite stable IDs, issue/PR/work-log evidence, source URLs, and retrieved dates for public claims.","Keep secrets, raw provider IDs, private user data, private inbox bodies, and storage keys out of prompt-visible output.","Require confirmation, idempotency, stale-state checks, audit correlation, and redaction for public, destructive, billing-impacting, moderation, source-editing, publishing, or creator-speech writes.","Distinguish planned architecture, sandbox behavior, and live production capability."],"starterBaselineEvidence":{"sourceRepo":"markitics/laurelharned","sourceLabel":"agent-ready project starter documentation","adoptedShape":["AGENTS.md is adapted with Bumpgrade project constants, project stack, required product surfaces, and Bumpgrade Codex email identity.","docs/working-agreements.md carries the issue/branch/PR, screenshot, validation, work-log, and owner-attention workflow.","docs/agent/* carries admin-surface, agent-ready, screenshot, work-log, and user-journey rules.","docs/keep-working/* carries the repo-tracked goal-runner and status-update skills.","public/llms.txt points agents to current Bumpgrade feature, roadmap, comparison, commerce, admin, and agent-doc routes."]}}