# Bumpgrade agent guide

This file is for AI agents and people inspecting how to work with bumpgrade.com. Keep it accurate as public features, admin surfaces, and agent capabilities change.

Canonical site: https://bumpgrade.com

GitHub repo: https://github.com/markitics/bumpgrade

## Start Here

- Public features: https://bumpgrade.com/features
- Feature source data: https://bumpgrade.com/features/source-data
- Users and use cases: https://bumpgrade.com/users
- Resources: https://bumpgrade.com/resources
- Brand kit: https://bumpgrade.com/brand
- Brand source data: https://bumpgrade.com/brand/source-data
- Pricing direction: https://bumpgrade.com/pricing
- Content surface source data: https://bumpgrade.com/content/source-data
- Publisher account setup: https://bumpgrade.com/account/setup
- Publisher account source data: https://bumpgrade.com/account/source-data
- Publisher subdomain reservation API: https://bumpgrade.com/api/account/publisher/subdomain
- Funnel source data: https://bumpgrade.com/funnels/source-data
- Seeded funnel preview: https://bumpgrade.com/funnels/indie-launch-sandbox
- Admin draft funnels: https://bumpgrade.com/admin/funnels (human page requires Better Auth owner session)
- Checkout offer source data: https://bumpgrade.com/offers/source-data
- Seeded checkout offer preview: https://bumpgrade.com/offers/indie-launch-stack
- Product access source data: https://bumpgrade.com/products/source-data
- Seeded product access preview: https://bumpgrade.com/products/indie-launch-library
- Customer product access lookup: https://bumpgrade.com/products/entitlements
- Customer product access lookup API: https://bumpgrade.com/api/products/entitlements
- Sandbox product download token API: https://bumpgrade.com/api/products/download-tokens
- Protected product content API: https://bumpgrade.com/api/products/protected-content
- Owner product revocation intent API: https://bumpgrade.com/api/admin/products/revocation-intents (human page/API requires Better Auth owner session)
- Admin product entitlement inspection: https://bumpgrade.com/admin/products (human page requires Better Auth owner session)
- Audience automation source data: https://bumpgrade.com/audience/source-data
- Seeded audience automation preview: https://bumpgrade.com/audience/indie-launch-waitlist
- Seeded audience opt-in API: https://bumpgrade.com/api/audience/opt-in
- Seeded audience unsubscribe API: https://bumpgrade.com/api/audience/unsubscribe
- Owner audience CRM note API: https://bumpgrade.com/api/admin/audience/notes (human page/API requires Better Auth owner session)
- Owner audience dispatch preflight API: https://bumpgrade.com/api/admin/audience/broadcasts/dispatch-preflights (human page/API requires Better Auth owner session)
- Owner audience dispatch attempt API: https://bumpgrade.com/api/admin/audience/broadcasts/dispatch-attempts (human page/API requires Better Auth owner session)
- Admin audience subscriber inspection: https://bumpgrade.com/admin/audience (human page requires Better Auth owner session)
- Analytics and experiments source data: https://bumpgrade.com/analytics/source-data
- Seeded analytics dashboard preview: https://bumpgrade.com/analytics/indie-launch-dashboard
- Seeded analytics event API: https://bumpgrade.com/api/analytics/events
- Seeded analytics assignment API: https://bumpgrade.com/api/analytics/assignments
- Owner analytics decision API: https://bumpgrade.com/api/admin/analytics/experiment-decisions (human page/API requires Better Auth owner session)
- Owner analytics notification inbox API: https://bumpgrade.com/api/admin/analytics/notification-inbox-records (human page/API requires Better Auth owner session)
- Owner analytics notification dispatch preflight API: https://bumpgrade.com/api/admin/analytics/notification-dispatch-preflights (human page/API requires Better Auth owner session)
- Owner analytics notification provider/domain readiness API: https://bumpgrade.com/api/admin/analytics/notification-provider-domain-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification content/consent readiness API: https://bumpgrade.com/api/admin/analytics/notification-content-consent-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification send-payload readiness API: https://bumpgrade.com/api/admin/analytics/notification-send-payload-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification queue-producer readiness API: https://bumpgrade.com/api/admin/analytics/notification-queue-producer-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification queue-consumer readiness API: https://bumpgrade.com/api/admin/analytics/notification-queue-consumer-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification provider-call readiness API: https://bumpgrade.com/api/admin/analytics/notification-provider-call-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification delivery-attempt readiness API: https://bumpgrade.com/api/admin/analytics/notification-delivery-attempt-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification delivery-result readiness API: https://bumpgrade.com/api/admin/analytics/notification-delivery-result-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification delivery-status webhook readiness API: https://bumpgrade.com/api/admin/analytics/notification-delivery-status-webhook-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification provider-polling readiness API: https://bumpgrade.com/api/admin/analytics/notification-provider-polling-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification receipt-payload readiness API: https://bumpgrade.com/api/admin/analytics/notification-receipt-payload-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification delivery-receipt readiness API: https://bumpgrade.com/api/admin/analytics/notification-delivery-receipt-readiness (human page/API requires Better Auth owner session)
- Owner analytics notification provider-status reconciliation readiness API: https://bumpgrade.com/api/admin/analytics/notification-provider-status-reconciliation-readiness (human page/API requires Better Auth owner session)
- Owner-reviewed analytics cohort comparison evidence: https://bumpgrade.com/analytics/source-data
- Owner-reviewed analytics alert threshold/anomaly-review evidence: https://bumpgrade.com/analytics/source-data
- Owner-reviewed analytics notification delivery readiness evidence: https://bumpgrade.com/analytics/source-data
- Seeded funnel page-view beacon with variant evidence: https://bumpgrade.com/funnels/indie-launch-sandbox
- Affiliate/referral source data: https://bumpgrade.com/affiliates/source-data
- Seeded affiliate partner preview: https://bumpgrade.com/affiliates/indie-launch-partners
- Seeded affiliate click API: https://bumpgrade.com/api/affiliates/clicks
- Public roadmap: https://bumpgrade.com/roadmap
- Roadmap source data: https://bumpgrade.com/roadmap/source-data
- Commerce source data: https://bumpgrade.com/commerce/source-data
- Sandbox checkout API: https://bumpgrade.com/api/commerce/checkout
- Stripe webhook endpoint: https://bumpgrade.com/api/stripe/webhook
- Mobile admin source data: https://bumpgrade.com/mobile-admin/source-data
- Mobile admin dashboard source data: https://bumpgrade.com/mobile-admin/dashboard/source-data
- iOS mobile admin source data: https://bumpgrade.com/mobile-admin/ios/source-data
- Android mobile admin source data: https://bumpgrade.com/mobile-admin/android/source-data
- Login and signup: https://bumpgrade.com/login
- Public comparisons: https://bumpgrade.com/compare
- Comparison source data: https://bumpgrade.com/compare/source-data
- ClickFunnels alternative: https://bumpgrade.com/compare/clickfunnels-alternative
- Kit alternative: https://bumpgrade.com/compare/kit-alternative
- Shopify alternative: https://bumpgrade.com/compare/shopify-alternative
- SamCart alternative: https://bumpgrade.com/compare/samcart-alternative
- Kajabi alternative: https://bumpgrade.com/compare/kajabi-alternative
- Podia alternative: https://bumpgrade.com/compare/podia-alternative
- Systeme.io alternative: https://bumpgrade.com/compare/systeme-io-alternative
- Kartra alternative: https://bumpgrade.com/compare/kartra-alternative
- ThriveCart alternative: https://bumpgrade.com/compare/thrivecart-alternative
- Admin roadmap: https://bumpgrade.com/admin/roadmap (human page requires Better Auth owner session)
- Admin source data: https://bumpgrade.com/admin/source-data
- Admin roadmap source data: https://bumpgrade.com/admin/roadmap/source-data
- Admin work log: https://bumpgrade.com/admin/work-log (human page requires Better Auth owner session)
- Admin work-log source data: https://bumpgrade.com/admin/work-log/source-data
- Admin user journeys: https://bumpgrade.com/admin/user-journeys (human page requires Better Auth owner session)
- Admin user-journey source data: https://bumpgrade.com/admin/user-journeys/source-data
- Mark attention: https://bumpgrade.com/admin/for-mark (human page requires Better Auth owner session)
- Mark attention source data: https://bumpgrade.com/admin/for-mark/source-data
- Codex project email workflow: tracked by issue #10, stored in D1 tables `codex_outbound_messages` and `codex_inbound_messages`, with raw inbound MIME stored in private R2 bucket `bumpgrade-mail`.

## Agent Docs

- https://bumpgrade.com/agent-docs
- https://bumpgrade.com/agent-docs/source-data
- https://bumpgrade.com/agent-docs/bumpgrade-agent-surface
- https://bumpgrade.com/agent-docs/bumpgrade-commerce-contract
- https://bumpgrade.com/agent-docs/bumpgrade-source-evidence
- https://bumpgrade.com/agent-docs/bumpgrade-admin-surfaces
- https://bumpgrade.com/agent-docs/bumpgrade-mcp
- https://bumpgrade.com/agent-docs/bumpgrade-mobile-admin

## Current Agent Contract

- Agents should prefer documented APIs, manifests, MCP resources, and public agent docs over browser automation.
- Agents must not invent pricing, customer, competitor, integration, roadmap, shipped-feature, or quote facts.
- Source-grounded answers should cite stable source ids, source URLs, issue/PR evidence, and work-log entries when available.
- `/agent-docs/source-data` is the current public-safe agent manifest. It lists docs, read contracts, evidence routes, MCP plans, and write-safety boundaries.
- Comparison pages are source-linked snapshots. Refresh source URLs before using dated pricing, packaging, or feature-availability claims in a user-facing answer.
- `/compare/source-data` exposes SEO target records for "ClickFunnels alternative", "ClickFunnels competitors", and adjacent indiepreneur platform comparison intent. Treat those as routing/search-intent metadata, not proof that planned Bumpgrade parity features have shipped.
- `/content/source-data` exposes audience, resource, and pricing-direction records for public content surfaces. Pricing tracks include the published Bumpgrade account-plan names and amounts, but they are not proof of publisher-offer billing, trials, limits, or planned feature availability.
- `/brand/source-data` exposes public logo, favicon, social-card, palette, typography, voice, and UI principles from issue #318.
- `/account/source-data` exposes paid publisher tenant setup, default `*.bumpgrade.com` subdomain reservation policy, existing custom-domain DNS onboarding policy, D1 table boundaries, and cross-subdomain Better Auth configuration from issues #221, #222, #223, and #224. `POST /api/account/publisher/subdomain` requires a signed-in, email-confirmed publisher with an active paid-plan or launch-pilot entitlement, plus idempotency and audit correlation. `POST /api/account/publisher/custom-domain` starts existing-domain onboarding and DNS verification state for paid publishers after the default Bumpgrade hostname is reserved. Treat it as bring-your-own-domain setup, not domain purchasing. Bumpgrade does not sell, register, renew, transfer, or price domains today. Bumpgrade-hosted subdomains share the central identity session; customer-owned domains use the Bumpgrade sign-in handoff and tenant-scoped access checks instead of raw cross-domain cookie sharing.
- `/funnels/source-data` exposes the first funnel/page-builder contract, seeded public preview, reusable funnel templates, block-template records, and owner-session editable draft capability from issues #91, #93, #95, #135, #159, #161, #163, #165, #213, #215, and #341. Treat the admin draft builder as private D1 draft creation, owner-confirmed template-to-draft creation, owner-confirmed checkout-offer linking on private checkout blocks, step edit/reorder, owner-gated private preview, exact-confirmed public publishing to `/funnels/{slug}`, and exact-confirmed archive/unpublish lifecycle actions that preserve draft evidence. Published linked checkout blocks can render the existing sandbox checkout start surface after exact confirmation. It is not direct agent template creation, live billing mutation, one-click upsell charging, drag-and-drop visual editing, physical deletion, or an unconfirmed agent-write API.
- `/offers/source-data` exposes the checkout offer stack with a primary sandbox offer, constrained order bump, upsell, and downsell. `/offers/indie-launch-stack` can start a confirmed sandbox checkout for the primary offer plus seeded order bump after exact confirmation, and eligible referral click IDs can be attached to checkout intents as attribution evidence. Review-only commission ledger evidence can be created from trusted checkout attribution. `/api/commerce/post-purchase-decisions` can record non-billing upsell/downsell follow-up decisions after trusted checkout state with exact confirmation, idempotency, and stale-state checks. `/commerce/checkout/success` only opens that path after the redacted contract reports trusted webhook eligibility. Treat it as sandbox checkout-start, referral-click-to-checkout, non-payable ledger, and non-billing post-purchase decision evidence, not live billing, one-click upsell charging, fulfillment, payable commission writes, arbitrary order-bump mutation, payout mutation, or a confirmed-write agent API.
- `/products/source-data` exposes the product/access catalog with digital download, course, membership, service, event, bundle, entitlement template, and sandbox webhook grant records. Trusted paid sandbox webhooks can create idempotent entitlement rows and public-safe fulfillment task evidence. `/admin/products` is owner-gated and can inspect private entitlement rows, buyer email, checkout state, product and price context, access rules, and queued fulfillment evidence. `/products/entitlements` and `/api/products/entitlements` can inspect checkout-intent-scoped customer entitlement and fulfillment status without buyer email, hashes, raw Stripe identifiers, event IDs, metadata JSON, private R2 keys, or signed URLs. `/api/products/download-tokens` can create short-lived tokens for active file entitlements, and `/api/products/downloads?token={token}` revalidates current entitlement status, checkout intent linkage, trusted checkout state, and asset scope before streaming a seeded private R2-backed fixture through Bumpgrade while rejecting replayed or expired tokens. `/api/products/protected-content` can return seeded course/member fixture bodies only for a known checkout intent, matching active entitlement, protected content section id, and current paid/completed checkout state. Public product source-data exposes aggregate entitlement inspection counts, customer lookup contract metadata, download-token contract metadata, owner upload intent metadata, owner-confirmed non-destructive revocation intent metadata, protected content readiness, protected fixture delivery metadata, subscription-backed membership access metadata, and redaction flags only. `/api/admin/products/assets` lets verified owners create small private asset upload records after exact confirmation, idempotency, and catalog revision checks, but those records are not customer-deliverable yet. `/api/admin/products/revocation-intents` lets verified owners record non-destructive access-removal intent after exact confirmation, idempotency, and current entitlement status checks, but it does not revoke access. Treat it as grant-boundary, owner-inspection, customer-safe lookup, private fixture delivery, protected fixture delivery, owner upload-intent, revocation-intent, protected-content-readiness, and subscription-membership access evidence, not signed object URLs, customer delivery of arbitrary uploads, arbitrary protected body delivery, destructive revocation, live fulfillment automation, Customer Portal actions, or a confirmed-write agent API.
- `/audience/source-data` exposes the first audience automation workspace with opt-in form, lead magnet, tags, segments, sequence, broadcast draft, automation records, aggregate owner-inspection counts, aggregate suppression counts, aggregate CRM timeline counts, broadcast readiness counts, dry-run schedule intent counts, preview/footer safety records, queue readiness records, delivery-batch dry-run records, dry-run queue-message records, dispatch preflight records, dispatch attempt records, sender-domain readiness records, provider-event readiness records, provider rate-limit readiness records, provider response readiness records, send-payload readiness records, Queue producer readiness records, Queue consumer readiness records, owner-confirmed import intent records, owner-confirmed import preflight records, aggregate export readiness records, aggregate sequence delivery readiness records, redaction flags, the `/api/audience/opt-in` write boundary, the `/api/audience/unsubscribe` suppression write boundary, and the owner-gated `/api/admin/audience/notes` CRM note boundary plus `/api/admin/audience/broadcasts/schedule-intents` and `/api/admin/audience/broadcasts/delivery-batches` and `/api/admin/audience/broadcasts/delivery-queue-messages` and `/api/admin/audience/broadcasts/dispatch-preflights` and `/api/admin/audience/broadcasts/dispatch-attempts` and `/api/admin/audience/import-intents` and `/api/admin/audience/import-preflights`. `/audience/indie-launch-waitlist` can capture explicit-consent waitlist opt-ins and record normalized subscriber, consent, seeded tag, and draft sequence enrollment evidence. It can also record an unsubscribe preference without revealing whether the email is already on the list. `/admin/audience` is owner-gated and can inspect private subscriber rows, suppression totals, private CRM timeline notes, broadcast readiness, preview safety, queue readiness, dry-run schedule intents, delivery-batch dry runs, queue-message dry runs, dispatch preflight dry runs, dispatch attempt receipts, sender-domain readiness, provider-event readiness, provider rate-limit readiness, provider response readiness, send-payload readiness, Queue producer readiness, Queue consumer readiness, non-destructive import intents, aggregate import preflights, aggregate export readiness, and aggregate sequence delivery readiness. Treat the public contract as seeded opt-in capture, unsubscribe evidence, owner-only note evidence, and aggregate broadcast readiness/schedule intent/preview safety/queue readiness/delivery-batch/queue-message/dispatch preflight/dispatch attempt/sender-domain/provider-event/provider rate-limit/provider response/send-payload/Queue producer/Queue consumer/import-intent/import-preflight/export-readiness/sequence-delivery-readiness evidence, not live email sending, sequence delivery, Cloudflare Queue producer or consumer execution, Cloudflare Queue dispatch, real contact import, raw contact row storage, subscriber creation from imports, CRM automation, private export, suppression-list administration, or a direct agent subscriber-write API.
- `/analytics/source-data` exposes the first analytics and experimentation workspace with event definitions, aggregate event counts, aggregate source attribution counts, aggregate variant event counts, aggregate assignment counts, owner-confirmed experiment decision evidence, owner-confirmed notification inbox aggregate evidence, owner-confirmed dispatch preflight aggregate evidence, owner-reviewed provider/domain readiness aggregate evidence, owner-reviewed content/consent readiness aggregate evidence, owner-reviewed send-payload readiness aggregate evidence, owner-reviewed queue-producer readiness aggregate evidence, owner-reviewed queue-consumer readiness aggregate evidence, owner-reviewed provider-call readiness aggregate evidence, owner-reviewed delivery-attempt readiness aggregate evidence, owner-reviewed delivery-result readiness aggregate evidence, owner-reviewed delivery-status webhook readiness aggregate evidence, owner-reviewed provider-polling readiness aggregate evidence, owner-reviewed receipt-payload readiness aggregate evidence, owner-reviewed delivery-receipt readiness aggregate evidence, owner-reviewed provider-status reconciliation readiness aggregate evidence, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed alert threshold/anomaly-review evidence, owner-reviewed notification delivery readiness evidence, owner-confirmed notification inbox evidence, owner-confirmed dispatch preflight evidence, owner-reviewed provider/domain readiness evidence, owner-reviewed content/consent readiness evidence, owner-reviewed send-payload readiness evidence, owner-reviewed queue-producer readiness evidence, owner-reviewed queue-consumer readiness evidence, owner-reviewed provider-call readiness evidence, owner-reviewed delivery-attempt readiness evidence, owner-reviewed delivery-result readiness evidence, owner-reviewed delivery-status webhook readiness evidence, owner-reviewed provider-polling readiness evidence, owner-reviewed receipt-payload readiness evidence, owner-reviewed delivery-receipt readiness evidence, owner-reviewed provider-status reconciliation readiness evidence, aggregate funnel conversion report rows, metric formulas, variants, assignment rules, and the `/api/analytics/events` and `/api/analytics/assignments` write boundaries. The seeded funnel preview emits a session-idempotent page-view beacon through the analytics event API, with deterministic variant evidence, normalized UTM/source attribution, and server-side bot and preview suppression. The analytics dashboard preview renders aggregate source attribution rows from the same public-safe source-data and supports fixed all-time, 24-hour, 7-day, and 30-day aggregate source/conversion windows. Treat it as seeded event capture, seeded page-view beacon, seeded assignment, dashboard-visible fixed-window aggregate evidence, owner-reviewed decision evidence, aggregate report export metadata, owner-reviewed cohort comparison evidence, owner-reviewed threshold review evidence, owner-reviewed notification readiness evidence, owner-confirmed notification inbox evidence, owner-confirmed dispatch preflight evidence, owner-reviewed provider/domain readiness evidence, owner-reviewed content/consent readiness evidence, owner-reviewed send-payload readiness evidence, owner-reviewed queue-producer readiness evidence, owner-reviewed queue-consumer readiness evidence, owner-reviewed provider-call readiness evidence, owner-reviewed delivery-attempt readiness evidence, owner-reviewed delivery-result readiness evidence, owner-reviewed delivery-status webhook readiness evidence, owner-reviewed provider-polling readiness evidence, owner-reviewed receipt-payload readiness evidence, owner-reviewed delivery-receipt readiness evidence, owner-reviewed provider-status reconciliation readiness evidence, and aggregate/source-data evidence, not cookie assignment, automated alert sends, owner email sends, provider sends, provider calls, delivery attempts, delivery results, provider responses, provider message IDs, delivery receipts, status webhooks, provider polling, provider status reconciliation, provider configuration, provider secrets, sender credentials, private DNS credentials, body templates, unsubscribe URLs, Queue producer execution, Queue consumer execution, queue dispatch, queue messages, queue message consumption, queue acknowledgements, retry/dead-letter rows, queue payload body reads, queue payload bodies, recipient payloads, personalized bodies, raw payload bodies, customer alerts, traffic routing, contact-level analytics, raw referrer/query exposure, raw event or assignment exposure, raw analytics exports, automated winners, direct public agent analytics writes, revenue claims, or statistically meaningful proof.
- `/affiliates/source-data` exposes the first affiliate/referral workspace with partner records, referral links, public-safe partner reports, aggregate click counts, checkout attribution evidence, aggregate review-only commission ledger counts, read-only payout preparation, owner-confirmed payout preparation records, owner-reviewed fraud review records, owner-reviewed partner notification readiness records, owner-reviewed partner notification send preflight records, attribution rules, commission rules, ledger fixtures, payout review, fraud flags, and the `/api/affiliates/clicks` write boundary. Treat it as seeded click capture, referral-click-to-checkout, review-only ledger evidence, owner review evidence, aggregate partner report evidence, payout preparation checklist evidence, owner-confirmed payout preparation record evidence, owner-reviewed fraud review evidence, owner-reviewed partner notification readiness evidence, and owner-reviewed partner notification send preflight evidence, not cookie assignment, buyer attribution finalization, payable commission state, payout account storage, tax collection, fraud enforcement, Stripe payout capability, partner notification sends, provider-send enablement, provider calls, send payload creation, queue dispatch, private partner portal access, direct agent review writes, or payable commission execution. Owner sessions can review, hold, or reverse review-only commission evidence through the gated admin action API.
- Public, destructive, moderation, publishing, source-editing, billing-impacting, or creator-speech writes require explicit confirmation, idempotency, stale-state checks, audit correlation, and redaction.
- Human admin pages are protected by Better Auth owner sessions. Public-safe `/admin/*/source-data` routes remain readable for agents and must not contain private notes, secrets, raw provider ids, or private user data.
- Codex project email sends shipped notices as `Bumpgrade Codex ` and polls trusted replies from `m@rkmoriarty.com`, `mark@awesound.com`, and `markmoriarty@stripe.com` only when Cloudflare sender-authentication evidence aligns. Private inbox bodies, raw MIME, and attachments must not be pasted into GitHub or public source-data.
- Stripe commerce architecture is documented in `docs/features/payments.md`. Bumpgrade defaults to sandbox mode; `/api/commerce/checkout` can create sandbox Checkout Sessions from D1 prices and can attach eligible referral click evidence to checkout intents. `/api/affiliates/commission-ledger` can create review-only commission evidence, and `/api/admin/affiliates/commission-ledger/actions` lets owner sessions review, hold, or reverse that evidence without making it payable. `/affiliates/source-data` exposes read-only payout preparation rows, and `/api/admin/affiliates/payout-preparation-records` lets owner sessions record redacted payout preparation evidence. `/api/admin/affiliates/fraud-review-records` lets owner sessions record redacted fraud review evidence. `/api/admin/affiliates/notification-readiness-records` lets owner sessions record redacted partner notification readiness evidence. `/api/admin/affiliates/notification-send-preflights` lets owner sessions record redacted partner notification send preflight evidence. `/api/admin/affiliates/notification-provider-readiness` lets owner sessions record redacted partner notification provider readiness evidence, but live billing, payable commission writes, payout mutation, direct agent review writes, payout account storage, tax collection, Stripe payouts, fraud enforcement, private fraud signal exposure, recipient exposure, provider configuration, provider secret storage, sender credential storage, provider-send enablement, provider calls, send payload creation, queue dispatch, and partner notification sends remain disabled. Agents must not start billing-impacting or payout-impacting checkout work without exact confirmation, idempotency, audit correlation, stale-state checks, owner review, and webhook evidence.
- Mobile admin planning is documented in `docs/features/mobile-admin.md` and `/mobile-admin/source-data`. The iOS scaffold is documented in `/mobile-admin/ios/source-data`, and the Android scaffold is documented in `/mobile-admin/android/source-data`, but App Store/Play Store distribution, private mobile auth, push notifications, and mobile writes are not live yet.
- Phone verification and SMS provider research is tracked by issue #53 and `docs/features/phone-verification-sms.md`. Phone collection, SMS OTP, SMS marketing, and provider credentials are not live Bumpgrade capabilities.
- Secrets, bearer tokens, storage keys, private database ids, private user data, and provider credentials must not be passed as prompt-visible tool input.

## Planned Agent Capabilities

Keep this section synchronized with `/admin/roadmap`.

- Feature and roadmap status read access.
- Work-log read access.
- User-journey read access.
- Public-safe admin source-data reads for roadmap, work log, user journeys, and Mark attention.
- Better Auth publisher accounts and owner-gated private admin pages.
- Competitor research and comparison-claim read access.
- Funnel, offer, checkout, product, audience automation, analytics, experiments, affiliate/referral, and pricing-plan read access backed by redacted D1 commerce records.
- Source evidence resolution by stable source id.
- MCP resources and tools for repeated agent workflows.

## Not Ready Unless Documented Elsewhere

- Do not automate private admin UI when a server-side API or MCP tool exists.
- Do not publish, delete, edit source evidence, or change public feature status unless a documented confirmed-write contract exists.
- Do not treat pending roadmap ideas as live product features.
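
The write rule in the Current Agent Contract (explicit confirmation, idempotency, stale-state checks, audit correlation, redaction) can be read as a single server-side gate. The sketch below is an added example, not Bumpgrade code: the request field names, the `"<action> <targetId>"` confirmation phrase, the sensitive-key list, and the in-memory stores are all assumptions made for illustration.

```javascript
// Added example: hypothetical confirmed-write gate. Field names, the
// confirmation phrase format and the in-memory stores are assumptions.
const SENSITIVE_KEYS = new Set(["privateNote", "providerId", "buyerEmail"]);

// Redaction: copy the changes, masking sensitive values before logging.
function redact(changes) {
  const out = {};
  for (const [key, value] of Object.entries(changes)) {
    out[key] = SENSITIVE_KEYS.has(key) ? "[redacted]" : value;
  }
  return out;
}

function createWriteGate(records) {
  const seen = new Map(); // idempotencyKey -> { fingerprint, result }
  const auditLog = [];

  // Audit correlation: every outcome, rejections included, is logged under
  // the caller's correlation id, and only redacted changes are stored.
  function finish(req, result) {
    auditLog.push({
      correlationId: req.correlationId,
      actor: req.actor,
      action: req.action,
      targetId: req.targetId,
      changes: redact(req.changes || {}),
      outcome: result.status,
    });
    return result;
  }

  function submit(req) {
    if (!req.correlationId || !req.idempotencyKey) {
      return finish(req, { status: "rejected", reason: "missing_write_metadata" });
    }
    const record = records.get(req.targetId);
    if (!record) return finish(req, { status: "rejected", reason: "unknown_target" });

    // Exact confirmation: the phrase must name this action and this target.
    if (req.confirmation !== `${req.action} ${req.targetId}`) {
      return finish(req, { status: "rejected", reason: "confirmation_mismatch" });
    }

    // Idempotency is checked before staleness: a retry of a write that
    // already succeeded carries the old revision and must replay, not fail.
    const fingerprint = JSON.stringify([
      req.action, req.targetId, req.expectedRevision, req.changes,
    ]);
    const prior = seen.get(req.idempotencyKey);
    if (prior) {
      if (prior.fingerprint !== fingerprint) {
        return finish(req, { status: "rejected", reason: "idempotency_key_reused" });
      }
      return finish(req, { ...prior.result, status: "replayed" });
    }

    // Stale-state check: the caller must have read the current revision.
    if (req.expectedRevision !== record.revision) {
      return finish(req, {
        status: "rejected", reason: "stale_state", currentRevision: record.revision,
      });
    }

    Object.assign(record.fields, req.changes);
    record.revision += 1;
    const result = { status: "applied", revision: record.revision };
    seen.set(req.idempotencyKey, { fingerprint, result });
    return finish(req, result);
  }

  return { submit, auditLog };
}

// Constructed sample data: one draft funnel record at revision 3.
function demo() {
  const records = new Map([
    ["indie-launch-sandbox", { revision: 3, fields: { status: "draft" } }],
  ]);
  const gate = createWriteGate(records);
  const base = {
    actor: "owner-1", action: "publish", targetId: "indie-launch-sandbox",
    confirmation: "publish indie-launch-sandbox", idempotencyKey: "key-1",
    correlationId: "corr-1", expectedRevision: 3,
    changes: { status: "published", privateNote: "constructed note" },
  };
  const first = gate.submit(base);
  const retry = gate.submit(base); // same key, same payload
  const vague = gate.submit({ ...base, idempotencyKey: "key-2", confirmation: "yes" });
  const stale = gate.submit({ ...base, idempotencyKey: "key-3" }); // revision is now 4
  const finalRevision = records.get("indie-launch-sandbox").revision;
  return { first, retry, vague, stale, finalRevision, auditLog: gate.auditLog };
}

console.log(demo());
```
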