{"id":"bumpgrade-mobile-admin-contract","updatedAt":"2026-05-25","publicBaseUrl":"https://bumpgrade.com","parentIssue":13,"currentFollowupIssue":414,"status":"contract-ready","featureId":"feature-mobile-admin","stackDecision":"Start the publisher admin apps as an Expo React Native TypeScript workspace shared by iOS and Android, unless the child issue smoke tests expose a platform-specific reason to split native code. The repo has no existing native app tree, and the current web/admin state is already modeled as public-safe TypeScript/JSON contracts.","scaffoldBoundary":"Issue #13 ships the shared mobile-admin contract, API dependency map, jobs-to-be-done, and platform issue split. Issues #67 and #68 prove the first iOS and Android smoke surfaces, issue #153 adds the live public-safe dashboard source-data contract, issue #155 renders that dashboard in the app foundations, and issue #157 hydrates the dashboard from the live public route with fixture fallback. Issue #414 now adds the shared mobile owner-session contract, owner-gated private-row inspection API, confirmed-action UI contract, owner-gated audit-only action-intent API, owner-confirmed Director workstream review API, owner-confirmed commerce health review API, Director workstream digest bridge, push-notification boundary, and store-distribution readiness boundary to the iOS, Android, and Expo app foundations. Issue #428 adds low-risk owner-confirmed private-row workflow actions. This still does not ship installable private app distribution, push notifications, high-risk billing/publishing mobile mutations, App Store distribution, or Play Store distribution.","liveDashboard":{"id":"mobile-live-dashboard-source-data","issue":153,"renderedInScaffoldsIssue":155,"liveHydrationIssue":157,"status":"live-public-source-data-ready","route":"/mobile-admin/dashboard/source-data","purpose":"Give iOS, Android, web, and agents one public-safe mobile dashboard payload summarizing Director workstreams, features, roadmap state, work-log recency, attention counts, commerce contract state, and agent-readiness without exposing private admin data.","publicSafeReads":["/features/source-data","/roadmap/source-data","/admin/source-data","/admin/director/source-data","/admin/work-log/source-data","/admin/for-mark/source-data","/commerce/source-data","/agent-docs/source-data"],"redactionBoundary":"The dashboard exposes counts, statuses, route IDs, issue evidence, and recent public-safe work-log metadata only. It excludes private buyer rows, raw inbox bodies, owner email values, session IDs, R2 object keys, signed URLs, upload bodies, secret values, and write tokens."},"privateAuth":{"id":"mobile-private-owner-session","issue":414,"status":"owner-session-contract-ready","sessionRoute":"/api/auth/[...all]","loginRoute":"/login","callbackSurface":"/admin/director","acceptedRoles":["owner"],"sessionSemantics":"Mobile private views reuse the same Better Auth cookie/session, owner allowlist, verified-email gate, and admin role mapping as web admin. The mobile app must not invent mobile-only roles or bypass the web/admin owner boundary.","deniedStates":["signed_out","not_allowlisted","email_unverified","session_unavailable"],"platformBehavior":["iOS and Android show public-safe dashboard data while signed out.","Private mobile rows stay hidden until an owner session is accepted by the same admin auth contract as web.","A denied mobile session should route the owner through the shared login/callback flow rather than storing mobile-only credentials."],"redactionBoundary":"Mobile auth source-data may name routes, roles, denial states, and issue evidence, but it must not expose owner email values, session IDs, cookies, tokens, raw Better Auth payloads, or private admin rows."},"privateRowsApi":{"id":"mobile-private-rows-api","issue":414,"status":"owner-mobile-private-rows-ready","route":"/api/mobile-admin/private-rows","authBoundary":"owner-session","purpose":"Let a verified owner inspect read-only Mobile Admin private rows through the same Better Auth owner session used by web admin.","readBoundary":"The endpoint returns owner-only private row notes and synthetic private payload metadata only to authenticated owners. Public mobile source-data exposes route, status, counts, public row labels, and redaction flags without owner-only notes, private payload JSON, owner email values, session IDs, cookies, tokens, or raw rows.","publicSourceDataSummary":"/mobile-admin/source-data and /mobile-admin/dashboard/source-data may expose the private-row API route, status, counts, and redaction flags; owner-only GET /api/mobile-admin/private-rows is required before private row notes or private payload metadata are returned.","redactionFlags":["privateRowsIncludedInPublicSourceData=false","ownerOnlyNotesIncludedInPublicSourceData=false","privatePayloadIncludedInPublicSourceData=false","ownerEmailValuesIncluded=false","sessionIdentifiersIncluded=false","cookiesIncluded=false","tokensIncluded=false","rawRowsIncluded=false"]},"privateRowActionsApi":{"id":"mobile-private-row-actions-api","issue":428,"status":"owner-mobile-private-row-actions-ready","route":"/api/mobile-admin/private-rows/actions","authBoundary":"owner-session","purpose":"Let a verified owner mark Mobile Admin private rows read or deferred through a low-risk confirmed-write endpoint.","actionBoundary":"The endpoint mutates only private-row workflow state after exact confirmation, idempotency, stale row revision, stale-state token, and audit-correlation checks. It creates no billing mutation, commerce mutation, publishing mutation, push notification, distribution state change, moderation action, creator-speech action, or public agent write.","publicSourceDataSummary":"/mobile-admin/source-data and /mobile-admin/dashboard/source-data may expose the private-row action API route, status, counts, latest redacted action labels, and redaction flags; owner-only GET /api/mobile-admin/private-rows/actions?rowId=... is required before stale-state tokens are returned.","requiredInputs":["rowId","actionId","expectedRowUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"redactionFlags":["actorEmailIncluded=false","actorEmailHashIncluded=false","actorUserIdIncluded=false","privateNoteIncluded=false","privatePayloadIncluded=false","ownerOnlyNoteIncluded=false","idempotencyKeysIncluded=false","staleStateTokenIncludedInPublicSourceData=false","staleStateTokenHashIncluded=false","rawRowsIncluded=false","productionMutationCreated=false","billingMutationCreated=false","pushNotificationSent=false","distributionStateChanged=false"]},"directorReviewApi":{"id":"mobile-director-review-api","issue":414,"status":"owner-mobile-director-review-ready","route":"/api/mobile-admin/director-reviews","authBoundary":"owner-session","purpose":"Let a verified owner acknowledge a Director workstream from Mobile Admin after reviewing the current CEO-style status brief.","reviewBoundary":"The endpoint records low-risk production owner review state after exact confirmation, idempotency, current Director source-revision checks, stale-state token checks, and audit correlation. It changes only Director review state and creates no billing mutation, publishing mutation, push notification, distribution state change, public agent write, or private-row change.","publicSourceDataSummary":"/mobile-admin/source-data and /mobile-admin/dashboard/source-data may expose the Director review API route, status, counts, latest reviewed workstream labels, and redaction flags; owner-only GET /api/mobile-admin/director-reviews is required before stale-state tokens are returned.","requiredInputs":["workstreamId","expectedDirectorGeneratedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"redactionFlags":["actorEmailIncluded=false","actorEmailHashIncluded=false","actorUserIdIncluded=false","reviewNoteIncluded=false","idempotencyKeysIncluded=false","staleStateTokenIncludedInPublicSourceData=false","staleStateTokenHashIncluded=false","rawRowsIncluded=false","billingMutationCreated=false","pushNotificationSent=false","distributionStateChanged=false","publicAgentWriteCreated=false"]},"commerceReviewApi":{"id":"mobile-commerce-review-api","issue":414,"status":"owner-mobile-commerce-review-ready","route":"/api/mobile-admin/commerce-reviews","authBoundary":"owner-session","purpose":"Let a verified owner acknowledge current commerce health from Mobile Admin after reviewing the public-safe commerce source-data contract.","reviewBoundary":"The endpoint records low-risk owner commerce review state after exact confirmation, idempotency, current commerce source-revision checks, stale-state token checks, and audit correlation. It changes only commerce review state and creates no billing mutation, refund, subscription change, price change, fulfillment change, entitlement change, push notification, distribution state change, public agent write, or private-row change.","publicSourceDataSummary":"/mobile-admin/source-data and /mobile-admin/dashboard/source-data may expose the commerce review API route, status, counts, latest reviewed commerce target labels, and redaction flags; owner-only GET /api/mobile-admin/commerce-reviews is required before stale-state tokens are returned.","requiredInputs":["reviewTargetId","expectedCommerceGeneratedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"redactionFlags":["actorEmailIncluded=false","actorEmailHashIncluded=false","actorUserIdIncluded=false","reviewNoteIncluded=false","idempotencyKeysIncluded=false","staleStateTokenIncludedInPublicSourceData=false","staleStateTokenHashIncluded=false","rawRowsIncluded=false","billingMutationCreated=false","refundCreated=false","subscriptionChanged=false","priceChanged=false","fulfillmentStateChanged=false","entitlementStateChanged=false","pushNotificationSent=false","distributionStateChanged=false","publicAgentWriteCreated=false"]},"actionIntentApi":{"id":"mobile-action-intent-api","issue":414,"status":"owner-mobile-action-intent-ready","route":"/api/mobile-admin/actions","authBoundary":"owner-session","purpose":"Let a verified owner record an audit-only mobile action intent after exact confirmation, idempotency, stale-state, contract revision, source-route, and audit-correlation checks.","intentBoundary":"The endpoint records redacted action intent evidence only. It creates no production admin mutation, billing mutation, push notification, distribution state change, private mobile row exposure, or direct public agent write.","publicSourceDataSummary":"/mobile-admin/source-data and /mobile-admin/dashboard/source-data may expose route, status, counts, and redaction flags; owner-only GET /api/mobile-admin/actions is required before stale-state tokens are returned.","requiredInputs":["actionId","sourceRoute","expectedContractUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"redactionFlags":["actorEmailIncluded=false","actorEmailHashIncluded=false","actorUserIdIncluded=false","privateNoteIncluded=false","idempotencyKeysIncluded=false","staleStateTokenHashIncluded=false","productionMutationCreated=false","billingMutationCreated=false","pushNotificationSent=false","distributionStateChanged=false"]},"pushNotificationBoundary":{"id":"mobile-push-notification-boundary","issue":414,"status":"push-boundary-ready","sendCapability":"disabled-provider-contract-required","purpose":"Define the APNs/FCM provider, consent, payload, queue, audit, and redaction gates required before Mobile Admin can send or schedule push notifications.","requiredProviders":[{"platform":"ios","provider":"APNs","credentialBoundary":"APNs credentials, team identifiers, bundle identifiers, device tokens, and push payloads must stay out of public source-data and fixture files.","requiredEvidence":["APNs provider choice and credential storage path","iOS bundle ID and entitlement proof","Device-token registration contract","Owner-confirmed send preflight with idempotency and audit correlation"]},{"platform":"android","provider":"FCM","credentialBoundary":"FCM server keys, service account JSON, sender IDs, device tokens, and push payloads must stay out of public source-data and fixture files.","requiredEvidence":["FCM provider choice and credential storage path","Android package and google-services configuration proof","Device-token registration contract","Owner-confirmed send preflight with idempotency and audit correlation"]}],"deliveryScope":["No mobile push notification is sent by the current Mobile Admin contract.","No APNs or FCM provider call is made by the current Mobile Admin contract.","No device token, recipient address, push body, provider credential, queue row, or delivery receipt is exposed in public source-data.","Future push sends must require owner session, exact confirmation, idempotency, stale-state checks, audit correlation, opt-in/consent evidence, payload review, and redaction."],"readinessChecklist":["Choose APNs/FCM credential storage and rotation policy.","Add private device-token registration and revocation contracts.","Add push send preflight records before provider calls.","Add queue, retry, delivery-result, and receipt boundaries before live sends.","Add simulator/emulator and physical-device evidence without treating simulator proof as production delivery."],"blockedBy":["No APNs credential plumbing is present in the repo.","No FCM credential plumbing is present in the repo.","No private device-token registration contract exists yet.","No owner-confirmed push send preflight or provider-call API exists yet."],"publicSourceDataSummary":"Public mobile source-data may expose provider names, disabled send status, required evidence, blocked-by reasons, and redaction flags. It must not expose APNs/FCM credentials, device tokens, recipient identities, push payload bodies, queue rows, provider responses, or delivery receipts.","redactionFlags":["apnsCredentialsIncluded=false","fcmCredentialsIncluded=false","deviceTokensIncluded=false","recipientIdentifiersIncluded=false","pushPayloadBodiesIncluded=false","providerResponsesIncluded=false","queueRowsIncluded=false","deliveryReceiptsIncluded=false","pushNotificationsSent=false"]},"distributionReadiness":{"id":"mobile-distribution-readiness-boundary","issue":414,"status":"distribution-boundary-ready","installableDistributionClaim":false,"purpose":"Separate simulator/emulator proof from installable iOS and Android distribution claims before Mobile Admin is described as App Store, TestFlight, Play Store, internal testing, or physical-device ready.","platformEvidence":[{"platform":"ios","currentEvidence":"The iOS app foundation has a simulator smoke target and screenshots, but physical-device proof is parked while the detected iPhone target is unavailable.","requiredBeforeClaim":["Available physical iPhone target or explicit simulator-only acceptance decision","Bundle identifier and signing profile decision","TestFlight or App Store Connect distribution path","Private-row/auth smoke proof labeled as simulator, physical device, or distribution evidence"],"blockedBy":["Detected iPhone target is unavailable to devicectl in the current environment."]},{"platform":"android","currentEvidence":"The Android app foundation has an emulator smoke target and screenshots, but physical-device proof is parked because no Android device is attached.","requiredBeforeClaim":["Attached Android physical device or explicit emulator-only acceptance decision","Release signing and package identity decision","Play Console/internal testing distribution path","Private-row/auth smoke proof labeled as emulator, physical device, or distribution evidence"],"blockedBy":["adb currently reports no attached physical Android devices in the project blocker audit."]}],"readinessChecklist":["Keep simulator and emulator screenshots labeled as non-distribution evidence.","Record physical-device smoke proof separately from simulator/emulator proof.","Record signing, bundle/package, and store-track decisions before claiming installability.","Do not label App Store, TestFlight, Play Store, or internal testing as live until platform evidence exists."],"publicSourceDataSummary":"Public mobile source-data may expose simulator/emulator status, required platform evidence, and current blockers. It must not expose signing credentials, provisioning profiles, keystore material, store account identifiers, private tester lists, or physical-device private rows.","redactionFlags":["signingCredentialsIncluded=false","provisioningProfilesIncluded=false","keystoreMaterialIncluded=false","storeAccountIdentifiersIncluded=false","privateTesterListsIncluded=false","physicalDevicePrivateRowsIncluded=false","appStoreDistributionLive=false","playStoreDistributionLive=false"]},"confirmedActions":[{"id":"mobile-confirm-review-agent-work","issue":414,"title":"Review and confirm agent work","status":"owner-director-review-api-ready","surface":"Owner-attention and work-log inbox","confirmationText":"ACKNOWLEDGE DIRECTOR WORKSTREAM","requiredInputs":["actorUserId","role","workstreamId","expectedDirectorGeneratedAt","idempotencyKey","staleStateToken","auditCorrelationId"],"safetyRules":["Require exact confirmation before public, billing-impacting, publishing, moderation, source-editing, or creator-speech writes.","Check the current source-data revision before accepting stale mobile approvals.","Return redacted result metadata only; never return raw private payloads to public source-data."],"mutationBoundary":"The current /api/mobile-admin/director-reviews endpoint can record owner-confirmed Director workstream review state for this action. /api/mobile-admin/actions remains available for audit-only action intent evidence, but higher-risk production mutations still require domain-specific confirmed-write APIs."},{"id":"mobile-confirm-commerce-health-review","issue":414,"title":"Review commerce health","status":"owner-commerce-review-api-ready","surface":"Commerce health summary","confirmationText":"ACKNOWLEDGE MOBILE COMMERCE HEALTH","requiredInputs":["actorUserId","role","reviewTargetId","expectedCommerceGeneratedAt","idempotencyKey","staleStateToken","auditCorrelationId"],"safetyRules":["Require exact confirmation before recording owner commerce-health review state.","Check the current /commerce/source-data revision before accepting stale mobile acknowledgements.","Return redacted result metadata only; never return buyer identity, Stripe identifiers, entitlement rows, signed URLs, or R2 object keys to public source-data."],"mutationBoundary":"The current /api/mobile-admin/commerce-reviews endpoint can record owner-confirmed commerce-health review state for this action. It does not create checkout, refund, subscription, price, fulfillment, entitlement, push, distribution, private-row, or public agent mutations."},{"id":"mobile-confirm-commerce-change","issue":414,"title":"Confirm commerce or fulfillment changes","status":"future-api-required","surface":"Commerce health summary","confirmationText":"CONFIRM MOBILE COMMERCE ACTION","requiredInputs":["actorUserId","role","priceId","amount","currency","idempotencyKey","staleStateToken","auditCorrelationId"],"safetyRules":["Verify amount, currency, product, price, and checkout mode before any billing-impacting action.","Record audit correlation and webhook evidence for live billing actions.","Keep buyer identity, entitlement rows, signed URLs, and R2 object keys out of public mobile output."],"mutationBoundary":"No mobile checkout, refund, subscription, price, fulfillment, or entitlement mutation is live until the shared confirmed-write API and platform evidence exist."}],"childIssues":[{"platform":"ios","issue":67,"title":"Build first iOS publisher admin app slice","firstMilestone":"Render the mobile admin digest, fetch the live dashboard route, and preserve fixture fallback in the Expo app foundation and iOS simulator smoke target.","validation":["Run npm run mobile:ios:validate to prove the fixture matches the shared contract and Xcode is available.","Run npm run mobile:ios:smoke to build, install, launch, live-read/fallback hydrate, and screenshot the iOS simulator target."],"status":"simulator-smoke-ready","appPath":"apps/mobile-admin","sourceDataRoute":"/mobile-admin/ios/source-data","fixturePath":"apps/mobile-admin/fixtures/mobile-admin-contract.json","smokeCommand":"npm run mobile:ios:smoke","screenshotPath":"/pr-screenshots/issue-67-ios-mobile-admin-simulator.png"},{"platform":"android","issue":68,"title":"Build first Android publisher admin app slice","firstMilestone":"Render the mobile admin digest, fetch the live dashboard route, and preserve fixture fallback in a native Android activity and emulator smoke target.","validation":["Run npm run mobile:android:validate to prove the fixture matches the shared contract and Android API 36 tooling is available.","Run npm run mobile:android:smoke to build, install, launch, live-read/fallback hydrate, and screenshot the Android emulator target."],"status":"emulator-smoke-ready","appPath":"apps/mobile-admin","sourceDataRoute":"/mobile-admin/android/source-data","fixturePath":"apps/mobile-admin/fixtures/mobile-admin-contract.json","smokeCommand":"npm run mobile:android:smoke","screenshotPath":"/pr-screenshots/issue-68-android-mobile-admin-emulator.png"}],"jobs":[{"id":"mobile-job-launch-status","title":"Check launch and platform status away from desktop","primaryUser":"Publisher or owner monitoring Bumpgrade from a phone","goal":"See whether Director workstreams such as marketing, security, mobile, funnels, checkout, products, email, analytics, agent work, and blockers are moving without opening the desktop admin app.","firstScreen":"Mobile admin digest","sourceRoutes":["/mobile-admin/dashboard/source-data","/admin/director/source-data","/features/source-data","/roadmap/source-data","/admin/source-data"],"writeBoundary":"Read-only in the first mobile slice."},{"id":"mobile-job-approve-agent-work","title":"Review agent work and confirm safe follow-up actions","primaryUser":"Owner receiving Codex, ChatGPT, Claude, or automation proposals","goal":"Inspect work-log entries, owner-attention items, screenshots, and required confirmations before approving public or billing-impacting work.","firstScreen":"Owner-attention and work-log inbox","sourceRoutes":["/mobile-admin/dashboard/source-data","/api/mobile-admin/private-rows","/api/mobile-admin/private-rows/actions","/admin/work-log/source-data","/admin/for-mark/source-data","/agent-docs/source-data"],"writeBoundary":"Confirmed writes need actor identity, confirmation text, idempotency key, stale-state check, audit correlation, and redaction."},{"id":"mobile-job-check-commerce","title":"Inspect offer and checkout health","primaryUser":"Publisher watching sales and fulfillment state","goal":"Read products, prices, sandbox/live checkout state, webhook evidence, and known Stripe blockers before taking action.","firstScreen":"Commerce health summary","sourceRoutes":["/mobile-admin/dashboard/source-data","/api/mobile-admin/commerce-reviews","/commerce/source-data","/api/commerce/checkout"],"writeBoundary":"Mobile can record owner-confirmed commerce-health review state through /api/mobile-admin/commerce-reviews, but no live checkout, refund, subscription, price, fulfillment, or entitlement mutation from mobile is live until higher-risk confirmed-write APIs ship."}],"apiDependencies":[{"id":"mobile-api-dashboard","route":"/mobile-admin/dashboard/source-data","purpose":"Live public-safe dashboard bundle for iOS and Android clients so mobile does not stitch or infer project state from hidden admin pages.","authBoundary":"public-safe","stableIds":["mobileDashboardCardId","directorWorkstreamId","directorBriefSignalId","directorBriefingControlId","featureId","roadmapItemId","workLogEntryId","markAttentionId","agentReadContractId"]},{"id":"mobile-api-director-status","route":"/admin/director/source-data","purpose":"Public-safe CEO-style workstream brief for mobile clients, including top-level workstreams, current focus, briefing controls, due/in-flight/pending/change signals, and redacted 1-day/7-day change windows.","authBoundary":"public-safe","stableIds":["directorWorkstreamId","directorBriefSignalId","directorBriefingControlId","directorWindowId","workLogEntryId","roadmapItemId"]},{"id":"mobile-api-admin-source","route":"/admin/source-data","purpose":"Public-safe roadmap, work-log, user-journey, and owner-attention digest for the first mobile admin screen.","authBoundary":"public-safe","stableIds":["workLogEntryId","userJourneyId","markAttentionId","roadmapItemId"]},{"id":"mobile-api-feature-catalog","route":"/features/source-data","purpose":"Feature status and issue evidence for the mobile dashboard.","authBoundary":"public-safe","stableIds":["featureId","issue","status"]},{"id":"mobile-api-roadmap","route":"/roadmap/source-data","purpose":"Public roadmap lanes, blockers, next milestones, and issue links.","authBoundary":"public-safe","stableIds":["roadmapItemId","featureId","issue","status"]},{"id":"mobile-api-commerce","route":"/commerce/source-data","purpose":"Redacted products, prices, checkout-intent, webhook, subscription, and audit architecture.","authBoundary":"public-safe","stableIds":["productId","priceId","checkoutIntentId","auditCorrelationId"]},{"id":"mobile-api-auth","route":"/api/auth/[...all]","purpose":"Better Auth session boundary for future private publisher/admin mobile views.","authBoundary":"owner-session","stableIds":["userId","sessionId","role"]},{"id":"mobile-api-private-rows","route":"/api/mobile-admin/private-rows","purpose":"Owner-session-only private row inspection for Mobile Admin clients, with public source-data limited to route, status, counts, public row labels, and redaction flags.","authBoundary":"owner-session","stableIds":["mobilePrivateRowId","sourceRoute","sourceRecordId","readState"]},{"id":"mobile-api-private-row-actions","route":"/api/mobile-admin/private-rows/actions","purpose":"Owner-confirmed private row workflow actions for Mobile Admin clients, limited to low-risk mark-read and defer mutations with redacted audit evidence.","authBoundary":"owner-session","stableIds":["mobilePrivateRowActionId","mobilePrivateRowId","idempotencyKey","auditCorrelationId","staleStateToken"]},{"id":"mobile-api-confirmed-writes","route":"/api/mobile-admin/actions","purpose":"Owner-gated mobile action-intent endpoint for redacted audit-only confirmation evidence before future domain-specific confirmed-write APIs mutate admin, publishing, commerce, or agent-proposal state.","authBoundary":"owner-confirmed-intent","stableIds":["agentActionId","idempotencyKey","auditCorrelationId","staleStateToken"]},{"id":"mobile-api-director-review","route":"/api/mobile-admin/director-reviews","purpose":"Owner-confirmed Director workstream acknowledgement API for mobile clients, with exact confirmation, stale Director payload checks, idempotency, audit correlation, and redaction.","authBoundary":"owner-session","stableIds":["directorWorkstreamId","mobileDirectorReviewId","idempotencyKey","auditCorrelationId","staleStateToken"]},{"id":"mobile-api-commerce-review","route":"/api/mobile-admin/commerce-reviews","purpose":"Owner-confirmed commerce-health acknowledgement API for mobile clients, with exact confirmation, stale commerce source-data checks, idempotency, audit correlation, and redaction.","authBoundary":"owner-session","stableIds":["commerceReviewTargetId","mobileCommerceReviewId","idempotencyKey","auditCorrelationId","staleStateToken"]},{"id":"mobile-api-push-boundary","route":"/mobile-admin/source-data","purpose":"Public-safe push-notification readiness boundary for APNs/FCM provider requirements, disabled send status, blockers, and redaction flags before any Mobile Admin push sends exist.","authBoundary":"public-safe","stableIds":["mobilePushBoundaryId","provider","readinessChecklist","blockedBy"]},{"id":"mobile-api-distribution-boundary","route":"/mobile-admin/source-data","purpose":"Public-safe distribution readiness boundary that separates simulator/emulator evidence from physical-device and App Store/Play Store claims.","authBoundary":"public-safe","stableIds":["mobileDistributionReadinessId","platform","requiredBeforeClaim","blockedBy"]}],"confirmedWriteRules":["The first private mobile row slice is read-only through /api/mobile-admin/private-rows and cannot mutate production state.","The first Mobile Admin private-row confirmed-write slice can mark private rows read or deferred through /api/mobile-admin/private-rows/actions, but it cannot mutate billing, commerce, publishing, moderation, creator speech, push notifications, distribution, or public agent state.","The first domain-specific Mobile Admin confirmed-write slice can acknowledge Director workstreams through /api/mobile-admin/director-reviews, but it mutates only low-risk owner review state.","The first Mobile Admin commerce review slice can acknowledge commerce source-data health through /api/mobile-admin/commerce-reviews, but it cannot create checkouts, refunds, subscription changes, price changes, fulfillment changes, entitlement changes, push notifications, distribution state, private-row changes, or public agent writes.","The first mobile app slices can record audit-only action intents through /api/mobile-admin/actions, but higher-risk production mutations remain disabled until additional domain-specific confirmed-write APIs exist.","Do not ship mobile-only product semantics; mobile reads and writes must map to the same feature, roadmap, commerce, admin, and agent contracts as web.","Public, destructive, billing-impacting, publishing, moderation, source-editing, and creator-speech writes require explicit confirmation text.","Billing-impacting mobile actions require amount, currency, price/product stale-state checks, idempotency, audit correlation, redaction, and webhook evidence.","Mobile push sends remain disabled until APNs/FCM provider configuration, device-token registration, send preflight, queue, delivery-result, receipt, idempotency, consent, audit, and redaction boundaries exist.","Mobile distribution remains disabled until physical-device proof and App Store/TestFlight or Play Store/internal-testing evidence are recorded separately from simulator/emulator proof.","Private admin data requires an authenticated owner or publisher session; public source-data routes must remain safe for anonymous agents."],"privateRowsSummary":{"id":"mobile-admin-private-rows-contract","status":"owner-mobile-private-rows-ready","issue":414,"parentIssue":13,"apiRoute":"/api/mobile-admin/private-rows","source":"d1","loadError":null,"auth":{"required":true,"boundary":"owner-session","sessionRoute":"/api/auth/[...all]","acceptedRoles":["owner"]},"counts":{"privateRows":2,"requiresActionRows":1,"unreadRows":2,"ownerOnlyNotes":2,"privatePayloadRows":2},"latestRows":[{"id":"mobile-private-row-director-queue","rowKind":"owner_director_queue","title":"Director queue is ready for mobile owner review","summary":"Synthetic owner-only row proving Mobile Admin can read a private queue through the shared owner session without exposing notes to public source-data.","sourceRoute":"/admin/director/source-data","sourceRecordId":"bumpgrade-director-status","priority":"high","readState":"unread","requiresAction":true,"privateFieldsAvailable":true,"createdAt":"2026-05-24T10:23:58.000Z","updatedAt":"2026-05-24T10:33:58.000Z"},{"id":"mobile-private-row-action-intent-followup","rowKind":"mobile_action_intent_followup","title":"Action-intent API needs domain-specific write follow-up","summary":"Synthetic owner-only row tying the audit-only action-intent API to the next confirmed-write milestone.","sourceRoute":"/api/mobile-admin/actions","sourceRecordId":"mobile-admin-action-intent-contract","priority":"normal","readState":"unread","requiresAction":false,"privateFieldsAvailable":true,"createdAt":"2026-05-24T10:28:58.000Z","updatedAt":"2026-05-24T10:33:58.000Z"}],"redaction":{"privateRowsIncludedInPublicSourceData":false,"ownerOnlyNotesIncludedInPublicSourceData":false,"privatePayloadIncludedInPublicSourceData":false,"ownerEmailValuesIncluded":false,"sessionIdentifiersIncluded":false,"cookiesIncluded":false,"tokensIncluded":false,"rawRowsIncluded":false},"privateFieldsExcluded":["ownerOnlyNote","privatePayload","privatePayloadJson","rawRows","ownerEmail","sessionId","cookie","token"],"readBoundary":"Issue #414 lets verified owners inspect Mobile Admin private rows through an owner-session-only API. Public mobile source-data exposes route, status, counts, public row labels, and redaction flags only; it does not expose owner-only notes, private payload JSON, owner email values, session IDs, cookies, tokens, or raw rows."},"privateRowActionSummary":{"id":"mobile-admin-private-row-action-contract","status":"owner-mobile-private-row-actions-ready","issue":428,"parentIssue":414,"apiRoute":"/api/mobile-admin/private-rows/actions","source":"d1","loadError":null,"auth":{"required":true,"boundary":"owner-session","sessionRoute":"/api/auth/[...all]","acceptedRoles":["owner"]},"confirmation":{"required":true,"exactTextByAction":{"mobile-private-row-mark-read":"MARK PRIVATE ROW READ","mobile-private-row-defer":"DEFER PRIVATE ROW"}},"allowedActions":[{"id":"mobile-private-row-mark-read","issue":428,"title":"Mark private row read","status":"owner-mobile-private-row-actions-ready","confirmationText":"MARK PRIVATE ROW READ","sourceRoute":"/api/mobile-admin/private-rows","requiredInputs":["rowId","actionId","expectedRowUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"staleStateTokenRequired":true,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false},{"id":"mobile-private-row-defer","issue":428,"title":"Defer private row","status":"owner-mobile-private-row-actions-ready","confirmationText":"DEFER PRIVATE ROW","sourceRoute":"/api/mobile-admin/private-rows","requiredInputs":["rowId","actionId","expectedRowUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"staleStateTokenRequired":true,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false}],"selectedRow":null,"counts":{"privateRowActions":0,"markReadActions":0,"deferActions":0,"productionMutationsCreatedRecords":0,"billingMutationsCreatedRecords":0,"pushNotificationsSentRecords":0,"distributionStateChangedRecords":0},"latestActions":[],"redaction":{"actorEmailIncluded":false,"actorEmailHashIncluded":false,"actorUserIdIncluded":false,"privateNoteIncluded":false,"privatePayloadIncluded":false,"ownerOnlyNoteIncluded":false,"idempotencyKeysIncluded":false,"staleStateTokenIncludedInPublicSourceData":false,"staleStateTokenHashIncluded":false,"rawRowsIncluded":false,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false},"privateFieldsExcluded":["actorEmail","actorEmailHash","actorUserId","idempotencyKey","privateNote","privateNoteSha256","ownerOnlyNote","privatePayload","privatePayloadJson","confirmationTextSha256","staleStateToken","staleStateTokenSha256","rawRows","metadataJson"],"writeBoundary":"Issue #428 lets verified owners mark Mobile Admin private rows read or deferred after exact confirmation, idempotency, stale row revision checks, stale-state token checks, audit correlation, and redaction. It mutates only the private row workflow state; it creates no billing mutation, commerce mutation, publishing mutation, push notification, distribution state change, creator-speech action, moderation action, or public agent write."},"directorReviewSummary":{"id":"mobile-admin-director-review-contract","status":"owner-mobile-director-review-ready","issue":414,"parentIssue":414,"apiRoute":"/api/mobile-admin/director-reviews","sourceRoute":"/admin/director/source-data","source":"d1","loadError":null,"auth":{"required":true,"boundary":"owner-session","sessionRoute":"/api/auth/[...all]","acceptedRoles":["owner"]},"confirmation":{"required":true,"exactText":"ACKNOWLEDGE DIRECTOR WORKSTREAM"},"directorGeneratedAt":"2026-07-06T21:45:02.640Z","allowedWorkstreams":[{"id":"marketing","title":"Marketing","status":"done","currentFocus":"Homepage, positioning, feature catalog, comparison pages, SEO, resources, and public launch copy.","counts":{"active":0,"pending":0,"shipped":4,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"product-commerce","title":"Product / Commerce","status":"on_track","currentFocus":"Advanced funnel editing, resource delivery, and agent-safe writes","counts":{"active":1,"pending":1,"shipped":3,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"audience-email","title":"Audience / Email","status":"on_track","currentFocus":"Live email delivery, automation execution, and agent-safe writes","counts":{"active":0,"pending":1,"shipped":1,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"analytics-growth","title":"Analytics / Growth","status":"on_track","currentFocus":"Live analytics automation, experiment routing, notification execution, and agent-safe writes","counts":{"active":1,"pending":1,"shipped":4,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"mobile-admin","title":"Mobile Admin","status":"on_track","currentFocus":"Publisher admin apps for iOS and Android","counts":{"active":1,"pending":0,"shipped":0,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"agent-readiness","title":"Agent Readiness","status":"done","currentFocus":"Agent docs, manifests, source-data contracts, MCP roadmap, stable IDs, and write-safety boundaries.","counts":{"active":0,"pending":0,"shipped":1,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"security-trust","title":"Security / Trust","status":"at_risk","currentFocus":"Decision needed: Choose and verify audience sender before subscriber email delivery","counts":{"active":0,"pending":0,"shipped":4,"blocked":0,"needsMark":2,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"infrastructure","title":"Infrastructure","status":"done","currentFocus":"Cloudflare, D1, deploys, CI, runtime boundaries, migrations, and production operations.","counts":{"active":0,"pending":0,"shipped":1,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true},{"id":"operations-control","title":"Operations / Project Control","status":"done","currentFocus":"Roadmap, work-log, owner-attention queue, director dashboard, decisions, blockers, and project hygiene.","counts":{"active":0,"pending":0,"shipped":3,"blocked":0,"needsMark":0,"changedPastDay":0,"changedPastWeek":0},"expectedDirectorGeneratedAt":"director-revision-5f7df4ec05c8a5c5","staleStateTokenRequired":true}],"counts":{"directorReviews":0,"reviewedWorkstreams":0,"productionAdminStateRecordedRows":0,"billingMutationCreatedRows":0,"pushNotificationSentRows":0,"distributionStateChangedRows":0,"publicAgentWriteCreatedRows":0},"latestReviews":[],"redaction":{"actorEmailIncluded":false,"actorEmailHashIncluded":false,"actorUserIdIncluded":false,"reviewNoteIncluded":false,"idempotencyKeysIncluded":false,"staleStateTokenIncludedInPublicSourceData":false,"staleStateTokenHashIncluded":false,"rawRowsIncluded":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false,"publicAgentWriteCreated":false},"privateFieldsExcluded":["actorEmail","actorEmailHash","actorUserId","idempotencyKey","reviewNote","reviewNoteSha256","confirmationTextSha256","staleStateToken","staleStateTokenSha256","rawRows","metadataJson"],"writeBoundary":"Issue #414 lets verified owners acknowledge a Director workstream from Mobile Admin after exact confirmation, idempotency, current Director source-revision checks, stale-state token checks, audit correlation, and redaction. It records low-risk production owner review state only; it does not create billing mutations, publishing mutations, push notifications, distribution state changes, public agent writes, or private-row changes."},"commerceReviewSummary":{"id":"mobile-admin-commerce-review-contract","status":"owner-mobile-commerce-review-ready","issue":414,"parentIssue":414,"apiRoute":"/api/mobile-admin/commerce-reviews","sourceRoute":"/commerce/source-data","source":"d1","loadError":null,"auth":{"required":true,"boundary":"owner-session","sessionRoute":"/api/auth/[...all]","acceptedRoles":["owner"]},"confirmation":{"required":true,"exactText":"ACKNOWLEDGE MOBILE COMMERCE HEALTH"},"commerceGeneratedAt":"commerce-revision-d34352df17650b39","allowedReviewTargets":[{"id":"commerce_products","title":"Commerce Products","status":"live","purpose":"Canonical Bumpgrade product records for products, memberships, services, downloads, and future offers.","publicSafeFieldCount":7,"serverPrivateFieldCount":2,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"commerce_prices","title":"Commerce Prices","status":"live","purpose":"Stable price records mapped to Stripe Prices for one-time and subscription checkout.","publicSafeFieldCount":7,"serverPrivateFieldCount":2,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"checkout_intents","title":"Checkout Intents","status":"live","purpose":"Idempotent checkout-start record created before Stripe is called.","publicSafeFieldCount":8,"serverPrivateFieldCount":12,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"checkout_referral_attributions","title":"Checkout Referral Attributions","status":"live","purpose":"Public-safe evidence that a validated seeded referral click was attached to a sandbox checkout intent.","publicSafeFieldCount":8,"serverPrivateFieldCount":8,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"checkout_post_purchase_decisions","title":"Checkout Post Purchase Decisions","status":"live","purpose":"Non-billing post-purchase upsell/downsell decision evidence for trusted sandbox checkout intents before one-click charging exists.","publicSafeFieldCount":9,"serverPrivateFieldCount":7,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"affiliate_commission_ledger_entries","title":"Affiliate Commission Ledger Entries","status":"live","purpose":"Review-only, non-payable commission ledger evidence created from trusted checkout referral attribution before payout workflows exist.","publicSafeFieldCount":11,"serverPrivateFieldCount":8,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"affiliate_commission_ledger_actions","title":"Affiliate Commission Ledger Actions","status":"live","purpose":"Owner-gated review, hold, and reversal actions for review-only commission ledger evidence before payout mutation exists.","publicSafeFieldCount":10,"serverPrivateFieldCount":9,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"stripe_webhook_events","title":"Stripe Webhook Events","status":"live","purpose":"Webhook idempotency and redacted event evidence keyed by Stripe event id.","publicSafeFieldCount":5,"serverPrivateFieldCount":3,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"billing_subscriptions","title":"Billing Subscriptions","status":"live","purpose":"Subscription access state derived from Stripe Billing events.","publicSafeFieldCount":7,"serverPrivateFieldCount":7,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"payment_audit_events","title":"Payment Audit Events","status":"live","purpose":"Redacted audit trail for billing-impacting checkout, webhook, and agent actions.","publicSafeFieldCount":6,"serverPrivateFieldCount":3,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"product_entitlements","title":"Product Entitlements","status":"live","purpose":"Idempotent product access grants derived from trusted paid checkout webhook evidence.","publicSafeFieldCount":9,"serverPrivateFieldCount":5,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"product_fulfillment_tasks","title":"Product Fulfillment Tasks","status":"live","purpose":"Public-safe fulfillment queue evidence created with entitlement rows before private delivery exists.","publicSafeFieldCount":7,"serverPrivateFieldCount":1,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"product_asset_uploads","title":"Product Asset Uploads","status":"live","purpose":"Owner-confirmed private product asset upload records backed by PRODUCT_ASSETS without exposing object keys, signed URLs, upload bodies, or private metadata.","publicSafeFieldCount":8,"serverPrivateFieldCount":6,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"product_entitlement_revocation_intents","title":"Product Entitlement Revocation Intents","status":"live","purpose":"Owner-visible revocation intent records that document confirmation, stale-state, audit, and non-destructive boundaries before live entitlement removal exists.","publicSafeFieldCount":9,"serverPrivateFieldCount":9,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true},{"id":"product_protected_content_sections","title":"Product Protected Content Sections","status":"live","purpose":"Protected content readiness metadata for future course and member-area delivery without exposing protected bodies or enabling customer delivery.","publicSafeFieldCount":10,"serverPrivateFieldCount":6,"expectedCommerceGeneratedAt":"commerce-revision-d34352df17650b39","staleStateTokenRequired":true}],"counts":{"commerceReviews":0,"reviewedTargets":0,"commerceStateRecordedRows":0,"billingMutationCreatedRows":0,"refundCreatedRows":0,"subscriptionChangedRows":0,"priceChangedRows":0,"fulfillmentStateChangedRows":0,"entitlementStateChangedRows":0,"pushNotificationSentRows":0,"distributionStateChangedRows":0,"publicAgentWriteCreatedRows":0},"latestReviews":[],"redaction":{"actorEmailIncluded":false,"actorEmailHashIncluded":false,"actorUserIdIncluded":false,"reviewNoteIncluded":false,"idempotencyKeysIncluded":false,"staleStateTokenIncludedInPublicSourceData":false,"staleStateTokenHashIncluded":false,"rawRowsIncluded":false,"billingMutationCreated":false,"refundCreated":false,"subscriptionChanged":false,"priceChanged":false,"fulfillmentStateChanged":false,"entitlementStateChanged":false,"pushNotificationSent":false,"distributionStateChanged":false,"publicAgentWriteCreated":false},"privateFieldsExcluded":["actorEmail","actorEmailHash","actorUserId","idempotencyKey","reviewNote","reviewNoteSha256","confirmationTextSha256","staleStateToken","staleStateTokenSha256","rawRows","metadataJson"],"writeBoundary":"Issue #414 lets verified owners acknowledge current commerce-health state from Mobile Admin after exact confirmation, idempotency, current commerce source-revision checks, stale-state token checks, audit correlation, and redaction. It records low-risk owner review state only; it does not create billing mutations, refunds, subscription changes, price changes, fulfillment changes, entitlement changes, push notifications, distribution state changes, public agent writes, or private-row changes."},"actionIntentSummary":{"id":"mobile-admin-action-intent-contract","status":"owner-mobile-action-intent-ready","issue":414,"parentIssue":13,"apiRoute":"/api/mobile-admin/actions","contractUpdatedAt":"2026-05-25","source":"d1","loadError":null,"auth":{"required":true,"boundary":"owner-session","sessionRoute":"/api/auth/[...all]","acceptedRoles":["owner"]},"confirmation":{"required":true,"exactTextByAction":{"mobile-confirm-review-agent-work":"ACKNOWLEDGE DIRECTOR WORKSTREAM","mobile-confirm-commerce-health-review":"ACKNOWLEDGE MOBILE COMMERCE HEALTH","mobile-confirm-commerce-change":"CONFIRM MOBILE COMMERCE ACTION"}},"allowedActions":[{"id":"mobile-confirm-review-agent-work","issue":414,"title":"Review and confirm agent work","status":"owner-director-review-api-ready","surface":"Owner-attention and work-log inbox","confirmationText":"ACKNOWLEDGE DIRECTOR WORKSTREAM","sourceRoutes":["/admin/for-mark/source-data","/admin/work-log/source-data","/admin/director/source-data","/agent-docs/source-data"],"requiredInputs":["actionId","sourceRoute","expectedContractUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"staleStateTokenRequired":true,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false},{"id":"mobile-confirm-commerce-health-review","issue":414,"title":"Review commerce health","status":"owner-commerce-review-api-ready","surface":"Commerce health summary","confirmationText":"ACKNOWLEDGE MOBILE COMMERCE HEALTH","sourceRoutes":["/commerce/source-data","/features/source-data","/roadmap/source-data"],"requiredInputs":["actionId","sourceRoute","expectedContractUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"staleStateTokenRequired":true,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false},{"id":"mobile-confirm-commerce-change","issue":414,"title":"Confirm commerce or fulfillment changes","status":"future-api-required","surface":"Commerce health summary","confirmationText":"CONFIRM MOBILE COMMERCE ACTION","sourceRoutes":["/commerce/source-data","/features/source-data","/roadmap/source-data"],"requiredInputs":["actionId","sourceRoute","expectedContractUpdatedAt","staleStateToken","confirmationText","idempotencyKey","auditCorrelationId"],"staleStateTokenRequired":true,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false}],"counts":{"actionIntents":0,"reviewAgentWorkIntents":0,"commerceChangeIntents":0,"productionMutationsCreatedRecords":0,"billingMutationsCreatedRecords":0,"pushNotificationsSentRecords":0,"distributionStateChangedRecords":0},"latestIntents":[],"redaction":{"actorEmailIncluded":false,"actorEmailHashIncluded":false,"actorUserIdIncluded":false,"privateNoteIncluded":false,"idempotencyKeysIncluded":false,"staleStateTokenIncludedInPublicSourceData":false,"staleStateTokenHashIncluded":false,"rawRowsIncluded":false,"productionMutationCreated":false,"billingMutationCreated":false,"pushNotificationSent":false,"distributionStateChanged":false},"privateFieldsExcluded":["actorEmail","actorEmailHash","actorUserId","idempotencyKey","privateNote","privateNoteSha256","confirmationTextSha256","staleStateToken","staleStateTokenSha256","rawRows","metadataJson"],"writeBoundary":"Issue #414 lets verified owners record audit-only mobile action intents after exact confirmation, idempotency, contract revision checks, stale-state token checks, audit correlation, source-route allowlisting, and redaction. It creates no production admin mutation, billing mutation, push notification, distribution state change, private mobile row exposure, or direct public agent write."},"caveat":"This is the shared mobile admin contract and app-foundation plan. The iOS and Android first slices now have simulator/emulator smoke evidence, /mobile-admin/dashboard/source-data is the live public-safe dashboard bridge with a redacted Director workstream digest, and issue #414 renders the owner-session, private-row API, Director review API, commerce review API, action-intent API, push-readiness boundary, distribution-readiness boundary, and confirmed-action requirements in the app foundations. /api/mobile-admin/private-rows is owner-session-only and read-only, /api/mobile-admin/private-rows/actions can mutate only low-risk private-row workflow state after owner confirmation, /api/mobile-admin/director-reviews can record owner-confirmed Director workstream acknowledgements, /api/mobile-admin/commerce-reviews can record owner-confirmed commerce-health acknowledgements, /api/mobile-admin/actions can record owner-gated audit-only action intents, and App Store/TestFlight or Play Store/internal-testing distribution, live push notifications, physical-device proof, and high-risk billing/publishing mobile mutations are not live yet."}