{"product":{"platformName":"CVPortal","candidateBrand":"ChatMyApp","category":"agentic career dossier","seedWorkspace":"patrick-kelly"},"status":{"current":"prototype_with_production_schema_contract","productionReady":false,"productionEvidenceReady":false,"productionAccountAuthReady":false,"productionSaasIdentityReady":false,"productionReviewAiReady":false,"productionRetrievalWorkerReady":false,"reason":"The seed workspace has a verified production persistence contract, account-membership auth foundation, and local reindex jobs, but live production still needs durable Postgres account-membership auth, durable invited onboarding and provisioning, model-assisted portfolio/visual review, managed auth, database deployment, durable source-sync and embedding workers, cloud object storage, vector embeddings, commercial billing, hosted secrets, backups, monitoring, hosted production evidence artifacts, and an internet deployment review."},"launchReadiness":{"currentStage":"local_seed_prototype","currentStageLabel":"Local seed prototype","stageOrder":["not_ready","local_seed_prototype","controlled_hiring_launch","production_saas_ready"],"controlledHiringLaunchReady":false,"controlledLaunchEvidenceReady":false,"productionSaasReady":false,"productionEvidenceReady":false,"assessor":"npm run launch:assess -- --base-url={origin}","evidencePolicy":"check_ids_statuses_and_public_safe_stage_metadata_only"},"deploymentHardening":{"configProfile":"production","internetExposureReady":false,"liveAgentReady":false,"portfolioInterviewer":{"mode":"deterministic","provider":"deterministic","ready":true,"status":"deterministic","fallback":null,"model":null,"generatedCount":0,"error":null,"privacyBoundary":"candidate_private_review_only_no_publication","transcriptStorage":"model_request_not_stored_by_signal_dossier"},"visualArtifactAnalyzer":{"mode":"model_unconfigured","provider":"deterministic","ready":false,"status":"provider_not_configured","model":null,"generatedCount":0,"appliedFieldCount":0,"error":null,"output":"candidate_private_visual_review_suggestions","privacyBoundary":"candidate_private_review_only_no_publication","transcriptStorage":"model_request_not_stored_by_signal_dossier","ocrStatus":"not_claimed"},"transcriptStorageDefault":"metadata_only_no_raw_transcripts","transcriptStorage":{"rawTranscriptStorageEnabled":false,"visitorConsentRequired":true,"default":"metadata_only_no_raw_transcripts","consentField":"transcriptConsent","retentionDays":null,"transcriptPersistence":"optional_raw_transcripts_by_env"},"checks":[{"id":"session_secret","label":"Session signing secret","ok":true,"severity":"blocking","note":"Set SESSION_SECRET to a long random value before deployment."},{"id":"account_membership_auth","label":"Managed account membership auth","ok":false,"severity":"blocking","note":"Use managed account auth or set ACCOUNT_DATA_FILE and a long ACCOUNT_PASSWORD_SECRET for workspace membership sessions."},{"id":"account_auth_storage","label":"Account membership persistence","ok":true,"severity":"production_scale","note":"Production account membership auth should use durable Postgres account and membership rows rather than file-backed account JSON."},{"id":"workspace_admin_key","label":"Candidate workspace admin key","ok":false,"severity":"blocking","note":"Prefer account membership auth; workspace-scoped keys or WORKSPACE_ADMIN_KEY are prototype fallback paths."},{"id":"legacy_workspace_admin_key_disabled","label":"Legacy global workspace key disabled","ok":true,"severity":"production_scale","note":"Production SaaS should remove the legacy global WORKSPACE_ADMIN_KEY fallback and rely on account memberships, invited onboarding, or workspace-scoped credential hashes."},{"id":"invited_workspace_onboarding","label":"Invited workspace onboarding","ok":true,"severity":"blocking","note":"Enable ONBOARDING_INVITES_ENABLED only with ONBOARDING_INVITE_HASH_SECRET and hashed invite records; managed auth should replace this prototype bridge for SaaS launch."},{"id":"invited_onboarding_store","label":"Invited onboarding persistence","ok":true,"severity":"blocking","note":"Production invited onboarding should use durable workspace_invitations records rather than file-backed invite JSON."},{"id":"password_reset_recovery","label":"Password reset recovery","ok":false,"severity":"blocking","note":"Enable PASSWORD_RESETS_ENABLED with a long PASSWORD_RESET_HASH_SECRET separate from session and account-password secrets."},{"id":"password_reset_store","label":"Password reset persistence","ok":true,"severity":"blocking","note":"Production password reset tokens should use durable password_reset_tokens records or a managed identity provider."},{"id":"credential_delivery","label":"Credential delivery","ok":false,"severity":"blocking","note":"Configure private credential delivery before internet exposure so invite and reset tokens are not delivered through ad hoc operator paths."},{"id":"workspace_provision_store","label":"Workspace provisioning persistence","ok":true,"severity":"blocking","note":"Production invited onboarding should use durable Postgres provisioning for owner users, workspaces, and memberships."},{"id":"access_link_hash_secret","label":"Access-link HMAC secret","ok":true,"severity":"blocking","note":"Set ACCESS_LINK_HASH_SECRET to a long random value separate from SESSION_SECRET so cookie rotation does not invalidate submitted resume links."},{"id":"env_resume_access_codes","label":"Raw env resume-code fallback","ok":true,"severity":"production_scale","note":"Production should use generated workspace access links with hashed accessLinks; raw RESUME_ACCESS_CODES is a local/demo fallback only."},{"id":"cookie_secure","label":"Secure cookies","ok":true,"severity":"blocking","note":"Use COOKIE_SECURE=true behind HTTPS for internet deployments."},{"id":"rate_limits","label":"Public endpoint rate limits","ok":true,"severity":"blocking","note":"Verify-code, workspace-login, onboarding, chat, agent-query, and worker endpoints are throttled by hashed client identity."},{"id":"edge_abuse_controls","label":"Edge/API-gateway abuse controls","ok":false,"severity":"blocking","note":"Production internet exposure should sit behind edge/API-gateway route rate limits, WAF managed rules, bot/DDoS protection, origin-bypass blocking, abuse logging, and alerting."},{"id":"webpage_source_ingestion_safety","label":"Public webpage source-ingestion safety","ok":true,"severity":"blocking","note":"Keep WEBPAGE_ALLOW_LOCAL_FETCH=false and WEBPAGE_MAX_REDIRECTS between 0 and 10 so public webpage/profile sync cannot fetch local/private targets or unbounded redirects."},{"id":"content_feed_source_ingestion_safety","label":"Public content-feed source-ingestion safety","ok":true,"severity":"blocking","note":"RSS/Substack/blog/newsletter sync reuses the guarded public fetch boundary: no local/private targets by default, bounded manually revalidated redirects, and request-time DNS revalidation."},{"id":"security_headers","label":"Public response security headers","ok":true,"severity":"blocking","note":"Serve public and agent-readable responses with no-sniffing, frame blocking, referrer limits, permissions policy, and HSTS for non-loopback production hosts."},{"id":"browser_write_origin_guard","label":"Browser workspace write origin guard","ok":true,"severity":"blocking","note":"Cookie-authenticated candidate workspace writes reject mismatched Origin or Referer headers while keeping explicit server/operator credentials separate from browser session auth."},{"id":"browser_auth_mutation_origin_guard","label":"Browser auth/session mutation origin guard","ok":true,"severity":"blocking","note":"Browser auth, recovery, onboarding, and logout endpoints that issue, rotate, or clear cookies reject mismatched Origin or Referer headers before credential or session mutation logic runs."},{"id":"json_request_body_policy","label":"JSON request body policy","ok":true,"severity":"blocking","note":"JSON API endpoints reject non-JSON request bodies with 415 and malformed JSON with 400 before handler logic runs."},{"id":"api_method_policy","label":"API method discipline","ok":true,"severity":"blocking","note":"Known API, discovery, worker, and workspace routes reject unsupported HTTP methods with 405, an Allow header, and a stable method_not_allowed response code."},{"id":"discovery_head_policy","label":"Public discovery HEAD support","ok":true,"severity":"blocking","note":"Public health and agent discovery routes support HEAD with no response body so monitors, ATS systems, and recruiting agents can verify availability cheaply."},{"id":"canonical_public_origin","label":"Canonical public origin","ok":true,"severity":"blocking","note":"Set PUBLIC_BASE_URL to the HTTPS origin that should appear in agent docs, QR links, and generated resume access URLs."},{"id":"host_allowlist","label":"Allowed public hosts","ok":true,"severity":"blocking","note":"Set ALLOWED_PUBLIC_HOSTS and HOST_ENFORCEMENT_ENABLED=true so production rejects unexpected Host/X-Forwarded-Host values."},{"id":"trusted_proxy_headers","label":"Trusted proxy headers","ok":true,"severity":"blocking","note":"Set TRUST_PROXY_HEADERS=true only when the app is behind a trusted HTTPS reverse proxy that owns X-Forwarded-* headers."},{"id":"service_worker_auth","label":"Service worker authentication","ok":true,"severity":"blocking","note":"Set WORKER_CREDENTIAL_SECRET and WORKER_TOKEN_HASHES for service-authenticated source-sync workers."},{"id":"openai_api_key","label":"Live agent model key","ok":false,"severity":"runtime","note":"Set OPENAI_API_KEY for live hiring-manager chat; otherwise the app returns a clear 503."},{"id":"portfolio_interviewer_model","label":"Portfolio interviewer model assistance","ok":true,"severity":"runtime","note":"Set PORTFOLIO_INTERVIEWER_PROVIDER=openai plus OPENAI_API_KEY to generate private, model-assisted portfolio interview prompts; deterministic fallback remains available."},{"id":"visual_artifact_analyzer_model","label":"Visual artifact analyzer model assistance","ok":true,"severity":"runtime","note":"Set VISUAL_ARTIFACT_ANALYZER_PROVIDER=openai or PORTFOLIO_INTERVIEWER_PROVIDER=openai plus OPENAI_API_KEY to generate private, candidate-reviewed visual artifact descriptions."},{"id":"embedding_provider","label":"Embedding provider","ok":false,"severity":"production_scale","note":"Set EMBEDDING_PROVIDER=openai, EMBEDDING_MODEL=text-embedding-3-small, EMBEDDING_DIMENSIONS=1536, and EMBEDDING_API_KEY or OPENAI_API_KEY for managed vector workers."},{"id":"commercial_billing_readiness","label":"Commercial billing readiness","ok":false,"severity":"production_scale","note":"Production SaaS should use Stripe subscription billing with Prices, verified webhooks, customer portal self-service, tenant entitlement mapping, and tax posture."},{"id":"billing_entitlement_enforcement","label":"Billing entitlement enforcement","ok":false,"severity":"production_scale","note":"Production SaaS should enforce active or grace subscription entitlement for public dossier, chat, agent-query, memory-search, artifact-file, and access-link surfaces.","evidence":{"mode":"off","publicServingEnforced":false,"allowedEntitlementStatuses":["active","grace"],"protectedSurfaces":["verify_code","human_chat","agent_query","public_dossier_space","dossier_agent_package","public_memory_search","public_artifact_file","access_link_issuing"]}},{"id":"billing_plan_limits_enforcement","label":"Billing plan limits enforcement","ok":false,"severity":"production_scale","note":"Production SaaS should enforce workspace-write plan limits with a private Stripe Price-to-plan map so subscription tiers resolve without exposing Price IDs.","evidence":{"mode":"off","workspaceWriteEnforced":false,"pricePlanMapConfigured":false,"mappedPriceCount":0,"planCount":3,"protectedMetrics":["sources","artifacts","dossierSpaces","activeAccessLinks","interviewPrompts","interviewSessions"],"outputPolicy":"reports_plan_counts_metric_keys_and_enforcement_mode_without_stripe_price_ids_or_price_plan_map_values"}},{"id":"legal_disclosure_readiness","label":"Legal disclosure readiness","ok":false,"severity":"production_scale","note":"Commercial SaaS launch should use finalized, counsel-reviewed privacy and terms disclosures with public contact, operator entity, jurisdiction, version, and review metadata configured."},{"id":"workspace_storage","label":"Workspace persistence","ok":true,"severity":"production_scale","note":"Filesystem storage is acceptable for the local Patrick seed prototype, not hosted multi-user production."},{"id":"object_storage","label":"Private upload storage","ok":false,"severity":"production_scale","note":"Production should use private object storage with signed access and review-gated publishing."},{"id":"memory_storage","label":"Vector memory storage","ok":true,"severity":"production_scale","note":"Production retrieval should use managed Postgres pgvector memory chunks rather than the local filesystem lexical index."},{"id":"embedding_job_storage","label":"Embedding job persistence","ok":true,"severity":"production_scale","note":"Production embedding refresh should use durable Postgres embedding_jobs rows for managed worker claims."},{"id":"source_sync_job_storage","label":"Source-sync job persistence","ok":true,"severity":"production_scale","note":"Production source ingestion should use durable Postgres source_sync_jobs rows for managed worker claims and retry backoff."},{"id":"raw_transcript_default","label":"Transcript storage default","ok":true,"severity":"privacy","note":"Default analytics remain metadata-only unless raw transcripts are explicitly enabled."},{"id":"analytics_storage","label":"Interaction analytics storage","ok":true,"severity":"production_scale","note":"Production should store interaction metadata in tenant-scoped durable analytics tables while keeping raw transcripts off by default."},{"id":"audit_log_storage","label":"Operational audit log storage","ok":true,"severity":"production_scale","note":"Audit events are metadata-only locally; production should move audit logs to durable tenant-scoped storage."},{"id":"operations_backup_enabled","label":"Backups enabled","ok":true,"severity":"production_scale","note":"Set OPERATIONS_BACKUP_ENABLED=true after managed database/object backup policy is configured."},{"id":"operations_backup_provider","label":"Backup provider","ok":false,"severity":"production_scale","note":"Set OPERATIONS_BACKUP_PROVIDER to managed_postgres, pg_dump_s3, supabase, rds_snapshot, or external_managed."},{"id":"operations_backup_retention","label":"Backup retention","ok":true,"severity":"production_scale","note":"Set OPERATIONS_BACKUP_RETENTION_DAYS to at least 7; 30+ is recommended for early production."},{"id":"operations_backup_encryption","label":"Encrypted backups","ok":true,"severity":"production_scale","note":"Set OPERATIONS_BACKUP_ENCRYPTION=true when backup storage is encrypted at rest."},{"id":"operations_restore_drill","label":"Restore drill","ok":false,"severity":"production_scale","note":"Run npm run backup:drill and set OPERATIONS_RESTORE_DRILL_EVIDENCE_FILE, or set OPERATIONS_LAST_RESTORE_DRILL_AT after a restore drill."},{"id":"operations_managed_restore_coverage","label":"Managed restore coverage","ok":true,"severity":"production_scale","note":"When OPERATIONS_REQUIRE_MANAGED_RECOVERY_EVIDENCE=true, run npm run recovery:managed:drill so restore evidence covers both managed Postgres and private object storage."},{"id":"operations_runbook","label":"Incident runbook","ok":true,"severity":"production_scale","note":"Set OPERATIONS_RUNBOOK_URL to a private runbook covering backup restore, worker incidents, and access-link abuse response."},{"id":"operations_monitoring_enabled","label":"Monitoring enabled","ok":false,"severity":"production_scale","note":"Set OPERATIONS_MONITORING_ENABLED=true after uptime/health monitoring is configured."},{"id":"operations_error_tracking","label":"Error tracking","ok":false,"severity":"production_scale","note":"Set OPERATIONS_ERROR_TRACKING_DSN or OPERATIONS_ERROR_TRACKING_CONFIGURED=true for server-side error tracking."},{"id":"operations_alerting","label":"Alerting route","ok":false,"severity":"production_scale","note":"Set OPERATIONS_ALERT_WEBHOOK_URL or OPERATIONS_ALERT_EMAIL for production incident alerts."},{"id":"operations_oncall_contact","label":"On-call contact","ok":false,"severity":"production_scale","note":"Set OPERATIONS_ONCALL_CONTACT to a private owner/team contact for production incidents."},{"id":"operations_structured_logs","label":"Structured logs","ok":true,"severity":"production_scale","note":"Set OPERATIONS_STRUCTURED_LOGS=true when runtime logs are captured as structured events."},{"id":"operations_log_level","label":"Production log level","ok":true,"severity":"privacy","note":"Use info/warn/error level logging in production; avoid debug/trace logs around candidate-private workflows."}],"workspaceAuth":{"accountMembershipsConfigured":false,"scopedWorkspaceCredentials":false,"legacyGlobalKeyConfigured":false,"invitedOnboardingEnabled":false,"invitedOnboardingStore":{"driver":"postgres","ready":true,"current":"postgres_workspace_invitations","persistence":"postgres_workspace_invitations","credentialStorage":"hmac_sha256_invite_hashes_only","target":"managed_auth_workspace_invitations","adapterBoundary":"onboarding_invitation_store"},"workspaceProvisionStore":{"driver":"postgres","ready":true,"current":"postgres_workspace_provisioning","persistence":"postgres_tenants_users_workspaces_memberships","credentialStorage":"hmac_password_hashes_only","target":"managed_auth_postgres_workspace_memberships","adapterBoundary":"workspace_provision_store"},"passwordReset":{"enabled":false,"driver":"postgres","ready":true,"current":"postgres_password_reset_tokens","persistence":"postgres_password_reset_tokens","credentialStorage":"hmac_sha256_reset_token_hashes_only","target":"managed_identity_password_reset","adapterBoundary":"password_reset_store","requestEndpoint":"/api/password-reset/request","confirmEndpoint":"/api/password-reset/confirm","delivery":{"driver":"disabled","ready":false,"current":"delivery_disabled","persistence":"none","credentialHandling":"no_raw_credential_delivery","adapterBoundary":"credential_delivery"},"deliveryFailurePolicy":{"enabled":true,"appliesTo":["/api/password-reset/request"],"requestEndpointNoEnumeration":true,"failedDeliveryResponseStatus":202,"failedDeliveryResetStatus":"revoked","storedMaterial":"hmac_reset_token_hash_only","publicResponseBody":"request_received_without_provider_error","auditBoundary":"metadata_only_delivery_status_and_reset_id","redacts":["raw_reset_token","action_url","recipient_email","provider_secret","provider_error_body","token_hash"]}},"sessionCookie":"workspace_scoped_signed_httponly","browserWriteOriginGuard":{"enabled":true,"enforcedFor":["workspace_session_cookie","account_membership_cookie"],"unsafeMethods":["POST","PUT","PATCH","DELETE"],"acceptedOriginHeaders":["Origin","Referer"],"allowedOrigins":["current_request_origin","configured_public_base_url"],"rejectsCrossOrigin":true,"missingOriginPolicy":"allowed_for_non_browser_clients","headerCredentialPolicy":"workspace_admin_key_and_worker_tokens_are_not_browser_cookie_auth"}},"browserAuthMutationGuard":{"enabled":true,"enforcedFor":["resume_session_cookie","workspace_session_cookie","account_membership_cookie","password_reset_session_rotation","invited_onboarding_session_creation"],"endpoints":["/api/verify-code","/api/logout","/api/workspace-login","/api/workspace-logout","/api/password-reset/request","/api/password-reset/confirm","/api/onboarding/accept-invite"],"unsafeMethods":["POST"],"acceptedOriginHeaders":["Origin","Referer"],"allowedOrigins":["current_request_origin","configured_public_base_url"],"rejectsCrossOrigin":true,"missingOriginPolicy":"allowed_for_non_browser_clients","rejectionCode":"cross_origin_browser_mutation"},"publicOrigin":{"publicBaseUrlConfigured":true,"publicBaseUrlProtocol":"https","publicBaseUrlHost":"cvportal.ai","publicBaseUrlHostAllowed":true,"trustProxyHeaders":true,"hostEnforcementEnabled":true,"allowedHostCount":2,"allowedHosts":["cvportal.ai","www.cvportal.ai"]},"securityHeaders":{"baselineEnabled":true,"contentTypeSniffing":"blocked","frameEmbedding":"denied","contentSecurityPolicy":{"enabled":true,"mode":"enforced","allowsInlineScripts":false,"allowsInlineStyles":true,"objectSources":"none","frameAncestors":"none","baseUri":"none","policy":"default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:; font-src 'self'; connect-src 'self'; object-src 'none'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'"},"referrerPolicy":"strict-origin-when-cross-origin","permissionsPolicy":"camera/microphone/geolocation/payment/usb disabled","crossOriginOpenerPolicy":"same-origin","crossDomainPolicyFiles":"disabled","hsts":{"enabled":true,"mode":"max-age=15552000; includeSubDomains"}},"requestBodyPolicy":{"requiresJsonContentType":true,"acceptedMediaTypes":["application/json","application/*+json"],"malformedJsonStatus":400,"nonJsonStatus":415,"emptyBodyPolicy":"allowed_for_command_endpoints","appliesTo":["json_api_posts","json_api_patches","worker_json_commands"]},"apiMethodPolicy":{"knownRoutesRejectWrongMethod":true,"methodNotAllowedStatus":405,"allowHeader":true,"responseCode":"method_not_allowed","exactRouteCount":27,"workspaceRoutePatternCount":45,"appliesTo":["top_level_api_routes","well_known_discovery_routes","worker_routes","workspace_routes"],"fallbackStaticAllowedMethods":["GET","HEAD"]},"discoveryHeadPolicy":{"enabled":true,"statusCode":200,"bodyOmitted":true,"allowedMethods":["GET","HEAD"],"routes":["/api/health","/api/platform-readiness","/.well-known/cvportal-platform.json","/openapi.json","/.well-known/openapi.json","/api/agent-card","/.well-known/cvportal-agent-card.json","/llms.txt","/.well-known/agent-resume.json"],"appliesTo":["health_endpoint","platform_readiness","openapi","agent_card","llms_txt","agent_resume_manifest"]},"serviceWorkerAuth":{"configured":true,"credentialSecretConfigured":true,"credentialStorage":"hmac_sha256_hashes_only","acceptedHeaders":["Authorization: Bearer <token>","X-CVPortal-Worker-Key"]},"edgeAbuseControls":{"ready":false,"edgeLayerRequiredForProduction":true,"provider":"caddy","controls":{"enabled":true,"wafEnabled":false,"managedRulesEnabled":false,"botProtectionEnabled":false,"ddosProtectionEnabled":false,"originBypassBlocked":true,"loggingEnabled":true,"alertingEnabled":false},"routeCoverage":{"configured":false,"configuredRoutes":[],"requiredRoutes":["verify_code","workspace_login","onboarding","password_reset","billing","chat","agent_query","worker"],"coveredRoutes":[],"missingRoutes":["verify_code","workspace_login","onboarding","password_reset","billing","chat","agent_query","worker"],"complete":false},"outputPolicy":"provider_names_route_keys_and_boolean_evidence_only"},"commercialBilling":{"ready":false,"provider":"disabled","mode":"subscription","checkoutMode":"not_configured","target":"stripe_subscription_billing","summary":{"checks":9,"passed":0,"failed":9,"blockingFailures":9},"posture":{"liveMode":false,"apiVersion":"not_configured","recommendedApiVersion":"2026-02-25.clover","priceCount":0,"usesPrices":false,"deprecatedPlanIdsConfigured":false,"webhookEventCount":0,"missingWebhookEvents":["checkout.session.completed","customer.subscription.created","customer.subscription.updated","customer.subscription.deleted","invoice.paid","invoice.payment_failed"],"customerPortalEnabled":false,"entitlementPolicy":"not_configured","tenantMapping":"not_configured","taxMode":"not_configured"},"failedCheckIds":["billing_provider","billing_subscription_mode","stripe_live_secret","stripe_api_version","stripe_price_catalog","stripe_webhooks","stripe_customer_portal","billing_entitlements","billing_tax_mode"],"outputPolicy":"stripe_api_keys_webhook_secrets_price_ids_customer_ids_subscription_ids_checkout_session_ids_portal_urls_payment_methods_emails_and_raw_event_payloads_are_redacted"},"legalDisclosure":{"ready":false,"status":"prototype_placeholder_pending_review","publicDocuments":{"privacyNotice":"/privacy.html","terms":"/terms.html"},"documentsFinalized":false,"privacyNotice":{"finalized":false,"versionConfigured":false},"terms":{"finalized":false,"versionConfigured":false},"review":{"ownerConfigured":false,"reviewedAtConfigured":false,"validDate":false,"futureDate":false,"ageDays":null,"maxAgeDays":395,"current":false},"operatorEntityConfigured":false,"jurisdictionConfigured":false,"contact":{"configured":false,"channels":[]},"missing":["LEGAL_DOCUMENTS_FINALIZED","LEGAL_PRIVACY_NOTICE_FINALIZED","LEGAL_TERMS_FINALIZED","LEGAL_PRIVACY_NOTICE_VERSION","LEGAL_TERMS_VERSION","LEGAL_REVIEWED_AT","LEGAL_REVIEW_OWNER","LEGAL_OPERATOR_ENTITY","LEGAL_CONTACT_EMAIL_OR_URL","LEGAL_JURISDICTION"],"outputPolicy":"reports_legal_document_status_versions_review_age_and_contact_channels_without_contact_values_or_entity_names"},"sourceIngestion":{"webpage":{"localFetchAllowed":false,"maxRedirects":5,"redirectLimitBounded":true,"literalHostBlocking":true,"resolvedPrivateNetworkBlocking":true,"manualRedirectValidation":true,"requestTimeDnsRevalidation":true},"contentFeeds":{"localFetchAllowed":false,"maxRedirects":5,"redirectLimitBounded":true,"literalHostBlocking":true,"resolvedPrivateNetworkBlocking":true,"manualRedirectValidation":true,"requestTimeDnsRevalidation":true,"supportedTypes":["rss","substack","blog","newsletter"],"htmlLinkAutodiscovery":true,"substackDefaultFeedPathDiscovery":true}},"resumeAccessCodes":{"enabled":false,"configured":false,"entryCount":0,"defaultLocalFallbackActive":false,"productionUnsafe":false},"embeddingProvider":{"provider":"disabled","ready":false,"model":"local-lexical-index-v1","dimensions":1536,"mode":"unavailable","apiKeyConfigured":false},"auditLog":{"driver":"postgres","ready":true,"current":"postgres_audit_events","eventPrivacy":"metadata_only_no_request_bodies_no_credentials"},"operationalReadiness":{"internetExposureReady":false,"backup":{"enabled":true,"provider":"not_configured","retentionDays":30,"encrypted":true,"restoreDrill":{"configured":false,"fresh":false,"ageDays":null,"intervalDays":90,"source":null,"evidenceConfigured":false,"backupIdConfigured":false,"managed":false,"dataPlane":null,"managedCoverageReady":false},"managedRecoveryRequired":false},"observability":{"monitoringEnabled":false,"errorTrackingConfigured":false,"alertingConfigured":false,"oncallConfigured":false,"structuredLogs":true,"logLevel":"info","statusPageConfigured":false},"incidentResponse":{"runbookConfigured":true,"oncallConfigured":false}},"clientIdentity":{"scope":"hashed_ip_user_agent","ipSource":"trusted_x_forwarded_for_then_socket","trustProxyHeaders":true,"forwardedForTrusted":true,"rawIpExposed":false},"rateLimits":{"verifyCode":{"enabled":true,"max":100,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"workspaceLogin":{"enabled":true,"max":80,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"chat":{"enabled":true,"max":120,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"agentQuery":{"enabled":true,"max":80,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"worker":{"enabled":true,"max":300,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"billing":{"enabled":true,"max":80,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"onboarding":{"enabled":true,"max":30,"windowSeconds":600,"scope":"hashed_ip_user_agent"},"passwordReset":{"enabled":true,"max":30,"windowSeconds":600,"scope":"hashed_ip_user_agent"}},"launchReadiness":{"currentStage":"local_seed_prototype","currentStageLabel":"Local seed prototype","stageOrder":["not_ready","local_seed_prototype","controlled_hiring_launch","production_saas_ready"],"controlledHiringLaunchReady":false,"controlledLaunchEvidenceReady":false,"productionSaasReady":false,"productionEvidenceReady":false,"assessor":"npm run launch:assess -- --base-url={origin}","evidencePolicy":"check_ids_statuses_and_public_safe_stage_metadata_only"},"productionEvidence":{"ready":false,"controlledLaunchEvidenceReady":false,"productionSaasEvidenceReady":false,"requiredStage":"production_saas_ready","requiredArtifactCount":15,"configuredArtifactCount":0,"readableArtifactCount":0,"validJsonArtifactCount":0,"passingReportArtifactCount":0,"missingArtifactIds":["origin_host_controls","public_launch_smoke","source_ingestion_smoke","edge_abuse_controls","controlled_launch_rehearsal","deployment_env","postgres_data_plane_smoke","object_storage_smoke","embedding_retrieval_smoke","worker_deployment_plan","identity_deployment_plan","billing_readiness","managed_recovery_drill","multi_user_lifecycle_smoke","model_assisted_review_smoke"],"unreadableArtifactIds":[],"invalidJsonArtifactIds":[],"failedReportArtifactIds":[],"artifacts":[{"id":"origin_host_controls","label":"Origin and host controls evidence","requiredStage":"controlled_hiring_launch","envVars":["ORIGIN_HOST_READINESS_EVIDENCE_FILE","ORIGIN_HOST_CONTROLS_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"public_launch_smoke","label":"Public launch smoke evidence","requiredStage":"controlled_hiring_launch","envVars":["PUBLIC_LAUNCH_SMOKE_EVIDENCE_FILE","PUBLIC_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"source_ingestion_smoke","label":"Source-ingestion safety smoke evidence","requiredStage":"controlled_hiring_launch","envVars":["SOURCE_INGESTION_SMOKE_EVIDENCE_FILE","SOURCE_INGESTION_SAFETY_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"edge_abuse_controls","label":"Edge/API-gateway abuse-control evidence","requiredStage":"controlled_hiring_launch","envVars":["EDGE_ABUSE_CONTROL_EVIDENCE_FILE","EDGE_ABUSE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"controlled_launch_rehearsal","label":"Controlled launch rehearsal evidence","requiredStage":"controlled_hiring_launch","envVars":["CONTROLLED_LAUNCH_REHEARSAL_EVIDENCE_FILE","CONTROLLED_LAUNCH_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"deployment_env","label":"Deployment environment evidence","requiredStage":"production_saas_ready","envVars":["DEPLOYMENT_ENV_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"postgres_data_plane_smoke","label":"Managed Postgres data-plane smoke evidence","requiredStage":"production_saas_ready","envVars":["POSTGRES_DATA_PLANE_SMOKE_EVIDENCE_FILE","POSTGRES_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"object_storage_smoke","label":"Private object-storage smoke evidence","requiredStage":"production_saas_ready","envVars":["OBJECT_STORAGE_SMOKE_EVIDENCE_FILE","OBJECT_STORE_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"embedding_retrieval_smoke","label":"Embedding retrieval smoke evidence","requiredStage":"production_saas_ready","envVars":["EMBEDDING_RETRIEVAL_SMOKE_EVIDENCE_FILE","EMBEDDING_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"worker_deployment_plan","label":"Managed worker deployment-plan evidence","requiredStage":"production_saas_ready","envVars":["WORKER_DEPLOYMENT_PLAN_EVIDENCE_FILE","WORKER_DEPLOYMENT_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"identity_deployment_plan","label":"Production identity deployment-plan evidence","requiredStage":"production_saas_ready","envVars":["IDENTITY_DEPLOYMENT_PLAN_EVIDENCE_FILE","IDENTITY_DEPLOYMENT_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"billing_readiness","label":"Commercial billing readiness evidence","requiredStage":"production_saas_ready","envVars":["BILLING_READINESS_EVIDENCE_FILE","COMMERCIAL_BILLING_READINESS_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"managed_recovery_drill","label":"Managed recovery drill evidence","requiredStage":"production_saas_ready","envVars":["OPERATIONS_RESTORE_DRILL_EVIDENCE_FILE","MANAGED_RECOVERY_DRILL_EVIDENCE_FILE","MANAGED_RECOVERY_EVIDENCE_FILE","BACKUP_RESTORE_DRILL_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"multi_user_lifecycle_smoke","label":"Configured multi-user lifecycle smoke evidence","requiredStage":"production_saas_ready","envVars":["MULTI_USER_LIFECYCLE_SMOKE_EVIDENCE_FILE","MULTI_USER_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"model_assisted_review_smoke","label":"Model-assisted candidate-review smoke evidence","requiredStage":"production_saas_ready","envVars":["MODEL_ASSISTED_REVIEW_SMOKE_EVIDENCE_FILE","MODEL_REVIEW_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"}],"outputPolicy":"reports_artifact_ids_stage_ids_env_var_names_basenames_report_ok_failure_counts_and_json_readiness_only_without_paths_or_evidence_bodies"}},"productionEvidence":{"ready":false,"controlledLaunchEvidenceReady":false,"productionSaasEvidenceReady":false,"requiredStage":"production_saas_ready","requiredArtifactCount":15,"configuredArtifactCount":0,"readableArtifactCount":0,"validJsonArtifactCount":0,"passingReportArtifactCount":0,"missingArtifactIds":["origin_host_controls","public_launch_smoke","source_ingestion_smoke","edge_abuse_controls","controlled_launch_rehearsal","deployment_env","postgres_data_plane_smoke","object_storage_smoke","embedding_retrieval_smoke","worker_deployment_plan","identity_deployment_plan","billing_readiness","managed_recovery_drill","multi_user_lifecycle_smoke","model_assisted_review_smoke"],"unreadableArtifactIds":[],"invalidJsonArtifactIds":[],"failedReportArtifactIds":[],"artifacts":[{"id":"origin_host_controls","label":"Origin and host controls evidence","requiredStage":"controlled_hiring_launch","envVars":["ORIGIN_HOST_READINESS_EVIDENCE_FILE","ORIGIN_HOST_CONTROLS_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"public_launch_smoke","label":"Public launch smoke evidence","requiredStage":"controlled_hiring_launch","envVars":["PUBLIC_LAUNCH_SMOKE_EVIDENCE_FILE","PUBLIC_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"source_ingestion_smoke","label":"Source-ingestion safety smoke evidence","requiredStage":"controlled_hiring_launch","envVars":["SOURCE_INGESTION_SMOKE_EVIDENCE_FILE","SOURCE_INGESTION_SAFETY_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"edge_abuse_controls","label":"Edge/API-gateway abuse-control evidence","requiredStage":"controlled_hiring_launch","envVars":["EDGE_ABUSE_CONTROL_EVIDENCE_FILE","EDGE_ABUSE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"controlled_launch_rehearsal","label":"Controlled launch rehearsal evidence","requiredStage":"controlled_hiring_launch","envVars":["CONTROLLED_LAUNCH_REHEARSAL_EVIDENCE_FILE","CONTROLLED_LAUNCH_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"deployment_env","label":"Deployment environment evidence","requiredStage":"production_saas_ready","envVars":["DEPLOYMENT_ENV_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"postgres_data_plane_smoke","label":"Managed Postgres data-plane smoke evidence","requiredStage":"production_saas_ready","envVars":["POSTGRES_DATA_PLANE_SMOKE_EVIDENCE_FILE","POSTGRES_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"object_storage_smoke","label":"Private object-storage smoke evidence","requiredStage":"production_saas_ready","envVars":["OBJECT_STORAGE_SMOKE_EVIDENCE_FILE","OBJECT_STORE_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"embedding_retrieval_smoke","label":"Embedding retrieval smoke evidence","requiredStage":"production_saas_ready","envVars":["EMBEDDING_RETRIEVAL_SMOKE_EVIDENCE_FILE","EMBEDDING_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"worker_deployment_plan","label":"Managed worker deployment-plan evidence","requiredStage":"production_saas_ready","envVars":["WORKER_DEPLOYMENT_PLAN_EVIDENCE_FILE","WORKER_DEPLOYMENT_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"identity_deployment_plan","label":"Production identity deployment-plan evidence","requiredStage":"production_saas_ready","envVars":["IDENTITY_DEPLOYMENT_PLAN_EVIDENCE_FILE","IDENTITY_DEPLOYMENT_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"billing_readiness","label":"Commercial billing readiness evidence","requiredStage":"production_saas_ready","envVars":["BILLING_READINESS_EVIDENCE_FILE","COMMERCIAL_BILLING_READINESS_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"managed_recovery_drill","label":"Managed recovery drill evidence","requiredStage":"production_saas_ready","envVars":["OPERATIONS_RESTORE_DRILL_EVIDENCE_FILE","MANAGED_RECOVERY_DRILL_EVIDENCE_FILE","MANAGED_RECOVERY_EVIDENCE_FILE","BACKUP_RESTORE_DRILL_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"multi_user_lifecycle_smoke","label":"Configured multi-user lifecycle smoke evidence","requiredStage":"production_saas_ready","envVars":["MULTI_USER_LIFECYCLE_SMOKE_EVIDENCE_FILE","MULTI_USER_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"},{"id":"model_assisted_review_smoke","label":"Model-assisted candidate-review smoke evidence","requiredStage":"production_saas_ready","envVars":["MODEL_ASSISTED_REVIEW_SMOKE_EVIDENCE_FILE","MODEL_REVIEW_SMOKE_EVIDENCE_FILE"],"configured":false,"configuredEnvVar":null,"fileName":null,"readable":false,"validJson":false,"reportOk":null,"reportFailureCount":null,"reportBlockingFailureCount":null,"ready":false,"status":"not_configured"}],"outputPolicy":"reports_artifact_ids_stage_ids_env_var_names_basenames_report_ok_failure_counts_and_json_readiness_only_without_paths_or_evidence_bodies"},"legal":{"ready":false,"status":"prototype_placeholder_pending_review","publicDocuments":{"privacyNotice":"/privacy.html","terms":"/terms.html"},"documentsFinalized":false,"privacyNotice":{"finalized":false,"versionConfigured":false},"terms":{"finalized":false,"versionConfigured":false},"review":{"ownerConfigured":false,"reviewedAtConfigured":false,"validDate":false,"futureDate":false,"ageDays":null,"maxAgeDays":395,"current":false},"operatorEntityConfigured":false,"jurisdictionConfigured":false,"contact":{"configured":false,"channels":[]},"missing":["LEGAL_DOCUMENTS_FINALIZED","LEGAL_PRIVACY_NOTICE_FINALIZED","LEGAL_TERMS_FINALIZED","LEGAL_PRIVACY_NOTICE_VERSION","LEGAL_TERMS_VERSION","LEGAL_REVIEWED_AT","LEGAL_REVIEW_OWNER","LEGAL_OPERATOR_ENTITY","LEGAL_CONTACT_EMAIL_OR_URL","LEGAL_JURISDICTION"],"outputPolicy":"reports_legal_document_status_versions_review_age_and_contact_channels_without_contact_values_or_entity_names"},"accountAuth":{"driver":"postgres","ready":true,"current":"postgres_users_workspace_memberships","persistence":"postgres_users_workspace_memberships","target":"managed_auth_postgres_workspace_memberships","adapterBoundary":"account_store","invitedOnboarding":{"enabled":false,"driver":"postgres","ready":true,"current":"postgres_workspace_invitations","persistence":"postgres_workspace_invitations","credentialStorage":"hmac_sha256_invite_hashes_only","target":"managed_auth_workspace_invitations","adapterBoundary":"onboarding_invitation_store","provisioning":{"driver":"postgres","ready":true,"current":"postgres_workspace_provisioning","persistence":"postgres_tenants_users_workspaces_memberships","credentialStorage":"hmac_password_hashes_only","target":"managed_auth_postgres_workspace_memberships","adapterBoundary":"workspace_provision_store"}},"passwordReset":{"enabled":false,"driver":"postgres","ready":true,"current":"postgres_password_reset_tokens","persistence":"postgres_password_reset_tokens","credentialStorage":"hmac_sha256_reset_token_hashes_only","target":"managed_identity_password_reset","adapterBoundary":"password_reset_store","requestEndpoint":"/api/password-reset/request","confirmEndpoint":"/api/password-reset/confirm","delivery":{"driver":"disabled","ready":false,"current":"delivery_disabled","persistence":"none","credentialHandling":"no_raw_credential_delivery","adapterBoundary":"credential_delivery"},"deliveryFailurePolicy":{"enabled":true,"appliesTo":["/api/password-reset/request"],"requestEndpointNoEnumeration":true,"failedDeliveryResponseStatus":202,"failedDeliveryResetStatus":"revoked","storedMaterial":"hmac_reset_token_hash_only","publicResponseBody":"request_received_without_provider_error","auditBoundary":"metadata_only_delivery_status_and_reset_id","redacts":["raw_reset_token","action_url","recipient_email","provider_secret","provider_error_body","token_hash"]}},"notes":["Postgres account records use tenant/workspace-scoped users and workspace_memberships.","Current password login reads HMAC password hashes server-side; public readiness and session APIs redact credential hashes.","Managed auth can populate auth_provider/auth_subject while preserving workspace membership checks."]},"commercialBilling":{"provider":"disabled","ready":false,"target":"stripe_subscription_billing","mode":"subscription","checkoutMode":"not_configured","recommendedApiVersion":"2026-02-25.clover","planCli":"npm run billing:plan","posture":{"liveMode":false,"apiVersion":"not_configured","recommendedApiVersion":"2026-02-25.clover","priceCount":0,"usesPrices":false,"deprecatedPlanIdsConfigured":false,"webhookEventCount":0,"missingWebhookEvents":["checkout.session.completed","customer.subscription.created","customer.subscription.updated","customer.subscription.deleted","invoice.paid","invoice.payment_failed"],"customerPortalEnabled":false,"entitlementPolicy":"not_configured","tenantMapping":"not_configured","taxMode":"not_configured"},"summary":{"checks":9,"passed":0,"failed":9,"blockingFailures":9},"failedCheckIds":["billing_provider","billing_subscription_mode","stripe_live_secret","stripe_api_version","stripe_price_catalog","stripe_webhooks","stripe_customer_portal","billing_entitlements","billing_tax_mode"],"privacy":{"outputPolicy":"stripe_api_keys_webhook_secrets_price_ids_customer_ids_subscription_ids_checkout_session_ids_portal_urls_payment_methods_emails_and_raw_event_payloads_are_redacted"},"runtime":{"enabled":false,"checkoutConfigured":false,"customerPortalConfigured":false,"webhookConfigured":false,"accountMembershipRequired":true,"workspaceAdminKeyAccepted":false,"entitlementPolicy":"subscription_status_required","entitlementEnforcement":{"mode":"off","enforced":false,"monitoringOnly":false,"publicServingEnforced":false,"allowedEntitlementStatuses":["active","grace"],"protectedSurfaces":["verify_code","human_chat","agent_query","public_dossier_space","dossier_agent_package","public_memory_search","public_artifact_file","access_link_issuing"],"publicServingPausedWhenUnentitled":false,"decisionPolicy":"public_hiring_surfaces_require_active_or_grace_subscription_entitlement_when_enforcement_is_public_serving"},"planLimitEnforcement":{"mode":"off","enabled":false,"enforced":false,"monitoringOnly":false,"defaultPlanKey":"starter","planCount":3,"pricePlanMapConfigured":false,"mappedPriceCount":0,"protectedMetrics":["sources","artifacts","dossierSpaces","activeAccessLinks","interviewPrompts","interviewSessions"],"outputPolicy":"plan_limit_status_reports_redacted_plan_keys_usage_counts_limits_and_remaining_capacity_without_stripe_price_ids_or_subscription_ids"},"statusEndpoint":"/api/workspaces/{workspaceSlug}/billing/status","checkoutSessionEndpoint":"/api/workspaces/{workspaceSlug}/billing/checkout-session","customerPortalEndpoint":"/api/workspaces/{workspaceSlug}/billing/customer-portal","webhookEndpoint":"/api/billing/stripe/webhook"},"storage":{"driver":"postgres","ready":true,"current":"postgres_billing_customers_subscriptions_webhooks","persistence":"postgres_billing_tables","target":"managed_postgres_billing_tables","adapterBoundary":"billing_store","identifierPolicy":"provider_customer_subscription_and_event_ids_are_server_private"}},"storage":{"driver":"postgres","ready":true,"current":"postgres_normalized_workspace","persistence":"postgres_tenant_workspace_tables","target":"postgres_pgvector_object_storage","adapterBoundary":"workspace_store","notes":["Postgres workspace-store hydrates the current workspace JSON contract from normalized tenant/workspace tables.","Workspace saves project the JSON workspace into the production schema and upsert rows transactionally.","The adapter preserves hashed-only access links and private workspace records behind server-side workspace auth."],"rawUploadServing":"blocked_by_static_file_server","transcriptStorageDefault":"metadata_only_no_raw_transcripts"},"objectStorage":{"driver":"filesystem","ready":true,"current":"filesystem_objects","persistence":"local_private_files","target":"s3_supabase_object_storage","adapterBoundary":"object_store","publicServing":"blocked_by_static_file_server","reviewedAssetEndpoint":"/api/workspaces/{workspaceSlug}/artifacts/{artifactId}/file","reviewedAssetPolicy":"candidate_private_download_or_reviewed_public_safe_only","readinessEndpoint":"/api/workspaces/{workspaceSlug}/object-storage-readiness","seedObjectPublisher":"npm run seed:objects -- --object-store={filesystem|s3|supabase}","seedObjectVerification":"npm run seed:objects:verify","uploadSmoke":"npm run object-storage:smoke -- --object-store={filesystem|s3|supabase}","notes":["Current prototype stores uploaded objects as private local files.","Published assets should be served only after candidate review copies or maps them into an explicit public-safe asset path."]},"analyticsStorage":{"driver":"postgres","ready":true,"current":"postgres_interaction_events_agent_transcripts","persistence":"postgres_interaction_events_agent_transcripts","target":"postgres_interaction_events_agent_transcripts","adapterBoundary":"analytics_store","transcriptPersistence":"optional_raw_transcripts_by_env","transcriptStorageDefault":"metadata_only_no_raw_transcripts","transcriptCapturePolicy":{"rawTranscriptStorageEnabled":false,"visitorConsentRequired":true,"default":"metadata_only_no_raw_transcripts","consentField":"transcriptConsent","retentionDays":null,"transcriptPersistence":"optional_raw_transcripts_by_env"},"transcriptRetentionWorker":{"serviceWorkerAuth":"hmac_token_hashes_configured","serviceWorkerEndpoint":"/api/worker/transcript-retention/purge","defaultMode":"purge_expired_records","dryRunSupported":true,"outputPolicy":"counts_only_no_transcript_text_no_paths_no_credentials"},"notes":["Postgres analytics writes interaction metadata to tenant/workspace-scoped interaction_events.","Resume session hashes are linked through resume_sessions when available, while candidate reports still omit session and IP hashes.","Raw transcripts remain separate in agent_transcripts and are written only when STORE_RAW_TRANSCRIPTS=true."]},"auditLogStorage":{"driver":"postgres","ready":true,"current":"postgres_audit_events","persistence":"postgres_audit_events","target":"postgres_audit_events","adapterBoundary":"audit_log_store","eventPrivacy":"metadata_only_no_request_bodies_no_credentials","notes":["Postgres audit events are tenant/workspace-aware where a workspace slug is available.","System-level worker events can be recorded without raw request bodies or credential material.","Candidate/admin audit APIs should continue to redact actor hashes, IP hashes, session hashes, and raw metadata bodies."]},"memoryStorage":{"driver":"pgvector","ready":true,"current":"postgres_pgvector_memory_chunks","persistence":"postgres_memory_chunks","target":"postgres_pgvector_memory_chunks","adapterBoundary":"memory_store","embeddingStatus":"pgvector_memory_chunks_ready_embeddings_optional","vectorQueryProvider":{"provider":"disabled","ready":false,"model":"local-lexical-index-v1","dimensions":1536,"mode":"unavailable","apiKeyConfigured":false},"vectorQueryMode":"fallback_lexical","notes":["Postgres memory retrieval reads workspace-scoped memory_chunks with public/private visibility filters.","Indexing upserts current workspace evidence into memory_chunks without exposing object keys or storage paths.","Rows can carry embeddings for pgvector workers; vector query retrieval is used when a query vector is supplied and lexical scoring remains available as a fallback."]},"embeddingJobs":{"driver":"postgres","ready":true,"current":"postgres_embedding_jobs_memory_chunks","persistence":"postgres_embedding_jobs_memory_chunks","target":"postgres_embedding_jobs_memory_chunks","adapterBoundary":"embedding_job_store","worker":"transactional_postgres_embedding_worker","embeddingStatus":"managed_embedding_worker_ready","inlineProcessing":false,"serviceWorkerAuth":"hmac_token_hashes_configured","serviceWorkerEndpoint":"/api/worker/embedding-jobs/process","provider":{"provider":"disabled","ready":false,"model":"local-lexical-index-v1","dimensions":1536,"mode":"unavailable","apiKeyConfigured":false},"maxAttempts":3,"retryBaseSeconds":60,"notes":["Postgres embedding jobs persist workspace-level reindex requests as chunk-scoped embedding_jobs rows.","Jobs store chunk plans, body hashes, and metadata without raw object keys or storage paths.","Managed workers claim queued/retrying rows transactionally with FOR UPDATE SKIP LOCKED and write vectors to memory_chunks.embedding."]},"sourceSyncJobs":{"driver":"postgres","ready":true,"current":"postgres_source_sync_jobs","persistence":"postgres_source_sync_jobs","target":"postgres_source_sync_jobs","adapterBoundary":"source_sync_job_store","worker":"transactional_postgres_claim_runner","inlineProcessing":false,"serviceWorkerAuth":"hmac_token_hashes_configured","serviceWorkerEndpoint":"/api/worker/source-sync-jobs/process","retryPolicy":"source_sync_retry_backoff_v1","maxAttempts":3,"retryBaseSeconds":60,"notes":["Postgres source-sync jobs use row-level transactional claims with FOR UPDATE SKIP LOCKED.","Jobs remain metadata-only and expose legacy source/job ids rather than raw source URLs or connector secrets.","Production workers can claim queued/retrying jobs by workspace, source, or globally across due jobs."]},"portfolioInterviewer":{"mode":"deterministic","provider":"deterministic","ready":true,"status":"deterministic","fallback":null,"model":null,"generatedCount":0,"error":null,"privacyBoundary":"candidate_private_review_only_no_publication","transcriptStorage":"model_request_not_stored_by_signal_dossier","endpoint":"/api/workspaces/{workspaceSlug}/interview-prompts/generate","output":"candidate_private_interview_prompts","answerFlow":"answers_create_review_needed_claim_candidates_before_publication"},"visualArtifactAnalyzer":{"mode":"model_unconfigured","provider":"deterministic","ready":false,"status":"provider_not_configured","model":null,"generatedCount":0,"appliedFieldCount":0,"error":null,"output":"candidate_private_visual_review_suggestions","privacyBoundary":"candidate_private_review_only_no_publication","transcriptStorage":"model_request_not_stored_by_signal_dossier","ocrStatus":"not_claimed","endpoint":"/api/workspaces/{workspaceSlug}/artifacts/{artifactId}/visual-analysis","answerFlow":"suggestions_remain_private_until_candidate_reviews_artifact","fallback":null},"schemaContract":{"version":20260601,"ok":true,"requiredTables":28,"projectedRowCounts":{"schema_contract_versions":1,"tenants":1,"users":1,"workspaces":1,"workspace_memberships":1,"workspace_invitations":0,"password_reset_tokens":0,"asset_files":4,"source_connections":4,"source_sync_jobs":4,"artifacts":4,"projects":3,"claims":3,"claim_evidence":8,"interview_prompts":3,"interview_answers":0,"dossier_spaces":4,"dossier_space_evidence":24,"access_links":7,"resume_sessions":0,"interaction_events":0,"audit_events":0,"agent_transcripts":0,"memory_chunks":19,"embedding_jobs":19,"billing_customers":0,"billing_subscriptions":0,"billing_webhook_events":0},"guardrails":{"globalActiveWorkspaceSlugUnique":true},"warnings":[],"errors":[]},"capabilities":{"seedWorkspaceProjection":true,"candidateWorkspace":true,"workspaceScopedAdminAuth":true,"accountMembershipAuth":true,"publishedDossierSpaces":true,"agentDossierPackages":true,"agentDossierPackageMarkdown":true,"agentCardDiscovery":true,"openApiDiscovery":true,"llmsTxtDiscovery":true,"legalPolicyDocuments":true,"legalDisclosureReadiness":true,"canonicalPublicOrigin":true,"tenantQualifiedWorkspaceRoutes":true,"dossierBuilder":true,"dossierEvidencePicker":true,"gatedAccessLinks":true,"brandedQrLinks":true,"reviewApprovalFlow":true,"reviewedArtifactFileServing":true,"portfolioInterviewPrompts":true,"modelAssistedPortfolioInterviewer":true,"interviewEvidenceExtraction":true,"artifactEvidenceExtraction":true,"candidateClaimEditing":true,"candidateReviewedVisualEvidence":true,"candidatePrivateVisualArtifactAnalysis":true,"modelAssistedVisualArtifactAnalyzer":true,"manualDossierRouting":true,"roleSpecificResumeDraftPackages":true,"liveResumeSpaceBuilder":true,"liveResumeSpaceReadinessGuidance":true,"candidatePrivateResumePackages":true,"candidatePrivateDossierLaunchPackets":true,"candidateProfileManagement":true,"candidateWorkspaceDataExport":true,"transcriptRetentionPurgeCli":true,"metadataAnalytics":true,"sourceAwareAnalytics":true,"sourceManagement":true,"sourceConnectorCatalog":true,"sourceOnboardingRecommendations":true,"sourceOnboardingInterviewPrompts":true,"sourceOnboardingWorkflow":true,"sourceOnboardingActionRunner":true,"analyticsChannelStatusGrouping":true,"analyticsFilters":true,"candidateMemoryStatusPanel":true,"auditLogs":true,"candidatePrivateDeploymentHandoff":true,"candidatePrivateDeploymentHandoffMarkdown":true,"candidatePrivateLaunchEvidenceLedger":true,"candidatePrivateObjectStorageReadiness":true,"publicSecurityHeaders":true,"adminActionAudit":true,"sourceSyncWorkerAudit":true,"publicEndpointRateLimits":true,"edgeAbuseControlPlanCli":true,"promptInjectionGuardrails":true,"reindexJobs":true,"sourceSyncJobs":true,"bulkSourceSyncQueue":true,"structuredSourcePacketImport":true,"sourceSyncWorker":true,"serviceAuthenticatedSourceSyncWorker":true,"serviceAuthenticatedEmbeddingWorker":true,"serviceAuthenticatedTranscriptRetentionWorker":true,"managedEmbeddingWorker":true,"managedWorkerRunnerCli":true,"managedWorkerDeploymentPlanCli":true,"identityDeploymentPlanCli":true,"commercialBillingReadinessCli":true,"commercialBillingRuntimeApi":true,"stripeBillingWebhookIngestion":true,"billingEntitlementStatus":true,"billingEntitlementEnforcementRuntime":true,"billingEntitlementEnforcedPublicServing":false,"billingPlanLimitEnforcementRuntime":true,"billingPlanLimitEnforcedWorkspaceWrites":false,"accountMemberOnlyBillingSessions":true,"productionPreflightCli":true,"deploymentHandoffCli":true,"originHostReadinessCli":true,"launchReadinessCli":true,"controlledLaunchRehearsalCli":true,"sourceSecretScanCli":true,"sourceIngestionSmokeCli":true,"publicLaunchSmokeCli":true,"objectStorageSmokeCli":true,"embeddingRetrievalSmokeCli":true,"modelAssistedReviewSmokeCli":true,"databaseDeployCli":true,"postgresDataPlaneSmokeCli":true,"deploymentEnvBootstrapCli":true,"seedObjectPublisherCli":true,"operationalReadinessCli":true,"workspaceProvisioningCli":true,"backupRestoreDrillCli":true,"managedRecoveryDrillCli":true,"multiUserLifecycleSmokeCli":true,"invitedWorkspaceOnboarding":true,"passwordResetTokens":true,"credentialDelivery":true,"webhookCredentialDelivery":false,"privateCredentialOutbox":false,"postgresWorkspaceInvitations":true,"postgresWorkspaceProvisioning":true,"postgresPasswordResetTokens":true,"sourceIngestion":["manual","upload_text_markdown_json","upload_pdf_text","upload_image_metadata","upload_image_candidate_visual_description","upload_image_model_assisted_visual_analysis","devbrain_codex_export_upload_review","structured_devbrain_codex_source_packet_import","local_project_manual_source_upload_review","rss","substack_blog_newsletter_rss","content_feed_autodiscovery","github_public_repo_profile","youtube_public_channel_playlist_feed","public_webpage_profile"],"plannedSourceIngestion":["image_ocr"],"visualEvidenceBoundary":"Image OCR is not claimed. Model-assisted visual descriptions, alt text, and prompts are available only inside authenticated candidate review when configured; visual artifacts still require candidate review before public retrieval.","retrieval":{"current":"workspace_lexical_seed","memoryIndex":"postgres_pgvector_memory_chunks","reindexJobs":"postgres_embedding_jobs_memory_chunks","sourceSyncJobs":"postgres_source_sync_jobs","vectorQueries":"requires_pgvector_and_embedding_provider","planned":"workspace_scoped_pgvector_index_with_visibility_filters"}},"agentReadable":{"resumeManifest":"/.well-known/agent-resume.json","agentCard":"/.well-known/cvportal-agent-card.json","platformManifest":"/.well-known/cvportal-platform.json","openApi":"/openapi.json","wellKnownOpenApi":"/.well-known/openapi.json","llmsTxt":"/llms.txt","privacyNotice":"/privacy.html","terms":"/terms.html","knowledgePolicy":"/agent-knowledge-policy.md","workspace":"/api/workspaces/patrick-kelly","tenantQualifiedWorkspace":"/api/tenants/patrick-kelly/workspaces/patrick-kelly","workspaceSearch":"/api/workspaces/patrick-kelly/search?q={query}&publishedOnly=true","tenantQualifiedWorkspaceSearch":"/api/tenants/patrick-kelly/workspaces/patrick-kelly/search?q={query}&publishedOnly=true","memorySearch":"/api/workspaces/patrick-kelly/memory-search?q={query}&publishedOnly=true","tenantQualifiedMemorySearch":"/api/tenants/patrick-kelly/workspaces/patrick-kelly/memory-search?q={query}&publishedOnly=true","artifactFile":"/api/workspaces/patrick-kelly/artifacts/{artifactId}/file","candidateVisualArtifactAnalysis":"/api/workspaces/patrick-kelly/artifacts/{artifactId}/visual-analysis","candidateArtifactClaimExtraction":"/api/workspaces/patrick-kelly/artifacts/{artifactId}/extract-claims","sourceSyncJobs":"/api/workspaces/patrick-kelly/source-sync-jobs","sourceConnectors":"/api/workspaces/patrick-kelly/source-connectors","sourceOnboarding":"/api/workspaces/patrick-kelly/source-onboarding","sourceOnboardingPromptGenerator":"/api/workspaces/patrick-kelly/interview-prompts/generate","sourceOnboardingActions":"/api/workspaces/patrick-kelly/source-onboarding/actions","enqueueSourceSyncJobs":"/api/workspaces/patrick-kelly/source-sync-jobs/enqueue","processSourceSyncJobs":"/api/workspaces/patrick-kelly/source-sync-jobs/process","importSourcePacket":"/api/workspaces/patrick-kelly/source-packets","candidateMemoryStatus":"/api/workspaces/patrick-kelly/memory-status","candidateMemoryIndexRefresh":"/api/workspaces/patrick-kelly/memory-index","candidateEmbeddingJobs":"/api/workspaces/patrick-kelly/embedding-jobs","candidateSourceUpdate":"/api/workspaces/patrick-kelly/sources/{sourceId}","interviewPromptGenerator":"/api/workspaces/patrick-kelly/interview-prompts/generate","serviceWorkerProcessSourceSyncJobs":"/api/worker/source-sync-jobs/process","serviceWorkerProcessEmbeddingJobs":"/api/worker/embedding-jobs/process","serviceWorkerPurgeExpiredTranscripts":"/api/worker/transcript-retention/purge","workerDeploymentPlan":"npm run worker:deploy:plan","identityDeploymentPlan":"npm run identity:plan","billingReadinessPlan":"npm run billing:plan","candidateBillingStatus":"/api/workspaces/patrick-kelly/billing/status","candidateBillingCheckoutSession":"/api/workspaces/patrick-kelly/billing/checkout-session","candidateBillingCustomerPortal":"/api/workspaces/patrick-kelly/billing/customer-portal","stripeBillingWebhook":"/api/billing/stripe/webhook","seedObjectPublisher":"npm run seed:objects -- --object-store={filesystem|s3|supabase}","objectStorageSmoke":"npm run object-storage:smoke","embeddingRetrievalSmoke":"npm run embedding:smoke","modelAssistedReviewSmoke":"npm run model-review:smoke -- --base-url={origin}","postgresDataPlaneSmoke":"npm run postgres:smoke","transcriptRetentionPurge":"npm run transcripts:purge -- --dry-run","managedRecoveryDrill":"npm run recovery:managed:drill","multiUserLifecycleSmoke":"npm run multi-user:smoke","passwordResetTokenIssue":"npm run password-reset:issue","credentialDeliveryConfig":"CREDENTIAL_DELIVERY_DRIVER={filesystem|webhook}","sourceSecretScan":"npm run secrets:scan","sourceIngestionSmoke":"npm run source-ingestion:smoke","deploymentHandoff":"npm run deploy:handoff -- --base-url={origin}","originHostReadiness":"npm run origin:plan -- --base-url={origin}","launchReadiness":"npm run launch:assess -- --base-url={origin}","controlledLaunchRehearsal":"npm run launch:rehearse -- --public-base-url={https-origin} --base-url={origin}","publicLaunchSmoke":"npm run smoke:public -- --base-url={origin}","publicDiscoverySmoke":"npm run smoke:public:discovery -- --base-url={origin}","edgeAbuseControls":"npm run edge:plan","candidateDeploymentHandoff":"/api/workspaces/patrick-kelly/deployment-handoff?strict=false","candidateDeploymentHandoffMarkdown":"/api/workspaces/patrick-kelly/deployment-handoff.md?strict=false","candidateObjectStorageReadiness":"/api/workspaces/patrick-kelly/object-storage-readiness","candidateResumePackage":"/api/workspaces/patrick-kelly/resume-packages","candidateResumeSpaceBuilder":"/api/workspaces/patrick-kelly/resume-space-builds","candidateDossierLaunchPacket":"/api/workspaces/patrick-kelly/resume-packages","candidateProfile":"/api/workspaces/patrick-kelly/profile","candidateWorkspaceDataExport":"/api/workspaces/patrick-kelly/data-export","auditEvents":"/api/workspaces/patrick-kelly/audit-events","dossierSpace":"/api/workspaces/patrick-kelly/dossier-spaces/{spaceSlug}","dossierAgentPackage":"/api/workspaces/patrick-kelly/dossier-spaces/{spaceSlug}/agent-package","dossierAgentPackageMarkdown":"/api/workspaces/patrick-kelly/dossier-spaces/{spaceSlug}/agent-package.md"},"privacyBoundary":{"publicAgentsSee":"reviewed public-safe/generalized/published evidence only","tenantRouting":"tenant-qualified workspace routes fail closed when the tenant slug does not match the workspace tenant identity; legacy slug-only routes remain compatibility aliases","candidateWorkspaceMayContain":"private review material, uploads, source metadata, draft claims, and candidate interview answers","accessTokens":"bearer tokens are hashed at rest; raw generated codes and QR bearer URLs are returned only once","analytics":"candidate-visible reports aggregate metadata and omit transcript text, session hashes, and IP hashes","transcriptConsent":"raw hiring-manager transcripts are never stored by default; when enabled, visitor consent is required unless the operator explicitly disables that guard","auditLogs":"candidate-visible operational audit events omit request bodies, raw source bodies, credentials, tokens, emails, paths, transcripts, and public access-code material","candidateDeploymentHandoff":"candidate-private deployment handoff groups production preflight gaps into operator actions while omitting secret values, hashes, access codes, transcripts, local paths, and private source bodies","candidateLaunchEvidenceLedger":"candidate-private deployment handoff includes a launch evidence ledger with stage status, check ids, artifact ids, env var names, redacted commands, acceptance counts, and mutation boundaries only; it omits secret values, hashes, access codes, transcripts, local paths, source bodies, and evidence payloads","candidateDeploymentHandoffMarkdown":"candidate-private Markdown handoff export renders the same redacted deployment packet for operators and agents; it requires workspace authorization and omits secret values, hashes, access codes, transcripts, local paths, private source bodies, and evidence payload bodies","candidateObjectStorageReadiness":"candidate-private object-storage readiness reports driver posture, seed-object verification counts, smoke-evidence status, and safe operator commands while omitting object keys, storage paths, bucket names, endpoints, credentials, payloads, hashes, local paths, and raw evidence bodies","candidateResumePackage":"candidate-private resume package generation returns the raw access code, QR payload, and role-specific Markdown insert once while persisting only a hashed access-link record","candidateResumeSpaceBuilder":"candidate-private live resume-space builder creates or updates a role dossier space, selects reviewed public-safe evidence, publishes it locally, and issues the same one-time hashed-at-rest resume package","candidateResumeSpaceReadiness":"live resume-space builds include candidate-private readiness guidance that connects selected evidence to source-onboarding gaps and next actions without exposing raw source URLs, prompt text, answer text, or claim text","candidateDossierLaunchPacket":"candidate-private resume packages include a launch packet with agent review URLs, citation IDs, smoke commands, access metadata, and an explicit redaction boundary; operator-only bearer URL/code/QR material is returned once and is not exposed by public agent packages","candidateProfile":"candidate profile edits are authenticated workspace writes for public-safe identity fields; private evidence and credentials are not accepted in profile payloads","candidateWorkspaceDataExport":"candidate-private workspace data export returns redacted inventory, analytics, audit, billing, and review metadata while omitting raw workspace JSON, source URLs, private evidence bodies, transcript text, access-code hashes, bearer material, object keys, storage paths, local paths, vectors, and credentials","transcriptRetentionPurge":"operator transcript-retention purge reports counts and retention policy only; it omits transcript text, local paths, database URLs, credentials, and raw storage internals, and defaults to dry-run unless explicitly purged","transcriptRetentionWorker":"service-authenticated transcript-retention worker purges only records past retention_until and returns counts-only metadata; it omits transcript text, worker tokens, hashes, local paths, database URLs, and credentials","legalDocuments":"public privacy notice and use terms expose current behavior; production SaaS readiness requires finalized counsel-reviewed legal metadata while public readiness omits contact values, entity names, and reviewer names","agentCard":"agent-card discovery reports public-safe published dossier routing, query contracts, and boundaries only; it omits private review records, raw evidence bodies, access-code hashes, transcripts, local paths, object keys, and storage internals","dossierPackageMarkdown":"Markdown dossier packages are rendered from the same reviewed public-safe JSON package and omit private review records, raw evidence bodies, access-code hashes, transcripts, local paths, object keys, and storage internals","promptInjection":"current visitor prompts are classified before model calls; prior prompt-injection attempts in chat history are omitted from model context","portfolioInterviewer":"model-assisted prompt generation, when configured, runs only inside the authenticated candidate workspace and creates private review prompts rather than public claims","visualArtifactAnalyzer":"model-assisted visual artifact analysis, when configured, runs only inside the authenticated candidate workspace; suggestions update private review fields and require candidate approval before any public retrieval","artifactEvidenceExtraction":"artifact claim extraction runs only inside the authenticated candidate workspace, creates private review claim candidates from imported/uploaded evidence, and requires candidate approval before any claim can reach public retrieval or published dossiers","sourcePacketImport":"structured DevBrain/Codex/project packets import as candidate-private review artifacts, generate private interview prompts, and require explicit candidate review before any packet-derived evidence can reach public search or published agents","sourceSecretScan":"source secret scanning reports rule ids, file paths, and line numbers only; it does not print matched secret-like values","sourceIngestionSmoke":"source-ingestion smoke exercises public webpage/feed guardrails with local fixtures and redacts source URLs, source bodies, imported text, artifact bodies, local paths, credentials, and private-network targets","deploymentHandoff":"deployment handoff turns preflight gaps into operator actions while omitting secret values, hashes, access codes, transcripts, local paths, and private source bodies","originHostReadiness":"origin/host readiness fetches the hosted readiness endpoint and reports public origin, host allowlist, proxy, cookie, header, cache, and manifest booleans only; it omits response bodies, cookies, access material, local paths, and secret values","launchReadiness":"launch readiness reports stage ids, check ids, statuses, and public-safe stage metadata only; it omits secret values, hashes, access codes, transcripts, local paths, private source bodies, and infrastructure internals","controlledLaunchRehearsal":"controlled launch rehearsal reports stage ids, check ids, counts, public-origin protocols, and redacted preflight summaries only; it omits secret values, hashes, access codes, raw env contents, transcripts, local paths, private source bodies, and infrastructure internals","publicLaunchSmoke":"public launch smoke reports endpoint status, citation counts, and model readiness while redacting access codes, cookies, bearer URLs, QR payloads, model answer text, transcripts, and secret-like fields; discovery-only mode skips access verification, chat, and agent-query side effects","edgeAbuseControls":"edge abuse-control reports expose provider names, route keys, and boolean evidence only; no WAF rule bodies, log payloads, request bodies, IPs, access codes, or secrets","objectStorageSmoke":"object-storage smoke writes and reads upload-shaped text, PDF, image, and screenshot payloads while redacting object keys, storage paths, bucket names, endpoints, credentials, payload text, hashes, and raw bodies","embeddingRetrievalSmoke":"embedding retrieval smoke calls readiness, the service-authenticated embedding worker, and public pgvector memory search while redacting worker tokens, queries, vectors, result text, hashes, raw bodies, and secret-like values","candidateMemoryStatus":"candidate-private memory status exposes index counts, stale state, retrieval mode, and embedding job metadata without memory bodies, extracted text, vectors, object keys, storage paths, or credentials","modelAssistedReviewSmoke":"model-assisted review smoke runs inside the authenticated candidate workspace, uploads disposable private-review artifacts, keeps suggestions private until candidate review, and redacts workspace keys, cookies, prompt text, model text, image payloads, object keys, and storage paths","workerDeploymentPlan":"worker deployment planning validates managed worker base URL, jobs, mode, cadence, target, and app/worker secret separation while redacting raw tokens, hashes, env values, local paths, and connection strings","identityDeploymentPlan":"identity deployment planning validates account membership auth, invited onboarding, password reset, private credential delivery, secure cookies, and prototype key fallback posture while redacting emails, passwords, raw invite codes, reset tokens, action URLs, HMAC hashes, provider secrets, local paths, and connection strings","billingReadiness":"billing readiness validates Stripe subscription mode, Price catalog, webhook events, customer portal, entitlement mapping, and tax posture while redacting Stripe API keys, webhook secrets, price IDs, customer IDs, subscription IDs, checkout session IDs, portal URLs, emails, payment methods, and raw event payloads","billingRuntime":"billing runtime APIs require account-membership workspace sessions for checkout and customer portal access; when entitlement enforcement is enabled, public hiring surfaces require an active or grace subscription; when plan-limit enforcement is enabled, candidate workspace writes are checked against redacted plan usage limits while readiness and status summaries redact Stripe customer IDs, subscription IDs, Price IDs, checkout session IDs, portal URLs, emails, payment methods, and raw webhook payloads","postgresDataPlaneSmoke":"Postgres data-plane smoke writes and reads metadata-only adapter evidence while redacting database URLs, credentials, source URLs, hashes, transcripts, and raw bodies","managedRecoveryDrill":"managed recovery drill evidence validates managed Postgres and private object-storage restore coverage while redacting backup identifiers, bucket names, object keys, database URLs, credentials, local paths, and private backup contents","multiUserLifecycleSmoke":"multi-user lifecycle smoke provisions disposable candidate workspaces, verifies account membership isolation, publishes reviewed dossier evidence, and issues a hashed resume package while redacting emails, passwords, workspace admin keys, access codes, access URLs, QR payloads, HMAC secrets, hashes, local paths, and connection strings","passwordReset":"password reset issue/request/confirm persists HMAC reset-token hashes only; request-time private delivery failures revoke just-created reset records while the public API still returns no-enumeration 202; raw reset tokens are written once to ignored bootstrap files or configured delivery channels and redacted from CLI reports, readiness, logs, and public APIs","credentialDelivery":"credential delivery may carry raw invite or reset material only to a private outbox or configured provider; public receipts, readiness, logs, and API responses omit message bodies, action URLs, tokens, invite codes, provider secrets, and recipient emails"}}