{
  "schema": "https://saferpage.de/schemas/operator-api-runtime-controls.v1",
  "generated_at": "2026-06-09T10:55:00+00:00",
  "generated_from": "apps/api/server.py, apps/api/storage.py, infra/postgres/migrations/api-access.sql, infra/systemd/saferpage-api.service",
  "secret_policy": "This manifest exposes control presence only. It contains no API keys, hashes, peppers, HMAC secrets, IPs, user agents, database DSNs, raw payloads or visitor logs.",
  "controls": {
    "hashed_key_store_runtime": true,
    "scope_enforcement_runtime": true,
    "access_audit_runtime": true,
    "rate_limit_runtime": true,
    "revocation_runtime": true,
    "domain_claim_runtime": true,
    "write_hmac_runtime": true,
    "systemd_api_service_runtime": true
  },
  "evidence": {
    "hashed_key_store_runtime": "Migration and storage contract define key_prefix, key_hash, scopes, domain_scope, status, expiry and revocation fields.",
    "scope_enforcement_runtime": "Operator probe compares requested scope with key-record scopes and returns audited 403 scope_mismatch decisions.",
    "access_audit_runtime": "Operator probe writes sanitized Postgres audit events and falls back to sanitized JSONL events when database audit is unavailable.",
    "rate_limit_runtime": "Operator probe checks a server-side rate limit bucket and audits 429 rate_limited decisions.",
    "revocation_runtime": "Operator probe denies revoked and expired keys before any allow decision.",
    "domain_claim_runtime": "Operator scopes require domain_scope and audit domain-scope mismatches without exporting raw private scope data.",
    "write_hmac_runtime": "Write scopes require X-SaferPage-Signature and X-SaferPage-Idempotency-Key; HMAC secret remains server-side.",
    "systemd_api_service_runtime": "infra/systemd/saferpage-api.service defines the Python API as a restartable systemd service, and scripts/run-api-service-smoke.sh verifies systemd active/enabled plus /health."
  },
  "verification": {
    "syntax": "python3 -m py_compile apps/api/server.py apps/api/storage.py",
    "deny_smoke": "scripts/run-api-runtime-deny-smoke.sh",
    "service_smoke": "scripts/run-api-service-smoke.sh",
    "public_probe": "https://saferpage.de/api-zugriff/runtime-gate-probe-json"
  }
}