{
  "schema": "https://saferpage.de/schemas/delivery-runtime-controls.v1",
  "generated_at": "2026-06-09T10:44:00+00:00",
  "generated_from": "scripts/run-alert-dispatch.py, apps/web/public/operator-delivery-credential-preflight.php",
  "secret_policy": "This manifest exposes control presence only. It contains no webhook URLs, Slack or Teams URLs, API keys, HMAC secrets, recipients, target URLs, raw payloads, IPs, user agents, database DSNs or visitor logs.",
  "controls": {
    "credential_manifest_no_secret": true,
    "dispatch_approval_gate": true,
    "execute_ready_required": true,
    "hmac_signature_contract": true,
    "idempotency_contract": true,
    "local_file_sink_sanitized": true,
    "public_runner_state_sanitized": true,
    "dry_run_smoke_isolated_state": true
  },
  "evidence": {
    "credential_manifest_no_secret": "Runner state exports env_ref and present flags only, never secret values or target URLs.",
    "dispatch_approval_gate": "Runner sends to configured channels only when SAFERPAGE_ALERT_DISPATCH_APPROVED=yes is set.",
    "execute_ready_required": "Runner still requires --execute-ready before sending to any configured channel.",
    "hmac_signature_contract": "Generic webhook deliveries use X-SaferPage-Signature with HMAC-SHA256 over the compact JSON request body when SAFERPAGE_WEBHOOK_SECRET is present.",
    "idempotency_contract": "Each outbox item carries an idempotency key and body_sha256 for receiver dedupe and replay diagnostics.",
    "local_file_sink_sanitized": "The local file sink writes JSONL summary rows with host, counts, severity, title, idempotency key and body hash only.",
    "public_runner_state_sanitized": "Public state contains channel ids, env refs, hashes and statuses, not target URLs, recipients or raw payloads.",
    "dry_run_smoke_isolated_state": "scripts/run-alert-dispatch-dry-run-smoke.sh writes only temporary state files and verifies sent_count=0 plus external_send_attempt_count=0."
  },
  "verification": {
    "syntax": "python3 -m py_compile scripts/run-alert-dispatch.py",
    "dry_run_smoke": "scripts/run-alert-dispatch-dry-run-smoke.sh",
    "public_preflight": "https://saferpage.de/integrationen/delivery-credential-preflight-json",
    "public_runner_state": "https://saferpage.de/alarme/dispatch-runner-json"
  },
  "disclaimer": "This manifest proves runtime guard presence and public evidence shape. It does not activate productive delivery and does not prove that any external receiver is configured."
}
