{
  "schema": "https://saferpage.de/schemas/security-feed-runtime-controls.v1",
  "generated_at": "2026-06-09T08:34:43+00:00",
  "generated_from": "scripts/run-security-feed-schedule.py, apps/web/public/security-scanner-center.php, apps/web/public/security-feed-runner.php",
  "secret_policy": "This manifest exposes control presence only. It contains no URLhaus keys, Google API keys, webhook secrets, feed raw payloads, IPs, user agents, database DSNs or visitor logs.",
  "controls": {
    "credential_manifest_no_secret": true,
    "activation_gate_before_external_run": true,
    "execute_ready_required": true,
    "storage_approval_required": true,
    "storage_canary_no_external_feeds": true,
    "public_runner_state_sanitized": true,
    "dry_run_smoke_isolated_state": true
  },
  "evidence": {
    "credential_manifest_no_secret": "Runner state exports env_ref and present flags only, never secret values.",
    "activation_gate_before_external_run": "Runner checks /sicherheit/{domain}/feed-activation-json before any feed-live run.",
    "execute_ready_required": "External feed-live endpoint is called only when activation_ready=true and runner has --execute-ready.",
    "storage_approval_required": "Feed observations are stored only with SAFERPAGE_SECURITY_FEED_STORAGE_APPROVED=yes after a live connector result.",
    "storage_canary_no_external_feeds": "Storage Canary is synthetic, private, and explicitly does not call external feeds or publish hits.",
    "public_runner_state_sanitized": "Public state contains metrics, policy, gate decisions and report links, not raw feed payloads.",
    "dry_run_smoke_isolated_state": "scripts/run-security-feed-dry-run-smoke.sh redirects state to temporary files and asserts executed_count=0 and stored_observation_count=0."
  }
}