{"ok":true,"checkedAt":"2026-06-02T19:12:11.778Z","profileVersion":"moral-trade-operations-v0.3-2026-05","purpose":"Public operating contract for core Moral Trade security headers, private-cache controls, rate-limit surfaces, email-outbox safety gates, retention lifecycle controls, observability metrics, fallback behavior, and rollout gates.","validation":{"status":"pass","validatorName":"moral-trade-operations-profile","validatorVersion":"moral-trade-operations-validator-v0.2","profileVersion":"moral-trade-operations-v0.3-2026-05","checks":[{"id":"security-headers","label":"Security headers and private cache controls","status":"pass","evidence":"strict_transport_security, x_content_type_options, x_frame_options, referrer_policy, permissions_policy, csp_report_only, private_no_store"},{"id":"rate-limit-surfaces","label":"Core rate-limit surfaces","status":"pass","evidence":"public_contract_read, signup, login, offer_create, privacy_access_request, match_concierge_request, offer_comment, offer_collection_read, offer_detail_read, offer_facets_read, offer_follow_write, offer_create_similar, saved_search_write, copilot_draft_review, match_signal_evaluate, challenge_appeal_evaluate, disclosure_evaluate, review_workflow_evaluate, profile_portability, background_opportunity_brief_read, background_opportunity_feedback_write, background_source_summary_write, background_intro_packet_write, wish_registry_search, analytics_ingest"},{"id":"privacy-session-controls","label":"Privacy and session controls","status":"pass","evidence":"supabase_auth_cookies, private_route_cache_control, data_right_requests, field_level_disclosure_grants, email_outbox_safety_gate, audit_events"},{"id":"retention-lifecycle-controls","label":"Retention lifecycle controls","status":"pass","evidence":"account_profile_lifecycle, private_wish_source_lifecycle, evidence_provenance_lifecycle, payment_donation_reference_lifecycle, analytics_attribution_lifecycle, notification_delivery_lifecycle, data_right_request_lifecycle"},{"id":"observability-metrics","label":"Operational metrics","status":"pass","evidence":"funnel_event_counts, route_error_rate, api_latency_p95, web_vitals, blocked_proposal_rate, email_outbox_suppression_count, privacy_incident_count, copilot_fallback_rate, evidence_review_sla, appeal_overturn_rate"},{"id":"fallback-controls","label":"Safe fallback controls","status":"pass","evidence":"deterministic_manual_fallback, invalid_copilot_output_no_state_change, provider_timeout_no_state_change, unsafe_email_no_provider_send, replay_safe_state_transitions"},{"id":"rollout-gates","label":"Rollout gates","status":"pass","evidence":"shadow_mode, assist_mode, guarded_automation, human_controlled_safety"},{"id":"operational-tests","label":"Operational test hooks","status":"pass","evidence":"security_header_source_smoke, private_cache_header_smoke, rate_limit_surface_smoke, retention_lifecycle_contract_smoke, email_outbox_safety_gate_smoke, operations_profile_validator, resilience_fallback_audit, health_route_contract_smoke, production_build"}],"blockers":[]},"publicContract":{"securityHeaders":["strict_transport_security","x_content_type_options","x_frame_options","referrer_policy","permissions_policy","csp_report_only","private_no_store"],"rateLimitSurfaces":["public_contract_read","signup","login","offer_create","privacy_access_request","match_concierge_request","offer_comment","offer_collection_read","offer_detail_read","offer_facets_read","offer_follow_write","offer_create_similar","saved_search_write","copilot_draft_review","match_signal_evaluate","challenge_appeal_evaluate","disclosure_evaluate","review_workflow_evaluate","profile_portability","background_opportunity_brief_read","background_opportunity_feedback_write","background_source_summary_write","background_intro_packet_write","wish_registry_search","analytics_ingest"],"privacyAndSessionControls":["supabase_auth_cookies","private_route_cache_control","data_right_requests","field_level_disclosure_grants","email_outbox_safety_gate","audit_events"],"retentionControls":[{"key":"account_profile_lifecycle","scope":"Authenticated account records, opt-in public profiles, profile export/import records, and profile portability schema metadata.","retentionWindow":"Kept while the account, public profile, or review record needs it; export, correction, deletion, and restriction requests must route through authenticated dashboard or privacy support lanes.","evidence":"src/app/privacy/page.tsx publishes account/profile retention and src/app/api/profile/export plus src/app/api/profile/import use private no-store profile portability APIs."},{"key":"private_wish_source_lifecycle","scope":"Private wishes, source summaries, approved source-derived profile signals, matching preferences, and consent-gated background-networking inputs.","retentionWindow":"Kept only for the consent scope or review workflow that needs it; expired or revoked source summaries and profile signals stop affecting matching, and exact wishes, raw source text, source notes, and shadow-run drafts remain excluded from public cards, analytics, public contract routes, and search previews.","evidence":"Data-model and disclosure contracts require field-level grants, stage scope, expiry, and private/public boundaries before disclosure."},{"key":"evidence_provenance_lifecycle","scope":"Evidence metadata, reviewer decisions, state-transition event records, and append-only provenance activities.","retentionWindow":"Append-only review/provenance records are retained for audit integrity; corrections append new activities rather than mutating prior records, and raw evidence artifacts are excluded from public APIs.","evidence":"Provenance contract publishes append-only persistence tables, correction rules, sample bundle summaries, and raw-artifact exclusion."},{"key":"payment_donation_reference_lifecycle","scope":"Stripe payment identifiers, donation-route handoff references, payment status, amount, cadence, and review evidence notes.","retentionWindow":"Retained only where reconciliation, dispute handling, audit integrity, or compliance needs require it; public routes must not claim custody, escrow, or guarantee payment protection.","evidence":"Privacy and terms pages publish payment/donation processor boundaries and non-custody claims."},{"key":"analytics_attribution_lifecycle","scope":"Approved funnel event type, route path, coarse metadata buckets, partner attribution, and optional authenticated profile id.","retentionWindow":"Only redacted funnel records are eligible for storage; exact wishes, contact details, report bodies, raw source notes, private evidence artifacts, and free-form payloads are excluded before insert. Browser-level opt-out clears attribution and suppresses optional funnel-event inserts.","evidence":"src/lib/measurement-plan.ts defines approved events and analytics-objection guardrails; src/lib/growth.ts builds privacy-safe funnel event records and names the opt-out cookie."},{"key":"notification_delivery_lifecycle","scope":"Email/in-app delivery rows, digest preferences, quiet-hour windows, source cooldown state, opt-out state, suppression status, and failed-delivery diagnostics.","retentionWindow":"Preference rows and delivery records are retained to honor opt-outs, enforce discovery cooldowns, diagnose failed or suppressed delivery, and avoid exposing private wish text, contact details, exact terms, payment amounts, agreement IDs, evidence, or source notes in notifications.","evidence":"Privacy page publishes notification processor boundaries and notification retention purpose; email-copy tests cover generic copy and sender-side suppression before provider delivery."},{"key":"data_right_request_lifecycle","scope":"Access, correction, deletion, restriction, and processor-clarification requests.","retentionWindow":"Requests keep the minimum status, request type, due date, requester scope, and resolution metadata needed to complete and audit the rights lane; destructive or corrective details must remain private no-store.","evidence":"Privacy, terms, dashboard, and privacy_access_requests actions expose access/correction/deletion/restriction request lanes."}],"observabilityMetrics":["funnel_event_counts","route_error_rate","api_latency_p95","web_vitals","blocked_proposal_rate","email_outbox_suppression_count","privacy_incident_count","copilot_fallback_rate","evidence_review_sla","appeal_overturn_rate"],"fallbackControls":["deterministic_manual_fallback","invalid_copilot_output_no_state_change","provider_timeout_no_state_change","unsafe_email_no_provider_send","replay_safe_state_transitions"],"resilienceFallbackTests":["invalid_copilot_output_no_state_change","copilot_timeout_manual_fallback","provider_timeout_no_state_change","state_transition_replay_idempotency"],"rolloutGates":["shadow_mode","assist_mode","guarded_automation","human_controlled_safety"],"operationalTests":["security_header_source_smoke","private_cache_header_smoke","rate_limit_surface_smoke","retention_lifecycle_contract_smoke","email_outbox_safety_gate_smoke","operations_profile_validator","resilience_fallback_audit","health_route_contract_smoke","production_build"]},"blockers":[]}