{"generatedAt":"2026-06-01T10:08:10.366Z","productionTouched":false,"dashboard":{"status":"blocked","headline":"Agent restoration is blocked by staging credentials and release gates.","counts":{"credentialBlockers":4,"smokeStepsBlockedByCredentials":6,"smokeStepsWaitingForOwnerApproval":0,"pendingApprovals":0,"recentAuditEvents":0,"runtimeSafetyBlockers":1,"productReadinessBlockedGates":2,"productReadinessHardeningGates":3,"productReadinessOwnerApprovalGates":5},"nextActions":["Create or identify staging credentials for Telegram, Gmail, Google Calendar, and Google Contacts.","Clear runtime safety blockers before any live test.","Finish hardening gates before production: durable storage, operator identity, and controlled n8n adapter.","Review owner-approval product readiness gates before live OCR, live duplicate-read, durable result storage, live sender, smoke, or cutover work."]},"credentialOwnerHandoff":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialMutationAllowed":false,"workflowActivationAllowed":false,"secretStorageAllowedInGit":false,"summary":"Owner handoff for the four remaining staging credential blockers. Record identities and confirmations only; never record credential values.","handoffItems":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","ownerAction":"Choose or create one staging Telegram bot credential with the exact required name, then confirm the bot username before any binding dry-run is treated as valid.","accountIdentityQuestion":"Which Telegram bot username should receive test messages for My Main Agent in staging?","safeEvidenceToRecord":["credential name","credential type","bot username","owner confirmation timestamp"],"forbiddenEvidence":["bot API token","chat private messages","production bot credential value"],"setupStopConditions":["The selected bot is used by production.","The bot username is unknown.","The credential name does not exactly match the required name."]},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","ownerAction":"Create, select, or rename the staging Gmail OAuth credential only after confirming it authenticates robot@unsiyyat.com.","accountIdentityQuestion":"Does the OAuth consent/login account show robot@unsiyyat.com and not a personal mailbox?","safeEvidenceToRecord":["credential name","credential type","account email","owner mailbox confirmation"],"forbiddenEvidence":["OAuth access token","OAuth refresh token","client secret value","private email content"],"setupStopConditions":["The OAuth account is not robot@unsiyyat.com.","The credential points to a personal or production-only mailbox.","The required mailbox identity cannot be verified."]},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","ownerAction":"Create the missing staging Google Calendar OAuth credential with the exact required name and confirm the intended calendar scope.","accountIdentityQuestion":"Which calendar account and calendar scope should My Main Agent read or write during staging tests?","safeEvidenceToRecord":["credential name","credential type","account email","calendar scope confirmation"],"forbiddenEvidence":["OAuth access token","OAuth refresh token","client secret value","calendar event private data"],"setupStopConditions":["The calendar account is not the intended staging account.","The calendar scope is broader than the owner approved.","The credential would expose production calendar data without approval."]},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","ownerAction":"Create the missing staging Google Contacts OAuth credential with the exact required name and confirm the intended contacts scope.","accountIdentityQuestion":"Which contacts account and contacts scope should My Main Agent use during staging tests?","safeEvidenceToRecord":["credential name","credential type","account email","contacts scope confirmation"],"forbiddenEvidence":["OAuth access token","OAuth refresh token","client secret value","private contact records"],"setupStopConditions":["The contacts account is not the intended staging account.","The contacts scope is broader than the owner approved.","The credential would expose production contact data without approval."]}],"ownerQuestions":[{"id":"telegram-bot-identity","prompt":"Which Telegram bot is the approved staging/test bot for My Main Agent?","expectedEvidence":"Bot username and n8n credential name only.","stopIf":"The bot is production-only, unknown, or not approved for test traffic."},{"id":"robot-mailbox-identity","prompt":"Should all Google OAuth credentials use robot@unsiyyat.com as the account identity?","expectedEvidence":"Account email and owner confirmation for Gmail, Calendar, and Contacts.","stopIf":"Any OAuth account is personal, wrong-domain, or not owner-approved."},{"id":"staging-scope-boundary","prompt":"Which staging read/write scopes are approved before smoke tests?","expectedEvidence":"Allowed mailbox, calendar, and contacts scopes, plus whether draft-only email tests are required.","stopIf":"The requested scope includes production data or side effects without explicit approval."}],"verificationCommands":["npm run audit:staging-credentials","npm run bind:confirmed-staging-credentials","curl -sS http://127.0.0.1:8787/credential-owner-handoff","curl -sS http://127.0.0.1:8787/operator-snapshot"],"stopConditions":["A credential value, token, client secret, password, or OAuth refresh/access value is pasted into chat, docs, git, logs, or tickets.","A production credential or production workflow is selected without explicit owner approval.","A required credential name does not exactly match the staging binding plan.","Any target workflow is active before credential binding or smoke testing.","The owner cannot confirm the bot, mailbox, calendar, or contacts account identity."]},"credentialEvidenceValidationGuide":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialValuesAllowed":false,"recordsPersisted":false,"credentialMutationAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"summary":"Local validation guide for safe owner confirmation records. The validator checks record shape and secret-like fields only; it does not store records, mutate credentials, bind credentials, or call n8n.","expectedRecords":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","requiredFields":["requiredName","credentialType","accountIdentity","ownerConfirmedBy","confirmedAt","scopeConfirmation"]},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","requiredFields":["requiredName","credentialType","accountIdentity","ownerConfirmedBy","confirmedAt","scopeConfirmation"]},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","requiredFields":["requiredName","credentialType","accountIdentity","ownerConfirmedBy","confirmedAt","scopeConfirmation"]},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","requiredFields":["requiredName","credentialType","accountIdentity","ownerConfirmedBy","confirmedAt","scopeConfirmation"]}],"allowedRecordFields":["requiredName","credentialType","accountIdentity","ownerConfirmedBy","confirmedAt","scopeConfirmation","notes"],"validationRules":["Submit exactly one record for each required staging credential.","Use the exact required credential name and credential type.","Record account identity and scope confirmation only, never credential values.","Do not include extra fields whose names imply tokens, passwords, cookies, keys, sessions, OAuth values, or client secrets.","Stop at dry-run verification after all records pass."],"sampleSafeRecordShape":{"requiredName":"robot@unsiyyat.com Gmail","credentialType":"gmailOAuth2","accountIdentity":"robot@unsiyyat.com","ownerConfirmedBy":"Owner name","confirmedAt":"2026-05-18T22:10:00+04:00","scopeConfirmation":"Owner confirmed intended staging Gmail scope."},"stopConditions":["Any record includes a credential value, token, password, cookie, OAuth value, client secret, or exported credential JSON.","Any required credential record is missing or duplicated.","Any record uses a production account or a credential name that differs from the binding plan.","The next action would create credentials, bind credentials, run apply, create a backup, run smoke tests, or activate workflows."]},"credentialEvidenceValidationTemplate":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialValuesAllowed":false,"recordsPersisted":false,"credentialMutationAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"postEndpoint":"/credential-evidence-validation","summary":"Blank safe payload template for local owner evidence validation. Fill only account identity and scope confirmation fields; never add credential values.","instructions":["Copy the template payload into a local validation request only after owner confirms the account identity and scope.","Keep account identity high-level, such as robot@unsiyyat.com or the approved staging Telegram bot username.","Leave credential values, tokens, client secrets, OAuth values, passwords, cookies, and exported JSON out of the payload.","A blank template is expected to fail validation until all safe owner confirmation fields are filled."],"templatePayload":{"records":[{"requiredName":"My Main Agent Telegram Bot","credentialType":"telegramApi","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""},{"requiredName":"robot@unsiyyat.com Gmail","credentialType":"gmailOAuth2","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""},{"requiredName":"robot@unsiyyat.com Google Calendar","credentialType":"googleCalendarOAuth2Api","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""},{"requiredName":"robot@unsiyyat.com Google Contacts","credentialType":"googleContactsOAuth2Api","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""}]},"stopConditions":["Any record includes a credential value, token, password, cookie, OAuth value, client secret, or exported credential JSON.","Any required credential record is missing or duplicated.","Any record uses a production account or a credential name that differs from the binding plan.","The next action would create credentials, bind credentials, run apply, create a backup, run smoke tests, or activate workflows."]},"credentialEvidencePacket":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"stagingMutationAllowed":false,"credentialValuesAllowed":false,"evidenceStorageAllowedInGit":false,"workflowActivationAllowed":false,"bindingApplyAllowed":false,"summary":"Evidence packet for the credential stage. It defines safe owner-confirmation records only; it must never contain credential values.","usageOrder":["Review owner handoff questions.","Create or select credentials manually in staging n8n.","Record safe evidence only.","Run confirmed credential binding dry-run.","Create an owner-approved staging backup before any apply step.","Apply binding only in a separate owner-approved operation."],"credentialEvidenceItems":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","ownerConfirmationStatement":"Which Telegram bot username should receive test messages for My Main Agent in staging? Record the answer without credential values.","evidenceFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail","forbiddenExample":"Any token or OAuth value."},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2","forbiddenExample":"Credential JSON export."},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name.","forbiddenExample":"Password, token, or client secret."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00","forbiddenExample":"Session cookie or OAuth callback payload."},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username.","forbiddenExample":"API token, refresh token, access token, password, or client secret."},{"id":"telegram-scope-confirmation","label":"Telegram scope confirmation","required":true,"safeExample":"credential name, credential type, bot username, owner confirmation timestamp","forbiddenExample":"bot API token, chat private messages, production bot credential value"}],"forbiddenEvidence":["bot API token","chat private messages","production bot credential value"],"preBindingCheck":"Dry-run must find telegramApi: My Main Agent Telegram Bot and all target workflows must remain inactive."},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","ownerConfirmationStatement":"Does the OAuth consent/login account show robot@unsiyyat.com and not a personal mailbox? Record the answer without credential values.","evidenceFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail","forbiddenExample":"Any token or OAuth value."},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2","forbiddenExample":"Credential JSON export."},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name.","forbiddenExample":"Password, token, or client secret."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00","forbiddenExample":"Session cookie or OAuth callback payload."},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username.","forbiddenExample":"API token, refresh token, access token, password, or client secret."},{"id":"gmail-scope-confirmation","label":"Gmail scope confirmation","required":true,"safeExample":"credential name, credential type, account email, owner mailbox confirmation","forbiddenExample":"OAuth access token, OAuth refresh token, client secret value, private email content"}],"forbiddenEvidence":["OAuth access token","OAuth refresh token","client secret value","private email content"],"preBindingCheck":"Dry-run must find gmailOAuth2: robot@unsiyyat.com Gmail and all target workflows must remain inactive."},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","ownerConfirmationStatement":"Which calendar account and calendar scope should My Main Agent read or write during staging tests? Record the answer without credential values.","evidenceFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail","forbiddenExample":"Any token or OAuth value."},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2","forbiddenExample":"Credential JSON export."},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name.","forbiddenExample":"Password, token, or client secret."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00","forbiddenExample":"Session cookie or OAuth callback payload."},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username.","forbiddenExample":"API token, refresh token, access token, password, or client secret."},{"id":"google-calendar-scope-confirmation","label":"Google Calendar scope confirmation","required":true,"safeExample":"credential name, credential type, account email, calendar scope confirmation","forbiddenExample":"OAuth access token, OAuth refresh token, client secret value, calendar event private data"}],"forbiddenEvidence":["OAuth access token","OAuth refresh token","client secret value","calendar event private data"],"preBindingCheck":"Dry-run must find googleCalendarOAuth2Api: robot@unsiyyat.com Google Calendar and all target workflows must remain inactive."},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","ownerConfirmationStatement":"Which contacts account and contacts scope should My Main Agent use during staging tests? Record the answer without credential values.","evidenceFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail","forbiddenExample":"Any token or OAuth value."},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2","forbiddenExample":"Credential JSON export."},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name.","forbiddenExample":"Password, token, or client secret."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00","forbiddenExample":"Session cookie or OAuth callback payload."},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username.","forbiddenExample":"API token, refresh token, access token, password, or client secret."},{"id":"google-contacts-scope-confirmation","label":"Google Contacts scope confirmation","required":true,"safeExample":"credential name, credential type, account email, contacts scope confirmation","forbiddenExample":"OAuth access token, OAuth refresh token, client secret value, private contact records"}],"forbiddenEvidence":["OAuth access token","OAuth refresh token","client secret value","private contact records"],"preBindingCheck":"Dry-run must find googleContactsOAuth2Api: robot@unsiyyat.com Google Contacts and all target workflows must remain inactive."}],"preBindingVerificationCommands":["git status --short --branch","npm run verify","npm run bind:confirmed-staging-credentials","curl -sS http://127.0.0.1:8787/credential-evidence-packet","curl -sS http://127.0.0.1:8787/staging-backup-checklist"],"approvalGates":["Owner confirms the Telegram bot identity.","Owner confirms the Gmail OAuth account identity.","Owner confirms the Google Calendar account and scope.","Owner confirms the Google Contacts account and scope.","Owner approves the staging backup window before binding apply."],"stopConditions":["Any evidence includes a credential value, token, client secret, password, cookie, or OAuth access/refresh value.","The dry-run still reports missing credentials.","Any target workflow is active before binding or smoke testing.","A credential belongs to production or to the wrong account identity.","A staging backup and workflow export are not recorded before apply."]},"credentialBindingApplyPacket":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"stagingMutationAllowed":false,"bindingApplyExecuted":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"status":"blocked","summary":"4 credential areas still block the staging binding apply step.","credentialBlockers":[{"area":"Telegram","status":"needs-owner-choice","detail":"Seven telegramApi credentials exist in staging; owner must choose the bot identity for My Main Agent."},{"area":"Gmail","status":"needs-owner-choice","detail":"One gmailOAuth2 credential exists in staging; verify it matches robot@unsiyyat.com before binding."},{"area":"Google Calendar","status":"missing","detail":"No googleCalendarOAuth2Api credential was found in staging."},{"area":"Google Contacts","status":"missing","detail":"No googleContactsOAuth2Api credential was found in staging."}],"gates":[{"id":"local-baseline","title":"Local baseline is verified","status":"required","detail":"Local tests, workflow validation, and secret scan must pass before any staging apply operation.","evidenceToRecord":"`npm run verify` result and current commit hash."},{"id":"credential-evidence","title":"Credential evidence is recorded","status":"blocked","detail":"The owner-confirmed credential names, types, account identities, and scopes must be recorded without secret values.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts"},{"id":"credential-dry-run","title":"Confirmed binding dry-run passes","status":"blocked","detail":"Dry-run must find every exact credential and confirm target workflows are inactive.","evidenceToRecord":"`npm run bind:confirmed-staging-credentials` output with no missing credentials."},{"id":"staging-backup","title":"Fresh staging backup is recorded","status":"owner-approval-required","detail":"Preflight checklist for the backup that must exist before any owner-approved staging credential binding apply step.","evidenceToRecord":"Backup path, workflow export path, timestamp, host, size, and restore operator."},{"id":"owner-approval","title":"Owner approves the apply window","status":"owner-approval-required","detail":"Apply is a staging mutation and needs explicit approval immediately before the command is run.","evidenceToRecord":"Owner name, approval timestamp, staging target URL, and exact command."},{"id":"post-apply-audit","title":"Post-apply audit is planned","status":"required","detail":"After any future apply, rerun audit and keep workflows inactive until separate smoke-test approval.","evidenceToRecord":"`npm run audit:staging-credentials` output and inactive workflow status."}],"requiredCommandOrder":["git status --short --branch","npm run verify","npm run bind:confirmed-staging-credentials","curl -sS http://127.0.0.1:8787/staging-backup-checklist","owner-approved staging backup and workflow export","npm run bind:confirmed-staging-credentials -- --apply","npm run audit:staging-credentials"],"manualApplyCommand":"npm run bind:confirmed-staging-credentials -- --apply","auditRecordFields":["operator","owner approval timestamp","git commit hash","staging URL","backup path","workflow export path","dry-run output summary","apply command","post-apply audit result"],"stopConditions":["Any required credential is missing or has the wrong account identity.","Any target workflow is active.","The backup or workflow export is missing, stale, or points to production.","Owner approval is absent or not specific to the staging apply window.","The command target points to production or an unexpected n8n instance.","Any credential value, token, client secret, cookie, password, or OAuth access/refresh value appears in logs or evidence."]},"credentialConfirmationTemplate":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialMutationAllowed":false,"credentialValuesAllowed":false,"workflowActivationAllowed":false,"bindingApplyAllowed":false,"storageGuidance":"Use this as a safe record template only. Do not store credential values in git, chat, logs, tickets, or project docs.","summary":"Blank owner-confirmation template for the four remaining staging credentials. It defines safe fields and required checks, but it does not create, bind, or verify credentials.","records":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","confirmationStatement":"Which Telegram bot username should receive test messages for My Main Agent in staging? Record the answer without credential values.","allowedFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail"},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2"},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00"},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username."},{"id":"telegram-scope-confirmation","label":"Telegram scope confirmation","required":true,"safeExample":"credential name, credential type, bot username, owner confirmation timestamp"}],"requiredChecks":["Credential exists in staging n8n with exact name: My Main Agent Telegram Bot.","Credential type is exactly: telegramApi.","Owner confirmed the account identity and intended scope.","Dry-run must find telegramApi: My Main Agent Telegram Bot and all target workflows must remain inactive."],"forbiddenFields":["bot API token","chat private messages","production bot credential value"]},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","confirmationStatement":"Does the OAuth consent/login account show robot@unsiyyat.com and not a personal mailbox? Record the answer without credential values.","allowedFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail"},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2"},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00"},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username."},{"id":"gmail-scope-confirmation","label":"Gmail scope confirmation","required":true,"safeExample":"credential name, credential type, account email, owner mailbox confirmation"}],"requiredChecks":["Credential exists in staging n8n with exact name: robot@unsiyyat.com Gmail.","Credential type is exactly: gmailOAuth2.","Owner confirmed the account identity and intended scope.","Dry-run must find gmailOAuth2: robot@unsiyyat.com Gmail and all target workflows must remain inactive."],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","private email content"]},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","confirmationStatement":"Which calendar account and calendar scope should My Main Agent read or write during staging tests? Record the answer without credential values.","allowedFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail"},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2"},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00"},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username."},{"id":"google-calendar-scope-confirmation","label":"Google Calendar scope confirmation","required":true,"safeExample":"credential name, credential type, account email, calendar scope confirmation"}],"requiredChecks":["Credential exists in staging n8n with exact name: robot@unsiyyat.com Google Calendar.","Credential type is exactly: googleCalendarOAuth2Api.","Owner confirmed the account identity and intended scope.","Dry-run must find googleCalendarOAuth2Api: robot@unsiyyat.com Google Calendar and all target workflows must remain inactive."],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","calendar event private data"]},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","confirmationStatement":"Which contacts account and contacts scope should My Main Agent use during staging tests? Record the answer without credential values.","allowedFields":[{"id":"credential-name","label":"Credential name","required":true,"safeExample":"robot@unsiyyat.com Gmail"},{"id":"credential-type","label":"Credential type","required":true,"safeExample":"gmailOAuth2"},{"id":"owner-confirmed-by","label":"Owner confirmation","required":true,"safeExample":"Owner name or approved operator name."},{"id":"confirmed-at","label":"Confirmation timestamp","required":true,"safeExample":"2026-05-18T21:10:00+04:00"},{"id":"account-identity","label":"Account identity","required":true,"safeExample":"robot@unsiyyat.com or approved staging Telegram bot username."},{"id":"google-contacts-scope-confirmation","label":"Google Contacts scope confirmation","required":true,"safeExample":"credential name, credential type, account email, contacts scope confirmation"}],"requiredChecks":["Credential exists in staging n8n with exact name: robot@unsiyyat.com Google Contacts.","Credential type is exactly: googleContactsOAuth2Api.","Owner confirmed the account identity and intended scope.","Dry-run must find googleContactsOAuth2Api: robot@unsiyyat.com Google Contacts and all target workflows must remain inactive."],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","private contact records"]}],"verificationCommands":["curl -sS http://127.0.0.1:8787/credential-owner-handoff","curl -sS http://127.0.0.1:8787/credential-evidence-packet","curl -sS http://127.0.0.1:8787/credential-confirmation-template","npm run bind:confirmed-staging-credentials"],"stopConditions":["Any confirmation record includes a credential value, API key, token, password, cookie, OAuth access value, OAuth refresh value, or client secret.","The owner cannot confirm the Telegram bot username or Google account identity.","The credential name or type differs from the required staging binding plan.","A production credential, production account, or production workflow is selected without explicit owner approval.","Any target workflow is active before credential binding or smoke testing."]},"credentialOwnerActionPacket":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialMutationAllowed":false,"credentialValuesAllowed":false,"workflowActivationAllowed":false,"bindingApplyAllowed":false,"ownerManualActionRequired":true,"summary":"Owner-facing action packet for manually creating or selecting the four remaining staging credentials. It gives instructions and references only; it does not create, bind, verify, or activate anything.","officialReferences":[{"label":"n8n credentials library","url":"https://docs.n8n.io/integrations/builtin/credentials/","relevance":"General n8n credential setup reference."},{"label":"n8n Telegram credentials","url":"https://docs.n8n.io/integrations/builtin/credentials/telegram/","relevance":"Telegram bot access token credential guidance for Telegram and Telegram Trigger nodes."},{"label":"n8n Google credentials","url":"https://docs.n8n.io/integrations/builtin/credentials/google/","relevance":"OAuth2 guidance for Google service nodes including Gmail, Google Calendar, and Google Contacts."},{"label":"n8n Google Calendar node","url":"https://docs.n8n.io/integrations/builtin/app-nodes/n8n-nodes-base.googlecalendar/","relevance":"Google Calendar node operations and credential reference."}],"actionOrder":["Open staging n8n credentials UI.","Create or select Telegram credential.","Create or select Gmail OAuth credential.","Create or select Google Calendar OAuth credential.","Create or select Google Contacts OAuth credential.","Record only safe confirmation evidence.","Run confirmed credential binding dry-run.","Stop before backup, binding apply, smoke testing, or activation until separately approved."],"credentialActions":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","ownerActionRequired":true,"codexActionAllowed":false,"officialReferences":[{"label":"n8n Telegram credentials","url":"https://docs.n8n.io/integrations/builtin/credentials/telegram/","relevance":"Telegram bot access token credential guidance for Telegram and Telegram Trigger nodes."},{"label":"n8n credentials library","url":"https://docs.n8n.io/integrations/builtin/credentials/","relevance":"General n8n credential setup reference."}],"manualSteps":["Owner chooses the approved staging Telegram bot or creates one through BotFather.","Owner creates or selects the n8n Telegram credential in staging only.","Credential name must be exactly `My Main Agent Telegram Bot`.","Bot access token is entered only in the n8n credential UI.","Record only the bot username, credential name, credential type, owner name, and timestamp."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Telegram scope confirmation"],"forbiddenActions":["Do not paste credential values into Codex, git, chat, tickets, logs, or project docs.","Do not use a production-only account or bot unless the owner explicitly approves that exact staging use.","Do not activate workflows after credential creation.","Do not run `npm run bind:confirmed-staging-credentials -- --apply` during credential creation."],"afterCreationChecks":["Run dry-run and confirm it finds telegramApi: My Main Agent Telegram Bot.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","ownerActionRequired":true,"codexActionAllowed":false,"officialReferences":[{"label":"n8n Google credentials","url":"https://docs.n8n.io/integrations/builtin/credentials/google/","relevance":"OAuth2 guidance for Google service nodes including Gmail, Google Calendar, and Google Contacts."},{"label":"n8n credentials library","url":"https://docs.n8n.io/integrations/builtin/credentials/","relevance":"General n8n credential setup reference."}],"manualSteps":["Owner confirms the OAuth account is `robot@unsiyyat.com`.","Owner creates or selects the Gmail OAuth credential in staging only.","Credential name must be exactly `robot@unsiyyat.com Gmail`.","OAuth client values and authorization results are entered only in the n8n credential UI.","Record only the mailbox identity, credential name, credential type, owner name, timestamp, and approved scope summary."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Gmail scope confirmation"],"forbiddenActions":["Do not paste credential values into Codex, git, chat, tickets, logs, or project docs.","Do not use a production-only account or bot unless the owner explicitly approves that exact staging use.","Do not activate workflows after credential creation.","Do not run `npm run bind:confirmed-staging-credentials -- --apply` during credential creation."],"afterCreationChecks":["Run dry-run and confirm it finds gmailOAuth2: robot@unsiyyat.com Gmail.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","ownerActionRequired":true,"codexActionAllowed":false,"officialReferences":[{"label":"n8n Google credentials","url":"https://docs.n8n.io/integrations/builtin/credentials/google/","relevance":"OAuth2 guidance for Google service nodes including Gmail, Google Calendar, and Google Contacts."},{"label":"n8n Google Calendar node","url":"https://docs.n8n.io/integrations/builtin/app-nodes/n8n-nodes-base.googlecalendar/","relevance":"Google Calendar node operations and credential reference."}],"manualSteps":["Owner confirms the Google account and calendar scope approved for staging tests.","Owner creates or selects the Google Calendar OAuth credential in staging only.","Credential name must be exactly `robot@unsiyyat.com Google Calendar`.","OAuth client values and authorization results are entered only in the n8n credential UI.","Record only account identity, calendar scope summary, credential name, credential type, owner name, and timestamp."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Google Calendar scope confirmation"],"forbiddenActions":["Do not paste credential values into Codex, git, chat, tickets, logs, or project docs.","Do not use a production-only account or bot unless the owner explicitly approves that exact staging use.","Do not activate workflows after credential creation.","Do not run `npm run bind:confirmed-staging-credentials -- --apply` during credential creation."],"afterCreationChecks":["Run dry-run and confirm it finds googleCalendarOAuth2Api: robot@unsiyyat.com Google Calendar.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","ownerActionRequired":true,"codexActionAllowed":false,"officialReferences":[{"label":"n8n Google credentials","url":"https://docs.n8n.io/integrations/builtin/credentials/google/","relevance":"OAuth2 guidance for Google service nodes including Gmail, Google Calendar, and Google Contacts."},{"label":"n8n credentials library","url":"https://docs.n8n.io/integrations/builtin/credentials/","relevance":"General n8n credential setup reference."}],"manualSteps":["Owner confirms the Google account and contacts scope approved for staging tests.","Owner creates or selects the Google Contacts OAuth credential in staging only.","Credential name must be exactly `robot@unsiyyat.com Google Contacts`.","OAuth client values and authorization results are entered only in the n8n credential UI.","Record only account identity, contacts scope summary, credential name, credential type, owner name, and timestamp."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Google Contacts scope confirmation"],"forbiddenActions":["Do not paste credential values into Codex, git, chat, tickets, logs, or project docs.","Do not use a production-only account or bot unless the owner explicitly approves that exact staging use.","Do not activate workflows after credential creation.","Do not run `npm run bind:confirmed-staging-credentials -- --apply` during credential creation."],"afterCreationChecks":["Run dry-run and confirm it finds googleContactsOAuth2Api: robot@unsiyyat.com Google Contacts.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]}],"verificationCommands":["curl -sS http://127.0.0.1:8787/credential-owner-action-packet","curl -sS http://127.0.0.1:8787/credential-confirmation-template","npm run bind:confirmed-staging-credentials"],"stopConditions":["The owner cannot confirm the Telegram bot username, mailbox identity, calendar account, or contacts account.","Any credential value, API key, bot token, password, cookie, OAuth access token, OAuth refresh token, or client secret appears outside the n8n credential UI.","A credential name differs from the exact required staging name.","A selected account points to production-only data without explicit owner approval.","Any target workflow is active before binding, smoke testing, or production review."]},"credentialOwnerSessionBundle":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialValuesAllowed":false,"codexCredentialMutationAllowed":false,"bindingApplyAllowed":false,"backupExecutionAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"status":"ready-for-owner-session","title":"Owner credential session bundle","purpose":"Single safe operator packet for the owner credential session. It names the exact staging credentials, safe evidence, dry-run command, and stop gates without storing credential values or mutating n8n.","credentialBlockerCount":4,"credentialCards":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","requiredFor":["Telegram Trigger","Download File","Response1","Telegram1"],"ownerAction":"Choose or create the staging Telegram bot credential with this exact name.","safeEvidenceFields":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Telegram scope confirmation"],"confirmationStatement":"Which Telegram bot username should receive test messages for My Main Agent in staging? Record the answer without credential values.","requiredChecks":["Credential exists in staging n8n with exact name: My Main Agent Telegram Bot.","Credential type is exactly: telegramApi.","Owner confirmed the account identity and intended scope.","Dry-run must find telegramApi: My Main Agent Telegram Bot and all target workflows must remain inactive."],"forbiddenFields":["bot API token","chat private messages","production bot credential value"]},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","requiredFor":["My main Mail Agent Gmail tool nodes"],"ownerAction":"Create or rename the Gmail OAuth credential only after verifying the mailbox identity.","safeEvidenceFields":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Gmail scope confirmation"],"confirmationStatement":"Does the OAuth consent/login account show robot@unsiyyat.com and not a personal mailbox? Record the answer without credential values.","requiredChecks":["Credential exists in staging n8n with exact name: robot@unsiyyat.com Gmail.","Credential type is exactly: gmailOAuth2.","Owner confirmed the account identity and intended scope.","Dry-run must find gmailOAuth2: robot@unsiyyat.com Gmail and all target workflows must remain inactive."],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","private email content"]},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","requiredFor":["My main Calendar Agent Google Calendar nodes"],"ownerAction":"Create the missing Google Calendar OAuth credential in staging with this exact name.","safeEvidenceFields":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Google Calendar scope confirmation"],"confirmationStatement":"Which calendar account and calendar scope should My Main Agent read or write during staging tests? Record the answer without credential values.","requiredChecks":["Credential exists in staging n8n with exact name: robot@unsiyyat.com Google Calendar.","Credential type is exactly: googleCalendarOAuth2Api.","Owner confirmed the account identity and intended scope.","Dry-run must find googleCalendarOAuth2Api: robot@unsiyyat.com Google Calendar and all target workflows must remain inactive."],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","calendar event private data"]},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","requiredFor":["My main Contacts Agent Google Contacts nodes"],"ownerAction":"Create the missing Google Contacts OAuth credential in staging with this exact name.","safeEvidenceFields":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Google Contacts scope confirmation"],"confirmationStatement":"Which contacts account and contacts scope should My Main Agent use during staging tests? Record the answer without credential values.","requiredChecks":["Credential exists in staging n8n with exact name: robot@unsiyyat.com Google Contacts.","Credential type is exactly: googleContactsOAuth2Api.","Owner confirmed the account identity and intended scope.","Dry-run must find googleContactsOAuth2Api: robot@unsiyyat.com Google Contacts and all target workflows must remain inactive."],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","private contact records"]}],"operatorSessionScript":[{"id":"open-staging-owner-session","title":"Open staging credential session","status":"ready","operatorInstruction":"Open the local Owner Bundle tab and the staging n8n credential UI with the owner present. Keep credential values inside n8n only.","ownerInstruction":"Use staging n8n only and do not paste credential values into chat, docs, logs, or tickets.","evidenceToRecord":"Session date, operator name, staging URL, and current git commit.","linkedEndpoint":"/credential-owner-session-bundle"},{"id":"create-or-select-exact-credentials","title":"Create or select exact credentials","status":"ready","operatorInstruction":"Read each exact credential name and type from the credential cards; do not ask for values.","ownerInstruction":"Create, select, or rename credentials with the exact required staging names.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts","linkedEndpoint":"/credential-owner-action-packet"},{"id":"record-safe-confirmations","title":"Record safe confirmations","status":"ready","operatorInstruction":"Record only account identity and intended scope confirmations from the allowed fields.","ownerInstruction":"Confirm bot username, Google account identity, and intended mail/calendar/contact scope only.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts","linkedEndpoint":"/credential-confirmation-template"},{"id":"run-dry-run-only","title":"Run dry-run only","status":"blocked","operatorInstruction":"Run the confirmed credential binding dry-run without apply, then stop on any missing or unexpected credential.","ownerInstruction":"Stay available to confirm identity if the dry-run output is unexpected.","evidenceToRecord":"Dry-run mode is `dry-run`.; Dry-run found list contains all four expected credential names.; Dry-run missing list is empty.; No credential value, token, password, OAuth access value, OAuth refresh value, cookie, or client secret appears in output.; No workflow is activated.; No command includes `-- --apply`.","linkedEndpoint":"/credential-post-creation-verification"},{"id":"stop-before-staging-mutation","title":"Stop before staging mutation","status":"future-gate","operatorInstruction":"Do not create backups, apply bindings, run smoke tests, or activate workflows in this session.","ownerInstruction":"Approve backup, apply, smoke testing, and activation later as separate explicit gates.","evidenceToRecord":"owner name; approval timestamp; staging URL; workflow ids; test chat identity; backup path; workflow export path; rollback decision point; post-activation health check command","linkedEndpoint":"/workflow-activation-gate"}],"copyableCommands":["git status --short --branch && npm run verify","curl -sS http://127.0.0.1:8787/credential-owner-session-bundle","curl -sS http://127.0.0.1:8787/credential-confirmation-template","npm run bind:confirmed-staging-credentials"],"completionCriteria":["Dry-run mode is `dry-run`.","Dry-run found list contains all four expected credential names.","Dry-run missing list is empty.","No credential value, token, password, OAuth access value, OAuth refresh value, cookie, or client secret appears in output.","No workflow is activated.","No command includes `-- --apply`."],"nextSafeGate":{"id":"credential-dry-run","title":"Run dry-run after owner credential work","command":"npm run bind:confirmed-staging-credentials","stopBefore":"npm run bind:confirmed-staging-credentials -- --apply"},"stopConditions":["Any evidence includes a credential value, token, client secret, password, cookie, or OAuth access/refresh value.","The dry-run still reports missing credentials.","Any target workflow is active before binding or smoke testing.","A credential belongs to production or to the wrong account identity.","A staging backup and workflow export are not recorded before apply.","Do not run `npm run bind:confirmed-staging-credentials -- --apply`.","Do not create backups, run smoke tests, or activate workflows during the owner credential session.","Do not touch production n8n, production SSH, DNS, hosting variables, billing, or production data.","Any confirmation record includes a credential value, API key, token, password, cookie, OAuth access value, OAuth refresh value, or client secret.","The owner cannot confirm the Telegram bot username or Google account identity.","The credential name or type differs from the required staging binding plan.","A production credential, production account, or production workflow is selected without explicit owner approval.","Any target workflow is active before credential binding or smoke testing.","The session needs backup, binding apply, live smoke testing, or workflow activation.","The owner cannot remain present for account identity and scope confirmation."]},"credentialOwnerSessionPlan":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"codexCredentialMutationAllowed":false,"credentialValuesAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"status":"ready-for-owner-session","summary":"4 staging credential areas still need owner-only creation or selection before dry-run verification.","ownerSessionGoal":"Create or select the four remaining staging credentials in n8n UI, record only safe owner confirmations, and stop at dry-run verification.","credentialBlockerCount":4,"credentialAgenda":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","ownerManualSteps":["Owner chooses the approved staging Telegram bot or creates one through BotFather.","Owner creates or selects the n8n Telegram credential in staging only.","Credential name must be exactly `My Main Agent Telegram Bot`.","Bot access token is entered only in the n8n credential UI.","Record only the bot username, credential name, credential type, owner name, and timestamp."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Telegram scope confirmation"],"afterCreationChecks":["Run dry-run and confirm it finds telegramApi: My Main Agent Telegram Bot.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","ownerManualSteps":["Owner confirms the OAuth account is `robot@unsiyyat.com`.","Owner creates or selects the Gmail OAuth credential in staging only.","Credential name must be exactly `robot@unsiyyat.com Gmail`.","OAuth client values and authorization results are entered only in the n8n credential UI.","Record only the mailbox identity, credential name, credential type, owner name, timestamp, and approved scope summary."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Gmail scope confirmation"],"afterCreationChecks":["Run dry-run and confirm it finds gmailOAuth2: robot@unsiyyat.com Gmail.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","ownerManualSteps":["Owner confirms the Google account and calendar scope approved for staging tests.","Owner creates or selects the Google Calendar OAuth credential in staging only.","Credential name must be exactly `robot@unsiyyat.com Google Calendar`.","OAuth client values and authorization results are entered only in the n8n credential UI.","Record only account identity, calendar scope summary, credential name, credential type, owner name, and timestamp."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Google Calendar scope confirmation"],"afterCreationChecks":["Run dry-run and confirm it finds googleCalendarOAuth2Api: robot@unsiyyat.com Google Calendar.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","ownerManualSteps":["Owner confirms the Google account and contacts scope approved for staging tests.","Owner creates or selects the Google Contacts OAuth credential in staging only.","Credential name must be exactly `robot@unsiyyat.com Google Contacts`.","OAuth client values and authorization results are entered only in the n8n credential UI.","Record only account identity, contacts scope summary, credential name, credential type, owner name, and timestamp."],"safeEvidenceToRecord":["Credential name","Credential type","Owner confirmation","Confirmation timestamp","Account identity","Google Contacts scope confirmation"],"afterCreationChecks":["Run dry-run and confirm it finds googleContactsOAuth2Api: robot@unsiyyat.com Google Contacts.","Confirm target workflows remain inactive.","Review `/credential-confirmation-template` before recording evidence.","Review `/credential-binding-apply-packet` before any future apply discussion."]}],"sessionSteps":[{"id":"baseline","title":"Confirm local baseline","status":"ready","ownerRole":"No action required.","operatorRole":"Run local verification and confirm the current git commit before the owner opens n8n credentials.","evidenceToRecord":"Commit hash and `npm run verify` result.","command":"git status --short --branch && npm run verify"},{"id":"manual-credential-work","title":"Owner creates or selects staging credentials","status":"ready","ownerRole":"Use the staging n8n credential UI only. Enter credential values only there.","operatorRole":"Read the exact required names, types, and safe evidence fields; do not receive credential values.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts","command":"curl -sS http://127.0.0.1:8787/credential-owner-action-packet"},{"id":"safe-confirmation-records","title":"Record safe owner confirmations","status":"ready","ownerRole":"Confirm account identity and intended scope without sharing credential values.","operatorRole":"Record only allowed confirmation fields and reject forbidden fields.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts","command":"curl -sS http://127.0.0.1:8787/credential-confirmation-template"},{"id":"dry-run-only","title":"Run credential binding dry-run only","status":"blocked","ownerRole":"Stay available to confirm account identity if dry-run finds unexpected credential metadata.","operatorRole":"Run dry-run without `-- --apply`; stop on any missing or unexpected credential.","evidenceToRecord":"Dry-run mode is `dry-run`.; Dry-run found list contains all four expected credential names.; Dry-run missing list is empty.; No credential value, token, password, OAuth access value, OAuth refresh value, cookie, or client secret appears in output.; No workflow is activated.; No command includes `-- --apply`.","command":"npm run bind:confirmed-staging-credentials"},{"id":"apply-gate","title":"Stop before staging mutation","status":"future-gate","ownerRole":"Approve a separate staging backup and binding apply window only after dry-run passes.","operatorRole":"Do not run apply, backup, smoke testing, or activation during this owner credential session.","evidenceToRecord":"Local baseline is verified; Credential evidence is recorded; Confirmed binding dry-run passes; Fresh staging backup is recorded; Owner approves the apply window; Post-apply audit is planned","command":"curl -sS http://127.0.0.1:8787/credential-binding-apply-packet"}],"safeArtifacts":["/credential-owner-handoff","/credential-owner-action-packet","/credential-evidence-packet","/credential-confirmation-template","/credential-post-creation-verification","/credential-binding-apply-packet","/operator","/operator-snapshot"],"forbiddenDuringSession":["Any evidence includes a credential value, token, client secret, password, cookie, or OAuth access/refresh value.","The dry-run still reports missing credentials.","Any target workflow is active before binding or smoke testing.","A credential belongs to production or to the wrong account identity.","A staging backup and workflow export are not recorded before apply.","Do not run `npm run bind:confirmed-staging-credentials -- --apply`.","Do not create backups, run smoke tests, or activate workflows during the owner credential session.","Do not touch production n8n, production SSH, DNS, hosting variables, billing, or production data."],"nextGateAfterSession":{"id":"post-creation-dry-run","status":"blocked","command":"npm run bind:confirmed-staging-credentials","stopBefore":"npm run bind:confirmed-staging-credentials -- --apply"}},"credentialOwnerWorksheet":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialValuesAllowed":false,"recordsPersisted":false,"credentialMutationAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"summary":"Owner-session worksheet for recording safe, non-secret credential confirmations before local evidence validation and dry-run.","worksheetRows":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","currentStatus":"needs-owner-choice","accountIdentityPrompt":"Record only the account email or approved staging Telegram bot username.","ownerConfirmationPrompt":"Which Telegram bot username should receive test messages for My Main Agent in staging? Record the answer without credential values.","scopeConfirmationPrompt":"Record the intended staging scope in plain language, without tokens or OAuth values.","safeFields":["Credential name: robot@unsiyyat.com Gmail","Credential type: gmailOAuth2","Owner confirmation: Owner name or approved operator name.","Confirmation timestamp: 2026-05-18T21:10:00+04:00","Account identity: robot@unsiyyat.com or approved staging Telegram bot username.","Telegram scope confirmation: credential name, credential type, bot username, owner confirmation timestamp"],"forbiddenFields":["bot API token","chat private messages","production bot credential value"],"localValidationRecord":{"requiredName":"My Main Agent Telegram Bot","credentialType":"telegramApi","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""}},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","currentStatus":"needs-owner-choice","accountIdentityPrompt":"Record only the account email or approved staging Telegram bot username.","ownerConfirmationPrompt":"Does the OAuth consent/login account show robot@unsiyyat.com and not a personal mailbox? Record the answer without credential values.","scopeConfirmationPrompt":"Record the intended staging scope in plain language, without tokens or OAuth values.","safeFields":["Credential name: robot@unsiyyat.com Gmail","Credential type: gmailOAuth2","Owner confirmation: Owner name or approved operator name.","Confirmation timestamp: 2026-05-18T21:10:00+04:00","Account identity: robot@unsiyyat.com or approved staging Telegram bot username.","Gmail scope confirmation: credential name, credential type, account email, owner mailbox confirmation"],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","private email content"],"localValidationRecord":{"requiredName":"robot@unsiyyat.com Gmail","credentialType":"gmailOAuth2","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""}},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","currentStatus":"missing","accountIdentityPrompt":"Record only the account email or approved staging Telegram bot username.","ownerConfirmationPrompt":"Which calendar account and calendar scope should My Main Agent read or write during staging tests? Record the answer without credential values.","scopeConfirmationPrompt":"Record the intended staging scope in plain language, without tokens or OAuth values.","safeFields":["Credential name: robot@unsiyyat.com Gmail","Credential type: gmailOAuth2","Owner confirmation: Owner name or approved operator name.","Confirmation timestamp: 2026-05-18T21:10:00+04:00","Account identity: robot@unsiyyat.com or approved staging Telegram bot username.","Google Calendar scope confirmation: credential name, credential type, account email, calendar scope confirmation"],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","calendar event private data"],"localValidationRecord":{"requiredName":"robot@unsiyyat.com Google Calendar","credentialType":"googleCalendarOAuth2Api","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""}},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","currentStatus":"missing","accountIdentityPrompt":"Record only the account email or approved staging Telegram bot username.","ownerConfirmationPrompt":"Which contacts account and contacts scope should My Main Agent use during staging tests? Record the answer without credential values.","scopeConfirmationPrompt":"Record the intended staging scope in plain language, without tokens or OAuth values.","safeFields":["Credential name: robot@unsiyyat.com Gmail","Credential type: gmailOAuth2","Owner confirmation: Owner name or approved operator name.","Confirmation timestamp: 2026-05-18T21:10:00+04:00","Account identity: robot@unsiyyat.com or approved staging Telegram bot username.","Google Contacts scope confirmation: credential name, credential type, account email, contacts scope confirmation"],"forbiddenFields":["OAuth access token","OAuth refresh token","client secret value","private contact records"],"localValidationRecord":{"requiredName":"robot@unsiyyat.com Google Contacts","credentialType":"googleContactsOAuth2Api","accountIdentity":"","ownerConfirmedBy":"","confirmedAt":"","scopeConfirmation":"","notes":""}}],"operatorInstructions":["Open this worksheet with the owner present before editing staging credentials.","Read exact credential names and types to the owner; keep credential values inside n8n only.","Fill only safe confirmation fields in a local validation payload after owner confirmation.","Validate records locally, then run dry-run only and stop before backup or apply."],"ownerInstructions":["Create, select, or rename credentials only in the staging n8n credential UI.","Confirm account identity and intended staging scope only.","Do not paste tokens, passwords, client secrets, OAuth values, cookies, or exported credential JSON into chat, docs, logs, or this worksheet."],"localValidationEndpoint":"/credential-evidence-validation","localValidationTemplateEndpoint":"/credential-evidence-validation-template","dryRunCommand":"npm run bind:confirmed-staging-credentials","stopConditions":["Any record includes a credential value, token, password, cookie, OAuth value, client secret, or exported credential JSON.","Any required credential record is missing or duplicated.","Any record uses a production account or a credential name that differs from the binding plan.","The next action would create credentials, bind credentials, run apply, create a backup, run smoke tests, or activate workflows.","The worksheet would need to store submitted owner confirmation records.","The next step would mutate staging, create a backup, bind credentials, run smoke tests, or activate workflows."]},"credentialPostCreationVerification":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"credentialMutationAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"status":"blocked","summary":"4 credential areas still block post-creation dry-run verification.","credentialBlockers":[{"area":"Telegram","status":"needs-owner-choice","detail":"Seven telegramApi credentials exist in staging; owner must choose the bot identity for My Main Agent."},{"area":"Gmail","status":"needs-owner-choice","detail":"One gmailOAuth2 credential exists in staging; verify it matches robot@unsiyyat.com before binding."},{"area":"Google Calendar","status":"missing","detail":"No googleCalendarOAuth2Api credential was found in staging."},{"area":"Google Contacts","status":"missing","detail":"No googleContactsOAuth2Api credential was found in staging."}],"expectedCredentials":[{"credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","requiredFor":["Telegram Trigger","Download File","Response1","Telegram1"]},{"credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","requiredFor":["My main Mail Agent Gmail tool nodes"]},{"credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","requiredFor":["My main Calendar Agent Google Calendar nodes"]},{"credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","requiredFor":["My main Contacts Agent Google Contacts nodes"]}],"dryRunCommand":"npm run bind:confirmed-staging-credentials","forbiddenApplyCommand":"npm run bind:confirmed-staging-credentials -- --apply","checks":[{"id":"safe-confirmation-records","title":"Safe confirmation records exist","status":"blocked","command":"curl -sS http://127.0.0.1:8787/credential-confirmation-template","passCriteria":"Each required credential has owner-confirmed identity and scope recorded without secret values.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts"},{"id":"local-baseline","title":"Local baseline is clean","status":"required","command":"git status --short --branch && npm run verify","passCriteria":"Working tree has only intended local changes and full verification passes.","evidenceToRecord":"Current commit hash, git status summary, and `npm run verify` result."},{"id":"credential-dry-run","title":"Credential binding dry-run finds all expected credentials","status":"blocked","command":"npm run bind:confirmed-staging-credentials","passCriteria":"Command exits 0, reports four found credentials, reports zero missing credentials, and does not use `-- --apply`.","evidenceToRecord":"Dry-run JSON summary with found names, missing count, mode `dry-run`, and checked timestamp."},{"id":"inactive-workflow-proof","title":"Target workflows remain inactive","status":"blocked","command":"npm run audit:staging-credentials","passCriteria":"Audit confirms target workflow activation remains blocked and no workflow activation occurred.","evidenceToRecord":"Audit output summary and target workflow ids."},{"id":"next-gate-review","title":"Next gate is reviewed before mutation","status":"required","command":"curl -sS http://127.0.0.1:8787/credential-binding-apply-packet","passCriteria":"Operator confirms backup, owner approval, and apply are still separate future gates.","evidenceToRecord":"Reviewed apply packet status and stop conditions."}],"passSignals":["Dry-run mode is `dry-run`.","Dry-run found list contains all four expected credential names.","Dry-run missing list is empty.","No credential value, token, password, OAuth access value, OAuth refresh value, cookie, or client secret appears in output.","No workflow is activated.","No command includes `-- --apply`."],"stopConditions":["Dry-run exits non-zero or reports any missing credential.","Dry-run output includes a credential value or secret-like material.","Any selected credential has the wrong bot, mailbox, calendar account, contacts account, or scope.","Any target workflow is active.","An operator attempts backup, binding apply, smoke testing, or workflow activation before explicit owner approval.","The command target points to production or an unexpected n8n instance."]},"credentialSetup":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"workflowActivationAllowed":false,"bindingDryRunAllowed":true,"bindingApplyAllowed":false,"requiredCredentials":[{"area":"Telegram","credentialType":"telegramApi","requiredName":"My Main Agent Telegram Bot","requiredFor":["Telegram Trigger","Download File","Response1","Telegram1"],"setupAction":"Choose or create the staging Telegram bot credential with this exact name.","ownerConfirmation":"Confirm this is the intended staging/test bot before binding.","currentStatus":"needs-owner-choice"},{"area":"Gmail","credentialType":"gmailOAuth2","requiredName":"robot@unsiyyat.com Gmail","requiredFor":["My main Mail Agent Gmail tool nodes"],"setupAction":"Create or rename the Gmail OAuth credential only after verifying the mailbox identity.","ownerConfirmation":"Confirm the OAuth account is robot@unsiyyat.com and not a human/operator inbox.","currentStatus":"needs-owner-choice"},{"area":"Google Calendar","credentialType":"googleCalendarOAuth2Api","requiredName":"robot@unsiyyat.com Google Calendar","requiredFor":["My main Calendar Agent Google Calendar nodes"],"setupAction":"Create the missing Google Calendar OAuth credential in staging with this exact name.","ownerConfirmation":"Confirm the account is allowed to read and write only the intended calendar scope.","currentStatus":"missing"},{"area":"Google Contacts","credentialType":"googleContactsOAuth2Api","requiredName":"robot@unsiyyat.com Google Contacts","requiredFor":["My main Contacts Agent Google Contacts nodes"],"setupAction":"Create the missing Google Contacts OAuth credential in staging with this exact name.","ownerConfirmation":"Confirm the account is allowed to search and manage only the intended contacts scope.","currentStatus":"missing"}],"verificationCommands":["npm run audit:staging-credentials","npm run bind:confirmed-staging-credentials","curl -sS http://127.0.0.1:8787/operator-dashboard"],"stopConditions":["Any target workflow is active before binding.","A credential belongs to the wrong Telegram bot or Google account.","A credential name differs from the required exact name.","A production account or production workflow is selected without explicit owner approval."]},"smokePlan":{"environment":"staging","workflowActivationAllowed":false,"activationRule":"Workflow activation is never automatic; it requires passing staging smoke tests, a fresh backup, and explicit owner approval.","steps":[{"id":"local-readiness-report","title":"Local credential readiness report","risk":"local","requiredCredentialAreas":[],"ownerApprovalRequired":false,"operatorInput":"GET /credential-readiness","expectedResult":"Report shows activation is blocked until all required credentials are available.","status":"ready","blockers":[]},{"id":"confirmed-credential-binding-dry-run","title":"Confirmed credential binding dry-run","risk":"local","requiredCredentialAreas":[],"ownerApprovalRequired":false,"operatorInput":"npm run bind:confirmed-staging-credentials","expectedResult":"Dry-run lists found and missing credentials without changing n8n.","status":"ready","blockers":[]},{"id":"telegram-text-route","title":"Telegram text route through main agent","workflowKey":"main","risk":"side-effecting","requiredCredentialAreas":["Telegram","OpenAI","Tavily"],"ownerApprovalRequired":true,"operatorInput":"Send a short harmless text from an approved test Telegram chat.","expectedResult":"Main agent answers in the test chat and does not call mail, calendar, or contacts tools.","status":"blocked-by-credentials","blockers":["Telegram credential is not available"]},{"id":"telegram-voice-route","title":"Telegram voice route through main agent","workflowKey":"main","risk":"side-effecting","requiredCredentialAreas":["Telegram","OpenAI"],"ownerApprovalRequired":true,"operatorInput":"Send a short harmless voice message from an approved test Telegram chat.","expectedResult":"Voice is transcribed and answered only in the test chat.","status":"blocked-by-credentials","blockers":["Telegram credential is not available"]},{"id":"mail-read-only-search","title":"Mail read-only search","workflowKey":"mail","risk":"live-read","requiredCredentialAreas":["Gmail","OpenAI"],"ownerApprovalRequired":true,"operatorInput":"Ask for a read-only lookup against robot@unsiyyat.com with no reply/send instruction.","expectedResult":"Mail agent returns a summary and creates no draft, reply, label, or send action.","status":"blocked-by-credentials","blockers":["Gmail credential is not available"]},{"id":"mail-draft-only-reply","title":"Mail draft-only reply","workflowKey":"mail","risk":"draft-write","requiredCredentialAreas":["Gmail","OpenAI"],"ownerApprovalRequired":true,"operatorInput":"Ask for a draft reply to a test message only.","expectedResult":"Mail agent creates or proposes only a draft; no email is sent.","status":"blocked-by-credentials","blockers":["Gmail credential is not available"]},{"id":"calendar-read-only-lookup","title":"Calendar read-only lookup","workflowKey":"calendar","risk":"live-read","requiredCredentialAreas":["Google Calendar","OpenAI"],"ownerApprovalRequired":true,"operatorInput":"Ask what is on the approved test calendar for a safe test day.","expectedResult":"Calendar agent reads events and does not create, update, or delete events.","status":"blocked-by-credentials","blockers":["Google Calendar credential is not available"]},{"id":"contacts-read-only-lookup","title":"Contacts read-only lookup","workflowKey":"contacts","risk":"live-read","requiredCredentialAreas":["Google Contacts","OpenAI"],"ownerApprovalRequired":true,"operatorInput":"Ask for a lookup of a known test contact.","expectedResult":"Contacts agent reads the test contact and does not create or update contacts.","status":"blocked-by-credentials","blockers":["Google Contacts credential is not available"]}]},"readinessTimeline":{"environment":"staging","productionTouched":false,"stagingMutationAllowed":false,"credentialMutationAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"status":"ready-for-owner-session","currentStageId":"owner-credential-session","nextSafeStep":"Run the owner credential session and create or select four staging credentials in n8n UI only.","counts":{"done":2,"ready":1,"blocked":4,"ownerApprovalRequired":0,"futureGate":3},"stages":[{"id":"workflow-import-and-relink","title":"Workflow import and relink","status":"done","ownerApprovalRequired":false,"summary":"Staging workflows are imported, main agent tool workflow ids are relinked, and workflows remain inactive.","evidenceToRecord":"Relinked workflow ids and inactive workflow status.","linkedEndpoint":"/workflow-registry","stopCondition":"Any target workflow becomes active before credential binding and smoke testing."},{"id":"local-product-guardrails","title":"Local product guardrails","status":"done","ownerApprovalRequired":false,"summary":"Local API guardrails, audit planning, approval queue, operator console, and documentation are available.","evidenceToRecord":"`npm run verify` result and current commit hash.","linkedEndpoint":"/operator-dashboard","stopCondition":"Local verification fails or the working tree contains unrelated changes."},{"id":"owner-credential-session","title":"Owner credential session","status":"ready","ownerApprovalRequired":true,"summary":"4 staging credential areas still need owner-only creation or selection before dry-run verification.","evidenceToRecord":"My Main Agent Telegram Bot; robot@unsiyyat.com Gmail; robot@unsiyyat.com Google Calendar; robot@unsiyyat.com Google Contacts","linkedEndpoint":"/credential-owner-session-plan","stopCondition":"Credential values appear outside n8n credential UI or account identity cannot be confirmed."},{"id":"post-creation-dry-run","title":"Post-creation dry-run","status":"blocked","ownerApprovalRequired":false,"summary":"4 credential areas still block post-creation dry-run verification.","evidenceToRecord":"Dry-run mode is `dry-run`.; Dry-run found list contains all four expected credential names.; Dry-run missing list is empty.; No credential value, token, password, OAuth access value, OAuth refresh value, cookie, or client secret appears in output.; No workflow is activated.; No command includes `-- --apply`.","linkedEndpoint":"/credential-post-creation-verification","stopCondition":"Dry-run reports missing credentials, wrong account identity, active workflows, or secret-like output."},{"id":"staging-backup-preflight","title":"Staging backup preflight","status":"blocked","ownerApprovalRequired":true,"summary":"Preflight checklist for the backup that must exist before any owner-approved staging credential binding apply step.","evidenceToRecord":"Backup path, workflow export path, timestamp, host, size, and restore operator.","linkedEndpoint":"/staging-backup-checklist","stopCondition":"Backup or workflow export is missing, stale, or points to production."},{"id":"credential-binding-apply","title":"Credential binding apply","status":"blocked","ownerApprovalRequired":true,"summary":"4 credential areas still block the staging binding apply step.","evidenceToRecord":"operator; owner approval timestamp; git commit hash; staging URL; backup path; workflow export path; dry-run output summary; apply command; post-apply audit result","linkedEndpoint":"/credential-binding-apply-packet","stopCondition":"Owner approval is missing, workflows are active, backup is missing, or target is production."},{"id":"staging-smoke-tests","title":"Staging smoke tests","status":"blocked","ownerApprovalRequired":true,"summary":"Smoke tests are blocked until Telegram, Gmail, Google Calendar, and Google Contacts credentials are ready.","evidenceToRecord":"local-readiness-report; confirmed-credential-binding-dry-run; telegram-text-route; telegram-voice-route; mail-read-only-search; mail-draft-only-reply; calendar-read-only-lookup; contacts-read-only-lookup","linkedEndpoint":"/staging-smoke-plan","stopCondition":"Any smoke step needs non-test private data, causes an unintended side effect, or lacks approval."},{"id":"controlled-n8n-adapter","title":"Controlled n8n adapter","status":"future-gate","ownerApprovalRequired":true,"summary":"Programmatic backend should execute n8n only after credentials, smoke tests, auth, audit, and timeouts are ready.","evidenceToRecord":"Adapter implementation commit, approval id, timeout/retry behavior, and audit trace.","linkedEndpoint":"/n8n-adapter-plan","stopCondition":"Live n8n call would run without durable audit, operator auth, approval id, or tested credentials."},{"id":"workflow-activation","title":"Workflow activation","status":"future-gate","ownerApprovalRequired":true,"summary":"Workflow activation remains a separate owner-approved operation after staging passes.","evidenceToRecord":"Owner approval, inactive-to-active change record, rollback path, and post-activation health check.","linkedEndpoint":"/workflow-activation-gate","stopCondition":"Activation is attempted before staging smoke tests, backup evidence, and rollback proof."},{"id":"production-cutover","title":"Production cutover","status":"future-gate","ownerApprovalRequired":true,"summary":"The product is not production-ready; clear blocked and hardening gates first.","evidenceToRecord":"Owner approval, production backup proof, rollback path, staging pass record, and deployment target.","linkedEndpoint":"/product-readiness","stopCondition":"Any staging, backup, auth, audit, adapter, runtime safety, or owner approval gate remains open."}],"stopConditions":["Any target workflow is active before credential binding, smoke testing, or activation approval.","Any credential value, token, client secret, password, cookie, OAuth access value, or OAuth refresh value appears outside n8n credential UI.","A required credential is missing or points to the wrong Telegram bot, mailbox, calendar account, or contacts account.","A command target points to production or an unexpected n8n instance.","Backup, apply, live smoke testing, workflow activation, or production work is attempted without explicit owner approval."]},"operationRunbook":{"environment":"staging","productionTouched":false,"stagingMutationAllowed":false,"workflowActivationAllowed":false,"currentStage":"credential creation or selection","summary":"4 credential areas still block staging smoke tests and workflow activation.","credentialBlockers":[{"area":"Telegram","status":"needs-owner-choice","detail":"Seven telegramApi credentials exist in staging; owner must choose the bot identity for My Main Agent."},{"area":"Gmail","status":"needs-owner-choice","detail":"One gmailOAuth2 credential exists in staging; verify it matches robot@unsiyyat.com before binding."},{"area":"Google Calendar","status":"missing","detail":"No googleCalendarOAuth2Api credential was found in staging."},{"area":"Google Contacts","status":"missing","detail":"No googleContactsOAuth2Api credential was found in staging."}],"steps":[{"id":"local-baseline","title":"Confirm local baseline","status":"ready","ownerApprovalRequired":false,"action":"Run local verification and check the operator dashboard before any staging operation.","evidenceToRecord":"`npm run verify` result and current commit hash.","linkedEndpoint":"/operator-dashboard","stopCondition":"Local verification fails or the working tree contains unrelated changes."},{"id":"credential-create-or-select","title":"Create or select staging credentials","status":"owner-action-required","ownerApprovalRequired":true,"action":"Create or identify exact staging credentials: telegramApi: My Main Agent Telegram Bot; gmailOAuth2: robot@unsiyyat.com Gmail; googleCalendarOAuth2Api: robot@unsiyyat.com Google Calendar; googleContactsOAuth2Api: robot@unsiyyat.com Google Contacts.","evidenceToRecord":"Credential names, credential types, account identity confirmation, and owner confirmation.","linkedEndpoint":"/credential-setup-checklist","stopCondition":"A credential belongs to the wrong bot, mailbox, calendar, contact account, or production environment."},{"id":"credential-binding-dry-run","title":"Run confirmed credential binding dry-run","status":"blocked","ownerApprovalRequired":false,"action":"Run `npm run bind:confirmed-staging-credentials` without apply.","evidenceToRecord":"Dry-run output showing all expected credentials found and no active target workflows.","linkedEndpoint":"/credential-setup-checklist","stopCondition":"Dry-run reports missing credentials or any target workflow is active."},{"id":"staging-backup-window","title":"Prepare owner-approved staging backup","status":"blocked","ownerApprovalRequired":true,"action":"Create a fresh staging n8n database backup and export target workflow JSON immediately before apply.","evidenceToRecord":"Backup path, timestamp, size, host, workflow export path, and restore operator.","linkedEndpoint":"/staging-backup-checklist","stopCondition":"Backup or restore path is missing, stale, or points to production."},{"id":"credential-binding-apply","title":"Apply staging credential binding","status":"blocked","ownerApprovalRequired":true,"action":"Run the confirmed binding script with apply only after backup and inactive workflow checks.","evidenceToRecord":"Apply command, timestamp, target workflow inactive status, and post-apply audit result.","linkedEndpoint":"/credential-setup-checklist","stopCondition":"Owner approval is absent, workflows are active, or production is targeted."},{"id":"staging-fixtures","title":"Run synthetic staging smoke fixtures","status":"blocked","ownerApprovalRequired":true,"action":"Run fixtures in order: Telegram text, Telegram voice, mail read-only, mail draft-only, calendar read-only, contacts read-only.","evidenceToRecord":"Fixture id, operator, expected result, forbidden outcomes checked, and audit event id.","linkedEndpoint":"/staging-test-fixtures","stopCondition":"Any fixture produces a forbidden outcome or requires non-test private data."},{"id":"controlled-adapter-live","title":"Enable controlled n8n adapter live path","status":"future","ownerApprovalRequired":true,"action":"Implement live calls only after credentials, smoke tests, operator auth, and audit durability are ready.","evidenceToRecord":"Adapter implementation commit, approval policy, timeout behavior, and audit trace.","linkedEndpoint":"/n8n-adapter-plan","stopCondition":"Live execution would start without durable audit, approval id, or tested staging credentials."},{"id":"production-cutover","title":"Review production cutover","status":"future","ownerApprovalRequired":true,"action":"Review production cutover only after staging passes and rollback is confirmed.","evidenceToRecord":"Owner approval, backup/restore proof, rollback path, staging pass record, and deployment target.","linkedEndpoint":"/product-readiness","stopCondition":"Any staging, backup, runtime safety, auth, audit, adapter, or owner approval gate remains open."}],"ownerApprovalRequiredBefore":["Selecting or creating credentials tied to real external accounts.","Creating staging backups immediately before apply.","Applying staging credential bindings.","Running any live-read, draft-write, or side-effecting smoke fixture.","Implementing or enabling live n8n workflow execution.","Touching production, production credentials, production data, DNS, or hosting variables."],"stopConditions":["Any command points to production unexpectedly.","A required credential is missing or has the wrong account identity.","A target workflow is active before credential binding or smoke tests.","A backup, workflow export, or restore path is missing before apply.","A smoke fixture needs non-test private data or produces a forbidden outcome."]},"testFixtures":{"environment":"staging","productionTouched":false,"workflowActivationAllowed":false,"liveExecutionAllowed":false,"purpose":"Provide synthetic operator inputs and expected outcomes for owner-approved staging smoke tests after credentials are ready.","fixtures":[{"id":"fixture-telegram-text-safe","smokeStepId":"telegram-text-route","title":"Telegram text direct-answer fixture","workflowKey":"main","channel":"telegram-text","risk":"side-effecting","requiredCredentialAreas":["Telegram","OpenAI","Tavily"],"ownerApprovalRequired":true,"sampleOperatorInput":"Test route only. Reply with one short sentence and do not use mail, calendar, or contacts.","expectedResult":"The approved test chat receives one short response and no tool workflow is called.","forbiddenOutcomes":["No mail lookup.","No calendar lookup.","No contact lookup.","No production chat."],"status":"blocked-by-credentials","blockers":["Telegram credential is not available"]},{"id":"fixture-telegram-voice-safe","smokeStepId":"telegram-voice-route","title":"Telegram voice transcription fixture","workflowKey":"main","channel":"telegram-voice","risk":"side-effecting","requiredCredentialAreas":["Telegram","OpenAI"],"ownerApprovalRequired":true,"sampleOperatorInput":"Voice transcript: test voice route only, answer in one short sentence.","expectedResult":"The voice text is transcribed and answered only in the approved test chat.","forbiddenOutcomes":["No mail lookup.","No calendar lookup.","No contact lookup.","No production chat."],"status":"blocked-by-credentials","blockers":["Telegram credential is not available"]},{"id":"fixture-mail-read-only","smokeStepId":"mail-read-only-search","title":"Mail read-only fixture","workflowKey":"mail","channel":"operator-api","risk":"live-read","requiredCredentialAreas":["Gmail","OpenAI"],"ownerApprovalRequired":true,"sampleOperatorInput":"Find messages with subject marker TEST-MMA-READONLY and summarize only. Do not draft, label, reply, or send.","expectedResult":"The mail agent returns a summary or a not-found result without modifying the mailbox.","forbiddenOutcomes":["No draft.","No reply.","No send.","No label change.","No archive/delete."],"status":"blocked-by-credentials","blockers":["Gmail credential is not available"]},{"id":"fixture-mail-draft-only","smokeStepId":"mail-draft-only-reply","title":"Mail draft-only fixture","workflowKey":"mail","channel":"operator-api","risk":"draft-write","requiredCredentialAreas":["Gmail","OpenAI"],"ownerApprovalRequired":true,"sampleOperatorInput":"Prepare a draft reply to subject marker TEST-MMA-DRAFT with the text: Test received. Do not send.","expectedResult":"The mail agent prepares only a draft or draft plan and sends nothing.","forbiddenOutcomes":["No send.","No label change.","No archive/delete.","No reply without draft confirmation."],"status":"blocked-by-credentials","blockers":["Gmail credential is not available"]},{"id":"fixture-calendar-read-only","smokeStepId":"calendar-read-only-lookup","title":"Calendar read-only fixture","workflowKey":"calendar","channel":"operator-api","risk":"live-read","requiredCredentialAreas":["Google Calendar","OpenAI"],"ownerApprovalRequired":true,"sampleOperatorInput":"Check the approved test calendar on 2026-06-02 for TEST-MMA-READONLY. Do not create, update, or delete events.","expectedResult":"The calendar agent returns matching test-calendar availability or a not-found result without writes.","forbiddenOutcomes":["No event creation.","No event update.","No event deletion.","No invite send."],"status":"blocked-by-credentials","blockers":["Google Calendar credential is not available"]},{"id":"fixture-contacts-read-only","smokeStepId":"contacts-read-only-lookup","title":"Contacts read-only fixture","workflowKey":"contacts","channel":"operator-api","risk":"live-read","requiredCredentialAreas":["Google Contacts","OpenAI"],"ownerApprovalRequired":true,"sampleOperatorInput":"Look up the approved test contact named TEST MMA Contact. Do not create or update contacts.","expectedResult":"The contacts agent returns the test contact or a not-found result without changing contacts.","forbiddenOutcomes":["No contact creation.","No contact update.","No merge.","No delete."],"status":"blocked-by-credentials","blockers":["Google Contacts credential is not available"]}],"rules":["Use only approved staging credentials and approved test chats, mail markers, calendars, and contacts.","Run fixtures in the same order as the staging smoke plan.","Record audit metadata before every live-read, draft-write, or side-effecting test.","Stop immediately if a fixture produces a forbidden outcome.","Keep workflows inactive unless the owner separately approves activation."],"stopConditions":["Any required staging credential is still missing.","The operator cannot confirm that the input uses synthetic test data.","A fixture would touch production chat, mailbox, calendar, or contacts.","The expected result cannot be verified without reading private live data beyond the test marker.","The workflow attempts a forbidden outcome."]},"backupChecklist":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"backupExecutionAllowed":false,"credentialBindingAllowed":false,"purpose":"Preflight checklist for the backup that must exist before any owner-approved staging credential binding apply step.","steps":[{"id":"git-clean","title":"Confirm local code state is committed","status":"required","detail":"Run local verification and keep a commit hash for the exact product shell used during the operation.","evidenceToRecord":"Git commit hash and `npm run verify` result."},{"id":"workflows-inactive","title":"Confirm target workflows are inactive","status":"required","detail":"Credential binding must not run if any target workflow is active.","evidenceToRecord":"Inactive status for main, mail, calendar, and contacts workflows."},{"id":"credential-dry-run","title":"Run confirmed credential binding dry-run","status":"required","detail":"Dry-run must find all expected credentials before any apply step is considered.","evidenceToRecord":"`npm run bind:confirmed-staging-credentials` output."},{"id":"database-backup","title":"Create staging n8n database backup","status":"blocked-until-owner-approval","detail":"Create a fresh staging database backup immediately before applying credential bindings.","evidenceToRecord":"Backup path, timestamp, size, and host where it is stored."},{"id":"workflow-export","title":"Export target workflow JSON","status":"blocked-until-owner-approval","detail":"Export the current staging workflow definitions before applying any binding changes.","evidenceToRecord":"Export path and workflow ids included in the export."},{"id":"restore-path","title":"Record restore path","status":"manual-record","detail":"Rollback should be deactivation plus restoring exported workflow JSON before any database restore is considered.","evidenceToRecord":"Restore operator, restore target, and rollback decision point."}],"verificationCommands":["git status --short --branch","npm run verify","npm run bind:confirmed-staging-credentials","ssh apps-01-cloud 'cd /srv/stacks/n8n && docker compose ps'","curl -sS http://127.0.0.1:8787/operator-dashboard"],"stopConditions":["Any target workflow is active.","Credential dry-run still reports missing credentials.","Backup path or restore path is not recorded.","Owner has not approved the staging backup and binding apply window.","Any command points to production instead of staging."]},"durableStoragePlan":{"environment":"local-design","productionTouched":false,"databaseMutationAllowed":false,"migrationApplyAllowed":false,"targetSelected":false,"summary":"Durable PostgreSQL storage is designed locally, but no database target has been selected and no migration has been applied.","migrations":[{"id":"001_control_plane","path":"db/migrations/001_control_plane.sql","purpose":"Create workflow_registry, audit_events, and approval_requests tables with indexes and privacy comments.","status":"local-file-ready","applyStatus":"not-applied"},{"id":"002_seed_workflow_registry","path":"db/migrations/002_seed_workflow_registry.sql","purpose":"Seed logical workflow ids, sanitized export paths, and risky action categories.","status":"local-file-ready","applyStatus":"not-applied"},{"id":"003_contact_capture_audit","path":"db/migrations/003_contact_capture_audit.sql","purpose":"Plan Contact Capture cases, audit events, approval packets, and verified result metadata.","status":"planned-only","applyStatus":"not-applied"},{"id":"004_contact_capture_case_store","path":"db/migrations/004_contact_capture_case_store.sql","purpose":"Plan redacted Contact Capture case snapshots, state history, and idempotency keys.","status":"planned-only","applyStatus":"not-applied"},{"id":"005_contact_capture_execution_results","path":"db/migrations/005_contact_capture_execution_results.sql","purpose":"Plan redacted Contact Capture execution result metadata, safe references, and notification readiness.","status":"local-file-ready","applyStatus":"not-applied"}],"tables":[{"name":"workflow_registry","purpose":"Map product workflow keys to staging and future production workflow ids.","privacy":"No secrets; stores workflow metadata and risky action categories."},{"name":"audit_events","purpose":"Persist action audit metadata for planned or blocked requests.","privacy":"Stores message length and SHA-256 fingerprint, never raw message text."},{"name":"approval_requests","purpose":"Persist approval queue state and operator decision metadata.","privacy":"Stores message length and SHA-256 fingerprint, never raw message text."},{"name":"contact_capture_case_snapshots","purpose":"Future latest-state store for redacted Contact Capture pipeline snapshots.","privacy":"Stores state, fingerprints, field presence, and hashed references; never raw contact values."},{"name":"contact_capture_case_state_history","purpose":"Future append-only state history for Contact Capture scanner, review, approval, and execution gates.","privacy":"Stores state metadata and safe references only; never raw images or n8n execution payloads."},{"name":"contact_capture_case_idempotency","purpose":"Future idempotency-key ledger for retry-safe durable case writes.","privacy":"Stores idempotency keys and record fingerprints only."},{"name":"contact_capture_execution_results","purpose":"Future append-only result metadata store for verified or blocked Contact Capture executions.","privacy":"Stores safe references, counts, readiness, and fingerprints; never raw contact values or execution payloads."}],"preconditions":["Choose a product database target and owner-approved hosting environment.","Record database secret location outside Git.","Confirm backup and restore path for the chosen database target.","Run npm run verify before applying any migration.","Apply migrations first to a disposable or staging product database, not production."],"stopConditions":["No database target has been selected.","Database credentials would need to be committed or pasted into docs.","Backup and restore path is not documented.","Owner has not approved migration apply against a non-local database.","Any command points to production without explicit production approval."]},"operatorAuthPlan":{"environment":"local-runtime","productionTouched":false,"authConfigured":false,"approvalDecisionAuthRequired":true,"keyExposureAllowed":false,"summary":"Operator approval decisions are blocked until an operator key is configured in the runtime environment.","requiredHeaders":[{"name":"Authorization","purpose":"Send the operator bearer value with approval decision requests.","required":true},{"name":"X-Operator-Name","purpose":"Record the human or orchestrator identity that made the approval decision.","required":true}],"setupSteps":[{"id":"create-operator-key","title":"Create an operator key outside Git","status":"required","detail":"Generate and store the operator approval key in the runtime secret store, not in project files.","evidenceToRecord":"Secret store path or hosting variable name only; never the value."},{"id":"configure-runtime-env","title":"Configure the local or staging runtime","status":"required","detail":"Set the runtime operator key before approval decisions are accepted.","evidenceToRecord":"Runtime environment name and timestamp."},{"id":"verify-approval-auth","title":"Verify approval auth behavior","status":"required","detail":"Check that missing auth fails and that valid operator headers can record a decision without starting workflow execution.","evidenceToRecord":"HTTP status codes for unauthenticated and authenticated approval decision checks."}],"verificationCommands":["npm run verify","curl -sS http://127.0.0.1:8787/operator-auth-plan","curl -sS http://127.0.0.1:8787/runtime-safety","curl -sS http://127.0.0.1:8787/product-readiness"],"stopConditions":["The operator key would need to be committed, pasted into docs, or shown in logs.","Approval decision requests are accepted without Authorization and X-Operator-Name headers.","A production runtime variable change is needed without explicit owner approval.","Workflow execution would start as part of an approval decision."]},"n8nAdapterPlan":{"environment":"local-design","productionTouched":false,"n8nBaseUrl":"https://n8n.qqq.az","productionTargetDetected":false,"apiKeyConfigured":false,"liveReadCallsEnabled":false,"liveExecutionImplemented":false,"liveExecutionAllowed":false,"workflowActivationAllowed":false,"summary":"The n8n adapter is still plan-only: it can describe targets and gates, but it cannot start live workflow execution.","modes":[{"id":"plan-only","status":"ready","purpose":"Build a target workflow plan without contacting n8n.","requirement":"No credentials, activation, or owner approval required."},{"id":"live-read-inspection","status":"blocked","purpose":"Read workflow metadata from staging n8n for approved inspection.","requirement":"Requires staging n8n API key, live-read flag, non-production target, and owner-approved inspection window."},{"id":"owner-approved-live","status":"not-implemented","purpose":"Execute a controlled workflow call after audit, approval, and smoke-test gates.","requirement":"Requires implementation work, durable audit storage, operator auth, staging smoke pass, and explicit owner approval."}],"workflowTargets":[{"key":"main","id":"-ttDaAFTtNUY7F2ki2tBG","name":"My Main  Agent","riskyActions":["telegram_reply","tool_delegation"]},{"key":"mail","id":"stJ-rEGPqqrDzZj952Kjg","name":"My main Mail Agent (robot@unsiyyat.com)","riskyActions":["email_send","email_reply","email_label"]},{"key":"calendar","id":"0irU8FhhyuCVfTvqYy5Fq","name":"My main Calendar Agent","riskyActions":["calendar_create","calendar_update","calendar_delete"]},{"key":"contacts","id":"_GfziU7DciaaNQtv6mGOk","name":"My main Contacts Agent","riskyActions":["contact_create","contact_update"]}],"implementationControls":["Use plan-only mode as the default path.","Record an audit event before any future live workflow call.","Require an approval request id for side-effecting or write-capable workflow calls.","Use short request timeouts and structured n8n client errors.","Keep workflow activation outside the adapter and behind owner approval.","Do not store raw private user message text in adapter logs."],"preconditions":["All staging credentials are available and bound while workflows remain inactive.","Staging smoke tests pass in order, starting with read-only checks.","Operator auth is configured in the runtime secret store.","Audit and approval state is durable or explicitly accepted as staging-only.","n8n target points to staging, not production."],"verificationCommands":["npm run verify","curl -sS http://127.0.0.1:8787/n8n-adapter-plan","curl -sS http://127.0.0.1:8787/n8n/execution-plan","curl -sS http://127.0.0.1:8787/runtime-safety"],"stopConditions":["The n8n target points to production without explicit owner approval.","Live execution would start without a durable audit event.","A side-effecting request has no approval request id.","Required staging credentials or smoke tests are still blocked.","Any workflow activation is required to test the adapter."]},"workflowActivationGate":{"environment":"staging","stagingUrl":"https://n8n.qqq.az","productionTouched":false,"stagingMutationAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"productionCutoverAllowed":false,"status":"blocked","summary":"16 blockers prevent workflow activation.","targetWorkflows":[{"key":"main","name":"My Main  Agent","importedWorkflowId":"-ttDaAFTtNUY7F2ki2tBG","riskyActions":["telegram_reply","tool_delegation"],"activationAllowed":false},{"key":"mail","name":"My main Mail Agent (robot@unsiyyat.com)","importedWorkflowId":"stJ-rEGPqqrDzZj952Kjg","riskyActions":["email_send","email_reply","email_label"],"activationAllowed":false},{"key":"calendar","name":"My main Calendar Agent","importedWorkflowId":"0irU8FhhyuCVfTvqYy5Fq","riskyActions":["calendar_create","calendar_update","calendar_delete"],"activationAllowed":false},{"key":"contacts","name":"My main Contacts Agent","importedWorkflowId":"_GfziU7DciaaNQtv6mGOk","riskyActions":["contact_create","contact_update"],"activationAllowed":false}],"activationBlockers":["Telegram credential is not available: Seven telegramApi credentials exist in staging; owner must choose the bot identity for My Main Agent.","Gmail credential is not available: One gmailOAuth2 credential exists in staging; verify it matches robot@unsiyyat.com before binding.","Google Calendar credential is not available: No googleCalendarOAuth2Api credential was found in staging.","Google Contacts credential is not available: No googleContactsOAuth2Api credential was found in staging.","6 smoke-test steps are blocked by credentials.","Staging credentials: 4 required credential areas are not ready.","Staging smoke tests: 6 smoke-test steps are still blocked by credentials.","Audit and approval storage: Audit and approval state is currently in-memory and is suitable only for local/staging product work.","Operator authentication: Approval decisions currently accept a typed operator name and are not authenticated.","n8n execution adapter: The product shell plans and records actions but does not execute n8n workflows.","Contact Capture OCR provider: Contact Capture OCR provider remains default-off; live provider execution, HTTP runtime wiring, raw image handling, credential/token access, and post-OCR verification still require separate Strict Control approval.","Contact Capture duplicate-read adapter: Contact Capture duplicate-read adapter remains default-off; CONTACT_CAPTURE_DUPLICATE_READ_ADAPTER_ENABLED, adapter enablement, Google Contacts read runtime, credential/token access, exact-query/personFields review, post-read verification, and duplicate-result intake still require separate Strict Control approval.","Contact Capture durable result storage: Contact Capture durable result storage remains default-off; migration apply, runtime adapter switching, durable result writes, result repository persistence, completion proof, post-write verification, and notification handoff still require separate Strict Control approval.","Completion notification sender: Completion notification sender remains default-off; live transport wiring and post-send verification still require separate Strict Control approval.","Production cutover: A cutover plan exists and still requires explicit owner approval.","Telegram response node `Telegram1` has a suspicious chatId expression and must be verified in a test chat before activation."],"checks":[{"id":"credentials-bound","title":"Required credentials are bound","status":"blocked","detail":"Telegram, Gmail, Google Calendar, and Google Contacts credentials must be available and bound in staging.","evidenceToRecord":"Credential dry-run and post-apply audit output with all expected credentials found."},{"id":"smoke-tests-passed","title":"Staging smoke tests passed","status":"blocked","detail":"Telegram text, Telegram voice, mail, calendar, and contacts smoke tests must pass with test data only.","evidenceToRecord":"local-readiness-report; confirmed-credential-binding-dry-run; telegram-text-route; telegram-voice-route; mail-read-only-search; mail-draft-only-reply; calendar-read-only-lookup; contacts-read-only-lookup"},{"id":"backup-and-rollback","title":"Backup and rollback path is recorded","status":"owner-approval-required","detail":"Preflight checklist for the backup that must exist before any owner-approved staging credential binding apply step.","evidenceToRecord":"Backup path, workflow export path, restore operator, and rollback decision point."},{"id":"operator-guardrails","title":"Operator guardrails are ready","status":"blocked","detail":"Operator auth, durable audit, approval storage, adapter controls, and runtime safety must be production-ready.","evidenceToRecord":"Product readiness report with no blocked or hardening gates."},{"id":"owner-activation-approval","title":"Owner approves activation window","status":"owner-approval-required","detail":"Workflow activation is a staging mutation and must be approved separately from credentials, backup, and smoke tests.","evidenceToRecord":"Owner name, approval timestamp, staging URL, workflow ids, rollback path, and expected activation window."}],"ownerApprovalFields":["owner name","approval timestamp","staging URL","workflow ids","test chat identity","backup path","workflow export path","rollback decision point","post-activation health check command"],"stopConditions":["Any required credential is missing, unbound, or points to the wrong account identity.","Any staging smoke test has not passed with approved test data.","Backup, workflow export, restore operator, or rollback path is missing.","Telegram replies cannot be constrained to the approved test chat.","Owner activation approval is missing or not specific to the staging activation window.","The target points to production or an unexpected n8n instance."]},"restorationCheckpoint":{"environment":"production","productionUrl":"https://n8n.2ai.az","productionTouched":true,"productionMutationAllowed":false,"stagingMutationAllowed":false,"credentialMutationAllowed":false,"bindingApplyAllowed":false,"workflowActivationAllowed":false,"liveSmokeAllowed":false,"status":"production-verified-result-guards-applied","currentStage":{"id":"verified-result-smoke-awaiting-owner-message","title":"Verified result smoke awaiting owner message","status":"awaiting-owner-telegram-test","ownerApprovalRequired":false,"summary":"Production My Main Agent and the Mail, Calendar, and Contacts subagent workflows are active. Verified-result guards are now installed on the main workflow and all three Google subagents, so write-action completion should only be reported after a structured ok=true and verified=true result. The remaining check is an owner-sent Telegram smoke message through Agent UNT.","linkedEndpoint":"/workflow-activation-gate"},"completedStageIds":["workflow-import-and-relink-analysis","local-product-guardrails","production-readonly-inspection","production-core-repair-applied","production-i2ai-credential-binding","production-workflow-activation","controlled-telegram-ping-smoke-test","production-agent-unt-contacts-diagnostic","production-contacts-entry-repair","production-subagent-activation","production-verified-result-guards"],"blockedStageIds":["verified-result-smoke-test-awaiting-owner-message"],"ownerApprovalStageIds":["verified-result-smoke-test"],"futureGateIds":["mail-calendar-contacts-write-smoke-tests","programmatic-product-wrapper","production-hardening-review"],"credentialBlockers":[],"nextSafeStep":"Ask the owner to send a controlled contacts smoke message to Agent UNT in Telegram, then inspect the new main and Contacts executions for verified-result guard output.","safeLocalCommands":["git status --short --branch && npm run verify","npm --silent run checkpoint","npm run guard:production-results","curl -sS http://127.0.0.1:8787/restoration-checkpoint","curl -sS https://n8n.2ai.az/healthz"],"ownerSessionEndpoint":"/credential-owner-session-bundle","ownerWorksheetEndpoint":"/credential-owner-worksheet","evidenceTemplateEndpoint":"/credential-evidence-validation-template","stopBefore":["Production write smoke tests, SSH host-key changes, DNS, hosting variables, or live production data work without a fresh explicit owner approval.","Creating or changing production credentials without the owner present in the n8n credential UI.","Credential values outside the n8n credential UI.","Additional production workflow repair, credential binding apply, guard apply with -- --apply, or side-effecting smoke tests without explicit owner approval.","Any command that targets an unexpected n8n instance."]},"runtimeSafety":{"status":"needs-attention","service":"my-main-mail-agent","n8nBaseUrl":"https://n8n.qqq.az","liveN8nReadCallsEnabled":false,"n8nApiKeyConfigured":false,"operatorAuthConfigured":false,"secretaryWebLiveEnabled":true,"secretaryWebAccessTokenConfigured":true,"secretaryN8nWebhookConfigured":true,"secretaryN8nWebhookSecretConfigured":true,"liveWorkflowExecutionImplemented":false,"productionTargetDetected":false,"blockers":["operator auth is not configured"],"notes":["n8n workflow execution is not implemented in this product shell","web live secretary calls use a separate n8n webhook bridge when explicitly enabled","approval decisions require operator auth","production changes require explicit owner approval"]},"productReadiness":{"readyForOwnerApprovedSmoke":false,"readyForProduction":false,"summary":"The product is not production-ready; clear blocked and hardening gates first.","gates":[{"id":"staging-credentials","title":"Staging credentials","status":"blocked","detail":"4 required credential areas are not ready.","nextAction":"Create or identify Telegram, Gmail, Google Calendar, and Google Contacts staging credentials."},{"id":"staging-smoke-tests","title":"Staging smoke tests","status":"blocked","detail":"6 smoke-test steps are still blocked by credentials.","nextAction":"Clear credential blockers before running Telegram, mail, calendar, or contacts tests."},{"id":"audit-and-approval-storage","title":"Audit and approval storage","status":"needs-hardening","detail":"Audit and approval state is currently in-memory and is suitable only for local/staging product work.","nextAction":"Add durable PostgreSQL-backed audit and approval tables before production."},{"id":"operator-auth","title":"Operator authentication","status":"needs-hardening","detail":"Approval decisions currently accept a typed operator name and are not authenticated.","nextAction":"Add authenticated operator identity before production approval flows."},{"id":"n8n-execution-adapter","title":"n8n execution adapter","status":"needs-hardening","detail":"The product shell plans and records actions but does not execute n8n workflows.","nextAction":"Add a controlled n8n adapter only after staging credentials and smoke tests are ready."},{"id":"contact-capture-ocr-provider","title":"Contact Capture OCR provider","status":"owner-approval-required","detail":"Contact Capture OCR provider remains default-off; live provider execution, HTTP runtime wiring, raw image handling, credential/token access, and post-OCR verification still require separate Strict Control approval.","nextAction":"Review the OCR live-window runbook before enabling feature flags, wiring the OCR adapter, accessing credentials, or executing a provider."},{"id":"contact-capture-duplicate-read-adapter","title":"Contact Capture duplicate-read adapter","status":"owner-approval-required","detail":"Contact Capture duplicate-read adapter remains default-off; CONTACT_CAPTURE_DUPLICATE_READ_ADAPTER_ENABLED, adapter enablement, Google Contacts read runtime, credential/token access, exact-query/personFields review, post-read verification, and duplicate-result intake still require separate Strict Control approval.","nextAction":"Review the duplicate-read live-window runbook before enabling CONTACT_CAPTURE_DUPLICATE_READ_ADAPTER_ENABLED, enabling the adapter, accessing credentials, or reading Google Contacts."},{"id":"contact-capture-durable-result-storage","title":"Contact Capture durable result storage","status":"owner-approval-required","detail":"Contact Capture durable result storage remains default-off; migration apply, runtime adapter switching, durable result writes, result repository persistence, completion proof, post-write verification, and notification handoff still require separate Strict Control approval.","nextAction":"Review the durable result storage live-window runbook before applying migrations, switching adapters, writing durable results, or claiming completion proof."},{"id":"completion-notification-sender","title":"Completion notification sender","status":"owner-approval-required","detail":"Completion notification sender remains default-off; live transport wiring and post-send verification still require separate Strict Control approval.","nextAction":"Review the Notification Sender Strict Control request before enabling feature flags, wiring Telegram/email transport, or sending notifications."},{"id":"production-cutover","title":"Production cutover","status":"owner-approval-required","detail":"A cutover plan exists and still requires explicit owner approval.","nextAction":"Review the cutover plan with the owner before touching production."}]},"approvalRequests":[],"auditEvents":[]}