{"ok":true,"meta":{"generatedAt":"2026-06-30T13:17:27.211Z"},"data":{"version":"tzv3-admin-security-audit-policy-v1","endpoint":"/api/admin/security-audit-policy","command":"npm run admin:audit","script":"scripts/tzv3-admin-audit.mjs","requiredEnvironment":["ADMIN_API_TOKEN","ADMIN_SESSION_SECRET"],"endpoints":{"session":"/api/admin/session","auditPolicy":"/api/admin/audit/policy","protectedAuditRead":"/api/admin/audit","protectedProfileContract":"/api/admin/profiles","adminConsole":"/admin","profileEditor":"/admin/profiles"},"expectedPolicy":{"sessionTransport":"httpOnly-signed-cookie","sessionCookieName":"artesc_admin_session","sessionTtlSeconds":43200,"cookieHttpOnly":true,"cookieSameSite":"Lax","cookieSecureInProduction":true,"browserStorageTokenPersistence":false,"apiHeaderFallbackAllowedForScripts":true,"adminUiNoindex":true,"protectedEndpointsRejectAnonymous":true,"auditRequiresAdminToken":true,"recordedActions":["profile.upsert","profile.delete","catalog.seed","review.submit","review.publish","review.unpublish"]},"noWriteChecks":["GET /api/admin/security-audit-policy","GET /api/admin/session","GET /api/admin/audit/policy","GET /admin","GET /admin/profiles","GET /api/admin/audit without credentials and expect 401/403/503, never 2xx.","GET /api/admin/profiles without credentials and expect 401/403/503, never 2xx.","Do not POST /api/admin/session, /api/admin/profiles, /api/admin/seed, /api/admin/reviews, or /api/admin/content-review during audit."],"productionReady":false,"productionBlockers":["ADMIN_API_TOKEN","ADMIN_SESSION_SECRET"],"safety":{"mode":"read-only","writes":false,"printsSecrets":false,"note":"The admin audit only reads session, policy, public admin shell, and anonymous rejection boundaries. It does not create sessions, mutate profiles, seed data, moderate reviews, or print admin tokens."}}}