{"ok":true,"meta":{"generatedAt":"2026-06-30T13:23:05.972Z"},"data":{"version":"tzv3-vip-club-audit-policy-v1","endpoint":"/api/club/audit-policy","command":"npm run club:audit","script":"scripts/tzv3-club-audit.mjs","handoffEndpoint":"/api/club/handoff-policy","policyEndpoint":"/api/club/policy","verificationEndpoint":"/api/club/verify","requiredEnvironment":["VIP_CLUB_WEBHOOK_URL","VIP_CLUB_WEBHOOK_TOKEN"],"configured":false,"expectedPolicy":{"provider":"external-webhook","configured":true,"webhookSignatureAlgorithm":"hmac-sha256","idempotencyHeader":"x-idempotency-key","eventHeader":"x-artesc-event","timestampHeader":"x-artesc-timestamp","signatureHeader":"x-artesc-signature","subscriptionEnabled":false,"localContactStorageAllowed":false},"noWriteChecks":["GET /api/club/audit-policy","GET /api/club/handoff-policy","GET /api/club/policy","Verify the handoff policy reports expected receiver headers, HMAC verification, idempotency, and no ticket creation.","Verify the deployed policy reports an external webhook and signed HMAC forwarding.","Verify subscription/payment flow remains disabled before legal/payment approval.","Do not POST /api/club/verify during audit; that endpoint creates real workflow tickets when configured."],"productionReady":false,"productionBlockers":["VIP_CLUB_WEBHOOK_URL","VIP_CLUB_WEBHOOK_TOKEN"],"safety":{"mode":"read-only","writes":false,"printsSecrets":false,"note":"The VIP Club audit only reads deployed policy and handoff endpoints. It never submits verification requests and never prints webhook URL or token values."}}}