{"ok":true,"meta":{"generatedAt":"2026-06-30T13:21:39.721Z"},"data":{"version":"tzv3-secret-rotation-v1","endpoint":"/api/infrastructure/secret-rotation","command":"npm run secrets:rotation","script":"scripts/tzv3-secret-rotation.mjs","configured":true,"productionReady":false,"safety":{"mode":"read-only","writes":false,"network":false,"printsSecrets":false,"storesSecrets":false,"note":"This policy and CLI report only env names, categories, configured/placeholder booleans, rotation order, and audit commands. They never print, generate, persist, or transmit secret values."},"summary":{"generatedSecretCount":4,"ownerProviderCount":20,"publicDefaultCount":11,"requiredVariableCount":18,"configuredRequiredVariableCount":2,"missingRequiredVariableCount":16,"postRotationAuditCount":15},"generatedByArtesc":[{"name":"ADMIN_API_TOKEN","owner":"artesc-generated","sensitivity":"secret","requiredForProduction":true,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Protects admin write, seed, and moderation APIs.","configured":false,"placeholder":false},{"name":"ADMIN_SESSION_SECRET","owner":"artesc-generated","sensitivity":"secret","requiredForProduction":true,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Signs HttpOnly admin UI sessions.","configured":false,"placeholder":false},{"name":"TELEGRAM_WEBHOOK_SECRET","owner":"artesc-generated","sensitivity":"secret","requiredForProduction":true,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Authenticates Telegram live-status webhooks.","configured":false,"placeholder":false},{"name":"VIP_CLUB_WEBHOOK_TOKEN","owner":"artesc-generated","sensitivity":"secret","requiredForProduction":true,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Signs VIP Club verification forwarding.","configured":false,"placeholder":false}],"ownerProviderSupplied":[{"name":"NEXT_PUBLIC_SITE_URL","owner":"owner-provider","sensitivity":"public","requiredForProduction":true,"rotationSource":"owner/domain decision","reason":"Canonical HTTPS domain used by metadata, sitemap, and production audits.","configured":true,"placeholder":false},{"name":"DATABASE_URL","owner":"owner-provider","sensitivity":"credential","requiredForProduction":true,"rotationSource":"Supabase, Neon, or PostgreSQL provider","reason":"Production catalog, admin, status, review, and SEO persistence.","configured":false,"placeholder":false},{"name":"VIP_CLUB_WEBHOOK_URL","owner":"owner-provider","sensitivity":"endpoint","requiredForProduction":true,"rotationSource":"Telegram or verification workflow provider","reason":"External receiver for VIP Club verification tickets.","configured":false,"placeholder":false},{"name":"LEGAL_CONTACT_EMAIL","owner":"owner-provider","sensitivity":"contact","requiredForProduction":true,"rotationSource":"owner/legal inbox","reason":"Dedicated inbox for takedown, deletion, and data-subject requests.","configured":false,"placeholder":false},{"name":"ELASTICSEARCH_URL","owner":"owner-provider","sensitivity":"endpoint","requiredForProduction":true,"rotationSource":"Elastic Cloud","reason":"Production instant search endpoint.","configured":false,"placeholder":false},{"name":"ELASTICSEARCH_API_KEY","owner":"owner-provider","sensitivity":"credential","requiredForProduction":true,"rotationSource":"Elastic Cloud","reason":"Server-side search API key.","configured":false,"placeholder":false},{"name":"UPSTASH_REDIS_REST_URL","owner":"owner-provider","sensitivity":"endpoint","requiredForProduction":true,"rotationSource":"Upstash Redis","reason":"Production search cache and rate-limit state endpoint.","configured":false,"placeholder":false},{"name":"UPSTASH_REDIS_REST_TOKEN","owner":"owner-provider","sensitivity":"credential","requiredForProduction":true,"rotationSource":"Upstash Redis","reason":"Production Redis REST token.","configured":false,"placeholder":false},{"name":"NEXT_PUBLIC_MEDIA_CDN_URL","owner":"owner-provider","sensitivity":"public","requiredForProduction":true,"rotationSource":"CDN/R2 public delivery decision","reason":"Public media origin for catalog and schedule provider handoff.","configured":false,"placeholder":false},{"name":"CLOUDFLARE_R2_BUCKET","owner":"owner-provider","sensitivity":"endpoint","requiredForProduction":true,"rotationSource":"Cloudflare R2","reason":"Production media bucket.","configured":false,"placeholder":false},{"name":"CLOUDFLARE_R2_ACCESS_KEY_ID","owner":"owner-provider","sensitivity":"credential","requiredForProduction":true,"rotationSource":"Cloudflare R2","reason":"R2 access key id for production media operations.","configured":false,"placeholder":false},{"name":"CLOUDFLARE_R2_SECRET_ACCESS_KEY","owner":"owner-provider","sensitivity":"credential","requiredForProduction":true,"rotationSource":"Cloudflare R2","reason":"R2 secret access key for production media operations.","configured":false,"placeholder":false},{"name":"WEB_VITALS_ENDPOINT_URL","owner":"owner-provider","sensitivity":"endpoint","requiredForProduction":true,"rotationSource":"analytics or internal Web Vitals sink","reason":"Production browser field metrics endpoint.","configured":false,"placeholder":false},{"name":"OPENAI_API_KEY","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"approved LLM provider","reason":"Optional admin-reviewed SEO copy and Smart Match provider.","configured":false,"placeholder":false},{"name":"GOOGLE_TRANSLATE_API_KEY","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"approved translation provider","reason":"Optional production translation provider.","configured":false,"placeholder":false},{"name":"SCHEDULE_API_TOKEN","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"ready-made schedule provider","reason":"Optional server-to-server schedule API token when iframe/widget is not enough.","configured":false,"placeholder":false},{"name":"MEDIA_AI_PROVIDER_TOKEN","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"approved media enhancement provider","reason":"Optional media enhancement provider token.","configured":false,"placeholder":false},{"name":"WEB_VITALS_ENDPOINT_TOKEN","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"analytics or internal Web Vitals sink","reason":"Optional bearer token for Web Vitals forwarding.","configured":false,"placeholder":false},{"name":"PWA_PUSH_PROVIDER_TOKEN","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"approved PWA push provider","reason":"Optional provider token for explicit favorites push opt-in.","configured":false,"placeholder":false},{"name":"CLOUDFLARE_API_TOKEN","owner":"owner-provider","sensitivity":"credential","requiredForProduction":false,"rotationSource":"Cloudflare","reason":"Optional token for DNS, WAF, and mirror audits.","configured":false,"placeholder":false}],"publicDefaults":[{"name":"NEXT_PUBLIC_SCHEDULE_URL","owner":"public-default","sensitivity":"public","requiredForProduction":true,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Public link to the ready-made schedule iframe.","defaultValue":"https://australia-wlkk.vercel.app/scheduling/embed?site=artesc&lang=en","configured":true,"placeholder":false},{"name":"NEXT_PUBLIC_SCHEDULE_PROJECT_URL","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Ready-made schedule project origin.","defaultValue":"https://australia-wlkk.vercel.app","configured":false,"placeholder":false},{"name":"NEXT_PUBLIC_SCHEDULE_EMBED_URL","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Ready-made schedule iframe endpoint without query params.","defaultValue":"https://australia-wlkk.vercel.app/scheduling/embed","configured":false,"placeholder":false},{"name":"NEXT_PUBLIC_SCHEDULE_WIDGET_URL","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Ready-made schedule widget script endpoint.","defaultValue":"https://australia-wlkk.vercel.app/api/scheduling/widget","configured":false,"placeholder":false},{"name":"NEXT_PUBLIC_SCHEDULE_SITE","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Schedule tenant key expected by the ready-made schedule project.","defaultValue":"artesc","configured":true,"placeholder":false},{"name":"NEXT_PUBLIC_SCHEDULE_LANG","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Default iframe/widget language.","defaultValue":"en","configured":false,"placeholder":false},{"name":"SCHEDULE_AVAILABILITY_PATH","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Optional schedule API availability path.","defaultValue":"/availability","configured":false,"placeholder":false},{"name":"SCHEDULE_REQUEST_PATH","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Optional schedule API request path.","defaultValue":"/requests","configured":false,"placeholder":false},{"name":"ELASTICSEARCH_INDEX","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Default Elastic profile index.","defaultValue":"profiles","configured":false,"placeholder":false},{"name":"ELASTICSEARCH_SEARCH_PATH","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Default Elastic _search path template.","defaultValue":"/{index}/_search","configured":false,"placeholder":false},{"name":"SEARCH_CACHE_TTL_SECONDS","owner":"public-default","sensitivity":"public","requiredForProduction":false,"rotationSource":"npm run vercel:env:plan / npm run vercel:env:apply-known","reason":"Default Redis search cache TTL.","defaultValue":"60","configured":false,"placeholder":false}],"rotationOrder":[{"order":1,"command":"npm run source:audit","purpose":"Confirm the website source repository is GitHub parkourcafe/artesc before any env writes."},{"order":2,"command":"npm run ci:audit","purpose":"Confirm GitHub Actions has the no-write TZV3 CI quality gate before launch."},{"order":3,"command":"npm run vercel:link:audit","purpose":"Confirm the local Vercel link points to the Artesc website project before any env writes."},{"order":4,"command":"npm run secrets:rotation","purpose":"Review this no-write handoff contract and confirm categories before rotation."},{"order":5,"command":"npm run vercel:env:plan -- --scope selena-s-projects1","purpose":"Generate a copy/paste plan for public defaults and Artesc-generated secret names."},{"order":6,"command":"npm run vercel:env:apply-known -- --write --scope selena-s-projects1","purpose":"Apply only known public defaults and generated secrets after the linked website project is confirmed."},{"order":7,"command":"hosting provider UI/CLI","purpose":"Add owner/provider supplied endpoints, credentials, contact inboxes, and optional provider tokens without storing values in the repo."},{"order":8,"command":"post-rotation audits","purpose":"Run every postRotationAudits command before production launch."}],"postRotationAudits":["npm run source:audit","npm run ci:audit","npm run vercel:link:audit","npm run env:check:production","npm run vercel:env:audit -- --scope selena-s-projects1","npm run admin:audit","npm run telegram:handoff","npm run telegram:audit","npm run club:handoff","npm run club:audit","npm run search:audit","npm run media:audit","npm run vitals:audit","npm run origin:audit -- --require-production","npm run evidence:audit -- --require-production"],"productionBlockers":["ADMIN_API_TOKEN is missing or placeholder","ADMIN_SESSION_SECRET is missing or placeholder","TELEGRAM_WEBHOOK_SECRET is missing or placeholder","VIP_CLUB_WEBHOOK_TOKEN is missing or placeholder","DATABASE_URL is missing or placeholder","VIP_CLUB_WEBHOOK_URL is missing or placeholder","LEGAL_CONTACT_EMAIL is missing or placeholder","ELASTICSEARCH_URL is missing or placeholder","ELASTICSEARCH_API_KEY is missing or placeholder","UPSTASH_REDIS_REST_URL is missing or placeholder","UPSTASH_REDIS_REST_TOKEN is missing or placeholder","NEXT_PUBLIC_MEDIA_CDN_URL is missing or placeholder","CLOUDFLARE_R2_BUCKET is missing or placeholder","CLOUDFLARE_R2_ACCESS_KEY_ID is missing or placeholder","CLOUDFLARE_R2_SECRET_ACCESS_KEY is missing or placeholder","WEB_VITALS_ENDPOINT_URL is missing or placeholder"]}}