{"ok":true,"generatedAt":"2026-05-30T11:55:52.587Z","demoKind":"hosted_operator_seed_state","noExternalPublishingPerformed":true,"workspaceId":"default","workspaces":{"defaultWorkspaceId":"default","selectedWorkspaceId":"default","selectorMode":"public_demo","workspaces":[{"id":"default","name":"APCP Default","slug":"agent-publish-control-plane","description":"Primary control-plane demo workspace.","createdAt":"2026-05-16T00:00:00.000Z","updatedAt":"2026-05-30T11:55:52.587Z"},{"id":"creator-studio","name":"Creator Studio","slug":"creator-studio","description":"Human-readable content routing demo workspace.","createdAt":"2026-05-16T00:00:00.000Z","updatedAt":"2026-05-30T11:55:52.587Z"},{"id":"release-lab","name":"Release Lab","slug":"release-lab","description":"Code, release, and hosted execution demo workspace.","createdAt":"2026-05-16T00:00:00.000Z","updatedAt":"2026-05-30T11:55:52.587Z"}]},"demoManifestId":"demo-apcp-universal-router","sourcePath":"content/papers/apcp-universal-publishing-router.md","manifestPath":"publish/apcp-universal-publishing-router.manifest.json","operatorConsoleUrl":"/demo/operator","manifests":{"workspaceId":"default","manifests":[{"id":"demo-apcp-universal-router","artifact":{"kind":"article","sourcePath":"content/papers/apcp-universal-publishing-router.md","contentType":"text/markdown; charset=utf-8","sourceFormat":"md","version":"demo-hosted-operator","sha256":"demo-sha256-redacted","executable":false,"risk":"medium"},"approval":{"status":"required","requestedAt":"2026-05-30T11:41:52.587Z","requestedBy":"demo-agent","reason":"Public publication and distribution require human approval."},"review":{"profile":"public_content","authority":"human_required","requiredChecks":["source_exists","hash_recorded","human_approval","public_preview"],"aiReviewer":"apcp-demo-agent","aiRecommendation":{"status":"recommended","confidence":0.82,"rationale":"The article is human-readable public content with a clear canonical path and assisted distribution targets.","reviewedAt":"2026-05-30T11:39:52.587Z"},"notes":["Seeded demo state for the hosted operator console.","No external publishing, token reads, queue writes, or provider setup writes were performed."]},"targets":[{"channelId":"here-now-drive","mode":"handoff","status":"published","artifactPath":"projects/agent-publish-control-plane/demo/apcp-universal-publishing-router.md"},{"channelId":"here-now-sites","mode":"deploy","status":"approval_required"},{"channelId":"kurka-labs-papers","mode":"deploy","status":"approval_required"},{"channelId":"github-release","mode":"distribute","status":"approval_required"},{"channelId":"medium-post","mode":"distribute","status":"manual_required"},{"channelId":"linkedin-post","mode":"distribute","status":"manual_required"},{"channelId":"x-thread","mode":"distribute","status":"manual_required"}],"updatedAt":"2026-05-30T11:55:52.587Z"}]},"events":{"workspaceId":"default","events":[{"id":"demo-event-sync-completed","workspaceId":"default","manifestId":"demo-apcp-universal-router","channelId":"publish-run","status":"completed","type":"publish_run.completed","actor":"hosted-queue","source":"demo","createdAt":"2026-05-30T11:53:52.587Z","message":"Hosted-safe manifest sync preview completed.","metadata":{"runId":"demo-run-hosted-sync","executionBoundary":"hosted_safe"}},{"id":"demo-event-waiting-local","workspaceId":"default","manifestId":"demo-apcp-universal-router","channelId":"publish-run","status":"waiting_local","type":"publish_run.waiting_local","actor":"hosted-queue","source":"demo","createdAt":"2026-05-30T11:51:52.587Z","message":"Hosted queue marked the public publish run as waiting for a local executor.","metadata":{"runId":"demo-run-public-release","executionBoundary":"local_required"}},{"id":"demo-event-approval-required","workspaceId":"default","manifestId":"demo-apcp-universal-router","channelId":"approval","status":"required","type":"approval.required","actor":"demo-agent","source":"demo","createdAt":"2026-05-30T11:41:52.587Z","message":"Human approval is required before public publication or distribution."},{"id":"demo-event-target-plan","workspaceId":"default","manifestId":"demo-apcp-universal-router","channelId":"target-plan","status":"planned","type":"target_plan.created","actor":"demo-agent","source":"demo","createdAt":"2026-05-30T11:39:52.587Z","message":"Planner selected private handoff, canonical publishing, release distribution, and assisted social drafts.","metadata":{"targetCount":7}}]},"publishRuns":{"workspaceId":"default","publishRuns":[{"id":"demo-run-public-release","workspaceId":"default","manifestId":"demo-apcp-universal-router","commandKind":"use-case","command":"npm run demo:article-flow -- --dry-run","status":"waiting_local","message":"Public publish flow needs the local executor for filesystem and provider-profile work.","actor":"hosted-queue","manifestPath":"publish/apcp-universal-publishing-router.manifest.json","artifact":"content/papers/apcp-universal-publishing-router.md","approval":"required","owner":"local-operator","attemptCount":1,"retryCount":0,"terminal":false,"claimedAt":"2026-05-30T11:46:52.587Z","failureReason":"Controlled publish use-case execution needs local adapters and provider profiles.","createdAt":"2026-05-30T11:46:52.587Z","updatedAt":"2026-05-30T11:51:52.587Z","metadata":{"executionBoundary":"local_required","demo":true}},{"id":"demo-run-hosted-sync","workspaceId":"default","manifestId":"demo-apcp-universal-router","commandKind":"sync","command":"npm run publish:sync -- publish/apcp-universal-publishing-router.manifest.json","status":"completed","message":"Hosted-safe manifest sync preview completed without external publishing.","actor":"hosted-queue","manifestPath":"publish/apcp-universal-publishing-router.manifest.json","artifact":"content/papers/apcp-universal-publishing-router.md","approval":"required","owner":"hosted-queue","attemptCount":1,"retryCount":0,"terminal":true,"claimedAt":"2026-05-30T11:46:52.587Z","terminalAt":"2026-05-30T11:53:52.587Z","createdAt":"2026-05-30T11:46:52.587Z","updatedAt":"2026-05-30T11:53:52.587Z","metadata":{"executionBoundary":"hosted_safe","demo":true}},{"id":"demo-run-distribution-drafts","workspaceId":"default","manifestId":"demo-apcp-universal-router","commandKind":"drafts","command":"npm run publish:drafts -- demo-apcp-universal-router","status":"requested","message":"Distribution drafts are ready to be generated for assisted destinations.","actor":"demo-agent","manifestPath":"publish/apcp-universal-publishing-router.manifest.json","artifact":"content/papers/apcp-universal-publishing-router.md","approval":"required","attemptCount":0,"retryCount":0,"terminal":false,"createdAt":"2026-05-30T11:36:52.587Z","updatedAt":"2026-05-30T11:36:52.587Z","metadata":{"executionBoundary":"local_required","demo":true}}]},"auditLogs":{"workspaceId":"default","auditLogs":[{"id":"demo-audit-publish-run-waiting-local","workspaceId":"default","actorId":"hosted-queue","action":"publish_run.waiting_local","resourceType":"publish_run","resourceId":"demo-run-public-release","message":"Hosted queue marked the public publish run as waiting for a local executor.","createdAt":"2026-05-30T11:51:52.587Z","metadata":{"authorization":{"actorId":"hosted-queue","actorSource":"fallback","workspaceId":"default","role":"operator","authSource":"cloudflare_access_service_membership","permissions":["workspace:read","publish_run:write"],"tokenAuthenticated":false,"accessAuthenticated":true,"accessHeadersTrusted":true,"membershipResolved":true,"membership":{"id":"default:demo-service","userId":"demo-service","role":"operator"}}}},{"id":"demo-audit-approval-required","workspaceId":"default","actorId":"demo-agent","action":"approval.required","resourceType":"manifest","resourceId":"demo-apcp-universal-router","message":"Human approval requested before public distribution.","createdAt":"2026-05-30T11:41:52.587Z","metadata":{"authorization":{"actorId":"demo-agent","actorSource":"fallback","workspaceId":"default","role":"owner","authSource":"manifest_write_token","permissions":["workspace:read","approval:write"],"tokenAuthenticated":true,"accessAuthenticated":false,"accessHeadersTrusted":false,"membershipResolved":false}}},{"id":"demo-audit-target-plan","workspaceId":"default","actorId":"demo-agent","action":"target_plan.created","resourceType":"manifest","resourceId":"demo-apcp-universal-router","message":"Planner selected destinations for the demo article.","createdAt":"2026-05-30T11:39:52.587Z","metadata":{"targetCount":7}}]},"accessReadiness":{"ok":true,"generatedAt":"2026-05-30T11:55:52.587Z","workspaceId":"default","noExternalPublishingPerformed":true,"status":"membership_seeded","trustGate":{"flag":"AUTH_TRUST_ACCESS_HEADERS=true","enabled":false,"boundary":"Enable only after Cloudflare Access protects /operator and private /v1/workspaces* API routes."},"membershipSummary":{"total":3,"accessReady":2,"humanAccessReady":1,"serviceAccessReady":1,"localOnly":1,"roleCounts":{"owner":1,"admin":1,"operator":1}},"membershipSeedingPlan":{"planned":2,"alreadyPresent":0,"totalCandidates":2,"hasHumanSeed":true,"hasServiceSeed":true},"memberships":[{"id":"default:system","userId":"system","userDisplayName":"System","role":"owner","accessReady":false,"identityTypes":["local_system_fallback"],"guidance":"Seed a real Access identity for this role before relying on Access membership resolution."},{"id":"default:demo-operator","userId":"demo.operator@example.invalid","userEmail":"demo.operator@example.invalid","userDisplayName":"Demo Operator","role":"admin","accessReady":true,"identityTypes":["access_user_email"],"guidance":"This membership can match a Cloudflare Access user email, Access user id, or service-token client id."},{"id":"default:demo-ci-service","userId":"cloudflare-access-service:demo-ci-service-token","userDisplayName":"Demo CI Service Token","role":"operator","accessReady":true,"identityTypes":["access_service_token"],"guidance":"This membership can match a Cloudflare Access user email, Access user id, or service-token client id."}],"identityFormats":[{"purpose":"Human operator by email","example":"operator@example.com","resolvesThrough":"users.email or workspace_memberships.user_id"},{"purpose":"Cloudflare Access user id","example":"cloudflare-access-user:<id>","resolvesThrough":"workspace_memberships.user_id"},{"purpose":"Access service token","example":"cloudflare-access-service:<client-id>","resolvesThrough":"workspace_memberships.user_id"}],"nextActions":["Review Access-ready memberships before enabling header trust.","Keep owner/admin memberships narrow; operators can usually use the operator role.","Use Service Auth memberships for CLI, MCP, and CI callers.","Leave AUTH_TRUST_ACCESS_HEADERS disabled until Cloudflare Access protects the private route set."],"externalMutationRequired":true},"membershipSeedingPlan":{"ok":true,"generatedAt":"2026-05-30T11:55:52.587Z","workspaceId":"default","noExternalPublishingPerformed":true,"externalMutationRequired":true,"implemented":false,"purpose":"Plan membership seed rows before enabling Cloudflare Access membership resolution.","requested":{"humanEmail":"operator@example.com","serviceTokenClientId":"apcp-cli-or-mcp-service-token","includeService":true},"summary":{"planned":2,"alreadyPresent":0,"totalCandidates":2,"hasHumanSeed":true,"hasServiceSeed":true},"seeds":[{"id":"default:operator@example.com","workspaceId":"default","kind":"human_email","userId":"operator@example.com","userEmail":"operator@example.com","userDisplayName":"Cloudflare Access Operator","role":"admin","status":"planned","alreadyPresent":false,"reason":"Human operators can resolve through cf-access-authenticated-user-email.","dryRunSql":"INSERT users and workspace_memberships rows with this user id/email through an approved migration, seed task, or admin workflow."},{"id":"default:cloudflare-access-service:apcp-cli-or-mcp-service-token","workspaceId":"default","kind":"service_token","userId":"cloudflare-access-service:apcp-cli-or-mcp-service-token","userDisplayName":"Cloudflare Access Service Token","role":"operator","status":"planned","alreadyPresent":false,"reason":"Service Auth callers give CLI, MCP, and CI automation an auditable Access identity.","dryRunSql":"INSERT users and workspace_memberships rows with this user id/email through an approved migration, seed task, or admin workflow."}],"artifacts":{"warnings":["Review before running. These artifacts are generated for operator approval and are not executed by APCP.","Replace placeholder humanEmail=operator@example.com with an approved Cloudflare Access operator email.","Replace placeholder serviceTokenClientId=apcp-cli-or-mcp-service-token with the approved Cloudflare Access service-token client id.","Apply only after the Cloudflare Access application and policies are approved.","Keep AUTH_TRUST_ACCESS_HEADERS disabled until /operator and private /v1/* routes are protected by Cloudflare Access."],"d1Sql":"-- APCP membership seed plan\n\n-- Generated read-only by /v1/workspaces/:workspaceId/membership-seeding-plan.\n\n-- Replace placeholders and review with the operator before running.\n\n-- WARNING: Review before running. These artifacts are generated for operator approval and are not executed by APCP.\n\n-- WARNING: Replace placeholder humanEmail=operator@example.com with an approved Cloudflare Access operator email.\n\n-- WARNING: Replace placeholder serviceTokenClientId=apcp-cli-or-mcp-service-token with the approved Cloudflare Access service-token client id.\n\n-- WARNING: Apply only after the Cloudflare Access application and policies are approved.\n\n-- WARNING: Keep AUTH_TRUST_ACCESS_HEADERS disabled until /operator and private /v1/* routes are protected by Cloudflare Access.\n\nBEGIN TRANSACTION;\n\nINSERT INTO users (id, email, display_name, created_at, updated_at)\nVALUES ('operator@example.com', 'operator@example.com', 'Cloudflare Access Operator', '2026-05-30T11:55:52.587Z', '2026-05-30T11:55:52.587Z')\nON CONFLICT(id) DO UPDATE SET email = excluded.email, display_name = excluded.display_name, updated_at = excluded.updated_at;\n\nINSERT INTO users (id, email, display_name, created_at, updated_at)\nVALUES ('cloudflare-access-service:apcp-cli-or-mcp-service-token', NULL, 'Cloudflare Access Service Token', '2026-05-30T11:55:52.587Z', '2026-05-30T11:55:52.587Z')\nON CONFLICT(id) DO UPDATE SET email = excluded.email, display_name = excluded.display_name, updated_at = excluded.updated_at;\n\nINSERT INTO workspace_memberships (id, workspace_id, user_id, role, created_at, updated_at)\nVALUES ('default:operator@example.com', 'default', 'operator@example.com', 'admin', '2026-05-30T11:55:52.587Z', '2026-05-30T11:55:52.587Z')\nON CONFLICT(workspace_id, user_id) DO UPDATE SET role = excluded.role, updated_at = excluded.updated_at;\n\nINSERT INTO workspace_memberships (id, workspace_id, user_id, role, created_at, updated_at)\nVALUES ('default:cloudflare-access-service:apcp-cli-or-mcp-service-token', 'default', 'cloudflare-access-service:apcp-cli-or-mcp-service-token', 'operator', '2026-05-30T11:55:52.587Z', '2026-05-30T11:55:52.587Z')\nON CONFLICT(workspace_id, user_id) DO UPDATE SET role = excluded.role, updated_at = excluded.updated_at;\n\nCOMMIT;","rollbackSql":"-- APCP membership seed rollback\n\n-- Review before running. This removes only the planned membership rows and removes planned users only if no membership references remain.\n\nDELETE FROM workspace_memberships WHERE id IN ('default:operator@example.com', 'default:cloudflare-access-service:apcp-cli-or-mcp-service-token');\n\nDELETE FROM users WHERE id IN ('operator@example.com', 'cloudflare-access-service:apcp-cli-or-mcp-service-token') AND id NOT IN (SELECT user_id FROM workspace_memberships);","json":{"generatedAt":"2026-05-30T11:55:52.587Z","workspaceId":"default","warnings":["Review before running. These artifacts are generated for operator approval and are not executed by APCP.","Replace placeholder humanEmail=operator@example.com with an approved Cloudflare Access operator email.","Replace placeholder serviceTokenClientId=apcp-cli-or-mcp-service-token with the approved Cloudflare Access service-token client id.","Apply only after the Cloudflare Access application and policies are approved.","Keep AUTH_TRUST_ACCESS_HEADERS disabled until /operator and private /v1/* routes are protected by Cloudflare Access."],"users":[{"id":"operator@example.com","email":"operator@example.com","displayName":"Cloudflare Access Operator"},{"id":"cloudflare-access-service:apcp-cli-or-mcp-service-token","displayName":"Cloudflare Access Service Token"}],"workspaceMemberships":[{"id":"default:operator@example.com","workspaceId":"default","userId":"operator@example.com","role":"admin"},{"id":"default:cloudflare-access-service:apcp-cli-or-mcp-service-token","workspaceId":"default","userId":"cloudflare-access-service:apcp-cli-or-mcp-service-token","role":"operator"}]},"suggestedFilenames":{"d1Sql":"default-membership-seeds.sql","rollbackSql":"default-membership-seeds.rollback.sql","json":"default-membership-seeds.json"},"copyCommands":{"stagingDryRun":"npm run publish:seed-artifacts:apply -- https://agent-publish-control-plane-staging.fkurka.workers.dev default <human-email> <access-user-id> <service-token-client-id>","stagingExecute":"npm run publish:seed-artifacts:apply -- https://agent-publish-control-plane-staging.fkurka.workers.dev default <human-email> <access-user-id> <service-token-client-id> -- --execute --env staging","productionBlocked":"Production D1 mutation is intentionally blocked by publish:seed-artifacts:apply."}},"nextActions":["Review the planned membership seeds, replace placeholder identifiers, then apply them through an approved migration or admin workflow.","Replace placeholder values before saving or executing any seed artifact.","Use human email or Access user id memberships for operators.","Use cloudflare-access-service:<client-id> memberships for CLI, MCP, and CI callers.","Run npm run publish:access-readiness after seeding and before enabling AUTH_TRUST_ACCESS_HEADERS=true."]},"accessActivationStatus":{"ok":true,"generatedAt":"2026-05-30T11:55:52.587Z","workspaceId":"default","noExternalPublishingPerformed":true,"externalMutationRequired":true,"phase":"membership_seeded","phases":["pre_activation","seed_artifacts_ready","membership_seed_pending","membership_seeded","access_edge_observed","trust_ready","trust_enabled"],"current":{"phase":"membership_seeded","label":"Membership seeded","detail":"At least one workspace membership can resolve from a Cloudflare Access identity."},"readyForAccessTrust":false,"trustGate":{"flag":"AUTH_TRUST_ACCESS_HEADERS=true","enabled":false,"boundary":"Enable only after Cloudflare Access protects /operator and private /v1/workspaces* API routes."},"routeProtection":{"planReady":true,"operatorShellProtected":"not_observed_by_worker","currentRequestAccessAuthenticated":false,"protectedRoutePatterns":[{"path":"/operator","reason":"Operator shell can reveal private API entry points even when data still requires tokens."},{"path":"/operator/intake","reason":"Protected staging intake can submit real user material and must sit behind the operator perimeter."},{"path":"/v1/workspaces*","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/events","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/publish-runs*","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/operator-submissions","reason":"Private workspace, manifest, event, provider, or publish-run API surface."},{"path":"/v1/manifests*","reason":"Private workspace, manifest, event, provider, or publish-run API surface."}],"publicDemoRoutes":["/demo","/demo/technical","/demo/walkthrough","/demo/readiness","/demo/changelog","/demo/visual-qa","/demo/auth","/demo/operator"],"note":"The Worker can report the Access route plan and current request attribution; the CLI activation-status command adds the external /operator protection probe."},"seedArtifacts":{"valid":false,"validation":{"ok":false,"checks":[{"id":"artifacts_present","ok":true,"message":"D1 SQL, rollback SQL, and structured seed JSON are present."},{"id":"placeholder_values","ok":false,"message":"Replace placeholder Access identities before seed execution.","placeholders":["operator@example.com","apcp-cli-or-mcp-service-token","operator@example.com","cloudflare-access-service:apcp-cli-or-mcp-service-token"]},{"id":"workspace_ids_match","ok":true,"message":"Every planned membership targets the requested workspace."},{"id":"roles_valid","ok":true,"message":"Every planned membership uses a known role."},{"id":"structured_counts_match","ok":true,"message":"Structured artifact rows match pending planned seeds."},{"id":"rollback_present","ok":true,"message":"Rollback SQL is available for planned seed rows."}],"blockers":["Replace placeholder Access identities before seed execution."]},"planned":2,"alreadyPresent":0,"warnings":["Review before running. These artifacts are generated for operator approval and are not executed by APCP.","Replace placeholder humanEmail=operator@example.com with an approved Cloudflare Access operator email.","Replace placeholder serviceTokenClientId=apcp-cli-or-mcp-service-token with the approved Cloudflare Access service-token client id.","Apply only after the Cloudflare Access application and policies are approved.","Keep AUTH_TRUST_ACCESS_HEADERS disabled until /operator and private /v1/* routes are protected by Cloudflare Access."],"suggestedFilenames":{"d1Sql":"default-membership-seeds.sql","rollbackSql":"default-membership-seeds.rollback.sql","json":"default-membership-seeds.json"}},"membership":{"total":3,"accessReady":2,"humanAccessReady":1,"serviceAccessReady":1,"localOnly":1,"roleCounts":{"owner":1,"admin":1,"operator":1}},"timeline":[{"phase":"pre_activation","label":"Pre-activation","status":"complete","detail":"Access is planned, but seed artifacts or identity decisions still need operator review."},{"phase":"seed_artifacts_ready","label":"Seed artifacts ready","status":"complete","detail":"Seed artifacts validate locally and can be reviewed before any D1 mutation."},{"phase":"membership_seed_pending","label":"Membership seed pending","status":"complete","detail":"Valid seed rows are planned and waiting for an approved D1 migration or admin workflow."},{"phase":"membership_seeded","label":"Membership seeded","status":"current","detail":"At least one workspace membership can resolve from a Cloudflare Access identity."},{"phase":"access_edge_observed","label":"Access edge observed","status":"pending","detail":"The current request path shows Cloudflare Access attribution at the Worker boundary."},{"phase":"trust_ready","label":"Trust ready","status":"pending","detail":"Memberships and Access edge protection are observed; the trust flag is the remaining approval boundary."},{"phase":"trust_enabled","label":"Trust enabled","status":"pending","detail":"The Worker is configured to trust Cloudflare Access headers."}],"blockers":["Replace placeholder Access identities before seed execution.","Cloudflare Access edge protection has not been observed by the current request."],"nextSafeCommand":"npm run publish:seed-artifacts:validate -- https://agent-publish-control-plane.fkurka.workers.dev default operator@example.com <access-user-id> apcp-cli-or-mcp-service-token","stopBoundary":"Creating Access applications, policies, service tokens, or secrets must be approved and run against the Cloudflare account.","reports":{"accessReadiness":{"ok":true,"generatedAt":"2026-05-30T11:55:52.587Z","workspaceId":"default","noExternalPublishingPerformed":true,"status":"membership_seeded","trustGate":{"flag":"AUTH_TRUST_ACCESS_HEADERS=true","enabled":false,"boundary":"Enable only after Cloudflare Access protects /operator and private /v1/workspaces* API routes."},"membershipSummary":{"total":3,"accessReady":2,"humanAccessReady":1,"serviceAccessReady":1,"localOnly":1,"roleCounts":{"owner":1,"admin":1,"operator":1}},"membershipSeedingPlan":{"planned":2,"alreadyPresent":0,"totalCandidates":2,"hasHumanSeed":true,"hasServiceSeed":true},"memberships":[{"id":"default:system","userId":"system","userDisplayName":"System","role":"owner","accessReady":false,"identityTypes":["local_system_fallback"],"guidance":"Seed a real Access identity for this role before relying on Access membership resolution."},{"id":"default:demo-operator","userId":"demo.operator@example.invalid","userEmail":"demo.operator@example.invalid","userDisplayName":"Demo Operator","role":"admin","accessReady":true,"identityTypes":["access_user_email"],"guidance":"This membership can match a Cloudflare Access user email, Access user id, or service-token client id."},{"id":"default:demo-ci-service","userId":"cloudflare-access-service:demo-ci-service-token","userDisplayName":"Demo CI Service Token","role":"operator","accessReady":true,"identityTypes":["access_service_token"],"guidance":"This membership can match a Cloudflare Access user email, Access user id, or service-token client id."}],"identityFormats":[{"purpose":"Human operator by email","example":"operator@example.com","resolvesThrough":"users.email or workspace_memberships.user_id"},{"purpose":"Cloudflare Access user id","example":"cloudflare-access-user:<id>","resolvesThrough":"workspace_memberships.user_id"},{"purpose":"Access service token","example":"cloudflare-access-service:<client-id>","resolvesThrough":"workspace_memberships.user_id"}],"nextActions":["Review Access-ready memberships before enabling header trust.","Keep owner/admin memberships narrow; operators can usually use the operator role.","Use Service Auth memberships for CLI, MCP, and CI callers.","Leave AUTH_TRUST_ACCESS_HEADERS disabled until Cloudflare Access protects the private route set."],"externalMutationRequired":true},"membershipSeedingPlan":{"generatedAt":"2026-05-30T11:55:52.587Z","workspaceId":"default","requested":{"humanEmail":"operator@example.com","serviceTokenClientId":"apcp-cli-or-mcp-service-token","includeService":true},"summary":{"planned":2,"alreadyPresent":0,"totalCandidates":2,"hasHumanSeed":true,"hasServiceSeed":true},"nextActions":["Review the planned membership seeds, replace placeholder identifiers, then apply them through an approved migration or admin workflow.","Replace placeholder values before saving or executing any seed artifact.","Use human email or Access user id memberships for operators.","Use cloudflare-access-service:<client-id> memberships for CLI, MCP, and CI callers.","Run npm run publish:access-readiness after seeding and before enabling AUTH_TRUST_ACCESS_HEADERS=true."]}}},"providerReadiness":{"workspaceId":"default","providerConnections":[],"summary":{"configured":0,"local_only":5,"missing_setup":2,"assisted":4},"destinations":[{"destinationId":"cloudflare","label":"Cloudflare","mode":"deploy","adapterStatus":"planned","readiness":"missing_setup","reason":"Missing hosted setup for cloudflare.","providerRequirements":[{"provider":"cloudflare","authType":"api_token","requiredFor":["publish","sync","status","revoke"],"secretRefs":["CLOUDFLARE_API_TOKEN","Cloudflare Worker bindings"],"optional":false,"setup":"Use Cloudflare secrets, bindings, or CI secrets for hosted workflows.","status":"missing_setup","reason":"No usable hosted provider connection is configured.","connectionStatus":"missing","validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Use Cloudflare secrets, bindings, or CI secrets for hosted workflows."],"recommendedConnectionStatus":"planned"}}]},{"destinationId":"r2-media","label":"Cloudflare R2 Media","mode":"handoff","adapterStatus":"working","readiness":"missing_setup","reason":"Missing hosted setup for cloudflare-r2.","providerRequirements":[{"provider":"cloudflare-r2","authType":"service_token","requiredFor":["upload_media","sync","status"],"secretRefs":["Cloudflare Worker R2 binding: ARTIFACTS"],"optional":false,"setup":"Bind the R2 bucket in wrangler.jsonc and keep account credentials in Cloudflare, not manifests.","status":"missing_setup","reason":"Cloudflare R2 ARTIFACTS binding is not available in this Worker environment.","connectionStatus":"missing","validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Bind the R2 bucket in wrangler.jsonc and keep account credentials in Cloudflare, not manifests."],"recommendedConnectionStatus":"planned"}}]},{"destinationId":"github-release","label":"GitHub Release","mode":"distribute","adapterStatus":"working","readiness":"local_only","reason":"Execution depends on local operator profile setup for github.","providerRequirements":[{"provider":"github","authType":"local_profile","requiredFor":["publish","status"],"secretRefs":["gh auth token or GITHUB_TOKEN"],"optional":false,"setup":"Use gh auth or GitHub Actions secrets with release permissions. Do not commit tokens.","status":"local_only","reason":"No hosted provider connection is configured; local operator profile can execute this destination.","connectionStatus":"missing","localExecutionSupported":true,"validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Use gh auth or GitHub Actions secrets with release permissions. Do not commit tokens."],"recommendedConnectionStatus":"needs_attention"}}]},{"destinationId":"github","label":"GitHub Source Ledger","mode":"handoff","adapterStatus":"working","readiness":"local_only","reason":"Execution depends on local operator profile setup for github.","providerRequirements":[{"provider":"github","authType":"local_profile","requiredFor":["sync","status"],"secretRefs":["gh auth token or GITHUB_TOKEN"],"optional":false,"setup":"Use gh auth or GitHub Actions secrets. Do not commit tokens.","status":"local_only","reason":"No hosted provider connection is configured; local operator profile can execute this destination.","connectionStatus":"missing","localExecutionSupported":true,"validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Use gh auth or GitHub Actions secrets. Do not commit tokens."],"recommendedConnectionStatus":"needs_attention"}}]},{"destinationId":"here-now-drive","label":"here.now Drive","mode":"handoff","adapterStatus":"working","readiness":"local_only","reason":"Execution depends on local operator profile setup for here.now.","providerRequirements":[{"provider":"here.now","authType":"local_profile","requiredFor":["sync","upload_media","status"],"secretRefs":["here.now profile credentials outside this repo"],"optional":false,"setup":"Authenticate with here.now locally or through the hosted provider connection store.","status":"local_only","reason":"No hosted provider connection is configured; local operator profile can execute this destination.","connectionStatus":"missing","localExecutionSupported":true,"validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Authenticate with here.now locally or through the hosted provider connection store."],"recommendedConnectionStatus":"needs_attention"}}]},{"destinationId":"here-now-sites","label":"here.now Sites","mode":"deploy","adapterStatus":"working","readiness":"local_only","reason":"Execution depends on local operator profile setup for here.now.","providerRequirements":[{"provider":"here.now","authType":"local_profile","requiredFor":["publish","sync","status","revoke"],"secretRefs":["here.now profile credentials outside this repo"],"optional":false,"setup":"Authenticate with here.now locally or through the hosted provider connection store.","status":"local_only","reason":"No hosted provider connection is configured; local operator profile can execute this destination.","connectionStatus":"missing","localExecutionSupported":true,"validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Authenticate with here.now locally or through the hosted provider connection store."],"recommendedConnectionStatus":"needs_attention"}}]},{"destinationId":"kurka-labs-papers","label":"Kurka Labs Papers","mode":"deploy","adapterStatus":"working","readiness":"local_only","reason":"Execution depends on local operator profile setup for github-cloudflare-pages.","providerRequirements":[{"provider":"github-cloudflare-pages","authType":"local_profile","requiredFor":["publish","sync","status"],"secretRefs":["kurkalabs git remote auth","Cloudflare Pages GitHub integration"],"optional":false,"setup":"Use the Kurka Labs GitHub repo and Cloudflare Pages integration; keep credentials in GitHub/Cloudflare.","status":"local_only","reason":"No hosted provider connection is configured; local operator profile can execute this destination.","connectionStatus":"missing","localExecutionSupported":true,"validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Use the Kurka Labs GitHub repo and Cloudflare Pages integration; keep credentials in GitHub/Cloudflare."],"recommendedConnectionStatus":"needs_attention"}}]},{"destinationId":"linkedin-post","label":"LinkedIn Post","mode":"distribute","adapterStatus":"assisted","readiness":"assisted","reason":"Destination is intentionally assisted: APCP can render drafts or handoff artifacts, while publication remains manual or future OAuth-backed work.","providerRequirements":[{"provider":"linkedin","authType":"oauth2","requiredFor":["publish","upload_media","status"],"secretRefs":["LINKEDIN_CLIENT_ID","LINKEDIN_CLIENT_SECRET","LINKEDIN_REFRESH_TOKEN"],"optional":true,"setup":"Use an approved LinkedIn OAuth app and store secrets outside manifests.","status":"assisted","reason":"Provider automation is optional because this destination can remain assisted/manual.","connectionStatus":"missing","validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Use an approved LinkedIn OAuth app and store secrets outside manifests."],"recommendedConnectionStatus":"planned"}}]},{"destinationId":"medium-post","label":"Medium Post","mode":"distribute","adapterStatus":"assisted","readiness":"assisted","reason":"Destination is intentionally assisted: APCP can render drafts or handoff artifacts, while publication remains manual or future OAuth-backed work.","providerRequirements":[{"provider":"medium","authType":"api_token","requiredFor":["publish","status"],"secretRefs":["MEDIUM_INTEGRATION_TOKEN"],"optional":true,"setup":"Store Medium integration tokens in Cloudflare secrets or a provider vault after account API access is confirmed.","status":"assisted","reason":"Provider automation is optional because this destination can remain assisted/manual.","connectionStatus":"missing","validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Store Medium integration tokens in Cloudflare secrets or a provider vault after account API access is confirmed."],"recommendedConnectionStatus":"planned"}}]},{"destinationId":"substack-post","label":"Substack Post","mode":"distribute","adapterStatus":"assisted","readiness":"assisted","reason":"Destination is intentionally assisted: APCP can render drafts or handoff artifacts, while publication remains manual or future OAuth-backed work.","providerRequirements":[{"provider":"substack","authType":"oauth2","requiredFor":["publish","status"],"secretRefs":["SUBSTACK_ACCESS_TOKEN"],"optional":true,"setup":"Keep public posting assisted until an approved Substack API or OAuth path is configured.","status":"assisted","reason":"Provider automation is optional because this destination can remain assisted/manual.","connectionStatus":"missing","validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Keep public posting assisted until an approved Substack API or OAuth path is configured."],"recommendedConnectionStatus":"planned"}}]},{"destinationId":"x-thread","label":"X Thread","mode":"distribute","adapterStatus":"assisted","readiness":"assisted","reason":"Destination is intentionally assisted: APCP can render drafts or handoff artifacts, while publication remains manual or future OAuth-backed work.","providerRequirements":[{"provider":"x","authType":"oauth2","requiredFor":["publish","upload_media","status"],"secretRefs":["X_CLIENT_ID","X_CLIENT_SECRET","X_REFRESH_TOKEN"],"optional":true,"setup":"Use an approved X API app/tier and store OAuth secrets outside manifests.","status":"assisted","reason":"Provider automation is optional because this destination can remain assisted/manual.","connectionStatus":"missing","validation":{"status":"not_started","summary":"No provider connection record exists yet.","checks":[{"id":"provider_connection","label":"Provider connection record","status":"fail","reason":"Create a non-secret provider setup record for this requirement."}],"nextActions":["Use an approved X API app/tier and store OAuth secrets outside manifests."],"recommendedConnectionStatus":"planned"}}]}]},"demoNarrative":["A public article enters APCP as a manifest-backed artifact.","APCP plans private handoff, canonical publishing, release distribution, and assisted social drafts.","Hosted sync is safe in the Worker; publish and draft work wait for local executor context."]}