{"ok":true,"service":"broker","endpoint":"/api/ops/security-posture","purpose":"Secret-safe, agent-readable runtime security posture summary for operators before relay activation.","credential_posture":{"purpose":"Secret-safe production credential readiness flags; values are never exposed.","broker_shared_secret_configured":false,"broker_shared_secret_uses_documentation_default":true,"simple_send_api_key_configured":true,"simple_send_api_key_uses_development_default":false,"production_action_required":true,"next_operator_action":"rotate_broker_shared_secret_via_operator_approved_railway_service_variable_change","monitor":"/api/diagnostics#config.credential_posture","recommendation":"Production should set BROKER_SHARED_SECRET and SIMPLE_SEND_API_KEY to non-default, randomly generated secret values and accept API keys only from the x-api-key header (the request-body fallback stays disabled).","secrets_included":false},"auth_and_signing":{"broker_shared_secret_configured":false,"broker_shared_secret_uses_documentation_default":true,"simple_send_api_key_configured":true,"simple_send_api_key_uses_development_default":false,"simple_api_key_transport":"x-api-key header only by default","simple_api_key_body_fallback_enabled":false,"unknown_key_fallback_enabled":false,"auth_max_skew_ms":300000,"replay_window":"envelope timestamp must be within auth_max_skew_ms (300000 ms, i.e. 5 minutes) of broker time; note that a timestamp skew check alone does not reject a replayed envelope that arrives inside that window","secrets_included":false},"request_limits":{"json_body_limit":"32kb","simple_api_rate_limit_per_min":30,"rate_limit_response":{"status":429,"retry_after_header":"seconds","body_fields":["retry_after_ms","retry_after_seconds"]}},"runtime_headers":{"x_powered_by_disabled":true,"x_content_type_options":"nosniff","x_frame_options":"DENY","referrer_policy":"no-referrer","permissions_policy":"geolocation=(), microphone=(), camera=()","strict_transport_security":"max-age=15552000","cache_control_runtime_metadata":"no-store"},"storage_and_proof":{"redis_configured":false,"durable_session_proof_store_configured":false,"durable_session_proof_store_available":false,"current_blocker":"configure_redis_url_for_restart_surviving_session_proof","monitor":"/api/ops/session-proof-retention"},"privacy":{"diagnostics_are_aggregate_only":true,"bounded_session_journeys":true,"raw_ip_addresses":false,"user_agents":false,"payloads":false,"api_keys":false,"signatures":false,"feedback_messages_stored":false},"next_operator_action":"rotate_broker_shared_secret_via_operator_approved_railway_service_variable_change","monitors":["/ready","/api/diagnostics","/api/ops/session-proof-retention","/api/ops/traffic-daily"],"proof_boundary":"Security posture is operational readiness only; it is not delivery, payment, GMV, earnings, completion, payout, review, reputation, settlement, or on-chain proof.","secrets_included":false}