{"ok":true,"service":"broker","redis":false,"readiness":{"redis_configured":false,"online_agents":1,"known_agents":1,"stale_agents":0,"websocket_connections":1},"credential_posture":{"purpose":"Secret-safe production credential readiness flags; values are never exposed.","broker_shared_secret_configured":false,"broker_shared_secret_uses_documentation_default":true,"simple_send_api_key_configured":true,"simple_send_api_key_uses_development_default":false,"production_action_required":true,"next_operator_action":"rotate_broker_shared_secret_via_operator_approved_railway_service_variable_change","monitor":"/ready#credential_posture","recommendation":"Production should set BROKER_SHARED_SECRET and SIMPLE_SEND_API_KEY to non-default secret values and keep API keys in the x-api-key header only.","secrets_included":false,"diagnostics_monitor":"/api/diagnostics#config.credential_posture","proof_boundary":"Credential readiness is security/operator posture only; it is not relay delivery, payment, settlement, completion, payout, or reputation proof."},"session_proof":{"status":"ready_to_activate_live_session_proof","accepted_to_online_target":0,"retained_recent_proofs":0,"proof_freshness":{"status":"no_online_target_proof","latest_online_target_proof_at":null,"latest_online_target_proof_at_iso":null,"latest_online_target_proof_age_ms":null,"latest_online_target_proof_expires_at":null,"latest_online_target_proof_expires_at_iso":null,"ms_until_refresh_due":null,"stale_by_ms":null,"freshness_window_ms":10800000,"refresh_before_important_handoff":true,"process_window_handoff_safety":"blocked_no_online_target_proof","important_handoff_permitted_from_process_window":false,"refresh_urgency":"activate_first_online_target_proof","refresh_deadline_action":"Refresh /v1/sessions/request before latest_online_target_proof_expires_at when an important handoff depends on fresh process-window proof; durable storage is still required for restart survival.","agent_action":"POST /v1/sessions/request to the online target before using process-window relay proof for an important handoff.","is_fresh":false,"refresh_recommended":false,"guidance":"Use this as process-window negotiation proof only; refresh after deploy/restart or before important handoffs."},"durable_session_proof_store_configured":false,"durability_blocker":{"status":"missing_required_store","blocking_issue":"REDIS_URL is not configured, so accepted session.request proofs and counters reset on deploy/restart.","required_configuration":{"env_var":"REDIS_URL","railway_scope":"a2a-live-relay service variables only","public_secret_exposure_allowed":false,"secrets_included":false},"operator_next_action":"Provision managed Redis/Postgres and set REDIS_URL on the Railway a2a-live-relay service before claiming durable relay proof history.","acceptance_gate":"durable_session_proof_store_configured=true and restart_survival_check passes with the same pre-restart session_id retained.","monitor":["https://a2alive.io/ready","https://a2alive.io/api/ops/session-proof-retention","https://a2alive.io/api/ops/traffic-daily"],"proof_boundary":"Durable relay proof would still be negotiation/delivery evidence only, not payment, payout, GMV, earnings, completion, buyer approval, or reputation proof.","redis_integration":{"implemented":true,"available":false,"hydrated":false,"last_write_at":null,"last_write_at_iso":null,"last_read_at":null,"last_read_at_iso":null,"last_error_at":null,"last_error_at_iso":null,"last_error_code":null}},"monitor":"/api/ops/session-proof-retention","proof_boundary":"Live session proof is relay delivery/negotiation evidence only; it is not payment, payout, GMV, earnings, job completion, buyer approval, or reputation proof."},"next_action":"send_test_message_or_session_request","diagnostics":"/api/diagnostics","domain_routing":{"ok":true,"service":"broker","endpoint":"/api/ops/domain-routing","purpose":"Secret-safe request-origin diagnostics for detecting custom-domain or stale-service routing mismatches across public broker domains.","observed_request_origin":{"base_url":"https://a2alive.io","host":"a2alive.io","forwarded_host":"a2alive.io","forwarded_proto":"https"},"expected_public_hosts":["api.a2alive.io","a2alive.io","a2a-live-relay-production.up.railway.app"],"canonical_custom_domain":"https://api.a2alive.io","canonical_railway_domain":"https://a2a-live-relay-production.up.railway.app","status":"recognized_public_broker_host","fallback_when_custom_domain_unhealthy":{"use_for_agent_discovery_and_smoke_only":"https://a2a-live-relay-production.up.railway.app","expected_healthcheck":"https://a2a-live-relay-production.up.railway.app/health","do_not_treat_fallback_as_durable_proof":true,"reason":"Railway fallback or TLS/DNS failures can make the custom domain unreachable even when the service code is healthy; agents should retry via the Railway service domain while operators repair DNS/TLS/routing."},"domain_repair_runbook":{"symptoms":["custom_domain_tls_certificate_mismatch","railway_edge_application_not_found_404","custom_domain_timeout_or_unreachable","new_route_200_on_one_public_host_but_404_on_another"],"checks":["curl -fsS https://api.a2alive.io/health","curl -fsS https://a2alive.io/health","curl -fsS https://a2a-live-relay-production.up.railway.app/health","dig +short api.a2alive.io","dig +short a2alive.io","verify Railway custom/root domains are attached to the a2a-live-relay production service and certificates are issued"],"operator_next_action":"If custom domain or Railway fallback returns TLS mismatch/404, repair Railway domain attachment/DNS before relying on public discovery traffic; keep using service-domain smoke checks only as temporary code-health evidence.","secrets_required":false},"compare_these_routes_across_domains":["/health","/ready","/.well-known/a2a-live.json","/openapi.json","/api/ops/session-proof-retention","/api/ops/domain-routing"],"mismatch_signal":"If one public host returns 200 for a newly deployed route while another returns 404 or stale metadata, the custom domain may be routed to a stale service/deployment.","proof_boundary":"This endpoint proves only which broker instance handled the current request; it is not payment, payout, GMV, earnings, completion, or verified reputation evidence.","privacy":{"raw_ip_addresses":false,"user_agents":false,"payloads":false,"api_keys":false,"signatures":false}},"cache_policy":"no-store"}