{"requestHost":"onering.space","resolvedApiBaseUrl":"https://api-production-39ea.up.railway.app","usesLocalDefaultApiBaseUrl":false,"vercelEnv":"production","vercelUrl":"one-ring-pwrqqjkch-isbell-capital.vercel.app","vercelGitCommitSha":"ef7d8d355a5947f68054ff450eb9ca619d6be033","apiReleaseTruthStatus":"ok","apiRequestHostMatchesResolvedBaseUrl":true,"apiReleaseTruthError":null,"expectedApiRailwayEnvironmentName":"production","apiRailwayEnvironmentMatchesExpected":true,"expectedApiAuthMode":"google_oidc","apiAuthModeMatchesExpected":true,"expectedProductionSignalProviderMode":"google_calendar_gmail","apiSignalProviderMatchesExpected":true,"apiNextSignalProviderCandidateConfigured":null,"apiNextSignalProviderSetupBatch":null,"apiNextSignalProviderCandidateRolloutSequence":null,"apiNextSignalProviderMonitoredSurfaceLabel":null,"apiNextSignalProviderDefaultExclusions":[],"apiNextSignalProviderProofVectorId":null,"apiNextSignalProviderProofSurfaces":[],"apiNextSignalProviderProofVariantKeys":[],"apiNextSignalProviderFollowOnCandidateMode":null,"apiNextSignalProviderFollowOnCandidateConfigured":null,"apiNextSignalProviderFollowOnSetupBatch":null,"apiNextSignalProviderFollowOnRolloutSequence":null,"apiNextSignalProviderFollowOnMonitoredSurfaceLabel":null,"apiNextSignalProviderFollowOnDefaultExclusions":[],"apiNextSignalProviderFollowOnProofVectorId":null,"apiNextSignalProviderFollowOnProofSurfaces":[],"apiNextSignalProviderFollowOnProofVariantKeys":[],"apiPairingExpectationStatus":"ready","apiProductionCutoverStatus":"active_sources_stale","apiNextSignalProviderExpectationStatus":"cutover_not_ready","operatorAlertDeliveryGate":{"status":"blocked_by_surface_only_delivery","statusLabel":"Blocked by unconfigured external delivery target","summary":"Executive operator alerts still stop at surfaced routing because no governed external paging or messaging target is fully configured yet.","ownerLabel":"Platform 
operations","notifyRoleKeys":["platform.operator"],"escalateAfterMinutes":30,"escalateToRoleKeys":["holding.executive"],"likelyCause":"The runtime does not yet carry both a supported external delivery channel and a human-readable target label for the governed executive alert families.","nextRecoveryAction":"Set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_CHANNEL, ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_TARGET_LABEL, and the required channel-specific secret for the chosen operator-owned target. For Slack webhook delivery, set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_SLACK_WEBHOOK_URL, then run ./scripts/exercise-executive-operator-alert-delivery.sh and verify with ./scripts/check-executive-operator-alert-delivery.sh --expect ready.","proofSurfaceKeys":["hosted_release_truth","api_release_truth"],"coveredEventTypes":["executive.signal_source.auth_invalid","executive.signal_source.degraded","executive.signal_source.unavailable","executive.surface.unavailable","executive.alert_delivery.unavailable","executive.release_truth.drift_detected","executive.release_truth.cutover_degraded","executive.release_truth.unavailable","executive.deploy.skew_detected"],"deliveryEvidenceSummary":"Treat external executive alert delivery as ready only after the governed target is fully configured, ./scripts/exercise-executive-operator-alert-delivery.sh records a successful live drill, the last proven timestamp is no older than 168 hours, and ./scripts/check-executive-operator-alert-delivery.sh --expect ready passes against hosted and API release truth.","deliveryProofCommands":["./scripts/exercise-executive-operator-alert-delivery.sh","./scripts/check-executive-operator-alert-delivery.sh --expect ready"],"runbookPath":"docs/external-operator-alert-delivery-runbook-v1.md","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external 
paging or messaging target is configured yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168},"sourceRecoveryGate":{"status":"blocked_by_auth_invalid","statusLabel":"Blocked by invalid credentials","summary":"Production recovery remains blocked because Google Calendar and Gmail cannot refresh with valid upstream credentials or delegated grants.","blockedSourceKeys":["google_calendar","gmail"],"blockedSourceDisplayNames":["Google Calendar","Gmail"],"ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator","subsidiary.manager"],"escalateAfterMinutes":15,"escalateToRoleKeys":["holding.executive"],"likelyCause":"The upstream provider rejected the active credentials or delegated grant after at least one successful snapshot was stored.","nextRecoveryAction":"Restore or rotate the active credentials or delegated grants for Google Calendar and Gmail, redeploy the API if the runtime env changed, then verify recovery with ./scripts/check-executive-source-recovery.sh --source google_calendar and ./scripts/check-executive-source-recovery.sh --source gmail before treating production executive output as trustworthy again.","proofSurfaceKeys":["hosted_release_truth","api_release_truth","executive_queue","executive_briefing"],"recoveryEvidenceSummary":"Treat Google Calendar and Gmail as recovered only when hosted and API /release-truth both show trustworthy source truth for the blocked source set and authenticated queue plus briefing both return healthy status for Google Calendar and Gmail.","recoveryProofCommands":["./scripts/check-executive-source-recovery.sh --source google_calendar","./scripts/check-executive-source-recovery.sh --source 
gmail"],"runbookPath":"docs/executive-ingestion-runbook-v1.md#live-source-diagnosis-and-recovery-packs","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured yet."},"operatorAlerts":[{"key":"executive.signal_source.auth_invalid:google_calendar:api_release_truth","status":"active","eventType":"executive.signal_source.auth_invalid","severity":"critical","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"tenant","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator","subsidiary.manager"],"escalateAfterMinutes":15,"escalateToRoleKeys":["holding.executive"],"observedSurface":"api_release_truth","observedSourceKey":"google_calendar","observedSourceSystem":"google_calendar","summary":"Google Calendar is still serving the cached snapshot from 2026-04-03T20:43:27.077Z, but the active upstream credentials are now being rejected so refreshes cannot replace that snapshot.","likelyCause":"The upstream provider rejected the active credentials or delegated grant after at least one successful snapshot was stored.","nextRecoveryAction":"Restore or rotate the active Google Calendar credentials for the monitored executive calendar, then verify recovery with ./scripts/check-executive-source-recovery.sh --source google_calendar before treating current executive output as trustworthy again.","runbookPath":"docs/executive-ingestion-runbook-v1.md#google-calendar-live-diagnosis-and-recovery-pack","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured 
yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168,"notes":"An active executive source with invalid upstream credentials or delegated grants is a critical operator-trust incident because recovery depends on explicit credential repair rather than passive retry."},{"key":"executive.signal_source.auth_invalid:gmail:api_release_truth","status":"active","eventType":"executive.signal_source.auth_invalid","severity":"critical","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"tenant","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator","subsidiary.manager"],"escalateAfterMinutes":15,"escalateToRoleKeys":["holding.executive"],"observedSurface":"api_release_truth","observedSourceKey":"gmail","observedSourceSystem":"gmail","summary":"Gmail is still serving the cached snapshot from 2026-04-04T21:42:06.617Z, but the active upstream credentials are now being rejected so refreshes cannot replace that snapshot.","likelyCause":"The upstream provider rejected the active credentials or delegated grant after at least one successful snapshot was stored.","nextRecoveryAction":"Restore or rotate the active Gmail credentials for the monitored work mailbox, then verify recovery with ./scripts/check-executive-source-recovery.sh --source gmail before treating current executive output as trustworthy again.","runbookPath":"docs/executive-ingestion-runbook-v1.md#gmail-live-diagnosis-and-recovery-pack","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured 
yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168,"notes":"An active executive source with invalid upstream credentials or delegated grants is a critical operator-trust incident because recovery depends on explicit credential repair rather than passive retry."},{"key":"executive.alert_delivery.unavailable:api_release_truth","status":"active","eventType":"executive.alert_delivery.unavailable","severity":"warning","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"platform","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator"],"escalateAfterMinutes":30,"escalateToRoleKeys":["holding.executive"],"observedSurface":"api_release_truth","observedSourceKey":null,"observedSourceSystem":null,"summary":"Executive operator alerts still stop at surfaced routing because no governed external paging or messaging target is fully configured yet.","likelyCause":"The runtime does not yet carry both a supported external delivery channel and a human-readable target label for the governed executive alert families.","nextRecoveryAction":"Set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_CHANNEL, ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_TARGET_LABEL, and the required channel-specific secret for the chosen operator-owned target. 
For Slack webhook delivery, set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_SLACK_WEBHOOK_URL, then run ./scripts/exercise-executive-operator-alert-delivery.sh and verify with ./scripts/check-executive-operator-alert-delivery.sh --expect ready.","runbookPath":"docs/external-operator-alert-delivery-runbook-v1.md","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168,"notes":"Active executive incidents are still only visible on API and hosted surfaces because no governed external operator paging or messaging target is configured yet."},{"key":"executive.release_truth.cutover_degraded:hosted_release_truth","status":"active","eventType":"executive.release_truth.cutover_degraded","severity":"warning","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"platform","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator"],"escalateAfterMinutes":30,"escalateToRoleKeys":["holding.executive"],"observedSurface":"hosted_release_truth","observedSourceKey":null,"observedSourceSystem":null,"summary":"Hosted /release-truth confirms the paired API is reachable and aligned, but production cutover remains degraded because the active source set is not currently trustworthy.","likelyCause":"The paired API is aligned, but one or more active sources are still serving stale cached snapshots outside the governed freshness window.","nextRecoveryAction":"Use the active source alerts and recovery packs on this surface to restore trustworthy source health, then verify recovery with 
./scripts/check-executive-source-recovery.sh before treating the active vertical as cutover-ready again.","runbookPath":"docs/executive-ingestion-runbook-v1.md","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured yet.","notes":"Cutover readiness degradation should stay visible on the hosted proof surface, but it must remain distinct from true hosted/API proof drift.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168},{"key":"executive.deploy.skew_detected:hosted_release_truth","status":"active","eventType":"executive.deploy.skew_detected","severity":"info","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"platform","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator"],"escalateAfterMinutes":null,"escalateToRoleKeys":[],"observedSurface":"hosted_release_truth","observedSourceKey":null,"observedSourceSystem":null,"summary":"Hosted web and the paired API are serving different commits, so proof-surface differences may reflect rollout skew rather than runtime failure.","likelyCause":"The hosted web and paired API have not been promoted together yet, or one surface is lagging the other during rollout.","nextRecoveryAction":"Confirm whether the current commit skew is intentional, then use hosted and API release-truth together before treating mismatches as product defects.","runbookPath":"docs/deployment-topology-v1.md","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no 
external paging or messaging target is configured yet.","notes":"Commit skew is informational by default, but it should stay visible so operators can separate rollout lag from genuine proof drift.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168}],"apiReleaseTruth":{"requestHost":"api-production-39ea.up.railway.app","service":"one-ring-api","authMode":"google_oidc","databaseConfigured":true,"executiveSignalProviderMode":"google_calendar_gmail","nextSignalProviderCandidateMode":null,"nextSignalProviderCandidateConfigured":null,"nextSignalProviderCandidateSetupBatch":null,"nextSignalProviderCandidateRolloutSequence":null,"nextSignalProviderCandidateMonitoredSurfaceLabel":null,"nextSignalProviderCandidateDefaultExclusions":[],"nextSignalProviderCandidateProofVectorId":null,"nextSignalProviderCandidateProofSurfaces":[],"nextSignalProviderCandidateProofVariantKeys":[],"nextSignalProviderFollowOnCandidateMode":null,"nextSignalProviderFollowOnCandidateConfigured":null,"nextSignalProviderFollowOnSetupBatch":null,"nextSignalProviderFollowOnRolloutSequence":null,"nextSignalProviderFollowOnMonitoredSurfaceLabel":null,"nextSignalProviderFollowOnDefaultExclusions":[],"nextSignalProviderFollowOnProofVectorId":null,"nextSignalProviderFollowOnProofSurfaces":[],"nextSignalProviderFollowOnProofVariantKeys":[],"executiveIngestionProviders":[{"key":"google_calendar","displayName":"Google Calendar","sourceSystem":"google_calendar","category":"calendar","rolloutStage":"live","setupBatch":"monitored_calendar_and_meeting_surfaces","rolloutSequence":1,"monitoredSurfaceLabel":"monitored executive 
calendar","defaultExclusions":[],"capturePolicy":"monitored_work_surface","ingestionPattern":"scheduled_pull","signalFamilies":["calendar_time"],"featureFlagKey":null,"featureFlagEnabledByDefault":null,"proofVectorId":"google_calendar.prep_gap","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":[],"envConfigured":true,"activeModeSelected":true},{"key":"slack","displayName":"Slack","sourceSystem":"slack","category":"communication","rolloutStage":"live","setupBatch":"monitored_communication_surfaces","rolloutSequence":1,"monitoredSurfaceLabel":"monitored work channel","defaultExclusions":["personal chat"],"capturePolicy":"monitored_work_surface","ingestionPattern":"scheduled_pull","signalFamilies":["communication"],"featureFlagKey":"integrations.executive-ingestion.slack","featureFlagEnabledByDefault":false,"proofVectorId":"slack.customer_escalation","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":[],"envConfigured":false,"activeModeSelected":false},{"key":"gmail","displayName":"Gmail","sourceSystem":"gmail","category":"communication","rolloutStage":"live","setupBatch":"monitored_communication_surfaces","rolloutSequence":2,"monitoredSurfaceLabel":"monitored work mailbox","defaultExclusions":["personal or private mailboxes"],"capturePolicy":"work_account_only","ingestionPattern":"scheduled_pull","signalFamilies":["communication"],"featureFlagKey":"integrations.executive-ingestion.gmail","featureFlagEnabledByDefault":false,"proofVectorId":"gmail.awaiting_reply","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":["unread_important_sender","awaiting_reply","multiple_recent_replies"],"envConfigured":true,"activeModeSelected":true},{"key":"google_meet","displayName":"Google Meet","sourceSystem":"google_meet","category":"meeting","rolloutStage":"scaffolded","setupBatch":"monitored_calendar_and_meeting_surfaces","rolloutSequence":2,"monitoredSurfaceLabel":"monitored meeting follow-through 
surface","defaultExclusions":["private call capture"],"capturePolicy":"monitored_work_surface","ingestionPattern":"scheduled_pull","signalFamilies":["workflow_state"],"featureFlagKey":"integrations.executive-ingestion.google-meet","featureFlagEnabledByDefault":false,"proofVectorId":"google_meet.follow_up_gap","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":["missing_follow_through_artifact"],"envConfigured":false,"activeModeSelected":false},{"key":"google_chat","displayName":"Google Chat","sourceSystem":"google_chat","category":"communication","rolloutStage":"scaffolded","setupBatch":"monitored_communication_surfaces","rolloutSequence":3,"monitoredSurfaceLabel":"monitored workspace room","defaultExclusions":["private one-off conversations"],"capturePolicy":"monitored_work_surface","ingestionPattern":"scheduled_pull","signalFamilies":["communication"],"featureFlagKey":"integrations.executive-ingestion.google-chat","featureFlagEnabledByDefault":false,"proofVectorId":"google_chat.exec_escalation","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":["workspace_room_escalation"],"envConfigured":false,"activeModeSelected":false},{"key":"google_drive_docs","displayName":"Google Drive / Docs","sourceSystem":"google_drive_docs","category":"document","rolloutStage":"scaffolded","setupBatch":"monitored_work_artifact_surfaces","rolloutSequence":1,"monitoredSurfaceLabel":"monitored shared drive or governed shared doc","defaultExclusions":["personal draft storage"],"capturePolicy":"monitored_work_surface","ingestionPattern":"scheduled_pull","signalFamilies":["workflow_state"],"featureFlagKey":"integrations.executive-ingestion.google-drive-docs","featureFlagEnabledByDefault":false,"proofVectorId":"google_drive_docs.brief_gap","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":["stale_monitored_brief"],"envConfigured":false,"activeModeSelected":false},{"key":"google_tasks","displayName":"Google 
Tasks","sourceSystem":"google_tasks","category":"task","rolloutStage":"scaffolded","setupBatch":"monitored_work_artifact_surfaces","rolloutSequence":2,"monitoredSurfaceLabel":"monitored follow-through task list","defaultExclusions":["personal reminders"],"capturePolicy":"monitored_work_surface","ingestionPattern":"scheduled_pull","signalFamilies":["workflow_state"],"featureFlagKey":"integrations.executive-ingestion.google-tasks","featureFlagEnabledByDefault":false,"proofVectorId":"google_tasks.follow_up_gap","proofSurfaces":["release_truth","queue","briefing"],"proofVariantKeys":["due_follow_through_task"],"envConfigured":false,"activeModeSelected":false}],"executiveSignalSourceStatuses":[{"key":"slack","displayName":"Slack","sourceSystem":"slack","activeModeSelected":false,"envConfigured":false,"snapshotStatus":"not_applicable","snapshotRefreshedAt":null,"snapshotAgeSeconds":null,"snapshotMaxAgeSeconds":300,"failureClass":"none","lastFailureDetectedAt":null,"lastFailureMessage":null,"operatorState":"inactive","stateLabel":"Inactive","fallbackState":"not_in_use","currentBehavior":"Slack is not selected by the current provider mode, so its live snapshot is not part of the active executive read.","likelyCause":null,"nextRecoveryAction":"No recovery action is required. Select Slack in the provider mode before expecting live signals from this source.","recoveryPackLabel":"Slack live diagnosis and recovery pack","runbookPath":"docs/executive-ingestion-runbook-v1.md#slack-live-diagnosis-and-recovery-pack","recoveryEvidenceSummary":"Treat Slack as recovered only after hosted and API /release-truth both show trustworthy Slack source truth and authenticated queue plus briefing both return healthy Slack status. 
Verify with ./scripts/check-executive-source-recovery.sh --source slack.","recoveryProofCommand":"./scripts/check-executive-source-recovery.sh --source slack","requestTimeState":null,"requestTimeFailureClass":null,"requestTimeDiagnosisCode":null,"recoveryEvidenceState":"not_applicable","recoveryEvidenceStateLabel":"Not applicable"}],"executiveOperatorAlerts":[{"key":"executive.signal_source.auth_invalid:google_calendar:api_release_truth","status":"active","eventType":"executive.signal_source.auth_invalid","severity":"critical","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"tenant","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator","subsidiary.manager"],"escalateAfterMinutes":15,"escalateToRoleKeys":["holding.executive"],"observedSurface":"api_release_truth","observedSourceKey":"google_calendar","observedSourceSystem":"google_calendar","summary":"Google Calendar is still serving the cached snapshot from 2026-04-03T20:43:27.077Z, but the active upstream credentials are now being rejected so refreshes cannot replace that snapshot.","likelyCause":"The upstream provider rejected the active credentials or delegated grant after at least one successful snapshot was stored.","nextRecoveryAction":"Restore or rotate the active Google Calendar credentials for the monitored executive calendar, then verify recovery with ./scripts/check-executive-source-recovery.sh --source google_calendar before treating current executive output as trustworthy again.","runbookPath":"docs/executive-ingestion-runbook-v1.md#google-calendar-live-diagnosis-and-recovery-pack","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured 
yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168,"notes":"An active executive source with invalid upstream credentials or delegated grants is a critical operator-trust incident because recovery depends on explicit credential repair rather than passive retry."},{"key":"executive.signal_source.auth_invalid:gmail:api_release_truth","status":"active","eventType":"executive.signal_source.auth_invalid","severity":"critical","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"tenant","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator","subsidiary.manager"],"escalateAfterMinutes":15,"escalateToRoleKeys":["holding.executive"],"observedSurface":"api_release_truth","observedSourceKey":"gmail","observedSourceSystem":"gmail","summary":"Gmail is still serving the cached snapshot from 2026-04-04T21:42:06.617Z, but the active upstream credentials are now being rejected so refreshes cannot replace that snapshot.","likelyCause":"The upstream provider rejected the active credentials or delegated grant after at least one successful snapshot was stored.","nextRecoveryAction":"Restore or rotate the active Gmail credentials for the monitored work mailbox, then verify recovery with ./scripts/check-executive-source-recovery.sh --source gmail before treating current executive output as trustworthy again.","runbookPath":"docs/executive-ingestion-runbook-v1.md#gmail-live-diagnosis-and-recovery-pack","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured 
yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168,"notes":"An active executive source with invalid upstream credentials or delegated grants is a critical operator-trust incident because recovery depends on explicit credential repair rather than passive retry."},{"key":"executive.alert_delivery.unavailable:api_release_truth","status":"active","eventType":"executive.alert_delivery.unavailable","severity":"warning","audience":"platform_operations","audienceLabel":"Platform operations","tenantScope":"platform","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator"],"escalateAfterMinutes":30,"escalateToRoleKeys":["holding.executive"],"observedSurface":"api_release_truth","observedSourceKey":null,"observedSourceSystem":null,"summary":"Executive operator alerts still stop at surfaced routing because no governed external paging or messaging target is fully configured yet.","likelyCause":"The runtime does not yet carry both a supported external delivery channel and a human-readable target label for the governed executive alert families.","nextRecoveryAction":"Set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_CHANNEL, ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_TARGET_LABEL, and the required channel-specific secret for the chosen operator-owned target. 
For Slack webhook delivery, set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_SLACK_WEBHOOK_URL, then run ./scripts/exercise-executive-operator-alert-delivery.sh and verify with ./scripts/check-executive-operator-alert-delivery.sh --expect ready.","runbookPath":"docs/external-operator-alert-delivery-runbook-v1.md","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168,"notes":"Active executive incidents are still only visible on API and hosted surfaces because no governed external operator paging or messaging target is configured yet."}],"executiveOperatorAlertDeliveryGate":{"status":"blocked_by_surface_only_delivery","statusLabel":"Blocked by unconfigured external delivery target","summary":"Executive operator alerts still stop at surfaced routing because no governed external paging or messaging target is fully configured yet.","ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator"],"escalateAfterMinutes":30,"escalateToRoleKeys":["holding.executive"],"likelyCause":"The runtime does not yet carry both a supported external delivery channel and a human-readable target label for the governed executive alert families.","nextRecoveryAction":"Set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_CHANNEL, ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_TARGET_LABEL, and the required channel-specific secret for the chosen operator-owned target. 
For Slack webhook delivery, set ONE_RING_EXECUTIVE_OPERATOR_ALERT_DELIVERY_SLACK_WEBHOOK_URL, then run ./scripts/exercise-executive-operator-alert-delivery.sh and verify with ./scripts/check-executive-operator-alert-delivery.sh --expect ready.","proofSurfaceKeys":["hosted_release_truth","api_release_truth"],"coveredEventTypes":["executive.signal_source.auth_invalid","executive.signal_source.degraded","executive.signal_source.unavailable","executive.surface.unavailable","executive.alert_delivery.unavailable","executive.release_truth.drift_detected","executive.release_truth.cutover_degraded","executive.release_truth.unavailable","executive.deploy.skew_detected"],"deliveryEvidenceSummary":"Treat external executive alert delivery as ready only after the governed target is fully configured, ./scripts/exercise-executive-operator-alert-delivery.sh records a successful live drill, the last proven timestamp is no older than 168 hours, and ./scripts/check-executive-operator-alert-delivery.sh --expect ready passes against hosted and API release truth.","deliveryProofCommands":["./scripts/exercise-executive-operator-alert-delivery.sh","./scripts/check-executive-operator-alert-delivery.sh --expect ready"],"runbookPath":"docs/external-operator-alert-delivery-runbook-v1.md","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured yet.","deliveryTargetChannel":null,"deliveryTargetChannelLabel":null,"deliveryTargetLabel":null,"deliveryProofState":"not_configured","deliveryProofStateLabel":"No external delivery target configured","deliveryLastProvenAt":null,"deliveryProofMaxAgeHours":168},"executiveSourceRecoveryGate":{"status":"blocked_by_auth_invalid","statusLabel":"Blocked by invalid credentials","summary":"Production recovery remains blocked because Google Calendar and Gmail cannot 
refresh with valid upstream credentials or delegated grants.","blockedSourceKeys":["google_calendar","gmail"],"blockedSourceDisplayNames":["Google Calendar","Gmail"],"ownerLabel":"Platform operations","notifyRoleKeys":["platform.operator","subsidiary.manager"],"escalateAfterMinutes":15,"escalateToRoleKeys":["holding.executive"],"likelyCause":"The upstream provider rejected the active credentials or delegated grant after at least one successful snapshot was stored.","nextRecoveryAction":"Restore or rotate the active credentials or delegated grants for Google Calendar and Gmail, redeploy the API if the runtime env changed, then verify recovery with ./scripts/check-executive-source-recovery.sh --source google_calendar and ./scripts/check-executive-source-recovery.sh --source gmail before treating production executive output as trustworthy again.","proofSurfaceKeys":["hosted_release_truth","api_release_truth","executive_queue","executive_briefing"],"recoveryEvidenceSummary":"Treat Google Calendar and Gmail as recovered only when hosted and API /release-truth both show trustworthy source truth for the blocked source set and authenticated queue plus briefing both return healthy status for Google Calendar and Gmail.","recoveryProofCommands":["./scripts/check-executive-source-recovery.sh --source google_calendar","./scripts/check-executive-source-recovery.sh --source gmail"],"runbookPath":"docs/executive-ingestion-runbook-v1.md#live-source-diagnosis-and-recovery-packs","deliveryState":"surface_only","deliveryStateLabel":"Surface-only routing","deliverySummary":"Governed notify roles and escalation targets are currently surfaced on API and hosted operator views only; no external paging or messaging target is configured 
yet."},"googleWorkspaceSourceAuthControl":null,"railwayEnvironmentName":"production","railwayServiceName":"api","railwayDeploymentId":"0786a17f-7910-445a-919a-85263e7c3c14","railwayGitCommitSha":"bdfd399e3f728b17e1107a92d76186780d2ae0c8","railwayGitCommitShaSource":"one_ring_runtime_git_sha","googleCalendarSnapshotStatus":"stale","googleCalendarSnapshotRefreshedAt":"2026-04-03T20:43:27.077Z","googleCalendarSnapshotAgeSeconds":4909680,"googleCalendarSnapshotMaxAgeSeconds":300}}