{
  "evidence_version": 1,
  "gate": "H2",
  "infisical_secret_names": [
    "POLIS_PENTEST_INTAKE_SECRET",
    "POLIS_CLOUDFLARE_EMAIL_ROUTING_READ_TOKEN",
    "POLIS_CLOUDFLARE_PAGES_API_TOKEN"
  ],
  "infisical_secret_path": "/polis/socialmedia2_com",
  "intake_addresses": [
    "security@socialmedia2.com",
    "review@socialmedia2.com"
  ],
  "intake_evidence": "ops/email-routing/socialmedia2.com/cloudflare-email-routing.json",
  "no_paid_operations": true,
  "requested_report_file": "security/pentest/reports/socialmedia2-independent-pentest-report.pdf",
  "requested_summary_file": "security/pentest/latest.json",
  "review_assembly_tool": "scripts/ops/assemble_external_review_evidence.py pentest",
  "review_constraints": {
    "critical_open_must_equal": 0,
    "high_open_must_equal": 0,
    "must_be_external": true,
    "must_be_independent": true,
    "must_be_within_last_12_months": true
  },
  "review_type": "external_security_pentest",
  "scope": [
    "socialmedia2.com",
    "cloudflare_pages_static_bundle",
    "observability_endpoints",
    "repository_source",
    "mcp_and_api_surface"
  ],
  "target": {
    "cloudflare_pages_report": "deploy/socialmedia2.com/cloudflare-pages.json",
    "domain": "socialmedia2.com",
    "pages_project": "polis-socialmedia2",
    "repository": "https://github.com/ChrisRoyse/Polis",
    "reviewed_commit_binding": "reviewed commit must be current when the external report is assembled; only security/pentest evidence may be committed after that reviewed commit"
  }
}