{
    "ok": true,
    "manifest": {
        "service": "Evaluator API",
        "stage": "Stage 17",
        "status": "security-hardened",
        "capabilities": [
            "require static API key authorization via the X-Api-Key or Authorization: Bearer header",
            "validate the JSON request body and the Russian INN (10 or 12 digits)",
            "load active config artifact from PostgreSQL by config_id",
            "validate active config structure and config_hash before execution",
            "execute generic HTTP sources described only by config JSON",
            "resolve runtime templates {{inn}}, {{context.xxx}} and legacy ${INPUT:inn}",
            "resolve ${ENV:NAME} placeholders without exposing secret values",
            "redact Authorization, API keys, tokens, passwords and known ENV values",
            "require allowed_domains, enforce DNS-pinned SSRF protection and clamp HTTP limits",
            "extract configured JSON/XML fields from source results",
            "evaluate generic criteria rules and no_data_rules",
            "apply generic config-driven decision rules",
            "return decision, score, criteria, source call metadata and technical summary",
            "omit raw source payloads from public API response by default",
            "write redacted api_request_log when API_LOG_ENABLED=true",
            "optionally send sanitized normalized evaluation results to an LLM gateway",
            "isolate LLM failures from the main evaluation response",
            "dispatch LLM results to configured email and webhook/messenger channels"
        ],
        "endpoints": {
            "GET /": "service manifest",
            "GET /health.php": "health status",
            "POST /evaluate.php": "load active config by config_id and evaluate INN"
        }
    }
}