{
  "task": "HRMS_FEISHU_READONLY_TOKEN_PROVIDER_AND_REFRESH_ENDPOINT_BLOCKER_REVIEW_PACK_Z5A",
  "generated_at": "2026-06-03T16:41:11+08:00",
  "recommended_repairs": [
    {
      "repair": "Token cache refresh / provider usability remediation",
      "gate": "FEISHU_READONLY_TOKEN_CACHE_REFRESH_GATE",
      "requirements": [
        "metadata-only refresh or manual provider check",
        "do not output token/secret",
        "verify readonly scope and write_scope_detected=false",
        "verify provider_usable=true and ttl_seconds>0"
      ]
    },
    {
      "repair": "Safe refresh-dry-run endpoint code apply",
      "gate": "FEISHU_READONLY_REFRESH_DRY_RUN_ENDPOINT_CODE_APPLY_GATE",
      "requirements": [
        "POST /api/feishu-readonly-snapshot/refresh-dry-run",
        "dry_run mode only",
        "write only three snapshot tables",
        "forbid master data writes",
        "public output counts/status/run_id only",
        "source_run_id required",
        "privacy guardrails and row_count validation required",
        "failure gate required"
      ]
    }
  ],
  "do_not_do_in_repair": [
    "do not call Feishu write APIs",
    "do not import employees",
    "do not create permission_subject",
    "do not write master data",
    "do not output raw token/secret or employee identifiers"
  ]
}