TuneVault Oracle Health Check — Security Commands Reference
============================================================
Generated: 2026-05-11
Proxy version: 3.2.1
Source: https://tunevault.app/security/commands
Read-only: YES — all queries are SELECT only, no writes.

============================================================
SECTION 0: REQUIRED ORACLE GRANTS
============================================================

-- Core catalog access (covers DBA_*, V$*, GV$* views)
GRANT SELECT_CATALOG_ROLE TO tunevault_user;
GRANT CREATE SESSION TO tunevault_user;

-- Alert log access (NOT covered by SELECT_CATALOG_ROLE)
GRANT SELECT ON V_$DIAG_ALERT_EXT TO tunevault_user;

-- EBS Apps schema (skip on non-EBS Oracle databases)
GRANT SELECT ON APPS.FND_CONCURRENT_QUEUES TO tunevault_user;
GRANT SELECT ON APPS.FND_CONCURRENT_QUEUES_VL TO tunevault_user;
GRANT SELECT ON APPS.FND_SVC_COMPONENTS TO tunevault_user;
GRANT SELECT ON APPS.FND_CONCURRENT_REQUESTS TO tunevault_user;
GRANT SELECT ON APPS.WF_NOTIFICATIONS TO tunevault_user;
GRANT SELECT ON APPS.WF_ERROR TO tunevault_user;
GRANT SELECT ON APPS.FND_OAM_METVAL TO tunevault_user;

============================================================
SECTION 1: SQL QUERIES (all SELECT, no writes)
============================================================

--- INSTANCE & VERSION ---

-- Instance information (V$DATABASE, V$INSTANCE, V$PARAMETER)
SELECT d.NAME, i.INSTANCE_NAME, i.HOST_NAME, i.VERSION,
  d.PLATFORM_NAME, TO_CHAR(i.STARTUP_TIME, 'YYYY-MM-DD HH24:MI:SS'),
  ROUND(SYSDATE - i.STARTUP_TIME),
  (SELECT VALUE FROM v$parameter WHERE name = 'cpu_count'),
  ROUND((SELECT TO_NUMBER(VALUE)/1024/1024/1024 FROM v$parameter WHERE name = 'sga_target'), 1),
  ROUND((SELECT TO_NUMBER(VALUE)/1024/1024/1024 FROM v$parameter WHERE name = 'pga_aggregate_target'), 1),
  (SELECT TO_NUMBER(VALUE) FROM v$parameter WHERE name = 'db_block_size')
FROM v$database d, v$instance i;

-- Version banner (V$VERSION)
SELECT BANNER FROM V$VERSION WHERE ROWNUM = 1;

--- STORAGE ---

-- Tablespace usage (DBA_TABLESPACE_USAGE_METRICS, DBA_TABLESPACES, DBA_DATA_FILES)
SELECT ts.TABLESPACE_NAME, ROUND(um.USED_SPACE * ts.BLOCK_SIZE / 1024/1024/1024, 1),
  ROUND(um.TABLESPACE_SIZE * ts.BLOCK_SIZE / 1024/1024/1024, 1),
  ROUND(um.USED_PERCENT, 1),
  CASE WHEN df.autoext > 0 THEN 1 ELSE 0 END
FROM DBA_TABLESPACE_USAGE_METRICS um
JOIN DBA_TABLESPACES ts ON ts.TABLESPACE_NAME = um.TABLESPACE_NAME
LEFT JOIN (SELECT TABLESPACE_NAME, SUM(CASE WHEN AUTOEXTENSIBLE='YES' THEN 1 ELSE 0 END) AS autoext
           FROM DBA_DATA_FILES GROUP BY TABLESPACE_NAME) df
  ON df.TABLESPACE_NAME = um.TABLESPACE_NAME
ORDER BY um.USED_PERCENT DESC;

-- Undo stats (V$UNDOSTAT)
SELECT UNDOBLKS, TXNCOUNT, MAXQUERYLEN, MAXCONCURRENCY,
  TUNED_UNDORETENTION, EXPIREDBLKS, UNEXPIREDBLKS, ACTIVEBLKS
FROM V$UNDOSTAT WHERE ROWNUM = 1 ORDER BY END_TIME DESC;

-- Undo tablespace size (DBA_DATA_FILES, DBA_TABLESPACES, DBA_FREE_SPACE)
SELECT d.TABLESPACE_NAME, SUM(d.BYTES)/1073741824, SUM(d.BYTES - NVL(f.FREE_BYTES,0))/1073741824,
  ROUND(SUM(d.BYTES - NVL(f.FREE_BYTES,0))/SUM(d.BYTES)*100,1), t.RETENTION
FROM DBA_DATA_FILES d JOIN DBA_TABLESPACES t ON t.TABLESPACE_NAME=d.TABLESPACE_NAME
LEFT JOIN (SELECT FILE_ID, SUM(BYTES) AS FREE_BYTES FROM DBA_FREE_SPACE GROUP BY FILE_ID) f
  ON f.FILE_ID=d.FILE_ID
WHERE t.CONTENTS='UNDO' GROUP BY d.TABLESPACE_NAME, t.RETENTION;

-- Temp tablespace free space (DBA_TEMP_FREE_SPACE)
SELECT TABLESPACE_NAME, ROUND(TABLESPACE_SIZE/1073741824,2),
  ROUND(FREE_SPACE/1073741824,2),
  ROUND((TABLESPACE_SIZE-FREE_SPACE)/NULLIF(TABLESPACE_SIZE,0)*100,1)
FROM DBA_TEMP_FREE_SPACE;

-- Top temp-consuming sessions (V$TEMPSEG_USAGE)
SELECT s.SID, s.SERIAL#, s.USERNAME, ROUND(s.BLOCKS*8192/1048576,1), s.TABLESPACE
FROM V$TEMPSEG_USAGE s ORDER BY s.BLOCKS DESC FETCH FIRST 10 ROWS ONLY;

-- Top 10 segments by size (DBA_SEGMENTS)
SELECT OWNER, SEGMENT_NAME, SEGMENT_TYPE, ROUND(SUM(BYTES)/1073741824,2)
FROM DBA_SEGMENTS
WHERE OWNER NOT IN ('SYS','SYSTEM','DBSNMP','SYSMAN','OUTLN','MDSYS','ORDSYS','XDB','CTXSYS','WMSYS','EXFSYS')
GROUP BY OWNER, SEGMENT_NAME, SEGMENT_TYPE ORDER BY 4 DESC FETCH FIRST 10 ROWS ONLY;

-- Offline datafiles (DBA_DATA_FILES)
SELECT COUNT(*), COUNT(CASE WHEN STATUS='OFFLINE' THEN 1 END)
FROM DBA_DATA_FILES WHERE STATUS NOT IN ('AVAILABLE','ONLINE');

-- Recycle bin size (DBA_RECYCLEBIN)
SELECT COUNT(*), ROUND(SUM(SPACE)*8192/1073741824,2) FROM DBA_RECYCLEBIN;

--- MEMORY (SGA/PGA) ---

-- SGA size (V$SGA)
SELECT ROUND(SUM(VALUE)/1024/1024/1024,1) FROM V$SGA;

-- Buffer cache hit ratio (V$SYSSTAT)
SELECT ROUND((1-(phys.VALUE/(db_gets.VALUE+con_gets.VALUE)))*100,1)
FROM (SELECT VALUE FROM V$SYSSTAT WHERE NAME='physical reads') phys,
     (SELECT VALUE FROM V$SYSSTAT WHERE NAME='db block gets') db_gets,
     (SELECT VALUE FROM V$SYSSTAT WHERE NAME='consistent gets') con_gets;

-- Library cache hit ratio (V$LIBRARYCACHE)
SELECT ROUND(SUM(PINS-RELOADS)/NULLIF(SUM(PINS),0)*100,1) FROM V$LIBRARYCACHE;

-- Dictionary cache hit ratio (V$ROWCACHE)
SELECT ROUND(SUM(GETS-GETMISSES)/NULLIF(SUM(GETS),0)*100,1) FROM V$ROWCACHE;

-- Shared pool free % (V$SGASTAT)
SELECT ROUND(free_bytes.val/total_bytes.val*100,1)
FROM (SELECT SUM(BYTES) AS val FROM V$SGASTAT WHERE POOL='shared pool' AND NAME='free memory') free_bytes,
     (SELECT SUM(BYTES) AS val FROM V$SGASTAT WHERE POOL='shared pool') total_bytes;

-- PGA stats (V$PGASTAT, V$PARAMETER, V$SQL_WORKAREA_HISTOGRAM)
SELECT ROUND((SELECT TO_NUMBER(VALUE)/1024/1024/1024 FROM v$parameter WHERE name='pga_aggregate_target'),1),
  ROUND((SELECT VALUE/1024/1024/1024 FROM V$PGASTAT WHERE NAME='total PGA allocated'),1),
  ROUND((SELECT VALUE/1024/1024/1024 FROM V$PGASTAT WHERE NAME='maximum PGA allocated'),1),
  (SELECT VALUE FROM V$PGASTAT WHERE NAME='over allocation count'),
  ROUND((SELECT VALUE FROM V$PGASTAT WHERE NAME='cache hit percentage'),1)
FROM DUAL;

-- OS memory & CPU via Oracle (V$OSSTAT)
SELECT STAT_NAME, VALUE FROM V$OSSTAT
WHERE STAT_NAME IN ('NUM_CPUS','IDLE_TIME','BUSY_TIME','USER_TIME','SYS_TIME',
  'IOWAIT_TIME','PHYSICAL_MEMORY_BYTES','FREE_MEMORY_BYTES');

--- PERFORMANCE ---

-- Top 10 SQL by elapsed time (V$SQL)
SELECT SQL_ID, SUBSTR(SQL_TEXT,1,500), EXECUTIONS, ROUND(ELAPSED_TIME/1000000,1),
  ROUND(CPU_TIME/1000000,1), BUFFER_GETS, DISK_READS, ROWS_PROCESSED,
  CASE WHEN EXECUTIONS>0 THEN ROUND(ELAPSED_TIME/EXECUTIONS/1000,2) ELSE 0 END,
  CASE WHEN EXECUTIONS>0 THEN ROUND(BUFFER_GETS/EXECUTIONS) ELSE 0 END,
  PLAN_HASH_VALUE
FROM V$SQL
WHERE EXECUTIONS>0 AND ELAPSED_TIME>0
  AND PARSING_SCHEMA_NAME NOT IN ('SYS','SYSTEM','DBSNMP','SYSMAN','OUTLN',
    'MDSYS','ORDSYS','EXFSYS','WMSYS','APPQOSSYS','DBSFWUSER')
  AND SQL_TEXT NOT LIKE '%v$%' AND SQL_TEXT NOT LIKE '%V$%'
  AND COMMAND_TYPE IN (2,3,6,7,189)
ORDER BY ELAPSED_TIME DESC FETCH FIRST 10 ROWS ONLY;

-- Top 15 wait events (V$SYSTEM_EVENT)
SELECT EVENT, WAIT_CLASS, TOTAL_WAITS, ROUND(TIME_WAITED/100,1),
  CASE WHEN TOTAL_WAITS>0 THEN ROUND((TIME_WAITED/100/TOTAL_WAITS)*1000,2) ELSE 0 END
FROM V$SYSTEM_EVENT
WHERE WAIT_CLASS NOT IN ('Idle') AND TOTAL_WAITS>0
ORDER BY TIME_WAITED DESC FETCH FIRST 15 ROWS ONLY;

-- Index health top 20 (DBA_INDEXES, DBA_IND_STATISTICS, V$PARAMETER)
SELECT i.OWNER, i.INDEX_NAME, i.TABLE_NAME,
  ROUND(s.LEAF_BLOCKS*(SELECT TO_NUMBER(VALUE) FROM v$parameter WHERE name='db_block_size')/1024/1024) AS size_mb,
  i.BLEVEL, s.LEAF_BLOCKS, i.CLUSTERING_FACTOR, NVL(s.PCT_DIRECT_ACCESS,100), i.STATUS,
  CASE WHEN i.STATUS!='VALID' THEN 'unusable' WHEN i.BLEVEL>4 THEN 'critical'
       WHEN NVL(s.PCT_DIRECT_ACCESS,100)<50 THEN 'critical'
       WHEN i.BLEVEL>3 THEN 'fragmented' WHEN NVL(s.PCT_DIRECT_ACCESS,100)<70 THEN 'fragmented'
       ELSE 'ok' END
FROM DBA_INDEXES i
LEFT JOIN DBA_IND_STATISTICS s ON s.OWNER=i.OWNER AND s.INDEX_NAME=i.INDEX_NAME AND s.PARTITION_NAME IS NULL
WHERE i.OWNER NOT IN ('SYS','SYSTEM','DBSNMP','SYSMAN','OUTLN','MDSYS','ORDSYS','EXFSYS',
  'WMSYS','XDB','CTXSYS','APPQOSSYS','DBSFWUSER','APEX_040000','APEX_040200','APEX_050000','FLOWS_FILES')
  AND i.INDEX_TYPE='NORMAL' AND NVL(s.LEAF_BLOCKS,0)>100
ORDER BY CASE WHEN i.STATUS!='VALID' THEN 1 WHEN i.BLEVEL>4 THEN 2
              WHEN i.BLEVEL>3 THEN 3 ELSE 4 END, s.LEAF_BLOCKS DESC NULLS LAST
FETCH FIRST 20 ROWS ONLY;

-- Resource limits (V$RESOURCE_LIMIT)
SELECT RESOURCE_NAME, CURRENT_UTILIZATION, MAX_UTILIZATION, INITIAL_ALLOCATION, LIMIT_VALUE
FROM V$RESOURCE_LIMIT
WHERE RESOURCE_NAME IN ('sessions','processes','enqueue_locks','enqueue_resources',
  'dml_locks','temporary_table_locks','transactions','max_rollback_segments');

-- Session counts and blocked sessions (V$SESSION)
SELECT COUNT(*), COUNT(CASE WHEN STATUS='ACTIVE' AND TYPE='USER' THEN 1 END),
  COUNT(CASE WHEN TYPE='USER' THEN 1 END) FROM V$SESSION;
SELECT COUNT(*) FROM V$SESSION WHERE BLOCKING_SESSION IS NOT NULL AND STATUS='ACTIVE';
SELECT COUNT(*), ROUND(MAX((SYSDATE-SQL_EXEC_START)*1440),1) FROM V$SESSION
WHERE STATUS='ACTIVE' AND TYPE='USER' AND SQL_EXEC_START IS NOT NULL
  AND (SYSDATE-SQL_EXEC_START)*1440>5;

-- Disk sort and full table scan ratios (V$SYSSTAT)
SELECT d.VALUE, m.VALUE FROM (SELECT VALUE FROM V$SYSSTAT WHERE NAME='sorts (disk)') d,
  (SELECT VALUE FROM V$SYSSTAT WHERE NAME='sorts (memory)') m;
SELECT s.VALUE, i.VALUE FROM (SELECT VALUE FROM V$SYSSTAT WHERE NAME='table scans (long tables)') s,
  (SELECT VALUE FROM V$SYSSTAT WHERE NAME='table fetch by rowid') i;

-- Invalid objects (DBA_OBJECTS)
SELECT COUNT(*), COUNT(CASE WHEN OBJECT_TYPE IN ('PACKAGE BODY','PACKAGE') THEN 1 END),
  COUNT(CASE WHEN OBJECT_TYPE='PROCEDURE' THEN 1 END),
  COUNT(CASE WHEN OBJECT_TYPE='VIEW' THEN 1 END),
  COUNT(CASE WHEN OBJECT_TYPE='TRIGGER' THEN 1 END)
FROM DBA_OBJECTS WHERE STATUS='INVALID'
  AND OWNER NOT IN ('SYS','SYSTEM','DBSNMP','SYSMAN','OUTLN','MDSYS','ORDSYS','XDB',
    'CTXSYS','WMSYS','EXFSYS','APPQOSSYS','DBSFWUSER','OJVMSYS','DVSYS','LBACSYS');

-- Stale statistics (DBA_TAB_STATISTICS)
SELECT COUNT(*), COUNT(CASE WHEN LAST_ANALYZED IS NULL THEN 1 END)
FROM DBA_TAB_STATISTICS WHERE STALE_STATS='YES'
  AND OWNER NOT IN ('SYS','SYSTEM','DBSNMP','SYSMAN','OUTLN','MDSYS','ORDSYS','XDB','CTXSYS','WMSYS','EXFSYS');

-- SCN headroom (V$DATABASE)
SELECT CURRENT_SCN,
  ROUND((TO_NUMBER(SYSDATE-TO_DATE('01-01-1988','DD-MM-YYYY'))*24*3600*16384*1024-CURRENT_SCN)/(24*3600*16384),0)
FROM V$DATABASE;

-- Alert log errors last 24h (V$DIAG_ALERT_EXT) -- requires explicit GRANT SELECT ON V_$DIAG_ALERT_EXT
SELECT TO_CHAR(ORIGINATING_TIMESTAMP,'YYYY-MM-DD HH24:MI:SS'), MESSAGE_TEXT
FROM V$DIAG_ALERT_EXT
WHERE ORIGINATING_TIMESTAMP>SYSDATE-1
  AND (MESSAGE_TEXT LIKE 'ORA-%' OR MESSAGE_TEXT LIKE '%checkpoint%'
       OR MESSAGE_TEXT LIKE '%corruption%' OR MESSAGE_TEXT LIKE '%recovery%'
       OR MESSAGE_TEXT LIKE '%error%' OR MESSAGE_TEXT LIKE '%warning%'
       OR MESSAGE_TEXT LIKE '%TNS-%' OR MESSAGE_TEXT LIKE '%instance%'
       OR MESSAGE_TEXT LIKE 'Thread%')
ORDER BY ORIGINATING_TIMESTAMP DESC FETCH FIRST 200 ROWS ONLY;

--- BACKUP & RECOVERY ---

-- RMAN backup freshness (V$RMAN_BACKUP_JOB_DETAILS)
SELECT INPUT_TYPE, STATUS, TO_CHAR(START_TIME,'YYYY-MM-DD HH24:MI:SS'),
  TO_CHAR(END_TIME,'YYYY-MM-DD HH24:MI:SS'), ROUND((SYSDATE-END_TIME)*24,1),
  ROUND(OUTPUT_BYTES/1073741824,2), ELAPSED_SECONDS
FROM (SELECT *, ROW_NUMBER() OVER (PARTITION BY INPUT_TYPE ORDER BY END_TIME DESC) AS RN
      FROM V$RMAN_BACKUP_JOB_DETAILS WHERE STATUS='COMPLETED') WHERE RN=1;

-- FRA usage (V$RECOVERY_FILE_DEST, V$FLASH_RECOVERY_AREA_USAGE, V$ARCHIVED_LOG)
SELECT NAME, ROUND(SPACE_LIMIT/1073741824,2), ROUND(SPACE_USED/1073741824,2),
  ROUND(SPACE_RECLAIMABLE/1073741824,2), NUMBER_OF_FILES FROM V$RECOVERY_FILE_DEST;
SELECT FILE_TYPE, ROUND(PERCENT_SPACE_USED,1), ROUND(PERCENT_SPACE_RECLAIMABLE,1), NUMBER_OF_FILES
FROM V$FLASH_RECOVERY_AREA_USAGE ORDER BY PERCENT_SPACE_USED DESC;
SELECT ROUND(SUM(BLOCKS*BLOCK_SIZE)/1073741824,2) FROM V$ARCHIVED_LOG
WHERE COMPLETION_TIME>SYSDATE-1 AND STANDBY_DEST='NO';

-- Archivelog mode (V$DATABASE, V$INSTANCE, V$LOG_HISTORY, V$LOG, V$ARCHIVED_LOG)
SELECT LOG_MODE, ROUND((SYSDATE-STARTUP_TIME)*24) FROM V$DATABASE, V$INSTANCE;
SELECT TO_CHAR(COMPLETION_TIME,'YYYY-MM-DD HH24'), COUNT(*), ROUND(SUM(BLOCKS*BLOCK_SIZE)/1048576,1)
FROM V$ARCHIVED_LOG WHERE COMPLETION_TIME>SYSDATE-1 AND STANDBY_DEST='NO'
GROUP BY TO_CHAR(COMPLETION_TIME,'YYYY-MM-DD HH24') ORDER BY 1 DESC;
SELECT ROUND(COUNT(*)/24.0,1), COUNT(*) FROM V$LOG_HISTORY WHERE FIRST_TIME>SYSDATE-1;

-- Backup corruption (V$RMAN_STATUS, V$BACKUP_CORRUPTION, V$COPY_CORRUPTION)
SELECT COUNT(*), SUM(BLOCKS) FROM V$BACKUP_CORRUPTION;
SELECT COUNT(*), SUM(BLOCKS) FROM V$COPY_CORRUPTION;

--- SECURITY ---

-- Default-password accounts (DBA_USERS_WITH_DEFPWD)
SELECT COUNT(*) FROM DBA_USERS_WITH_DEFPWD WHERE ACCOUNT_STATUS='OPEN';

-- Dangerous PUBLIC grants (DBA_SYS_PRIVS)
SELECT COUNT(*) FROM DBA_SYS_PRIVS WHERE GRANTEE='PUBLIC'
  AND PRIVILEGE IN ('CREATE PROCEDURE','CREATE ANY PROCEDURE','CREATE ANY TRIGGER',
    'ALTER SYSTEM','ALTER DATABASE','DROP ANY TABLE','EXECUTE ANY PROCEDURE');

-- Schema-only open accounts (DBA_USERS)
SELECT COUNT(*) FROM DBA_USERS
WHERE ACCOUNT_STATUS='OPEN' AND AUTHENTICATION_TYPE='NONE' AND USERNAME NOT IN ('SYS','SYSTEM');

-- Password policy (DBA_PROFILES)
SELECT LIMIT FROM DBA_PROFILES WHERE PROFILE='DEFAULT' AND RESOURCE_NAME='PASSWORD_VERIFY_FUNCTION';

-- Audit trail setting (V$PARAMETER)
SELECT VALUE FROM V$PARAMETER WHERE NAME='audit_trail';

-- DBA-privileged users (DBA_SYS_PRIVS)
SELECT COUNT(DISTINCT GRANTEE) FROM DBA_SYS_PRIVS
WHERE PRIVILEGE='DBA' AND GRANTEE NOT IN ('SYS','SYSTEM','DBA','SYSMAN');

--- EBS / ORACLE APPLICATIONS (EBS environments only) ---

-- Concurrent Manager health (APPS.FND_CONCURRENT_QUEUES, APPS.FND_CONCURRENT_QUEUES_VL)
SELECT b.user_concurrent_queue_name, b.node_name, a.running_processes, a.max_processes
FROM apps.fnd_concurrent_queues a, apps.fnd_concurrent_queues_vl b
WHERE a.concurrent_queue_id = b.concurrent_queue_id;

-- Pending request count (APPS.FND_CONCURRENT_REQUESTS)
SELECT phase_code, COUNT(*) FROM APPS.FND_CONCURRENT_REQUESTS
WHERE phase_code IN ('P','R') GROUP BY phase_code;

-- WF components (APPS.FND_SVC_COMPONENTS)
SELECT component_type, component_name, component_status, startup_mode
FROM apps.fnd_svc_components WHERE component_type LIKE 'WF%' ORDER BY 1, 2;

-- Stuck WF notifications (APPS.WF_NOTIFICATIONS)
SELECT COUNT(*) FROM APPS.WF_NOTIFICATIONS
WHERE STATUS='OPEN' AND MAIL_STATUS='MAIL' AND BEGIN_DATE < SYSDATE - 1/24;

-- WF error queue depth (APPS.WF_ERROR)
SELECT COUNT(*) FROM APPS.WF_ERROR;

-- APPS_JDBC_URL from DB metadata (APPS.FND_OAM_METVAL)
SELECT METVAL_CLOB FROM APPS.FND_OAM_METVAL WHERE METNAME='APPS_JDBC_URL' AND ROWNUM=1;

============================================================
SECTION 2: OS COMMANDS
============================================================

Standard health checks: NONE
All OS-level metrics (CPU, memory, I/O wait) are read from Oracle's V$OSSTAT view
via the database connection — no shell commands required.

EBS-only command (conditional):
  adop -status -detail
  Conditions: EBS checks enabled AND APPS_PWD env var set AND adop binary on PATH.
  Parses: Session ID, Node, Phase, Status from adop's text output.
  If any condition is unmet, the check returns a warning without running the command.

============================================================
SECTION 3: NETWORK EGRESS FROM THE PROXY
============================================================

Host: tunevault.app
Port: 443 (HTTPS / TLS 1.2+)
Connections: 2 endpoints
  1. POST /api/proxy/healthcheck — delivers health check results (JSON metrics)
  2. GET  /api/proxy/version      — auto-update version check (every 6 hours)

Data sent to TuneVault:
  - Oracle performance metrics (tablespace usage, wait events, SQL stats, etc.)
  - Proxy version string (for update check)
  NOT sent: Oracle credentials, database schema, user data rows

Authentication: 64-hex API key in X-API-Key header (generated locally at install time)

No inbound connections from TuneVault.
No Cloudflare Tunnel or VPN required.
No data sent to any third party.

============================================================
END OF DOCUMENT
============================================================