fix(hcg-policy): cover wired POST /cartridge/:name/sse (Phase E §1.5)

[hyperpolymath]

Summary

Re-verifies config/gateway-policy-boj-example.yaml against the live BojRest.Router for HCG tier-2 rollout (Phase E §1.5 prereq, standards#100). The wired POST /cartridge/:name/sse route — elixir/lib/boj_rest/router.ex line 130, called out in ADR-0013 §6 and the STATE entry 2026-05-18 ("boj-rest SSE: POST /cartridge/:name/sse on the same single Cowboy listener + trust-gated dispatch") — was absent from the example policy. Silent surface drift since contract v1.0; exactly the risk Phase A flagged.

• Adds cartridge-sse-post rule (regex ^/cartridge/[A-Za-z0-9_.-]+/sse$, POST, authenticated) alongside cartridge-invoke-post. Same BojRest.Router.check_trust/3 gate, same per-cartridge auth.method requirement, streaming envelope around a single dispatch.
• Updates the example-policy "Surface source" header to record the 2026-05-28 re-verification and point at the new rule.
• Ticks the §1.5 surface-coverage checkbox on docs/integration/hcg-tier2-rollout-runbook.md with the re-verification date; flags live-policy promotion as the remaining work before §3.1.

The unrelated top-level /sse GET rule (declared-not-yet-wired, openapi.yaml only) is left in place — different path, different verb, different surface.

What this PR does NOT do

• Does not close standards#100. Phase E still has: gateway smoke-test against this policy (§1.5 next box); live-policy promotion (config/gateway-policy-boj.yaml); §1.4 !OWNER: block; Phase D-4 baseline (bench/baseline.json _status still "scaffold-placeholder" upstream — gates the perf-regression CI alert); staging soak (§2.3); production rollout (§3); §6.4 Trustfile flip.
• Does not change runtime behaviour (config-only).

Test plan

• Policy YAML re-parses (python3 -c "import yaml; yaml.safe_load(open('config/gateway-policy-boj-example.yaml'))"); 27 → 28 routes; global_verbs still [GET, POST].
• Both sse-get (top-level, declared-not-yet-wired) and cartridge-sse-post (per-cartridge, wired) appear as distinct rules under the parsed governance.routes list.
• All seven routes wired in BojRest.Router (/.well-known/boj-node-pubkey, /health, /menu, /cartridges, /cartridge/:name, /cartridge/:name/invoke, /cartridge/:name/sse) now have a matching policy entry.
• Future (separate session, Phase E §2.1): stand the gateway up against this policy, confirm POST /cartridge/:name/sse with X-Trust-Level: authenticated proxies through and with X-Trust-Level: untrusted returns 403. Out of scope for this PR; that flips the §1.5 smoke-test checkbox, not this one.

Refs hyperpolymath/standards#100
Refs hyperpolymath/standards#91

🤖 Generated with Claude Code

---

Generated by Claude Code

[github-actions]

🔍 Hypatia Security Scan

Findings: 179 issues detected

Severity	Count
🔴 Critical	17
🟠 High	123
🟡 Medium	39

⚠️ Action Required: Critical security issues found!

View findings

[
  {
    "reason": "Stale AI session file -- delete",
    "type": "stale",
    "file": "GEMINI.md",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "medium"
  },
  {
    "reason": "Issue in abi-drift.yml",
    "type": "unknown",
    "file": "abi-drift.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in container-publish.yml",
    "type": "unknown",
    "file": "container-publish.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence