diff --git a/config/gateway-policy-boj-example.yaml b/config/gateway-policy-boj-example.yaml index e1c97299..f8405024 100644 --- a/config/gateway-policy-boj-example.yaml +++ b/config/gateway-policy-boj-example.yaml @@ -23,6 +23,14 @@ # declared in openapi.yaml but not yet wired in router.ex are governed anyway # (contract §8) so they are not silently exposed when implemented. # +# Re-verified 2026-05-28 against `BojRest.Router` for HCG tier-2 rollout +# (Phase E §1.5 prereq, standards#100). Recorded drift since contract v1.0: +# the wired `POST /cartridge/:name/sse` route (router.ex line 130, ADR-0013 +# §6, STATE entry 2026-05-18) was absent from the example policy. Added below +# as `cartridge-sse-post` alongside `cartridge-invoke-post`. The unrelated +# top-level `/sse` GET rule (declared-not-yet-wired, openapi.yaml only) is +# left in place — different path, different verb, different surface. +# # --------------------------------------------------------------------------- # DEFAULT-DENY NOTE (must be confirmed in the Phase A manual verification) # --------------------------------------------------------------------------- @@ -120,6 +128,22 @@ governance: check_trust/3 requires internal/authenticated for cartridges whose auth.method is not `none`." + - path: "^/cartridge/[A-Za-z0-9_.-]+/sse$" + verbs: [POST] + exposure: "authenticated" + name: "cartridge-sse-post" + narrative: "Tool dispatch into a cartridge over Server-Sent Events + (text/event-stream: open → result|error → done; ADR-0013 §6, router.ex + line 130). Same `BojRest.Router.check_trust/3` gate as + cartridge-invoke-post, same per-cartridge auth.method requirement — + just a streaming response envelope around one dispatch. The handler + is bounded (single tool invocation framed by open/done), not + long-lived, so the proxy-timeout / circuit-breaker risk flagged on + sse-get is narrower here: bracketed by tool latency, not by stream + duration. Phase D benchmarks should still cover this path before the + live policy promotes it (Phase E §1.5 surface-drift verification, + standards#100)." + - path: "/graphql" verbs: [POST] exposure: "authenticated" diff --git a/docs/integration/hcg-tier2-rollout-runbook.md b/docs/integration/hcg-tier2-rollout-runbook.md index 4440f492..de41f614 100644 --- a/docs/integration/hcg-tier2-rollout-runbook.md +++ b/docs/integration/hcg-tier2-rollout-runbook.md @@ -81,7 +81,7 @@ These cannot be inferred from the code/contract; the owner must fill them before - [ ] Gateway Containerfile built and signed as a `.ctp` bundle via cerro-torre (plan §E1). - [ ] `container/gateway-deploy.k9.ncl` exists in the gateway repo (plan §E1). -- [ ] Gateway policy file in place: `config/gateway-policy-boj-example.yaml`, covering all BoJ surface routes (`/.well-known/boj-node-pubkey`, `/health`, `/menu`, `/cartridges`, `/cartridge/:name`, `/cartridge/:name/invoke`, plus any added since contract v1.0 — re-verify against `BojRest.Router` at rollout time). +- [x] Gateway policy file in place: `config/gateway-policy-boj-example.yaml`, covering all BoJ surface routes (`/.well-known/boj-node-pubkey`, `/health`, `/menu`, `/cartridges`, `/cartridge/:name`, `/cartridge/:name/invoke`, `/cartridge/:name/sse`, plus any added since contract v1.0). Re-verified 2026-05-28 against `BojRest.Router`; the `POST /cartridge/:name/sse` route (router.ex line 130, wired since the SSE landing — ADR-0013 §6, STATE entry 2026-05-18) was the only drift since contract v1.0 and is now governed by the `cartridge-sse-post` rule alongside `cartridge-invoke-post`. The live policy file (`config/gateway-policy-boj.yaml`, per the example header) is still to be promoted from this example before §3.1. - [ ] Gateway has been smoke-tested in isolation with the policy, returning expected allow/deny on each route. ---