Phase A — http-capability-gateway↔BoJ contract, policy workflow, example spec#74

Closed
hyperpolymath wants to merge 3 commits into main from phase-a/hcg-contract

Conversation

@hyperpolymath

Owner

Phase A — Contract Definition (weeks 1–2)

First materially-advancing PR of the http-capability-gateway tier-2 wiring
programme. Delivers all three Phase A artefacts from
docs/integration/http-capability-gateway-plan.md. Documentation only — no
gateway or BoJ code changed; the build is unaffected (plan acceptance
criterion: "No code changes to gateway or BoJ gnosis handler").

Deliverables

  • A1 docs/integration/http-capability-gateway-boj-contract.md — the
    normative gateway↔BoJ HTTP contract. Resolves the Phase A transport
    indecision risk (staging = TCP loopback :7700; production = Unix socket
    preferred, TCP fallback), enumerates the forwarded-header set, and states
    the X-Trust-Level trusted-proxy invariant as RFC-2119 MUSTs handed to
    Phase C as seam-test obligations. Fail-closed error/circuit-breaker
    semantics documented.
  • A2 docs/integration/http-capability-gateway-policy-workflow.md — where
    the Verb Governance Spec lives (config/gateway-policy.yaml, this repo),
    the authorship + review + openapi-coupling gate, the validation procedure,
    the k9-svc rolling-redeploy hot-reload path, and the global_verbs
    default-public sharp edge with BoJ's default-deny mitigation.
  • A3 config/gateway-policy-boj-example.yaml — a DSL v1 worked example
    derived route-by-route from docs/specification/openapi.yaml, conforming
    to the schema in the integration audit §2. Example/fixture only; no service
    loads it.

Scope note

This session's GitHub tool scope is restricted to hyperpolymath/boj-server
and hyperpolymath/http-capability-gateway; hyperpolymath/standards is not
reachable from here, so the standards issues could not be read or commented
on directly. Phase A lands entirely in boj-server per the plan, so the work
itself is unaffected; the issue references below are recorded for tracking.

Refs hyperpolymath/standards#91
Closes hyperpolymath/standards#96

🤖 Generated with Claude Code


Generated by Claude Code

…xample Verb Governance Spec

Phase A of the http-capability-gateway tier-2 wiring programme
(ADR 0004 / docs/integration/http-capability-gateway-plan.md).

A1: docs/integration/http-capability-gateway-boj-contract.md — the
    normative HTTP contract between the gateway (front) and BoJ's
    unified Zig API gnosis handler (back): transport, port allocation,
    forwarded headers, the X-Trust-Level trusted-proxy invariant, and
    error/circuit-breaker semantics.
A2: docs/integration/http-capability-gateway-policy-workflow.md —
    the Verb Governance Spec authoring, review, load, and hot-reload
    workflow.
A3: config/gateway-policy-boj-example.yaml — a DSL v1 example policy
    derived from docs/specification/openapi.yaml, conforming to the
    schema documented in the integration audit §2.

Documentation only. No gateway or BoJ code changed; the example
policy is not loaded by any running service. Build is unaffected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@hyperpolymath hyperpolymath marked this pull request as ready for review May 18, 2026 04:29
@github-actions

🔍 Hypatia Security Scan

Findings: 28 issues detected

Severity Count
🔴 Critical 17
🟠 High 4
🟡 Medium 7

⚠️ Action Required: Critical security issues found!

View findings
[
  {
    "reason": "Stale AI session file -- delete",
    "type": "stale",
    "file": "GEMINI.md",
    "action": "delete",
    "rule_module": "root_hygiene",
    "severity": "medium"
  },
  {
    "reason": "Issue in quality.yml",
    "type": "missing_workflow",
    "file": "quality.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "Issue in security-policy.yml",
    "type": "missing_workflow",
    "file": "security-policy.yml",
    "action": "create",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Action hyperpolymath/standards/.github/workflows/governance-reusable.yml@main needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "high"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  },
  {
    "reason": "TypeScript file detected -- banned language",
    "type": "banned_language_file",
    "file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
    "action": "flag",
    "rule_module": "cicd_rules",
    "severity": "critical"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

…ntion)

The estate repo-structure governance gate rejects a new top-level
`config/` directory: boj-server's established convention is the
existing `configs/` (plural) directory (see configs/config.ncl). The
integration plan named the path `config/` (singular); this adapts to
the real tree per the plan's documented Phase A "surface drift" risk.

- configs/gateway-policy-boj-example.yaml (was config/...)
- doc references in the A1 contract and A2 workflow updated to configs/
- A2 §1 gains an explicit path note recording the plan-vs-repo
  correction

Documentation only; no code changed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Owner Author

Scope/attribution note (automated CI triage).

This PR is documentation-only: two Markdown files under docs/integration/ and one example YAML. It adds no .ts, package.json, or workflow files.

None of the 28 Hypatia findings are introduced by this PR — all are pre-existing, repo-wide conditions that report on every PR and would fail identically on main:

  • GEMINI.md, removed quality.yml/security-policy.yml (intentionally consolidated per .github/workflows/governance.yml's own header), and the @main-pinned governance-reusable.yml — all pre-existing root/CI state, untouched here.
  • The 6 banned_language_file criticals are pre-existing cartridges/*/adapter/mod.ts adapters, out of scope for this Phase A documentation lane.

The one diff-attributable nit — a stray top-level config/ directory not matching the repo's existing configs/ convention — has been fixed in 91f8410 (moved to configs/, doc references updated). The governance / Language / package anti-pattern policy gate appears to fail on the pre-existing TypeScript cartridge adapters, not on anything in this diff; that is a pre-existing repo-wide red and is not addressed here.

🤖 Generated with Claude Code


Generated by Claude Code
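
An added example, not part of this thread or of the project's tooling: one way to do the attribution described in the triage comment above, by normalising each finding's path and comparing it against the files the PR changes. The sample findings are constructed in the shape of the Hypatia report (the `hypothetical_rule` entry is invented to show a positive match), and the workspace prefix is an assumption taken from the paths in that report.

```python
import json
from pathlib import PurePosixPath

# Constructed sample: three findings in the shape of the Hypatia report above,
# plus one hypothetical finding that does land on a changed file.
FINDINGS = json.loads("""[
  {"type": "stale", "file": "GEMINI.md", "severity": "medium"},
  {"type": "unpinned_action", "file": "governance.yml", "severity": "high"},
  {"type": "banned_language_file",
   "file": "/home/runner/work/boj-server/boj-server/cartridges/hesiod-mcp/adapter/mod.ts",
   "severity": "critical"},
  {"type": "hypothetical_rule",
   "file": "/home/runner/work/boj-server/boj-server/configs/gateway-policy-boj-example.yaml",
   "severity": "medium"}
]""")

# Files this PR changes, as named in the PR description and follow-up commit.
CHANGED = {
    "docs/integration/http-capability-gateway-boj-contract.md",
    "docs/integration/http-capability-gateway-policy-workflow.md",
    "configs/gateway-policy-boj-example.yaml",
}

# Assumption: the CI runner checks the repository out under this prefix.
WORKSPACE = "/home/runner/work/boj-server/boj-server/"


def repo_relative(path: str) -> str:
    """Strip the CI workspace prefix so paths compare against the diff."""
    if path.startswith(WORKSPACE):
        path = path[len(WORKSPACE):]
    return str(PurePosixPath(path))


def attribute(findings, changed):
    """Split findings into those on changed files and pre-existing ones."""
    changed_names = {PurePosixPath(c).name for c in changed}
    introduced, preexisting = [], []
    for f in findings:
        rel = repo_relative(f["file"])
        # Some findings carry only a bare file name; match those on basename.
        hit = rel in changed or ("/" not in rel and rel in changed_names)
        (introduced if hit else preexisting).append({**f, "file": rel})
    return introduced, preexisting


introduced, preexisting = attribute(FINDINGS, CHANGED)
print("diff-attributable:", [f["file"] for f in introduced])
print("pre-existing:", [(f["severity"], f["file"]) for f in preexisting])
```
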

Owner Author

Programme coordination — http-capability-gateway tier-2 wiring (Refs hyperpolymath/standards#91)

A second programme session checked the channel and is standing down for this run to avoid duplication. Status:

Next action: once #74's CI is green and the branch is updated against main, it can be squash-merged to close standards#96; the next session then advances Phase B (#97 — mTLS primary X-Trust-Level path).

Scope note: hyperpolymath/standards is outside this session's GitHub tool scope, so the canonical progress comment could not be posted on standards#91 directly — recording it here on the Phase A PR instead.

🤖 Generated with Claude Code


Generated by Claude Code

@hyperpolymath hyperpolymath enabled auto-merge (squash) May 18, 2026 07:45
@hyperpolymath

Owner Author

Superseded by #78 (commit b733860), the canonical Phase A — http-capability-gateway↔BoJ contract + policy authoring workflow + example spec — already merged to main on 2026-05-18. This PR is an earlier draft of the same deliverable: it carries the pre-rename policy-workflow.md (renamed to policy-authoring.md in #78), a stray duplicate configs/ directory, and an older contract revision. Merging it would regress main. Closing as superseded; HCG Phase A is complete per the standards#91 lane (next: #97 mTLS).

auto-merge was automatically disabled May 18, 2026 10:06

Pull request was closed

@hyperpolymath hyperpolymath deleted the phase-a/hcg-contract branch May 18, 2026 10:06
@github-actions

🔍 Hypatia Security Scan

Findings: 28 issues detected

Severity Count
🔴 Critical 17
🟠 High 4
🟡 Medium 7

⚠️ Action Required: Critical security issues found!

Powered by Hypatia Neurosymbolic CI/CD Intelligence


Successfully merging this pull request may close these issues.

Phase A — Contract definition + policy-authoring workflow + example Verb Governance Spec
