docs(integration): Phase E §1.4 prereq — BoJ-side observability spec (standards#100) #231
Merged
…(standards#100)
Adds `docs/integration/boj-side-observability-spec.md` declaring the
four telemetry events, the five Prometheus metric names, and the
`BojRest.Router` instrumentation sites that back the §4.2 BoJ-side
signals the rollout-runbook §3.1 success criteria require.
Until BoJ emits these metrics, the rollback trigger §5.1 row 4
("BoJ access logs show X-Trust-Level from non-loopback peers") is
unobservable via Prometheus — the only signal path is BoJ structured
logs, which the runbook §4 dashboards do not consume.
Coordinated edits:
- `gateway-observability-spec.md` §3: drop the `!OWNER:` scaffold
qualifier on the BoJ-side templates; anchor each to the sister
spec's normative metric names instead. Bump 0.1 → 0.2.
- `hcg-tier2-rollout-runbook.md` §1.4: add the BoJ-side observability
prereq as an explicit stop-the-rollout checkbox; add the new spec
to Appendix B cross-references. Bump 0.7 → 0.8.
The actual `mix.exs` + `application.ex` + `router.ex` wiring is a
follow-up PR per the spec's §7 checklist; landing the contract first
gives that PR an unambiguous target without committing to the
implementation in the same change.
Refs hyperpolymath/standards#91
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
🔍 Hypatia Security Scan
Findings: 218 issues detected
[
{
"reason": "Stale AI session file -- delete",
"type": "stale",
"file": "GEMINI.md",
"action": "delete",
"rule_module": "root_hygiene",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "missing_timeout_minutes",
"file": "scorecard-enforcer.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "Issue in scorecard-enforcer.yml",
"type": "scorecard_publish_with_run_step",
"file": "scorecard-enforcer.yml",
"action": "split_scorecard_publish_job",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in instant-sync.yml",
"type": "secret_action_without_presence_gate",
"file": "instant-sync.yml",
"action": "peter-evans/repository-dispatch",
"rule_module": "workflow_audit",
"severity": "high"
},
{
"reason": "Issue in codeql.yml",
"type": "codeql_missing_actions_language",
"file": "codeql.yml",
"action": "flag",
"rule_module": "workflow_audit",
"severity": "medium"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/academic-workflow-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/ephapax-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/bofig-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/fireflag-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
},
{
"reason": "TypeScript file detected -- banned language",
"type": "banned_language_file",
"file": "/home/runner/work/boj-server/boj-server/cartridges/sanctify-mcp/adapter/mod.ts",
"action": "flag",
"rule_module": "cicd_rules",
"severity": "critical"
}
]
Powered by Hypatia Neurosymbolic CI/CD Intelligence
Summary

Adds `docs/integration/boj-side-observability-spec.md` — the contract for the BoJ-side telemetry events and Prometheus metrics that the rollout-runbook §4.2 signals require, plus coordinated edits to the sister spec and the runbook.

The gap this closes: `gateway-observability-spec.md` §3 currently defers all BoJ-side templates to `!OWNER: scaffolded` qualifiers, because BoJ has zero telemetry today (`elixir/mix.exs` carries no Prometheus dep, `BojRest.Application` mounts no exporter, `BojRest.Router` emits no `:telemetry.execute/3` events). The rollout-runbook §3.1 success criterion 4 ("No `X-Trust-Level` mismatches in BoJ access logs") and rollback trigger §5.1 row 4 are consequently unobservable via Prometheus.

What lands

New spec — `docs/integration/boj-side-observability-spec.md` declares:
- `[:boj_rest, :router, :decision]`, `[:boj_rest, :router, :trust_level_present]`, `[:boj_rest, :http, :response]`, `[:boj_rest, :request, :received]`.
- `gateway-observability-spec.md` §3 PromQL templates expect.
- `BojRest.Router` instrumentation sites (§3) with `file:line` anchors against `elixir/lib/boj_rest/router.ex`.
- `mix.exs` dep (`:telemetry_metrics_prometheus_core ~> 1.2`), supervisor child, and new `BojRest.Telemetry` module the wiring PR adds (§4).
- `/metrics` exposure policy implication (§5): the new endpoint MUST be governed by a new `metrics-get` policy rule (internal+stealth-404) — leaking the BoJ scrape externally would defeat `stealth_profiles`. The `scripts/hcg-policy-smoke.sh` stealth canary list extends in the same wiring PR.

Sister spec edit — `gateway-observability-spec.md`:
- `!OWNER: scaffolded` qualifier; anchor templates to the new sister spec.

Runbook edit — `hcg-tier2-rollout-runbook.md`:

What does NOT land here

- `mix.exs` / `application.ex` / `router.ex` wiring. That's a follow-up PR following the spec's §7 checklist. Splitting the contract from the implementation lets the spec land independently and gives the wiring PR an unambiguous target.
- `Trustfile.a2ml` `tier_2_gateway` (still `PENDING`; flip is the last action per runbook §6.4).

Scope of edits

- `docs/integration/boj-side-observability-spec.md`
- `docs/integration/gateway-observability-spec.md`
- `docs/integration/hcg-tier2-rollout-runbook.md`

No code, no schemas, no policy YAML touched.

Test plan

- `bash scripts/hcg-surface-drift-check.sh` — passes (router/policy coverage unchanged).
- `bash scripts/hcg-spec-coverage-check.sh` — passes (openapi/policy coverage unchanged).
- `.claude/CLAUDE.md`).

Channel discipline

Phase E is multi-PR by construction (#226, #228, #229, #230, hcg#38 are prior Phase E slices, none of which closed #100). Per runbook §6.5 (and the channel brief) `standards#100` is joint-close-only by the owner. This PR therefore uses `Refs` not `Closes` — same convention as the in-flight Phase E PR set.

Refs hyperpolymath/standards#91
Refs hyperpolymath/standards#100
🤖 Generated with Claude Code
Generated by Claude Code
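
Until BoJ exports the metrics described above, the rollback trigger ("BoJ access logs show X-Trust-Level from non-loopback peers") can only be evaluated against BoJ structured logs. The following is an added example of that check, not code from this PR or the BoJ project; the JSON log shape (`ts`, `peer`, `headers`) and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import json

# Constructed sample lines; the field names ("ts", "peer", "headers") are
# assumptions for this example, not BoJ's real log schema.
SAMPLE_LOG = """\
{"ts":"2025-01-01T00:00:01Z","peer":"127.0.0.1","headers":{"x-trust-level":"2"}}
{"ts":"2025-01-01T00:00:02Z","peer":"10.0.4.17","headers":{"X-Trust-Level":"3"}}
{"ts":"2025-01-01T00:00:03Z","peer":"::ffff:127.0.0.1","headers":{"x-trust-level":"2"}}
{"ts":"2025-01-01T00:00:04Z","peer":"203.0.113.9","headers":{}}
{"ts":"2025-01-01T00:00:05Z","peer":"[::1]:41822","headers":{"x-trust-level":"1"}}
not json at all
{"ts":"2025-01-01T00:00:06Z","peer":"unknown","headers":{"x-trust-level":"3"}}
"""

def is_loopback_peer(peer):
    """True only if peer parses as a loopback address; unparseable peers fail closed."""
    host = peer.strip()
    if host.startswith("["):                  # bracketed IPv6 with port: "[::1]:41822"
        host = host[1:].split("]", 1)[0]
    elif host.count(":") == 1:                # IPv4 with port: "127.0.0.1:41822"
        host = host.split(":", 1)[0]
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    mapped = getattr(addr, "ipv4_mapped", None)   # "::ffff:127.0.0.1" -> 127.0.0.1
    return (mapped if mapped is not None else addr).is_loopback

def find_violations(lines):
    """Return (violations, unparsed) for entries with X-Trust-Level from a non-loopback peer."""
    violations, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
            headers = {k.lower(): v for k, v in entry["headers"].items()}
            peer = str(entry["peer"])
        except (ValueError, KeyError, AttributeError, TypeError):
            unparsed += 1                     # count, so log gaps are visible too
            continue
        if "x-trust-level" in headers and not is_loopback_peer(peer):
            violations.append((entry.get("ts"), peer, headers["x-trust-level"]))
    return violations, unparsed

if __name__ == "__main__":
    hits, bad = find_violations(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} violation(s), {bad} unparsed line(s):", hits)
```

Header names are compared case-insensitively, and a peer that cannot be parsed is treated as non-loopback so a malformed log field cannot hide a mismatch.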