Add the run_id and manifest contract doc, reserve the reports/releases tree, record the decision in the execution log, and annotate the four release scripts with their planned manifest-based inputs.
Add the cross-service contract gate documentation, create the Phase 1 checklist, wire explicit contract-gate design slots into backend-verify and repo integrity scripts, and mark P1-D complete in the plan.
Add explicit rollback conditions and the compatibility-window README/ADR draft, record the rollback target in the execution log, and mark P1-C-07 and P1-C-08 complete in the plan.
Add the auth implementation convergence notes for gateway and supply-api, record the agreed rollout strategy in the execution log, and mark P1-C-01 through P1-C-06 complete in the master plan.
Add the token runtime schema alignment notes, record the keep-and-thread-through decision in the execution log, and mark P1-B analysis tasks complete in the master plan.
Update the supply-api and platform-token-runtime READMEs to reflect the single token authority model, record the changes in the execution log, and mark P1-A-07 and P1-A-08 complete in the master plan.
Record the OpenAPI vs canonical principal gap, add tenant_id to the introspection response contract, and make the gateway README explicit that non-dev environments must use remote introspection.
Record the current identity entry points in the execution log and update the minimal token runtime spec with a single authority rule and canonical principal fields. Mark P1-A-01 through P1-A-03 complete in the optimization plan so subsequent batches can continue from the verified baseline.
- Remove fabricated etcd/Kafka/AWS issues from TEST_ENVIRONMENT_ISSUES.md
(codebase contains zero references to these dependencies)
- Add Kafka/etcd/CloudWatch clarification: early design docs discuss
these but actual implementation uses none of them
- Add getEnvInt() for GATEWAY_PORT env variable support
- Add devtest stack scripts for local development
- Update verification report and repair plan status
- Expand TEST_ENVIRONMENT_ISSUES.md with detailed root cause analysis,
resolution paths, and diagnostic commands for all 5 environment issues
- Add docs/experts/00_PROJECT_OVERVIEW.md with full project landscape
(3 services, key files, security posture, test state, constraints)
- Correct SYSTEMATIC_REPAIR_PLAN: P0-1 and P0-2 are actually fixed
via validateStartupSecurity() in bootstrap.go (not residual issues)
- All P0/P1 fixes confirmed verified against source code
Return explicit errors from AlertAPI construction instead of panicking inside the library layer, and let main own process-level failure handling.
Also delete the unused config.MustLoad helper and lock the supported config loading paths with tests.
Add a single current machine-review source policy to active review and planning docs.
Mark legacy tok007 references as historical snapshots and point executable examples at the current review draft.
Rewrite module READMEs around the current verified run and test paths, tighten repo_integrity_check.sh with fact-source checks, update supply-api migration baseline, and remove the platform-token-runtime audit query placeholder response.
Add design, review, and production-readiness documents for the April remediation cycle.\nInclude supporting SQL and supply-api operational design notes so review conclusions and implementation guidance stay versioned together.
Finalize the audit design notes, record the token auth naming alignment, and refresh the 2026-04-11 gate snapshots against the latest stage validation evidence. The metrics snapshot intentionally keeps M-018 as FAIL because PHASE-07 remains deferred.
