Cross-Runtime Integration 13 · Policy-first · Eval-second · integration surface between Admin Phase 2a + FF Phase 2a+

Phase statement ข้อกำหนดเฟส

Phase 2a + 2a+ of Admin and Feature Flags respectively have produced two runnable decision services. Each contract is clear in isolation but operators cannot see how they compose. This phase delivers a single page that wires both services together in the exact order they should be consumed — policy-first, then eval — with honest trace and honest deferred items. It does not open new runtime capability; it makes the existing capability legible.

Route rationale เหตุผลของ path

Per docs/planning/ia-governance.json:

· /runtime/* is A-owned · debug / scaffolding / integration surfaces belong here → chose /runtime/cross-runtime-integration/.
· /planning/* is A-owned · RFC / design / rationale belongs here → this page lives at /planning/cross-runtime-integration.html.
· Dashboard is a reserved naming term (hard rule #5) — this page uses "Integration Demo", not Dashboard.
· Main console stays at 6 top-level buttons (soft cap) → discoverability for this demo is via Index Portal + back-links from the 3 sibling surfaces.

IA rationale เหตุผลเชิง IA

The demo is a third-party consumer of the two services, not a fourth service. It intentionally stays at the "preview / debug / scaffolding" tier of the IA owner matrix (Runtime Phase Pack) and does not promote to Admin Portal, App, or a new sub-portal. When a production surface eventually wants to consume both services, the orchestration rules shown here (policy-first · eval-second · short-circuit on deny) become the reference sequence for middleware.

A-owned vs B-owned boundary เส้นแบ่ง ownership

File / route	Owner	Role in this demo
`docs/runtime/cross-runtime-integration/*`	A	new · demo surface + README + contract
`docs/planning/cross-runtime-integration.html`	A	new · this rationale
`docs/runtime/admin-control-plane-service/*`	A	unchanged · service consumed over HTTP
`docs/runtime/feature-flags-service/*`	A	unchanged · service consumed over HTTP
`docs/runtime/admin-control-plane/*.json`	A	unchanged · Phase 1 models loaded by policy service
`docs/runtime/feature-flags/registry.json`	A	unchanged · fetched by the demo page to derive sensitivity profile
`docs/kb/data/approval_matrix.json`	B	read-only · policy service references `row-sensitive-override`
`docs/kb/data/tenant_scope.json`	B	read-only · referenced via policy engine contract
`docs/kb/data/publish_workflow.json`	B	read-only · referenced via rollout_model

No B-owned file is written or reinterpreted by this phase. Cross-tenant write workflows are explicitly out of scope.

Input files ไฟล์ที่ demo ใช้

/runtime/admin-control-plane-service/policy_contract.json7 endpoints · envelope · engine_version

/runtime/admin-control-plane/access_policy.jsonmasked-by-default · 8 precedence rules

/runtime/admin-control-plane/role_registry.json12 roles · 4 categories

/runtime/admin-control-plane/assist_model.jsonview-as + assist modes · forbidden patterns

/runtime/feature-flags-service/http_contract.json4 endpoints · envelope · evaluator_version

/runtime/feature-flags/registry.json16 flags · 7 sensitive · 14 requires_approval

/runtime/cross-runtime-integration/demo_contract.jsonnew · orchestration contract for this demo

Orchestration sequence ลำดับการประสานงาน

Step A · Policy precheck

1. Derive sensitivity from registry.flags[].sensitive_flag / requires_approval
2. If sensitive → POST /api/policy/sensitive/check
3. Else if requires_approval → GET /api/policy/access/check
4. Else → skip (non-sensitive · non-gated)

→

Step B · Flag eval (gated)

5. Run only if policy allow OR skipped
6. GET /api/flags/eval?key=…
7. Surface evaluator trace verbatim
8. Render combined result + honest limits

// Browser page · policy-first · eval-second
sequence:
  browser → registry.json           // step 1 · local lookup
  browser → policy_service step 2
    POST /api/policy/sensitive/check   // sensitive flag path
      OR
    GET  /api/policy/access/check      // requires_approval (not sensitive) path
  policy_service → browser
    response: {decision, reasons, required_approvers, approval_matrix_row, trace}
  IF decision != allow → SHORT-CIRCUIT · skip step 3
  browser → flags_service    step 3 (only if allowed)
    GET /api/flags/eval?key={flag_key}&user={actor_user_id}&…
  flags_service → browser
    response: {value, source, stage, bucket, trace, evaluator_version}
  browser combines into single view step 4
    {policy_gate_status, can_proceed_to_eval, flag_eval_status, policy_result, flag_result, combined_trace, honest_limits}

Status labeling การติดป้ายสถานะ

· Runtime surface /runtime/cross-runtime-integration/ → Live (demo · local/dev only)
· Planning surface /planning/cross-runtime-integration.html → Live (v1 · this page)
· Each deferred item is explicitly labeled deferred — see the deferred matrix below and in the demo page itself
· No "production-ready" · "fully integrated" · "completed end-to-end" wording appears anywhere

Discoverability impact ผลกระทบต่อ discoverability

· New Index Portal entry idx-runtime-cross-integration at 04.04.00.00 (runtime tab)
· New planning entry idx-planning-cross-integration at 03.13.00.00
· 2 appendix entries (README + demo_contract) in runtime_artefacts group
· Back-links from /runtime/feature-flags-service/service.html, /runtime/admin-control-plane-service/service.html, and this planning page
· Fulltext index rebuilt to include the new surfaces
· No new main-console button (IA soft cap preserved)
· No new Operations Portal button (6 Ops sub-entries remain stable)

Deferred matrix รายการที่ยังไม่ทำ

Item	Deferred	Why	Next logical phase
JWT / IdP	`yes`	IdP integration out of scope for demo	Admin 2b + FF 2b
Approval store backing	`yes`	approval_refs trusted at face value	Admin 2b
Flag transition / flip API	`yes`	mutation path not scaffolded	FF 2c
Audit write / WORM sink	`yes`	Kafka `ptt.audit.trail` topic + producer not wired	Admin 2b+
Redis / cache invalidation	`yes`	cache layer deferred	FF 2a+ infra
Production auth	`yes`	dev-mode `X-PTT-*` only	Phase 2b
Admin mutation UI	`yes`	decision-only model	Admin 3
Real rollout persistence	`yes`	registry.json file-backed only	FF 2c
Server-side orchestration service	`not attempted`	browser chain sufficient for demo	gateway consolidation

Definition of Done · this demo only เกณฑ์จบของ demo นี้เท่านั้น

Done when:

Both services runnable locally · the demo page actually calls them in sequence
At least 2 canonical paths visible: DENY (sensitive no approval) + ALLOW (non-sensitive or approval-ref held)
Combined trace shows real POLICY/ and FLAGS/ lines from the two services verbatim
If either service is down, the page surfaces an error banner — no silent success
Demo contract + README + planning page exist; all deferred items explicit in UI + docs
New surfaces findable via Index Portal by cross runtime, runtime integration, policy first, eval second, orchestration demo, 04.04.00.00, 03.13.00.00
No B-owned file mutated · no reinterpretation of B contracts
No main-console button added · no Ops-portal button added · IA soft cap preserved

What this demo is NOT สิ่งที่ demo นี้ไม่ใช่

Explicit disclaimers:

Not a production runtime · not a full integration layer · not middleware
Not a new backend · no Python/Node process is added
Not an approval flow · approvals are inputs, not outputs
Not an admin console · no mutation surfaces anywhere
Not a flag flip tool · eval-only
Not a WORM / audit pipeline · stdout logs only per service
Not a cross-tenant write gateway · scopes respected from policy engine verbatim
Not a replacement for JWT · dev-mode headers only

Planning · Cross-Runtime Integration · v1 · 2026-04-19 · A-owned

→ Runtime demo · demo_contract.json · README.md · Admin planning · FF planning · IA Governance