Cross-Runtime Integration Demo

Policy-first · Eval-second · chains Admin Policy Engine (Phase 2a) and Feature Flags Service (Phase 2a+) in the browser

Local / Dev only

This is a DEMO page · not a backend service. The browser calls two already-running A-owned local services sequentially: first POST /api/policy/sensitive/check (or GET /access/check), and only if that returns allow does it call GET /api/flags/eval. No auth · no audit sink · no mutation · no persistence. If either service is not running, the panel below surfaces a connection error honestly.
Start each service with bash docs/runtime/admin-control-plane-service/run.sh (port 8090) and bash docs/runtime/feature-flags-service/run.sh (port 8080).

Flow overview

Step 1 · Local Derive sensitivity registry.json lookup

→

Step 2 · Policy Policy precheck POST /api/policy/sensitive/check
GET /api/policy/access/check

→

Step 3 · Flags Flag eval (gated) GET /api/flags/eval

Service base URLs

A · Admin Policy Engine POST /api/policy/sensitive/check · GET /api/policy/access/check

unknown · click Check

B · Feature Flags Service GET /api/flags/eval · POST /api/flags/eval/batch

unknown · click Check

Request context

Presets:

flag_key actor_role actor_user_id actor_tenant_id target_tenant_id target_user_id requested_action tier env approval_refs (comma-sep) now_iso (optional pin)

Sensitivity profile

sensitive_flag

—

requires_approval

—

rollout_stage

—

precheck required

—

Policy + Flag panels

A · Policy precheck

not run —

Run the chain to see the policy decision · reasons · required approvers · approval matrix row · trace.

B · Flag eval

not run —

Runs only if the policy precheck returns allow or is skipped for non-sensitive flags.

Combined result

—

Awaiting input · pick a preset or fill the form above

can_proceed_to_eval · flag_eval_status · policy_gate_status

Combined trace will appear here after the chain runs.

⚠ Honest limits · what this demo deliberately does NOT do

Item	Status	Why deferred	Next logical phase
JWT / IdP verification	`deferred`	IdP integration out of scope · dev headers only	Admin Phase 2b + FF Phase 2b
Approval store backing	`deferred`	approval_refs trusted as-presented · no Postgres	Admin Phase 2b
Flag flip / transition API	`deferred`	eval-only · no mutation path	FF Phase 2c
WORM audit sink (ptt.audit.trail)	`deferred`	Kafka topic + producer not wired	Admin Phase 2b+
Redis cache / pubsub invalidation	`deferred`	cache layer not built	FF Phase 2a+ infra
Production auth	`deferred`	dev-mode only · localhost binding	Phase 2b
Admin mutation UI / Kanban	`deferred`	decision service does not mutate	Admin Phase 3
Real rollout persistence	`deferred`	registry.json file-backed only	FF Phase 2c
Server-side orchestrator service	`not attempted`	browser chain sufficient for demo	when gateway layer consolidates