The Pitch
Choco HQ’s critical path just cleared its biggest spec-level blocker. Blocks C and E — the API gateway and auth stack — went from zero issues to 16 implementation-ready tickets in a single session, each traced back to OpenAPI specs, Protobuf contracts, and acceptance criteria. The three P1 security gaps that were flagged as enterprise adoption blockers now have scoped issues with checkboxes, not just requirements in a document.

Key Messages

For engineering: The gateway routes 8 downstream services through a 6-layer middleware chain. Auth enforces a 6-role RBAC hierarchy with TOTP 2FA. Every issue references the exact proto RPC, OpenAPI path, and requirement ID — no ambiguity about what “done” looks like.

For security/compliance: GAP-001 (2FA/MFA), GAP-002 (SAST/DAST), and GAP-003 (DDoS) are no longer open items in a rebaseline doc. They’re tracked issues in their respective block projects with testable acceptance criteria. The auth audit trail covers 23 event types including login failures, permission denials, and 2FA setup.

For product: The three subscription tiers (Dark/Milk/White) are now enforced at two layers — Cloudflare edge and gateway Redis — with standard rate limit headers on every response. Enterprise customers get 10K req/min with full gRPC access; free tier gets 100 req/min REST-only.

What’s Live
- Block C: 8 issues filed in choco-gateway + zero-point (Project #8)
- Block E: 6 issues filed in choco-auth + choco-gateway (Project #9)
- GAP-001: 2FA/MFA issue in Block E with TOTP, backup codes, admin enforcement
- GAP-002: SAST/DAST issue in Block H with Semgrep, gosec, OWASP ZAP
- GAP-003: DDoS protection issue in Block A with Cloudflare WAF + edge rate limiting
- Schema drift caught: Proto defines 6 RBAC roles; DB migration had 4 — flagged for migration before any code is written
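The gateway-layer half of the tier enforcement described under "For product", written here as an added illustration rather than code from choco-gateway. The enterprise (10K req/min, gRPC) and free (100 req/min, REST-only) quotas come from the page; the map keys, the middle tier's quota, the in-memory map standing in for the Redis counters, and the IETF httpapi draft header names (RateLimit-Limit/-Remaining/-Reset) are assumptions.

```go
package main

import (
	"net/http"
	"strconv"
	"sync"
	"time"
)

type Tier struct {
	PerMinute  int  // requests per minute
	AllowsGRPC bool // false means REST-only
}
// Enterprise (10K/min, gRPC) and free (100/min, REST-only) follow the page;
// the map keys and the middle tier's quota are assumptions.
var Tiers = map[string]Tier{
	"enterprise": {10000, true},
	"standard":   {1000, false}, // assumed quota
	"free":       {100, false},
}
// Limiter: fixed-window counter per API key and minute; in-memory stand-in for Redis.
type Limiter struct {
	mu     sync.Mutex
	counts map[string]int
}
func NewLimiter() *Limiter { return &Limiter{counts: map[string]int{}} }

// Gate: 403 for gRPC on a REST-only tier; otherwise count the request, set the
// RateLimit-* headers (IETF httpapi draft names) and return 429 plus Retry-After over quota.
func (l *Limiter) Gate(key string, t Tier, isGRPC bool, now time.Time, h http.Header) int {
	if isGRPC && !t.AllowsGRPC {
		return http.StatusForbidden
	}
	l.mu.Lock()
	k := key + ":" + strconv.FormatInt(now.Unix()/60, 10) // one counter per key per minute
	l.counts[k]++
	n := l.counts[k]
	l.mu.Unlock()
	reset := strconv.Itoa(int(60 - now.Unix()%60)) // seconds until the window rolls
	h.Set("RateLimit-Limit", strconv.Itoa(t.PerMinute))
	h.Set("RateLimit-Reset", reset)
	if n > t.PerMinute {
		h.Set("RateLimit-Remaining", "0")
		h.Set("Retry-After", reset)
		return http.StatusTooManyRequests
	}
	h.Set("RateLimit-Remaining", strconv.Itoa(t.PerMinute-n))
	return http.StatusOK
}
```

A fixed window lets a client burst up to twice the quota across a window boundary; the Cloudflare edge layer the page describes is the place to absorb that before it reaches the gateway counters.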