feat(platform): add phase6 durable store rbac contracts

[ActiveInAI]

Summary

Adds Phase 6 durable store boundary, runtime context, RBAC guards, tenant/project isolation, smoke coverage, frontend API Lab context headers, OpenAPI contracts, and handoff documentation.

Scope

• Adds runtime request context with tenant, project, actor, roles, request id, and correlation id.
• Adds permission guard skeleton for generation, artifact, registry, viewer command, and knowledge operations.
• Hardens generation, artifact, registry, knowledge source, and viewer command flows through context and RBAC checks.
• Preserves in-memory store boundary while preparing durable store replacement points.
• Adds deterministic pagination and cross-tenant/project isolation tests.
• Updates OpenAPI with context headers, 403 response, RequestContext, PermissionDecision, RuntimeStoreCapabilities, and examples.
• Updates API Lab to send context headers and display 403 errors.
• Adds smoke-rbac.sh and shared context smoke support.
• Adds Phase 6 handoff docs.

Validation

• cargo fmt --all -- --check
• cargo clippy --all-targets --all-features -- -D warnings
• cargo test --all-targets --all-features
• cargo build --release --bin insomeos-gateway
• npx --yes @redocly/cli@2.30.0 lint openapi.yaml
• npx --yes @openapitools/openapi-generator-cli@2.23.0 generate -i openapi.yaml -g typescript-fetch -o /tmp/architoken-sdk-ts
• ./scripts/smoke-all.sh
• bun run lint
• bun run typecheck
• bun run test
• bun run build
• git diff --check

OpenAPI

Redocly passes with 1 existing localhost dev server warning.

Boundary

Still in-memory skeleton. No real model API, no DB migration, no infra change, no proprietary loader/SDK/EXE.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 4e9e42b2c7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Normalize profile names before selecting runtime profile

Treating INSOMEOS_PROFILE as case-sensitive here means values like PRODUCTION or Production fall into the default Development branch, which re-enables weak fallback (dev-tenant/dev-project/dev-actor/admin) and accepts missing runtime context in production deployments. Any environment that sets uppercase/mixed-case profile names will silently bypass the stricter Phase 6 RBAC/context requirements.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Accumulate repeated roles query parameters

This parser overwrites input.roles on each roles occurrence instead of accumulating values, so a request like ?roles=engineer&roles=reviewer ends up with only the last role. That yields incorrect permission decisions for clients using repeated query params (which your role parsing API explicitly supports), producing unexpected 403s or missing intended privileges.

Useful? React with 👍 / 👎.