governance: add dynamic tool controls and gateway ingest

[davidahmann]

Problem

Gait needed fail-closed governance for dynamic/unknown tool surfaces and stronger runtime safety at resume boundaries.

Changes

• Added classification-first policy matching for unknown tools:
  • rule matchers for endpoint_class, discovery_method, and tool_annotations
  • explicit default action handling for unmatched tools
  • schema + CLI type updates to support first-class annotation criteria
• Added MCP gateway integration ingest mode:
  • new gait gateway ingest --source [kong|docker|mintmcp] --log-path <path> command
  • new core/gateway ingest pipeline that normalizes access logs and emits deterministic policy enforcement proof records
• Added policy re-evaluation and identity revalidation on job resume:
  • resume path reloads current policy and revalidates identity before continuation
  • emits proof/journal evidence for policy version transition and identity status
• Updated MCP intent plumbing so ToolAnnotations are preserved and matchable for policy enforcement.
• Upgraded github.com/Clyra-AI/proof dependency to v0.4.4.
• Updated docs and schemas to reflect new policy and runtime behavior.

Validation

• gait doctor --json
• make prepush-full
• make test-uat-local

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b36198795f

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Preserve bound identity on resume

The resume path currently allows callers to replace a job's previously bound identity by passing a different --identity, because it unconditionally writes state.Identity = identity when a non-empty value is provided. This lets a revoked identity be bypassed by swapping in a new identity at resume time (for example, job was submitted as agent.alice, revocation list blocks agent.alice, caller resumes with agent.bob), which defeats the intended identity revalidation control.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Default missing discovery method to unknown

normalizeDiscoveryMethod returns an empty string when discovery_method is omitted, so rules matching discovery_method: [unknown] never match intents that don't explicitly set this field. In practice many adapters omit discovery metadata, so a policy that tries to explicitly catch unknown tools via unknown can be silently bypassed and fall back to the default verdict instead.

Useful? React with 👍 / 👎.