Gateway Policies
auth
Public-safe read calls can be described and validated. Mutating/protected downstream calls require PLATPHORM_API_KEY.
secretHandling
PLATPHORM_API_KEY is never forwarded unless a trusted target operation explicitly requires and allows it.
tracePropagation
traceparent, tracestate, X-PlatPhorm-Trace-Id, X-PlatPhorm-Span-Id, X-PlatPhorm-Request-Id
ja4Digest
capture when present, hash/redact for public summaries, never expose raw values publicly
trustedTargets
*.platphormnews.com, mcp.platphormnews.com, *.ph3ar.com
blockedTargets
localhost, private-ip-ranges, 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, link-local, metadata-services, metadata services, file://, ftp://, gopher://, URLs with embedded credentials, untrusted external domains, redirects to blocked targets
secretForwarding
PLATPHORM_API_KEY is never forwarded unless a trusted target operation explicitly requires and allows it.
publicReadProxy
Only public discovery artifacts and read-only MCP methods are eligible for public proxying.
protectedProxy
Mutating/protected proxying requires PLATPHORM_API_KEY and remains degraded until target-specific audit and circuit breaker policy is configured.