From 87dbc421cd26f6c26d624e46db22fc7bd89af196 Mon Sep 17 00:00:00 2001
From: Egutierrez <egutierrez@dead.dd>
Date: Sun, 7 Jun 2026 12:49:19 +0200
Subject: [PATCH] chore(flags): flip bus-auth to enforce and bus-tls on (target
 state)

Declares the project's target rollout: bus-auth enforce, bus-tls enabled.
Flags are declarative; the operator activates them at deploy via membershipd
--bus-auth/--tls-cert/--tls-key. CLI defaults stay off so dev and tests run
unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 dev/feature_flags.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/dev/feature_flags.json b/dev/feature_flags.json
index 3027207..8fc10d1 100644
--- a/dev/feature_flags.json
+++ b/dev/feature_flags.json
@@ -1,19 +1,19 @@
 {
   "flags": {
     "bus-auth": {
-      "enabled": false,
-      "state": "off",
+      "enabled": true,
+      "state": "enforce",
       "issue": "0001",
-      "description": "Signed control-plane auth + NATS nkey auth. Rollout: off -> soft (verify+log, allow) -> enforce (reject). 'enabled' mirrors state!=off.",
+      "description": "Signed control-plane auth + NATS nkey auth. Rollout: off -> soft (verify+log, allow) -> enforce (reject). 'enabled' mirrors state!=off. Server opts in via membershipd --bus-auth; clients via client.Connect(caPath).",
       "added": "2026-06-07",
-      "enabled_at": null
+      "enabled_at": "2026-06-07"
     },
     "bus-tls": {
-      "enabled": false,
+      "enabled": true,
       "issue": "0001",
-      "description": "TLS on the NATS data plane using the project's self-signed CA (deploy/tls/). When enabled the server presents its cert and clients pin the CA.",
+      "description": "TLS on the NATS data plane using the project's self-signed CA (deploy/tls/). Server opts in via membershipd --tls-cert/--tls-key; clients pin ca.crt via client.Connect(caPath).",
       "added": "2026-06-07",
-      "enabled_at": null
+      "enabled_at": "2026-06-07"
     }
   }
 }