From ddc6cabc2447123697ce6332285a07fd7b558b24 Mon Sep 17 00:00:00 2001
From: Egutierrez <egutierrez@dead.dd>
Date: Sun, 7 Jun 2026 12:23:23 +0200
Subject: [PATCH] feat(flags): declare bus-auth and bus-tls feature flags (off)

bus-auth carries the off -> soft -> enforce rollout state; bus-tls is a
boolean. Both start disabled so master keeps compiling and passing tests
while the auth/TLS code lands behind them across phases 0001a-0001e.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 dev/feature_flags.json | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 dev/feature_flags.json

diff --git a/dev/feature_flags.json b/dev/feature_flags.json
new file mode 100644
index 0000000..3027207
--- /dev/null
+++ b/dev/feature_flags.json
@@ -0,0 +1,19 @@
+{
+  "flags": {
+    "bus-auth": {
+      "enabled": false,
+      "state": "off",
+      "issue": "0001",
+      "description": "Signed control-plane auth + NATS nkey auth. Rollout: off -> soft (verify+log, allow) -> enforce (reject). 'enabled' mirrors state!=off.",
+      "added": "2026-06-07",
+      "enabled_at": null
+    },
+    "bus-tls": {
+      "enabled": false,
+      "issue": "0001",
+      "description": "TLS on the NATS data plane using the project's self-signed CA (deploy/tls/). When enabled the server presents its cert and clients pin the CA.",
+      "added": "2026-06-07",
+      "enabled_at": null
+    }
+  }
+}