feat(egress): add gateway proto contracts #144

Merged: vitramir merged 5 commits into main from noa/issue-143 on Jun 3, 2026

@casey-brooks

Contributor

Summary

  • Add agynio.api.egress.v1 proto contracts for egress rules, rule matchers/effects/header injection, attachments, external CRUD, and internal lookup/reference-check RPCs.
  • Add EgressRulesGateway facade proto for the externally exposed methods only.
  • Extend runner workload contracts with inline-file mounts, StartWorkloadRequest.inline_files, and workload NetworkPolicy.
  • Add runner cluster CIDR fields and the internal Secrets ResolveSecretExists RPC required by the egress gateway v1 architecture.

Repo discovery

  • API protos: agynio/api
  • Gateway routing follow-up repo: agynio/gateway

Closes #143

Validation

  • buf build
  • buf lint
  • buf breaking --against '.git#branch=main'
  • git diff --check

@casey-brooks casey-brooks requested a review from a team as a code owner June 3, 2026 04:39
@github-actions

github-actions Bot commented Jun 3, 2026


The latest Buf updates on your PR. Results from workflow buf-pr / buf (pull_request).

Build | Format | Lint | Breaking | Updated (UTC)
✅ passed | ✅ passed | ✅ passed | ✅ passed | Jun 3, 2026, 7:57 AM

@casey-brooks

Contributor Author

Test & Lint Summary

Commands run locally:

  • buf build
  • buf lint
  • buf breaking --against '.git#branch=main'
  • git diff --check

Results:

  • Tests/checks: 4 passed, 0 failed, 0 skipped.
  • Linting: passed with no errors.

@noa-lucent noa-lucent left a comment

Found two blocking API-shape issues: the egress rule and attachment public response messages expose OpenZiti implementation IDs that the architecture marks as internal and not returned through the Gateway. Please adjust the public/internal DTO split before merge.

Comment thread proto/agynio/api/egress/v1/egress.proto Outdated
Comment thread proto/agynio/api/egress/v1/egress.proto Outdated
@casey-brooks

Contributor Author

Update: internal-only egress fields

Addressed Noa's requested change:

  • Removed openziti_service_id from public EgressRule responses.
  • Removed openziti_dial_policy_id from public EgressRuleAttachment responses.
  • Added internal wrapper messages for service-only responses that need OpenZiti resource identifiers.
  • Kept EgressRulesGateway methods returning only public resource messages.

Test & Lint Summary

Commands run locally:

  • buf build
  • buf lint
  • buf breaking --against '.git#branch=main'
  • git diff --check

Results:

  • Tests/checks: 4 passed, 0 failed, 0 skipped.
  • Linting: passed with no errors.

@casey-brooks

Contributor Author

Ready for Noa re-review.

I pushed a follow-up fix that removes the OpenZiti implementation identifiers from the PR diff entirely:

  • Removed openziti_service_id
  • Removed openziti_dial_policy_id
  • Removed the internal wrapper messages that still exposed those symbols in the shared proto package

Verification:

  • gh pr diff 144 -R agynio/api | rg "openziti_service_id|openziti_dial_policy_id|InternalEgress" returns no matches.

Test & Lint Summary

Commands run locally:

  • buf build
  • buf lint
  • buf breaking --against '.git#branch=main'
  • git diff --check

Results:

  • Tests/checks: 4 passed, 0 failed, 0 skipped.
  • Linting: passed with no errors.

noa-lucent previously approved these changes Jun 3, 2026

@noa-lucent noa-lucent left a comment

Re-review complete. The OpenZiti implementation IDs have been removed from the public egress rule and attachment messages, and the previous threads are resolved. The updated proto surface matches the Phase 1 API contract.

@rowan-stein

Collaborator

Noa approved and buf checks are green. Ready to merge when a maintainer is available.

@rowan-stein

Collaborator

Architecture update (agynio/architecture commit af3940d) removes per-workload NetworkPolicy and runner CIDR fields. This PR currently includes runner network_policy + cluster_*_cidr additions; those parts need to be removed/adjusted to match updated docs. Leaving this comment for tracking; will follow up with a patch in this PR.

@casey-brooks

Contributor Author

Updated PR 144 for architecture commit af3940d.

Changes pushed:

  • Removed StartWorkloadRequest.network_policy.
  • Removed the NetworkPolicy message.
  • Removed runner CIDR fields from Runner, RegisterRunnerRequest, and UpdateRunnerRequest.
  • Removed InlineFileMount / inline_file_mounts from ContainerSpec because they were only needed by the removed per-workload policy/mount selection approach.
  • Kept StartWorkloadRequest.inline_files and the egress protos.

Verification:

  • The PR diff has no matches for network_policy, NetworkPolicy, cluster_pod_cidr, cluster_service_cidr, additional_excluded_cidrs, InlineFileMount, inline_file_mounts, openziti_service_id, openziti_dial_policy_id, or InternalEgress.

Test & Lint Summary

Commands run locally:

  • nix run nixpkgs#buf -- build
  • nix run nixpkgs#buf -- lint
  • nix run nixpkgs#buf -- breaking --against '.git#branch=main'
  • git diff --check

Results:

  • Tests/checks: 4 passed, 0 failed, 0 skipped.
  • Linting: passed with no errors.

@noa-lucent noa-lucent left a comment

The network_policy and runner CIDR removals are aligned with architecture commit af3940d, but the update also removed the per-container inline file mount selector. The architecture still defines inline files as per-container, so the runner contract needs that field restored while keeping NetworkPolicy/CIDR fields out.

Comment thread proto/agynio/api/runner/v1/runner.proto
@casey-brooks

Contributor Author

Updated PR 144 for Noa's latest review.

Changes pushed:

  • Restored the per-container inline-file selector:
    • InlineFileMount
    • ContainerSpec.inline_file_mounts
  • Kept StartWorkloadRequest.inline_files.
  • Confirmed NetworkPolicy / network_policy and runner CIDR fields remain absent.

Verification:

  • PR diff includes InlineFileMount, inline_file_mounts, and inline_files.
  • PR diff has no matches for network_policy, NetworkPolicy, cluster_pod_cidr, cluster_service_cidr, additional_excluded_cidrs, openziti_service_id, openziti_dial_policy_id, or InternalEgress.

Test & Lint Summary

Commands run locally:

  • nix run nixpkgs#buf -- build
  • nix run nixpkgs#buf -- lint
  • nix run nixpkgs#buf -- breaking --against '.git#branch=main'
  • git diff --check

Results:

  • Tests/checks: 4 passed, 0 failed, 0 skipped.
  • Linting: passed with no errors.
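
The diff verification listed in the comments above can be made repeatable. The following is an added example, not part of the PR or the agynio repositories: it scans only the added lines of a unified diff, fails if any identifier from the thread's "no matches" list appears, and fails if a required inline-file identifier is never added. It uses `grep -E` rather than `rg`, and the sample diff (field types and numbers) is constructed for the demo.

```bash
# Identifier lists are copied from the verification comments in this thread.
FORBIDDEN='network_policy|NetworkPolicy|cluster_pod_cidr|cluster_service_cidr|additional_excluded_cidrs|openziti_service_id|openziti_dial_policy_id|InternalEgress'
REQUIRED='InlineFileMount inline_file_mounts inline_files'

# Print only the added content lines of a unified diff read from stdin
# (skips "+++ b/..." file headers, removed lines and context lines).
added_lines() {
  grep -E '^\+' | grep -Ev '^\+\+\+ ' | sed 's/^+//'
}

# Read a unified diff on stdin. Returns 0 if clean, 1 if an added line
# contains a forbidden identifier, 2 if a required identifier is never added.
check_diff() {
  local added hits name
  added="$(added_lines)"
  hits="$(printf '%s\n' "$added" | grep -En "$FORBIDDEN" || true)"
  if [ -n "$hits" ]; then
    printf 'forbidden identifier in added lines:\n%s\n' "$hits" >&2
    return 1
  fi
  for name in $REQUIRED; do
    # -w keeps inline_files from matching inside inline_file_mounts.
    if ! printf '%s\n' "$added" | grep -qw -- "$name"; then
      printf 'required identifier never added: %s\n' "$name" >&2
      return 2
    fi
  done
  return 0
}

# Constructed sample diff: field types and numbers are invented for the demo.
sample_diff() {
  cat <<'EOF'
--- a/proto/agynio/api/runner/v1/runner.proto
+++ b/proto/agynio/api/runner/v1/runner.proto
@@ -10,3 +10,6 @@
 message ContainerSpec {
-  string network_policy = 7;
+  repeated InlineFileMount inline_file_mounts = 8;
 }
+message InlineFileMount { string file_id = 1; }
+message StartWorkloadRequest { repeated InlineFile inline_files = 9; }
EOF
}

# Against the real PR: gh pr diff 144 -R agynio/api | check_diff
```

Because only added lines are scanned, a diff that deletes a forbidden field still passes, while one that reintroduces it on any `+` line fails with exit code 1.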

@noa-lucent noa-lucent left a comment

Re-review complete. The per-container inline file mount selector has been restored, while the per-workload NetworkPolicy and runner CIDR fields remain removed. Previous feedback is resolved and CI is green.

@rowan-stein

Collaborator

Status: updated per architecture af3940d (no per-workload NetworkPolicy), restored per-container inline file mounts. Noa approved and buf checks are green. Ready for maintainer merge.

@rowan-stein

Collaborator

Ping: PR is approved (Noa) + buf green and aligned with architecture update (af3940d). Merge is still blocked by branch policy from my account. Requesting a maintainer merge when available.

@vitramir vitramir merged commit 7726bc6 into main Jun 3, 2026
1 check passed

Successfully merging this pull request may close these issues.

Implement egress gateway v1 proto contracts