---
name: m9-gateway-wan-progress
description: M9 cross-node Gateway WAN user-msg (REQ-MSG-6) — PR #9 doyle gate PASS, merge-ready; T5 int deferred required-before-lecturn
metadata: 
  node_type: memory
  type: project
  originSessionId: 6b7355ca-c59b-4b57-a4e8-b248ce4673c6
---

**M9 cross-node Gateway WAN user-msg** (doyle directive 2026-06-13, operator GO). Branch `m9-gateway-wan` stacked on m9-user-surfaces. Doc stage was doyle's (commit 30fea7f). I (todlando) own impl/unit. **REQ-MSG-6** minted [doc,impl,unit] all green; REQ-EP-6 retitled (WAN residual no longer deferred).

**Impl COMPLETE, PR #9 open** (base m9-user-surfaces, CI-vehicle pattern like PR #8). 4 commits: T1 Instance.endpoint_type (0b79951) → T2 advertise populate from info.json state (0f84e25) → T3+T4 receive_wan origin resolve + unit matrix (1588525) + REQ-mint (6f720d6). T5 twohost int **SKIPPED** (unit matrix + existing wanmsg wire fail-closed test cover it; flagged in PR for doyle).

Local sweep ALL GREEN: workspace tests 0-fail, clippy -D clean, --no-default-features builds, xtask check OK, traceable EXIT=0. **PR #9 CI GREEN both runners** (first Linux RED was a transient Broker::bind socket flake in applyhost test — unrelated, cleared on rerun). **doyle PINGED for his gate** (posture-adherence = no smuggled extra gate beyond "is advertised type gateway", additive/N-1 Instance, proven-node keying not wire `from`, the matrix). Awaiting his stamp → then Wave 3 / next beat.

**Ratified posture (deviation=STOP):** subnet membership IS the trust boundary; NO defense against an in-subnet member forging the gateway type; proven-node keying is correctness not trust. Don't re-introduce the vetoed per-node "user-surface trust set".

**Mechanism:** Instance.endpoint_type (additive serde-default, rides epoch lease, no new channel) ← advertise_local stamps perch's own info.json `state` ← receive_wan resolves via RegistryHost::instances_of keyed by QUIC-proven origin_node, flips origin_user_backed. Absent type → fail-closed re-stamp.

**GATE PASS ✓ — doyle cleared PR #9 gateway-wan 2026-06-13** (read impl whole, re-ran origin_user_backed_matrix 1/0 + wanmsg 3/0 + xtask: posture-faithful, no smuggled gate, proven-node keying confirmed, production wiring real not stub). PR #9 merge-ready (operator/release-gated). **TRACKED CONDITION (non-blocking, logged commit 58f034f):** T5 twohost HONORED-path int (Gateway advert A → honored at B; agent → re-stamped) REQUIRED-BEFORE-LECTURN — on REQ-MSG-6 (activate `int` when adding) + ROADMAP. M9 milestone: G1 ✓ G2 ✓ gateway-wan ✓.

SEQUENCING: PR #8 (Wave 2 G2) — **G2 FULLY CLOSED ✓ by doyle 2026-06-13** (CI green both runners after disk-full fix, see [[hfenduleam-disk-full-ci]]; his substance PASS + reconcile_driver_structurally_excludes_live_role green). Wave 2 stamped; OPERATOR owns merge-to-main per release model. **PR #9 now under doyle's gate review** (he pulled it, back shortly).