CRP-SPEC-016: Gateway Service Specification¶
Document: CRP-SPEC-016
Title: Context Relay Protocol (CRP) - Gateway as a Managed Service
Version: 3.0.0
Status: Draft
Author: Constantinos Vidiniotis, AutoCyber AI Pty Ltd
Contact: contact@crprotocol.io
Date: 2026-05-25
License: CC BY 4.0 (specification text)
Prerequisites: CRP-SPEC-001 through CRP-SPEC-015
Abstract¶
This document specifies CRP Gateway as a managed service offering - the hosted reverse proxy operated by AutoCyber AI Pty Ltd that implements the full CRP protocol stack. While CRP-SPEC-001 through CRP-SPEC-015 define the protocol, this document defines the product: the public API surface, onboarding flow, free-tier and paid-tier quotas, document ingestion API, AI system registration, tenant provisioning, and the day-one user experience from account creation to first governed AI call.
This is the document that closes the gap between "protocol is specified" and "developers can actually use it without manual integration work."
Table of Contents¶
- Service Architecture
- Public API Endpoints
- Onboarding Flow
- Tenant Provisioning
- AI System Registration
- API Key Management
- Free Tier Quotas
- Paid Tier Quotas
- Document Ingestion API
- Provider Routing Configuration
- Default Safety Policies
- Service Discovery
- Rate Limiting
- SLA Tiers
- Security Posture
- References
1. Service Architecture¶
1.1 Hosted Endpoint Topology¶
CRP Gateway is operated as a multi-region managed service with the following endpoint structure:
gateway.crprotocol.io ← Primary entrypoint (DNS-routed to nearest region)
├── eu.gateway.crprotocol.io ← EU region (Frankfurt + Dublin)
├── au.gateway.crprotocol.io ← Australia region (Sydney + Melbourne)
├── us.gateway.crprotocol.io ← US region (Virginia + Oregon)
└── uk.gateway.crprotocol.io ← UK region (London)
Customers MUST select a region during account provisioning. The CRP-Compliance-Data-Residency header enforces region-locked processing.
1.2 Service Components¶
┌────────────────────────────────────────────────────────────────┐
│ CRP Gateway Service │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────────────┐ │
│ │ API Frontend │ │ DPE Workers │ │ CKF Storage Layer │ │
│ │ (TLS, auth) │ │ (DPE + RQA) │ │ (vector + graph) │ │
│ └──────────────┘ └──────────────┘ └────────────────────┘ │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌────────────────────┐ │
│ │ Provider │ │ Audit Stream │ │ Comply Webhook │ │
│ │ Key Vault │ │ (HMAC chain) │ │ Dispatcher │ │
│ └──────────────┘ └──────────────┘ └────────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────┘
2. Public API Endpoints¶
2.1 Inference Endpoints (OpenAI-compatible)¶
The Gateway exposes OpenAI-compatible endpoints so existing client SDKs work with a single base URL change:
| Endpoint | Method | Purpose |
|---|---|---|
/v1/chat/completions | POST | Standard chat completion - OpenAI-compatible |
/v1/completions | POST | Legacy completion - OpenAI-compatible |
/v1/embeddings | POST | Embedding generation - passes through with audit logging only |
/v1/models | GET | Lists available models (provider-mapped) |
2.2 CRP-Native Endpoints¶
| Endpoint | Method | Purpose |
|---|---|---|
/crp/v3/dispatch | POST | Direct CRP dispatch with full strategy control |
/crp/v3/session/{id} | GET | Retrieve session state (requires session token) |
/crp/v3/session/{id} | DELETE | Terminate session, finalise audit chain |
/crp/v3/sessions/{id}/dag | GET | Retrieve Window DAG for the session |
/crp/v3/verify-chain | POST | Verify HMAC chain integrity for an audit trail |
2.3 Knowledge Management Endpoints¶
| Endpoint | Method | Purpose |
|---|---|---|
/crp/v3/ckf/documents | POST | Upload document for ingestion into CKF |
/crp/v3/ckf/documents | GET | List ingested documents |
/crp/v3/ckf/documents/{id} | DELETE | Remove document (GDPR Art. 17 erasure) |
/crp/v3/ckf/facts | GET | Query CKF facts (admin/audit only) |
/crp/v3/ckf/state | GET | Get current CKF ETag and statistics |
2.4 Admin Endpoints (account holder only)¶
| Endpoint | Method | Purpose |
|---|---|---|
/crp/v3/admin/systems | POST | Register an AI system |
/crp/v3/admin/systems/{id} | PATCH | Update system registration |
/crp/v3/admin/keys | POST | Provision a new API key |
/crp/v3/admin/keys/{id} | DELETE | Revoke an API key |
/crp/v3/admin/policies | PUT | Set default Safety Policy for an AI system |
/crp/v3/admin/quotas | GET | Get current quota usage |
2.5 Well-Known URIs¶
| URI | Purpose |
|---|---|
/.well-known/crp-gateway.json | Gateway capability advertisement (per RFC 8615) |
/.well-known/security.txt | Security disclosure contact (RFC 9116) |
The crp-gateway.json document SHALL contain:
{
"crp_version": "3.0.0",
"conformance_level": "full",
"endpoints": {
"inference": "https://gateway.crprotocol.io/v1",
"crp_native": "https://gateway.crprotocol.io/crp/v3"
},
"providers_supported": ["openai", "anthropic", "gemini", "azure-openai", "bedrock", "ollama"],
"regions": ["eu", "au", "us", "uk"],
"max_loop_depth": 5,
"max_fan_out": 10,
"max_dag_nodes": 50
}
3. Onboarding Flow¶
3.1 The Critical Day-One Experience¶
The onboarding flow is designed to take a developer from "found by GitHub scan" to "first governed AI call working" in under 5 minutes.
┌────────────────────────────────────────────────────────────┐
│ Step 1: Account creation (< 60 seconds) │
│ - Email + password OR OAuth (GitHub, Google, Microsoft) │
│ - Region selection │
│ - Implicit free-tier provisioning │
└────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ Step 2: Provider key configuration (< 60 seconds) │
│ - Paste OpenAI/Anthropic/etc. key into vault │
│ - OR select "BYOK in code" (provider key in client app) │
└────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ Step 3: System registration (< 60 seconds) │
│ - Name your AI system ("my-chatbot") │
│ - Select domain (general, medical, financial, etc.) │
│ - Auto-classifies EU AI Act risk level │
└────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ Step 4: API key issuance (instant) │
│ - crp_gw_free_<32 chars> │
│ - Code snippet generated showing one-line integration │
└────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────────────────────────┐
│ Step 5: First call (< 60 seconds) │
│ - Developer changes base_url in their app │
│ - First call goes through Gateway │
│ - Headers emitted, audit event recorded │
│ - Visible in Comply dashboard immediately │
└────────────────────────────────────────────────────────────┘
3.2 Onboarding Banner: Zero-CKF Notification¶
On every Gateway response during the first 24 hours OR before any CKF facts have been ingested, the Gateway MUST emit:
This tells the developer (and any inspecting tooling) that the gateway is operating in safety-only mode and full context-grounding features will activate once documents are ingested.
This is the critical UX signal that prevents day-one confusion when CRP-Safety-Attribution: PARAMETRIC appears on responses (correctly, since there's nothing to ground against yet).
3.3 Pre-Populated Signup from GitHub Scan¶
When the signup URL contains ?source=github-scan query parameters, the onboarding flow is pre-populated:
https://comply.crprotocol.io/signup?source=github-scan&provider=openai&framework=langchain&finding_count=3
Pre-populates: - Provider selection (Step 2) - Suggested domain based on framework (Step 3) - Suggested system name from repository name - Shows scan findings in the welcome dashboard
This converts the GitHub Action funnel from "create account from scratch" to "confirm what we already know."
4. Tenant Provisioning¶
4.1 Tenant Isolation Model¶
Every account is provisioned as an isolated tenant with:
| Resource | Isolation Mechanism |
|---|---|
| CKF storage | Per-tenant namespace; separate HNSW indexes |
| Audit chain | Per-tenant HMAC master key; separate session HMAC keys |
| API keys | Per-tenant key prefix; scope-bound |
| Provider credentials | Encrypted in per-tenant vault; never shared |
| Comply evidence | Per-tenant evidence database |
| Quota counters | Per-tenant; never aggregated across tenants |
4.2 Tenant Provisioning Steps¶
- Account record created in identity store
- Tenant HMAC master key generated via HSM/KMS
- CKF namespace created with empty HNSW index
- Default AI system registered (placeholder, replaced in Step 3 of onboarding)
- Free-tier API key issued
- Comply evidence database initialised
- Welcome event written to audit chain
All steps MUST complete atomically. Failed provisioning rolls back all resources.
5. AI System Registration¶
5.1 Why Registration Matters¶
The EU AI Act classifies risk based on the deployment domain, not the LLM response content. A medical diagnosis assistant and a recipe suggestion bot may produce similar text, but they have radically different risk classifications. The Gateway MUST know which type of AI system is making the call to assign the correct CRP-Compliance-EU-AI-Act value.
5.2 System Registration Schema¶
{
"system_id": "sys_chatbot_prod_v1",
"name": "Customer Support Chatbot",
"description": "Public-facing customer support assistant",
"domain": "general_information",
"intended_purpose": "Answer customer questions about our products",
"deployment_context": "public",
"high_risk_indicators": {
"involves_employment_decisions": false,
"involves_credit_decisions": false,
"involves_medical_decisions": false,
"involves_law_enforcement": false,
"involves_critical_infrastructure": false,
"involves_biometric_id": false,
"involves_education_access": false
},
"users_classification": "general_public",
"personal_data_processing": false,
"automated_decision_making": false,
"default_safety_policy": "profile=public-facing",
"data_residency": "EU"
}
5.3 Automatic EU AI Act Classification¶
From the registration, the Gateway computes the EU AI Act risk class:
if any high_risk_indicator == true:
eu_ai_act_class = "HIGH"
elif domain in ["biometric_id", "social_scoring"]:
eu_ai_act_class = "UNACCEPTABLE"
elif personal_data_processing == true OR automated_decision_making == true:
eu_ai_act_class = "LIMITED"
else:
eu_ai_act_class = "MINIMAL"
This value is emitted as CRP-Compliance-EU-AI-Act on every call from this system.
5.4 Domain Catalog¶
The Gateway maintains a catalog of supported domains:
| Domain | Default Risk | Default Safety Policy Profile |
|---|---|---|
general_information | LIMITED | public-facing |
customer_support | LIMITED | public-facing |
developer_tooling | MINIMAL | developer |
creative_writing | MINIMAL | developer |
medical | HIGH | medical |
financial | HIGH | financial |
legal | HIGH | medical (strict equivalent) |
employment | HIGH | medical (strict equivalent) |
education | HIGH | medical (strict equivalent) |
government_services | HIGH | medical (strict equivalent) |
critical_infrastructure | HIGH | medical (strict equivalent) |
biometric_id | UNACCEPTABLE | - (blocked) |
social_scoring | UNACCEPTABLE | - (blocked) |
6. API Key Management¶
6.1 Key Format¶
Examples:
crp_gw_free_eu_4f8a9b2c1d3e5f60718293a4b5c6d7e8
crp_gw_pro_au_9b1c2d3e4f5061728394a5b6c7d8e9f0
crp_gw_business_us_a1b2c3d4e5f60718293a4b5c6d7e8f9
crp_gw_ent_eu_<custom>
The tier prefix is informational only - actual quota enforcement uses the billing record, not the key prefix.
6.2 Key Scoping¶
Each key can be scoped to:
| Scope | Description |
|---|---|
system_id | Key only works for calls from this AI system |
ip_allowlist | Key only accepted from specific IPs (CIDR) |
referer_allowlist | Key only accepted with matching Origin/Referer headers |
policy_tier | Key can only set Safety Policy at or below this tier |
max_loop_depth | Key cannot use loop depths above this value |
6.3 Key Rotation¶
Keys can be rotated without service interruption:
- Create new key via
/crp/v3/admin/keys - Both keys active simultaneously
- Update client applications to new key
- Revoke old key once traffic has migrated
- Audit trail records both key usages - full traceability of which key made which calls
7. Free Tier Quotas¶
7.1 Free Tier Limits¶
The free tier is designed to be genuinely useful, not a teaser - sufficient for production small-scale use and full feature evaluation.
| Resource | Free Tier Limit |
|---|---|
| AI calls per day | 100 |
| AI calls per month | 2,000 |
| Concurrent sessions | 5 |
| Maximum window depth (continuation) | 3 |
| Maximum fan-out width | 3 |
| Maximum loop depth (agentic) | 2 |
| CKF document storage | 50 MB |
| CKF facts (total) | 5,000 |
| Audit history retention | 30 days |
| Comply evidence retention | 30 days |
| Team seats | 1 |
| Provider keys in vault | 2 |
| Registered AI systems | 1 |
| Safety Policy: profile=medical | Disabled (requires Pro) |
| CRP Visualise sessions | 5 per month |
| Auditor sharing | Disabled (requires Business) |
| Webhook reports (CRP-Safety-Report-URI) | 100/day |
| SLA | None (best effort) |
7.2 What Works Fully on Free Tier¶
Every safety and provenance feature is fully enabled on the free tier:
| Feature | Free Tier |
|---|---|
| Full DPE pipeline (all 13 stages) | ✓ Full |
| All 58 CRP headers | ✓ Full |
| HMAC audit chain | ✓ Full |
| Safety Policy enforcement | ✓ Full |
| EU AI Act classification | ✓ Full |
| GDPR PII detection | ✓ Full |
| ISO 42001 control mapping | ✓ Full |
| Reflexive dispatch | ✓ Full |
| Agentic dispatch | ✓ Up to loop_depth=2 |
| Cross-window coherence (Stage 6) | ✓ Full |
| Repetition detection (Stage 7) | ✓ Full |
| Completeness verification (Stage 8) | ✓ Full |
| Flow & continuity (Stage 9) | ✓ Full |
| CRP-Safety-Stop-Inject | ✓ Full |
| Comply audit evidence pack | ✓ Full |
The free tier is a complete CRP implementation, simply quota-limited.
7.3 What's Restricted on Free Tier¶
| Restriction | Reason |
|---|---|
| Volume (calls/day, /month) | Cost control |
| Continuation depth (3 vs 5) | Server resource control |
| Audit retention (30 days) | Storage cost |
| Industry profiles (medical, financial) | These are regulated industries with higher liability - Pro+ required |
| Auditor sharing | Enterprise feature |
| Multi-region deployment | Single region only |
8. Paid Tier Quotas¶
8.1 Pro Tier ($149/month)¶
| Resource | Pro Limit |
|---|---|
| AI calls per month | Included: 50,000 / Then: $0.003 per call |
| Concurrent sessions | 50 |
| Maximum window depth | 5 |
| CKF storage | 5 GB |
| CKF facts | 500,000 |
| Audit retention | 1 year |
| Team seats | 5 |
| Registered systems | Unlimited |
| Industry profiles | All available |
| SLA | 99.5% uptime |
8.2 Business Tier ($499/month)¶
| Resource | Business Limit |
|---|---|
| AI calls per month | Included: 250,000 / Then: $0.002 per call |
| Concurrent sessions | 250 |
| Maximum window depth | Unlimited (within max_dag_nodes=50) |
| CKF storage | 50 GB |
| CKF facts | 5,000,000 |
| Audit retention | 5 years |
| Team seats | 20 |
| Auditor seats | 5 |
| CRP Visualise | Included |
| Multi-region | Available |
| SLA | 99.9% uptime |
8.3 Enterprise Tier (Custom)¶
- Dedicated Gateway instance (single-tenant infrastructure)
- On-premises or private cloud deployment
- Custom regulatory mapping
- Unlimited everything
- 99.99% uptime SLA
- 24/7 support
- Quarterly compliance review
- EU AI Act authority submission support
- CRP Certification program access
9. Document Ingestion API¶
9.1 Document Upload¶
POST /crp/v3/ckf/documents
Authorization: Bearer crp_gw_<key>
Content-Type: multipart/form-data
file: <binary>
metadata: {
"title": "EU AI Act Final Text",
"source_uri": "https://eur-lex.europa.eu/...",
"importance_baseline": 0.90,
"tags": ["regulation", "eu-ai-act"],
"ttl": "P5Y"
}
Response:
{
"document_id": "doc_a7f3b2c1d4e5",
"status": "ingesting",
"estimated_facts": 412,
"ckf_etag_will_change": true
}
9.2 Supported Formats¶
| Format | Notes |
|---|---|
| Including OCR for scanned PDFs | |
| DOCX | Word documents |
| MD | Markdown |
| HTML | Web content (sanitised) |
| TXT | Plain text |
| JSON | Structured data - keys treated as fact identifiers |
| CSV | Tabular data - rows treated as fact candidates |
9.3 Ingestion Pipeline (Asynchronous)¶
- Document uploaded → stored in tenant's document store
- Async job triggered: chunking, fact extraction, embedding
- Facts added to HNSW index (immediate but unreflected in ETag until step 5)
- Leiden community detection triggered if batch ≥ 50 new facts
- CKF state hash updated →
CRP-Context-ETaginvalidated for all clients
Progress is queryable via GET /crp/v3/ckf/documents/{id}.
9.4 Source Authority Levels¶
Documents can be tagged with authority levels that affect importance weighting:
| Authority | Default Importance Boost |
|---|---|
regulatory | +0.10 |
peer-reviewed | +0.05 |
official-documentation | 0.00 (baseline) |
community | -0.05 |
unverified | -0.10 |
10. Provider Routing Configuration¶
10.1 Provider Selection per Call¶
The Gateway selects the LLM provider via three mechanisms (in priority order):
- Model name routing:
model: "gpt-4o"→ OpenAI;model: "claude-sonnet-4"→ Anthropic;model: "gemini-2.0-pro"→ Google - Default provider: If no model specified, uses the tenant's configured default
- Failover provider: If primary provider fails (5xx, timeout), automatically fails over to configured backup
10.2 Provider Vault¶
Each tenant's provider credentials are stored in an encrypted vault:
{
"providers": [
{
"id": "openai_primary",
"type": "openai",
"key_encrypted": "<AES-256-GCM ciphertext>",
"models_allowed": ["gpt-4o", "gpt-4o-mini"],
"rate_limit_override": null,
"is_default": true
},
{
"id": "anthropic_primary",
"type": "anthropic",
"key_encrypted": "<AES-256-GCM ciphertext>",
"models_allowed": ["claude-sonnet-4", "claude-haiku-4-5"],
"is_default": false
}
],
"default_provider_id": "openai_primary",
"failover_provider_id": "anthropic_primary"
}
10.3 BYOK Mode¶
Customers MAY choose "BYOK in client" - provider keys stay in their application; the Gateway forwards calls using the customer-provided key on each request:
POST /v1/chat/completions
Authorization: Bearer crp_gw_<key>
CRP-Provider-Key: <customer-provided OpenAI key>
In BYOK mode, the Gateway does not vault the provider key but still applies all CRP features (DPE, headers, audit, Comply integration).
11. Default Safety Policies¶
11.1 Per-System Default Policy¶
Each registered AI system has a default Safety Policy. If a request from this system does not include CRP-Safety-Policy, the default applies.
11.2 Tier-Based Default Profiles¶
| System Domain | Free Tier Default | Pro+ Default |
|---|---|---|
| general_information | warn-on CRITICAL; warn-on HIGH | profile=public-facing |
| developer_tooling | warn-on CRITICAL; require-quality S A B | profile=developer |
| medical | (not available on Free) | profile=medical |
| financial | (not available on Free) | profile=financial |
11.3 Policy Override Hierarchy¶
1. CRP-Safety-Policy in request header (highest priority)
2. Per-API-key configured policy
3. Per-AI-system default policy
4. Tenant-wide default policy
5. Gateway-wide default for the tier
12. Service Discovery¶
12.1 Well-Known Endpoint¶
Returns service capabilities (see §2.5).
12.2 Health Check¶
Returns service health status (200 OK if healthy, 503 if degraded). Includes: - Region status - Provider availability (OpenAI, Anthropic, etc.) - DPE pipeline status - CKF index status
12.3 Status Page¶
https://status.crprotocol.io provides public service status. Subscribers can receive incident notifications via webhook, email, or RSS.
13. Rate Limiting¶
13.1 Per-Key Rate Limits¶
| Tier | RPS (Requests Per Second) | Burst |
|---|---|---|
| Free | 2 | 5 |
| Pro | 20 | 50 |
| Business | 100 | 250 |
| Enterprise | Custom | Custom |
13.2 Rate Limit Response¶
When rate limited, the Gateway returns HTTP 429 with:
HTTP/1.1 429 Too Many Requests
Retry-After: 5
X-RateLimit-Limit: 20
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1748160300
CRP-Context-Protocol-Version: 3.0.0
13.3 Quota Exhaustion¶
When monthly quota is exhausted: - Free tier: HTTP 402 (Payment Required) with upgrade link - Pro+: Continues on overage pricing per the tier's per-call rate
14. SLA Tiers¶
| Tier | Uptime | Response Time SLA | Support Response |
|---|---|---|---|
| Free | None (best effort) | None | Community forum |
| Pro | 99.5% | p95 < 2s gateway overhead | Email, 48hr |
| Business | 99.9% | p95 < 1s gateway overhead | Email + chat, 4hr |
| Enterprise | 99.99% | p95 < 500ms gateway overhead | Phone + Slack, 24/7 |
Note: "Gateway overhead" excludes LLM provider latency. SLA covers only the time spent inside CRP Gateway processing.
15. Security Posture¶
15.1 Required Certifications (AutoCyber AI)¶
For Pro+ tier customers, AutoCyber AI Pty Ltd MUST maintain:
- SOC 2 Type II (US/AU customer requirement)
- ISO/IEC 27001 (EU customer requirement)
- ISO/IEC 42001 (CRP self-compliance - we build AI compliance, we are AI compliance)
15.2 Pen Testing¶
Annual third-party penetration testing of the Gateway service. Results summary available to Business+ customers under NDA.
15.3 Bug Bounty¶
Public bug bounty program at https://crprotocol.io/security/bounty covering: - Token forgery - HMAC chain bypass - Cross-tenant data access - Provider credential exposure - DPE evasion attacks
Critical vulnerabilities: $5,000 – $25,000. High: $1,000 – $5,000. Medium: $250 – $1,000.
16. References¶
- All CRP-SPEC-001 through CRP-SPEC-015
- RFC 8615 - Well-Known Uniform Resource Identifiers
- RFC 9116 - A File Format to Aid in Security Vulnerability Disclosure
Copyright © 2025–2026 AutoCyber AI Pty Ltd. Licensed under CC BY 4.0 (specification text). CRP™ is a trademark of AutoCyber AI Pty Ltd.