Process-wide authz hook installed at server startup.
Both the gateway /v1/messages middleware and the MCP RBAC middleware
consult global_hook to retrieve the active hook. After
install_from_governance_config runs, the slot is always populated with
one of DenyAllHook, AllowAllHook, or WebhookHook — there is no
“uninstalled” path that callers can fall through.
install_from_governance_config is the single source of truth for both
the API server runtime and standalone MCP server binaries:
- mode: webhook with a non-empty url → WebhookHook (fail-closed).
- mode: disabled, or governance/authz absent → DenyAllHook.
- mode: unrestricted → AllowAllHook, but ONLY when acknowledgement exactly equals UNRESTRICTED_ACKNOWLEDGEMENT. Otherwise bootstrap fails.
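The selection rules above as an added Rust sketch, not the crate's own code. Hook, AuthzConfig and select_hook are hypothetical names, the constant's value is a placeholder, and the handling of an empty url or an unknown mode is an assumption the page does not state.

```rust
// Added sketch: hypothetical types, not the crate's real definitions.
#[derive(Debug, PartialEq)]
pub enum Hook {
    DenyAll,
    AllowAll,
    Webhook { url: String }, // the page describes this hook as fail-closed
}

/// Placeholder: the real constant's value is not shown on this page.
pub const UNRESTRICTED_ACKNOWLEDGEMENT: &str = "<placeholder-acknowledgement>";

/// Hypothetical shape of the governance/authz config section.
pub struct AuthzConfig {
    pub mode: &'static str,
    pub url: Option<&'static str>,
    pub acknowledgement: Option<&'static str>,
}

/// Maps config to a hook. `None` models an absent governance/authz section.
pub fn select_hook(cfg: Option<&AuthzConfig>) -> Result<Hook, String> {
    let cfg = match cfg {
        None => return Ok(Hook::DenyAll),
        Some(c) => c,
    };
    match cfg.mode {
        "disabled" => Ok(Hook::DenyAll),
        "webhook" => match cfg.url {
            Some(u) if !u.is_empty() => Ok(Hook::Webhook { url: u.to_string() }),
            // Assumption: the page does not say what an empty url yields;
            // this sketch refuses to start rather than guess.
            _ => Err("webhook mode requires a non-empty url".to_string()),
        },
        "unrestricted" => match cfg.acknowledgement {
            // Exact match only: no trimming, no case folding.
            Some(a) if a == UNRESTRICTED_ACKNOWLEDGEMENT => Ok(Hook::AllowAll),
            _ => Err("unrestricted requires the exact acknowledgement".to_string()),
        },
        // Assumption: an unrecognised mode aborts bootstrap.
        other => Err(format!("unknown authz mode: {}", other)),
    }
}

fn main() {
    let typo = AuthzConfig { mode: "unrestricted", url: None, acknowledgement: Some("yes") };
    println!("{:?}", select_hook(None));
    println!("{:?}", select_hook(Some(&typo)));
}
```

Every branch returns either a concrete hook or an error, which mirrors the property that callers never see an empty slot.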
Bootstrap ordering: this is called from AppContextBuilder::build after
the database pool is created so the audit sink can write to
governance_decisions.