docs: plain-language explainer of the AH / Tool Hub / gateways stack

Plain-terms companion to integration-architecture.md: Automation Hub as the
internal action warehouse, Tool Hub as the smart front desk (progressive
disclosure + per-user permission filtering + audit) running as a central
service, and where the MCP Gateway (Arcade, per-user OAuth for outside tools)
and AI Gateway (config-only model toll booth) plug into existing seams.
Source-verified against servicetitan/tool-hub + automation-hub @ master.

STATUS.md

@@ -1,23 +1,24 @@
 # STATUS — "you are here" handoff
 
 Each lane owns its own section. Update yours; don't touch others'. Keep it terse.
-Last full-repo update: 2026-06-22.
+Last full-repo update: 2026-06-18 (scaffold).
 
 ## Category 1 — Functional MCP Gateway Capability
 - Owner: ztaylor
-- Status: **SCORED (draft 4/5)** — `categories/cat1-functional/criteria-section-1.md`, awaiting user paste into the Google Doc.
-- Last live-state check: 2026-06-22
-- Result: protocol/curation/mixed/dynamic-reg/zero-config-clients all PASS; per-user execution proven (`whoami` A→A/B→B); Claude Code connected via Arcade-Headers AND Entra OAuth. One finding: per-user tool-LIST scoping is gateway-wide, not native (→ cat-3/separate gateways).
-- Fixtures (reusable): gateway `zeb-gateway-test`; ref server `arcade-eval-ref` (lib/mcp_server) registered via cloudflared quick tunnel (EPHEMERAL — re-establish for cat-9; see LIVE-POC).
+- Status: in progress (scaffold done; executing per `~/repos/docs/arcade-eval-plan.md`)
+- Last live-state check: —
+- Notes: cat-1 lane = this session. Per-user tests via `user_id` headers (real Entra SSO → cat 2).
 
 ## Category 2 — Delegated Authorization and Identity
 - Owner: — (security cluster: Dane / Chandu)
-- Status: not started (criteria stub seeded) — **but cat-1 work already generated strong evidence; see LIVE-POC "Known behaviors".**
-- Notes: holds the Entra/Okta SSO login → identity-mapping test. Open finding: User Source keys user_id on opaque Entra `sub`, mismatching the dashboard email → blocks downstream OAuth consent bind (fix: map User Source to the email claim). Google provider redirect-uri/secret issue was resolved 2026-06-22.
+- Status: not started (criteria stub seeded)
+- Notes: holds the Entra/Okta SSO login → identity-mapping test (a teammate can be User B).
 
 ## Category 3 — Tool-Level Access Control and Policy
-- Owner: — (security cluster)
-- Status: not started (criteria stub seeded)
+- Owner: trachakonda
+- Status: in progress — B1 (curr-state) + B5 (enforcement/bypass) DONE; B2/B3/B4 + per-user B1 pending dashboard + Contextual Access.
+- Last live-state check: 2026-06-18 (apps/arcade #2383 steady; dashboard 200). Noted: otel-collector + jaeger now deployed (cat-5) → trace store for B6.
+- Notes: Engine is the enforcement point (ungranted tool rejected there); one gateway = gateway-wide tool list (A==B), not per-user. Bypass: public-isolated for in-cluster worker (ClusterIP); tunnel custom servers = documented boundary. Blocked on dashboard for Contextual Access (input-block/output-redact) + per-user grants.
 
 ## Category 4 — Connector Coverage and Custom Server Development
 - Owner: — (adopt/operate cluster)
@@ -25,9 +26,8 @@ Last full-repo update: 2026-06-22.
 
 ## Category 5 — Auditability and Observability
 - Owner: ztaylor
-- Status: **NEXT — start here in a fresh session** (invoke skill `arcade-gateway-eval`; read this + LIVE-POC; run live-state check). See `categories/cat5-auditability/NOTES.md` for the plan.
-- Last live-state check: —
-- Notes: metrics → **Grafana/Mimir** (NOT ELK); logs → ELK (Vector). Engine OTLP currently **dropped** — collector `arcade-otel-collector:4318` doesn't resolve. First task = OTEL collector → Prometheus/Mimir remediation (with the user; touches `k8s-backstage-v2/apps/arcade`). Full evidence + remediation shapes in LIVE-POC "Observability".
+- Status: not started (criteria stub seeded)
+- Notes: metrics → Grafana/Mimir (NOT ELK); engine OTLP currently dropped (no collector). See LIVE-POC.
 
 ## Category 6 — Security and Compliance
 - Owner: — (security cluster)