docs(roadmap): finalize S1 entry with CF e2e verification

hotlong · hotlong · commit 4220018d4238 · 2026-05-18T10:06:50.000+08:00
diff --git a/ROADMAP.md b/ROADMAP.md
@@ -56,7 +56,7 @@ Code that exists and matches the intended architecture. Do not regress these.
 | Studio Flow Viewer + Flow Test Runner + Flow Runs panel | [apps/studio/src/components/FlowViewer.tsx](apps/studio/src/components/FlowViewer.tsx) |
 | Automation: flow auto-discovery from ObjectQL registry | [packages/services/service-automation/src/plugin.ts](packages/services/service-automation/src/plugin.ts) |
 | **D1** ObjectOS metadata DB bridge removed - `MetadataPlugin` no longer registers `sys_metadata` / `sys_metadata_history` or auto-bridges ObjectQL to `DatabaseLoader` | [packages/metadata/src/plugin.ts](packages/metadata/src/plugin.ts) |
-| **S1** REST `requireAuth` gate (resolved 2026-05-18) — anonymous `/api/v1/data/*` returns 401 on multi-tenant ObjectOS hosts (CRUD + batch routes both gated). Auto-enabled by CLI when `tierEnabled('auth')`; force-enabled on `createObjectOSStack` since project artifacts own auth per-tenant. Verified live on crm.objectos.app / app.objectos.app — anonymous reads + writes now 401 (were leaking before). | [packages/rest/src/rest-server.ts](packages/rest/src/rest-server.ts), [packages/runtime/src/cloud/objectos-stack.ts](packages/runtime/src/cloud/objectos-stack.ts), [packages/cli/src/commands/serve.ts](packages/cli/src/commands/serve.ts) |
+| **S1** REST `requireAuth` gate + `resolveExecCtx` hostname routing (resolved 2026-05-18) — anonymous `/api/v1/data/*` returns 401 on multi-tenant ObjectOS hosts (CRUD + batch routes both gated). Auto-enabled when `tierEnabled('auth')`; force-enabled on `createObjectOSStack`. `resolveExecCtx` now mirrors `resolveProtocol`'s hostname→projectId mapping so authenticated users on hostname-routed projects can read their own org's data. **Verified live on crm.objectos.app**: anonymous=401, user A=200 (own org records), user B=200 (different org, isolated). Original CF "two accounts see same data" complaint closed. | [packages/rest/src/rest-server.ts](packages/rest/src/rest-server.ts), [packages/runtime/src/cloud/objectos-stack.ts](packages/runtime/src/cloud/objectos-stack.ts), [packages/cli/src/commands/serve.ts](packages/cli/src/commands/serve.ts) |
 
 ---
 
