{
  "id": "storage-token-directive-v1",
  "description": "Implement minimal cloud storage token UX in Factory app that is compatible with Google Cloud Storage and iCloud-style signed URLs.",
  "status": "draft",
  "owner": "platform",
  "context": {
    "backend": "Hypergraph API Gateway",
    "frontend": "Factory Next.js app",
    "auth": "X-API-Key issued by /api/v1/token"
  },
  "requirements": [
    "Expose UI to mint per-object storage tokens with provider, bucket, object path, TTL, permissions, and optional metadata.",
    "Call POST /api/v1/storage/token with X-API-Key; display returned token, expiry, and signed google/icloud URLs.",
    "Offer verify flow against POST /api/v1/storage/token/verify for debugging (optional).",
    "Keep tokens scoped and short-lived (default 1h); do not expose secrets held in client storage; never log API keys.",
    "Surface a factory route at /storage reachable from internal navigation."
  ],
  "api": {
    "create": {
      "method": "POST",
      "path": "/api/v1/storage/token",
      "headers": { "X-API-Key": "<gateway-token>" },
      "body": {
        "provider": "google|icloud|s3-compatible",
        "bucket": "string",
        "object_path": "string",
        "permissions": ["upload","download"],
        "ttl_seconds": 3600,
        "meta": { "source": "factory-app" }
      }
    },
    "verify": {
      "method": "POST",
      "path": "/api/v1/storage/token/verify",
      "headers": { "X-API-Key": "<gateway-token>" },
      "body": { "token": "<signed-token>" }
    }
  },
  "env": {
    "backend": [
      "STORAGE_SIGNING_KEY=<hmac-secret>",
      "STORAGE_TOKEN_TTL=3600"
    ]
  },
  "deliverables": [
    "Factory page /storage with form + results and minimal styling.",
    "Doc blurb in release notes referencing this directive and required env vars."
  ]
}
