feat: edge gateway service

gateway/docs/runtime.md

@@ -0,0 +1,59 @@
+# Runtime and Components
+
+The diagram below focuses on the deployed `galaxy/gateway` process and its
+runtime dependencies.
+
+```mermaid
+flowchart LR
+    subgraph Clients
+        Public["Public REST clients"]
+        Authd["Authenticated gRPC clients"]
+    end
+
+    subgraph Gateway["Edge Gateway process"]
+        PublicHTTP["Public HTTP listener\n/healthz /readyz /api/v1/public/auth/*"]
+        AuthGRPC["Authenticated gRPC listener\nExecuteCommand / SubscribeEvents"]
+        AdminHTTP["Optional admin HTTP listener\n/metrics"]
+        SessionSnap["In-memory session snapshot cache"]
+        Replay["Replay reservation client"]
+        PushHub["PushHub"]
+        SessSub["Session event subscriber"]
+        ClientSub["Client event subscriber"]
+        Telemetry["Logs, traces, metrics"]
+    end
+
+    Public --> PublicHTTP
+    Authd --> AuthGRPC
+    AuthGRPC --> SessionSnap
+    AuthGRPC --> Replay
+    AuthGRPC --> PushHub
+    SessSub --> SessionSnap
+    SessSub --> PushHub
+    ClientSub --> PushHub
+    PublicHTTP --> Telemetry
+    AuthGRPC --> Telemetry
+    AdminHTTP --> Telemetry
+
+    Redis["Redis\nsession records + replay keys + streams"]
+    AuthSvc["Auth / Session Service"]
+    Downstream["Downstream business services"]
+    Metrics["Prometheus / OTLP collectors"]
+
+    PublicHTTP -. public auth adapter .-> AuthSvc
+    SessionSnap --> Redis
+    Replay --> Redis
+    SessSub --> Redis
+    ClientSub --> Redis
+    AuthGRPC --> Downstream
+    Telemetry --> Metrics
+```
+
+Notes:
+
+- `cmd/gateway` refuses startup when Redis connectivity or the response signer
+  is misconfigured.
+- The admin listener is optional and serves only Prometheus text metrics.
+- Public auth routing stays available without an upstream adapter, but returns
+  `503 service_unavailable`.
+- Authenticated gRPC starts with an empty static router; `ExecuteCommand`
+  remains `UNIMPLEMENTED` until downstream routes are injected.