From d5338f9244bef881bdcfced8e36f680315962526 Mon Sep 17 00:00:00 2001
From: Hare <kei.hiracchi.0928@gmail.com>
Date: Sun, 21 Jun 2026 16:48:59 +0900
Subject: [PATCH] ticket: start plugin request review

---
 .yoi/tickets/00001KVMG8FTW/item.md   |  2 +-
 .yoi/tickets/00001KVMG8FTW/thread.md | 33 ++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/.yoi/tickets/00001KVMG8FTW/item.md b/.yoi/tickets/00001KVMG8FTW/item.md
index 6eb5fd49..0b1c1315 100644
--- a/.yoi/tickets/00001KVMG8FTW/item.md
+++ b/.yoi/tickets/00001KVMG8FTW/item.md
@@ -2,7 +2,7 @@
 title: 'Plugin: host_api.https を廃止して URL 権限ベースの host_api.request に統合する'
 state: 'inprogress'
 created_at: '2026-06-21T07:10:30Z'
-updated_at: '2026-06-21T07:48:07Z'
+updated_at: '2026-06-21T07:48:53Z'
 assignee: null
 readiness: 'implementation_ready'
 risk_flags: ['plugin', 'host-api', 'public-api', 'permissions', 'security', 'local-network', 'breaking-change']
diff --git a/.yoi/tickets/00001KVMG8FTW/thread.md b/.yoi/tickets/00001KVMG8FTW/thread.md
index 7a40d2bb..1e0c802b 100644
--- a/.yoi/tickets/00001KVMG8FTW/thread.md
+++ b/.yoi/tickets/00001KVMG8FTW/thread.md
@@ -199,3 +199,36 @@ Next action:
 - Route to read-only Reviewer Pod for acceptance review against the Ticket and IntentPacket。
 
 ---
+
+<!-- event: comment author: yoi-orchestrator at: 2026-06-21T07:48:53Z -->
+
+## Comment
+
+Review routing:
+
+Spawned read-only Reviewer Pod:
+- `yoi-reviewer-00001KVMG8FTW-r1`
+
+Review target:
+- Worktree: `/home/hare/Projects/yoi/.worktree/00001KVMG8FTW-plugin-request-host-api`
+- Branch: `impl/00001KVMG8FTW-plugin-request-host-api`
+- Baseline: `4cd4a06e`
+- Implementation commit: `962b7699 plugin: replace https host api with request grants`
+- Diff: `4cd4a06e..962b7699`
+
+Reviewer scope:
+- read-only `/home/hare/Projects/yoi`
+
+Reviewer focus:
+- Active API/docs/WIT/CLI naming uses request, not stale https names。
+- No compatibility alias remains for old `host_api.https` / `grants.https` unless explicitly justified。
+- Runtime authorization requires both manifest request target and enablement grant before network I/O。
+- Grant-only and missing-grant cases fail closed / diagnose clearly。
+- Local/private/loopback targets require explicit declaration and grant。
+- WebSocket/SSE/persistent stream behavior is rejected or explicitly unsupported by `request`。
+- Broad/arbitrary URL grants are visibly distinguished。
+- Existing public HTTPS use case still works through request naming。
+
+Orchestrator will wait for reviewer verdict before integration。
+
+---