Add API documentation for Route Policies

- Add comprehensive Route Policies API documentation
  - Create, get, list, update, delete endpoints
  - Complete filtering documentation (guids, route_guids, space_guids, sources, source_guids)
  - Include parameter documentation (route, app, space, organization, source)
  - Practical use case examples for common scenarios
  - Validation rules and permission matrices

- Update Domains documentation
  - Add enforce_route_policies and route_policies_scope fields
  - Document immutability of enforcement settings
  - Add example for creating identity-aware domain

- Update index.html.md to include route_policies resources

Route policies enable identity-aware routing by controlling which
Cloud Foundry apps, spaces, or organizations can access routes on
domains with enforce_route_policies enabled. GoRouter enforces these
access controls using mutual TLS (mTLS).

Author: rkoster

docs/v3/source/includes/api_resources/_domains.erb

@@ -87,6 +87,37 @@
           "href": "https://api.example.org/routing/v1/router_groups/5806148f-cce6-4d86-7fbd-aa269e3f6f3f"
         }
       }
+    },
+    {
+      "guid": "9b2f3d89-3f89-4f05-8188-8a2b298c79d5",
+      "created_at": "2026-04-21T10:15:30Z",
+      "updated_at": "2026-04-21T10:15:30Z",
+      "name": "apps.identity",
+      "internal": false,
+      "router_group": null,
+      "supported_protocols": ["http"],
+      "enforce_route_policies": true,
+      "route_policies_scope": "org",
+      "metadata": {
+        "labels": {},
+        "annotations": {}
+      },
+      "relationships": {
+        "organization": {
+          "data": null
+        },
+        "shared_organizations": {
+          "data": []
+        }
+      },
+      "links": {
+        "self": {
+          "href": "https://api.example.org/v3/domains/9b2f3d89-3f89-4f05-8188-8a2b298c79d5"
+        },
+        "route_reservations": {
+          "href": "https://api.example.org/v3/domains/9b2f3d89-3f89-4f05-8188-8a2b298c79d5/route_reservations"
+        }
+      }
     }
   ]
 }

docs/v3/source/includes/api_resources/_route_policies.erb

@@ -0,0 +1,131 @@
+<% content_for :single_route_policy do | metadata={} | %>
+{
+  "guid": "a4ad8bc1-67a6-4ffa-95b7-f8cf04ad7d4f",
+  "created_at": "2026-04-21T10:15:30Z",
+  "updated_at": "2026-04-21T10:15:30Z",
+  "source": "cf:app:d76446a1-f429-4444-8797-be2f78b75b08",
+  "metadata": {
+    "labels": <%= metadata.fetch(:labels, {}).to_json(space: ' ', object_nl: ' ')%>,
+    "annotations": <%= metadata.fetch(:annotations, {}).to_json(space: ' ', object_nl: ' ')%>
+  },
+  "relationships": {
+    "route": {
+      "data": {
+        "guid": "89b32bd6-688f-4424-b94f-2e2c86495a5f"
+      }
+    },
+    "app": {
+      "data": {
+        "guid": "d76446a1-f429-4444-8797-be2f78b75b08"
+      }
+    },
+    "space": {
+      "data": null
+    },
+    "organization": {
+      "data": null
+    }
+  },
+  "links": {
+    "self": {
+      "href": "https://api.example.org/v3/route_policies/a4ad8bc1-67a6-4ffa-95b7-f8cf04ad7d4f"
+    },
+    "route": {
+      "href": "https://api.example.org/v3/routes/89b32bd6-688f-4424-b94f-2e2c86495a5f"
+    }
+  }
+}
+<% end %>
+
+<% content_for :paginated_list_of_route_policies do |base_url| %>
+{
+  "pagination": {
+    "total_results": 3,
+    "total_pages": 2,
+    "first": {
+      "href": "https://api.example.org<%= base_url %>?page=1&per_page=2"
+    },
+    "last": {
+      "href": "https://api.example.org<%= base_url %>?page=2&per_page=2"
+    },
+    "next": {
+      "href": "https://api.example.org<%= base_url %>?page=2&per_page=2"
+    },
+    "previous": null
+  },
+  "resources": [
+    {
+      "guid": "a4ad8bc1-67a6-4ffa-95b7-f8cf04ad7d4f",
+      "created_at": "2026-04-21T10:15:30Z",
+      "updated_at": "2026-04-21T10:15:30Z",
+      "source": "cf:app:d76446a1-f429-4444-8797-be2f78b75b08",
+      "metadata": {
+        "labels": {},
+        "annotations": {}
+      },
+      "relationships": {
+        "route": {
+          "data": {
+            "guid": "89b32bd6-688f-4424-b94f-2e2c86495a5f"
+          }
+        },
+        "app": {
+          "data": {
+            "guid": "d76446a1-f429-4444-8797-be2f78b75b08"
+          }
+        },
+        "space": {
+          "data": null
+        },
+        "organization": {
+          "data": null
+        }
+      },
+      "links": {
+        "self": {
+          "href": "https://api.example.org/v3/route_policies/a4ad8bc1-67a6-4ffa-95b7-f8cf04ad7d4f"
+        },
+        "route": {
+          "href": "https://api.example.org/v3/routes/89b32bd6-688f-4424-b94f-2e2c86495a5f"
+        }
+      }
+    },
+    {
+      "guid": "f2b5d8c3-92a1-4e3f-b847-9c8f1d2e3a4b",
+      "created_at": "2026-04-21T11:20:45Z",
+      "updated_at": "2026-04-21T11:20:45Z",
+      "source": "cf:space:3fa85f64-5717-4562-b3fc-2c963f66afa6",
+      "metadata": {
+        "labels": {},
+        "annotations": {}
+      },
+      "relationships": {
+        "route": {
+          "data": {
+            "guid": "89b32bd6-688f-4424-b94f-2e2c86495a5f"
+          }
+        },
+        "app": {
+          "data": null
+        },
+        "space": {
+          "data": {
+            "guid": "3fa85f64-5717-4562-b3fc-2c963f66afa6"
+          }
+        },
+        "organization": {
+          "data": null
+        }
+      },
+      "links": {
+        "self": {
+          "href": "https://api.example.org/v3/route_policies/f2b5d8c3-92a1-4e3f-b847-9c8f1d2e3a4b"
+        },
+        "route": {
+          "href": "https://api.example.org/v3/routes/89b32bd6-688f-4424-b94f-2e2c86495a5f"
+        }
+      }
+    }
+  ]
+}
+<% end %>

docs/v3/source/includes/resources/domains/_create.md.erb

@@ -15,6 +15,23 @@ curl "https://api.example.org/v3/domains" \
   }'
 ```
 
+```
+Example Request (Identity-Aware Domain)
+```
+
+```shell
+curl "https://api.example.org/v3/domains" \
+  -X POST \
+  -H "Authorization: bearer [token]" \
+  -H "Content-type: application/json" \
+  -d '{
+    "name": "apps.identity",
+    "internal": false,
+    "enforce_route_policies": true,
+    "route_policies_scope": "org"
+  }'
+```
+
 ```
 Example Response
 ```
@@ -41,6 +58,8 @@ Name     | Type     | Description
 | -----------              | --------                                         | ------------------------------------------------------------------------                                                                                                  | ------- |
 | **internal**             | _boolean_                                        | Whether the domain is used for internal (container-to-container) traffic, or external (user-to-container) traffic                                                        | false   |
 | **router_group.guid**    | _uuid_                                           | The desired router group guid. <br>_note: creates a `tcp` domain; cannot be used when `internal` is set to `true` or domain is scoped to an org_                         | null    |
+| **enforce_route_policies** | _boolean_                                      | When `true`, GoRouter enforces route policies for routes on this domain using mutual TLS (mTLS). **Immutable** after creation. Cannot be used with internal domains    | false   |
+| **route_policies_scope** | _string_                                         | Operator-defined boundary for allowed callers: `any`, `org`, or `space`. Required when `enforce_route_policies` is `true`. **Immutable** after creation                  |         |
 | **organization**         | [_to-one relationship_](#to-one-relationships)   | A relationship to the organization the domain will be scoped to; <br>_note: cannot be used when `internal` is set to `true` or domain is associated with a router group_ |         |
 | **shared_organizations** | [_to-many relationship_](#to-many-relationships) | A relationship to organizations the domain will be shared with <br>_Note: cannot be used without an organization relationship_                                           |         |
 | **metadata.labels**      | [_label object_](#labels)                        | Labels applied to the domain                                                                                                                                             |         |

docs/v3/source/includes/resources/domains/_object.md.erb

@@ -17,6 +17,8 @@ Example Domain object
 | **internal**              | _boolean_                                        | Whether the domain is used for internal (container-to-container) traffic
 | **router_group.guid**     | _uuid_                                           | The guid of the desired router group to route `tcp` traffic through; if set, the domain will only be available for `tcp` traffic
 | **supported_protocols**   | _list of strings_                                | Available protocols for routes using the domain, currently `http` and `tcp`
+| **enforce_route_policies** | _boolean_                                       | When `true`, GoRouter enforces route policies for routes on this domain. This field only appears in the response when set to `true`. **Immutable** after domain creation
+| **route_policies_scope**  | _string_                                         | Operator-defined boundary for allowed callers: `any`, `org`, or `space`. Required when `enforce_route_policies` is `true`. This field only appears when `enforce_route_policies` is `true`. **Immutable** after domain creation
 | **relationships.organization**          | [_to-one relationship_](#to-one-relationships)   | The organization the domain is scoped to; if set, the domain will only be available in that organization; otherwise, the domain will be globally available
 | **relationships.shared_organizations**  | [_to-many relationship_](#to-many-relationships) | Organizations the domain is shared with; if set, the domain will be available in these organizations in addition to the organization the domain is scoped to
 | **metadata.labels**       | [_label object_](#labels)                        | Labels applied to the domain

docs/v3/source/includes/resources/route_policies/_create.md.erb

@@ -0,0 +1,115 @@
+### Create a route policy
+
+```
+Example Request (Allow specific app)
+```
+
+```shell
+curl "https://api.example.org/v3/route_policies" \
+  -X POST \
+  -H "Authorization: bearer [token]" \
+  -H "Content-type: application/json" \
+  -d '{
+    "source": "cf:app:d76446a1-f429-4444-8797-be2f78b75b08",
+    "relationships": {
+      "route": {
+        "data": {
+          "guid": "89b32bd6-688f-4424-b94f-2e2c86495a5f"
+        }
+      }
+    },
+    "metadata": {
+      "labels": { "team": "frontend" },
+      "annotations": { "description": "Allow frontend app to call backend API" }
+    }
+  }'
+```
+
+```
+Example Response
+```
+
+```http
+HTTP/1.1 201 Created
+Content-Type: application/json
+
+<%= yield_content :single_route_policy, {
+  labels: { "team" => "frontend" },
+  annotations: { "description" => "Allow frontend app to call backend API" }
+} %>
+```
+
+```
+Example Request (Allow all apps in a space)
+```
+
+```shell
+curl "https://api.example.org/v3/route_policies" \
+  -X POST \
+  -H "Authorization: bearer [token]" \
+  -H "Content-type: application/json" \
+  -d '{
+    "source": "cf:space:3fa85f64-5717-4562-b3fc-2c963f66afa6",
+    "relationships": {
+      "route": {
+        "data": {
+          "guid": "89b32bd6-688f-4424-b94f-2e2c86495a5f"
+        }
+      }
+    }
+  }'
+```
+
+```
+Example Request (Allow any caller)
+```
+
+```shell
+curl "https://api.example.org/v3/route_policies" \
+  -X POST \
+  -H "Authorization: bearer [token]" \
+  -H "Content-type: application/json" \
+  -d '{
+    "source": "cf:any",
+    "relationships": {
+      "route": {
+        "data": {
+          "guid": "89b32bd6-688f-4424-b94f-2e2c86495a5f"
+        }
+      }
+    }
+  }'
+```
+
+#### Definition
+`POST /v3/route_policies`
+
+#### Required parameters
+
+| Name                     | Type                                             | Description
+| -----------              | --------                                         | -----------
+| **source**               | _string_                                         | The policy selector. Must be `cf:app:<uuid>`, `cf:space:<uuid>`, `cf:org:<uuid>`, or `cf:any`
+| **relationships.route**  | [_to-one relationship_](#to-one-relationships)   | The route this policy applies to
+
+#### Optional parameters
+
+| Name                     | Type                                             | Description
+| -----------              | --------                                         | -----------
+| **metadata.labels**      | [_label object_](#labels)                        | Labels applied to the route policy
+| **metadata.annotations** | [_annotation object_](#annotations)              | Annotations applied to the route policy
+
+#### Validation rules
+
+- The route's domain must have `enforce_route_policies` set to `true`
+- The route's domain must not be internal (internal routes bypass GoRouter)
+- The `source` must be unique per route (duplicate sources are rejected)
+- If the route already has a `cf:any` policy, no other sources can be added
+- If adding `cf:any`, the route must not have any existing policies
+- The source GUID is not validated at creation time (allows cross-org sharing)
+
+#### Permitted roles
+
+Role | Notes
+----- | ---
+Admin |
+Space Developer | Can create policies for routes in spaces they can write to

docs/v3/source/includes/resources/route_policies/_delete.md.erb

@@ -0,0 +1,31 @@
+### Delete a route policy
+
+```
+Example Request
+```
+
+```shell
+curl "https://api.example.org/v3/route_policies/a4ad8bc1-67a6-4ffa-95b7-f8cf04ad7d4f" \
+  -X DELETE \
+  -H "Authorization: bearer [token]"
+```
+
+```
+Example Response
+```
+
+```http
+HTTP/1.1 204 No Content
+```
+
+#### Definition
+`DELETE /v3/route_policies/:guid`
+
+Deleting a route policy removes the access control for that specific source. If this was the only policy on the route, the route will become inaccessible (no callers will be allowed) until new policies are added or a `cf:any` policy is created.
+
+#### Permitted roles
+
+Role | Notes
+----- | ---
+Admin |
+Space Developer | Can delete policies for routes in spaces they can write to