Skip to content

fix(migration): update outbound_capabilities §3 to Sprint 23 P1 default-open semantics (#242 forward-link)#68

Merged
suzuke merged 1 commit into
mainfrom
fix/migration-outbound-capabilities-default-open
May 4, 2026
Merged

fix(migration): update outbound_capabilities §3 to Sprint 23 P1 default-open semantics (#242 forward-link)#68
suzuke merged 1 commit into
mainfrom
fix/migration-outbound-capabilities-default-open

Conversation

@suzuke

@suzuke suzuke commented Apr 27, 2026

Copy link
Copy Markdown
Owner

Summary

Cross-team Sprint 23 P1 PR #242 on agend-terminal merged 12:34:05Z and reversed the Sprint 22 P0 fail-closed default for InstanceConfig.outbound_capabilities to default-open per operator philosophy ("absent ≡ all permitted"). Phase A follow-up PR #65's §3 content is now stale on three load-bearing points; this PR corrects them.

Three changes (per dev-impl-1 + dev-lead)

1. Tri-state framing reverse

2. FATAL log expectation removed

The gate_outbound_for_agent warning logic was removed in #242 along with the original fail-closed default. The "Symptom when key is absent" subsection (with the tracing::error! line and the mutex-guarded HashSet rate-limit description) is removed entirely.

3. general auto-inject paragraph removed

Built-in coordinators now inherit default-open like every other instance — no special [reply, react, edit, inject_provenance] injection. The forward link to bootstrap::fleet_normalize::auto_create_general (which may be refactored upstream per #242) is no longer cited.

Threat-model distinction made explicit (per ts-lead spec)

The new §3.3 heading is "…with a deliberately-different default than user_allowlist" and the section now includes a 2-row alignment table contrasting the two gates:

Gate Scope Default Threat model
channel.user_allowlist (High-friction #1) per-channel, channel ingress fail-closed open default is one credential leak away from internet-driven fleet abuse; silent operator regression possible
outbound_capabilities per-instance, per-op outbound default-open closed default forces over-specification without a corresponding cascade-attack risk

Operator reading the doc sees the deliberate design split, not an inconsistency. The two gates are aligned with dev-team's same intent — both retain their original threat-model defaults.

Migration action

outbound_capabilities is now optional for operator-authored instances; the YAML example in the section shows three patterns:

worker-a:
  # outbound_capabilities omitted — defaults to all ops permitted (TS-equivalent)
worker-b:
  outbound_capabilities: [reply, react]      # explicitly restrict to these ops only
worker-c:
  outbound_capabilities: []                  # explicit lockdown

Scope (per ts-lead constraints)

  • ✅ §3 outbound_capabilities row (High-friction Opencode Reply Not Delivered to Telegram #3)
  • ✅ §3 Rust-only fields table cell (also part of §3)
  • ⚠️ Other sections (§1, §6, §7) intentionally NOT touched — will surface stale references to ts-lead in the report for a follow-up decision.
  • Forward link to docs/MIGRATION-OUTBOUND-CAPS.md preserved (upstream already updated per dev-impl-1 to reflect Sprint 23 P1 semantics).

Stats

  • 2 files changed, 48 insertions(+), 40 deletions(-) (deletions of stale FATAL/auto-inject paragraphs + addition of decision matrix + threat-model alignment table)
  • 1:1 zh-TW mirror

Reviewer dispatch

🤖 Generated with Claude Code

…lt-open semantics (#242 forward-link)

Cross-team Sprint 23 P1 PR #242 on agend-terminal merged 12:34:05Z and
reversed the Sprint 22 P0 fail-closed default for
`InstanceConfig.outbound_capabilities` to default-open per operator
philosophy ("absent ≡ all permitted"). Phase A follow-up PR #65's §3
content is now stale on three points; this PR corrects them.

Three changes (per dev-impl-1 m-20260427120947207036-102 +
dev-lead m-20260427123428908163-123):

1. Tri-state framing reverse. Old §3.3 row asserted absent → FATAL
   warn-but-permit one daemon cycle (Sprint 22 P0) → hard parse error
   (Sprint 23). New row: absent → all ops permitted (default-open).
   The full decision matrix is now: absent → all permitted, listed →
   only listed permitted, [] → all rejected.

2. Remove FATAL log expectation. The `gate_outbound_for_agent` warning
   logic was removed in #242 along with the original fail-closed
   default. The "Symptom when key is absent" subsection (with the
   `tracing::error!` line and the mutex-guarded HashSet rate-limit
   description) is removed entirely.

3. Remove `general` auto-inject paragraph. Built-in coordinators now
   inherit default-open like every other instance — no special
   `[reply, react, edit, inject_provenance]` injection. The forward
   link to `bootstrap::fleet_normalize::auto_create_general` (which
   may be refactored upstream per #242) is no longer cited.

Threat-model distinction made explicit (per ts-lead spec). The §3.3
section now opens with a heading change ("…with a deliberately-different
default than `user_allowlist`") and includes a 2-row alignment table
contrasting the two gates:

- `channel.user_allowlist` (per-channel, channel ingress) → fail-closed.
  An open default is one credential leak away from internet-driven
  fleet abuse; silent operator regression is possible.
- `outbound_capabilities` (per-instance, per-op outbound) → default-open.
  Closed default would force every operator-defined instance to
  declare every op without a corresponding cascade-attack risk;
  over-specification.

Operator reading the doc now sees the deliberate design split, not an
inconsistency.

Forward link to docs/MIGRATION-OUTBOUND-CAPS.md preserved (upstream
already updated per dev-impl-1 to reflect Sprint 23 P1 semantics).

Stats: 2 files / +48 / -40 (deletions of stale FATAL/auto-inject
paragraphs + addition of decision matrix + threat-model alignment
table). Scope strictly §3 outbound_capabilities row + Rust-only fields
table cell — other sections (§1, §6, §7) intentionally not touched
per ts-lead constraints; will surface remaining stale references to
ts-lead in the report for a follow-up decision.

EN line 218-254 + zh-TW line 216-252 reworded; EN line 304 + zh-TW
line 306 (Rust-only fields table cell) updated to default-open.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@suzuke suzuke merged commit 2e38b5f into main May 4, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant