fix(migration): update outbound_capabilities §3 to Sprint 23 P1 default-open semantics (#242 forward-link)#68
Merged
Conversation
…lt-open semantics (#242 forward-link)
Cross-team Sprint 23 P1 PR #242 on agend-terminal merged 12:34:05Z and
reversed the Sprint 22 P0 fail-closed default for
`InstanceConfig.outbound_capabilities` to default-open per operator
philosophy ("absent ≡ all permitted"). Phase A follow-up PR #65's §3
content is now stale on three points; this PR corrects them.
Three changes (per dev-impl-1 m-20260427120947207036-102 +
dev-lead m-20260427123428908163-123):
1. Tri-state framing reverse. Old §3.3 row asserted absent → FATAL
warn-but-permit one daemon cycle (Sprint 22 P0) → hard parse error
(Sprint 23). New row: absent → all ops permitted (default-open).
The full decision matrix is now: absent → all permitted, listed →
only listed permitted, [] → all rejected.
2. Remove FATAL log expectation. The `gate_outbound_for_agent` warning
logic was removed in #242 along with the original fail-closed
default. The "Symptom when key is absent" subsection (with the
`tracing::error!` line and the mutex-guarded HashSet rate-limit
description) is removed entirely.
3. Remove `general` auto-inject paragraph. Built-in coordinators now
inherit default-open like every other instance — no special
`[reply, react, edit, inject_provenance]` injection. The forward
link to `bootstrap::fleet_normalize::auto_create_general` (which
may be refactored upstream per #242) is no longer cited.
Threat-model distinction made explicit (per ts-lead spec). The §3.3
section now opens with a heading change ("…with a deliberately-different
default than `user_allowlist`") and includes a 2-row alignment table
contrasting the two gates:
- `channel.user_allowlist` (per-channel, channel ingress) → fail-closed.
An open default is one credential leak away from internet-driven
fleet abuse; silent operator regression is possible.
- `outbound_capabilities` (per-instance, per-op outbound) → default-open.
Closed default would force every operator-defined instance to
declare every op without a corresponding cascade-attack risk;
over-specification.
Operator reading the doc now sees the deliberate design split, not an
inconsistency.
Forward link to docs/MIGRATION-OUTBOUND-CAPS.md preserved (upstream
already updated per dev-impl-1 to reflect Sprint 23 P1 semantics).
Stats: 2 files / +48 / -40 (deletions of stale FATAL/auto-inject
paragraphs + addition of decision matrix + threat-model alignment
table). Scope strictly §3 outbound_capabilities row + Rust-only fields
table cell — other sections (§1, §6, §7) intentionally not touched
per ts-lead constraints; will surface remaining stale references to
ts-lead in the report for a follow-up decision.
EN line 218-254 + zh-TW line 216-252 reworded; EN line 304 + zh-TW
line 306 (Rust-only fields table cell) updated to default-open.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Cross-team Sprint 23 P1 PR #242 on agend-terminal merged 12:34:05Z and reversed the Sprint 22 P0 fail-closed default for
InstanceConfig.outbound_capabilitiesto default-open per operator philosophy ("absent ≡ all permitted"). Phase A follow-up PR #65's §3 content is now stale on three load-bearing points; this PR corrects them.Three changes (per dev-impl-1 + dev-lead)
1. Tri-state framing reverse
None(absent) → FATAL warn-but-permit one daemon cycle (Sprint 22 P0) → hard parse error (Sprint 23).None(absent) → all ops permitted (default-open). Full decision matrix:[reply, react][]2. FATAL log expectation removed
The
gate_outbound_for_agentwarning logic was removed in #242 along with the original fail-closed default. The "Symptom when key is absent" subsection (with thetracing::error!line and the mutex-guardedHashSetrate-limit description) is removed entirely.3.
generalauto-inject paragraph removedBuilt-in coordinators now inherit default-open like every other instance — no special
[reply, react, edit, inject_provenance]injection. The forward link tobootstrap::fleet_normalize::auto_create_general(which may be refactored upstream per #242) is no longer cited.Threat-model distinction made explicit (per ts-lead spec)
The new §3.3 heading is "…with a deliberately-different default than
user_allowlist" and the section now includes a 2-row alignment table contrasting the two gates:channel.user_allowlist(High-friction #1)outbound_capabilitiesOperator reading the doc sees the deliberate design split, not an inconsistency. The two gates are aligned with dev-team's same intent — both retain their original threat-model defaults.
Migration action
outbound_capabilitiesis now optional for operator-authored instances; the YAML example in the section shows three patterns:Scope (per ts-lead constraints)
docs/MIGRATION-OUTBOUND-CAPS.mdpreserved (upstream already updated per dev-impl-1 to reflect Sprint 23 P1 semantics).Stats
Reviewer dispatch
ts-reviewer—full_review: writing quality, threat-model articulation clarity, anchor preservation, zh-TW parity, alignment with the existing High-friction feat: inject fleet context system prompt into CCD instances #1 / fix: prevent topic_id from being misused as reply thread_id #2 voice.dev-reviewer-2(cross-team) —scope_conformance: Sprint 23 P1 semantics fidelity vs PR #242 (decision matrix accuracy, removal-of-FATAL-log claim, removal-of-auto-inject claim), forward-link Sprint-23-P1-section validity.🤖 Generated with Claude Code