ticket: approve profile launch policy scope
parent
77892b94f2
commit
dcbdf251d7
|
|
@ -0,0 +1,20 @@
|
|||
Approve implementation review for Ticket 00001KV11DHGZ.
|
||||
|
||||
Scope reviewed: implementation commit 21bf009a plus ticket report commit 77892b94 against base cdb12af9.
|
||||
|
||||
Evidence:
|
||||
- Builtin role profile resources no longer contain `scope` or `delegation_scope`; reusable profile data retains role/model/prompt/feature/tool policy only.
|
||||
- Fresh profile launch scope is applied in `crates/pod/src/entrypoint.rs` by launch policy after profile resolution. Default/Companion launches receive direct workspace write scope with `.worktree` write denied and delegation gets workspace read plus `.worktree` write. Orchestrator ticket-role launches receive direct root read and delegation root read plus `.worktree` write, with no root workspace write delegation.
|
||||
- `SpawnPod` profile/inherit handling continues to replace child direct scope with the explicit delegated child scope and resets child delegation unless explicitly provided; profile/default scope does not leak into child direct authority.
|
||||
- Pod metadata restore uses saved manifest snapshots when present, so saved scope/delegation are preserved instead of being overwritten by current profile/default launch policy.
|
||||
- One-file manifest loading still rejects missing/empty concrete `scope.allow`; the retained user-profile scope compatibility path is separated from builtin role authority and is overwritten by launch/delegation policy on fresh role launches.
|
||||
|
||||
Validation performed:
|
||||
- `cargo test -p manifest --quiet`
|
||||
- Focused pod tests for normal startup launch policy, orchestrator launch policy, SpawnPod delegation scoping, and metadata snapshot restore.
|
||||
- `cargo test -p client ticket_role --quiet`
|
||||
- `cargo build -p yoi`
|
||||
- `cargo fmt --check`
|
||||
- `git diff --check cdb12af9..HEAD`
|
||||
|
||||
Result: approve. No blocking requirement or design-boundary concern found.
|
||||
|
|
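Review bot: Under "Validation performed", the "Focused pod tests for normal startup launch policy, orchestrator launch policy, SpawnPod delegation scoping, and metadata snapshot restore" item gives no command or test names, unlike the neighbouring `cargo test -p manifest --quiet` and `cargo test -p client ticket_role --quiet` items. These are the tests that back the scope and delegation claims in the Evidence list, so the approval cannot be re-run from this record as written. Suggest replacing the item with the exact `cargo test` invocation or filter that was used, so the authority-boundary checks are reproducible against `cdb12af9..HEAD`.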
@ -2,7 +2,7 @@
|
|||
title: 'Profile から concrete scope を外して launch policy で付与する'
|
||||
state: 'inprogress'
|
||||
created_at: '2026-06-13T17:45:32Z'
|
||||
updated_at: '2026-06-14T06:53:30Z'
|
||||
updated_at: '2026-06-14T07:00:13Z'
|
||||
assignee: null
|
||||
readiness: 'implementation_ready'
|
||||
risk_flags: ['scope', 'delegation-scope', 'profiles', 'launch-policy', 'orchestrator', 'spawnpod', 'restore']
|
||||
|
|
|
|||
|
|
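Review bot: In the front matter, only `updated_at` moves to the review timestamp while `state: 'inprogress'`, `readiness: 'implementation_ready'` and `assignee: null` stay as context lines, so the ticket metadata does not reflect that an approve review was recorded in this same commit. If approval is meant to advance the ticket, update `state` here; if the transition is a separate step, say so in the commit message so a reader of the front matter does not take the scope change as still unreviewed.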
@ -138,4 +138,32 @@ Residual risks / notes:
|
|||
- User Profile `scope` compatibility remains supported for now; future schema cleanup can remove or deprecate it explicitly if desired.
|
||||
|
||||
|
||||
---
|
||||
|
||||
<!-- event: review author: hare at: 2026-06-14T07:00:13Z status: approve -->
|
||||
|
||||
## Review: approve
|
||||
|
||||
Approve implementation review for Ticket 00001KV11DHGZ.
|
||||
|
||||
Scope reviewed: implementation commit 21bf009a plus ticket report commit 77892b94 against base cdb12af9.
|
||||
|
||||
Evidence:
|
||||
- Builtin role profile resources no longer contain `scope` or `delegation_scope`; reusable profile data retains role/model/prompt/feature/tool policy only.
|
||||
- Fresh profile launch scope is applied in `crates/pod/src/entrypoint.rs` by launch policy after profile resolution. Default/Companion launches receive direct workspace write scope with `.worktree` write denied and delegation gets workspace read plus `.worktree` write. Orchestrator ticket-role launches receive direct root read and delegation root read plus `.worktree` write, with no root workspace write delegation.
|
||||
- `SpawnPod` profile/inherit handling continues to replace child direct scope with the explicit delegated child scope and resets child delegation unless explicitly provided; profile/default scope does not leak into child direct authority.
|
||||
- Pod metadata restore uses saved manifest snapshots when present, so saved scope/delegation are preserved instead of being overwritten by current profile/default launch policy.
|
||||
- One-file manifest loading still rejects missing/empty concrete `scope.allow`; the retained user-profile scope compatibility path is separated from builtin role authority and is overwritten by launch/delegation policy on fresh role launches.
|
||||
|
||||
Validation performed:
|
||||
- `cargo test -p manifest --quiet`
|
||||
- Focused pod tests for normal startup launch policy, orchestrator launch policy, SpawnPod delegation scoping, and metadata snapshot restore.
|
||||
- `cargo test -p client ticket_role --quiet`
|
||||
- `cargo build -p yoi`
|
||||
- `cargo fmt --check`
|
||||
- `git diff --check cdb12af9..HEAD`
|
||||
|
||||
Result: approve. No blocking requirement or design-boundary concern found.
|
||||
|
||||
|
||||
---
|
||||
|
|
|
|||
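Review bot: The last Evidence item states that the retained user-profile `scope` compatibility path "is overwritten by launch/delegation policy on fresh role launches", and the residual-risk note just above confirms that path remains supported, but nothing in "Validation performed" names a check for that overwrite. The listed tests cover launch policy, SpawnPod delegation scoping and snapshot restore; none is described as launching with a user profile that carries its own `scope`. Suggest adding a line that names the test asserting that a user-profile `scope` cannot widen direct or delegated authority on a fresh role launch, or recording it as an open item next to the residual risk.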