From dcbdf251d77fc8847696802d0b8deadaff55014f Mon Sep 17 00:00:00 2001 From: Hare Date: Sun, 14 Jun 2026 16:01:14 +0900 Subject: [PATCH] ticket: approve profile launch policy scope --- .../artifacts/review-approve-21bf009a.md | 20 +++++++++++++ .yoi/tickets/00001KV11DHGZ/item.md | 2 +- .yoi/tickets/00001KV11DHGZ/thread.md | 28 +++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 .yoi/tickets/00001KV11DHGZ/artifacts/review-approve-21bf009a.md diff --git a/.yoi/tickets/00001KV11DHGZ/artifacts/review-approve-21bf009a.md b/.yoi/tickets/00001KV11DHGZ/artifacts/review-approve-21bf009a.md new file mode 100644 index 00000000..859e897c --- /dev/null +++ b/.yoi/tickets/00001KV11DHGZ/artifacts/review-approve-21bf009a.md 
@@ -0,0 +1,20 @@ +Approve implementation review for Ticket 00001KV11DHGZ. + +Scope reviewed: implementation commit 21bf009a plus ticket report commit 77892b94 against base cdb12af9. + +Evidence: +- Builtin role profile resources no longer contain `scope` or `delegation_scope`; reusable profile data retains role/model/prompt/feature/tool policy only. +- Fresh profile launch scope is applied in `crates/pod/src/entrypoint.rs` by launch policy after profile resolution. Default/Companion launches receive direct workspace write scope with `.worktree` write denied and delegation gets workspace read plus `.worktree` write. Orchestrator ticket-role launches receive direct root read and delegation root read plus `.worktree` write, with no root workspace write delegation. +- `SpawnPod` profile/inherit handling continues to replace child direct scope with the explicit delegated child scope and resets child delegation unless explicitly provided; profile/default scope does not leak into child direct authority. +- Pod metadata restore uses saved manifest snapshots when present, so saved scope/delegation are preserved instead of being overwritten by current profile/default launch policy. +- One-file manifest loading still rejects missing/empty concrete `scope.allow`; the retained user-profile scope compatibility path is separated from builtin role authority and is overwritten by launch/delegation policy on fresh role launches. + +Validation performed: +- `cargo test -p manifest --quiet` +- Focused pod tests for normal startup launch policy, orchestrator launch policy, SpawnPod delegation scoping, and metadata snapshot restore. +- `cargo test -p client ticket_role --quiet` +- `cargo build -p yoi` +- `cargo fmt --check` +- `git diff --check cdb12af9..HEAD` + +Result: approve. No blocking requirement or design-boundary concern found. diff --git a/.yoi/tickets/00001KV11DHGZ/item.md b/.yoi/tickets/00001KV11DHGZ/item.md index 662f1613..84ace02c 100644 
--- a/.yoi/tickets/00001KV11DHGZ/item.md +++ b/.yoi/tickets/00001KV11DHGZ/item.md @@ -2,7 +2,7 @@ title: 'Profile から concrete scope を外して launch policy で付与する' state: 'inprogress' created_at: '2026-06-13T17:45:32Z' -updated_at: '2026-06-14T06:53:30Z' +updated_at: '2026-06-14T07:00:13Z' assignee: null readiness: 'implementation_ready' risk_flags: ['scope', 'delegation-scope', 'profiles', 'launch-policy', 'orchestrator', 'spawnpod', 'restore'] diff --git a/.yoi/tickets/00001KV11DHGZ/thread.md b/.yoi/tickets/00001KV11DHGZ/thread.md index c3e388e9..dad8d605 100644 --- a/.yoi/tickets/00001KV11DHGZ/thread.md +++ b/.yoi/tickets/00001KV11DHGZ/thread.md 
@@ -138,4 +138,32 @@ Residual risks / notes: - User Profile `scope` compatibility remains supported for now; future schema cleanup can remove or deprecate it explicitly if desired. +--- + + + +## Review: approve + +Approve implementation review for Ticket 00001KV11DHGZ. + +Scope reviewed: implementation commit 21bf009a plus ticket report commit 77892b94 against base cdb12af9. + +Evidence: +- Builtin role profile resources no longer contain `scope` or `delegation_scope`; reusable profile data retains role/model/prompt/feature/tool policy only. +- Fresh profile launch scope is applied in `crates/pod/src/entrypoint.rs` by launch policy after profile resolution. Default/Companion launches receive direct workspace write scope with `.worktree` write denied and delegation gets workspace read plus `.worktree` write. Orchestrator ticket-role launches receive direct root read and delegation root read plus `.worktree` write, with no root workspace write delegation. +- `SpawnPod` profile/inherit handling continues to replace child direct scope with the explicit delegated child scope and resets child delegation unless explicitly provided; profile/default scope does not leak into child direct authority. +- Pod metadata restore uses saved manifest snapshots when present, so saved scope/delegation are preserved instead of being overwritten by current profile/default launch policy. +- One-file manifest loading still rejects missing/empty concrete `scope.allow`; the retained user-profile scope compatibility path is separated from builtin role authority and is overwritten by launch/delegation policy on fresh role launches. + +Validation performed: +- `cargo test -p manifest --quiet` +- Focused pod tests for normal startup launch policy, orchestrator launch policy, SpawnPod delegation scoping, and metadata snapshot restore. +- `cargo test -p client ticket_role --quiet` +- `cargo build -p yoi` +- `cargo fmt --check` +- `git diff --check cdb12af9..HEAD` + +Result: approve. 
No blocking requirement or design-boundary concern found. + + ---
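Review bot: in the new artifact `review-approve-21bf009a.md`, the `Validation performed:` list gives exact commands for the manifest, client, build, fmt and diff checks, but the pod entry reads only `Focused pod tests for normal startup launch policy, orchestrator launch policy, SpawnPod delegation scoping, and metadata snapshot restore.` Those are the tests that back the security-relevant evidence (no root workspace write delegation for orchestrator ticket-role launches, profile/default scope not leaking into child direct authority, child delegation reset unless explicitly provided), so record the exact `cargo test -p pod <filter>` invocations (assuming the crate is named `pod`, as `crates/pod/` suggests) and state that the tests assert those negative properties rather than only the positive grants, so the approve can be reproduced by the next reviewer.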
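Review bot: the `item.md` hunk bumps only `updated_at` (from `'2026-06-14T06:53:30Z'` to `'2026-06-14T07:00:13Z'`) while `state: 'inprogress'` and `readiness: 'implementation_ready'` are unchanged. If the ticket workflow expects an approve review to move state or readiness forward, that transition is missing from this commit; if it is intentionally left to a later step, say so in the thread entry so the approve and the unchanged state do not read as contradictory.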
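Review bot: the `thread.md` hunk appends the `## Review: approve` section as a word-for-word copy of `artifacts/review-approve-21bf009a.md`, and the three empty `+` lines between `+---` and `+## Review: approve` look like leftover blank lines. Unless the ticket convention requires the full text in both places, keep the thread entry as a short summary that names the artifact, so the two copies cannot drift if one is later edited, and trim the run of blank lines to one.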