Purpose
Bound the remaining local owner/operator compatibility grants so product_config.plan and product_config.apply are not granted as wildcard product/context access by default.
Current Status
Done.
PR #1068 (Scope local operator product config grants) merged into main at 2026-05-31T18:51:26Z with merge commit ba4bcaf312952f7583eda0581fedc84077dac69b.
Remaining cleanup is local worktree hygiene only: GitHub could not delete the checked-out local branch because the worktree still exists. No product behavior is blocked by that.
Finish Line
Routine local owner/operator product_config.plan/apply grants are scoped to explicitly configured products/contexts instead of wildcard defaults.
Local admin remains the explicit escalation path for broader repair/administrative scopes where still needed.
Tests or static assertions catch accidental reintroduction of wildcard local owner product_config.plan/apply grants.
Docs/plans describe the bounded compatibility posture.
Acceptance Criteria
scripts/deploy/ensure-authz-grants.sh no longer posts wildcard local owner product_config.plan/apply grants as a default deploy behavior.
Any replacement scope is either derived from existing Launchplane-owned product/seed material or from explicit environment configuration; missing config fails closed or skips with clear evidence rather than silently granting wildcard access.
What changed:
product_config.plan/product_config.apply grants with scoped product/context grants.
*/*.
LAUNCHPLANE_LOCAL_OPERATOR_PRODUCT_CONFIG_SCOPES_JSON for explicit operator override scopes.
Validation:
git diff --check
shellcheck scripts/deploy/ensure-authz-grants.sh
uv run --extra dev ruff check tests/test_product_onboarding.py
uv run python -m unittest tests.test_product_onboarding
Recovery Notes
Parent: #1049. Related umbrella: #1041.
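The fail-closed behaviour and the wildcard regression check from the acceptance criteria, sketched as an added example (not Launchplane's code). The JSON shape of LAUNCHPLANE_LOCAL_OPERATOR_PRODUCT_CONFIG_SCOPES_JSON, the grant fields and all product/context names are assumptions; the page does not show them.

```python
import json

ENV_VAR = "LAUNCHPLANE_LOCAL_OPERATOR_PRODUCT_CONFIG_SCOPES_JSON"
ACTIONS = ("product_config.plan", "product_config.apply")

# Constructed sample; the JSON shape, grant fields and names are assumptions.
SAMPLE_ENV = {ENV_VAR: json.dumps([
    {"product": "example-product", "context": "testing"},
    {"product": "example-product", "context": "prod"},
])}


class ScopeConfigError(ValueError):
    """Scope override is missing, malformed or contains a wildcard."""


def resolve_scopes(env):
    """Return sorted (product, context) pairs; raise rather than default to */*."""
    raw = (env.get(ENV_VAR) or "").strip()
    if not raw:
        raise ScopeConfigError(f"{ENV_VAR} is unset; not falling back to */*")
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ScopeConfigError(f"{ENV_VAR} is not valid JSON: {exc}") from exc
    if not isinstance(entries, list) or not entries:
        raise ScopeConfigError(f"{ENV_VAR} must be a non-empty JSON array")
    scopes = set()
    for entry in entries:
        for field in ("product", "context"):
            value = entry.get(field) if isinstance(entry, dict) else None
            if not isinstance(value, str) or not value.strip():
                raise ScopeConfigError(f"scope entry {entry!r} lacks {field}")
            if "*" in value:
                raise ScopeConfigError(f"wildcard {field} {value!r} rejected")
        scopes.add((entry["product"], entry["context"]))
    return sorted(scopes)


def build_grants(principal, env):
    """Expand every scope into one grant per product_config action."""
    return [{"principal": principal, "action": a, "product": p, "context": c}
            for p, c in resolve_scopes(env) for a in ACTIONS]


def find_wildcard_grants(grants):
    """Static check: plan/apply grants whose product or context is a wildcard."""
    return [g for g in grants if g["action"] in ACTIONS
            and ("*" in g["product"] or "*" in g["context"])]
```

A test can run find_wildcard_grants over the grants a deploy would post and assert the result is empty, so a reintroduced `*/*` default fails the suite.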