Follow-up to #97 (profile writeback). Plan §Security Rules requires: "profile materialization may request approval/sandbox/tool permissions, but Atrium/Centaur deployment policy wins; saved profiles must not bypass managed/admin restrictions."
Today there is only a policy-capped risk label — no actual clamping. A saved profile could set e.g. approval_policy=never or a permissive sandbox mode and it'd be written straight into the materialized config overlay.
Build: a config-driven deployment policy (ceilings for approval/sandbox + a permission allowlist); at version-create / runtimeOverlayFromManifest (surface/server/src/agent-profiles.ts), clamp those keys to the ceiling, record what was clamped, and set policy-capped only when a real clamp happened. Tests.
Follow-up to #97 (profile writeback). Plan §Security Rules requires: "profile materialization may request approval/sandbox/tool permissions, but Atrium/Centaur deployment policy wins; saved profiles must not bypass managed/admin restrictions."
Today there is only a
policy-cappedrisk label — no actual clamping. A saved profile could set e.g.approval_policy=neveror a permissive sandbox mode and it'd be written straight into the materialized config overlay.Build: a config-driven deployment policy (ceilings for approval/sandbox + a permission allowlist); at version-create /
runtimeOverlayFromManifest(surface/server/src/agent-profiles.ts), clamp those keys to the ceiling, record what was clamped, and setpolicy-cappedonly when a real clamp happened. Tests.