docs(atlas): add agent blast-radius checklist
This commit is contained in:
William Valentin
+11
@@ -65,6 +65,17 @@ If approval is not exact, block or ask again.
|
||||
- Prefer Will approval for Tier 3 actions.
|
||||
- Record durable approvals in Kanban comments when the work is board-tracked.
|
||||
|
||||
## Agent blast-radius checklist
|
||||
|
||||
Before enabling or running a gateway-triggered agent action that changes state, state the blast radius explicitly:
|
||||
|
||||
- [ ] Filesystem scope: exact paths/repos/vaults the agent may read/write; everything else is out of scope.
|
||||
- [ ] Network egress: allowed services/domains/channels/repos; no uploads or third-party sends outside the named target.
|
||||
- [ ] Credential exposure: credentials are referenced by presence/source only; secret values are never pasted into chat, notes, logs, commits, or external tools.
|
||||
- [ ] Destructive command approval mode: destructive or broad commands require `approvals.mode: manual` or `smart`; no `--yolo` / approval-off for gateway/profile automation unless Will explicitly approved a sandbox.
|
||||
- [ ] Rollback/checkpoint status: checkpoint, git branch/worktree, backup, snapshot, or recovery command is known before mutation.
|
||||
- [ ] Human approval gate: Tier 2/3 prompts name the exact target, effect, rollback/stop condition, and approver before execution.
|
||||
|
||||
## Message templates
|
||||
|
||||
### Tier 2 approval request
|
||||
|
||||
@@ -31,6 +31,17 @@ When and why to use this runbook.
|
||||
- Tier: read-only | low-risk write | medium-risk ops | high-risk/destructive.
|
||||
- Approval needed before: ...
|
||||
|
||||
## Agent blast-radius checklist
|
||||
|
||||
Complete this before running an agent workflow, specialist task, cron job, webhook, or gateway-triggered action that can change state.
|
||||
|
||||
- [ ] Filesystem scope: exact allowed paths/repos/vaults are named; out-of-scope paths are explicitly off-limits.
|
||||
- [ ] Network egress: allowed external services, APIs, domains, channels, or repositories are named; uploads/exfiltration are blocked unless explicitly approved.
|
||||
- [ ] Credential exposure: required credentials are referenced by source/location only; secret values must not be printed, copied into notes, committed, or sent to third parties.
|
||||
- [ ] Destructive command approval mode: risky commands require `approvals.mode: manual` or `smart`; `--yolo` / approval-off is limited to an intentional sandbox and never assumed for gateway/profile automation.
|
||||
- [ ] Rollback/checkpoint status: filesystem checkpoint, git branch/worktree, backup, snapshot, or explicit recovery plan exists before mutation.
|
||||
- [ ] Human approval gate: Tier 2/3 actions name the exact target, expected effect, rollback/stop condition, and approver before execution.
|
||||
|
||||
## Step-by-step procedure
|
||||
|
||||
1. Do the first action.
|
||||
@@ -61,6 +72,7 @@ When and why to use this runbook.
|
||||
## Runbook-specific review checklist
|
||||
|
||||
- [ ] Commands are exact and safe for the stated environment.
|
||||
- [ ] Agent blast-radius checklist is filled out for any state-changing agent workflow.
|
||||
- [ ] Credentials are referenced but not exposed.
|
||||
- [ ] Verification and rollback/recovery are actionable.
|
||||
- [ ] Last tested date is present.
|
||||
|
||||
Reference in New Issue
Block a user