diff --git a/swarm-common/obsidian-vault/will/will-shared-zap/Projects/Atlas/Gateway Approval Runbook.md b/swarm-common/obsidian-vault/will/will-shared-zap/Projects/Atlas/Gateway Approval Runbook.md index fbc675b..9b3d076 100644 --- a/swarm-common/obsidian-vault/will/will-shared-zap/Projects/Atlas/Gateway Approval Runbook.md +++ b/swarm-common/obsidian-vault/will/will-shared-zap/Projects/Atlas/Gateway Approval Runbook.md @@ -65,6 +65,17 @@ If approval is not exact, block or ask again. - Prefer Will approval for Tier 3 actions. - Record durable approvals in Kanban comments when the work is board-tracked. +## Agent blast-radius checklist + +Before enabling or running a gateway-triggered agent action that changes state, state the blast radius explicitly: + +- [ ] Filesystem scope: exact paths/repos/vaults the agent may read/write; everything else is out of scope. +- [ ] Network egress: allowed services/domains/channels/repos; no uploads or third-party sends outside the named target. +- [ ] Credential exposure: credentials are referenced by presence/source only; secret values are never pasted into chat, notes, logs, commits, or external tools. +- [ ] Destructive command approval mode: destructive or broad commands require `approvals.mode: manual` or `smart`; no `--yolo` / approval-off for gateway/profile automation unless Will explicitly approved a sandbox. +- [ ] Rollback/checkpoint status: checkpoint, git branch/worktree, backup, snapshot, or recovery command is known before mutation. +- [ ] Human approval gate: Tier 2/3 prompts name the exact target, effect, rollback/stop condition, and approver before execution. + ## Message templates ### Tier 2 approval request diff --git a/swarm-common/obsidian-vault/will/will-shared-zap/Templates/Atlas Artifacts/runbook.md b/swarm-common/obsidian-vault/will/will-shared-zap/Templates/Atlas Artifacts/runbook.md index ec99fe6..9ced16c 100644 --- a/swarm-common/obsidian-vault/will/will-shared-zap/Templates/Atlas Artifacts/runbook.md +++ b/swarm-common/obsidian-vault/will/will-shared-zap/Templates/Atlas Artifacts/runbook.md @@ -31,6 +31,17 @@ When and why to use this runbook. - Tier: read-only | low-risk write | medium-risk ops | high-risk/destructive. - Approval needed before: ... +## Agent blast-radius checklist + +Complete this before running an agent workflow, specialist task, cron job, webhook, or gateway-triggered action that can change state. + +- [ ] Filesystem scope: exact allowed paths/repos/vaults are named; out-of-scope paths are explicitly off-limits. +- [ ] Network egress: allowed external services, APIs, domains, channels, or repositories are named; uploads/exfiltration are blocked unless explicitly approved. +- [ ] Credential exposure: required credentials are referenced by source/location only; secret values must not be printed, copied into notes, committed, or sent to third parties. +- [ ] Destructive command approval mode: risky commands require `approvals.mode: manual` or `smart`; `--yolo` / approval-off is limited to an intentional sandbox and never assumed for gateway/profile automation. +- [ ] Rollback/checkpoint status: filesystem checkpoint, git branch/worktree, backup, snapshot, or explicit recovery plan exists before mutation. +- [ ] Human approval gate: Tier 2/3 actions name the exact target, expected effect, rollback/stop condition, and approver before execution. + ## Step-by-step procedure 1. Do the first action. @@ -61,6 +72,7 @@ When and why to use this runbook. ## Runbook-specific review checklist - [ ] Commands are exact and safe for the stated environment. +- [ ] Agent blast-radius checklist is filled out for any state-changing agent workflow. - [ ] Credentials are referenced but not exposed. - [ ] Verification and rollback/recovery are actionable. - [ ] Last tested date is present.