Skip to content

runtime: block write-classified operations in multi-actor runs (interim gate) #781

Description

@dcramer

Policy

When a run has multiple actors (run.actors.length > 1), block write-classified operations against external services where the classification exists. Reads continue; conversational output (Slack replies) is unaffected. A blocked write surfaces as a fail-closed pause/explanation, not a silent skip.

Rationale

Interim hardening between #773 Track 1 (provenance, landed) and Track 2 (point-of-action authority checks with consent-as-attribution). In a multi-actor run, a write may have been shaped by an actor other than the credential-bound run actor. Until the per-operation consent flow exists, the cheapest deterministic posture is: multi-actor → no external writes. This is a scoped revival of the "read-only downgrade" idea #773 rejected as a turn policy replacement — as a temporary write gate keyed on runtime-owned run.actors it is deterministic, simple, and unbypassable by prompt content.

Note the interaction with #780 (act as Junior where possible): writes executed under Junior's own service identity have no cross-actor credential conflict by construction. Decide whether the gate applies only to user-delegated credential writes (recommended starting point) or to all external writes in multi-actor runs (more conservative; revisit after #780 lands).

Implementation sketch

  • Enforcement point: the credential grant layer already classifies read vs write (grant classification in credential-hooks / sandbox egress — see the Audit actor/instruction provenance across plugins #773 audit notes). Gate: run.actors.length > 1 → deny write-classified grants; emit a clear, user-visible reason so the model can explain and suggest a single-actor retry (or wait for Track 2 consent).
  • run.actors must reach the credential/grant decision point as runtime-owned context (never inferred from prompt text) — extends the identity context bundle per policies/context-bound-systems.md.
  • Spec: add to specs/multi-actor-runs.md (as the first authority-consumer contract) and cross-reference specs/credential-injection.md.
  • Tests: integration — multi-actor run attempting a write-classified grant is denied with the fail-closed reason; single-actor run unaffected; reads unaffected. Eval only if the model-facing explanation behavior needs proving.
  • Supersession: when Audit actor/instruction provenance across plugins #773 Track 2 (point-of-action checks + consent) ships, this blanket gate relaxes into the per-operation conflict check.

Related

Part of the #773 follow-up set: case-specific consumers of run.actors.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions