You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When a run has multiple actors (run.actors.length > 1), block write-classified operations against external services where the classification exists. Reads continue; conversational output (Slack replies) is unaffected. A blocked write surfaces as a fail-closed pause/explanation, not a silent skip.
Rationale
Interim hardening between #773 Track 1 (provenance, landed) and Track 2 (point-of-action authority checks with consent-as-attribution). In a multi-actor run, a write may have been shaped by an actor other than the credential-bound run actor. Until the per-operation consent flow exists, the cheapest deterministic posture is: multi-actor → no external writes. This is a scoped revival of the "read-only downgrade" idea #773 rejected as a turn policy replacement — as a temporary write gate keyed on runtime-owned run.actors it is deterministic, simple, and unbypassable by prompt content.
Note the interaction with #780 (act as Junior where possible): writes executed under Junior's own service identity have no cross-actor credential conflict by construction. Decide whether the gate applies only to user-delegated credential writes (recommended starting point) or to all external writes in multi-actor runs (more conservative; revisit after #780 lands).
Implementation sketch
Enforcement point: the credential grant layer already classifies read vs write (grant classification in credential-hooks / sandbox egress — see the Audit actor/instruction provenance across plugins #773 audit notes). Gate: run.actors.length > 1 → deny write-classified grants; emit a clear, user-visible reason so the model can explain and suggest a single-actor retry (or wait for Track 2 consent).
run.actors must reach the credential/grant decision point as runtime-owned context (never inferred from prompt text) — extends the identity context bundle per policies/context-bound-systems.md.
Spec: add to specs/multi-actor-runs.md (as the first authority-consumer contract) and cross-reference specs/credential-injection.md.
Tests: integration — multi-actor run attempting a write-classified grant is denied with the fail-closed reason; single-actor run unaffected; reads unaffected. Eval only if the model-facing explanation behavior needs proving.
Policy
When a run has multiple actors (
run.actors.length > 1), block write-classified operations against external services where the classification exists. Reads continue; conversational output (Slack replies) is unaffected. A blocked write surfaces as a fail-closed pause/explanation, not a silent skip.Rationale
Interim hardening between #773 Track 1 (provenance, landed) and Track 2 (point-of-action authority checks with consent-as-attribution). In a multi-actor run, a write may have been shaped by an actor other than the credential-bound run actor. Until the per-operation consent flow exists, the cheapest deterministic posture is: multi-actor → no external writes. This is a scoped revival of the "read-only downgrade" idea #773 rejected as a turn policy replacement — as a temporary write gate keyed on runtime-owned
run.actorsit is deterministic, simple, and unbypassable by prompt content.Note the interaction with #780 (act as Junior where possible): writes executed under Junior's own service identity have no cross-actor credential conflict by construction. Decide whether the gate applies only to user-delegated credential writes (recommended starting point) or to all external writes in multi-actor runs (more conservative; revisit after #780 lands).
Implementation sketch
run.actors.length > 1→ deny write-classified grants; emit a clear, user-visible reason so the model can explain and suggest a single-actor retry (or wait for Track 2 consent).run.actorsmust reach the credential/grant decision point as runtime-owned context (never inferred from prompt text) — extends the identity context bundle perpolicies/context-bound-systems.md.specs/multi-actor-runs.md(as the first authority-consumer contract) and cross-referencespecs/credential-injection.md.Related
Part of the #773 follow-up set: case-specific consumers of
run.actors.