Onboarding config bootstrap + classifier-driven auto-distribution (cred + memory, R1–R4) #207

@hanwencheng

Context

Productionizes the onboarding + auto-distribution flow on top of the landed Config substrate. The spine is designed in #178 (classifier-service: COMPILE/TAG, catalog, flywheel, determinism guardrail); the encrypted, master-only DataClass::Config home is landed in #201 (Phases 0–5). This issue is the product/onboarding view + four refinements (R1–R4).

The flow

  1. Config init — two entry points (both write config/policy.enc + config/memory-taxonomy.enc):
    • A · default preset — role/region-aware curated taxonomy (the parent-control "init default" path).
    • B · NL → COMPILE — user types a sentence; classifier COMPILEs it into taxonomy + policy. (This is where COMPILE happens explicitly.)
  2. POST /v1/master/memory/plant stays test-only (CI/demo seed); production authors the taxonomy via COMPILE/default and classifies memory on write.
  3. Agent connect → vendor-default classifier → auto-distribution — the classifier TAGs the agent's surface (memory namespaces it reads + cred services it uses) and proposes scopes; master confirms (sensitivity-gated) → setScope.
  4. New cred minted → auto-categorize (catalog + telemetry prior) → master picks cred:<service> grant.

Cred and memory follow the SAME pattern (universal-gate-pattern): classify → propose scope → master-confirm → setScope → deterministic gate. Only the resource axis differs (memory → namespace / read; cred → service-category / fetch).

Work items (each independently shippable; ship in order)

  • 1A default-preset bootstrap — ~10 role/region presets; ship the DEFAULT as the rich adult profile: an adult with kids, runs a business, has IoT home appliances, in a relationship (wife, parents), does investment. Writes a real authored taxonomy (replaces the plant-derived stand-in). (apps/parent-control + daemon)
  • classifier-service worker — COMPILE + TAG (#178 §15.6, "docs(plan): classifier-service — NL → deterministic authorization for the fleet (#147)"); new agentkeys-worker-classify.
  • CapOp::Classify + /v1/cap/classify — broker cap.rs + worker verify.rs (2-crate enum add); data-class-bound.
  • 1B NL → COMPILE onboarding UI — sentence in → compiled grants shown → confirm-as-is + adjust later (one K11 confirm; editable after). (apps/parent-control)
  • Connect-time auto-distribute (propose → confirm) — sensitivity-tiered: safe categories auto-confirm + daily review; sensitive (payment, creds, access-control, health) → explicit K11 per grant; batched into one gesture for a reviewed set. (daemon + parent-control)
  • Category catalog + vendor overlays (R2) — ClearSigningCatalog-shape distribution (bundled → registry → community); vendor overlays are signed + bounded by the catalog sensitivity floor.
  • Cred auto-categorize (step 4) — catalog + (later) telemetry prior; master picks the category.
  • Agent memory inheritance + pick (R3) — the W4 item: agent inherits master namespaces, master curates per-namespace; sensitive namespaces explicit pick; read under the agent's own cap.

Resolved decisions (2026-06)

  1. Default presets: ~10 role/region presets; the default = the adult-with-kids / business / IoT-home / relationship(wife,parents) / investment profile.
  2. COMPILE review UX: confirm-as-is + adjust later.
  3. Telemetry: opt-in — tracked separately (see the linked telemetry enhancement issue).
  4. Vendor-overlay trust: signed + sensitivity floor.

Security invariants (load-bearing — spec §3)

  1. Determinism guardrail — classifier emits tags/policy, never allow/deny; no model on the gate hot path.
  2. Auto-distribute = propose → confirm — sensitive categories require explicit K11; the sensitivity tier comes from the catalog, NOT the vendor/telemetry prior.
  3. Tag the entity (real service id), not the agent's/vendor's narrative.
  4. Telemetry + vendor priors carry CATEGORIES, never GRANTS — catalog ≠ policy; grants stay in encrypted Config.

Acceptance

  • Default preset writes a real authored taxonomy (not plant-derived).
  • An NL sentence COMPILEs to reviewable grants behind one K11 confirm.
  • Agent connect proposes memory + cred scopes; sensitive ones gated, safe ones in the daily review.
  • A new cred is categorized from the catalog; master picks.
  • Negative test (CLAUDE.md test-discipline): an UNCONFIRMED sensitive category produces NO scope grant.
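
An added example (not code from this issue or the agentkeys repository) sketching security invariant 2 and the negative acceptance test: the sensitivity tier is taken from the catalog floor, a vendor overlay can only raise it, and an unconfirmed sensitive category never reaches setScope. All type and function names, the sample catalog entries, and the fail-closed handling of unknown categories are assumptions.

```rust
use std::collections::{HashMap, HashSet};

// Hypothetical names throughout; this is not the agentkeys API.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Tier { Safe, Sensitive }

#[derive(Debug, PartialEq)]
enum Outcome { AutoConfirmed, Granted, NeedsK11 }

struct Catalog { floor: HashMap<&'static str, Tier> }

impl Catalog {
    // Effective tier = max(catalog floor, overlay claim): a vendor overlay may
    // raise sensitivity but never lower it. Assumption: categories missing
    // from the catalog fail closed to Sensitive.
    fn tier(&self, category: &str, overlay: Option<Tier>) -> Tier {
        let floor = self.floor.get(category).copied().unwrap_or(Tier::Sensitive);
        overlay.map_or(floor, |claim| claim.max(floor))
    }
}

// Gate decision for one proposed scope. `k11` is the set of categories the
// master explicitly confirmed.
fn distribute(cat: &Catalog, category: &str, overlay: Option<Tier>, k11: &HashSet<&str>) -> Outcome {
    match cat.tier(category, overlay) {
        Tier::Safe => Outcome::AutoConfirmed, // granted, listed in daily review
        Tier::Sensitive if k11.contains(category) => Outcome::Granted,
        Tier::Sensitive => Outcome::NeedsK11, // proposal only, no setScope
    }
}

// Only these outcomes may reach setScope.
fn yields_grant(o: &Outcome) -> bool { !matches!(o, Outcome::NeedsK11) }

// Constructed sample catalog.
fn sample_catalog() -> Catalog {
    Catalog { floor: HashMap::from([("weather", Tier::Safe), ("payment", Tier::Sensitive)]) }
}

fn main() {
    let (cat, mut k11) = (sample_catalog(), HashSet::new());
    // Vendor overlay claims "payment" is Safe; the catalog floor wins.
    println!("{:?}", distribute(&cat, "payment", Some(Tier::Safe), &k11));
    k11.insert("payment");
    println!("{:?}", distribute(&cat, "payment", Some(Tier::Safe), &k11));
    println!("{:?}", distribute(&cat, "weather", None, &k11));
}
```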

Labels: area/broker (Broker server, cap-token issuance, OIDC issuance); area/daemon (agentkeys-daemon (sidecar) work); area/ui (Parent-control UI, vendor onboarding portal, audit dashboard); enhancement (New feature or request)
