From 3f529df367bb1b2f2ab1366c6756897ae4eefc85 Mon Sep 17 00:00:00 2001 From: "glm-5.2" Date: Sun, 21 Jun 2026 10:51:42 +0000 Subject: [PATCH] =?UTF-8?q?docs(architecture):=20update=20ADR-015=20scoped?= =?UTF-8?q?=20env=20API=20=E2=80=94=20resolved=20by=20ADR-022?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ADR-015 L171 said the scoped env API was 'a two-way door for implementation.' ADR-022 has now resolved it: ScopedOperationEnv with operation-level granularity (HashSet), not namespace-level. Update the stale text to point to the resolution. --- .../015-privilege-model-and-authority-context.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/architecture/decisions/015-privilege-model-and-authority-context.md b/docs/architecture/decisions/015-privilege-model-and-authority-context.md index 309e2b5..01cb1d4 100644 --- a/docs/architecture/decisions/015-privilege-model-and-authority-context.md +++ b/docs/architecture/decisions/015-privilege-model-and-authority-context.md 
@@ -168,11 +168,12 @@ but it only gives the sandbox `fs:read` (not `bash:exec`), because the sandbox runs untrusted LLM-generated code. This is the "privileges flow downstream" principle: the principal delegates a subset. -The specific API for declaring the scoped operation set (allowed-operations -list, allowed-namespaces, or a trait-based filter) is a two-way door for -implementation. The TypeScript `@alkdev/operations` `buildEnv()` used an -`allowedNamespaces` filter; the Rust implementation may be finer-grained -(operation-level, not just namespace-level) to be safe. +The specific API for declaring the scoped operation set is specified in +ADR-022: `ScopedOperationEnv { allowed_operations: HashSet }`, +operation-level granularity (not just namespace-level). This is finer-grained +than the TypeScript `@alkdev/operations` `buildEnv()` which used +`allowedNamespaces` — operation-level scoping is safer for the +parameterized-dispatch use case. ### 5. The three controls together
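Review bot: in the added paragraph, `ScopedOperationEnv { allowed_operations: HashSet }` is missing the HashSet element type, so as quoted it is not a complete Rust field signature and a reader cannot check what an "operation" is at this granularity; quote the field as ADR-022 actually declares it, with its type parameter, or describe it in prose ("a set of operation identifiers") rather than half-Rust. The same paragraph also asserts that "operation-level scoping is safer for the parameterized-dispatch use case" without saying why; the hunk's own context already carries the justification (the sandbox gets `fs:read` but not `bash:exec`), so one sentence noting that a namespace-level `allowedNamespaces` grant cannot express "only `fs:read`" while an operation-level set can would ground the claim. Finally, since the removed text called this "a two-way door for implementation", the replacement should state explicitly that the door is now closed by ADR-022, and the reference to ADR-022 should be a link to its document under `docs/architecture/decisions/` (matching how this file is itself named) so the cross-reference resolves rather than remaining a bare ADR number.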