docs(architecture): rename trusted to internal, add OQ-17 abort cascade and OQ-18 privilege model
The 'trusted' flag on OperationContext was the wrong word — it implies a trust decision was made, but what actually happens is the call originated internally (from composition) not externally (from the wire). Renamed to 'internal' with clarified semantics: internal calls switch authority context to the handler's identity, not skip ACL. This prevents the privilege escalation vector where composition with 'trusted: true' bypassed all access control (buggy handler + parameterized dispatch).

- Rename trusted -> internal across operation-registry.md, ADR-014
- Update OperationContext field description and LocalOperationEnv code
- Add OQ-17: abort cascade for nested calls (call.aborted cascades to descendants, default abort-dependents, continue-running opt-in). One-way door on the protocol event schema; mechanism is a two-way door.
- Add OQ-18: privilege model and authority context (internal = authority switch not ACL skip, External/Internal operation visibility, scoped composition env + handler identity). Needs agent crate in view.
- Add abort cascade section and constraint to call-protocol.md
- Update crates/call/README.md with OQ-17, OQ-18, and two new design principles
- Update architecture README.md with OQ-17, OQ-18
@@ -81,7 +81,7 @@ type is a two-way door — to be decided during implementation of the
appear in `EventEnvelope` payloads.
- Capabilities are injected at handler construction (the common case: a static
decrypted API key held for the handler's lifetime) or scoped per-request for
trusted-internal-only flows. They are never populated from call protocol
internal-only flows. They are never populated from call protocol
inputs.
**3. The call protocol carries no secret material.**
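Review bot: the `-`/`+` pair in this hunk drops the word "trusted" but leaves "internal-only flows" undefined in the surrounding capabilities bullet, so a reader of this section alone can still read per-request scoping as the old trust shortcut. Since the commit message states that internal now means a switch of authority context to the handler's identity rather than an ACL bypass, add a pointer on the `+` line to where that is defined, e.g. `internal-only flows (see OQ-18: an internal call runs under the handler's own authority, it does not skip ACL)`, so the capability-injection rule and the privilege model stay consistent.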