Skip to content

Commit a8300f2

Browse files
authored
docs(architecture): sandbox tier — workload-trust runc+gVisor floor (#163)
* arch(next/v1): §02 add "Sandbox tier — workload-driven selection" sub-section (E1) Adds the workload-trust-profile axis as a first-class §02 concept ahead of the catalogue rows that reference it. Three named profiles: - trusted_operator (solo / dev) → runc - internal_workforce (vetted employees) → gVisor (v1 hardened default) - untrusted (unknown actors) → microVM (post-v1, #161; not deployable v1 GA) Cites Anthropic Self-Hosted Sandboxes (May 2026) as the published multi-provider precedent. Forward-links NFR-SEC-38/39 (enforceability, landing in the next commit) and AP-13 (anti-pattern, landing with the row edits). * arch(next/v1): §02 reframe tier rows; add NFR-SEC-38/39; AP-13; drop tech-name leaks Row edits (E2-E11) + new rows (N1/N2) + new anti-pattern (AP-13): - E2 NFR-PERF-03: cold-start target generalised to hardened tier; per-tier baselines in PERF-07/08/09. - E3 NFR-PERF-09: explicitly gated on microVM tier shipping (#161); not enforced in v1. - E4 NFR-SEC-02: dropped "microVM-default" framing; gVisor v1 hardened default; microVM hardware-virt post-v1; tier-appropriate escape resistance with seccomp BPF + Landlock + cap-drop in every tier. - E5 NFR-SEC-29: broker binding substrate matches tier (loopback/UDS on runc and gVisor; vsock CID + JWT scope on microVM post-v1). - E6 NFR-SEC-35: KVM precondition limited to microVM tier; Helm pre-install probe ≤2 s with clear error on KVM-absent host; CI test on KVM-absent runner. - E7 NFR-FLEX-02: runtime ladder reframed (runc + gVisor v1; microVM post-v1, Firecracker named as example, Kata as one packaging option). - E8 NFR-FLEX-06: same egress invariant qualified by microVM tier ship. - E9 NFR-FLEX-09: dropped Kata+RKE2 / bare-VM Firecracker tech names. - E10 AP-13 (new): picking sandbox tier by data classification is forbidden; trust profile picks tier, data class governs custody / retention / residency. Backed by vale lint rule landing in next commit. - E11: pruned remaining "minimal-capability shelf" / "full-capability shelf" occurrences inside §02 (NFR-SEC-03 only). - E12: Open Question 5 parenthetical clarifies microVM is post-v1. New rows: - NFR-SEC-38: workload-trust profile declaration is a deployment-time invariant; mismatch is admission-time hard error; untrusted profile is NOT deployable in v1 GA (admission rejects with pointer to #161). - NFR-SEC-39: tier-downgrade alarm via audit event `config.trust_profile.downgraded`; SIEM-bridge HIGH; SOAR webhook ≤30s. Both new rows ship as commitments; implementation lands when control-plane code exists. * arch(next/v1): vale rule AP-13 — block "(NPI|RESTRICTED|CONFIDENTIAL) → microVM" phrasing Enforces §02 anti-pattern AP-13 at the prose level: data classification does not pick the sandbox substrate. Trust profile picks the tier; data class governs custody / retention / residency. Standalone file rather than appended to banned-phrases.yml because vale existence rules share message/level per-file; AP-13 needs its own message pointing the author to the §02 anchor. * arch(next/v1): Layer 3 shelf→tier rename; multi-tenant invariant in trust-profile terms (L1-L14) Aligns Layer 3 with the §02 workload-trust-driven tier model. - L1: §2 Compute plane row reframed in tier terms (runc / gVisor / microVM) with forward link to the new §02 "Sandbox tier" sub-section. - L3: §4 multi-tenant invariant rewritten in trust-profile terms — bare runc multi-tenant forbidden; gVisor as v1 default; microVM post-v1. - L4: T0 tier-table label "single-tenant minimal-capability" → "solo / dev / single-operator". - L5, L11, L13, L14: shelf → tier renames in §3, §6, §8, §9, §10, §12 (key custody, audit sink, signer narrative, Open question 4). - L6, L7, L8: §3 actor-table "Optional?" cells use tier names instead of shelf labels. - L9: §6 data-class-gating sentence reframed — trust profile picks the tier; data class still picks BYOK + customer-managed audit sink. AP-13 is the load-bearing forbidder of data-class-driven substrate selection. - L10: §8 table column headers renamed (Solo / dev tier vs Hardened tier and above). - L12: §8.1 signer paragraph renamed to tier vocabulary. last-reviewed bumped to 2026-05-27. * arch(next/v1): drop competitor-listing slop from §02 sandbox-tier sub-section The "Anthropic Self-Hosted Sandboxes — Cloudflare microVM, Daytona container, Modal gVisor, Vercel container" line was AI-slop preamble citing a competitor product launch as if it justified our design. §02 is a normative NFR catalogue, not a press-release. Evidence stays in the RESEARCH artifact. * arch(next/v1): slop sweep on §02 sub-section + tier NFR rows + Layer 3 invariant Removes self-praise, forward-references, and duplication introduced by the prior commits in this PR: - §02 sub-section gVisor row drops "Production precedent at AI scale: OpenAI, Modal, Anthropic, Google App Engine" — competitor listing in a normative NFR catalogue is marketing, not requirement. - §02 sub-section drops "Honest v1 deployability" header + the re-articulation paragraph (the table already says what the trust profile is and what tier it maps to). - §02 sub-section drops forward references to NFR-SEC-38/39 + AP-13 — reader sees those below; preamble pointing forward is slop. - NFR-SEC-02 drops "Runtime brand pick within a tier is a component-spec decision" — already covered by NFR-FLEX-02. - NFR-SEC-38 / NFR-SEC-39 row cells compressed; same load-bearing content. - AP-13 drops "Enforced at the prose level by a vale rule on ..." — anti-pattern is normative, the implementation note belongs in the vale rule itself. - Layer 3 §2 Compute plane row drops "(see ...)" preamble before the §02 link. - Layer 3 §4 multi-tenant invariant drops v1/post-v1 narrative — that already lives in §02 + §2 zone table. * arch(next/v1): fix CRIT F-01 self-contradiction + WARN F-02 matrix count + INFO F-05 back-link Code-review findings from REVIEW-PR-163-code.md: - F-01 (CRIT): Layer 3 §6 line 110 was internally contradictory — it asserted "CONFIDENTIAL+ workloads require the hardened tier (gVisor)..." (the data-class→tier mapping AP-13 forbids) and immediately added "Tier selection is workload-trust-driven, not data-class-driven (forbidden by AP-13)". Rewritten so data class drives custody / audit sink / residency obligations and trust profile drives the tier. - F-02 (WARN): NFR-SEC-38 admission-matrix count "6 valid v1 + 3 rejected v1" was ambiguous. Now spells out: 6 cells valid by pairing rules (3 require post-v1 microVM); 3 cells rejected by pairing; v1 GA deployable = 3; v1 GA rejected = 6 (3 pairing + 3 microVM-not-shipped). - F-05 (INFO): NFR-SEC-38 had no back-link to AP-13; added one clause. * arch(next/v1): plan-check WARN fixes — restore #161 link + AP-13 concrete example Plan-check findings from PLAN-CHECK-PR-163.md: - PC-1 (WARN): Layer 3 §4 multi-tenant invariant lost the direct #161 link in the slop sweep; reader now needs §02→sub-section→#161 (2 hops). Restored one inline [#161]. - PC-2 (WARN): AP-13 example was dropped in the slop sweep; without it the anti-pattern is abstract. Added the minimal concrete form ("NPI → microVM" / "PUBLIC → runc") that names the forbidden phrasing without re-introducing the long description.
1 parent 3e6ae98 commit a8300f2

3 files changed

Lines changed: 52 additions & 25 deletions

File tree

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
# SPDX-License-Identifier: FSL-1.1-Apache-2.0
2+
# Copyright (c) 2025 Open Computer Use Contributors
3+
#
4+
# AP-13 enforcement: data classification does not pick the sandbox substrate.
5+
# Per docs/architecture/manifesto/02-nfrs.md "Anti-pattern rows" AP-13.
6+
7+
extends: existence
8+
message: "AP-13 (manifesto/02-nfrs.md): data classification does not pick the sandbox substrate. Trust profile picks the tier; data class governs custody / retention / residency."
9+
level: error
10+
ignorecase: true
11+
raw:
12+
- '\b(NPI|RESTRICTED|CONFIDENTIAL)\s+(?:→|requires|->)\s+(?:microVM|hardware-virt)\b'

docs/architecture/02-trust-boundaries.md

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33

44
---
55
status: proposed
6-
last-reviewed: 2026-05-25
6+
last-reviewed: 2026-05-27
77
owner: "@Wide-Moat/architects"
88
applies-to: next/v1
99
---
@@ -24,7 +24,7 @@ Measurable targets are in [`02-nfrs.md`](manifesto/02-nfrs.md); component intern
2424
|---|---|---|---|
2525
| 1 | **Control plane** | Orchestrator + RPC surface + session lifecycle + MCP server. Single instance per deployment. Holds no outbound path to upstream; all upstream traffic originates in the Compute plane and traverses the Egress trust-edge. The Control plane is not a model proxy. | [NFR-IC-04](manifesto/02-nfrs.md) |
2626
| 2 | **Credential broker** | Per-VM secrets-injection service. Host-side. Bound to loopback / vsock / UDS. Holds real upstream creds; guest never does. | [NFR-SEC-23](manifesto/02-nfrs.md) |
27-
| 3 | **Compute plane** | Session sandbox, one per session, lifecycle bound to session. Container substrate on the minimal-capability shelf; microVM substrate on the full-capability shelf. Guest agent is PID 1. Cross-session network reachability disabled per [NFR-SEC-22](manifesto/02-nfrs.md); per-tenant network isolation is a deployment property of this zone. | [NFR-SEC-02](manifesto/02-nfrs.md) |
27+
| 3 | **Compute plane** | Session sandbox, one per session, lifecycle bound to session. Runtime tier per [§02 "Sandbox tier — workload-driven selection"](manifesto/02-nfrs.md): `runc` for solo / dev; `gVisor` for v1 hardened; microVM (hardware-virt) for post-v1. Guest agent is PID 1. Cross-session network reachability disabled per [NFR-SEC-22](manifesto/02-nfrs.md); per-tenant network isolation is a deployment property of this zone. | [NFR-SEC-02](manifesto/02-nfrs.md) |
2828
| 4 | **Egress trust-edge** | Single outbound path. Network-bound egress identity per [NFR-SEC-27](manifesto/02-nfrs.md) — request arrival from the sandbox is the identity. Transparent pass-through by default; MITM with customer CA opt-in (DLP-ICAP is a configuration of MITM, not a third mode). MCP allow-list enforcement sits here. AI-guardrail / prompt-content policy is customer's own AI gateway, not ours ([NFR-COMP-26](manifesto/02-nfrs.md) revisit). | [NFR-SEC-05](manifesto/02-nfrs.md) |
2929
| 5 | **Audit pipeline** | Durable bus + hash-chained store + bridges to customer sinks. Retention floor, RPO, and tamper-evidence differ from Control plane, so it is its own zone. Compute-time metering emits as audit events on this pipeline. | [NFR-SEC-03](manifesto/02-nfrs.md) |
3030

@@ -47,9 +47,9 @@ Outbound endpoints behind the egress policy — LLM upstream, customer MCP serve
4747
| Actor | Boundary it crosses | Contract | Optional? |
4848
|---|---|---|---|
4949
| MCP client (the thing that calls our MCP server) | client → Control plane | MCP authorization spec, audience-validated tokens | required |
50-
| Customer IdP (SAML / OIDC) | IdP → Control plane | relying-party (we are RP) | required on full shelf |
51-
| Customer SIEM | Audit pipeline → SIEM | OCSF schema + bridge transport (transports per [NFR-MAINT-AUDIT-SCHEMA](manifesto/02-nfrs.md)) | optional bridge — file-system sink on minimal shelf |
52-
| Customer KMS / HSM | Credential broker / Audit pipeline → KMS | PKCS#11 + KMIP | optional — full shelf only; minimal shelf uses host-local keys |
50+
| Customer IdP (SAML / OIDC) | IdP → Control plane | relying-party (we are RP) | required on the hardened tier and above |
51+
| Customer SIEM | Audit pipeline → SIEM | OCSF schema + bridge transport (transports per [NFR-MAINT-AUDIT-SCHEMA](manifesto/02-nfrs.md)) | optional bridge — file-system sink on the solo / dev tier |
52+
| Customer KMS / HSM | Credential broker / Audit pipeline → KMS | PKCS#11 + KMIP | optional — hardened tier and above only; solo / dev tier uses host-local keys |
5353
| Customer outbound proxy | Egress trust-edge → customer proxy | chained-proxy contract | optional |
5454
| Customer DLP-ICAP service | Egress trust-edge → ICAP | ICAP req-mod + resp-mod | optional — engaged only in MITM-inspecting mode |
5555
| SOAR (incident automation) | Control plane ↔ SOAR | signed webhook + admin API | optional |
@@ -60,12 +60,12 @@ Outbound endpoints behind the egress policy — LLM upstream, customer MCP serve
6060

6161
| Tier | Mechanism | Cross-tenant boundary | Where it sits |
6262
|---|---|---|---|
63-
| T0 logical | row-level filter; tenant_id column + app-side check | shared kernel, shared substrate | dev / single-tenant minimal-capability |
63+
| T0 logical | row-level filter; tenant_id column + app-side check | shared kernel, shared substrate | solo / dev / single-operator |
6464
| T1 namespace | namespace + network policy + role-based access control + resource quota | shared kernel, shared control plane | single-tenant agent execution, OR multi-tenant for non-agent-execution workloads only |
6565
| T2 VPC / VNet | per-tenant VPC, no peering | shared substrate, separate network | NPI baseline |
6666
| T3 dedicated cluster | dedicated control plane per tenant | separate control plane, shared substrate | common deployment shape for DORA-CIF workloads |
6767

68-
**Multi-tenant agent-execution invariant.** Where the Compute plane runs LLM-issued tool calls / code from more than one tenant on the same node, the substrate MUST be microVM (Compute plane "full-capability shelf" per §2 zone 3). The "non-NPI workloads" framing is not a safety argument — data classification does not change the container-escape attack surface for adversarial AI code. T1 namespace remains valid for single-tenant agent execution or for multi-tenant workloads that do not execute LLM-issued code (admin UIs, read-only dashboards, batch-data jobs).
68+
**Multi-tenant agent-execution invariant.** Where the Compute plane runs LLM-issued tool calls / code from more than one tenant on the same node, the substrate MUST be hardware-virt OR user-space-kernel — not bare `runc`. Bare `runc` multi-tenant agent execution is forbidden; adversarial agent-issued code is not bounded by data classification. The microVM tier is tracked at [#161](https://github.com/Wide-Moat/open-computer-use/issues/161). T1 namespace remains valid for single-tenant agent execution or for multi-tenant workloads that do not execute LLM-issued code (admin UIs, read-only dashboards, batch-data jobs).
6969

7070
Higher-isolation tiers (dedicated bare-metal node pool per tenant; customer-owned hardware in customer datacenter) are tracked in open question §12 item 1 ([#148](https://github.com/Wide-Moat/open-computer-use/issues/148)) as candidates for later promotion. Promote when a named workload requires them.
7171

@@ -107,7 +107,7 @@ Eight content-keyed classes. Per-tenant data residency ([NFR-COMP-13](manifesto/
107107
| **REGULATED-AUDIT** | NYDFS §500.6 audit trail | n/a | SOX-trail | Art. 30 records of processing | Art. 12 logs of high-risk AI | PCI Req 10 | 7 y default / 10 y configurable (see §10) |
108108
| **CRYPTO-KEYS / SECRETS** | implicit under §500.15(a) | implicit under Safeguards Rule | n/a | implicit | implicit | PCI Req 3.6 | rotation policy is the floor |
109109

110-
Minimal-capability default scope: PUBLIC + INTERNAL only. CONFIDENTIAL+ requires opt-in configuration (BYOK + customer-managed audit sink). Minimal-config is not a compliance posture.
110+
The default solo / dev deployment runs on `runc` under the `trusted_operator` workload profile, so its default content scope is PUBLIC + INTERNAL. CONFIDENTIAL+ content triggers data-class obligations — opt-in BYOK ([NFR-SEC-04](manifesto/02-nfrs.md)), customer-managed audit sink ([NFR-MAINT-AUDIT-SCHEMA](manifesto/02-nfrs.md)), residency pinning ([NFR-COMP-13](manifesto/02-nfrs.md)) — but does not pick the runtime tier (AP-13). The tier is picked by the deployment's `workload_trust_profile` per [§02 "Sandbox tier — workload-driven selection"](manifesto/02-nfrs.md).
111111

112112
Prompt content filtering, redaction, and AI-guardrail policy (PII masking, prompt-injection detection, jailbreak detection) are not our scope — that responsibility lives with the customer's AI gateway (commercial AI-gateway product or in-perimeter model with its own guardrails). Layer 3 routes the traffic and audits the egress event; what the gateway does with the prompt is its contract, not ours. [NFR-COMP-26](manifesto/02-nfrs.md) to be revisited in §02.
113113

@@ -138,7 +138,7 @@ Token taxonomy is canonical here and matches [`manifesto/02-nfrs.md`](manifesto/
138138
| **Generic internal token** | inter-component RPC (Control plane ↔ broker ↔ audit, host-side) | ≤ 60 min | host-side service-to-service | NFR-SEC-23 |
139139
| **Broker scoped-JWT** | per-resource (one filesystem prefix / one upstream API-key class) | ≤ 15 min | Compute plane consuming a brokered resource | NFR-SEC-29 |
140140

141-
| Property | Minimal-capability shelf | Full-capability shelf | §02 anchor |
141+
| Property | Solo / dev tier | Hardened tier and above (v1 gVisor; microVM post-v1) | §02 anchor |
142142
|---|---|---|---|
143143
| Inter-component identity | Host-local signing key bound to `container_name` | Workload identity from customer PKI per tenant | NFR-SEC-26 / NFR-SEC-09 |
144144
| Identity trust root | host-local signing key | HSM-rooted, FIPS 140-3 L3 | NFR-FLEX-04 |
@@ -150,19 +150,19 @@ Token taxonomy is canonical here and matches [`manifesto/02-nfrs.md`](manifesto/
150150

151151
NFR anchors for §8 (consolidated): see [NFR-SEC-04](manifesto/02-nfrs.md), [NFR-SEC-09](manifesto/02-nfrs.md), [NFR-SEC-10](manifesto/02-nfrs.md), [NFR-SEC-23](manifesto/02-nfrs.md), [NFR-SEC-26](manifesto/02-nfrs.md), [NFR-SEC-29](manifesto/02-nfrs.md), [NFR-SEC-37](manifesto/02-nfrs.md), [NFR-FLEX-04](manifesto/02-nfrs.md).
152152

153-
Minimal shelf: identity-binding ([NFR-SEC-09](manifesto/02-nfrs.md)) via host-local signing key on JWT ([NFR-SEC-26](manifesto/02-nfrs.md)); egress trust-store ([NFR-SEC-05](manifesto/02-nfrs.md)) via auto-generated self-signed CA. Full shelf: workload identities from customer PKI + customer-rooted CA.
153+
Solo / dev tier: identity-binding ([NFR-SEC-09](manifesto/02-nfrs.md)) via host-local signing key on JWT ([NFR-SEC-26](manifesto/02-nfrs.md)); egress trust-store ([NFR-SEC-05](manifesto/02-nfrs.md)) via auto-generated self-signed CA. Hardened tier and above: workload identities from customer PKI + customer-rooted CA.
154154

155155
### 8.1 Signer identity per boundary
156156

157-
Each token class has its own signer; signer identity ties to the workload that issues the token. Minimal-shelf signers are host-local keys; full-shelf signers are workload identities from the customer PKI. The full per-boundary table (six artifacts × four columns) lands with the PKI decision — tracked at §12 item 5 ([#152](https://github.com/Wide-Moat/open-computer-use/issues/152)).
157+
Each token class has its own signer; signer identity ties to the workload that issues the token. Solo / dev tier signers are host-local keys; hardened-tier-and-above signers are workload identities from the customer PKI. The full per-boundary table (six artifacts × four columns) lands with the PKI decision — tracked at §12 item 5 ([#152](https://github.com/Wide-Moat/open-computer-use/issues/152)).
158158

159159
## 9. Encryption matrix
160160

161-
Single invariant: inter-component traffic between Wide-Moat components is encrypted in transit ([NFR-SEC-37](manifesto/02-nfrs.md)). Tenant data at rest uses authenticated AES ([NFR-SEC-33](manifesto/02-nfrs.md)). Key custody on the minimal shelf is host-local; on the full shelf, HSM-rooted via PKCS#11 / KMIP per [NFR-FLEX-04](manifesto/02-nfrs.md). Per-tenant data residency ([NFR-COMP-13](manifesto/02-nfrs.md)) is enforced at Control-plane scheduling and Audit-pipeline routing — not an encryption boundary. The full per-boundary matrix (TLS version, at-rest cipher, key custody, rotation cadence) is component-spec material; it lands with each component spec.
161+
Single invariant: inter-component traffic between Wide-Moat components is encrypted in transit ([NFR-SEC-37](manifesto/02-nfrs.md)). Tenant data at rest uses authenticated AES ([NFR-SEC-33](manifesto/02-nfrs.md)). Key custody on the solo / dev tier is host-local; on the hardened tier and above, HSM-rooted via PKCS#11 / KMIP per [NFR-FLEX-04](manifesto/02-nfrs.md). Per-tenant data residency ([NFR-COMP-13](manifesto/02-nfrs.md)) is enforced at Control-plane scheduling and Audit-pipeline routing — not an encryption boundary. The full per-boundary matrix (TLS version, at-rest cipher, key custody, rotation cadence) is component-spec material; it lands with each component spec.
162162

163163
## 10. Audit zone — mandatory in code, pluggable in sinks
164164

165-
Audit pipeline is mandatory in code ([NFR-SEC-03](manifesto/02-nfrs.md) hash-chained; [NFR-REL-12](manifesto/02-nfrs.md) durable bus on critical path; [NFR-COMP-01](manifesto/02-nfrs.md) retention floor — 7 y default, 10 y configurable, machine-enforced by the Audit pipeline retention policy). Sinks are pluggable: file-system at the minimal-capability shelf; OCSF v1.x JSON bridges to customer SIEM as opt-in per [NFR-MAINT-AUDIT-SCHEMA](manifesto/02-nfrs.md).
165+
Audit pipeline is mandatory in code ([NFR-SEC-03](manifesto/02-nfrs.md) hash-chained; [NFR-REL-12](manifesto/02-nfrs.md) durable bus on critical path; [NFR-COMP-01](manifesto/02-nfrs.md) retention floor — 7 y default, 10 y configurable, machine-enforced by the Audit pipeline retention policy). Sinks are pluggable: file-system at the solo / dev tier; OCSF v1.x JSON bridges to customer SIEM as opt-in per [NFR-MAINT-AUDIT-SCHEMA](manifesto/02-nfrs.md).
166166

167167
The pipeline is drawn as our zone; sinks are external actors. The contract is the OCSF v1.x JSON schema plus bridge transport (see §12 Open question 3).
168168

@@ -188,5 +188,5 @@ Mapping is **indicative, not verbatim**. Verify every cell against the source te
188188
1. Cross-tenant isolation grading — [#148](https://github.com/Wide-Moat/open-computer-use/issues/148) — measurable target ("tenant A cannot observe tenant B side-channel") not yet in §02. Also tracks higher-isolation tiers (dedicated hardware, customer-owned cage) as candidates for promotion when a named workload requires them.
189189
2. Control-plane metadata-only gate — [#149](https://github.com/Wide-Moat/open-computer-use/issues/149) — DORA Art. 28(2)(c) requires a measurable gate that no customer payload crosses the Control plane.
190190
3. SIEM-bridge transport and backpressure — [#150](https://github.com/Wide-Moat/open-computer-use/issues/150) — pluggable-sink contract needs measurable transport and end-to-end backpressure target.
191-
4. Transparency-log publishing path — [#151](https://github.com/Wide-Moat/open-computer-use/issues/151) — submission path between Audit pipeline and the external transparency log (auth, retry, RPO if the log is unreachable), plus the prior question of "do we publish at all on minimal shelf".
191+
4. Transparency-log publishing path — [#151](https://github.com/Wide-Moat/open-computer-use/issues/151) — submission path between Audit pipeline and the external transparency log (auth, retry, RPO if the log is unreachable), plus the prior question of "do we publish at all on the solo / dev tier".
192192
5. PKI tool pick — [#152](https://github.com/Wide-Moat/open-computer-use/issues/152) — §8.1 names signer identity per boundary; the per-boundary signer table lands with the PKI ADR.

0 commit comments

Comments
 (0)