Skip to content

Commit 2bc52d6

Browse files
docs(#2802): standardize tier terminology with descriptive prefixes
Replace bare "Tier N" references across documentation, ADRs, problem docs, and agent prompts/skills with descriptive-prefix forms to eliminate ambiguity between the three distinct tier systems in this codebase: - "credential delivery tier" for the ADR 0025 four-tier credential model (tiers 1-4: prefetch, providers, REST server, host files) - "intent authorization tier" for the intent-representation.md four-tier change authorization model (tiers 0-3: standing rules, tactical, strategic, organizational) - "configuration tier" for the three-tier config inheritance model (upstream defaults, org config, per-repo overrides) Add a terminology convention entry to AGENTS.md documenting the three tier systems and the requirement to always use a descriptive prefix. Files updated across 28 docs, ADRs, problem docs, skills, and agent prompts. External tier references (e.g. "GitLab Free tier") are left unchanged. Plan docs with already-contextual "fallback tier" references are also unchanged. Note: pre-commit and make lint could not run due to sandbox network restrictions preventing shellcheck installation. The post-script runs an authoritative pre-commit check on the runner. Closes #2802
1 parent 1d4efff commit 2bc52d6

28 files changed

Lines changed: 156 additions & 144 deletions

AGENTS.md

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -144,3 +144,15 @@ least-frequently-run agents.
144144
- **CODEOWNERS files are always human-owned.** Agents cannot modify their own guardrails.
145145
- **The repo is the coordinator.** No coordinator agent — branch protection, CODEOWNERS, and status checks are the coordination layer.
146146
- **Organization-specific content is cordoned.** Core problem docs are general; applied considerations live in `docs/problems/applied/`.
147+
148+
## Terminology: tier conventions
149+
150+
The term "tier" is used in multiple distinct contexts across this codebase. Always use a descriptive prefix to avoid ambiguity:
151+
152+
| Prefix | Meaning | Defined in |
153+
|---|---|---|
154+
| **credential delivery tier** | The four-tier model for how agents receive credentials: (1) prefetch + post-process, (2) providers + L7, (3) host-side REST server, (4) host files | [ADR 0025](docs/ADRs/0025-provider-credential-delivery-for-sandboxed-agents.md) |
155+
| **intent authorization tier** | The four-tier model for change authorization: (0) standing rules, (1) tactical/issue, (2) strategic, (3) organizational | [intent-representation.md](docs/problems/intent-representation.md) |
156+
| **configuration tier** | The three-tier inheritance model for agent configuration: upstream defaults → org config → per-repo overrides | [ADR 0035](docs/ADRs/0035-layered-content-resolution.md) |
157+
158+
**Do not** use bare "Tier N" or "tier" without a prefix — the same number means different things in different contexts (e.g., "Tier 2" could be provider-based credential delivery or strategic intent authorization). External tier references (e.g., "GitLab Free tier", "GitHub plan tiers") are exempt from this convention.

docs/ADRs/0025-provider-credential-delivery-for-sandboxed-agents.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ Accepted (extends [ADR 0017](0017-credential-isolation-for-sandboxed-agents.md))
2424

2525
[ADR 0017](0017-credential-isolation-for-sandboxed-agents.md) established a two-tier credential isolation model: prefetch + post-process as the default, and a host-side REST server with L7 enforcement as the fallback. The REST server requires per-endpoint proxy code, input validation, response sanitization, and server lifecycle management — cost that scales linearly with each new external service. Two problems motivate extending the model: reducing the proxy maintenance burden for services where it is unnecessary, and formalizing how agents get fine-grained operation control over external APIs — not just credential isolation, but capability scoping.
2626

27-
OpenShell's native provider system addresses the first problem. Providers inject credentials as opaque placeholder tokens that the gateway proxy swaps for real values at the HTTP layer, so credentials never enter the sandbox. The `fullsend run` command already supports providers: the harness layer loads provider definitions from the agent's `providers/` directory, creates them on the gateway via `openshell provider create`, and passes them to sandbox creation — so the infrastructure for tiers 2 and 4 is operational today. Tier 3 (host-side REST server) is not yet implemented. L7 egress policies add two enforcement axes: HTTP method + path restrictions, and binary-level restrictions — the proxy identifies the calling binary via `/proc/pid/exe` and walks the process tree, so policies can restrict which executables may reach each endpoint (see [openshell-policy-bypass experiment](https://github.com/fullsend-ai/experiments/pull/5) for validation). Together, providers and L7 policies replace the REST server for services with static API key/token auth, with no custom proxy code.
27+
OpenShell's native provider system addresses the first problem. Providers inject credentials as opaque placeholder tokens that the gateway proxy swaps for real values at the HTTP layer, so credentials never enter the sandbox. The `fullsend run` command already supports providers: the harness layer loads provider definitions from the agent's `providers/` directory, creates them on the gateway via `openshell provider create`, and passes them to sandbox creation — so the infrastructure for credential delivery tiers 2 and 4 is operational today. Credential delivery tier 3 (host-side REST server) is not yet implemented. L7 egress policies add two enforcement axes: HTTP method + path restrictions, and binary-level restrictions — the proxy identifies the calling binary via `/proc/pid/exe` and walks the process tree, so policies can restrict which executables may reach each endpoint (see [openshell-policy-bypass experiment](https://github.com/fullsend-ai/experiments/pull/5) for validation). Together, providers and L7 policies replace the REST server for services with static API key/token auth, with no custom proxy code.
2828

2929
For fine-grained operation control beyond what L7 path filtering can express, two mechanisms complement providers. First, custom wrapper binaries baked into the OpenShell sandbox image (e.g. a `safe-push` that wraps `git push` and rejects force pushes) — placed on a read-only path via Landlock so the agent cannot modify them, with L7 binary filtering ensuring only the wrapper can reach the upstream service. Second, the host-side REST server from ADR 0017, which can inspect request bodies, restrict GraphQL operations, or transform responses. Both mechanisms provide operation-level control that providers and L7 path matching alone cannot.
3030

@@ -34,7 +34,7 @@ Not all services fit the provider model. Providers cannot inject credentials int
3434

3535
## Decision
3636

37-
Adopt a four-tier credential delivery model, extending ADR 0017's two-tier model:
37+
Adopt a four-tier credential delivery model, extending ADR 0017's two-tier credential delivery model:
3838

3939
1. **Prefetch + post-process** (unchanged from ADR 0017). Agent runs with zero credential access. Use for agents with fully enumerable inputs. This remains the default — the first question for any new agent is whether it can run without runtime credential access.
4040

@@ -44,14 +44,14 @@ Adopt a four-tier credential delivery model, extending ADR 0017's two-tier model
4444

4545
4. **Host files + L7 egress policies** (new explicit tier). Credential files are copied into the sandbox via the harness `host_files` mechanism. L7 policies restrict egress to only the necessary endpoints and binaries. Use when the provider placeholder model and REST server cannot work: services with file-based auth, multi-step OAuth2 flows, or in-sandbox cryptographic operations (e.g. GCP Vertex AI, where `google-auth-library` must read a service account JSON to sign JWTs locally). The security boundary is the network policy, not credential isolation — real credentials exist on the sandbox filesystem. This makes the single-responsibility agent model ([ADR 0020](0020-composable-single-responsibility-agents-with-individual-sandboxes.md)) especially important: the narrower the agent's responsibility and the fewer endpoints its policy permits, the smaller the attack surface if the agent is compromised.
4646

47-
Agent definitions should use the highest tier possible: prefer providers over REST servers, REST servers over host files. The decision tree for a new integration: can prefetch handle it, and is a deterministic input set sufficient (or does the agent need to explore dynamically at runtime)? → if prefetch suffices, use tier 1. Does the service use static token auth in headers? → use tier 2. Do credentials need to appear in request bodies or responses need transformation? → use tier 3. Does auth require credential files or in-sandbox cryptographic ops? → use tier 4.
47+
Agent definitions should use the highest credential delivery tier possible: prefer providers over REST servers, REST servers over host files. The decision tree for a new integration: can prefetch handle it, and is a deterministic input set sufficient (or does the agent need to explore dynamically at runtime)? → if prefetch suffices, use credential delivery tier 1. Does the service use static token auth in headers? → use credential delivery tier 2. Do credentials need to appear in request bodies or responses need transformation? → use credential delivery tier 3. Does auth require credential files or in-sandbox cryptographic ops? → use credential delivery tier 4.
4848

4949
## Consequences
5050

5151
- Services with static token auth (GitHub, OpenAI, Anthropic) no longer require custom proxy endpoints, reducing per-service maintenance to provider YAML and L7 policy definitions.
52-
- The host-side REST server from ADR 0017 is retained for cases requiring request body credential injection or response transformation — its role narrows from "default fallback" to a specific tier.
52+
- The host-side REST server from ADR 0017 is retained for cases requiring request body credential injection or response transformation — its role narrows from "default fallback" to a specific credential delivery tier.
5353
- The `host_files` mechanism is formalized as the explicit fallback for file-based auth flows (GCP Vertex AI), documenting a pattern already present in the scaffold harness files.
54-
- L7 policy authoring remains security-critical across all tiers — providers reduce proxy code but do not reduce the need for correct path patterns, and a path pattern typo can over-permit access.
55-
- Custom wrapper binaries used for operation-level control (tier 2) must be placed on read-only paths enforced by Landlock; if the agent can modify the wrapper, the restriction is bypassed.
56-
- Agents using host files (tier 4) have real credentials on the sandbox filesystem; per-agent documentation must explicitly state that the security boundary is network-only.
57-
- Fullsend should provide validation tooling that checks agent harness definitions for compliance with this model — auditing L7 policies for free-text endpoints that could carry placeholders, verifying wrapper binaries are on read-only paths, and flagging tier mismatches — for both internal development and for users crafting new agents.
54+
- L7 policy authoring remains security-critical across all credential delivery tiers — providers reduce proxy code but do not reduce the need for correct path patterns, and a path pattern typo can over-permit access.
55+
- Custom wrapper binaries used for operation-level control (credential delivery tier 2) must be placed on read-only paths enforced by Landlock; if the agent can modify the wrapper, the restriction is bypassed.
56+
- Agents using host files (credential delivery tier 4) have real credentials on the sandbox filesystem; per-agent documentation must explicitly state that the security boundary is network-only.
57+
- Fullsend should provide validation tooling that checks agent harness definitions for compliance with this model — auditing L7 policies for free-text endpoints that could carry placeholders, verifying wrapper binaries are on read-only paths, and flagging credential delivery tier mismatches — for both internal development and for users crafting new agents.

docs/ADRs/0030-openshell-sandbox-interaction-model.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -118,9 +118,9 @@ loader that sources `.env.d/*.env`. Application configuration is delivered via
118118
are available only to pre/post scripts and never enter the sandbox.
119119

120120
**Credentials: providers reconciled on the gateway.** Credential delivery follows
121-
the four-tier model in
121+
the four-tier credential delivery model in
122122
[ADR 0025](0025-provider-credential-delivery-for-sandboxed-agents.md). For
123-
tiers that use OpenShell providers, the runner reconciles them before sandbox
123+
credential delivery tiers that use OpenShell providers, the runner reconciles them before sandbox
124124
creation: it loads provider definitions from the harness's `providers/`
125125
directory and calls `openshell provider create --name <n> --type <t>
126126
--credential <KEY>` for each one. Credentials use the bare-key form — secret
@@ -131,7 +131,7 @@ Providers are then attached to the sandbox via `--provider <name>` flags on
131131
real credentials at the HTTP proxy layer, so credentials never enter the
132132
sandbox. For auth flows incompatible with the provider placeholder model
133133
(e.g. GCP Vertex AI file-based auth), host files deliver credential files
134-
directly (tier 4).
134+
directly (credential delivery tier 4).
135135

136136
**Files and binaries: SCP + images (Options A + B).** Agent definitions, skills,
137137
host files, and security hooks are SCP'd during bootstrap. Tool binaries and

0 commit comments

Comments
 (0)