|
| 1 | +--- |
| 2 | +phase: 16-write-guardrails |
| 3 | +plan: 01 |
| 4 | +subsystem: write-mode |
| 5 | +tags: [write-mode, guardrails, secrets, policy, rate-limit] |
| 6 | + |
| 7 | +# Dependency graph |
| 8 | +requires: |
| 9 | + - phase: 15-write-pipeline |
| 10 | + provides: Mention-driven PR pipeline |
| 11 | +provides: |
| 12 | + - Configurable write policy (allow/deny paths, secret scan, rate limit) |
| 13 | + - Enforcement before commit/push with clear user refusals |
| 14 | +affects: [mentions, workspace, config, ops] |
| 15 | + |
| 16 | +# Tech tracking |
| 17 | +tech-stack: |
| 18 | + added: [] |
| 19 | + patterns: |
| 20 | + - "Enforce guardrails in trusted code before commit/push" |
| 21 | + - "Deny wins over allow; allowPaths optional" |
| 22 | + - "Best-effort secret scan against staged diff" |
| 23 | + - "In-memory write request rate limiter keyed by installation+repo" |
| 24 | + |
| 25 | +key-files: |
| 26 | + created: [] |
| 27 | + modified: |
| 28 | + - src/execution/config.ts |
| 29 | + - src/jobs/workspace.ts |
| 30 | + - src/handlers/mention.ts |
| 31 | + - docs/runbooks/mentions.md |
| 32 | + |
| 33 | +key-decisions: |
| 34 | + - "Keep path pattern matching simple and deterministic (dir/, *.ext, exact)" |
| 35 | + - "Refuse policy violations with a concise reply (not a generic error)" |
| 36 | + |
| 37 | +# Metrics |
| 38 | +duration: 25 min |
| 39 | +completed: 2026-02-10 |
| 40 | +--- |
| 41 | + |
| 42 | +# Phase 16 Plan 01: Write Guardrails Summary |
| 43 | + |
| 44 | +**Added safety guardrails for mention-driven writes: path allow/deny policy, secret scan blocks, and basic rate limiting.** |
| 45 | + |
| 46 | +## Verification |
| 47 | + |
| 48 | +- `bun test` |
| 49 | + |
| 50 | +## Task Commits |
| 51 | + |
| 52 | +1. `c25ca1d4d2` feat(config): add write policy settings (paths, secrets, rate) |
| 53 | +2. `f760981d91` feat(write): enforce path policy, secret scan, and rate limiting |
0 commit comments