docs(decisions): define Agent Access Plane #78

Merged

pdurlej merged 1 commit from codex/issues/76-agent-access-plane-adr into main

2026-05-05 07:21:53 +02:00

codex commented

2026-05-05 03:21:33 +02:00

Collaborator

Canary status: approve_merge — 6/6 OK; decision packet in /tmp/canary-output/PR-78/decision_packet.md

Canary Context Pack

Product story

The operator wants one controlled way to share AI/machine credentials with agents during bounded sessions, without pasting secrets into chat, scattering shell hacks, or mixing personal Bitwarden secrets with AI capabilities.

What changed

Adds ADR 0003 defining Agent Access Plane: product boundary, repo boundary, Infisical source-of-truth rule, capability-vs-secret model, delivery guardrails, per-agent identity posture, issue hierarchy, compliance evidence, and stop conditions.

Why it changed

#73 solved the immediate SSH delivery slice, but Oracle and product review showed it must not become another one-off credential path. #74 also needed a concrete platform vs iskra-openclaw boundary so future agent/secret/OpenClaw issues have an obvious home.

Files touched

decisions/0003-agent-access-plane.md

Relevant context

#76: new Agent Access Plane parent issue.
#74: repo boundary issue; this ADR resolves it.
#73 / PR #77: tactical Codex -> OpenClaw SSH-agent TTL slice.
#56: per-agent Forgejo/MCP identity split; now a child of the access-plane effort.
#64: Vault -> Infisical migration; dependency for where secrets live, not this parent.
#72: later safe CI/canary Infisical integration; ADR encodes no-argv/no-dotenv guardrails before that work proceeds.
pdurlej/iskra-openclaw#43: cross-platform secret architecture to migrate/split into platform policy plus OpenClaw runtime implementation.

Runtime evidence

N/A — ADR-only PR. Mechanical checks:

git diff --check HEAD~1 HEAD => pass.
rg leak-pattern scan on the ADR only returned forbidden examples used as guardrail text, not secret material.
wc -l decisions/0003-agent-access-plane.md => 285 lines.
Identity check: codex Forgejo+git doctor pass with --skip infisical --skip review --skip mcp.

Known constraints

This ADR does not implement #73, #56, #72, Agent Vault, or OpenClaw SecretRef.
Capability catalog examples are non-secret metadata, not enforcement.
Per-agent identities are required for new secret-bearing implementations, but not every future actor identity must be provisioned in this PR.

Explicit out-of-scope

Moving real secrets into Infisical.
Creating machine identity UUIDs or service tokens.
Touching runtime hosts, Forgejo Actions, or OpenClaw code.
Solving #56 implementation.
Closing #76; this ADR is one child milestone, not the parent completion.

Requested decision

Approve the product/repo/security boundary so #73, #56, #72 follow-ups, and OpenClaw SecretRef work stop inventing independent credential rules.

Merge blockers

If reviewers believe the boundary should live outside decisions/.
If the ADR permits a long-lived shared read-all identity.
If it blurs platform policy with OpenClaw runtime implementation.
If any guardrail conflicts with Charter §5 or ADR 0002 trust-boundary constraints.

Spec sources read

#76 — Agent Access Plane parent issue.
#74 — platform vs iskra-openclaw boundary proposal.
#73 — Codex SSH delivery first slice.
#56 — per-agent Forgejo/MCP identity gap.
#72 — CI/canary Infisical prompt and known unsafe patterns from review context.
#64 — Vault -> Infisical migration relationship.
pdurlej/iskra-openclaw#43 — 3-phase SecretRef / Agent Vault architecture.
PLATFORM_CHARTER.md §runtime state and service identities.
state/runtime-layout.md — runtime state boundary.
decisions/0002-ci-enforcement-canary.md — base/main trust boundary for future CI secret work.

Refs #76
Closes #74

Canary status: approve_merge — 6/6 OK; decision packet in /tmp/canary-output/PR-78/decision_packet.md ## Canary Context Pack ### Product story The operator wants one controlled way to share AI/machine credentials with agents during bounded sessions, without pasting secrets into chat, scattering shell hacks, or mixing personal Bitwarden secrets with AI capabilities. ### What changed Adds ADR 0003 defining Agent Access Plane: product boundary, repo boundary, Infisical source-of-truth rule, capability-vs-secret model, delivery guardrails, per-agent identity posture, issue hierarchy, compliance evidence, and stop conditions. ### Why it changed #73 solved the immediate SSH delivery slice, but Oracle and product review showed it must not become another one-off credential path. #74 also needed a concrete platform vs `iskra-openclaw` boundary so future agent/secret/OpenClaw issues have an obvious home. ### Files touched - `decisions/0003-agent-access-plane.md` ### Relevant context - #76: new Agent Access Plane parent issue. - #74: repo boundary issue; this ADR resolves it. - #73 / PR #77: tactical Codex -> OpenClaw SSH-agent TTL slice. - #56: per-agent Forgejo/MCP identity split; now a child of the access-plane effort. - #64: Vault -> Infisical migration; dependency for where secrets live, not this parent. - #72: later safe CI/canary Infisical integration; ADR encodes no-argv/no-dotenv guardrails before that work proceeds. - `pdurlej/iskra-openclaw#43`: cross-platform secret architecture to migrate/split into platform policy plus OpenClaw runtime implementation. ### Runtime evidence N/A — ADR-only PR. Mechanical checks: - `git diff --check HEAD~1 HEAD` => pass. - `rg` leak-pattern scan on the ADR only returned forbidden examples used as guardrail text, not secret material. - `wc -l decisions/0003-agent-access-plane.md` => 285 lines. - Identity check: codex Forgejo+git doctor pass with `--skip infisical --skip review --skip mcp`. ### Known constraints - This ADR does not implement #73, #56, #72, Agent Vault, or OpenClaw SecretRef. - Capability catalog examples are non-secret metadata, not enforcement. - Per-agent identities are required for new secret-bearing implementations, but not every future actor identity must be provisioned in this PR. ### Explicit out-of-scope - Moving real secrets into Infisical. - Creating machine identity UUIDs or service tokens. - Touching runtime hosts, Forgejo Actions, or OpenClaw code. - Solving #56 implementation. - Closing #76; this ADR is one child milestone, not the parent completion. ### Requested decision Approve the product/repo/security boundary so #73, #56, #72 follow-ups, and OpenClaw SecretRef work stop inventing independent credential rules. ### Merge blockers - If reviewers believe the boundary should live outside `decisions/`. - If the ADR permits a long-lived shared read-all identity. - If it blurs platform policy with OpenClaw runtime implementation. - If any guardrail conflicts with Charter §5 or ADR 0002 trust-boundary constraints. ## Spec sources read - #76 — Agent Access Plane parent issue. - #74 — platform vs `iskra-openclaw` boundary proposal. - #73 — Codex SSH delivery first slice. - #56 — per-agent Forgejo/MCP identity gap. - #72 — CI/canary Infisical prompt and known unsafe patterns from review context. - #64 — Vault -> Infisical migration relationship. - `pdurlej/iskra-openclaw#43` — 3-phase SecretRef / Agent Vault architecture. - `PLATFORM_CHARTER.md` §runtime state and service identities. - `state/runtime-layout.md` — runtime state boundary. - `decisions/0002-ci-enforcement-canary.md` — base/main trust boundary for future CI secret work. Refs #76 Closes #74

codex added 1 commit

2026-05-05 03:21:34 +02:00

docs(decisions): define agent access plane

canary-required / collect-diff (pull_request) Successful in 3s

Details

canary-required / canary (pull_request) Failing after 1s

Details

da69f41be2