Web Console: Workflow policy and guardrail configuration visibility (Phase 3) #646

Open
opened 2026-07-10 14:41:24 -05:00 by jcwalker3 · 0 comments
Owner

Problem statement

Policy and guardrails live in code, profiles, docs, and skills. Operators cannot see active workflow policy/guardrail configuration from the console without reading the repo tree.

User and operational impact

Misconfigured sessions; unclear why a gate failed; slow controller triage.

Scope

  • Read-only projection of active policies: role separation, lease rules, worktree rules, merge confirmation, redaction, contamination, allocator policy summaries.
  • Source attribution (file/module/doc) without exposing secrets.
  • Diff vs documented defaults where feasible.

Explicit non-goals

  • No policy editing in this issue (see dedicated edit/rollback issue).
  • No weakening of gates via UI toggles.

Required implementation investigation

docs/safety-model.md, profiles config shape, task_capability_map.py, gates, #633, #631, skills workflows.

Proposed architecture or implementation direction

Policy inventory builder scanning known modules/docs into redacted JSON; HTML tables with source links.

Security and workflow-safety requirements

Never display token values; RBAC for config visibility if sensitive.

Acceptance criteria

  1. Console lists major guardrails with source pointers.
  2. Secrets redacted.
  3. Tests ensure sample secrets never appear.
  4. Docs explain read-only nature.

Required tests

Redaction tests; inventory completeness smoke tests.

Observability and audit requirements

Optional access audit for config views.

Dependencies and linkage

Canonical issue state

STATE: ready-for-author
WHO_IS_NEXT: author
NEXT_ACTION: Implement read-only policy visibility
NEXT_PROMPT: Author policy inventory view; PR; stop

Required final evidence

PR with inventory, tests, docs.

Required final response and handoff expectations

Brief PR → reviewer.

## Problem statement Policy and guardrails live in code, profiles, docs, and skills. Operators cannot **see** active workflow policy/guardrail configuration from the console without reading the repo tree. ## User and operational impact Misconfigured sessions; unclear why a gate failed; slow controller triage. ## Scope * Read-only projection of active policies: role separation, lease rules, worktree rules, merge confirmation, redaction, contamination, allocator policy summaries. * Source attribution (file/module/doc) without exposing secrets. * Diff vs documented defaults where feasible. ## Explicit non-goals * No policy editing in this issue (see dedicated edit/rollback issue). * No weakening of gates via UI toggles. ## Required implementation investigation `docs/safety-model.md`, profiles config shape, `task_capability_map.py`, gates, #633, #631, skills workflows. ## Proposed architecture or implementation direction Policy inventory builder scanning known modules/docs into redacted JSON; HTML tables with source links. ## Security and workflow-safety requirements Never display token values; RBAC for config visibility if sensitive. ## Acceptance criteria 1. Console lists major guardrails with source pointers. 2. Secrets redacted. 3. Tests ensure sample secrets never appear. 4. Docs explain read-only nature. ## Required tests Redaction tests; inventory completeness smoke tests. ## Observability and audit requirements Optional access audit for config views. ## Dependencies and linkage * Parent: #631 · Soft-depends: #632, #633 · Related: #630 ## Canonical issue state ```text STATE: ready-for-author WHO_IS_NEXT: author NEXT_ACTION: Implement read-only policy visibility NEXT_PROMPT: Author policy inventory view; PR; stop ``` ## Required final evidence PR with inventory, tests, docs. ## Required final response and handoff expectations Brief PR → reviewer.
jcwalker3 added the type:featurestatus:readyworkflow-hardeningdashboardsafety labels 2026-07-10 14:41:24 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#646