docs(adr): ADR-017 autonomous swarm security model #24

Merged

navigator merged 1 commit from feature/adr-017-swarm-security into main

2026-05-24 15:11:12 -03:00

navigator commented

2026-05-24 14:42:06 -03:00

Owner

Summary

Records the trust boundary and operational limits of the FluidPop autonomous swarm before it goes live. Status: Proposed — flips to Accepted once Marcos approves via Telegram.

The ADR covers:

Trust boundary — anyone with write access to Fluid org ≈ shell access to navigator on the agent host. The swarm amplifies execution rate, not surface.
Author identity — all swarm commits author as FluidPop Swarm <swarm@pop.coop>; reviewer remains fluidpop-bot. Branch protection (author ≠ reviewer) holds.
Whitelist of accepted authors per role (Dispatcher only acts on navigator/fluidpop-bot/FluidPop Swarm issues; Approver only merges ^auto/ PRs from FluidPop Swarm/navigator).
Off-limits paths — .git/hooks/pre-commit (installed by install-swarm.sh) rejects any swarm-authored commit touching infra/forgejo/**, .forgejo/workflows/**, infra/ops/agents/**, infra/ops/{telegram-claude-bridge,notify-telegram,runner-monitor}.*, docs/decisions/ADR-0??.md (when Accepted), LICENSE.md, CHANGELOG.md, PLAN.md.
Caps — MAX_CONCURRENT_RESOLVERS=2, 6 merges/h, 12 open queued issues, 4h resolver wall-clock, circuit breaker 5×30min.
Escalation tripwire — post-mortem parser scans stream.jsonl for any tool call touching off-limits paths → quarantine + high-pri Telegram.
Revocation — /swarm pause all via Telegram; full stop via uninstall-swarm.sh; token rotation under 10 min RTO.

Governance hold

This PR touches docs/decisions/. The PR Approver will not auto-merge it — instead it pings Telegram high and waits for human-approved label.

To approve from phone: reply to the bridge with approve PR 24 (the bridge labels it, next Approver tick merges).

Test plan

Marcos reads ADR and confirms blast-radius wording is acceptable
If acceptable: apply human-approved via Telegram reply, merge proceeds
Future PRs #25-#27 land the implementation (lib + roles + install hooks)

## Summary Records the trust boundary and operational limits of the FluidPop autonomous swarm before it goes live. Status: **Proposed** — flips to **Accepted** once Marcos approves via Telegram. The ADR covers: - **Trust boundary** — anyone with write access to `Fluid` org ≈ shell access to `navigator` on the agent host. The swarm amplifies execution *rate*, not *surface*. - **Author identity** — all swarm commits author as `FluidPop Swarm <swarm@pop.coop>`; reviewer remains `fluidpop-bot`. Branch protection (author ≠ reviewer) holds. - **Whitelist of accepted authors** per role (Dispatcher only acts on `navigator`/`fluidpop-bot`/`FluidPop Swarm` issues; Approver only merges `^auto/` PRs from `FluidPop Swarm`/`navigator`). - **Off-limits paths** — `.git/hooks/pre-commit` (installed by `install-swarm.sh`) rejects any swarm-authored commit touching `infra/forgejo/**`, `.forgejo/workflows/**`, `infra/ops/agents/**`, `infra/ops/{telegram-claude-bridge,notify-telegram,runner-monitor}.*`, `docs/decisions/ADR-0??.md` (when Accepted), `LICENSE.md`, `CHANGELOG.md`, `PLAN.md`. - **Caps** — `MAX_CONCURRENT_RESOLVERS=2`, 6 merges/h, 12 open queued issues, 4h resolver wall-clock, circuit breaker 5×30min. - **Escalation tripwire** — post-mortem parser scans `stream.jsonl` for any tool call touching off-limits paths → quarantine + high-pri Telegram. - **Revocation** — `/swarm pause all` via Telegram; full stop via `uninstall-swarm.sh`; token rotation under 10 min RTO. ## Governance hold This PR touches `docs/decisions/`. The PR Approver will not auto-merge it — instead it pings Telegram `high` and waits for `human-approved` label. To approve from phone: reply to the bridge with `approve PR 24` (the bridge labels it, next Approver tick merges). ## Test plan - [ ] Marcos reads ADR and confirms blast-radius wording is acceptable - [ ] If acceptable: apply `human-approved` via Telegram reply, merge proceeds - [ ] Future PRs #25-#27 land the implementation (lib + roles + install hooks)

navigator added 1 commit

2026-05-24 14:42:06 -03:00

docs(adr): ADR-017 autonomous swarm security model

build / scalafmt-check (pull_request) Successful in 3s

Details

build / sbt-compile (pull_request) Successful in 3s

Details

build / shell-lint (pull_request) Successful in 8s

Details

build / scalafmt-check (push) Successful in 3s

Details

build / sbt-compile (push) Successful in 3s

Details

build / shell-lint (push) Successful in 9s

Details

d82ac7d35d

Records the trust boundary, accepted-author whitelist, off-limits paths,
caps, and escalation tripwire for the 4-role autonomous swarm
(Operator, Issue Opener, Resolver Dispatcher, PR Approver) that will be
installed in subsequent PRs.

Status: Proposed. Flips to Accepted once Marcos confirms via Telegram
(reply "approve PR <N>" applies the human-approved label that the PR
Approver gates governance-path merges on).

Cross-link: ADR-016 (bot reviewer identity), FUTURE ADR-018 (resolver
sandbox), FUTURE ADR-019 (server-side push block).