@vectros-ai/blueprints 0.6.2 → 0.6.3

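--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -3,6 +3,22 @@
  All notable changes to `@vectros-ai/blueprints` are documented here.
  This project adheres to [Semantic Versioning](https://semver.org).
 
+ ## 0.6.3 — 2026-07-01
+
+ ### Added
+
+ - **`agentic-sdlc` now declares an `editor` role for the human owner.** `bootstrap`
+ provisions a scoped key for your *agent*, but doesn't join *you* — so a blueprint's
+ context doesn't appear in the data-plane app until your own user is granted access
+ there. The blueprint now ships a reusable `editor` role at **parity with the service
+ key** (`records:r/c/u`, `search:r`, `schemas:r`, `inference:r`, `documents:r/c`,
+ `folders:r/c`; no delete, no control-plane), which `bootstrap` creates in the context.
+ Bind it to your user once to browse and curate the KB in the app:
+ `vectros access grant --principal usr_<your-user-id> --context agentic-sdlc --role editor`
+ (or via the admin app's Access → Contexts → Profiles). The guide and walkthrough
+ document the one-time join, and the package README now documents the top-level
+ `roles` format field (previously undocumented — no bundled blueprint used it).
+
  ## 0.6.2 — 2026-06-29
 
  ### Changed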
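--- a/package/README.md
+++ b/package/README.md
@@ -115,6 +115,16 @@ The `accessProfile.dataScope` value lists accept a **`null` sentinel** — e.g.
  (owner-less / shared) records. Omitting `null` restricts the key to the listed
  owners only.
 
+ A blueprint may also declare top-level **`roles`** — a map of `roleId` → ordered
+ scope clauses (each an `allowedActions` list with an optional `dataScope`). Unlike
+ `accessProfile` (which scopes the service-principal key `bootstrap` mints), roles
+ are reusable, identity-agnostic rules you bind to a principal *after* bootstrap with
+ `vectros access grant --principal <p> --role <roleId>`. `bootstrap` provisions the
+ declared roles in the context but binds them to no one. The bundled `agentic-sdlc`
+ ships an `editor` role for this — join your own user to the context so you can
+ browse and curate the knowledge base in the app. Role clauses pass the same
+ data-plane scope gate as `accessProfile`.
+
  All of the above are **optional and backward-compatible** — a blueprint that
  omits them parses and provisions exactly as before.
 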
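--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1065,6 +1065,18 @@ var codingAgentMemory = {
  var coding_agent_memory_default = codingAgentMemory;
 
  // src/blueprints/agentic-sdlc.ts
+ var DATA_PLANE_ACTIONS = [
+ "records:r",
+ "records:c",
+ "records:u",
+ "search:r",
+ "schemas:r",
+ "inference:r",
+ "documents:r",
+ "documents:c",
+ "folders:r",
+ "folders:c"
+ ];
  var agenticSdlc = {
  name: "agentic-sdlc",
  version: "1.0.0",
@@ -1718,23 +1730,25 @@ var agenticSdlc = {
  ]
  }
  ],
- // Least-privilege, data-plane only. r/c/u records + search + schema discovery +
- // inference:r (grounded recall over the document bodies) + document/folder r/c
- // (the content artifacts are documents). NO :d — knowledge is superseded/retired
- // via a status flip, so the trail of how the team's thinking evolved stays intact.
+ // Least-privilege, data-plane only. The scope of the `ssk_*` key the bootstrap
+ // mints for THIS blueprint's service principal (the MCP/API runtime). See
+ // DATA_PLANE_ACTIONS above for the action set + rationale.
  accessProfile: {
- allowedActions: [
- "records:r",
- "records:c",
- "records:u",
- "search:r",
- "schemas:r",
- "inference:r",
- "documents:r",
- "documents:c",
- "folders:r",
- "folders:c"
- ]
+ allowedActions: DATA_PLANE_ACTIONS
+ },
+ // A reusable `editor` role for the HUMAN owner — DISTINCT from `accessProfile`
+ // (which scopes only the service-principal key). `bootstrap` provisions this
+ // role in the context but binds it to no one; the owner joins themselves so the
+ // data-plane app (app.vectros.ai) shows their KB — its switcher lists only
+ // contexts the signed-in user holds an active access profile in, and bootstrap
+ // grants the human none by default. Bind it after bootstrap with:
+ // vectros access grant --principal usr_<your-user-id> --context agentic-sdlc --role editor
+ // (or the admin app's Access > Contexts > agentic-sdlc > Profiles > Create).
+ // Editor PARITY with the service key (same DATA_PLANE_ACTIONS) so a human
+ // curator can browse AND write/correct the KB; still no :d and no control-plane
+ // action, so the scope gate accepts it exactly like the accessProfile.
+ roles: {
+ editor: [{ allowedActions: DATA_PLANE_ACTIONS }]
  },
  servicePrincipal: {
  externalId: "agentic-sdlc",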
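Review bot: `DATA_PLANE_ACTIONS` is a single mutable array that both `accessProfile.allowedActions` and `roles.editor[0].allowedActions` now reference, so if any consumer edits one list in place (for instance when customising a loaded blueprint before bootstrap), the other changes with it and the service key and the human role can no longer be scoped independently. Give each its own copy, `allowedActions: [...DATA_PLANE_ACTIONS]` and `editor: [{ allowedActions: [...DATA_PLANE_ACTIONS] }]`, or declare the constant as `Object.freeze([...])`; since this file is build output, the change belongs in `src/blueprints/agentic-sdlc.ts`. The new comment also sends the reader to `DATA_PLANE_ACTIONS` for the rationale, but in this bundle the constant has no comment and the removed explanation of why no `:d` action is granted is gone, so a line such as `// NO :d — knowledge is superseded/retired via a status flip` should sit on the constant. The `agenticSdlc` object begins and ends outside both hunks, so whether anything else reads or mutates these lists cannot be confirmed from here.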