@vectros-ai/blueprints 0.6.2 → 0.6.3

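--- a/package/dist/index.mjs
+++ b/package/dist/index.mjs
@@ -1025,6 +1025,18 @@ var codingAgentMemory = {
  var coding_agent_memory_default = codingAgentMemory;
 
  // src/blueprints/agentic-sdlc.ts
+ var DATA_PLANE_ACTIONS = [
+ "records:r",
+ "records:c",
+ "records:u",
+ "search:r",
+ "schemas:r",
+ "inference:r",
+ "documents:r",
+ "documents:c",
+ "folders:r",
+ "folders:c"
+ ];
  var agenticSdlc = {
  name: "agentic-sdlc",
  version: "1.0.0",
@@ -1678,23 +1690,25 @@ var agenticSdlc = {
  ]
  }
  ],
- // Least-privilege, data-plane only. r/c/u records + search + schema discovery +
- // inference:r (grounded recall over the document bodies) + document/folder r/c
- // (the content artifacts are documents). NO :d — knowledge is superseded/retired
- // via a status flip, so the trail of how the team's thinking evolved stays intact.
+ // Least-privilege, data-plane only. The scope of the `ssk_*` key the bootstrap
+ // mints for THIS blueprint's service principal (the MCP/API runtime). See
+ // DATA_PLANE_ACTIONS above for the action set + rationale.
  accessProfile: {
- allowedActions: [
- "records:r",
- "records:c",
- "records:u",
- "search:r",
- "schemas:r",
- "inference:r",
- "documents:r",
- "documents:c",
- "folders:r",
- "folders:c"
- ]
+ allowedActions: DATA_PLANE_ACTIONS
+ },
+ // A reusable `editor` role for the HUMAN owner — DISTINCT from `accessProfile`
+ // (which scopes only the service-principal key). `bootstrap` provisions this
+ // role in the context but binds it to no one; the owner joins themselves so the
+ // data-plane app (app.vectros.ai) shows their KB — its switcher lists only
+ // contexts the signed-in user holds an active access profile in, and bootstrap
+ // grants the human none by default. Bind it after bootstrap with:
+ // vectros access grant --principal usr_<your-user-id> --context agentic-sdlc --role editor
+ // (or the admin app's Access > Contexts > agentic-sdlc > Profiles > Create).
+ // Editor PARITY with the service key (same DATA_PLANE_ACTIONS) so a human
+ // curator can browse AND write/correct the KB; still no :d and no control-plane
+ // action, so the scope gate accepts it exactly like the accessProfile.
+ roles: {
+ editor: [{ allowedActions: DATA_PLANE_ACTIONS }]
  },
  servicePrincipal: {
  externalId: "agentic-sdlc",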
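Review bot: `accessProfile.allowedActions` and `roles.editor[0].allowedActions` now reference the same mutable `DATA_PLANE_ACTIONS` array, so any consumer that pushes to, splices or sorts one list in place would silently change the scope of the other principal too. Nothing visible here mutates it, but for a permission list I would freeze the constant, `var DATA_PLANE_ACTIONS = Object.freeze([...])`, or give each consumer its own copy, `allowedActions: [...DATA_PLANE_ACTIONS]`; since this is build output the change belongs in `src/blueprints/agentic-sdlc.ts`. The rewritten comment also points to DATA_PLANE_ACTIONS "for the action set + rationale", yet the declaration carries no comment in this file, so the removed explanation of why no `:d` action is granted is no longer recorded in the bundle and should be kept next to the constant. The `agenticSdlc` object starts and ends outside both hunks.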