fred-runtime 3.1.0__tar.gz → 3.3.0__tar.gz

{fred_runtime-3.1.0 → fred_runtime-3.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: fred-runtime
-Version: 3.1.0
+Version: 3.3.0
 Summary: Runtime adapters and infrastructure wiring for Fred v2 agents.
 Author-email: Thales <noreply@thalesgroup.com>
 License: Apache-2.0
@@ -12,8 +12,8 @@ Classifier: Programming Language :: Python :: 3 :: Only
 Classifier: Operating System :: OS Independent
 Requires-Python: <3.13,>=3.12
 Description-Content-Type: text/markdown
-Requires-Dist: fred-core>=3.1.0
-Requires-Dist: fred-sdk>=3.1.0
+Requires-Dist: fred-core>=3.4.0
+Requires-Dist: fred-sdk>=3.3.0
 Requires-Dist: alembic>=1.18.4
 Requires-Dist: deepagents>=0.4.11
 Requires-Dist: httpx>=0.28.1

{fred_runtime-3.1.0 → fred_runtime-3.3.0}/fred_runtime/app/agent_app.py

@@ -61,7 +61,10 @@ from fred_core.kpi import KPIMiddleware
 from fred_core.kpi.kpi_writer_structures import KPIActor
 from fred_core.logs.log_setup import log_setup
 from fred_core.logs.memory_log_store import RamLogStore
+from fred_core.security.models import AuthorizationError
 from fred_core.security.oidc import get_keycloak_client_id, get_keycloak_url
+from fred_core.security.rebac.rebac_engine import TeamPermission
+from fred_core.security.rebac.rebac_factory import rebac_factory
 from fred_core.security.structure import KeycloakUser
 from fred_sdk.contracts.context import (
     AgentInvocationRequest,
@@ -75,9 +78,7 @@ from fred_sdk.contracts.context import (
 from fred_sdk.contracts.eval import EvalStep, EvalTrace
 from fred_sdk.contracts.execution import (
     ExecutionGrantAction,
-    ExecutionGrantViolation,
     RuntimeExecuteRequest,
-    validate_execution_grant,
 )
 from fred_sdk.contracts.models import (
     AgentTuning,
@@ -961,6 +962,7 @@ async def _resolve_agent_instance(
     registry: Mapping[str, ReActAgentDefinition | GraphAgentDefinition],
     access_token: str | None,
     control_plane_url: str | None,
+    team_id: str | None = None,
 ) -> _ResolvedExecutionTarget:
     """
     Resolve a direct or managed execution target into a concrete definition.
@@ -979,11 +981,15 @@ async def _resolve_agent_instance(
 
     if request.agent_id is not None:
         definition = registry.get(request.agent_id)
-        if definition is None:
+        # Direct agent_id execution takes no grant, so it is the enforcement point
+        # for agent visibility: a non-public agent (AgentDefinition.public=False) is
+        # internal — it may only be executed through a managed instance (whose
+        # enrollment is admin-gated), never directly by id. Treat it as unknown so
+        # its existence is not even confirmed. See AGENT-VISIBILITY-RFC §3.1.
+        if definition is None or not getattr(definition, "public", True):
             raise HTTPException(
                 status_code=status.HTTP_404_NOT_FOUND,
-                detail=f"Unknown agent_id: {request.agent_id!r}. "
-                f"Known agents: {list(registry.keys())}",
+                detail=f"Unknown agent_id: {request.agent_id!r}.",
             )
         if request.inline_tuning:
             available_mcp_servers = _available_mcp_servers_for_definition(definition)
@@ -1012,8 +1018,20 @@ async def _resolve_agent_instance(
             ),
         )
 
+    # Team-scoped resolution (RUNTIME-07 rev. 2). The pod resolves the instance's
+    # template + tuning from the control-plane binding scoped to the caller's team
+    # (ReBAC-gated, store.get_for_team) — the replacement for the signed grant.
+    # The end user has already been authorized at this pod (Keycloak + OpenFGA).
+    if team_id is None:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=(
+                "Managed agent instance execution requires a team context "
+                "(runtime_context.team_id)."
+            ),
+        )
     url = (
-        f"{control_plane_url.rstrip('/')}/agent-instances/"
+        f"{control_plane_url.rstrip('/')}/teams/{team_id}/agent-instances/"
         f"{request.agent_instance_id}/runtime"
     )
     headers = {"Authorization": f"Bearer {access_token}"} if access_token else None
@@ -1086,84 +1104,239 @@ def _make_user_dependency(
         return _dep_noop
 
 
-def _validate_grant_user_correlation(
+async def _authorize_execution_or_raise(
     request: RuntimeExecuteRequest,
     authenticated_user: KeycloakUser | None,
     container: PodApplicationContext,
 ) -> None:
     """
-    Enforce the bearer-token / grant user_id correlation check.
-
-    Why this exists:
-    - The security report requires that user_id in the Keycloak bearer token
-      matches user_id in the ExecutionGrant.
-    - Without this check, a valid token for user A combined with a grant
-      issued for user B would be accepted by structural grant validation alone.
-    - This is the check that makes the dual-auth model meaningful.
-
-    How to use it:
-    - Call after validate_execution_grant and only when an ExecutionGrant is
-      present (managed execution path).
-    - Pass the KeycloakUser from Depends(get_current_user), or None when
-      security is disabled (dev mode).
-
-    Raises HTTPException 403 when the token user_id and grant user_id disagree.
+    Pod-side OpenFGA authorization for one execution request (RUNTIME-07 rev. 2).
+
+    The pod is the execution authority. Identity is proven by the Keycloak JWT
+    (`authenticated_user`); authorization is decided HERE, per request, by an
+    OpenFGA check on the team the caller is acting in. This is the model already
+    homologated on `main` (agentic-backend), re-instantiated per pod — it replaces
+    the control-plane-signed grant, which is being removed.
+
+    Behaviour:
+    - security disabled (no authenticated user) → skip (dev/local).
+    - ReBAC engine absent or disabled (Noop) → skip (identity-only dev posture);
+      the C3 profile guarantees an enabled engine in classified deployments.
+    - otherwise require the caller to hold `CAN_READ` on the requested team — the
+      same relation the control-plane required before it would mint a grant. The
+      team is caller-supplied but safe: OpenFGA only authorizes teams the user
+      actually holds a relation to. Authorization and denial are both audited;
+      any OpenFGA denial fails closed (403).
+
+    Covers execute, execute/stream, evaluate AND resume — every path funnels
+    through this call, so no half-authenticated session is possible.
+
+    Direct template execution (`agent_id`) is **forbidden under the c3 profile**
+    (RUNTIME-07 F-D); in dev/non-c3 it stays identity-only. Managed execution
+    (`agent_instance_id`) requires a team and an OpenFGA grant whenever ReBAC is
+    active; a missing team then fails closed.
     """
     if authenticated_user is None:
-        # Security disabled (dev mode) — skip correlation check.
+        # Security disabled (dev mode) — no identity to authorize.
         return
-    grant = request.execution_grant
-    if grant is None:
-        # Direct template execution — no grant to correlate.
+    profile = getattr(get_runtime_context().config, "security_profile", None)
+
+    # Direct template execution (agent_id): no team scope, no managed instance.
+    if request.agent_id is not None:
+        if profile == "c3":
+            _emit_audit_event(
+                container,
+                "warning",
+                "direct_execution_forbidden",
+                user_id=authenticated_user.uid,
+                agent_id=request.agent_id,
+            )
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=(
+                    "direct agent_id execution is not permitted under the c3 "
+                    "security profile; use a managed agent instance"
+                ),
+            )
+        # dev / non-c3: identity-only (no team to authorize against).
         return
-    if grant.user_id != authenticated_user.uid:
+
+    # Managed execution (agent_instance_id).
+    rebac = get_runtime_context().config.rebac_engine
+    if rebac is None or not rebac.enabled:
+        # ReBAC not active (Noop / unconfigured) — identity-only dev posture. The
+        # c3 profile guarantees an enabled engine in production (fail-closed).
+        return
+    team_id = request.effective_team_id()
+    if team_id is None:
         _emit_audit_event(
             container,
             "warning",
-            "grant_user_mismatch",
-            grant_user_id=grant.user_id,
-            token_user_id=authenticated_user.uid,
+            "managed_execution_without_team",
+            user_id=authenticated_user.uid,
+            agent_instance_id=request.agent_instance_id,
         )
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail=(
-                f"grant user_id {grant.user_id!r} does not match "
-                f"authenticated user {authenticated_user.uid!r}"
+                "managed agent instance execution requires a team context "
+                "(runtime_context.team_id)"
             ),
         )
+    try:
+        await rebac.check_user_team_permission_or_raise(
+            authenticated_user, TeamPermission.CAN_READ, team_id
+        )
+    except AuthorizationError as exc:
+        _emit_audit_event(
+            container,
+            "warning",
+            "rebac_denied",
+            user_id=authenticated_user.uid,
+            team_id=team_id,
+            agent_instance_id=request.agent_instance_id,
+            reason=str(exc),
+        )
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=(
+                f"user {authenticated_user.uid!r} is not authorized for "
+                f"team {team_id!r}"
+            ),
+        ) from exc
     _emit_audit_event(
         container,
         "info",
-        "grant_user_correlated",
+        "rebac_authorized",
         user_id=authenticated_user.uid,
+        team_id=team_id,
         agent_instance_id=request.agent_instance_id,
     )
 
 
-def _expected_execution_action(
+async def _enforce_session_ownership(
     request: RuntimeExecuteRequest,
-) -> ExecutionGrantAction:
+    authenticated_user: KeycloakUser | None,
+    container: PodApplicationContext,
+) -> None:
     """
-    Resolve the required grant action for one runtime request.
-
-    Why this exists:
-    - managed HITL resumes must require `resume` grants while normal turns
-      require `execute`
-    - centralising that rule keeps both execute endpoints aligned
+    Private-per-owner session policy (RUNTIME-07 rev. 2, finding F-C).
+
+    Conversations are private to their owner. When security is enabled and the
+    request targets an EXISTING session, the authenticated user must own it. A
+    brand-new session is allowed (the caller becomes its owner). This blocks a
+    same-team user from continuing or resuming another user's private session by
+    guessing its `session_id` / `checkpoint_id` — the team OpenFGA check alone
+    would not catch an intra-team cross-user access.
+    """
+    if authenticated_user is None:
+        return  # security disabled (dev) — no identity to enforce
+    session_id = request.effective_session_id()
+    if not session_id:
+        return
+    history_store = get_runtime_context().config.history_store
+    if history_store is None:
+        return
+    if not await history_store.session_exists(session_id):
+        return  # new session — the caller becomes its owner
+    if await history_store.session_belongs_to_user(session_id, authenticated_user.uid):
+        return  # caller owns this session
+    _emit_audit_event(
+        container,
+        "warning",
+        "session_owner_mismatch",
+        user_id=authenticated_user.uid,
+        session_id=session_id,
+        agent_instance_id=request.agent_instance_id,
+    )
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail=f"session {session_id!r} does not belong to the authenticated user",
+    )
 
-    How to use it:
-    - call immediately before `validate_execution_grant(...)`
-    - pass the returned action as `expected_action`
 
-    Example:
-    - `expected_action = _expected_execution_action(request)`
+async def _authorize_and_resolve(
+    request: RuntimeExecuteRequest,
+    *,
+    authenticated_user: KeycloakUser | None,
+    container: PodApplicationContext,
+    registry: Mapping[str, ReActAgentDefinition | GraphAgentDefinition],
+    access_token: str | None,
+) -> tuple["_AgentExecuteRequest", _ResolvedExecutionTarget]:
     """
+    Shared pre-execution gate for execute / execute-stream / evaluate (and HITL
+    resume, which is a field on those endpoints) — RUNTIME-07 rev. 2.
 
-    return (
-        ExecutionGrantAction.RESUME
-        if request.resume_payload is not None
-        else ExecutionGrantAction.EXECUTE
+    The pod is the execution authority: there is NO control-plane-signed grant.
+    1. validate checkpoint/session access,
+    2. authorize the caller against OpenFGA on their team (identity = Keycloak JWT),
+    3. resolve the managed instance template + tuning from the control-plane,
+       team-scoped and ReBAC-gated (config only — never a secret or capability),
+    4. cross-check the resolved owner team against the caller's claimed team.
+
+    Returns the internal request plus the resolved execution target.
+    """
+    # F-B: identity is the validated Keycloak JWT, never the request body. Stamp
+    # user_id from the token and neutralize any body-supplied credentials — the pod
+    # uses the header bearer for downstream (knowledge-flow) calls and trusts no
+    # caller-provided user_id / access_token / refresh_token.
+    if authenticated_user is not None:
+        base_ctx = request.runtime_context or RuntimeContext()
+        request.runtime_context = base_ctx.model_copy(
+            # F-B: neutralize body-supplied tokens (not secrets — set to None).
+            update={
+                "user_id": authenticated_user.uid,
+                "access_token": access_token,
+                "refresh_token": None,  # nosec B105
+                "access_token_expires_at": None,  # nosec B105
+            }
+        )
+    await _validate_session_checkpoint_access(request)
+    await _enforce_session_ownership(request, authenticated_user, container)
+    await _authorize_execution_or_raise(request, authenticated_user, container)
+    internal_req = _to_internal_request(request)
+    target = await _resolve_agent_instance(
+        request=internal_req,
+        registry=registry,
+        access_token=access_token,
+        control_plane_url=get_runtime_context().config.control_plane_url,
+        team_id=request.effective_team_id(),
     )
+    _validate_resolved_team(request, target.team_id, container)
+    return internal_req, target
+
+
+def _validate_resolved_team(
+    request: RuntimeExecuteRequest,
+    resolved_team_id: str | None,
+    container: PodApplicationContext,
+) -> None:
+    """
+    Cross-check the resolved instance owner team against the caller's claim.
+
+    Team-scoped resolution already restricts the lookup to the caller's team, so a
+    mismatch should be impossible; this is defense-in-depth and an audit anchor.
+    Skipped for direct template execution (no team scope).
+    """
+    if resolved_team_id is None:
+        return
+    claimed = request.effective_team_id()
+    if claimed is not None and claimed != resolved_team_id:
+        _emit_audit_event(
+            container,
+            "warning",
+            "team_binding_mismatch",
+            claimed_team_id=claimed,
+            resolved_team_id=resolved_team_id,
+            agent_instance_id=request.agent_instance_id,
+        )
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=(
+                f"resolved owner team {resolved_team_id!r} does not match "
+                f"requested team {claimed!r}"
+            ),
+        )
 
 
 async def _validate_session_checkpoint_access(
@@ -1858,6 +2031,11 @@ async def _iterate_runtime_event_payloads(
         include_session_scope=ctx.get("include_session_scope"),
         include_corpus_scope=ctx.get("include_corpus_scope"),
         deep_search=ctx.get("deep_search"),
+        # The marketplace/library prompt selected for the conversation. The
+        # control-plane resolves the session's attached prompts into this scalar
+        # at prepare-execution and the frontend forwards it — but it was also
+        # silently dropped here, so no agent ever received a selected prompt.
+        context_prompt_text=ctx.get("context_prompt_text"),
     )
 
     binding = BoundRuntimeContext(
@@ -2061,7 +2239,9 @@ def _build_agent_router(
         return events[: max(1, limit)]
 
     @router.get("/templates")
-    async def list_agent_templates() -> list[_AgentTemplateSummary]:
+    async def list_agent_templates(
+        include_non_public: bool = False,
+    ) -> list[_AgentTemplateSummary]:
         """
         Return the executable agent templates registered in this pod.
 
@@ -2072,6 +2252,9 @@ def _build_agent_router(
 
         How to use it:
         - call from control-plane to aggregate template metadata across pods
+        - pass `include_non_public=true` to also list internal agents
+          (`AgentDefinition.public=False`) for tooling such as the self-test
+          harness; the default catalog hides them (see AGENT-VISIBILITY-RFC)
 
         Example:
         - `GET /fred/agents/v2/agents/templates`
@@ -2088,6 +2271,7 @@ def _build_agent_router(
                 available_mcp_servers=_available_mcp_servers_for_definition(definition),
             )
             for definition in registry.values()
+            if include_non_public or getattr(definition, "public", True)
         ]
 
     @router.get("/mcp-catalog")
@@ -2559,15 +2743,15 @@ def _build_agent_router(
 
         POST <configured base_url>/agents/execute
         Authorization: Bearer <user JWT>
-        Body: RuntimeExecuteRequest (agent_instance_id + execution_grant for managed exec)
+        Body: RuntimeExecuteRequest (agent_instance_id + runtime_context.team_id for managed exec)
         Response: application/json containing the terminal runtime payload
 
-        Security:
-        - For managed execution (agent_instance_id), an execution_grant issued by
-          control-plane is required. The runtime validates it structurally before
-          proceeding (expiry, field consistency, action).
-        - RBAC via Keycloak and REBAC via OpenFGA protect this endpoint.
-        - The runtime validates; control-plane decides access.
+        Security (RUNTIME-07 rev. 2 — the pod is the execution authority):
+        - Identity is the caller's Keycloak JWT (validated against Keycloak JWKS).
+        - Authorization is a pod-side OpenFGA check on runtime_context.team_id,
+          enforced per request. There is NO control-plane-signed grant.
+        - Managed instances resolve their template+tuning from the control-plane
+          team-scoped binding (config only).
 
         Architectural note:
         - This endpoint does not implement pod discovery or routing.
@@ -2576,42 +2760,14 @@ def _build_agent_router(
         auth = http_request.headers.get("Authorization", "")
         access_token = auth.removeprefix("Bearer ").strip() or None
 
-        expected_action = _expected_execution_action(request)
-
-        # Validate ExecutionGrant for managed execution paths
-        try:
-            validate_execution_grant(request, expected_action=expected_action)
-        except ExecutionGrantViolation as exc:
-            _emit_audit_event(
-                container,
-                "warning",
-                "grant_validation_failed",
-                agent_instance_id=request.agent_instance_id,
-                user_id=request.effective_user_id(),
-                action=expected_action.value,
-                reason=str(exc),
-            )
-            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=str(exc))
-        if request.execution_grant is not None:
-            _emit_audit_event(
-                container,
-                "info",
-                "grant_validated",
-                agent_instance_id=request.agent_instance_id,
-                user_id=request.effective_user_id(),
-                action=expected_action.value,
-            )
-        _validate_grant_user_correlation(request, authenticated_user, container)
-        await _validate_session_checkpoint_access(request)
-
         exchange_id = str(uuid4())
         turn_start = time.monotonic()
-        internal_req = _to_internal_request(request)
-        target = await _resolve_agent_instance(
-            request=internal_req,
+        internal_req, target = await _authorize_and_resolve(
+            request,
+            authenticated_user=authenticated_user,
+            container=container,
             registry=registry,
             access_token=access_token,
-            control_plane_url=get_runtime_context().config.control_plane_url,
         )
         payloads = [
             payload
@@ -2680,41 +2836,14 @@ def _build_agent_router(
         auth = http_request.headers.get("Authorization", "")
         access_token = auth.removeprefix("Bearer ").strip() or None
 
-        expected_action = _expected_execution_action(request)
-
-        try:
-            validate_execution_grant(request, expected_action=expected_action)
-        except ExecutionGrantViolation as exc:
-            _emit_audit_event(
-                container,
-                "warning",
-                "grant_validation_failed",
-                agent_instance_id=request.agent_instance_id,
-                user_id=request.effective_user_id(),
-                action=expected_action.value,
-                reason=str(exc),
-            )
-            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=str(exc))
-        if request.execution_grant is not None:
-            _emit_audit_event(
-                container,
-                "info",
-                "grant_validated",
-                agent_instance_id=request.agent_instance_id,
-                user_id=request.effective_user_id(),
-                action=expected_action.value,
-            )
-        _validate_grant_user_correlation(request, authenticated_user, container)
-        await _validate_session_checkpoint_access(request)
-
         exchange_id = str(uuid4())
         turn_start = time.monotonic()
-        internal_req = _to_internal_request(request)
-        target = await _resolve_agent_instance(
-            request=internal_req,
+        internal_req, target = await _authorize_and_resolve(
+            request,
+            authenticated_user=authenticated_user,
+            container=container,
             registry=registry,
             access_token=access_token,
-            control_plane_url=get_runtime_context().config.control_plane_url,
         )
         payloads = [
             payload
@@ -2779,7 +2908,7 @@ def _build_agent_router(
 
         POST <configured base_url>/agents/execute/stream
         Authorization: Bearer <user JWT>
-        Body: RuntimeExecuteRequest (agent_instance_id + execution_grant for managed exec)
+        Body: RuntimeExecuteRequest (agent_instance_id + runtime_context.team_id for managed exec)
         Response: text/event-stream, each `data:` line is a RuntimeEvent JSON
 
         Stream termination:
@@ -2807,40 +2936,12 @@ def _build_agent_router(
         auth = http_request.headers.get("Authorization", "")
         access_token = auth.removeprefix("Bearer ").strip() or None
 
-        expected_action = _expected_execution_action(request)
-
-        # Validate ExecutionGrant for managed execution paths
-        try:
-            validate_execution_grant(request, expected_action=expected_action)
-        except ExecutionGrantViolation as exc:
-            _emit_audit_event(
-                container,
-                "warning",
-                "grant_validation_failed",
-                agent_instance_id=request.agent_instance_id,
-                user_id=request.effective_user_id(),
-                action=expected_action.value,
-                reason=str(exc),
-            )
-            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=str(exc))
-        if request.execution_grant is not None:
-            _emit_audit_event(
-                container,
-                "info",
-                "grant_validated",
-                agent_instance_id=request.agent_instance_id,
-                user_id=request.effective_user_id(),
-                action=expected_action.value,
-            )
-        _validate_grant_user_correlation(request, authenticated_user, container)
-        await _validate_session_checkpoint_access(request)
-
-        internal_req = _to_internal_request(request)
-        target = await _resolve_agent_instance(
-            request=internal_req,
+        internal_req, target = await _authorize_and_resolve(
+            request,
+            authenticated_user=authenticated_user,
+            container=container,
             registry=registry,
             access_token=access_token,
-            control_plane_url=get_runtime_context().config.control_plane_url,
         )
         return StreamingResponse(
             _stream(
@@ -2942,6 +3043,16 @@ def create_agent_app(
             from fred_core.security.oidc import initialize_user_security
 
             initialize_user_security(user_security)
+        if security is not None:
+            # Enforce the hardened profile (C3) at startup — fails closed.
+            from fred_core.security.oidc import apply_security_profile
+
+            apply_security_profile(security)
+        # Pod-side authorization engine (RUNTIME-07 rev. 2). The pod authorizes
+        # every execution against OpenFGA; a disabled/Noop engine (dev) means
+        # identity-only. Safe in all modes — the factory returns a Noop with a
+        # KeycloackDisabled admin client when user/m2m auth is off.
+        rebac_engine = rebac_factory(security) if security is not None else None
         chat_factory = _build_chat_model_factory(config)
         await container.initialize_sql()
         container.start_metrics_exporter()
@@ -2963,6 +3074,10 @@ def create_agent_app(
                     history_store=history_store,
                     mcp_configuration=config.get_mcp_configuration(),
                     control_plane_url=config.platform.control_plane_url,
+                    rebac_engine=rebac_engine,
+                    security_profile=(
+                        security.profile if security is not None else None
+                    ),
                     kpi_writer=container.get_kpi_writer(),
                 )
             )
@@ -3019,10 +3134,19 @@ def create_agent_app(
     app.include_router(api_router)
 
     if config.app.openai_compat:
+        # F-A: the OpenAI-compat surface executes by agent_id (direct template),
+        # which is forbidden under c3. Fail closed rather than expose it there.
+        if security is not None and security.profile == "c3":
+            raise RuntimeError(
+                "security.profile='c3' forbids the OpenAI-compat surface: "
+                "/v1/chat/completions executes by agent_id (direct template), "
+                "which is not permitted under c3. Set app.openai_compat=false."
+            )
         from .openai_compat_router import create_openai_compat_router
 
         openai_router = create_openai_compat_router(
-            registry, security_enabled=security_enabled
+            registry,
+            security_enabled=security_enabled,
         )
         app.include_router(openai_router, prefix="/v1")
         logger.info("[fred-runtime] OpenAI-compat endpoints enabled at /v1")

{fred_runtime-3.1.0 → fred_runtime-3.3.0}/fred_runtime/app/config.py

@@ -121,7 +121,7 @@ class PodAppConfig(BaseModel):
         ),
     )
     gcu_version: str | None = None
-    openai_compat: bool = True
+    openai_compat: bool = False
     """
     Enable the OpenAI-compatible /v1/chat/completions and /v1/models endpoints.
 
@@ -134,9 +134,12 @@ class PodAppConfig(BaseModel):
     citations, HITL) is carried in a top-level `fred` key on each SSE chunk
     and silently ignored by standard OpenAI clients.
 
-    Enabled by default — agent pods should be reachable from any OpenAI-
-    compatible client without explicit configuration.  Set to false in pods
-    that should not advertise an OpenAI surface (e.g. internal workers).
+    OFF by default (RUNTIME-07 rev. 2, finding F-A): this surface executes by
+    `agent_id` (direct template), which is forbidden under the c3 profile, and it
+    must be authorized per request. When enabled it is gated by the same Keycloak
+    JWT + pod-side OpenFGA check (requires the `X-Fred-Team-Id` header). The c3
+    profile FAILS CLOSED at startup if this surface is enabled (see
+    `apply_security_profile`). Enable only for dev / eval harnesses.
     """
 
 
@@ -288,7 +291,8 @@ class PodPlatformConfig(BaseModel):
 
     How to use it:
     - set `control_plane_url` when the pod should accept `agent_instance_id`
-      execution requests
+      execution requests (the pod resolves the instance's template+tuning from
+      the control-plane team-scoped binding)
 
     Example:
     - `PodPlatformConfig(control_plane_url="http://localhost:8222/control-plane/v1")`