fix: vault/classify.sh + vault/policy.toml: blast-radius classification engine (#437)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 19:35:33 +00:00 · 2026-04-08 19:35:33 +00:00 · 894c635783
commit 894c635783
parent dd07047635
4 changed files with 95 additions and 0 deletions
--- a/vault/policy.toml
+++ b/vault/policy.toml
@ -0,0 +1,30 @@
+# vault/policy.toml — Blast-radius tier classification for formulas
+#
+# Each formula maps to a tier: "low", "medium", or "high".
+# Unknown formulas default to "high" (default-deny).
+#
+# This file is a template. `disinto init` copies it to
+# $OPS_REPO_ROOT/vault/policy.toml where operators can override tiers
+# per-deployment without a disinto PR.
+
+[tiers]
+# Read-only / internal bookkeeping — no external side-effects
+groom-backlog       = "low"
+triage              = "low"
+reproduce           = "low"
+review-pr           = "low"
+
+# Create issues, PRs, or internal plans — visible but reversible
+dev                 = "medium"
+run-planner         = "medium"
+run-gardener        = "medium"
+run-predictor       = "medium"
+run-supervisor      = "medium"
+run-architect       = "medium"
+upgrade-dependency  = "medium"
+
+# External-facing or irreversible operations
+run-publish-site    = "high"
+run-rent-a-human    = "high"
+add-rpc-method      = "high"
+release             = "high"