Merge pull request 'fix: docs/BLAST-RADIUS.md + vault/SCHEMA.md: document blast-radius tier system (#440)' (#453) from fix/issue-440 into main

docs/BLAST-RADIUS.md

@@ -0,0 +1,25 @@
+# Vault blast-radius tiers
+
+## Tiers
+
+| Tier | Meaning | Dispatch path |
+|------|---------|---------------|
+| low | Revertable, no external side effects | Direct commit to ops main; no human gate |
+| medium | Significant but reversible | PR on ops repo; blocks calling agent until merged |
+| high | Irreversible or high-blast-radius | PR on ops repo; hard blocks |
+
+## Which agents are affected
+
+Vault-blocking applies to: predictor, planner, architect, deploy pipelines, releases, shipping.
+It does NOT apply to dev-agent — dev-agent work is always committed to a feature branch and
+revertable via git revert. Dev-agent never needs a vault gate.
+
+## Default tier
+
+Unknown formulas default to `high`. When adding a new formula, add it to
+`vault/policy.toml` (in ops repo, seeded during disinto init from disinto repo template).
+
+## Per-action override
+
+A vault action TOML may include `blast_radius = "low"` to override the policy tier
+for that specific invocation. Use sparingly — policy.toml is the authoritative source.

vault/SCHEMA.md

@@ -21,6 +21,7 @@ secrets = ["CLAWHUB_TOKEN"]
 model = "sonnet"
 tools = ["clawhub"]
 timeout_minutes = 30
+blast_radius = "low"       # optional: overrides policy.toml tier ("low"|"medium"|"high")
 ```
 
 ## Field Specifications
@@ -41,6 +42,7 @@ timeout_minutes = 30
 | `model` | string | `sonnet` | Override the default Claude model for this action |
 | `tools` | array of strings | `[]` | MCP tools to enable during execution |
 | `timeout_minutes` | integer | `60` | Maximum execution time in minutes |
+| `blast_radius` | string | _(from policy.toml)_ | Override blast-radius tier for this invocation. Valid values: `"low"`, `"medium"`, `"high"`. See [docs/BLAST-RADIUS.md](../docs/BLAST-RADIUS.md) |
 
 ## Secret Names