
chore: deprecate policies/default.yaml — registry-first first-boot policy #60

Merged: knhn1004 merged 1 commit into main from chore/deprecate-default-policy on May 5, 2026

knhn1004 (Collaborator) commented May 5, 2026

Why

Per docs/guide/policies.md (merged in PR #47), the project pivoted to a registry-first policy story — operators install rules from `openagentlock/rules` instead of inheriting five hardcoded gates from a bundled YAML. This PR finishes that pivot at the file/Dockerfile/README level.

What

  • Delete `policies/default.yaml`. No longer the source of truth.
  • Dockerfile — drop the `COPY policies/default.yaml` and the `AGENTLOCK_POLICY=...` env. Add a comment explaining the registry-first expectation.
  • `control-plane/cmd/control-plane/main.go` — keep the minimal in-binary fallback (single `rogue.destructive-bash` gate, monitor mode) so a zero-conf `docker run` still has some policy to attest sessions against. Comment updated to point operators at `agentlock rules sync` + `agentlock rules install`.
  • README.md — replace the "five gates" table with a "Policy — registry-first" section walking through `agentlock rules sync` + `agentlock rules install` + private-registry tap.
  • docs/index.md — gate-card for "Five baseline gates" rewritten to "Registry-first policy".
  • docs/guide/policies.md — "The five built-in defaults" subsection rewritten to "First-boot policy" with a recommended starter set of registry installs.

Backward compat

  • A daemon with no `AGENTLOCK_POLICY` env still starts cleanly. Existing deployments that mount `policies/default.yaml` and pass `AGENTLOCK_POLICY=/path` continue to work — the loader still honors the env var; only the bundled file goes away.
  • Existing custom policy files: zero impact.
  • Anyone reading `policies/default.yaml` from the docker image: this path is gone. Need to either pin a version, vendor the old YAML, or migrate to `agentlock rules install`.

Test plan

  • `go vet ./...` clean (control-plane)
  • `bun run typecheck` clean (cli)
  • `mkdocs build --strict` clean
  • CI green
  • Manual: `docker run ghcr.io/openagentlock/agentlockd:latest` boots without AGENTLOCK_POLICY set, falls back to in-binary policy

🤖 Generated with Claude Code

…licy

Remove the bundled five-gate policies/default.yaml. The Dockerfile no
longer COPYs it, no longer sets AGENTLOCK_POLICY by default, and the
daemon falls back to its built-in minimal policy in main.go (single
rogue.destructive-bash gate, monitor mode) so every session still has
a non-empty policy hash to attest against.

Operators are expected to populate real coverage from the
openagentlock/rules registry:

  agentlock rules sync
  agentlock rules install rogue.destructive-bash
  agentlock rules install rogue.secret-read
  agentlock rules install rogue.net-egress
  ...

This matches the pivot already documented in docs/guide/policies.md
(merged earlier as PR #47): rules-registry-first, not five-fixed-gates.
The README "five gates" section, docs/index.md gate-card, and
docs/guide/policies.md are all rewritten around the registry-first
flow. The minimal in-binary fallback survives so a daemon spun up
zero-conf via `docker run ghcr.io/openagentlock/agentlockd:latest`
still has *some* policy to attest sessions against.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
knhn1004 merged commit 3b4e3c2 into main on May 5, 2026
5 checks passed
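
An added example, not the project's code: one way a loader could resolve the policy as this PR describes (`AGENTLOCK_POLICY` honored when set, in-binary fallback otherwise) and report the source and hash, so an operator can tell when a daemon is running on the monitor-only fallback. `ResolvePolicy`, the YAML body of the fallback, and the choice to fail on a set-but-unreadable path are assumptions of this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// fallbackPolicy is a constructed stand-in for the in-binary minimal policy
// (one rogue.destructive-bash gate in monitor mode); the real schema may differ.
const fallbackPolicy = "gates:\n  - id: rogue.destructive-bash\n    mode: monitor\n"

// ResolvedPolicy records which bytes were loaded, from where, and their hash.
type ResolvedPolicy struct {
	Source string // "env:<path>" or "builtin-fallback"
	Body   []byte
	Hash   string // hex SHA-256 of Body
}

// ResolvePolicy (hypothetical helper) honors AGENTLOCK_POLICY when set and
// uses the built-in fallback only when it is unset. A set-but-unreadable path
// is an error, so a stale path never silently downgrades to the fallback.
func ResolvePolicy(getenv func(string) string, readFile func(string) ([]byte, error)) (ResolvedPolicy, error) {
	path := getenv("AGENTLOCK_POLICY")
	src, body := "builtin-fallback", []byte(fallbackPolicy)
	if path != "" {
		b, err := readFile(path)
		if err != nil {
			return ResolvedPolicy{}, fmt.Errorf("AGENTLOCK_POLICY=%q: %w", path, err)
		}
		if len(b) == 0 {
			return ResolvedPolicy{}, errors.New("AGENTLOCK_POLICY points at an empty file")
		}
		src, body = "env:"+path, b
	}
	sum := sha256.Sum256(body)
	return ResolvedPolicy{Source: src, Body: body, Hash: hex.EncodeToString(sum[:])}, nil
}

func main() {
	p, err := ResolvePolicy(os.Getenv, os.ReadFile)
	if err != nil {
		fmt.Fprintln(os.Stderr, "policy load failed:", err)
		os.Exit(1)
	}
	fmt.Printf("policy source=%s sha256=%s\n", p.Source, p.Hash)
}
```

Alerting on `source=builtin-fallback` in startup logs is a simple way to catch deployments that lost their policy file when the bundled YAML went away.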