A design question from outside the model-supply-chain world, so apologies if the tracker isn't the right home for it, and I'm happy to take it to the OpenSSF Slack instead if that fits better.
We're drafting a manifest format called tome.yaml that bundles AI instruction files (CLAUDE.md, AGENTS.md, .cursorrules, SKILL.md skills) into one portable unit with a lockfile and a security block. The security block declares what the bundle is allowed to do (read files, network, exec, secrets), denies by default, and if you omit the block entirely you get deny-all.
The thing we can't work out from theory is whether a strict default actually holds once authors are under real pressure to ship, or whether it quietly erodes into people pasting the minimum permission stanza needed to silence the validator without ever thinking about it. You've shipped deny-by-default at the model-supply-chain layer for longer than we have, so this is a community whose experience I'd trust over our own guesses.
So I'd appreciate hearing whether the strict default actually held in production, when in the lifecycle pressure to relax it first appeared, and what kept declarations deliberate rather than reflexive: lint, review, public visibility of what was being granted, something else, or simply nothing because it just worked out.
Two sentences of real experience would be massively appreciated. The full request for comment with three other open questions is collected here: tomevault-io/companyos#1, and the spec is at https://tomevault.io/docs/tome-yaml.
A design question from outside the model-supply-chain world, so apologies if the tracker isn't the right home for it, and I'm happy to take it to the OpenSSF Slack instead if that fits better.
We're drafting a manifest format called tome.yaml that bundles AI instruction files (CLAUDE.md, AGENTS.md, .cursorrules, SKILL.md skills) into one portable unit with a lockfile and a security block. The security block declares what the bundle is allowed to do (read files, network, exec, secrets), denies by default, and if you omit the block entirely you get deny-all.
The thing we can't work out from theory is whether a strict default actually holds once authors are under real pressure to ship, or whether it quietly erodes into people pasting the minimum permission stanza needed to silence the validator without ever thinking about it. You've shipped deny-by-default at the model-supply-chain layer for longer than we have, so this is a community whose experience I'd trust over our own guesses.
So I'd appreciate hearing whether the strict default actually held in production, when in the lifecycle pressure to relax it first appeared, and what kept declarations deliberate rather than reflexive: lint, review, public visibility of what was being granted, something else, or simply nothing because it just worked out.
Two sentences of real experience would be massively appreciated. The full request for comment with three other open questions is collected here: tomevault-io/companyos#1, and the spec is at https://tomevault.io/docs/tome-yaml.