reporting-governance: harden artifact root boundary checks

Eve
2026-05-08 10:29:16 +08:00
parent 4f816a93a5
commit 8c7aca145e
4 changed files with 125 additions and 36 deletions


@@ -227,6 +227,7 @@ Architectural meaning:
- storage layer owns loading/package-artifact interpretation
- runtime binding can be derived from the artifact rather than hardcoded entirely in docs
- tests prove the artifact resolves into concrete script and runtime-artifact paths
- `artifact_roots` enforcement is now two-layered for this slice: lexical boundary rejection plus realpath-level symlink escape rejection
This is intentionally still a **minimal verifiable slice**, not the full deployment system.
It proves the package boundary can own profile artifacts and bind them into runtime execution inputs.
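Review bot: the new `artifact_roots` bullet names two layers but leaves the hard case unspecified: what the realpath-level layer does when the candidate artifact path does not exist yet (realpath either fails or resolves only the existing prefix), which is precisely the case the lexical layer cannot cover on its own. State the intended behaviour in the bullet, for example "realpath-level symlink escape rejection, resolved against the deepest existing ancestor when the target is not yet created", or say explicitly that non-existent targets are rejected. Since the preceding bullet says tests prove the artifact resolves, also point to the test that exercises the symlink escape so the "two-layered" claim is verifiable from the docs. Minor: add a blank line between the list and the "This is intentionally still..." paragraph so the list terminates cleanly in rendered markdown.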