feat(arch): Add Guard Rails capability-based permission system design

Guard Rails complement Quality Rails by controlling what agents can do: - Capability-based permissions (resource:action pattern) - Read/organize/draft allowed by default - Execute/admin require explicit grants - Human-in-the-loop approval for sensitive actions Examples: email (read/draft ✅, send ❌), git (commit ✅, force push ❌) Also: - Add .admin-credentials and .env.bak.* to .gitignore Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 00:25:53 -06:00
parent 98f80eaf51
commit 8c8d065cc2
2 changed files with 457 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -33,6 +33,10 @@ Thumbs.db
 .env.development.local
 .env.test.local
 .env.production.local
+.env.bak.*
+
+# Credentials (never commit)
+.admin-credentials

 # Testing
 coverage