From f9bd8505c94648fcc1921fb37bb67e09a8dd0ed2 Mon Sep 17 00:00:00 2001
From: Ed_
Date: Thu, 18 Jun 2026 14:41:26 -0400
Subject: [PATCH] docs(tier2): workflow.md hard bans - AppData denied (no exception)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Updated conductor/workflow.md §'Tier 2 Autonomous Sandbox' hard bans table. The 'File access outside Tier 2 clone + app-data dir' row now says: 'File access outside Tier 2 clone (AppData, Temp, Documents, etc. all denied at the OpenCode * level + targeted *AppData\\\\* deny)'. Per the user's 2026-06-18 'NEVER USE APPDATA' directive.

Refs: conductor/tracks/tier2_no_appdata_20260618
---
 conductor/workflow.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conductor/workflow.md b/conductor/workflow.md
index 614566db..dcb882a0 100644
--- a/conductor/workflow.md
+++ b/conductor/workflow.md
@@ -383,7 +383,7 @@ The Tier 2 autonomous mode is the unattended execution mode for tracks. See `doc
 | `git checkout*` (any form) | `permission.bash` deny rule | n/a | `post-checkout` hook logs the checkout |
 | `git restore*` (any form) | `permission.bash` deny rule | n/a | n/a |
 | `git reset*` (any form) | `permission.bash` deny rule | n/a | n/a |
-| File access outside Tier 2 clone + app-data dir | `permission.read`/`write` path allowlist | Windows restricted token + ACLs | n/a |
+| File access outside Tier 2 clone (AppData, Temp, Documents, etc. all denied at the OpenCode `*` level + targeted `*AppData\\*` deny) | `permission.read`/`write` path allowlist | Windows restricted token + ACLs | n/a |
 
 ### Review and merge workflow (user-side)
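Review bot: the rewritten first cell in the `+` row now names two mechanisms (a deny at the OpenCode `*` level plus a targeted `*AppData\\*` deny) while the Mechanism column of the same row still reads `permission.read`/`write` path allowlist; say which of the three is the primary control for a path such as Temp or Documents, because a reader of this table cannot tell whether a non-allowlisted path is blocked by the allowlist, by the `*` deny, or only by the AppData pattern. The commit message quotes the pattern as `*AppData\\\\*` but the row carries `*AppData\\*`, so state which literal the config actually holds, and note in the row that a backslash glob only matches Windows-style paths. The long parenthetical also makes the first column hard to scan; a shorter cell such as "File access outside the Tier 2 clone (no AppData exception)" with the list of denied directories in a note under the table would keep the hard-bans table readable.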