diff --git a/Repo-docs-GOVERNMENT-OPERATIONS-VISION.md b/Repo-docs-GOVERNMENT-OPERATIONS-VISION.md index f7d5c73..eb66c86 100644 --- a/Repo-docs-GOVERNMENT-OPERATIONS-VISION.md +++ b/Repo-docs-GOVERNMENT-OPERATIONS-VISION.md @@ -1,4 +1,4 @@ - + > Mirrored from `/mnt/DATA/git/govoplan-core/docs/GOVERNMENT_OPERATIONS_VISION.md`. > Origin: `repository`. @@ -141,6 +141,25 @@ explanations, two-person approval for destructive changes, versioned configuration history, rollback paths, audit events, and maintenance-mode guards. +The initial safety metadata contract lives in +`govoplan_core.core.configuration_safety`. It classifies known configuration +fields as UI-managed or deployment-managed, assigns risk levels, marks secret +handling as reference-only or env-only, and declares dry-run, policy +explanation, audit, approval, rollback-history, maintenance-mode, and RBAC +requirements. Admin UI editors should consume this metadata before exposing +powerful settings. + +The initial executable guardrail path is `plan_configuration_change(...)`, +exposed through: + +- `GET /api/v1/admin/configuration-safety` +- `POST /api/v1/admin/configuration-safety/plan` + +The planner reports missing scopes, dry-run requirements, maintenance-mode +requirements, two-person approval status, secret-reference violations, +rollback-history requirements, policy explanations, and audit event names before +an editor applies a high-impact configuration change. + ## Scalability GovOPlaN should be manually scalable first and automatically scalable where the