Council Review: Security Safe-by-Default Guardrails

Decision

Adopt a safe-by-default security baseline that preserves localhost functionality, and require explicit opt-in for high-risk behaviors through profile/config guardrails and targeted compatibility switches.

Evidence Reviewed

Findings

Seat Recommendation Confidence Blocking concern
Source-Grounded Archivist Prioritize remote hardening and transport controls first; evidence already shows warning-only behavior on key remote guardrail. 94% If behavior remains warning-only, operator error can become externally reachable exposure.
Data Model Architect Introduce explicit security profile metadata (safe local, secure remote, custom) and persist profile-derived settings as clear config state. 81% Overloading many boolean flags without profile semantics will keep drift risk high.
Retrieval Specialist Keep read-path functionality unaffected; hardening should target auth, transport, and write approvals without reducing retrieval/search usability. 86% Over-broad restrictions may degrade legitimate wiki retrieval and tool workflows.
Skeptical Reviewer Require proxy-trust and anti-forgery decisions to be test-backed before broad rollout; avoid assumptions based only on local-host behavior. 78% Reverse-proxy and browser threat-model gaps can invalidate local-only assumptions.
Synthesizer Sequence into two sprints: enforce remote+transport baseline first, then close proxy/CSRF/testing/documentation gaps with configurable opt-ins. 89% Must preserve existing localhost workflows and avoid breaking current runbooks.

Synthesis

Dissent

Acceptance Criteria

Open Questions