Summary
Carry forward the secure-by-default behavior from Corvus so the standalone product does not accidentally widen exposure while centralizing provider credentials.
Why this matters
This is one of the smallest independently shippable slices needed to make the parent issue real without mixing concerns or leaking product logic across layers.
Parent issue
DALLAY-291 Security hardening, observability, and acceptance validation for Rook v1
Scope
- deliver the parent issue slice described in the title
- keep contracts reusable by the other Rook surfaces where applicable
- add or update targeted validation for the new behavior
Acceptance criteria
References
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/auth/profiles.rstmp/2026-04-19-local-first-provider-gateway-prd-rfc.md §5, §15
Summary
Carry forward the secure-by-default behavior from Corvus so the standalone product does not accidentally widen exposure while centralizing provider credentials.
Why this matters
This is one of the smallest independently shippable slices needed to make the parent issue real without mixing concerns or leaking product logic across layers.
Parent issue
DALLAY-291 Security hardening, observability, and acceptance validation for Rook v1
Scope
Acceptance criteria
References
clients/agent-runtime/src/gateway/admin.rsclients/agent-runtime/src/auth/profiles.rstmp/2026-04-19-local-first-provider-gateway-prd-rfc.md §5, §15