Problem
Smooth operatives run inside hardware-isolated microVMs with adversarial surveillance — a strong security boundary at the OS level. However, there is currently no policy layer at the repository level to express rules like:
- "GitHub-issued agents may not modify files under security/ or .github/secrets/"
- "PRs from smooth operatives to production require 2 approvals"
- "Agents authenticated via the ci-bot token have read-only access"
- "Agent-orchestrated changes to Cargo.toml or package.json must be flagged for human review"
Smooth's security model focuses on host isolation (microVM, no Docker, no Node). Adding repository governance would close the gap between "the agent can't escape the VM" and "the agent can't push to main without policy approval."
Proposed feature
A policy file (.github/AGENTOWNERS or smoo-policy.yml) that smooth reads before allowing an operative to open a PR or push a branch. The policy model:
- Agent identity: mapped from the authentication token or OIDC claim used to start the session (the identity established by th model login)
- File paths: glob patterns matching what the agent changed
- Target branch: where the agent is pushing to
- Decision: block / require_approval / allow (when several rules match, the most restrictive decision wins: block > require_approval > allow)
```
# .github/AGENTOWNERS — example
# Block changes to security-sensitive paths
security/** @smooth-operative/* block
.github/secrets/** @smooth-operative/* block
# Production branch requires human review
refs/heads/production @smooth-operative/* require_approval
# Dependency manifests need extra scrutiny
Cargo.toml @smooth-operative/* require_approval
package.json @smooth-operative/* require_approval
```
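To make the policy model concrete, here is a small reference evaluator for the AGENTOWNERS format sketched above. It is an added illustration, not code from smooth or the th CLI; the three-column line layout, the CODEOWNERS-style glob semantics (** spans directories, * stays inside one path segment) and the refs/heads/ prefix for branch rules are assumptions about how the format would be read.

```python
import re
from collections import namedtuple

# Decision precedence from the proposal: block > require_approval > allow.
PRIORITY = {"allow": 0, "require_approval": 1, "block": 2}
# target: a path glob or refs/heads/<branch>; agent: an identity glob such as @smooth-operative/*
Rule = namedtuple("Rule", "target agent decision")

def glob_to_regex(pattern: str) -> re.Pattern:
    # Assumed CODEOWNERS-style glob: ** spans directories, * and ? stay inside one path segment
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] in "*?":
            out.append("[^/]*" if pattern[i] == "*" else "[^/]"); i += 1
        else:
            out.append(re.escape(pattern[i])); i += 1
    return re.compile("^" + "".join(out) + "$")

def parse_policy(text: str) -> list:
    rules = []
    for line in filter(None, (raw.split("#", 1)[0].strip() for raw in text.splitlines())):
        parts = line.split()  # comments and blank lines were dropped by the generator above
        if len(parts) != 3 or parts[2] not in PRIORITY:
            raise ValueError(f"malformed policy line: {line!r}")
        rules.append(Rule(*parts))
    return rules

def evaluate(rules, agent, target_branch, changed_paths):
    # Returns (decision, matched rules); the most restrictive matching decision wins.
    matched = []
    for rule in rules:
        if not glob_to_regex(rule.agent).match(agent):
            continue
        if rule.target.startswith("refs/heads/"):
            hit = glob_to_regex(rule.target).match("refs/heads/" + target_branch)
        else:
            hit = any(glob_to_regex(rule.target).match(p) for p in changed_paths)
        if hit:
            matched.append(rule)
    decision = max((r.decision for r in matched), key=PRIORITY.get, default="allow")
    return decision, matched

# Constructed sample policy, drawn from the example above.
SAMPLE_POLICY = """\
security/** @smooth-operative/* block
refs/heads/production @smooth-operative/* require_approval
Cargo.toml @smooth-operative/* require_approval
"""
```

Returning the matched rules alongside the decision gives the PR check something to cite in its status message, which is what a reviewer needs to see why an operative's push was held for approval.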
Why this fits smooth
Smooth positions itself as "security-first AI agent orchestration." The microsandbox handles infrastructure security — preventing host escape, network exfiltration, data leakage. Repository governance handles operational security — preventing unintended changes to production branches or sensitive files, regardless of how well the agent is sandboxed. These are complementary.
The th CLI already has a plugin architecture (th model, th up, th code). A th policy command or a --policy-file flag on th up would be a natural fit.