Platform contract: toolkit-bound file assets + agent file output
Why
Toolkits increasingly need to (a) attach a file at agent-configuration time and
(b) produce a file for the user at runtime. Today each feature invents its own
storage location, access rules, and download path. This issue defines that once,
as a reusable contract, and validates it with the PPT Filler epic as first consumer.
What this issue decides (the seam)
- Asset location — canonical path/namespace for a config-time toolkit asset,
built on the unified filesystem (the four roots), with the one-asset-per-agent
key convention.
- Permission model — who may upload/replace a toolkit asset, who may read it,
and who may read an agent's generated output (ReBAC-governed).
- Download authorization — generated output is returned as a signed,
short-TTL, session-authenticated LinkPart(kind="download").
What stays out of scope here
All PPT-specific logic — parsing, the placeholder grammar, the fill traversal,
the per-slide schema — lives in the consumer epic and is unchanged.
First consumer
The ToolkitAssetProcessor and ppt_filler work (#1830–#1834) consumes this
contract: its asset storage and runtime output resolve to the locations and
permissions defined here instead of defining their own.
Done when
Platform contract: toolkit-bound file assets + agent file output
Why
Toolkits increasingly need to (a) attach a file at agent-configuration time and
(b) produce a file for the user at runtime. Today each feature invents its own
storage location, access rules, and download path. This issue defines that once,
as a reusable contract, and validates it with the PPT Filler epic as first consumer.
What this issue decides (the seam)
built on the unified filesystem (the four roots), with the one-asset-per-agent
key convention.
and who may read an agent's generated output (ReBAC-governed).
short-TTL, session-authenticated
LinkPart(kind="download").What stays out of scope here
All PPT-specific logic — parsing, the placeholder grammar, the fill traversal,
the per-slide schema — lives in the consumer epic and is unchanged.
First consumer
The
ToolkitAssetProcessorandppt_fillerwork (#1830–#1834) consumes thiscontract: its asset storage and runtime output resolve to the locations and
permissions defined here instead of defining their own.
Done when
RUNTIME-EXECUTION-CONTRACT.md.
storage + download instead of ad-hoc phrasing.