bot-bottle/docs/decisions/0002-agent-identity-claimed-not-vouched.md

ADR 0002: Agent-set git identity is claimed, not vouched

• Status: Accepted
• Date: 2026-05-28
• Deciders: didericis

Context

PRD 0027 lifts git.user (name/email) to the agent layer, so an agent file may declare its own commit identity. Agent files can live in $CWD/.bot-bottle/agents/ — i.e. they can be supplied by a cloned, less-trusted repository. That raises the question of whether a repo-supplied agent setting its own git identity is a security concern, and whether agent identity should be gated differently for $CWD agents than for $HOME agents.

This record exists because the decision is a trust posture worth finding on its own, separate from the feature PRD that introduced it. The full analysis lives in PRD 0027; the decision is summarized here.

Decision

Allow agents to set git.user, and treat an agent-declared identity as claimed, not vouched. No $CWD-vs-$HOME gating on the identity field. git.remotes stays bottle-only (home-only).

Consequences

• A cloned repo's agent file can present any commit author name/email, including one that reads like a real person's. This is accepted: git authorship is not a credential (push auth is the bottle's remote key/token), is already forgeable from inside the bottle at runtime (git config user.email …), and was never a trust anchor.
• If attribution integrity ever matters, the answer is commit signing (SSH/GPG), not the author field — so this decision closes no door that was open.
• git.remotes is deliberately not lifted to the agent layer: it carries credentials and host trust (IdentityFile, KnownHostKey) and remains a bottle-only, home-only concern.
• Revisit if a future change ever makes commit identity load-bearing (e.g. enforced signing keyed on author), at which point gating $CWD-supplied identities would matter.

Links

• PRD 0027 (docs/prds/0027-agent-git-user-identity.md) — full trust analysis and schema.
• Issue #94, PR #95 — the feature this decision was made for.