Skip to main content
Every strict package declares a permissionBoundary. The default posture is read-only, no BudsCollab filesystem access, no network access, and only declared exported data classes. Required fields:
  • budscollabLocalFilesystemAccess: always false.
  • externalAppLocalFilesystemAccess: none or user-selected-repo.
  • exportedDataClasses: sanitized data classes the package may return to the host.
  • networkAccess: none or declared-origins.
  • writePolicy: read-only or confirmed-writes-with-audit.
  • auditLog: required or not-required.
Read-only packages must use writePolicy: "read-only". Packages with write or mutating tools must use confirmed-writes-with-audit and auditLog: "required". Custom renderers also need a renderer boundary. Use json-render-only for the safe default lane. Use isolated-external-renderer only when the artifact needs custom rendering and has declared origins plus sandbox isolation.