Integration codex security review S-1.
KhiveRuntime::authorize(ns) at crates/khive-runtime/src/runtime.rs:359 is pub and mints a NamespaceToken for any namespace with NO gate consultation. When a real Gate impl ships (replacing AllowAllGate), this bypasses the policy decision the moment something like build_edge/link_many calls authorize() internally.
Multi-actor deployments need authorize() to consult the gate. OSS single-user is unaffected.
Integration codex security review S-1.
KhiveRuntime::authorize(ns)atcrates/khive-runtime/src/runtime.rs:359ispuband mints a NamespaceToken for any namespace with NO gate consultation. When a real Gate impl ships (replacing AllowAllGate), this bypasses the policy decision the moment something likebuild_edge/link_manycalls authorize() internally.Multi-actor deployments need authorize() to consult the gate. OSS single-user is unaffected.