Owner checks and model-facing config mutation constraints are tightened for safer operation.
Owner-command and gateway guardrails
Two important safety hardening changes:
- owner-enforced commands now require actual owner identity (or internal operator.admin)
- model-facing gateway config mutation paths are further constrained on trusted/sensitive settings
This reduces accidental privilege drift from permissive fallback paths or model-driven config edits.