# Boundary & Risk Card

Project: microsoft/agent-lightning

## Doramagic Trial Decision

Current decision: it can enter pre-publication recommendation checks. First use should still start with least privilege, a temporary directory, and reversible configuration.

## What The User Can Do Now

- Read the Human Manual first to understand the project purpose and main workflows.
- Use Prompt Preview for pre-install exploration; it validates interaction shape, not real execution.
- Run official Quick Start commands only inside an isolated environment, not a primary setup.

## Do Not Do Yet

- Do not treat Prompt Preview as a real project execution result.
- Do not treat metadata-only validation as sandbox installation validation.
- Do not describe unverified capabilities as supported, working, or safe to install.
- Do not provide production data, private files, real secrets, or primary host configuration on first trial.

## Pre-Install Checklist

- Host AI match: chatgpt
- Official installation entry status: official entry point found
- Isolated temporary directory, temporary host, or container validation: required
- Configuration rollback path: required
- API keys, network access, file access, or host configuration changes: treat as high risk until confirmed
- Installation command, actual output, and failure logs: must be recorded

## Current Blockers

- No blockers.

## Project-Specific Pitfalls

- 能力判断依赖假设 (medium): 假设不成立时，用户拿不到承诺的能力。 Suggested check: 将假设转成下游验证清单。
- 维护活跃度未知 (medium): 新项目、停更项目和活跃项目会被混在一起，推荐信任度下降。 Suggested check: 补 GitHub 最近 commit、release、issue/PR 响应信号。
- 下游验证发现风险项 (medium): 下游已经要求复核，不能在页面中弱化。 Suggested check: 进入安全/权限治理复核队列。
- 存在安全注意事项 (medium): 用户安装前需要知道权限边界和敏感操作。 Suggested check: 转成明确权限清单和安全审查提示。
- 存在评分风险 (medium): 风险会影响是否适合普通用户安装。 Suggested check: 把风险写入边界卡，并确认是否需要人工复核。

## Risk And Permission Notes

- no_demo: medium

## Evidence Gaps

- No structured evidence gaps are currently visible.