# Boundary & Risk Card Project: amitpatole/verel ## Doramagic Trial Decision Current decision: ready for pre-publication recommendation checks. First use should still start with least privilege, a temporary directory, and rollback. ## What The User Can Do Now - Read the Human Manual first to understand purpose and main workflows. - Copy the Prompt Preview for a pre-install trial. This checks interaction feel, not real execution. - Test the official Quick Start command in an isolated environment before using a primary machine. ## What Not To Do Yet - Do not treat Prompt Preview output as an actual project run. - Do not treat metadata-only validation as sandbox install validation. - Do not write unverified capabilities as supported, tested, or safe to install. - Do not provide production data, private files, real secrets, or primary configuration directories on first use. ## Pre-install Checklist - Host AI match: mcp_host, claude, chatgpt - Official install entry state: official entry found - Verification location: temporary directory, temporary host, or container required - Rollback readiness: required - API keys, network access, file writes, or host configuration changes: treat as high risk until confirmed - Install command, actual output, and failure logs: must be recorded ## Current Blockers - No blockers. ## Project-specific Pitfalls - Security or permission risk requires verification (high): Developers may expose sensitive permissions or credentials: verel doctor: report installed extras and key presence - Installation risk requires verification (medium): Developers may fail before the first successful local run: Add a Rust toolchain (cargo test + clippy) to the CI graders - Installation risk requires verification (medium): Upgrade or migration may change expected behavior: v0.28.0 — quorum reads: a point read survives the leader being down - Installation risk requires verification (medium): Upgrade or migration may change expected behavior: v0.29.0 — security hardening: full attack-surface audit + red-team - Installation risk requires verification (medium): Upgrade or migration may change expected behavior: v0.29.1 — security: 3-round adversarial red-team ## Risk And Permission Notes - no_demo: medium ## Evidence Gaps - No structured evidence gaps found.