# System Constraints

These are non-negotiable guardrails.

---

## 1. Agent Is Authority

The agent:

- Owns filesystem enforcement
- Owns path normalization
- Owns write restrictions
- Owns the upload allowlist
- Owns metadata

The API must NOT duplicate filesystem logic.

---

## 2. Runtime Root Sandbox

No operation may escape the runtime root. All paths are:

- Cleaned
- Symlink-resolved
- Verified to be inside the root

---

## 3. No Symlink Deployment Model

Uploads write directly to the runtime. No:

- staging folders
- symlink injection
- delayed deployment

---

## 4. Metadata Is Hidden

- `.zlh_metadata.json`
- `.zlh-shadow`

These must never be exposed via file APIs.

---

## 5. Upload Allowlist Only

Only:

- `mods/*.jar`
- `world/datapacks/*.zip`

Anything else → 403.

---

## 6. Delete Is Strictly Constrained

No recursive delete. No directory delete. One-level file only.

---

## 7. No Curated Inference

If metadata does not exist:

- `source: null`

Do not assume curated status.

---

## 8. Upload Transport

API upload must:

- Stream
- Not buffer the entire file
- Not use fetch streaming
- Use raw piping

---

## 9. Timeouts

The upload route must use an extended timeout. Other file routes remain short.

---

## 10. Portal Does Not Enforce Security

The portal may validate for UX. The agent enforces the real policy.