Problem/Motivation

The require_workspace setting is exposed as editable configuration via a settings form at /admin/config/content/entity-blueprint. With the addition of AI config editing tools (entity_blueprint_config), an LLM agent could disable workspace enforcement by modifying this config — effectively jailbreaking the workspace safety boundary that prevents direct-to-live content changes.

The setting has no legitimate reason to be toggled at runtime: if the workspaces module is enabled, content changes should always require an active workspace. Making this configurable introduces an unnecessary attack surface.

Comments

tim bozeman created an issue. See original summary.

tim bozeman’s picture

Status: Reviewed & tested by the community » Fixed

Now that this issue is closed, review the contribution record.

As a contributor, attribute any organization that helped you, or if you volunteered your own time.

Maintainers, credit people who helped resolve this issue.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.