# Ticket: Boundary Enforcement

## Ticket Information

- **ID**: TICKET-044
- **Title**: Boundary Enforcement
- **Type**: Feature
- **Priority**: High
- **Status**: Backlog
- **Track**: Safety/Memory
- **Milestone**: Milestone 3 - Memory, Reminders, Safety
- **Created**: 2024-01-XX

## Description

Implement boundary enforcement:
- Separate credentials and config (different .env files, service accounts, key stores)
- Network-level separation (dedicated containers/namespaces, firewall rules)
- Prevent family agent from reaching work repos
- Static policy checks (lint/CI rules rejecting cross-access merges)

## Acceptance Criteria

- [ ] Separate credentials/config for family vs work
- [ ] Network separation implemented
- [ ] Firewall rules preventing cross-access
- [ ] Static policy checks (lint/CI)
- [ ] Family agent cannot access work repos
- [ ] Policy violations caught automatically

## Technical Details

Separation strategies:
- Config: separate .env files, key stores
- Network: containers, namespaces, VLANs
- Firewall: block family agent from work repo paths
- CI: lint rules checking for cross-access code

## Dependencies

- TICKET-002 (repo structure)
- TICKET-003 (safety constraints)
- TICKET-004 (architecture)

## Related Files

- `home-voice-agent/safety/boundaries/` (to be created)
- `.github/workflows/policy-check.yml` (to be created)

## Notes

Can proceed in parallel with most tool work. Critical for safety.