Foundry defaults: hard-signature profiles and unified default policy

[anand-testcompare]

Why This Exists

Current defaults still drift from real Foundry workflows, especially in compute-heavy repos. We need a policy model that is deterministic, easy to reason about, and easy to maintain.

Locked Decisions (For This Issue)

• Profile detection will use hard signatures only. No soft keyword scoring for classification.
• If no hard signature is found, use a single fallback profile: default.
• Remove the all vs unknown split and do not keep compatibility aliases.
• Tool policy is default-enable from discovered MCP tools, with only explicit deny rules.
• Maintain a complete inventory that includes both mcp_tool and platform_api entries.
• Fix inventory CSV formatting so it opens/loads consistently across common tools.

Scope

In scope:

• Replace heuristic scoring with hard-signature detection.
• Consolidate fallback behavior into one profile (default).
• Keep global agent.foundry.mode = "all" behavior when mode is unset.
• Centralize profile policy defaults in one obvious location.
• Keep setup/rescan output explicit about selected profile and profile source.
• Normalize inventory data files while preserving full API coverage (mcp_tool + platform_api).

Out of scope:

• Decision playbook authoring and docs guidance (tracked in Compute module playbook decision guide constraints and references #23).
• Platform API fallback CLI behavior (tracked in Platform API fallback CLI for unsupported tasks stream-first #28).
• Context7 source catalog workflow (tracked in Context7 source catalog for curated compute examples #29).

Success Criteria

• Hard-signature repos classify deterministically (for example Python transforms and known compute layouts).
• Repos without hard signatures resolve to default.
• all and unknown are removed from active profile selection, with no alias fallback.
• Generated tool defaults are broad-by-default with explicit deny-only policy.
• agent.foundry.mode is set to all only when missing, and explicit user mode is preserved.
• Inventory artifacts remain complete (both mcp_tool and platform_api) and parse cleanly.

High-Level Plan

1. Define hard-signature matcher set and precedence.
2. Replace profile taxonomy to use specific profiles + single default fallback.
3. Apply unified policy generation (default-enable + explicit denies) across setup/bootstrap/rescan.
4. Update command summaries to reflect new profile semantics.
5. Normalize inventory generation/output format and keep full API inventory.
6. Add focused regression coverage and run full verification gates.

Dependencies

• Related: Auto-download Palantir docs database on plugin install (post-install hook) #19 (independent docs bootstrap stream)
• Related: Compute module playbook decision guide constraints and references #23 (playbook/decision guide should reference final profile behavior)