Part of the metadata liveness audit umbrella #1878 (P0 security cluster).
Problem
Flow runAs never switches execution identity. The service-automation engine ignores it, so a flow declaring runAs: system does not elevate, and one declaring a restricted identity does not de-elevate. Steps execute as whatever the triggering context already was — a privilege-boundary surprise in both directions.
Decision required (enforce or remove)
- Enforce: have the engine establish the declared identity/permission context for the duration of the run (and restore it afterward), respecting
runAs: system vs a named principal.
- Remove: drop
runAs from FlowSchema if identity switching is not going to be implemented, and document that flows always run as the trigger's identity.
Evidence
docs/audits/2026-06-flowschema-property-liveness.md
service-automation engine (runAs unconsumed)
Part of the metadata liveness audit umbrella #1878 (P0 security cluster).
Problem
Flow
runAsnever switches execution identity. Theservice-automationengine ignores it, so a flow declaringrunAs: systemdoes not elevate, and one declaring a restricted identity does not de-elevate. Steps execute as whatever the triggering context already was — a privilege-boundary surprise in both directions.Decision required (enforce or remove)
runAs: systemvs a named principal.runAsfromFlowSchemaif identity switching is not going to be implemented, and document that flows always run as the trigger's identity.Evidence
docs/audits/2026-06-flowschema-property-liveness.mdservice-automationengine (runAs unconsumed)