From 233bfc986b83e291c10d0214ddc16682e595f9cb Mon Sep 17 00:00:00 2001
From: echobt <mathis.massimino+echo@cortex.foundation>
Date: Wed, 11 Feb 2026 07:56:59 +0000
Subject: [PATCH] fix(broker): allow term-llm-reviewer image tag in build
 policy

Add term-llm-reviewer: prefix to the allowed image tags list alongside
term-compiler: and ghcr.io/ prefixes. This fixes the policy violation
error when building LLM reviewer images for agent evaluation.
---
 crates/secure-container-runtime/src/broker.rs | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/crates/secure-container-runtime/src/broker.rs b/crates/secure-container-runtime/src/broker.rs
index 21d1e87c..3c86c226 100644
--- a/crates/secure-container-runtime/src/broker.rs
+++ b/crates/secure-container-runtime/src/broker.rs
@@ -876,9 +876,12 @@ impl ContainerBroker {
         use bollard::image::BuildImageOptions;
 
         // Verify policy allows building this tag
-        // For now, only allow term-compiler images or specific tags
+        // Allow term-compiler, term-llm-reviewer, and ghcr.io images
         // This is a basic check, could be expanded in SecurityPolicy
-        if !tag.starts_with("term-compiler:") && !tag.starts_with("ghcr.io/") {
+        if !tag.starts_with("term-compiler:")
+            && !tag.starts_with("term-llm-reviewer:")
+            && !tag.starts_with("ghcr.io/")
+        {
             let err = format!("Image tag not allowed: {}", tag);
             self.audit(
                 AuditAction::ImageBuild,