Skip to content

Commit 8b15b83

Browse files
authored
Merge pull request #58 from JRS1986/feature/governance-and-eval
Priorities 3, 4 & 7: MCP/skill governance, agent permissions, readiness benchmark
2 parents 2ac4c58 + ab14237 commit 8b15b83

12 files changed

Lines changed: 3065 additions & 0 deletions

File tree

CHANGELOG.md

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,36 @@ aims to follow [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
99

1010
### Added
1111

12+
- **Machine-readable agent permissions (`coding-scaffold permissions write`).** Writes
13+
`.coding-scaffold/agent-permissions.json` with the canonical permission shape — filesystem
14+
read/write/deny patterns, shell-command allowlist + approval-required list, network defaults,
15+
and MCP defaults. Idempotent; pass `--force` to regenerate. The `shell.allowed` list is
16+
lightly project-aware (Python projects get `pytest`/`ruff`, Node projects get `npm test`,
17+
etc.). See [Security / Machine-Readable Permissions](docs/wiki/Security.md#machine-readable-permissions-artifact).
18+
- **MCP governance (`coding-scaffold mcp policy init` / `scan` / `snapshot` / `diff`).**
19+
Reviewable team policy at `.coding-scaffold/mcp-policy.json`. The scanner inspects known
20+
MCP-config locations (`opencode.json`, `.claude/settings.json`) and flags remote servers,
21+
unpinned npm packages, risky launchers (curl-pipe-shell, sudo, bash -c), broad filesystem
22+
access (root / home), unapproved servers, denied servers, and review-required capabilities.
23+
`snapshot` + `diff` together let you commit a known-good state and detect drift in CI.
24+
`mcp diff` exits non-zero when anything changed. No commands are executed; no network
25+
calls. See [Security / MCP Governance](docs/wiki/Security.md#mcp-governance).
26+
- **Reviewable skill packs (`coding-scaffold skills new` / `lint` / `approve` / `export`).**
27+
Each skill lives at `.coding-scaffold/skills/<name>/` with `SKILL.md`, `manifest.json`,
28+
optional `scripts/` and `tests/`, and a `CHECKSUM` file frozen at approval time.
29+
`skills lint` flags broad "always use this" language, hidden-instruction phrases,
30+
undeclared capabilities (network / shell / credential), missing required sections, invalid
31+
manifest fields, placeholder owners, and drift since the recorded checksum.
32+
`skills export` bundles a skill into a `tar.gz` for sharing. See
33+
[Security / Skill Pack Governance](docs/wiki/Security.md#skill-pack-governance).
34+
- **Readiness benchmark (`coding-scaffold eval init` / `run` / `report`).** Deterministic
35+
checks that score how prepared a repo is for safe agentic coding: detectable build/test/lint
36+
signals, agent instructions present, policy pack present, non-empty deny list, PR template
37+
present, MCP policy present when MCP is detected, session-trace location available, context
38+
lint clean, and context budget under the limit. No model-intelligence benchmark — purely
39+
observable artifacts. `eval run` writes `.coding-scaffold/eval-report.json` and exits
40+
non-zero when any check fails, so it can gate CI. See
41+
[Team Rollout / Readiness Benchmark](docs/wiki/Team-Rollout.md#readiness-benchmark).
1242
- **Agent-context linter (`coding-scaffold context lint`).** Deterministic, heuristic-only
1343
checker for `AGENTS.md`, `CLAUDE.md`, `llms.txt`, and the `.coding-scaffold/` guidance
1444
docs. Flags vague rules without verifiers, dangerous shell recommendations

docs/wiki/Security.md

Lines changed: 74 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -118,6 +118,80 @@ Auditors should expect:
118118
- Sensitive runtime values (API keys, Azure endpoints/deployments) are not present in committed
119119
config; they live in `.env.local` and are resolved at agent-start time.
120120

121+
## Machine-Readable Permissions Artifact
122+
123+
`coding-scaffold permissions write` generates `.coding-scaffold/agent-permissions.json` — a
124+
canonical, machine-readable declaration of what the agent may touch:
125+
126+
```json
127+
{
128+
"filesystem": {
129+
"read": ["src/**", "tests/**", "docs/**", "..."],
130+
"write": ["src/**", "tests/**"],
131+
"deny": [".env", ".env.*", "secrets/**", "build/**", "dist/**", "..."]
132+
},
133+
"shell": {
134+
"allowed": ["pytest", "ruff", "..."],
135+
"requires_approval": ["rm", "git push", "curl", "wget", "docker", "kubectl"]
136+
},
137+
"network": "disabled_by_default",
138+
"mcp": {
139+
"remote_servers": "requires_approval",
140+
"unapproved_servers": "deny"
141+
}
142+
}
143+
```
144+
145+
The file is reviewable guidance, not enforcement. Coding tools (Claude Code, Codex, OpenCode,
146+
…) read it as authoritative configuration; actual enforcement is the tool's responsibility.
147+
The file is idempotent — re-running `permissions write` skips it unless `--force` is passed.
148+
149+
## MCP Governance
150+
151+
The scaffold ships a lightweight review helper for MCP servers (not a full security scanner):
152+
153+
```bash
154+
coding-scaffold mcp policy init # write .coding-scaffold/mcp-policy.json
155+
coding-scaffold mcp scan # report findings against the policy
156+
coding-scaffold mcp snapshot # checkpoint the current server set
157+
coding-scaffold mcp diff # report changes since the last snapshot
158+
```
159+
160+
`mcp scan` flags: remote servers, unpinned npm packages, risky launchers (curl-pipe-shell,
161+
sudo, bash -c), broad filesystem access (root or home), unapproved servers (when the policy
162+
has a non-empty approved list), denied servers (as errors), and review-required capabilities.
163+
164+
`mcp snapshot` + `mcp diff` together let you commit a known-good state and detect drift
165+
in CI. `mcp diff` exits non-zero when anything changed since the snapshot, so it can gate
166+
merges that quietly added a server.
167+
168+
## Skill Pack Governance
169+
170+
Reviewable skills live under `.coding-scaffold/skills/<name>/`:
171+
172+
```
173+
SKILL.md human-readable contract
174+
manifest.json machine-readable metadata (owner, version, risk_level, capabilities)
175+
scripts/ optional helpers
176+
tests/ optional verification scripts
177+
README.md usage and examples
178+
CHECKSUM sha256(SKILL.md || manifest.json) frozen at approval
179+
```
180+
181+
`coding-scaffold skills lint` checks every skill for:
182+
183+
- broad "always use this" language in SKILL.md
184+
- hidden-instruction phrases (`do not tell the user`, `ignore the system prompt`, …)
185+
- references to network / shell / credential capabilities that aren't declared in the
186+
`Capabilities required` section
187+
- missing `When to use` or `Verification` sections
188+
- missing required manifest fields (name, version, owner, risk_level, description)
189+
- invalid `risk_level` (must be one of low / medium / high / critical)
190+
- placeholder owners (`<your-handle>`)
191+
- drift since the recorded CHECKSUM (re-run `skills approve <name>` after legitimate edits)
192+
193+
`skills export <name>` produces a sharable `tar.gz` for inter-team reuse.
194+
121195
## What this scaffold does not promise
122196

123197
- It does not sandbox agent execution.

docs/wiki/Team-Rollout.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -195,6 +195,37 @@ coding-scaffold team doctor --target .
195195
When the manifest changes, every developer runs `team sync` and reviews the diff before merging
196196
imports into their working knowledge.
197197

198+
## Readiness Benchmark
199+
200+
Once the scaffold is in place, run the readiness benchmark to check whether the repo is
201+
prepared for safe agentic coding:
202+
203+
```bash
204+
coding-scaffold eval init # optional: write .coding-scaffold/eval-config.json
205+
coding-scaffold eval run # execute all enabled checks
206+
coding-scaffold eval report --cached # re-print the most recent report
207+
```
208+
209+
The benchmark runs deterministic checks only — no shell execution, no LLM calls. It looks for:
210+
211+
- a detectable build signal (`pyproject.toml`, `package.json`, `Cargo.toml`, …)
212+
- a test command mentioned in the agent-context files
213+
- a lint configuration file (or a `[tool.ruff]` / `[tool.black]` / `[tool.mypy]` section)
214+
- agent instructions (`AGENTS.md`, `CLAUDE.md`, or `llms.txt`)
215+
- a policy pack under `.coding-scaffold/policy/`
216+
- a non-empty deny list in `agent-permissions.json`
217+
- a PR template under `.github/PULL_REQUEST_TEMPLATE/`
218+
- an MCP policy file *if* MCP config is detected
219+
- a session-trace location
220+
- a clean `context lint` result
221+
- a context budget within the configured token limit
222+
223+
`eval run` writes the report to `.coding-scaffold/eval-report.json` and exits non-zero when
224+
any check fails, so the benchmark can gate CI before AI-assisted PRs are accepted.
225+
226+
The benchmark scores readiness; it does *not* measure model intelligence. The point is to
227+
confirm the repo gives the agent enough to work with — not to rank the agent.
228+
198229
## Pilot Metrics
199230

200231
These are measurement templates, not features. Track them manually during the pilot. If a number

0 commit comments

Comments
 (0)