@@ -118,6 +118,80 @@ Auditors should expect:
118118- Sensitive runtime values (API keys, Azure endpoints/deployments) are not present in committed
119119 config; they live in ` .env.local ` and are resolved at agent-start time.
120120
121+ ## Machine-Readable Permissions Artifact
122+
123+ ` coding-scaffold permissions write ` generates ` .coding-scaffold/agent-permissions.json ` — a
124+ canonical, machine-readable declaration of what the agent may touch:
125+
126+ ``` json
127+ {
128+ "filesystem" : {
129+ "read" : [" src/**" , " tests/**" , " docs/**" , " ..." ],
130+ "write" : [" src/**" , " tests/**" ],
131+ "deny" : [" .env" , " .env.*" , " secrets/**" , " build/**" , " dist/**" , " ..." ]
132+ },
133+ "shell" : {
134+ "allowed" : [" pytest" , " ruff" , " ..." ],
135+ "requires_approval" : [" rm" , " git push" , " curl" , " wget" , " docker" , " kubectl" ]
136+ },
137+ "network" : " disabled_by_default" ,
138+ "mcp" : {
139+ "remote_servers" : " requires_approval" ,
140+ "unapproved_servers" : " deny"
141+ }
142+ }
143+ ```
144+
145+ The file is reviewable guidance, not enforcement. Coding tools (Claude Code, Codex, OpenCode,
146+ …) read it as authoritative configuration; actual enforcement is the tool's responsibility.
147+ The file is idempotent — re-running ` permissions write ` skips it unless ` --force ` is passed.
148+
149+ ## MCP Governance
150+
151+ The scaffold ships a lightweight review helper for MCP servers (not a full security scanner):
152+
153+ ``` bash
154+ coding-scaffold mcp policy init # write .coding-scaffold/mcp-policy.json
155+ coding-scaffold mcp scan # report findings against the policy
156+ coding-scaffold mcp snapshot # checkpoint the current server set
157+ coding-scaffold mcp diff # report changes since the last snapshot
158+ ```
159+
160+ ` mcp scan ` flags: remote servers, unpinned npm packages, risky launchers (curl-pipe-shell,
161+ sudo, bash -c), broad filesystem access (root or home), unapproved servers (when the policy
162+ has a non-empty approved list), denied servers (as errors), and review-required capabilities.
163+
164+ ` mcp snapshot ` + ` mcp diff ` together let you commit a known-good state and detect drift
165+ in CI. ` mcp diff ` exits non-zero when anything changed since the snapshot, so it can gate
166+ merges that quietly added a server.
167+
168+ ## Skill Pack Governance
169+
170+ Reviewable skills live under ` .coding-scaffold/skills/<name>/ ` :
171+
172+ ```
173+ SKILL.md human-readable contract
174+ manifest.json machine-readable metadata (owner, version, risk_level, capabilities)
175+ scripts/ optional helpers
176+ tests/ optional verification scripts
177+ README.md usage and examples
178+ CHECKSUM sha256(SKILL.md || manifest.json) frozen at approval
179+ ```
180+
181+ ` coding-scaffold skills lint ` checks every skill for:
182+
183+ - broad "always use this" language in SKILL.md
184+ - hidden-instruction phrases (` do not tell the user ` , ` ignore the system prompt ` , …)
185+ - references to network / shell / credential capabilities that aren't declared in the
186+ ` Capabilities required ` section
187+ - missing ` When to use ` or ` Verification ` sections
188+ - missing required manifest fields (name, version, owner, risk_level, description)
189+ - invalid ` risk_level ` (must be one of low / medium / high / critical)
190+ - placeholder owners (` <your-handle> ` )
191+ - drift since the recorded CHECKSUM (re-run ` skills approve <name> ` after legitimate edits)
192+
193+ ` skills export <name> ` produces a sharable ` tar.gz ` for inter-team reuse.
194+
121195## What this scaffold does not promise
122196
123197- It does not sandbox agent execution.
0 commit comments