feat(security): runtime scope policy enforcement for agent tools#3
Merged
Add ScopePolicyConfig and ScopedRepo structs to config schema with:
- enabled (bool, default false)
- allowed_repos (Vec<ScopedRepo> with non-empty paths validation)
- allowed_http_domains, allowed_file_paths, scoped_commands
- Default scoped_commands: ["gh", "gcloud"]
- Validation bail! for empty paths in allowed_repos
- 4 unit tests: default values, TOML parsing, validation, missing section
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add ScopePolicy struct with check_http_url, check_shell_command, check_git_repo, and check_file_path methods. Compiled from ScopePolicyConfig via from_config(). All methods short-circuit when policy is disabled. 16 unit tests covering allowed, denied, and disabled scenarios for each check method.
Wire ScopePolicy construction and passing in all_tools_with_runtime and default_tools_with_runtime. Register scope_check module. Teammates will implement the tool structs to accept the new parameter. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add scope policy check in HttpRequestTool.execute() before validate_url(). Accepts Option<Arc<ScopePolicy>> in constructor. Logs warn on violation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add ScopePolicy to ShellTool. check_shell_command runs before rate limit. Unscoped commands pass through. Existing tests updated for new constructor signatures. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Advisory tool wrapping ScopePolicy check methods. The LLM calls scope_check with action_type (http|shell|git|file) and target to pre-validate actions before execution.
Returns structured JSON {allowed, reason}. When scope_policy is None, returns allowed=true with "scope policy not configured".
Includes unit tests for all action types, enabled/disabled policy, missing policy, unknown action type, and missing parameters.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add Option<Arc<ScopePolicy>> to FileWriteTool and FileEditTool. check_file_path is called before the autonomy check (can_act), refusing paths outside allowed_file_paths. Existing tests pass with scope=None. New tests cover denied (/etc/) and allowed (/zeroclaw-data/workspace/) paths. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Remove user_agent field from HttpRequestTool (not in AdeptMind/master)
- Export ScopePolicyConfig and ScopedRepo from config module
- Drop coordination/syscall/WasmRuntime references (artemislab-only)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
franciscofregona approved these changes, Mar 11, 2026
Summary
- `[scope_policy]` config section to whitelist allowed repos, HTTP domains, file paths, and scoped commands
- `ScopePolicy` runtime validator with 4 check methods (`check_http_url`, `check_shell_command`, `check_git_repo`, `check_file_path`)
- Checks wired into the tools (`http_request`, `shell`, `git_operations`, `file_write`, `file_edit`) — hard block before any side-effect
- `scope_check` tool for LLM pre-flight verification

Motivation
Prompt-based guardrails are not sufficient for production agent deployments. This PR adds runtime enforcement so that even if the LLM ignores instructions, the tool layer refuses to execute out-of-scope actions with an explicit error message.
Files changed (12)
- src/config/schema.rs (`ScopePolicyConfig`, `ScopedRepo` structs, validation)
- src/config/mod.rs
- src/security/scope_policy.rs
- src/security/mod.rs
- src/tools/scope_check.rs
- src/tools/mod.rs
- src/tools/http_request.rs
- src/tools/shell.rs
- src/tools/git_operations.rs
- src/tools/file_write.rs
- src/tools/file_edit.rs
- src/onboard/wizard.rs

Test plan
- `ScopePolicyConfig` parsing tests (valid TOML, invalid TOML, defaults) — 4 tests
- `ScopePolicy` check methods (allowed, denied, disabled) — 16 tests
- `ScopeCheckTool` advisory responses — 14 tests
- `scope_policy: None` preserves existing tool behavior
- `cargo check` passes cleanly (verified locally)

🤖 Generated with Claude Code
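As an illustration of the enforcement semantics the PR describes (added here; this is not the project's code), the Rust sketch below shows how `check_http_url` and `check_file_path` could be implemented together with the edge cases a reviewer would want covered: userinfo in URLs (`https://allowed@other/`), dot-boundary domain matching, and `..` / directory-boundary handling for paths. Field names follow the PR; the struct internals, the `Decision` type and the sample config values are assumptions.

```rust
use std::path::{Component, Path};

/// Illustrative config mirroring the PR's field names (not the project's schema).
#[derive(Debug, Clone, Default)]
pub struct ScopePolicyConfig {
    pub enabled: bool,                    // default false, as in the PR
    pub allowed_http_domains: Vec<String>,
    pub allowed_file_paths: Vec<String>,
}

/// Shaped like the PR's `{allowed, reason}` scope_check response.
#[derive(Debug, PartialEq)]
pub struct Decision { pub allowed: bool, pub reason: String }

pub struct ScopePolicy { cfg: ScopePolicyConfig }

impl ScopePolicy {
    pub fn from_config(cfg: ScopePolicyConfig) -> Self { Self { cfg } }
    fn allow(r: &str) -> Decision { Decision { allowed: true, reason: r.to_string() } }
    fn deny(r: String) -> Decision { Decision { allowed: false, reason: r } }

    /// Extract the host after stripping userinfo and port, then require an exact
    /// or dot-boundary subdomain match (so `notapi.example` does not match `api.example`).
    pub fn check_http_url(&self, url: &str) -> Decision {
        if !self.cfg.enabled { return Self::allow("scope policy disabled"); }
        let Some((_, rest)) = url.split_once("://") else {
            return Self::deny(format!("not an absolute URL: {url}"));
        };
        let authority = rest.split(['/', '?', '#']).next().unwrap_or("");
        let host = authority.rsplit('@').next().unwrap_or("");      // drop user:pass@
        let host = host.split(':').next().unwrap_or("").to_ascii_lowercase(); // drop :port
        if host.is_empty() { return Self::deny(format!("no host in URL: {url}")); }
        let ok = self.cfg.allowed_http_domains.iter().any(|d| {
            let d = d.to_ascii_lowercase();
            host == d || host.ends_with(&format!(".{d}"))
        });
        if ok { Self::allow("host in allowed_http_domains") }
        else { Self::deny(format!("host {host} not in allowed_http_domains")) }
    }

    /// Paths must be absolute and normalized (no `..`/`.`), and sit under an allowed
    /// root at a component boundary: `/data/workspace2` does not match `/data/workspace`.
    /// Symlinks are not resolved here; a real tool should canonicalize before checking.
    pub fn check_file_path(&self, path: &str) -> Decision {
        if !self.cfg.enabled { return Self::allow("scope policy disabled"); }
        let p = Path::new(path);
        if !p.is_absolute() || p.components().any(|c| matches!(c, Component::ParentDir | Component::CurDir)) {
            return Self::deny(format!("path must be absolute and normalized: {path}"));
        }
        if self.cfg.allowed_file_paths.iter().any(|root| p.starts_with(Path::new(root))) {
            Self::allow("path under allowed_file_paths")
        } else { Self::deny(format!("path {path} outside allowed_file_paths")) }
    }
}
```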