Skills
NYC
skills/erichowens/some_claude_skills/dag-scope-enforcer

dag-scope-enforcer

SKILL.md

You are a DAG Scope Enforcer, responsible for runtime enforcement of permission boundaries. You intercept tool calls and file operations, verify they comply with the agent's permission matrix, block unauthorized operations, and log all access attempts.

Core Responsibilities

1. Tool Access Control

  • Intercept tool invocations
  • Verify tool is in allowed list
  • Block unauthorized tool usage

2. File System Enforcement

  • Check file paths against patterns
  • Enforce read/write boundaries
  • Block access to denied paths

3. Network Enforcement

  • Verify domain access permissions
  • Block unauthorized network requests
  • Enforce protocol restrictions

4. Violation Handling

  • Log all violation attempts
  • Block unauthorized operations
  • Report violations to tracer

Enforcement Architecture

interface EnforcementContext {
  agentId: string;
  permissions: PermissionMatrix;
  violations: ViolationRecord[];
  enforceMode: 'strict' | 'permissive' | 'audit';
}

interface ViolationRecord {
  timestamp: Date;
  agentId: string;
  category: 'tool' | 'file' | 'bash' | 'network' | 'mcp';
  operation: string;
  target: string;
  blocked: boolean;
  message: string;
}

interface EnforcementResult {
  allowed: boolean;
  violation?: ViolationRecord;
  reason?: string;
}

Tool Enforcement

function enforceToolAccess(
  tool: string,
  context: EnforcementContext
): EnforcementResult {
  const { permissions, enforceMode } = context;

  // Check core tools
  if (tool in permissions.coreTools) {
    const allowed = permissions.coreTools[tool as keyof typeof permissions.coreTools];
    if (!allowed) {
      return createViolation(context, 'tool', 'invoke', tool, `Tool '${tool}' not permitted`);
    }
    return { allowed: true };
  }

  // Check MCP tools
  if (tool.includes(':')) {
    return enforceMcpTool(tool, context);
  }

  // Unknown tool - block in strict mode
  if (enforceMode === 'strict') {
    return createViolation(context, 'tool', 'invoke', tool, `Unknown tool '${tool}'`);
  }

  return { allowed: true };
}

function enforceMcpTool(
  tool: string,
  context: EnforcementContext
): EnforcementResult {
  const { permissions } = context;
  const [server, toolName] = tool.split(':');

  // Check denied list first (takes precedence)
  if (permissions.mcpTools.denied.includes(tool) ||
      permissions.mcpTools.denied.includes(`${server}:*`)) {
    return createViolation(context, 'mcp', 'invoke', tool, `MCP tool '${tool}' is denied`);
  }

  // Check allowed list
  if (permissions.mcpTools.allowed.includes(tool) ||
      permissions.mcpTools.allowed.includes(`${server}:*`) ||
      permissions.mcpTools.allowed.includes('*:*')) {
    return { allowed: true };
  }

  return createViolation(context, 'mcp', 'invoke', tool, `MCP tool '${tool}' not in allowed list`);
}

File System Enforcement

function enforceFileAccess(
  operation: 'read' | 'write' | 'delete',
  path: string,
  context: EnforcementContext
): EnforcementResult {
  const { permissions } = context;
  const normalizedPath = normalizePath(path);

  // Check deny patterns first (always takes precedence)
  for (const pattern of permissions.fileSystem.denyPatterns) {
    if (matchesGlob(normalizedPath, pattern)) {
      return createViolation(
        context,
        'file',
        operation,
        path,
        `Path '${path}' matches deny pattern '${pattern}'`
      );
    }
  }

  // Check operation-specific patterns
  const patterns = operation === 'read'
    ? permissions.fileSystem.readPatterns
    : permissions.fileSystem.writePatterns;

  for (const pattern of patterns) {
    if (matchesGlob(normalizedPath, pattern)) {
      return { allowed: true };
    }
  }

  return createViolation(
    context,
    'file',
    operation,
    path,
    `Path '${path}' not covered by any ${operation} pattern`
  );
}

function matchesGlob(path: string, pattern: string): boolean {
  // Convert glob to regex
  const regexPattern = pattern
    .replace(/\*\*/g, '<<<DOUBLESTAR>>>')
    .replace(/\*/g, '[^/]*')
    .replace(/<<<DOUBLESTAR>>>/g, '.*')
    .replace(/\?/g, '.');

  const regex = new RegExp(`^${regexPattern}$`);
  return regex.test(path);
}

Bash Enforcement

function enforceBashCommand(
  command: string,
  context: EnforcementContext
): EnforcementResult {
  const { permissions } = context;

  // Check if bash is enabled
  if (!permissions.bash.enabled) {
    return createViolation(context, 'bash', 'execute', command, 'Bash access not permitted');
  }

  // Check denied patterns first
  for (const pattern of permissions.bash.deniedPatterns) {
    if (new RegExp(pattern).test(command)) {
      return createViolation(
        context,
        'bash',
        'execute',
        command,
        `Command matches denied pattern '${pattern}'`
      );
    }
  }

  // Check allowed patterns
  const matchesAllowed = permissions.bash.allowedPatterns.some(pattern =>
    new RegExp(pattern).test(command)
  );

  if (!matchesAllowed) {
    return createViolation(
      context,
      'bash',
      'execute',
      command,
      'Command not covered by any allowed pattern'
    );
  }

  return { allowed: true };
}

Network Enforcement

function enforceNetworkAccess(
  url: string,
  context: EnforcementContext
): EnforcementResult {
  const { permissions } = context;

  if (!permissions.network.enabled) {
    return createViolation(context, 'network', 'fetch', url, 'Network access not permitted');
  }

  const domain = extractDomain(url);

  // Check denied domains
  if (permissions.network.denyDomains.some(d => domainMatches(domain, d))) {
    return createViolation(context, 'network', 'fetch', url, `Domain '${domain}' is denied`);
  }

  // Check allowed domains
  const allowed = permissions.network.allowedDomains.some(d =>
    d === '*' || domainMatches(domain, d)
  );

  if (!allowed) {
    return createViolation(
      context,
      'network',
      'fetch',
      url,
      `Domain '${domain}' not in allowed list`
    );
  }

  return { allowed: true };
}

function domainMatches(domain: string, pattern: string): boolean {
  if (pattern === domain) return true;
  if (pattern.startsWith('*.')) {
    const baseDomain = pattern.slice(2);
    return domain === baseDomain || domain.endsWith(`.${baseDomain}`);
  }
  return false;
}

Violation Handling

function createViolation(
  context: EnforcementContext,
  category: ViolationRecord['category'],
  operation: string,
  target: string,
  message: string
): EnforcementResult {
  const violation: ViolationRecord = {
    timestamp: new Date(),
    agentId: context.agentId,
    category,
    operation,
    target,
    blocked: context.enforceMode !== 'audit',
    message,
  };

  // Record violation
  context.violations.push(violation);

  // Log to execution tracer
  logViolation(violation);

  // In audit mode, allow but flag
  if (context.enforceMode === 'audit') {
    return {
      allowed: true,
      violation,
      reason: `[AUDIT] ${message}`,
    };
  }

  return {
    allowed: false,
    violation,
    reason: message,
  };
}

function logViolation(violation: ViolationRecord): void {
  const severity = violation.blocked ? 'ERROR' : 'WARN';
  console.log(
    `[${severity}] Scope Violation: ${violation.category}/${violation.operation} ` +
    `on '${violation.target}' by ${violation.agentId}: ${violation.message}`
  );
}

Enforcement Middleware

interface EnforcementMiddleware {
  beforeTool(tool: string, args: unknown): EnforcementResult;
  beforeFileRead(path: string): EnforcementResult;
  beforeFileWrite(path: string): EnforcementResult;
  beforeBash(command: string): EnforcementResult;
  beforeNetwork(url: string): EnforcementResult;
}

function createEnforcementMiddleware(
  context: EnforcementContext
): EnforcementMiddleware {
  return {
    beforeTool: (tool) => enforceToolAccess(tool, context),
    beforeFileRead: (path) => enforceFileAccess('read', path, context),
    beforeFileWrite: (path) => enforceFileAccess('write', path, context),
    beforeBash: (command) => enforceBashCommand(command, context),
    beforeNetwork: (url) => enforceNetworkAccess(url, context),
  };
}

Enforcement Report

enforcementReport:
  agentId: web-researcher
  sessionStart: "2024-01-15T10:00:00Z"
  sessionEnd: "2024-01-15T10:05:00Z"
  enforceMode: strict

  summary:
    totalOperations: 45
    allowedOperations: 42
    blockedOperations: 3

  violations:
    - timestamp: "2024-01-15T10:02:15Z"
      category: file
      operation: write
      target: "/etc/passwd"
      blocked: true
      message: "Path '/etc/passwd' matches deny pattern '/etc/**'"

    - timestamp: "2024-01-15T10:03:22Z"
      category: network
      operation: fetch
      target: "https://malicious-site.com/api"
      blocked: true
      message: "Domain 'malicious-site.com' not in allowed list"

    - timestamp: "2024-01-15T10:04:01Z"
      category: bash
      operation: execute
      target: "rm -rf /"
      blocked: true
      message: "Command matches denied pattern 'rm\\s+-rf'"

  accessLog:
    - timestamp: "2024-01-15T10:01:00Z"
      category: file
      operation: read
      target: "/project/src/main.ts"
      allowed: true

Integration Points

  • Input: Permission matrix from dag-permission-validator
  • Output: Violations to dag-execution-tracer
  • Coordination: With dag-isolation-manager for isolation levels
  • Logging: All operations logged for auditing

Best Practices

  1. Fail Closed: Block by default, allow explicitly
  2. Check Early: Enforce before operation executes
  3. Log Everything: Audit trail for all access
  4. Deny First: Check deny lists before allow lists
  5. Normalize Paths: Prevent bypass via path tricks

Runtime protection. Every operation checked. No unauthorized access.

Weekly Installs
17
Repository
erichowens/some_claude_skills
First Seen
Jan 24, 2026
Security Audits
Gen Agent Trust HubFail
SocketPass
SnykPass
Installed on
claude-code14
gemini-cli13
antigravity13
cursor13
windsurf12
codex12