release 0.6.3 — defensive-scope authorization framing across agent-facing surfaces#7
Merged
…authorization framing

Reduce dual-use false-positive pauses where a careful coding agent flags a plain "security-review my repo" as suspicious. The agent reads the prompt, the skill text, the AGENT-BRIEFING, the plugin/PyPI/CLI descriptions, and the staged probes — all now lead with "defensive pass on the operator's own code, read-only by default, prod/third-party out of scope, human approves each probe." Adds a METHODOLOGY section explaining the why. No behavior change; the live-fire confirmation checkpoint is preserved.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What & why
A user reported that a friend's coding agent flagged a plain "run this security tool on my repo" as suspicious and made them bypass a confirmation. Root cause: the tool's agent-facing surfaces led with capability words ("pentest, find vulnerabilities", probe files named `jwt-attacks.sh` / `hs256-brute-force.py`), and a careful agent is trained to treat dual-use security tooling cautiously without clear authorization context.

This release front-loads a defensive scope-and-authorization statement on every surface an agent actually reads at decision time — so the agent is handed its authorization instead of stalling to reconstruct it. No behavior change; wording/ordering only.
The fix is on the surfaces a model reads — not badges
Badges/README prose don't reach the agent at decision time. The agent reads: the request, the skill text, the briefing, the install metadata, and the staged probes. All of those now lead with: defensive · operator's OWN code · read-only by default · prod/third-party out of scope · human approves each probe.
- `description` + `SKILL.md`: top banner
- `AGENT-BRIEFING.md`: header (`briefing.py`)
- `--help`: descriptions
- `DEFENSIVE CHECK — run only against a system you own`: header after each shebang
- `pipx install` (provenance)
- `docs/METHODOLOGY.md`

Deliberately preserved
The live-fire checkpoint stays: before any probe fires at a running host, the agent still confirms target + scope. The false positive we killed was the pause on statically reading your own repo — not the one before live-firing at a server.
Verification
- `websec --help` renders the new description
- `docguard guard` 85/86 (the one warning is the pre-existing "Spec-Kit not installed" advisory, unrelated)

Cuts release 0.6.3 (patch — docs/framing only).
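The split the PR body describes (a scope banner directly after each probe's shebang, static reads ungated, and a hard checkpoint before anything fires at a running host) can be made mechanical rather than purely textual. The script below is an added illustration written for this page, not code from the project or the PR; the `OWNED_HOSTS_FILE` allowlist and the `CONFIRM_TARGET` environment variable are hypothetical conventions chosen for the example, and the gate refuses unless the target's host is explicitly listed as owned and the exact target string has been confirmed for this run.

```shell
#!/usr/bin/env bash
# DEFENSIVE CHECK — run only against a system you own.
# Added example (not the project's own code). Assumed conventions:
#   OWNED_HOSTS_FILE  one hostname per line, maintained by the operator
#   CONFIRM_TARGET    the exact target string approved for this run
set -u

OWNED_HOSTS_FILE="${OWNED_HOSTS_FILE:-./owned-hosts.txt}"

# Reduce a target (host, host:port or URL) to its bare hostname.
target_host() {
    printf '%s' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'
}

# Returns 0 only when the target is explicitly owned AND explicitly confirmed.
# Anything less (no allowlist, host absent, confirmation for a different
# target) is a refusal; prod and third-party hosts simply never get listed.
live_fire_allowed() {
    local target="$1"
    local host
    host=$(target_host "$target")
    [ -n "$host" ] || return 1
    [ -r "$OWNED_HOSTS_FILE" ] || return 1
    grep -qxF "$host" "$OWNED_HOSTS_FILE" || return 1   # exact line match
    [ "${CONFIRM_TARGET:-}" = "$target" ] || return 1    # per-run confirmation
    return 0
}

# A read-only pass over the operator's own checkout: no host is touched,
# so there is nothing to gate. Returns the number of files mentioning HS256.
static_check() {
    local repo="$1"
    grep -rlF 'HS256' "$repo" 2>/dev/null | wc -l | tr -d ' '
}

# The live-fire checkpoint: the only place a probe can reach a running host.
fire_probe() {
    local target="$1"
    if ! live_fire_allowed "$target"; then
        echo "refusing live probe against '$target': host not in $OWNED_HOSTS_FILE or CONFIRM_TARGET does not match" >&2
        return 2
    fi
    echo "probe authorized for $target"   # real request would go here
    return 0
}
```

Usage: `CONFIRM_TARGET='https://staging.example.internal:8443' ./probe.sh` fires only if `staging.example.internal` is a line in the allowlist; a confirmation for one target never carries over to another, and a missing allowlist fails closed.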