
release 0.6.3 — defensive-scope authorization framing across agent-facing surfaces#7

Merged
raccioly merged 1 commit into
mainfrom
claude/exciting-robinson-accbae
Jun 19, 2026

@raccioly (Owner)
What & why

A user reported that a friend's coding agent flagged a plain "run this security tool on my repo" as suspicious and made them bypass a confirmation. Root cause: the tool's agent-facing surfaces led with capability words ("pentest, find vulnerabilities", probe files named jwt-attacks.sh / hs256-brute-force.py), and a careful agent is trained to treat dual-use security tooling cautiously without clear authorization context.

This release front-loads a defensive scope-and-authorization statement on every surface an agent actually reads at decision time — so the agent is handed its authorization instead of stalling to reconstruct it. No behavior change; wording/ordering only.

The fix is on the surfaces a model reads — not badges

Badges/README prose don't reach the agent at decision time. The agent reads: the request, the skill text, the briefing, the install metadata, and the staged probes. All of those now lead with: defensive · operator's OWN code · read-only by default · prod/third-party out of scope · human approves each probe.

| Surface | Change |
|---|---|
| Skill description + SKILL.md top banner | Lead with defensive/authorization envelope (was "pentest, find vulnerabilities") |
| AGENT-BRIEFING.md header (briefing.py) | New "Scope & authorization" line first under the title |
| Plugin / marketplace / PyPI / CLI --help descriptions | Reframed defensively |
| 22 staged probe templates | One-line `DEFENSIVE CHECK — run only against a system you own` header after each shebang |
| README hero line | Ownership-asserting phrasing + pipx install (provenance) |
| docs/METHODOLOGY.md | New section: "Why your agent might pause — and how to phrase the request" |

Deliberately preserved

The live-fire checkpoint stays: before any probe fires at a running host, the agent still confirms target + scope. The false positive we killed was the pause on statically reading your own repo — not the one before live-firing at a server.

Verification

  • 139/139 tests pass
  • Both JSON manifests parse; websec --help renders the new description
  • docguard guard 85/86 (the one warning is the pre-existing "Spec-Kit not installed" advisory, unrelated)

Cuts release 0.6.3 (patch — docs/framing only).
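As an added check for the probe-template row of the table above (example code written for this page, not part of the project): a small Python helper that verifies the DEFENSIVE CHECK banner sits on the line directly after the shebang, and inserts it idempotently where it is missing. The banner text is taken from the PR description; the sample templates are constructed.

```python
"""Check and apply the one-line DEFENSIVE CHECK banner on staged probe templates.

Added example, not code from the project. The banner wording comes from the PR
description; the file names and sample template bodies below are constructed.
"""
from __future__ import annotations

BANNER = "DEFENSIVE CHECK — run only against a system you own"


def has_banner(text: str) -> bool:
    """True if the banner is the first line after the shebang (or line 1 without one).

    The shebang must stay on line 1 or the kernel will not find the interpreter,
    so the banner is only accepted immediately after it, never before it.
    """
    lines = text.splitlines()
    if not lines:
        return False
    idx = 1 if lines[0].startswith("#!") else 0
    return idx < len(lines) and BANNER in lines[idx]


def add_banner(text: str) -> str:
    """Return text with the banner inserted after the shebang; idempotent."""
    if has_banner(text):
        return text
    lines = text.splitlines(keepends=True)
    banner_line = f"# {BANNER}\n"  # both .sh and .py templates use '#' comments
    if lines and lines[0].startswith("#!"):
        if not lines[0].endswith("\n"):
            lines[0] += "\n"
        return lines[0] + banner_line + "".join(lines[1:])
    return banner_line + text


def missing_banner(templates: dict[str, str]) -> list[str]:
    """Names of templates that still lack the banner (a docguard-style check)."""
    return sorted(name for name, body in templates.items() if not has_banner(body))


# Constructed sample templates standing in for the staged probes.
SAMPLE_TEMPLATES = {
    "jwt-attacks.sh": "#!/usr/bin/env bash\necho 'probe'\n",
    "hs256-brute-force.py": f"#!/usr/bin/env python3\n# {BANNER}\nprint('probe')\n",
    "no-shebang.sh": "echo 'probe'\n",
}

if __name__ == "__main__":
    print("missing:", missing_banner(SAMPLE_TEMPLATES))
    fixed = {n: add_banner(b) for n, b in SAMPLE_TEMPLATES.items()}
    print("after fix:", missing_banner(fixed))
```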

…authorization framing

Reduce dual-use false-positive pauses where a careful coding agent flags a plain "security-review my repo" as suspicious. The agent reads the prompt, the skill text, the AGENT-BRIEFING, the plugin/PyPI/CLI descriptions, and the staged probes — all now lead with "defensive pass on the operator's own code, read-only by default, prod/third-party out of scope, human approves each probe." Adds a METHODOLOGY section explaining the why. No behavior change; the live-fire confirmation checkpoint is preserved.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@raccioly raccioly merged commit 679b414 into main Jun 19, 2026
3 checks passed
@raccioly raccioly deleted the claude/exciting-robinson-accbae branch June 23, 2026 14:47