feat(skills): add least-privilege-plan skill #114
Open
webeventualsapp-cpu wants to merge 1 commit into
Add a read-only least-privilege-plan skill that compares declared grants against bounded, receipt-derived run history and classifies each grant as keep, reduce, revoke, or needs_human_review. Includes evidence, rationale, and operational risk for each decision.

- SKILL.md: full procedure, output schema, worked example, edge cases
- X.yaml: execution profile with readonly sandbox and typed inputs
- run.mjs: deterministic CLI runner producing structured JSON output
- fixtures: over-granted-plan-reduces and minimal-grants-unchanged harness cases

Refs auscaster/frantic-board#81

Signed-off-by: webeventualsapp-cpu <webeventualsapp@gmail.com>
Collaborator
Thanks for pushing the skill PR. The PR is the source/provenance trail; Frantic is the review and payment surface.

Next step: submit the delivery on the matching bounty page: https://gofrantic.com/bounties/37

Before delivering, publish with the current runx login path and include the live registry

    npx --yes @runxhq/cli@latest login --provider github --for publish
    npx --yes @runxhq/cli@latest registry publish ./skills/least-privilege-plan/SKILL.md --registry https://api.runx.ai

Do not paste Connect session URLs, agent tokens, or payout secrets into GitHub.
Summary
keep, reduce, revoke, or needs_human_review

Files Added
- skills/least-privilege-plan/SKILL.md — Full skill definition with procedure, output schema, worked example, edge cases, and stop conditions
- skills/least-privilege-plan/X.yaml — Execution profile with readonly sandbox, typed inputs, and structured outputs
- skills/least-privilege-plan/run.mjs — Deterministic CLI runner that produces structured JSON grant plans
- skills/least-privilege-plan/fixtures/over-granted-plan-reduces.yaml — Harness case: over-granted permissions are reduced/revoked
- skills/least-privilege-plan/fixtures/minimal-grants-unchanged.yaml — Harness case: minimal grants confirmed unchanged

How it differs from least-privilege-auditor
The auditor skill diffs granted scopes against receipt-backed usage and proposes attenuation (narrowing existing grants). The plan skill takes declared or proposed grants and produces a forward-looking plan that ensures only the minimum necessary permissions are granted before authority is applied. The plan classifies each grant with operational risk assessment and evidence trail.

Validation
- run.mjs tested locally with both fixture inputs (plan_proposed and no_change cases)

Resolves auscaster/frantic-board#81
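The classification this PR describes, sketched as an added example (not the PR's run.mjs or its fixtures): declared grants are compared with receipts inside a bounded window, and each grant gets a decision with rationale, risk and evidence. The grant and receipt field names, the read/write/admin ordering, the 30-day window, the run threshold and the risk labels are all assumptions.

```javascript
// Added example. Field names, level ordering and thresholds are assumptions,
// not the schema defined in the PR's SKILL.md or run.mjs.
const RANK = { read: 1, write: 2, admin: 3 };
const DAY_MS = 86_400_000;

function planGrants(grants, receipts, { now, windowDays = 30, minRuns = 3 }) {
  // Bound the history: only receipts inside the window count as evidence.
  const t = Date.parse(now);
  const recent = receipts.filter((r) => Date.parse(r.at) <= t && Date.parse(r.at) >= t - windowDays * DAY_MS);
  const runCount = new Set(recent.map((r) => r.run)).size;

  return grants.map((g) => {
    const used = recent.filter((r) => r.resource === g.resource);
    const out = (decision, rationale, risk, extra = {}) => ({
      resource: g.resource, granted: g.level, decision, rationale, risk,
      evidence: used.map((r) => `${r.run}:${r.level}`), ...extra,
    });
    const levels = [g.level, ...used.map((r) => r.level)];
    if (levels.some((l) => !Object.hasOwn(RANK, l)))
      return out("needs_human_review", "unrecognized access level", "unknown");
    // Too little history cannot justify narrowing or revoking anything.
    if (runCount < minRuns)
      return out("needs_human_review", `only ${runCount} run(s) in window`, "unknown");
    if (used.length === 0)
      return out("revoke", `unused for ${windowDays} days`, "low");
    const max = used.reduce((m, r) => (RANK[r.level] > RANK[m] ? r.level : m), used[0].level);
    // Use above the declared level means the grant list or the receipts are wrong.
    if (RANK[max] > RANK[g.level])
      return out("needs_human_review", `receipts show ${max}, above the grant`, "high");
    if (RANK[max] < RANK[g.level])
      return out("reduce", `highest observed level is ${max}`, "medium", { proposed: max });
    return out("keep", "granted level matches observed use", "none");
  });
}

// Constructed sample input (not taken from the PR's fixtures).
const grants = [
  { resource: "repo:contents", level: "write" },
  { resource: "repo:issues", level: "write" },
  { resource: "org:members", level: "admin" },
  { resource: "repo:secrets", level: "read" },
];
const receipts = [
  { run: "r1", at: "2025-01-05T10:00:00Z", resource: "repo:contents", level: "write" },
  { run: "r2", at: "2025-01-12T10:00:00Z", resource: "repo:issues", level: "read" },
  { run: "r3", at: "2025-01-19T10:00:00Z", resource: "repo:secrets", level: "write" },
  { run: "r0", at: "2024-06-01T10:00:00Z", resource: "org:members", level: "admin" }, // outside window
];
const plan = planGrants(grants, receipts, { now: "2025-01-20T00:00:00Z" });
console.log(JSON.stringify(plan, null, 2));
```

The planner only reads its inputs and returns a proposal, so applying any reduce or revoke decision remains a separate, reviewed step.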