@event4u/agent-config 6.0.0 → 6.1.0

package/src/scripts/lint_empty_roadmaps.py

@@ -0,0 +1,80 @@
+#!/usr/bin/env python3
+"""Hard-Gate linter: no empty roadmap files under ``agents/roadmaps/``.
+
+A roadmap ``.md`` that is 0 bytes (or only whitespace) is never valid — it
+carries no goal, no phases, no content. Empty roadmaps have been introduced
+twice by an external ``chore: add uncomitted roadmaps`` auto-commit that
+staged 0-byte placeholders (2026-06-13: ``road-to-6.0.0-final-readiness.md``
+and ``road-to-reaping-catches-pre-inventory-orphans.md``). The local
+pre-commit dashboard check did not catch them — the dashboard generator
+silently skips empty files — and the commits bypassed it anyway. This linter
+is the authoritative backstop: it fails CI (and the pre-commit hook) so an
+empty roadmap can never reach ``main`` again, regardless of how it was staged.
+
+Scope: every ``*.md`` under ``agents/roadmaps/`` (active, ``archive/``,
+``skipped/``, ``stubs/``, ``later/``) — empty is invalid everywhere. The
+``.gitkeep`` placeholders are not ``.md`` and are ignored.
+
+Cap: ≤ 120 LOC, stdlib only. Hooked into ``task ci`` / ``task ci-fast`` via
+``task lint-empty-roadmaps`` and into the pre-commit hook.
+
+Exit codes: 0 = clean, 1 = at least one empty roadmap found.
+"""
+from __future__ import annotations
+
+import sys
+from pathlib import Path
+
+QUIET = "--quiet" in sys.argv
+
+ROADMAP_DIR = Path("agents/roadmaps")
+
+
+def _repo_root() -> Path:
+    """Walk up from CWD until a dir containing ``agents/roadmaps`` is found."""
+    here = Path.cwd()
+    for candidate in (here, *here.parents):
+        if (candidate / ROADMAP_DIR).is_dir():
+            return candidate
+    return here
+
+
+def find_empty_roadmaps(root: Path) -> list[Path]:
+    base = root / ROADMAP_DIR
+    if not base.is_dir():
+        return []
+    empties: list[Path] = []
+    for md in sorted(base.rglob("*.md")):
+        try:
+            text = md.read_text(encoding="utf-8")
+        except (OSError, UnicodeDecodeError):
+            # Unreadable / binary -> not an empty-text file; leave to other gates.
+            continue
+        if text.strip() == "":
+            empties.append(md.relative_to(root))
+    return empties
+
+
+def main() -> int:
+    root = _repo_root()
+    empties = find_empty_roadmaps(root)
+
+    if not empties:
+        if not QUIET:
+            print("✅  lint-empty-roadmaps: no empty roadmap files.")
+        return 0
+
+    print("❌  lint-empty-roadmaps: empty (0-byte / whitespace-only) roadmap file(s):")
+    for rel in empties:
+        print(f"      {rel}")
+    print()
+    print("   A roadmap with no content is invalid. Either:")
+    print("     • restore the intended content, or")
+    print("     • delete the file (if its content lives in agents/roadmaps/archive/).")
+    print("   Empty roadmap stubs are usually an artefact of an auto-commit that")
+    print("   staged a 0-byte placeholder — remove it; do not commit it.")
+    return 1
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/src/scripts/lint_hidden_unicode.py

@@ -0,0 +1,132 @@
+#!/usr/bin/env python3
+"""P1.1 — hidden-Unicode / smuggling-codepoint linter (road-to-security-pillar.md).
+
+Detects the invisible-character class used by the "rules-file backdoor" attack:
+instructions a human reviewer cannot see but the model reads. The codepoint set
+covers bidi controls (Trojan Source), zero-width / format chars, the Unicode Tag
+block, variation-selector runs, Private Use Area, and stray C0/C1 controls.
+
+Scope: every `.md` under src/{skills,rules,agent-src,domains} + frontmatter.
+Containment: a real teaching doc never needs the *actual* invisible char (it
+writes ``U+200B`` as text), so this linter scans even inside ordinary code
+fences; only a ```security-example fence or a `security-lint: allow
+hidden-unicode` pragma exempts a file/region.
+
+Exit 0 clean, 1 on any blocking finding. ``--fix`` writes an NFKC-normalised,
+zero-width-stripped sibling ``<file>.sanitized`` for human review (never
+auto-applied).
+
+Usage: python3 src/scripts/lint_hidden_unicode.py [--json] [--fix]
+"""
+from __future__ import annotations
+
+import argparse
+import sys
+import unicodedata
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+from _lib import security_lint as sl  # noqa: E402
+
+CHECK = "hidden-unicode"
+
+# (name, predicate over a single codepoint) — ordered by specificity.
+_BIDI = {0x202A, 0x202B, 0x202C, 0x202D, 0x202E, 0x2066, 0x2067, 0x2068, 0x2069,
+         0x200E, 0x200F, 0x061C}
+_ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF, 0x00AD}
+_DEPRECATED = {0x206A, 0x206B, 0x206C, 0x206D, 0x206E, 0x206F, 0xFFF9, 0xFFFA, 0xFFFB}
+
+
+def _classify(cp: int) -> str | None:
+    if cp in _BIDI:
+        return "bidi-control"
+    if cp in _ZERO_WIDTH:
+        return "zero-width"
+    if 0xE0000 <= cp <= 0xE007F:
+        return "unicode-tag"
+    if cp in _DEPRECATED:
+        return "deprecated-format"
+    if 0xE000 <= cp <= 0xF8FF or 0xF0000 <= cp <= 0xFFFFD or 0x100000 <= cp <= 0x10FFFD:
+        return "private-use-area"
+    # C0/C1 controls except tab/newline/CR
+    if (0x00 <= cp <= 0x1F or 0x7F <= cp <= 0x9F) and cp not in (0x09, 0x0A, 0x0D):
+        return "control-char"
+    return None
+
+
+# Variation selectors flagged only in runs of >=3 on one line (steganography).
+# Restricted to the SUPPLEMENTARY block (U+E0100–E01EF): the standard selectors
+# U+FE00–FE0F are legitimate emoji/text presentation (e.g. ❌️ ✅️ ⚠️) and runs
+# of them are normal, so they are NOT a steganography signal.
+_VS = set(range(0xE0100, 0xE01F0))
+
+
+def _scan(sf: sl.ScannedFile) -> list[sl.Finding]:
+    if sf.pragma_allows(CHECK):
+        return []
+    out: list[sl.Finding] = []
+    for lineno, text in sf.iter_lines(skip_example_fence=True):
+        vs_run = 0
+        for ch in text:
+            cp = ord(ch)
+            if cp in _VS:
+                vs_run += 1
+                continue
+            kind = _classify(cp)
+            if kind:
+                name = unicodedata.name(ch, "<unnamed>")
+                out.append(sl.Finding(
+                    path=sf.rel, line=lineno, check=CHECK, severity="HIGH",
+                    message=f"{kind} U+{cp:04X} ({name})",
+                    weight=sf.weight,
+                ))
+        if vs_run >= 3:
+            out.append(sl.Finding(
+                path=sf.rel, line=lineno, check=CHECK, severity="HIGH",
+                message=f"variation-selector run x{vs_run} (steganography signature)",
+                weight=sf.weight,
+            ))
+    return out
+
+
+def _sanitize(path: Path) -> Path:
+    raw = path.read_text(encoding="utf-8", errors="surrogatepass")
+    cleaned = "".join(
+        ch for ch in raw
+        if _classify(ord(ch)) is None and ord(ch) not in _VS
+    )
+    cleaned = unicodedata.normalize("NFKC", cleaned)
+    out = path.with_suffix(path.suffix + ".sanitized")
+    out.write_text(cleaned, encoding="utf-8")
+    return out
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser(description=__doc__, epilog=sl.GUIDELINE_EPILOG)
+    ap.add_argument("--json", action="store_true")
+    ap.add_argument("--fix", action="store_true",
+                    help="write a sanitised sibling for each flagged file (review only)")
+    args = ap.parse_args()
+
+    findings: list[sl.Finding] = []
+    flagged: set[Path] = set()
+    for sf in sl.iter_corpus():
+        hits = _scan(sf)
+        findings.extend(hits)
+        if hits:
+            flagged.add(sf.path)
+
+    if args.fix:
+        for p in sorted(flagged):
+            print(f"  fixed → {_sanitize(p).relative_to(sl.ROOT)}")
+
+    if args.json:
+        import json
+        print(json.dumps([f.__dict__ for f in findings], indent=2))
+        return 1 if any(f.is_fail for f in findings) else 0
+
+    return sl.report(findings, check_label="hidden-unicode")
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/src/scripts/lint_instruction_smuggling.py

@@ -0,0 +1,107 @@
+#!/usr/bin/env python3
+"""P1.2 — instruction-smuggling / suppression-phrase linter (road-to-security-pillar.md).
+
+Detects instructions smuggled into rule/skill/command bodies (and MCP tool
+descriptions) that try to steer or silence the agent — the prose half of the
+"rules-file backdoor" + MCP "tool-poisoning" attack classes.
+
+Precision over recall (false-positive containment, P1.5): the corpus
+*legitimately* quotes attack strings as teaching material, so this linter only
+treats a pattern as a **blocking (HIGH)** smuggle when it appears as live
+**prose** — outside any code fence and outside inline `backtick` spans, where a
+teaching doc would put a quoted example. Shell / secret-path signatures are
+common in legitimate security docs, so they are **MED warnings**, never blocking.
+
+- HIGH (fail): disclosure-suppression imperative ("do not mention/tell the
+  user", "without explaining") or an imperative injection tag (`<IMPORTANT>`,
+  "ignore previous instructions", "you are now …") in live prose.
+- MED (warn): pipe-to-shell, reverse-shell, or secret-path read in live prose.
+
+Scope: every `.md` under src/{skills,rules,agent-src,domains}. Exempt: a
+```security-example fence or a `security-lint: allow instruction-smuggling` pragma.
+
+Usage: python3 src/scripts/lint_instruction_smuggling.py [--json]
+"""
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+from _lib import security_lint as sl  # noqa: E402
+
+CHECK = "instruction-smuggling"
+
+_INLINE_CODE = re.compile(r"`[^`]*`")
+
+# HIGH — disclosure suppression as an imperative addressed to the agent.
+_SUPPRESS = re.compile(
+    r"\b(do not|don'?t|never)\s+(mention|tell|inform|disclose|reveal|notify)\b"
+    r"[^.]{0,40}\b(the )?(user|human|reviewer|operator|owner)\b"
+    r"|without (telling|informing|notifying|explaining to) (the )?(user|them|anyone)",
+    re.IGNORECASE,
+)
+# HIGH — imperative injection / role-takeover tags and phrases.
+_INJECT = re.compile(
+    r"<\s*(important|system|admin|secret|critical)\s*>"
+    r"|ignore (all |the )?(previous|prior|above) (instructions|prompts|rules)"
+    r"|disregard (all |the )?(previous|prior|above)"
+    r"|you are now (a|an|the)\b"
+    r"|new system prompt",
+    re.IGNORECASE,
+)
+
+# MED — execution / exfil signatures (common in legit security docs → warn only).
+_MED = [
+    (re.compile(r"\bcurl\b[^\n|]*\|\s*(ba|z|fi)?sh\b", re.IGNORECASE), "pipe-to-shell (curl|sh)"),
+    (re.compile(r"\bwget\b[^\n|]*\|\s*(ba|z|fi)?sh\b", re.IGNORECASE), "pipe-to-shell (wget|sh)"),
+    (re.compile(r"\b(socat|nc)\b[^\n]*\b(exec|-e)\b|/dev/tcp/", re.IGNORECASE), "reverse-shell signature"),
+    (re.compile(r"(~/\.ssh/id_[rd]sa|/etc/shadow|\.aws/credentials)"), "secret-path read"),
+]
+
+
+def _strip_inline_code(text: str) -> str:
+    """Blank out inline `code` spans so quoted examples don't trip prose checks."""
+    return _INLINE_CODE.sub(lambda m: " " * len(m.group(0)), text)
+
+
+def _scan(sf: sl.ScannedFile) -> list[sl.Finding]:
+    if sf.pragma_allows(CHECK):
+        return []
+    out: list[sl.Finding] = []
+    # prose = lines outside ANY fence; inline-code spans blanked.
+    for lineno, text in sf.iter_lines(skip_example_fence=True, skip_any_fence=True):
+        prose = _strip_inline_code(text)
+        if _SUPPRESS.search(prose):
+            out.append(sl.Finding(sf.rel, lineno, CHECK, "HIGH",
+                                  "disclosure-suppression imperative in prose", sf.weight))
+        if _INJECT.search(prose):
+            out.append(sl.Finding(sf.rel, lineno, CHECK, "HIGH",
+                                  "injection / role-takeover phrase in prose", sf.weight))
+        for rx, label in _MED:
+            if rx.search(prose):
+                out.append(sl.Finding(sf.rel, lineno, CHECK, "MED",
+                                      f"{label} in prose (verify intent)", sf.weight))
+    return out
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser(description=__doc__, epilog=sl.GUIDELINE_EPILOG)
+    ap.add_argument("--json", action="store_true")
+    args = ap.parse_args()
+
+    findings: list[sl.Finding] = []
+    for sf in sl.iter_corpus():
+        findings.extend(_scan(sf))
+
+    if args.json:
+        import json
+        print(json.dumps([f.__dict__ for f in findings], indent=2))
+        return 1 if any(f.is_fail for f in findings) else 0
+    return sl.report(findings, check_label="instruction-smuggling")
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/src/scripts/lint_marketplace.py

@@ -3,7 +3,7 @@
 Lint .claude-plugin/marketplace.json for the event4u/agent-config package.
 
 Validates the Claude Code Plugin Marketplace manifest against the canonical
-shape used by anthropics/skills:
+manifest shape:
 
   - Required top-level fields: name, owner, metadata, plugins
   - owner must have name + email

package/src/scripts/lint_mcp_config_security.py

@@ -0,0 +1,124 @@
+#!/usr/bin/env python3
+"""P1.3 — MCP-config security linter (road-to-security-pillar.md). OWASP ASI04.
+
+Scans shipped MCP configuration — named config files (``*.mcp.json``,
+``mcp.json``, ``claude_desktop_config.json*``) and fenced ```json blocks that
+declare ``mcpServers`` — for the supply-chain smells behind MCP tool-poisoning
+and rug-pull attacks.
+
+- HIGH (fail): a **real inline secret value** in a shipped config (an actual
+  key, not the bare prefix used as documentation). Secrets belong in
+  ``${env:VAR}``.
+- MED (warn): ``npx -y`` auto-install, unpinned server version, ``autoApprove``
+  / ``enableAllProjectMcpServers``, ``0.0.0.0`` binding, shell metacharacters in
+  args, omnibus scopes (``*`` / ``all`` / ``full-access``), ``*_BASE_URL`` in a
+  project-scoped env. These are smells, not leaks — templates legitimately show
+  them, so they warn (and weight 0.25x in example/template files per P1.5).
+
+Usage: python3 src/scripts/lint_mcp_config_security.py [--json]
+"""
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+from _lib import security_lint as sl  # noqa: E402
+
+CHECK = "mcp-config-security"
+
+_NAME_HINTS = re.compile(r"(^|/)(\.mcp\.json|mcp\.json|claude_desktop_config\.json)")
+
+# Real secret VALUES (prefix + enough key chars to be a live credential).
+_SECRET = re.compile(
+    r"sk-ant-[A-Za-z0-9_\-]{20,}"
+    r"|sk-proj-[A-Za-z0-9_\-]{20,}"
+    r"|AKIA[0-9A-Z]{16}"
+    r"|AIza[0-9A-Za-z_\-]{35}"
+    r"|ghp_[0-9A-Za-z]{36}"
+    r"|eyJ[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}\.[A-Za-z0-9_\-]{10,}"
+)
+
+# Line-level smells (match on a single line).
+_MED = [
+    (re.compile(r"\bautoApprove\b|\benableAllProjectMcpServers\b", re.IGNORECASE), "auto-approve / auto-enable bypasses consent"),
+    (re.compile(r"0\.0\.0\.0"), "0.0.0.0 bind (exposed beyond localhost)"),
+    (re.compile(r'"[^"]*_BASE_URL"\s*:'), "*_BASE_URL in config (request-redirect / token-exfil vector)"),
+    (re.compile(r'"(scopes?|permissions?)"\s*:\s*(\[[^\]]*"(\*|all|full-access)"|"(\*|all|full-access)")', re.IGNORECASE), "omnibus scope (* / all / full-access)"),
+    (re.compile(r'"args"\s*:\s*\[[^\]]*(&&|\|\||;|`)'), "shell metacharacters in args"),
+]
+# Chunk-level smells (span multiple lines in pretty-printed JSON).
+_NPX = re.compile(r'"command"\s*:\s*"(npx|uvx)"', re.IGNORECASE)
+_NPX_YES = re.compile(r'"\s*(-y|--yes)\s*"')
+
+
+def _candidate_chunks(sf: sl.ScannedFile):
+    """Yield (start_lineno, [lines]) for MCP-config regions in this file."""
+    if _NAME_HINTS.search(sf.rel):
+        yield 1, list(enumerate(sf.lines, start=1))
+        return
+    if sf.path.suffix != ".md":
+        return
+    # fenced ```json / ```jsonc blocks that mention mcpServers / command
+    in_block, start, buf = False, 0, []
+    for i, text in enumerate(sf.lines, start=1):
+        st = text.strip()
+        if not in_block and re.match(r"`{3,}(json[c5]?|jsonc)\b", st):
+            in_block, start, buf = True, i, []
+            continue
+        if in_block and re.match(r"`{3,}\s*$", st):
+            joined = "\n".join(t for _, t in buf)
+            if "mcpServers" in joined or '"command"' in joined:
+                yield start, buf
+            in_block, buf = False, []
+            continue
+        if in_block:
+            buf.append((i, text))
+
+
+def _scan(sf: sl.ScannedFile):
+    if sf.pragma_allows(CHECK):
+        return []
+    out = []
+    for start, numbered in _candidate_chunks(sf):
+        for lineno, text in numbered:
+            if _SECRET.search(text):
+                out.append(sl.Finding(sf.rel, lineno, CHECK, "HIGH",
+                                      "inline secret value in MCP config — use ${env:VAR}",
+                                      sf.weight))
+            for rx, label in _MED:
+                if rx.search(text):
+                    out.append(sl.Finding(sf.rel, lineno, CHECK, "MED", label, sf.weight))
+        # chunk-level: npx/uvx auto-install spans command + args lines
+        npx_line = next((ln for ln, t in numbered if _NPX.search(t)), start)
+        chunk = "\n".join(t for _, t in numbered)
+        if _NPX.search(chunk) and _NPX_YES.search(chunk):
+            out.append(sl.Finding(sf.rel, npx_line, CHECK, "MED",
+                                  "npx/uvx -y auto-install (supply-chain risk; pin + pre-install)",
+                                  sf.weight))
+    return out
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser(description=__doc__, epilog=sl.GUIDELINE_EPILOG)
+    ap.add_argument("--json", action="store_true")
+    args = ap.parse_args()
+
+    findings = []
+    # scan .md (fenced examples) under the default roots PLUS named MCP configs
+    # under src/templates (where the shipped claude_desktop_config template lives).
+    roots = (*sl.DEFAULT_SCAN_ROOTS, "src/templates")
+    for sf in sl.iter_corpus(roots=roots, exts=(".md", ".json", ".template")):
+        findings.extend(_scan(sf))
+
+    if args.json:
+        import json
+        print(json.dumps([f.__dict__ for f in findings], indent=2))
+        return 1 if any(f.is_fail for f in findings) else 0
+    return sl.report(findings, check_label="mcp-config-security")
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

package/src/scripts/lint_skill_frontmatter_safety.py

@@ -0,0 +1,144 @@
+#!/usr/bin/env python3
+"""P1.4 — dangerous-frontmatter linter (road-to-security-pillar.md).
+
+Enforces the execution-safety contract from the ``runtime-safety`` rule at the
+frontmatter layer, and flags the consumer-format consent-bypass headers
+(``permissionMode: bypassPermissions``, wildcard ``allowed-tools``) that the
+"skill supply-chain" attack class abuses.
+
+Checks (skill / command / persona / agent frontmatter under src/):
+
+- HIGH: ``execution.type: automated`` but the runtime-safety floor is not met —
+  ``handler`` is ``none``/missing, ``safety_mode`` is not ``strict``, or no
+  ``allowed_tools`` key is declared.
+- HIGH: ``allowed_tools`` (or consumer ``allowed-tools``) grants a wildcard —
+  ``*``, ``Bash(*)``, or bare ``Bash`` — an over-broad tool grant.
+- HIGH: ``permissionMode: bypassPermissions`` (consent bypass).
+
+Reconciles with ``validate_frontmatter.py`` (schema fill) by checking only
+*safety semantics*, never re-reporting shape/required-key errors.
+
+Usage: python3 src/scripts/lint_skill_frontmatter_safety.py [--json]
+"""
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).resolve().parent))
+from _lib import security_lint as sl  # noqa: E402
+
+CHECK = "dangerous-frontmatter"
+
+# Always over-broad: a star or Bash(*) wildcard grant.
+_WILDCARD_TOOL = re.compile(r"(^|[\s,\[\"'])(\*|Bash\(\*\))(\s|,|\]|\"|'|$)")
+# Bare `Bash` (full shell) — over-broad only on a NON-execution skill.
+_BARE_BASH = re.compile(r"(^|[\s,\[\"'])Bash(\s|,|\]|\"|'|$)")
+
+
+def _frontmatter(sf: sl.ScannedFile) -> tuple[list[tuple[int, str]], int] | None:
+    """Return [(lineno, text)] of the frontmatter body + its end line, or None."""
+    if not sf.lines or sf.lines[0].strip() != "---":
+        return None
+    body = []
+    for i in range(1, len(sf.lines)):
+        if sf.lines[i].strip() == "---":
+            return body, i + 1
+        body.append((i + 1, sf.lines[i]))
+    return None
+
+
+def _exec_block(body: list[tuple[int, str]]) -> dict[str, tuple[int, str]]:
+    """Extract execution.* sub-keys as {key: (lineno, value)} (one-level block)."""
+    out: dict[str, tuple[int, str]] = {}
+    in_exec = False
+    base_indent = 0
+    for lineno, text in body:
+        if re.match(r"^execution:\s*$", text):
+            in_exec = True
+            base_indent = len(text) - len(text.lstrip())
+            continue
+        if in_exec:
+            indent = len(text) - len(text.lstrip())
+            if text.strip() and indent <= base_indent:
+                in_exec = False
+                continue
+            m = re.match(r"^\s+([\w-]+):\s*(.*)$", text)
+            if m:
+                out[m.group(1)] = (lineno, m.group(2).strip())
+    return out
+
+
+def _scan(sf: sl.ScannedFile) -> list[sl.Finding]:
+    if sf.pragma_allows(CHECK):
+        return []
+    fm = _frontmatter(sf)
+    if not fm:
+        return []
+    body, _end = fm
+    out: list[sl.Finding] = []
+
+    ex = _exec_block(body)
+    handler = ex.get("handler", (0, ""))[1].strip("'\"")
+    is_execution_skill = bool(ex) and handler not in ("", "none")
+
+    # consumer consent-bypass header + wildcard `allowed-tools` (hyphen = Claude
+    # format; the underscore source key is covered by the execution block below).
+    for lineno, text in body:
+        if re.match(r"\s*permissionMode:\s*['\"]?bypassPermissions", text):
+            out.append(sl.Finding(sf.rel, lineno, CHECK, "HIGH",
+                                  "permissionMode: bypassPermissions (consent bypass)", sf.weight))
+        m = re.match(r"\s*allowed-tools:\s*(.+)$", text)
+        if m and (_WILDCARD_TOOL.search(m.group(1))
+                  or (_BARE_BASH.search(m.group(1)) and not is_execution_skill)):
+            out.append(sl.Finding(sf.rel, lineno, CHECK, "HIGH",
+                                  "wildcard / bare-Bash tool grant (over-broad)", sf.weight))
+
+    if not ex:
+        return out
+    etype = ex.get("type", (0, ""))[1].strip("'\"")
+    safety = ex.get("safety_mode", (0, ""))[1].strip("'\"")
+    exec_line = ex.get("type", ex.get("handler", (0, "")))[0]
+
+    if etype == "automated":
+        if handler in ("", "none"):
+            out.append(sl.Finding(sf.rel, exec_line, CHECK, "HIGH",
+                                  "automated execution with handler none/missing (runtime-safety)", sf.weight))
+        if safety != "strict":
+            out.append(sl.Finding(sf.rel, exec_line, CHECK, "HIGH",
+                                  "automated execution without safety_mode: strict (runtime-safety)", sf.weight))
+        if "allowed_tools" not in ex:
+            out.append(sl.Finding(sf.rel, exec_line, CHECK, "HIGH",
+                                  "automated execution without an explicit allowed_tools declaration", sf.weight))
+
+    at_line, at_val = ex.get("allowed_tools", (0, ""))
+    if at_val and _WILDCARD_TOOL.search(at_val):
+        out.append(sl.Finding(sf.rel, at_line, CHECK, "HIGH",
+                              "execution.allowed_tools wildcard (* / Bash(*)) grant", sf.weight))
+    elif at_val and _BARE_BASH.search(at_val) and not is_execution_skill:
+        out.append(sl.Finding(sf.rel, at_line, CHECK, "HIGH",
+                              "bare Bash grant on a non-execution skill (handler none/missing)", sf.weight))
+    return out
+
+
+def main() -> int:
+    ap = argparse.ArgumentParser(description=__doc__, epilog=sl.GUIDELINE_EPILOG)
+    ap.add_argument("--json", action="store_true")
+    args = ap.parse_args()
+
+    findings: list[sl.Finding] = []
+    roots = ("src/skills", "src/agent-src", "src/domains")
+    for sf in sl.iter_corpus(roots=roots, exts=(".md",)):
+        findings.extend(_scan(sf))
+
+    if args.json:
+        import json
+        print(json.dumps([f.__dict__ for f in findings], indent=2))
+        return 1 if any(f.is_fail for f in findings) else 0
+    return sl.report(findings, check_label="dangerous-frontmatter")
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())