@kybernesis/arp-scope-catalog 0.2.0

package/scopes/files.projects.list.yaml

@@ -0,0 +1,18 @@
+id: files.projects.list
+version: 1.0.0
+label: List projects
+description: Peer can list project names and IDs from your project registry.
+category: files
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"list",
+    resource == ProjectRegistry::"self"
+  );
+consent_text_template: "See the list of your projects (names + IDs only)."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/files.share.external.yaml

@@ -0,0 +1,39 @@
+id: files.share.external
+version: 1.0.0
+label: Share files outside circle
+description: Peer can share files from a project with an external recipient allowlist.
+category: files
+risk: critical
+parameters:
+  - name: project_id
+    type: ProjectID
+    required: true
+  - name: recipient_allowlist
+    type: EmailList
+    required: true
+    validation: "rfc5322-or-domain-glob"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"share_external",
+    resource in Project::"{{project_id}}"
+  ) when {
+    context.recipient_matches_allowlist({{recipient_allowlist_json}})
+  };
+consent_text_template: "Share files from {{project_id}} externally to: {{recipient_allowlist_display}}."
+obligations_forced:
+  - type: require_principal_confirmation
+    params:
+      max_age_seconds: 0
+  - type: audit_level
+    params:
+      level: verbose
+  - type: notify_principal
+    params: {}
+  - type: insert_watermark
+    params: {}
+implies: []
+conflicts_with:
+  - files.project.files.delete
+tier_gate: self_xyz.verified_human
+step_up_required: true

package/scopes/identity.card.read.yaml

@@ -0,0 +1,18 @@
+id: identity.card.read
+version: 1.0.0
+label: Read agent card
+description: Allow the peer agent to fetch your agent card (name, supported protocols, public endpoints).
+category: identity
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"read",
+    resource == AgentCard::"self"
+  );
+consent_text_template: "See your public agent card."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/identity.introduction.request.yaml

@@ -0,0 +1,24 @@
+id: identity.introduction.request
+version: 1.0.0
+label: Request introduction
+description: Peer can ask your agent to introduce them to another agent you know.
+category: identity
+risk: medium
+parameters:
+  - name: to_agent
+    type: AgentDID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"request_introduction",
+    resource == Agent::"{{to_agent}}"
+  );
+consent_text_template: "Introduce Peer to {{to_agent}}."
+obligations_forced:
+  - type: require_principal_confirmation
+    params:
+      max_age_seconds: 86400
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/identity.principal.verify.yaml

@@ -0,0 +1,19 @@
+id: identity.principal.verify
+version: 1.0.0
+label: Verify owner binding
+description: Peer can fetch and verify your representation VC, confirming which human principal your agent represents.
+category: identity
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"verify_principal",
+    resource == Principal::"self"
+  );
+consent_text_template: "Let Peer verify who your agent represents."
+obligations_forced: []
+implies:
+  - identity.card.read
+conflicts_with: []
+step_up_required: false

package/scopes/knowledge.query.yaml

@@ -0,0 +1,31 @@
+id: knowledge.query
+version: 1.0.0
+label: Query knowledge base
+description: Peer can query a specific knowledge base and receive token-bounded answers.
+category: notes
+risk: medium
+parameters:
+  - name: kb_id
+    type: ProjectID
+    required: true
+  - name: max_tokens
+    type: Integer
+    required: true
+    default: 8000
+    validation: "100..50000"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"query",
+    resource == KnowledgeBase::"{{kb_id}}"
+  ) when {
+    context.requested_tokens <= {{max_tokens}}
+  };
+consent_text_template: "Query knowledge base {{kb_id}} (up to {{max_tokens}} tokens/response)."
+obligations_forced:
+  - type: summarize_only
+    params:
+      max_words: "{{max_tokens}}"
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/messaging.chat.send.yaml

@@ -0,0 +1,27 @@
+id: messaging.chat.send
+version: 1.0.0
+label: Send chat message
+description: Peer can send chat messages on your behalf within an allowlisted set of channels.
+category: messaging
+risk: medium
+parameters:
+  - name: channel_allowlist
+    type: AttributeList
+    required: true
+    validation: "at-least-one"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"send_chat",
+    resource == ChatChannel
+  ) when {
+    resource.id in {{channel_allowlist_json}}
+  };
+consent_text_template: "Send chat messages on your behalf in: {{channel_allowlist_display}}."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/messaging.email.draft.compose.yaml

@@ -0,0 +1,23 @@
+id: messaging.email.draft.compose
+version: 1.0.0
+label: Compose drafts (no send)
+description: Peer can compose email drafts in your drafts folder without sending them.
+category: messaging
+risk: medium
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"compose_draft",
+    resource == Email::"drafts"
+  );
+  forbid (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"send_email",
+    resource
+  );
+consent_text_template: "Compose email drafts for you to review (no sending)."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/messaging.email.send.reviewed.yaml

@@ -0,0 +1,36 @@
+id: messaging.email.send.reviewed
+version: 1.0.0
+label: Send email (after your review)
+description: Peer drafts emails on your behalf; each send requires your one-tap approval before going out.
+category: messaging
+risk: high
+parameters:
+  - name: recipient_allowlist
+    type: EmailList
+    required: false
+    default: []
+    validation: "rfc5322-or-domain-glob"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"send_email",
+    resource == Email::"outbox"
+  ) when {
+    {{#if recipient_allowlist}}
+    context.recipient_matches_allowlist({{recipient_allowlist_json}})
+    {{else}}
+    true
+    {{/if}}
+  };
+consent_text_template: "Draft and (with your approval) send emails{{#if recipient_allowlist}} to: {{recipient_allowlist_display}}{{/if}}."
+obligations_forced:
+  - type: require_principal_confirmation
+    params:
+      max_age_seconds: 0
+  - type: audit_level
+    params:
+      level: verbose
+implies:
+  - messaging.email.draft.compose
+conflicts_with: []
+step_up_required: true

package/scopes/messaging.email.summary.yaml

@@ -0,0 +1,26 @@
+id: messaging.email.summary
+version: 1.0.0
+label: Email summaries only
+description: Peer receives only summaries of your email threads, never the raw content.
+category: messaging
+risk: medium
+parameters:
+  - name: label_filter
+    type: AttributeList
+    required: false
+    default: []
+    validation: "label-or-folder-name"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"summarize",
+    resource == Email
+  );
+consent_text_template: "Share email summaries (never raw content){{#if label_filter}} for labels: {{label_filter_display}}{{/if}}."
+obligations_forced:
+  - type: summarize_only
+    params:
+      max_words: 250
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/messaging.email.thread.read.yaml

@@ -0,0 +1,29 @@
+id: messaging.email.thread.read
+version: 1.0.0
+label: Read email threads
+description: Peer can read the full contents of email threads matching optional label filters.
+category: messaging
+risk: high
+parameters:
+  - name: label_filter
+    type: AttributeList
+    required: false
+    default: []
+    validation: "label-or-folder-name"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"read",
+    resource == Email
+  ) {{#if label_filter}}when {
+    resource.labels.containsAny({{label_filter_json}})
+  }{{/if}};
+consent_text_template: "Read email thread contents{{#if label_filter}} for labels: {{label_filter_display}}{{/if}}."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies:
+  - messaging.email.summary
+conflicts_with: []
+step_up_required: true

package/scopes/messaging.relay.to_principal.yaml

@@ -0,0 +1,22 @@
+id: messaging.relay.to_principal
+version: 1.0.0
+label: Relay message to owner
+description: Peer can ask your agent to relay a short message to you (the principal).
+category: messaging
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"relay_to_principal",
+    resource == Principal::"self"
+  );
+consent_text_template: "Let Peer send you short relayed messages."
+obligations_forced:
+  - type: rate_limit
+    params:
+      window: hour
+      max: 10
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/notes.read.yaml

@@ -0,0 +1,25 @@
+id: notes.read
+version: 1.0.0
+label: Read notes
+description: Peer can read full note contents in a specific collection.
+category: notes
+risk: medium
+parameters:
+  - name: collection_id
+    type: ProjectID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"read",
+    resource in Collection::"{{collection_id}}"
+  );
+consent_text_template: "Read notes in collection {{collection_id}}."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies:
+  - notes.search
+conflicts_with: []
+step_up_required: false

package/scopes/notes.search.yaml

@@ -0,0 +1,24 @@
+id: notes.search
+version: 1.0.0
+label: Search notes
+description: Peer can search notes within a collection and receive title+snippet matches.
+category: notes
+risk: medium
+parameters:
+  - name: collection_id
+    type: ProjectID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"search",
+    resource in Collection::"{{collection_id}}"
+  );
+consent_text_template: "Search notes in collection {{collection_id}}."
+obligations_forced:
+  - type: summarize_only
+    params:
+      max_words: 100
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/notes.write.yaml

@@ -0,0 +1,32 @@
+id: notes.write
+version: 1.0.0
+label: Create/update notes
+description: Peer can create and update notes in a collection, up to a daily cap.
+category: notes
+risk: medium
+parameters:
+  - name: collection_id
+    type: ProjectID
+    required: true
+  - name: max_per_day
+    type: Integer
+    required: true
+    default: 100
+    validation: "1..1000"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action in [Action::"write", Action::"update"],
+    resource in Collection::"{{collection_id}}"
+  ) when {
+    context.notes_written_today < {{max_per_day}}
+  };
+consent_text_template: "Create/update notes in {{collection_id}} (up to {{max_per_day}}/day)."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies:
+  - notes.read
+conflicts_with: []
+step_up_required: false

package/scopes/payments.authorize.capped.yaml

@@ -0,0 +1,37 @@
+id: payments.authorize.capped
+version: 1.0.0
+label: Authorize payments up to a cap
+description: Peer can trigger x402 payments up to the per-transaction and rolling 30-day caps you set.
+category: payments
+risk: high
+parameters:
+  - name: max_per_txn_usd
+    type: Decimal
+    required: true
+    default: 5
+    validation: "0.01..1000"
+  - name: max_per_30d_usd
+    type: Decimal
+    required: true
+    default: 50
+    validation: "0.01..10000"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"authorize_payment",
+    resource == Wallet::"primary"
+  ) when {
+    context.quoted_price_usd <= {{max_per_txn_usd}} &&
+    context.spend_last_30d_usd + context.quoted_price_usd <= {{max_per_30d_usd}}
+  };
+consent_text_template: "Pay up to ${{max_per_txn_usd}} per request, ${{max_per_30d_usd}} total per 30 days."
+obligations_forced:
+  - type: notify_principal
+    params: {}
+  - type: audit_level
+    params:
+      level: verbose
+implies: []
+conflicts_with: []
+tier_gate: self_xyz.verified_human
+step_up_required: true

package/scopes/payments.history.read.yaml

@@ -0,0 +1,28 @@
+id: payments.history.read
+version: 1.0.0
+label: Read past transactions
+description: Peer can read your payment history for the past N days.
+category: payments
+risk: medium
+parameters:
+  - name: days_back
+    type: Integer
+    required: true
+    default: 30
+    validation: "1..365"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"read",
+    resource == PaymentHistory::"self"
+  ) when {
+    context.query_window_days <= {{days_back}}
+  };
+consent_text_template: "Read payment history for the past {{days_back}} days."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/payments.quote.request.yaml

@@ -0,0 +1,18 @@
+id: payments.quote.request
+version: 1.0.0
+label: Request a price quote
+description: Peer can request a price quote for an action or purchase (quote only, no payment).
+category: payments
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"request_quote",
+    resource == Wallet::"primary"
+  );
+consent_text_template: "Let Peer request a price quote (no payment)."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/payments.refund.request.yaml

@@ -0,0 +1,24 @@
+id: payments.refund.request
+version: 1.0.0
+label: Request refund
+description: Peer can request a refund against a prior payment.
+category: payments
+risk: medium
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"request_refund",
+    resource == Payment
+  );
+consent_text_template: "Let Peer request a refund on a prior payment."
+obligations_forced:
+  - type: require_principal_confirmation
+    params:
+      max_age_seconds: 0
+  - type: audit_level
+    params:
+      level: verbose
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/tasks.assign.yaml

@@ -0,0 +1,27 @@
+id: tasks.assign
+version: 1.0.0
+label: Assign tasks to humans
+description: Peer can assign tasks in a project to specific people.
+category: tasks
+risk: high
+parameters:
+  - name: project_id
+    type: ProjectID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"assign",
+    resource in Project::"{{project_id}}"
+  );
+consent_text_template: "Assign tasks to people in project {{project_id}}."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+  - type: notify_principal
+    params: {}
+implies:
+  - tasks.read
+conflicts_with: []
+step_up_required: true

package/scopes/tasks.create.yaml

@@ -0,0 +1,31 @@
+id: tasks.create
+version: 1.0.0
+label: Create tasks
+description: Peer can create tasks in a project, up to a daily cap.
+category: tasks
+risk: medium
+parameters:
+  - name: project_id
+    type: ProjectID
+    required: true
+  - name: max_per_day
+    type: Integer
+    required: true
+    default: 50
+    validation: "1..500"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"create",
+    resource in Project::"{{project_id}}"
+  ) when {
+    context.tasks_created_today < {{max_per_day}}
+  };
+consent_text_template: "Create tasks in {{project_id}} (up to {{max_per_day}}/day)."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/tasks.list.yaml

@@ -0,0 +1,21 @@
+id: tasks.list
+version: 1.0.0
+label: List tasks
+description: Peer can list tasks within a project.
+category: tasks
+risk: low
+parameters:
+  - name: project_id
+    type: ProjectID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"list",
+    resource in Project::"{{project_id}}"
+  );
+consent_text_template: "List tasks in project {{project_id}}."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/tasks.read.yaml

@@ -0,0 +1,22 @@
+id: tasks.read
+version: 1.0.0
+label: Read task details
+description: Peer can read details (title, status, assignee, due) of tasks within a project.
+category: tasks
+risk: low
+parameters:
+  - name: project_id
+    type: ProjectID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"read",
+    resource in Project::"{{project_id}}"
+  );
+consent_text_template: "Read task details in project {{project_id}}."
+obligations_forced: []
+implies:
+  - tasks.list
+conflicts_with: []
+step_up_required: false

package/scopes/tasks.status.update.yaml

@@ -0,0 +1,22 @@
+id: tasks.status.update
+version: 1.0.0
+label: Update task status
+description: Peer can update the status (open/in-progress/done) of tasks in a project.
+category: tasks
+risk: medium
+parameters:
+  - name: project_id
+    type: ProjectID
+    required: true
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"update_status",
+    resource in Project::"{{project_id}}"
+  );
+consent_text_template: "Update task status in {{project_id}}."
+obligations_forced: []
+implies:
+  - tasks.read
+conflicts_with: []
+step_up_required: false