@kybernesis/arp-scope-catalog 0.2.0

package/scopes/tools.invoke.mutating.yaml

@@ -0,0 +1,37 @@
+id: tools.invoke.mutating
+version: 1.0.0
+label: Invoke tools with side effects
+description: Peer can invoke specific tools on your MCP server that cause changes (not just reads).
+category: tools
+risk: high
+parameters:
+  - name: tool_allowlist
+    type: ToolIDList
+    required: true
+    validation: "at-least-one"
+  - name: max_per_day
+    type: Integer
+    required: true
+    default: 20
+    validation: "1..1000"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"invoke_tool",
+    resource == Tool
+  ) when {
+    resource.id in {{tool_allowlist_json}} &&
+    context.requests_last_day <= {{max_per_day}}
+  };
+consent_text_template: "Use these tools on your behalf (max {{max_per_day}}/day): {{tool_allowlist_display}}."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+  - type: rate_limit
+    params:
+      window: day
+      max: "{{max_per_day}}"
+implies: []
+conflicts_with: []
+step_up_required: true

package/scopes/tools.invoke.read.yaml

@@ -0,0 +1,28 @@
+id: tools.invoke.read
+version: 1.0.0
+label: Invoke read-only tools
+description: Peer can invoke read-only (no-side-effect) tools on your MCP server, restricted to an allowlist.
+category: tools
+risk: medium
+parameters:
+  - name: tool_allowlist
+    type: ToolIDList
+    required: true
+    validation: "at-least-one"
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"invoke_tool",
+    resource == Tool
+  ) when {
+    resource.id in {{tool_allowlist_json}} &&
+    resource.readonly == true
+  };
+consent_text_template: "Invoke these read-only tools on your behalf: {{tool_allowlist_display}}."
+obligations_forced:
+  - type: audit_level
+    params:
+      level: verbose
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/work.projects.list.yaml

@@ -0,0 +1,18 @@
+id: work.projects.list
+version: 1.0.0
+label: Current active projects
+description: Peer can see the list of projects you're actively working on (names only).
+category: work
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"list",
+    resource == WorkProjects::"self"
+  );
+consent_text_template: "Share the list of your active projects."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false

package/scopes/work.reports.summary.yaml

@@ -0,0 +1,29 @@
+id: work.reports.summary
+version: 1.0.0
+label: Generate status summary
+description: Peer can ask your agent to generate a status summary for a bounded time period.
+category: work
+risk: medium
+parameters:
+  - name: period
+    type: Enum
+    required: true
+    default: "week"
+    validation: ["day", "week", "month", "quarter"]
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"summarize",
+    resource == WorkReport::"self"
+  ) when {
+    context.period == "{{period}}"
+  };
+consent_text_template: "Generate a {{period}} work status summary."
+obligations_forced:
+  - type: summarize_only
+    params:
+      max_words: 1000
+implies:
+  - work.status.read
+conflicts_with: []
+step_up_required: false

package/scopes/work.status.read.yaml

@@ -0,0 +1,18 @@
+id: work.status.read
+version: 1.0.0
+label: Current work status
+description: Peer can see your current work status (available, busy, out-of-office).
+category: work
+risk: low
+parameters: []
+cedar_template: |
+  permit (
+    principal == Agent::"{{audience_did}}",
+    action == Action::"read",
+    resource == WorkStatus::"self"
+  );
+consent_text_template: "Share your current work status (available/busy/OOO)."
+obligations_forced: []
+implies: []
+conflicts_with: []
+step_up_required: false