agent-security-lens 0.1.0

package/data/intelligence/security-evaluation-standard.json

@@ -0,0 +1,221 @@
+{
+  "schema_version": "0.2.0",
+  "updated_at": "2026-06-15T00:00:00.000Z",
+  "standard_id": "asl-agent-component-safety-standard",
+  "model_version": "asl-safety-standard@0.2.0",
+  "principle": "ASL evaluates a component in a specific installation context. Capability exposure is not proof of malicious intent; decisions combine exposure, verified controls, supply-chain trust, evidence confidence and confirmed incidents.",
+  "exposure_contexts": {
+    "runtime_exposure": {
+      "weight": 1,
+      "meaning": "Executable source or runtime configuration on the default component path."
+    },
+    "install_exposure": {
+      "weight": 0.85,
+      "meaning": "Installation, setup, build or deployment behavior."
+    },
+    "documented_optional_capability": {
+      "weight": 0.45,
+      "meaning": "Capability documented in examples, tests or optional bundled instructions."
+    },
+    "supply_chain_exposure": {
+      "weight": 0.35,
+      "meaning": "Dependency, manifest or publication metadata exposure."
+    },
+    "repository_maintenance_activity": {
+      "weight": 0,
+      "meaning": "Repository CI or release activity retained as evidence but excluded from installed-component runtime risk."
+    }
+  },
+  "score_dimensions": {
+    "exposure_risk": {
+      "direction": "higher_is_more_exposed",
+      "range": [0, 100],
+      "meaning": "Potential impact of the capabilities the component can exercise."
+    },
+    "control_strength": {
+      "direction": "higher_is_better",
+      "range": [0, 100],
+      "meaning": "Controls already verified for the proposed installation. Recommended controls do not count until applied."
+    },
+    "supply_chain_trust": {
+      "direction": "higher_is_better",
+      "range": [0, 100],
+      "meaning": "Source identity, version pinning, release provenance, maintenance and dependency transparency."
+    },
+    "evidence_confidence": {
+      "direction": "higher_is_better",
+      "range": [0, 100],
+      "meaning": "Completeness, reliability, reproducibility and independent review of ASL evidence."
+    },
+    "incident_risk": {
+      "direction": "higher_is_more_severe",
+      "range": [0, 100],
+      "meaning": "Version-scoped, deduplicated and corroborated security incidents. General sentiment is auxiliary only."
+    }
+  },
+  "review_levels": {
+    "L0_discovered": "Source discovered; no security decision.",
+    "L1_auto_assessed": "Automated metadata or static assessment; cannot authorize automatic installation.",
+    "L2_evidence_reviewed": "Versioned evidence, technical scan, community-source check and independent recalculation completed.",
+    "L3_runtime_validated": "L2 plus controlled runtime or sandbox validation.",
+    "L4_continuously_monitored": "L3 plus active version, incident and source-change monitoring."
+  },
+  "component_states": {
+    "cataloged": "Discovered from a source. Not reviewed.",
+    "triaged": "Basic metadata and source have been checked.",
+    "scanned": "Static risk signals have been extracted.",
+    "review_pending": "Waiting for ASL team review.",
+    "reviewed": "Reviewed with evidence and a machine-readable decision.",
+    "published": "Served to agents through ASL intelligence API.",
+    "deprecated": "Outdated or superseded.",
+    "archived": "No longer active or duplicate."
+  },
+  "permission_model": [
+    "shell-execution",
+    "subprocess-spawn",
+    "remote-code-install",
+    "filesystem-read",
+    "filesystem-write",
+    "credential-access",
+    "browser-access",
+    "network-access",
+    "database-access",
+    "repository-write",
+    "message-write",
+    "workflow-automation",
+    "background-execution",
+    "data-retention",
+    "multi-agent-delegation",
+    "third-party-integration"
+  ],
+  "risk_domains": [
+    {
+      "id": "execution-risk",
+      "weight": -25,
+      "signals": ["shell-execution", "subprocess-spawn", "remote-code-install", "docker-runtime"]
+    },
+    {
+      "id": "data-exposure-risk",
+      "weight": -22,
+      "signals": ["credential-access", "filesystem-read", "browser-access", "database-access", "data-retention"]
+    },
+    {
+      "id": "remote-access-risk",
+      "weight": -16,
+      "signals": ["network-access", "external-api", "webhook", "remote-mcp-endpoint"]
+    },
+    {
+      "id": "delegation-risk",
+      "weight": -14,
+      "signals": ["multi-agent-delegation", "tool-chaining", "third-party-integration"]
+    },
+    {
+      "id": "persistence-automation-risk",
+      "weight": -18,
+      "signals": ["workflow-automation", "background-execution", "scheduled-trigger"]
+    },
+    {
+      "id": "instruction-injection-risk",
+      "weight": -20,
+      "signals": ["hidden-instruction", "override-rules", "ignore-safety", "prompt-injection-pattern"]
+    }
+  ],
+  "trust_signals": [
+    {
+      "id": "source-official-or-known-org",
+      "weight": 12,
+      "source": "github_metadata"
+    },
+    {
+      "id": "active-maintenance",
+      "weight": 8,
+      "source": "commit_history"
+    },
+    {
+      "id": "transparent-permissions",
+      "weight": 10,
+      "source": "documentation_review"
+    },
+    {
+      "id": "signed-release-or-pinned-version",
+      "weight": 8,
+      "source": "release_metadata"
+    },
+    {
+      "id": "high-community-adoption",
+      "weight": 6,
+      "source": "popularity_signal"
+    },
+    {
+      "id": "negative-community-reports",
+      "weight": -18,
+      "source": "sentiment_monitoring"
+    },
+    {
+      "id": "unresolved-security-issues",
+      "weight": -16,
+      "source": "issue_monitoring"
+    },
+    {
+      "id": "unknown-maintainer",
+      "weight": -10,
+      "source": "metadata_gap"
+    }
+  ],
+  "source_reliability": {
+    "official_registry": 0.95,
+    "official_github_org": 0.9,
+    "github_metadata": 0.75,
+    "package_registry": 0.75,
+    "directory_listing": 0.65,
+    "community_report": 0.55,
+    "social_media": 0.45,
+    "unverified_blog": 0.35
+  },
+  "sentiment_monitoring": {
+    "sources": ["GitHub issues", "GitHub discussions", "Reddit", "Hacker News", "V2EX", "X/Twitter", "YouTube/Bilibili comments", "WeChat public articles"],
+    "negative_terms": [
+      "stole token",
+      "leaked key",
+      "unexpected shell",
+      "hidden download",
+      "malicious",
+      "unsafe",
+      "suspicious",
+      "prompt injection",
+      "credential leak",
+      "cookie",
+      "backdoor"
+    ],
+    "positive_terms": ["read-only", "scoped token", "sandbox", "signed release", "permission documented"],
+    "fields": ["mention_count", "negative_count", "positive_count", "source_reliability", "sample_urls", "last_seen_at"],
+    "rule": "Sentiment is an auxiliary risk signal. It never alone proves a component is malicious."
+  },
+  "decision_thresholds": {
+    "allow": "Only when evidence is reviewed, residual risk is low, supply-chain trust is sufficient and required controls are verified.",
+    "allow_with_restrictions": "Evidence is reviewed and the installation is acceptable only after listed controls are applied.",
+    "ask_user": "Evidence is incomplete, required controls are missing or the proposed context remains highly exposed.",
+    "avoid": "A hard failure or confirmed unresolved critical incident blocks installation."
+  },
+  "hard_failures": [
+    "credential-theft-confirmed",
+    "hidden-data-exfiltration",
+    "malicious-code-confirmed",
+    "token-passthrough",
+    "known-critical-vulnerability-unmitigated",
+    "version-mismatch",
+    "destructive-action-without-confirmation",
+    "confirmed-critical-security-incident"
+  ],
+  "community_intelligence_policy": {
+    "confidence_rule": "Evidence confidence measures whether relevant sources were systematically checked and records are reproducible. Positive sentiment never proves safety.",
+    "incident_rule": "Negative claims affect incident risk only after component identity, affected version, source independence and technical support are evaluated.",
+    "deduplication_keys": ["canonical_url", "content_hash", "claim_type", "affected_version", "technical_artifact_hash"],
+    "incident_states": ["unverified", "credible", "corroborated", "confirmed", "fixed", "rejected"]
+  },
+  "evidence_requirements": {
+    "cataloged": ["source_url", "collected_at", "source_type"],
+    "reviewed": ["source_url", "install_or_usage_docs", "permission_or_capability_evidence", "risk_signals", "safe_install_plan"],
+    "published": ["reviewed_record", "decision", "trust_score", "version_or_time_window", "reviewer_or_team"]
+  }
+}

package/data/recommendations/core/recommendations.json

@@ -0,0 +1,256 @@
+{
+  "id": "core-recommendations",
+  "version": "0.1.0",
+  "status": "draft",
+  "recommendations": [
+    {
+      "id": "pin-local-mcp-server",
+      "title": "Replace moving MCP commands with pinned local MCP servers",
+      "type": "replacement",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.62,
+      "rank": 90,
+      "applies_to": {
+        "rule_ids": ["obs-mcp-stdio-process", "mcp-stdio-process-server"],
+        "permissions_any": ["subprocess-spawn", "mcp-tool-access"]
+      },
+      "recommended_actions": [
+        "Verify the MCP package owner before enabling the server.",
+        "Pin the MCP package or executable version."
+      ],
+      "recommended_alternatives": [
+        "Use a local MCP server pinned to a reviewed version.",
+        "Disable unused MCP servers before running the agent."
+      ],
+      "agent_instruction": "Review this MCP server, pin its package or executable version, and disable it if the current task does not require it.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to pin MCP server versions",
+          "command": "Review all MCP stdio servers in this workspace. Pin package or executable versions, then disable any server that is not required for the current workflow.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Restore the previous MCP configuration from version control or the saved assessment snapshot."
+    },
+    {
+      "id": "replace-remote-mcp-with-local",
+      "title": "Use local pinned MCP for sensitive workspaces",
+      "type": "replacement",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.58,
+      "rank": 86,
+      "applies_to": {
+        "rule_ids": ["obs-mcp-remote-endpoint", "mcp-remote-endpoint"],
+        "categories": ["remote-access-risk"],
+        "permissions_any": ["external-endpoint", "network-access", "mcp-tool-access"]
+      },
+      "recommended_actions": [
+        "Verify who operates the remote MCP endpoint.",
+        "Disable remote MCP endpoints for sensitive local repositories."
+      ],
+      "recommended_alternatives": [
+        "Use a local pinned MCP server for sensitive workspaces.",
+        "Use remote MCP only with explicit tool allowlists."
+      ],
+      "agent_instruction": "Disable remote MCP endpoints in this workspace unless the owner is verified and the exposed tools are explicitly allowlisted.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to remove remote MCP endpoints",
+          "command": "Find remote MCP endpoints in this agent configuration. Disable them for sensitive workspace use, or replace them with local pinned MCP servers.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Re-enable the remote endpoint only after recording its owner, purpose and allowed tools."
+    },
+    {
+      "id": "scope-filesystem-access",
+      "title": "Scope filesystem tools to a dedicated workspace",
+      "type": "configuration",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.64,
+      "rank": 88,
+      "applies_to": {
+        "rule_ids": ["obs-mcp-filesystem-capability", "mcp-filesystem-write"],
+        "permissions_any": ["filesystem-read", "filesystem-write"]
+      },
+      "recommended_actions": [
+        "Limit filesystem access to a dedicated project directory.",
+        "Prefer read-only filesystem tools when inspection is enough."
+      ],
+      "recommended_alternatives": [
+        "Use read-only filesystem tooling.",
+        "Use a temporary workspace copy for untrusted agent runs."
+      ],
+      "agent_instruction": "Restrict filesystem MCP access to the current project workspace and switch to read-only mode when write access is not required.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to scope filesystem access",
+          "command": "Review filesystem tool configuration. Limit it to this project directory and remove write access unless the task explicitly needs it.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Restore the previous path scope only after confirming the agent needs broader file access."
+    },
+    {
+      "id": "lock-down-remote-triggers",
+      "title": "Require allowlists for remote trigger channels",
+      "type": "configuration",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.6,
+      "rank": 84,
+      "applies_to": {
+        "rule_ids": ["obs-remote-trigger-config", "openclaw-remote-channel-policy", "hermes-gateway-trigger"],
+        "permissions_any": ["remote-trigger"]
+      },
+      "recommended_actions": [
+        "Set explicit user or group allowlists for remote channels.",
+        "Disable remote trigger channels in sensitive workspaces."
+      ],
+      "recommended_alternatives": [
+        "Use local-only mode for sensitive work.",
+        "Require manual approval before remote messages start agent actions."
+      ],
+      "agent_instruction": "Disable open remote trigger channels or add explicit allowlists before trusting this agent environment.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to lock down remote triggers",
+          "command": "Find remote trigger channels such as Telegram, Discord, gateway or webhook settings. Disable open triggers or add explicit allowlists.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Keep a copy of the original channel settings before changing trigger policies."
+    },
+    {
+      "id": "disable-unreviewed-schedules",
+      "title": "Disable scheduled agent runs until reviewed",
+      "type": "workflow",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.57,
+      "rank": 76,
+      "applies_to": {
+        "rule_ids": ["obs-scheduled-agent-execution", "openclaw-scheduled-task"],
+        "permissions_any": ["scheduled-execution"]
+      },
+      "recommended_actions": [
+        "Review scheduled prompts and allowed tools.",
+        "Disable schedules that can run without active user review."
+      ],
+      "recommended_alternatives": [
+        "Use manual run mode for sensitive tasks.",
+        "Require confirmation before scheduled tasks execute tools."
+      ],
+      "agent_instruction": "Disable scheduled agent execution until each scheduled prompt and its allowed tools have been reviewed.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to disable unreviewed schedules",
+          "command": "Find scheduled agent tasks. Disable any schedule whose prompt and allowed tools have not been reviewed.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Re-enable only the specific schedule that has a reviewed prompt and tool scope."
+    },
+    {
+      "id": "use-scoped-agent-credentials",
+      "title": "Replace personal credentials with scoped agent credentials",
+      "type": "credential",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.66,
+      "rank": 92,
+      "applies_to": {
+        "rule_ids": ["obs-credential-reference", "core-env-reference", "skill-env-requirement"],
+        "permissions_any": ["credential-access", "env-read"]
+      },
+      "recommended_actions": [
+        "Use dedicated low-privilege credentials for agent environments.",
+        "Remove unused secrets from local agent configuration."
+      ],
+      "recommended_alternatives": [
+        "Use scoped tokens with limited repository or workspace access.",
+        "Use read-only tokens when the agent only needs inspection."
+      ],
+      "agent_instruction": "Replace personal or high-privilege credentials with dedicated low-privilege tokens for this agent environment.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to inventory credential use",
+          "command": "List credentials referenced by this agent environment and propose scoped low-privilege replacements before running tools.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Revoke any temporary token created during review if it is no longer needed."
+    },
+    {
+      "id": "review-shell-execution-policy",
+      "title": "Require review for shell-capable agent behavior",
+      "type": "workflow",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.56,
+      "rank": 82,
+      "applies_to": {
+        "rule_ids": ["core-shell-execution"],
+        "permissions_any": ["shell-execution"]
+      },
+      "recommended_actions": [
+        "Review the command source and argument construction.",
+        "Disable shell access when the workflow does not need it."
+      ],
+      "recommended_alternatives": [
+        "Use a sandboxed command runner.",
+        "Use read-only inspection tools instead of shell execution."
+      ],
+      "agent_instruction": "Do not grant shell execution to this agent until the command source, allowed commands and workspace scope are reviewed.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to restrict shell use",
+          "command": "Review shell execution usage in this environment. Disable shell tools unless the task explicitly requires them, and document allowed commands.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Restore shell access only for reviewed tasks and commands."
+    },
+    {
+      "id": "pin-remote-skill-sources",
+      "title": "Pin remote skill sources to reviewed versions",
+      "type": "replacement",
+      "status": "draft",
+      "source": "manual-curated",
+      "confidence": 0.59,
+      "rank": 80,
+      "applies_to": {
+        "rule_ids": ["core-remote-download", "skill-remote-install-source", "hermes-openclaw-migration"],
+        "permissions_any": ["external-download", "skill-installation"]
+      },
+      "recommended_actions": [
+        "Verify the skill source and maintainer.",
+        "Pin skill sources to a commit SHA or signed release."
+      ],
+      "recommended_alternatives": [
+        "Use bundled skills from a reviewed distribution.",
+        "Use a locally vendored skill copy for sensitive workspaces."
+      ],
+      "agent_instruction": "Replace moving remote skill sources with pinned commits or reviewed release artifacts before enabling the skill.",
+      "one_step_commands": [
+        {
+          "title": "Ask the agent to pin remote skill sources",
+          "command": "Find remote skill install sources. Replace moving branches or latest URLs with pinned commits or reviewed release versions.",
+          "platform": "agent-instruction",
+          "requires_confirmation": true
+        }
+      ],
+      "rollback_note": "Keep the previous skill source URL in the assessment record before replacing it."
+    }
+  ]
+}

package/data/trust/signal-taxonomy.json

@@ -0,0 +1,107 @@
+{
+  "id": "trust-signal-taxonomy",
+  "version": "0.1.0",
+  "status": "draft",
+  "signals": [
+    {
+      "id": "static-shell-execution",
+      "title": "Shell execution capability detected",
+      "direction": "negative",
+      "weight": -25,
+      "source_type": "static-analysis",
+      "applies_to": ["agent", "mcp", "skill", "version"],
+      "evidence_required": ["finding_id", "file_path", "line_number", "permission:shell-execution", "permission:subprocess-spawn"],
+      "description": "The entity can execute local commands or delegates to a local process."
+    },
+    {
+      "id": "static-remote-endpoint",
+      "title": "Remote endpoint capability detected",
+      "direction": "negative",
+      "weight": -18,
+      "source_type": "static-analysis",
+      "applies_to": ["agent", "mcp", "skill", "version"],
+      "evidence_required": ["finding_id", "file_path", "line_number", "permission:network-access"],
+      "description": "The entity uses a remote endpoint that can receive data, provide tools or influence agent behavior."
+    },
+    {
+      "id": "static-credential-reference",
+      "title": "Credential reference detected",
+      "direction": "negative",
+      "weight": -18,
+      "source_type": "static-analysis",
+      "applies_to": ["agent", "mcp", "skill", "version"],
+      "evidence_required": ["finding_id", "file_path", "line_number", "permission:credential-access"],
+      "description": "The entity references credentials, tokens or environment variables."
+    },
+    {
+      "id": "static-filesystem-write",
+      "title": "Filesystem write capability detected",
+      "direction": "negative",
+      "weight": -22,
+      "source_type": "static-analysis",
+      "applies_to": ["agent", "mcp", "skill", "version"],
+      "evidence_required": ["finding_id", "file_path", "line_number", "permission:filesystem-write"],
+      "description": "The entity can write to local files or delegates to a tool that can write to local files."
+    },
+    {
+      "id": "github-active-maintenance",
+      "title": "Active maintenance",
+      "direction": "positive",
+      "weight": 10,
+      "source_type": "github",
+      "applies_to": ["agent", "mcp", "skill", "maintainer"],
+      "evidence_required": ["repository_url", "recent_commit_date", "release_or_tag_history"],
+      "description": "The repository appears actively maintained based on recent commits, releases or issue activity."
+    },
+    {
+      "id": "github-verified-organization",
+      "title": "Verified or recognizable organization",
+      "direction": "positive",
+      "weight": 12,
+      "source_type": "github",
+      "applies_to": ["agent", "mcp", "skill", "maintainer"],
+      "evidence_required": ["organization_url", "verification_or_reputation_evidence"],
+      "description": "The maintainer is a verified or recognizable organization with public history."
+    },
+    {
+      "id": "transparency-permission-docs",
+      "title": "Transparent permission documentation",
+      "direction": "positive",
+      "weight": 12,
+      "source_type": "transparency",
+      "applies_to": ["agent", "mcp", "skill", "version"],
+      "evidence_required": ["readme_url_or_path", "permission_section"],
+      "description": "The project explains what permissions, tools, credentials or network endpoints it uses."
+    },
+    {
+      "id": "transparency-pinned-release",
+      "title": "Pinned or signed release available",
+      "direction": "positive",
+      "weight": 10,
+      "source_type": "transparency",
+      "applies_to": ["agent", "mcp", "skill", "version"],
+      "evidence_required": ["release_url", "tag_or_signature_evidence"],
+      "description": "The entity can be installed from a pinned version, release artifact or signed package."
+    },
+    {
+      "id": "community-negative-report",
+      "title": "Negative community report",
+      "direction": "negative",
+      "weight": -25,
+      "source_type": "community",
+      "applies_to": ["agent", "mcp", "skill", "maintainer", "version"],
+      "evidence_required": ["source_url", "report_summary", "accessed_at"],
+      "description": "Community discussion reports suspicious behavior, hidden downloads, unexpected shell usage or credential exposure."
+    },
+    {
+      "id": "manual-reviewed-alternative",
+      "title": "Manually reviewed alternative",
+      "direction": "positive",
+      "weight": 15,
+      "source_type": "manual-review",
+      "applies_to": ["recommendation", "mcp", "skill"],
+      "evidence_required": ["reviewer", "review_date", "review_notes"],
+      "description": "A recommendation or alternative has been manually reviewed against the current taxonomy."
+    }
+  ]
+}

package/docs/asl-agent-component-safety-standard-v0.2.md

@@ -0,0 +1,56 @@
+# ASL Agent Component Safety Standard v0.2
+
+## Evaluation Subject
+
+ASL does not permanently label an MCP, Skill, or Agent as safe or unsafe. It evaluates whether a specific component, version, and source are acceptable under a specific permission, control, and deployment context.
+
+Capability exposure is not proof of malicious intent. Only evidence-backed hard failures or confirmed unresolved critical incidents directly produce `avoid`.
+
+## Dimensions
+
+| Dimension | Range | Meaning |
+|---|---:|---|
+| Exposure Risk | 0-100 | Potential impact of shell, file, credential, browser, network, and background capabilities |
+| Control Strength | 0-100 | Verified isolation, confirmation, least-privilege, and audit controls |
+| Supply Chain Trust | 0-100 | Source identity, version pinning, releases, maintenance, and publication transparency |
+| Evidence Confidence | 0-100 | Evidence completeness, reliability, reproducibility, and independent review |
+| Incident Risk | 0-100 | Severity of deduplicated, version-scoped, and corroborated security incidents |
+
+Recommended mitigations do not increase Control Strength until they are applied and verifiable.
+
+## Exposure Contexts
+
+| Context | Weight | Meaning |
+|---|---:|---|
+| `runtime_exposure` | 1.00 | Executable source or runtime configuration on the default path |
+| `install_exposure` | 0.85 | Installation, setup, build, or deployment behavior |
+| `documented_optional_capability` | 0.45 | Capability shown in documentation, examples, tests, or optional Skills |
+| `supply_chain_exposure` | 0.35 | Dependency, manifest, and publication metadata exposure |
+| `repository_maintenance_activity` | 0.00 | Repository CI and release activity, not installed-component runtime permission |
+
+Maintenance findings remain archived evidence for review and historical comparison.
+
+## Decisions
+
+- `allow`: reviewed evidence, low residual risk, sufficient supply-chain trust, and required controls verified.
+- `allow_with_restrictions`: evidence is sufficient, but returned controls must be applied first.
+- `ask_user`: evidence is incomplete, required controls are missing, or the proposed context remains highly exposed.
+- `avoid`: a hard failure or confirmed unresolved critical incident blocks installation.
+
+Static L2 review alone never authorizes unrestricted installation.
+
+## Evidence Levels
+
+- `L0 Discovered`
+- `L1 Auto Assessed`
+- `L2 Evidence Reviewed`
+- `L3 Runtime Validated`
+- `L4 Continuously Monitored`
+
+## Community and Incident Evidence
+
+Positive sentiment does not prove safety, and ordinary negative comments do not directly reduce the score. ASL checks component identity, affected version, technical support, source independence, and maintainer response. Sentiment is auxiliary; credible incidents enter Incident Risk.
+
+## Reproducibility
+
+Every reviewed record must disclose its component and source, scoring model version, decision, required controls, evidence level, review time, known limitations, and historical versions. Superseded records are archived rather than erased.

package/examples/dot-hermes/.hermes/config.json

@@ -0,0 +1,17 @@
+{
+  "mcp": {
+    "servers": {
+      "remote-tools": {
+        "type": "http",
+        "url": "https://example-hermes.invalid/mcp"
+      }
+    }
+  },
+  "gateway": {
+    "telegram": {
+      "enabled": true,
+      "botToken": "${TELEGRAM_BOT_TOKEN}",
+      "allowed_users": []
+    }
+  }
+}