OpenScope plan claude-code-local-broker

source: docs/examples/claude-code/setup.proposal.yaml
sha256: 1dcb9b98e17fadf85ca70c137743c4c9797a8318f9d2dd4dc8761f5177df139f
machine: randy @ Randys-Mac-mini-2.local (darwin) · daemon: running
bounds: default (no bounds.yaml — opinionated defaults)

⛔ BLOCKED — 2 bounds violation(s). apply will refuse until resolved.

AI-AUTHORED METADATA — untrusted, not used in the review

tool claude-code · model claude-fable-5 · session 8d5656ce

Seed config for the claude-code agent, derived from a mining pass over ~/.claude session history (10,560 commands). Everything was observed in use.

Changes vs live config

Area	Change
ssh targets	+4 add, -0 remove
system allow-lists	first write (was empty) — 3 mgrs · 6 pkgs · 2 svcs · 7 procs · 4 ports
policy rules	+35 allow, +3 deny (new vs live)

This proposal only ADDS access; nothing is narrowed or removed.

What it will be able to do (from typed fields)

Agent	App · Action	Scope
claude-code	ssh·check_host	target=kidfence-prod
claude-code	ssh·check_host	target=kidfence-www
claude-code	ssh·check_host	target=openscope-demo
claude-code	ssh·check_host	target=trusted-ds
claude-code	ssh·host_metrics	target=kidfence-prod
claude-code	ssh·host_metrics	target=kidfence-www
claude-code	ssh·host_metrics	target=openscope-demo
claude-code	ssh·host_metrics	target=trusted-ds
claude-code	ssh·list_dir	target=kidfence-prod
claude-code	ssh·list_dir	target=kidfence-www
claude-code	ssh·list_dir	target=openscope-demo
claude-code	ssh·list_dir	target=trusted-ds
claude-code	ssh·read_file	target=kidfence-prod
claude-code	ssh·read_file	target=kidfence-www
claude-code	ssh·read_file	target=openscope-demo
claude-code	ssh·read_file	target=trusted-ds
claude-code	ssh·restart_service	target=trusted-ds
claude-code	ssh·restart_service	service=openscoped target=openscope-demo
claude-code	ssh·restart_service	service=nginx target=kidfence-prod
claude-code	ssh·service_status	target=kidfence-prod
claude-code	ssh·service_status	target=openscope-demo
claude-code	ssh·service_status	target=trusted-ds
claude-code	ssh·tail_logs	target=kidfence-prod
claude-code	ssh·tail_logs	target=openscope-demo
claude-code	ssh·tail_logs	target=trusted-ds
claude-code	system·build	ALL (scoped by admin allow-lists)
claude-code	system·check_port	ALL (scoped by admin allow-lists)
claude-code	system·manage_apps	ALL (scoped by admin allow-lists)
claude-code	system·manage_files	ALL (scoped by admin allow-lists)
claude-code	system·manage_packages	manager=brew
claude-code	system·manage_packages	manager=pip3
claude-code	system·manage_packages	manager=npm
claude-code	system·manage_processes	ALL (scoped by admin allow-lists)
claude-code	system·manage_services	ALL (scoped by admin allow-lists)
claude-code	system·release_port	ALL (scoped by admin allow-lists)

Findings ⛔ 2 blocking · 🔴 7 high · 🟡 7 medium · ⚪ 4 warn · ✅ 2 pass

Severity	Rule	Resource	Summary
🔴 HIGH	SSH-ROOT-USER	kidfence-prod (api.kidfence.ai)	logs in as root — every action runs with full root on this host
🔴 HIGH	SSH-ROOT-USER	kidfence-www (kidfence.ai)	logs in as root — every action runs with full root on this host
🔴 HIGH	SSH-ROOT-USER	openscope-demo (demo.openscopeai.com)	logs in as root — every action runs with full root on this host
🔴 HIGH	SSH-ROOT-USER	trusted-ds (openscopeai.org)	logs in as root — every action runs with full root on this host
⛔ BLOCK	SSH-SECRET-PATH	kidfence-prod:/etc/nginx	read access reaches secrets at /etc/nginx/ssl
🔴 HIGH	SSH-DISRUPTIVE	kidfence-prod	may restart services — a one-command outage on a production host
🔴 HIGH	SSH-DISRUPTIVE	openscope-demo	may restart services — a one-command outage on a production host
🔴 HIGH	SSH-DISRUPTIVE	trusted-ds	may restart services — a one-command outage on a production host
⛔ BLOCK	SYS-APP-CODEEXEC	3 agent-writable source(s)	manage_apps installs+launches into /Applications from /Users/randy/Library/Developer/Xcode/DerivedData (owned by uid 501 (not root)); /Volumes/2TB-1/src (owned by uid 501 (not root)); /tmp (world-writable) — arbitrary code execution as your user
🟡 MEDIUM	SSH-FILE-SECRET	kidfence-prod:/opt/kidfence/compose.yml	compose.yml commonly inlines secrets/env — read grant exposes them
🟡 MEDIUM	SSH-BROAD-PREFIX	kidfence-prod:/var/log	broad read prefix — credentials can leak into files here
🟡 MEDIUM	SSH-WEBROOT-CONFIG	kidfence-prod:/var/www/kidfence.ai	web root — read may expose app config such as .env
🟡 MEDIUM	SSH-WEBROOT-CONFIG	kidfence-www:/var/www/kidfence.ai	web root — read may expose app config such as .env
🟡 MEDIUM	SSH-BROAD-PREFIX	openscope-demo:/var/log	broad read prefix — credentials can leak into files here
🟡 MEDIUM	SSH-BROAD-PREFIX	trusted-ds:/var/log	broad read prefix — credentials can leak into files here
🟡 MEDIUM	SYS-DISRUPTIVE	manage_processes	kill-by-PID enabled with broad process names — local DoS surface
⚠️ WARN	SSH-KEY-EXPOSED	kidfence-prod	no identity_file — ssh uses ~/.ssh, readable by the agent
⚠️ WARN	SSH-KEY-EXPOSED	kidfence-www	no identity_file — ssh uses ~/.ssh, readable by the agent
⚠️ WARN	SSH-KEY-EXPOSED	openscope-demo	no identity_file — ssh uses ~/.ssh, readable by the agent
⚠️ WARN	SSH-KEY-EXPOSED	trusted-ds	no identity_file — ssh uses ~/.ssh, readable by the agent
✅ PASS	SYS-NO-SUDO	packages	no sudo-enabled managers — no NOPASSWD sudoers wildcards generated
✅ PASS	POLICY-DENY-PRESENT	policy	3 defense-in-depth deny rules present (deny overrides allow)

Fixes for blocking findings

SSH-SECRET-PATH narrow to specific non-secret files instead of this prefix
SYS-APP-CODEEXEC remove manage_apps install/launch, or use a root-owned source prefix

Bounds (root-owned envelope)

Check	Status	Detail
no_sudo_managers	✅ pass	0 found
ssh.read_path_reaches_secret	⛔ FAIL	1 found
system.app_install_from_writable_source	⛔ FAIL	1 found
max_targets_per_agent	✅ pass	≤ 16
ssh.root_user	⚠️ acknowledge	4 to confirm