playbooks

home / skills / ruvnet / ruflo / claims

claims skill

/.agents/skills/claims

This skill enforces claims-based authorization for multi-agent coordination, granting, revoking, and verifying permissions to secure operations and access

npx playbooks add skill ruvnet/ruflo --skill claims

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
1.6 KB
---
name: claims
description: >
  Claims-based authorization for agents and operations. Grant, revoke, and verify permissions for secure multi-agent coordination.
  Use when: permission management, access control, secure operations, authorization checks.
  Skip when: open access, no security requirements, single-agent local work.
---

# Claims Authorization Skill

## Purpose
Claims-based authorization for secure agent operations and access control.

## Claim Types

| Claim | Description |
|-------|-------------|
| `read` | Read file access |
| `write` | Write file access |
| `execute` | Command execution |
| `spawn` | Agent spawning |
| `memory` | Memory access |
| `network` | Network access |
| `admin` | Administrative operations |

## Commands

### Check Claim
```bash
npx claude-flow claims check --agent agent-123 --claim write
```

### Grant Claim
```bash
npx claude-flow claims grant --agent agent-123 --claim write --scope "/src/**"
```

### Revoke Claim
```bash
npx claude-flow claims revoke --agent agent-123 --claim write
```

### List Claims
```bash
npx claude-flow claims list --agent agent-123
```

## Scope Patterns

| Pattern | Description |
|---------|-------------|
| `*` | All resources |
| `/src/**` | All files in src |
| `/config/*.toml` | TOML files in config |
| `memory:patterns` | Patterns namespace |

## Security Levels

| Level | Claims |
|-------|--------|
| `minimal` | read only |
| `standard` | read, write, execute |
| `elevated` | + spawn, memory |
| `admin` | all claims |

## Best Practices
1. Follow principle of least privilege
2. Scope claims to specific resources
3. Audit claim usage regularly
4. Revoke claims when no longer needed

Overview

This skill implements claims-based authorization to manage permissions for agents and operations. It lets you grant, revoke, inspect, and list claims scoped to resources, enabling secure multi-agent coordination and fine-grained access control. Use it to enforce least-privilege policies across distributed agent workflows.

How this skill works

The skill tracks a set of named claims (read, write, execute, spawn, memory, network, admin) and applies optional resource scope patterns for each grant. Commands let you check whether an agent has a specific claim, grant or revoke claims with scope patterns, and enumerate active claims for an agent. Security levels map to bundled claim sets (minimal, standard, elevated, admin) for quick provisioning.

When to use it

  • When coordinating multiple agents that need different access rights to files, network, or memory.
  • When enforcing least-privilege access in production multi-agent workflows.
  • When onboarding or offboarding agents and needing to audit or revoke permissions.
  • When implementing conditional authorization for operations like spawn or execute.
  • When you need scoped resource permissions (e.g., only /src/** or specific config files).

Best practices

  • Apply the principle of least privilege: grant only required claims and scopes.
  • Use scoped patterns (e.g., /src/**, /config/*.toml) instead of global '*' where possible.
  • Prefer security levels for common roles but customize scopes for sensitive agents.
  • Audit claim usage regularly and revoke unused claims promptly.
  • Log claim changes and checks to support incident investigation and compliance.

Example use cases

  • Grant a build agent write access to /src/** and execute for running tests, then revoke after CI completes.
  • Restrict an analytics agent to read-only access to a dataset directory and memory read for cached context.
  • Deny network access to experimental agents while allowing spawn privileges for sandboxed sub-agents.
  • Provision an admin role with elevated or admin security level for maintenance windows, then remove it afterwards.
  • Check claims before performing sensitive operations (file edits, command execution, or spawning agents).

FAQ

Which claim should I use for running commands?

Use the execute claim for command execution; combine with write if commands modify files.

How do scope patterns work?

Scope patterns support wildcards like * and ** to limit a claim to specific resources (e.g., /src/** or /config/*.toml).