scope-guard
Use when a task must stay inside a narrow file or directory boundary, or when risky commands need an explicit stop rule — define the writable surface first so the agent does not drift.
Best use case
scope-guard is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Use when a task must stay inside a narrow file or directory boundary, or when risky commands need an explicit stop rule — define the writable surface first so the agent does not drift.
Teams using scope-guard should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/scope-guard/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How scope-guard Compares
| Feature / Agent | scope-guard | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Use when a task must stay inside a narrow file or directory boundary, or when risky commands need an explicit stop rule — define the writable surface first so the agent does not drift.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Scope Guard Scope Guard is a Copilot-native way to reduce blast radius. It combines explicit file ownership, prompt-level boundaries, and approval checkpoints so the agent treats one area as writable and everything else as read-only unless you reopen the scope. ## Why This is Copilot-Exclusive Copilot CLI does not expose Claude-style hook permissions, but it does combine several useful primitives: - **Plan Mode approval** before execution starts - **Task delegation** where each agent gets its own brief - **Prompt-scoped ownership** for exact paths, files, and stop conditions This skill packages those primitives into a repeatable guardrail pattern for risky or tightly scoped work. ## When to Use - Production code, infrastructure, migrations, auth, billing, or other high-risk surfaces - Refactors that should stay inside one directory or file set - Parallel agent work where each agent must own a separate writable area - Tasks that may involve destructive commands and need a pause before execution ## When NOT to Use | Instead of scope-guard | Use | |------------------------|-----| | You need full branch- or filesystem-level isolation | `workflow/using-git-worktrees` | | You want broad autonomous execution after the plan is approved | `copilot-exclusive/autopilot-patterns` | | The task is read-only research with no file edits | Do a normal explore pass or use `context-prime` to load the relevant files first | ## Prerequisites - Know the exact writable path or file list - Decide what counts as a risky command for this task - Have a rollback path if the work matters enough to isolate further ## Modes | Mode | Intent | Behavior | |------|--------|----------| | **Careful** | Risk warning | The agent must stop and ask before running destructive or high-impact commands | | **Freeze** | Path lock | The agent may read broadly, but may only edit inside the named path or file list | | **Guard** | Careful + Freeze | The agent stays inside the approved writable surface and pauses before risky commands | ## Workflow ### 1. Define the writable surface Name the exact path, file set, or ownership boundary before any edits begin: ```text Only modify files under src/payments/. You may read other files for context, but do not edit, create, or delete anything outside that path. ``` If the task spans multiple owned areas, list them explicitly. ### 2. Choose the mode **Careful** when the surface is broad but the commands are risky: ```text Work across the approved files normally, but stop and ask before any destructive command, dependency change, schema migration, force push, or file deletion. ``` Treat wrapper-prefixed commands as the same risk as the underlying command. `env ...`, `sudo ...`, `watch ...`, `ionice ...`, and `setsid ...` do not make a risky action safe. Likewise, treat `find -exec` and `find -delete` as explicit stop-and-review cases, not routine discovery commands. **Freeze** when the path boundary matters more than the command type: ```text You may only write to docs/api/. Read other files if needed, but do not edit outside docs/api/. ``` **Guard** when both constraints matter: ```text Use Guard mode for this task. Writable surface: infra/terraform/. Stop and ask before any delete, rename, state import, or other destructive infrastructure action. ``` ### 3. Add a plan checkpoint for risky work For high-risk changes, review the plan before execution: ```text Enter Plan Mode first. List every file you expect to touch and any risky commands you might need. Do not execute until that scope is approved. ``` This turns the plan itself into the first guardrail. ### 4. Re-brief each delegated agent separately Do not assume one agent's scope automatically applies to another. Restate the ownership boundary for every background or parallel agent: ```text Owned path: packages/billing/ Do not touch shared CI, lockfiles, or docs. If the fix requires an out-of-scope edit, stop and report the blocker. ``` ### 5. Remove the guard explicitly When the restriction is no longer needed, say so plainly: ```text Scope restriction removed. You may now edit any necessary files for the next task. ``` Do not rely on the agent to infer that the boundary changed. ## Practical Guardrails - Name both the **allowed paths** and the **forbidden shared surfaces** - Tell the agent what to do on a scope violation: **stop and report** - Pair large or destructive tasks with a branch or worktree - Review the diff before merging, even when the guard held - Write risky-command rules in terms of the real action, not only the first token. For example, `sudo rm -rf`, `env NODE_ENV=prod npm run migrate`, and `find . -delete` should all follow the same pause rules as their underlying destructive command ## Related Skills - [`plan-mode-mastery`](../plan-mode-mastery/SKILL.md) — approve file scope before execution - [`autopilot-patterns`](../autopilot-patterns/SKILL.md) — run autonomously after the boundary is clear - [`fleet-parallel`](../fleet-parallel/SKILL.md) — assign separate writable surfaces per agent - [`using-git-worktrees`](../../workflow/using-git-worktrees/SKILL.md) — move from logical scope limits to physical checkout isolation
Related Skills
verification-before-completion
Use before claiming any task is done — run the exact command that proves the fix works, read the output, and only then report success.
using-git-worktrees
Use when you need multiple branches checked out at once — create isolated working directories for parallel development without cloning the repository repeatedly
triage
Use when a single issue needs structured triage — classify it, reproduce if needed, request missing information, and leave a durable brief or close-out note in the tracker.
to-issues
Use when a plan, spec, or PRD must become an actionable backlog — break it into thin dependency-aware issues that each deliver a verifiable vertical slice
sprint-workflow
Use when starting a new feature, refactor, or multi-step dev task — runs the full sprint cycle (Think → Plan → Build → Review → Test → Ship → Monitor) using Copilot CLI's plan/autopilot modes.
sprint-retro
Use at the end of a sprint to run a data-driven retrospective — analyzes session history and git metrics to surface what shipped, what slowed you down, and concrete improvements.
security-audit
Use when a codebase needs a formal security audit beyond a quick scan — applies OWASP Top 10 and STRIDE threat modeling from a CSO perspective to surface systemic vulnerabilities.
release
Use when a sprint or feature is complete and ready to ship — tags the version, generates GitHub Release notes, runs rollout or smoke verification, and publishes to npm/PyPI/Docker registries.
prompt-optimizer
Use when a rough prompt, vague idea, or task description needs to become a finished copy-pasteable prompt for a chat-based LLM - rewrite it into one ready-to-send prompt with no blanks, no placeholders, and a clear output shape.
outside-voice
Use when you need an independent second opinion before, during, or after implementation — run challenge, consult, or review mode in a direct builder-to-builder voice
llm-wiki
Use when research or domain knowledge keeps getting rediscovered across sessions — build a supplementary markdown wiki that compounds synthesized knowledge without replacing GitHub or committed project guidance
interview-me
Use when a request is underspecified and you need to discover what the user actually wants before writing a plan, spec, or code - ask one question at a time, attach your current hypothesis, and stop only after the intent is explicitly confirmed.