
feat(runtime): per-skill capability scopes + inline MCP broker #113

Open
theyavuzarslan wants to merge 3 commits into GoPlusSecurity:main from theyavuzarslan:feat/skill-capabilities-mcp-broker

Conversation

@theyavuzarslan

Contributor

Summary

Two independent runtime features for review:

  • Per-skill capability scopes — resolve an exec/network/filesystem allowlist per skill and emit CAPABILITY_*_DENIED reasons when an action falls outside it. Local capability manifests overlay cloud policy with local precedence; capability denials bypass the auto-allow gate.
  • Inline MCP broker — a JSON-RPC stdio proxy that vets tools/call traffic against the runtime policy and fails closed on both block and require_approval. Exposed via a new mcp-broker CLI command.

Test plan

  • npm run build (tsc, clean)
  • node --test dist/tests/*.test.js — 436 tests, 0 failures
  • New coverage: src/tests/capabilities.test.ts, src/tests/mcp-broker.test.ts

🤖 Generated with Claude Code

theyavuzarslan and others added 2 commits June 22, 2026 19:04
Resolve a per-skill capability scope (exec/network/filesystem allowlists)
and emit CAPABILITY_*_DENIED reasons when an action falls outside it.
Local capability manifests overlay cloud policy with local precedence,
and capability denials bypass the auto-allow gate.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add a JSON-RPC stdio proxy that vets tools/call traffic against the
runtime policy and fails closed on both block and require_approval.
Exposed via a new `mcp-broker` CLI command.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@github-actions

github-actions Bot commented Jun 22, 2026


AgentGuard PR Review

I found one actionable issue in the patch.

  1. severity: high; src/runtime/mcp-broker.ts (runMcpBrokerStdio, child stderr handling)
    • What can go wrong: the broker forwards the downstream server’s stderr directly to the client’s stderr without serialization or framing, while synthesized JSON-RPC veto responses are written to stdout. For clients that merge both streams, a malicious or buggy downstream MCP server can emit JSON-looking content on stderr that is indistinguishable from broker output, or race with broker diagnostics and confuse parsers/logging. More importantly, the broker’s own onBlocked logs in src/cli.ts also write to stderr, so downstream output and broker warnings can interleave unpredictably and corrupt operator-facing audit trails.
    • Concrete fix: route all broker-generated and downstream diagnostic output through a dedicated, framed writer or keep downstream stderr isolated from broker diagnostics. At minimum, prefix and serialize broker logs separately from child stderr, and avoid emitting JSON-RPC-like content on stderr.

- mcp-broker: funnel downstream stdout and synthesized JSON-RPC errors
  through a single serialized, backpressure-aware writer so an injected
  veto can never interleave mid-message with a downstream response.
- mcp-broker: wait for in-flight evaluations and their client writes to
  drain before resolving on child exit, so a block response is never
  dropped when the child exits early. Child exit code still propagates.
- capabilities: distinguish a missing manifest (silent, normal) from a
  present-but-malformed one (loud stderr warning) instead of silently
  dropping all per-skill confinement.
- capabilities: document that the "*" wildcard scope only applies to
  skills without an explicit entry and is an opt-in, never an override.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
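
What the AgentGuard finding and the follow-up commit above ask of the broker (one serialized, backpressure-aware writer shared by downstream responses and synthesized vetoes, child stderr kept apart from broker diagnostics, block and require_approval both failing closed, and no completion on child exit while a veto is still queued), as an added TypeScript model that runs without real processes. This is example code written for this page, not the PR's src/runtime/mcp-broker.ts. The verdict names and the fail-closed rule are the PR's; the newline-delimited framing, the Sink and FrameWriter shapes, the -32000 error code and its message text, and the synchronous policy callback (so in-flight asynchronous evaluations are not modelled) are this example's assumptions.

```typescript
// Added example, not GoPlusSecurity code. Assumed: newline-delimited JSON-RPC 2.0
// frames; a synchronous policy callback returning "allow" | "block" |
// "require_approval"; the -32000 error code and message texts are this example's.

type JsonRpcId = string | number | null;
interface JsonRpcRequest { jsonrpc: "2.0"; id?: JsonRpcId; method: string; params?: unknown; }
interface JsonRpcError {
  jsonrpc: "2.0"; id: JsonRpcId; error: { code: number; message: string; data?: unknown };
}
type Verdict = "allow" | "block" | "require_approval";
type Vetted = { forward: JsonRpcRequest } | { veto: JsonRpcError } | { drop: string };

// Decide what to do with one client frame. Only tools/call is policy-checked.
// block and require_approval both fail closed: the request is answered with a
// JSON-RPC error carrying the original id and is never forwarded to the child.
function vet(raw: string, policy: (tool: string, args: unknown) => Verdict): Vetted {
  let msg: JsonRpcRequest;
  try {
    msg = JSON.parse(raw);
  } catch (err) {
    return { veto: { jsonrpc: "2.0", id: null, error: { code: -32700, message: "Parse error", data: String(err) } } };
  }
  if (msg.method !== "tools/call") return { forward: msg };
  const params = (msg.params ?? {}) as { name?: unknown; arguments?: unknown };
  const tool = typeof params.name === "string" ? params.name : "";
  let verdict: Verdict;
  try {
    verdict = tool === "" ? "block" : policy(tool, params.arguments);
  } catch (err) {
    verdict = "block"; // a throwing policy must never turn into an allow
  }
  if (verdict === "allow") return { forward: msg };
  if (msg.id === undefined) return { drop: `tools/call notification for "${tool}" vetoed (${verdict})` };
  return {
    veto: {
      jsonrpc: "2.0", id: msg.id,
      error: { code: -32000, message: `tools/call denied by runtime policy: ${verdict}`, data: { tool, verdict } },
    },
  };
}

// Minimal sink with Node-style backpressure: write() returns false once the
// consumer is saturated; the owner calls FrameWriter.drained() when it recovers.
interface Sink { write(chunk: string): boolean; }

// Serialized, backpressure-aware writer. Every frame is exactly one write call and
// nothing is written while the sink is saturated, so a synthesized veto can never
// land in the middle of a downstream response.
class FrameWriter {
  private queue: string[] = [];
  private saturated = false;
  constructor(private readonly sink: Sink) {}
  send(frame: object): void { this.queue.push(JSON.stringify(frame) + "\n"); this.flush(); }
  drained(): void { this.saturated = false; this.flush(); }
  pending(): number { return this.queue.length; }
  private flush(): void {
    while (!this.saturated && this.queue.length > 0) {
      if (!this.sink.write(this.queue.shift()!)) this.saturated = true;
    }
  }
}

// Both directions share one client writer; child stderr goes to the diagnostics
// channel with its own prefix so it cannot pass for broker output or a frame.
class Broker {
  constructor(
    private readonly policy: (tool: string, args: unknown) => Verdict,
    readonly toClient: FrameWriter,
    readonly toChild: FrameWriter,
    private readonly diag: (line: string) => void,
  ) {}
  fromClient(raw: string): void {
    const v = vet(raw, this.policy);
    if ("forward" in v) this.toChild.send(v.forward);
    else if ("veto" in v) { this.toClient.send(v.veto); this.diag(`[broker] ${v.veto.error.message}`); }
    else this.diag(`[broker] ${v.drop}`);
  }
  fromChildStdout(line: string): void {
    try { this.toClient.send(JSON.parse(line)); }
    catch (err) { this.diag(`[broker] dropped non-JSON child frame: ${String(err)}`); }
  }
  fromChildStderr(line: string): void { this.diag(`[child stderr] ${line}`); }
  // Never report completion while a frame (possibly a veto) is still queued behind
  // backpressure; the caller re-checks after FrameWriter.drained(). Exit code propagates.
  childExited(code: number): { done: boolean; code: number; queued: number } {
    const queued = this.toClient.pending();
    return { done: queued === 0, code, queued };
  }
}

// Constructed scenario: a client sink that saturates after its first write, a
// policy allowing read_file, requiring approval for write_file and blocking the rest.
class RecordingSink implements Sink {
  chunks: string[] = [];
  constructor(private readonly saturateAfter = 0) {}
  write(chunk: string): boolean { this.chunks.push(chunk); return this.chunks.length !== this.saturateAfter; }
}

function runScenario() {
  const client = new RecordingSink(1);
  const child = new RecordingSink();
  const diag: string[] = [];
  const policy = (tool: string): Verdict =>
    tool === "read_file" ? "allow" : tool === "write_file" ? "require_approval" : "block";
  const broker = new Broker(policy, new FrameWriter(client), new FrameWriter(child), (l) => { diag.push(l); });
  broker.fromClient(JSON.stringify({ jsonrpc: "2.0", id: 1, method: "initialize", params: {} }));
  broker.fromClient(JSON.stringify({ jsonrpc: "2.0", id: 2, method: "tools/call", params: { name: "read_file", arguments: { path: "a.txt" } } }));
  broker.fromChildStdout(JSON.stringify({ jsonrpc: "2.0", id: 1, result: { ok: true } })); // saturates the client sink
  broker.fromClient(JSON.stringify({ jsonrpc: "2.0", id: 3, method: "tools/call", params: { name: "exec_shell", arguments: { cmd: "id" } } }));
  broker.fromClient(JSON.stringify({ jsonrpc: "2.0", id: 4, method: "tools/call", params: { name: "write_file" } }));
  broker.fromChildStderr('{"jsonrpc":"2.0","id":3,"result":"spoof"}'); // must not reach the client
  const early = broker.childExited(0); // two vetoes still queued behind backpressure
  broker.toClient.drained();
  const late = broker.childExited(0);
  return { client, child, diag, early, late };
}
```

In the scenario the child only ever sees the initialize request and the allowed read_file call; the exec_shell and write_file calls are answered with error frames that are held in the writer's queue until the client sink drains, and childExited reports done only once that queue is empty. The JSON-looking line the child wrote to stderr is tagged `[child stderr]` and never enters the client stream. A real stdio broker also has to split the child's stdout on newlines before handing lines to fromChildStdout, since a pipe read can return a partial frame.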