Write a per-task scope_contract.json and a glob-aware checker that compares the agent's diff against the contract and flags any forbidden or off-scope writes.
- A task description with allowed globs, forbidden globs, acceptance commands, rollback paragraph, approvals required
- Two demo runs: one that stays in scope, one that creeps
- `scope_contract.json` schema validator (subset of JSON Schema, glob arrays)
- A diff parser that produces a `RunSummary` from touched files plus commands run
- `scope_check(contract, run) -> (violations, in_scope, off_scope)`
- `scope_report.json` saved next to the script
- `python3 code/main.py` exits zero
- The in-scope run reports zero violations
- The creeping run reports the exact off-scope files and the reason for each
- Time budgets, network egress allowlists. The lesson ships file globs; the exercise prompts extend it.
- Wiring into a runtime interrupt. The lesson exits at the report.
- `docs/en.md` - full lesson
- `code/main.py` - reference implementation
- `outputs/skill-scope-contract.md` - extracted skill
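A sketch of the glob-aware `scope_check` described above, as an added example rather than the lesson's `code/main.py`. The contract field names (`allowed_globs`, `forbidden_globs`), the `touched_files` key and the sample runs are assumptions constructed for illustration. It normalizes each path before matching and gives forbidden globs precedence over allowed ones.

```python
import posixpath
import re

def glob_to_regex(glob):
    """'**' crosses directory separators; '*' and '?' stay inside one path segment."""
    rules = [("**/", "(?:.*/)?"), ("**", ".*"), ("*", "[^/]*"), ("?", "[^/]")]
    out, i = [], 0
    while i < len(glob):
        for token, regex in rules:
            if glob.startswith(token, i):
                out.append(regex)
                i += len(token)
                break
        else:  # no wildcard token at this position: match the character literally
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def first_match(path, globs):
    return next((g for g in globs if glob_to_regex(g).match(path)), None)

def scope_check(contract, run):
    """Return (violations, in_scope, off_scope); forbidden globs win over allowed ones."""
    violations, in_scope, off_scope = [], [], []
    for raw in run["touched_files"]:
        # Normalize first so 'src/auth/../../x' is judged by where the write lands.
        path = posixpath.normpath(raw.replace("\\", "/"))
        forbidden = first_match(path, contract["forbidden_globs"])
        if path.startswith(("/", "../")) or path == "..":
            reason = "path escapes the repository root"
        elif forbidden:
            reason = f"matches forbidden glob {forbidden!r}"
        elif first_match(path, contract["allowed_globs"]):
            in_scope.append(path)
            continue
        else:
            reason = "not covered by any allowed glob"
        off_scope.append(path)
        violations.append({"file": path, "reason": reason})
    return violations, in_scope, off_scope

# Constructed sample data; the field names are assumptions, not the lesson's schema.
CONTRACT = {"allowed_globs": ["src/auth/**", "tests/auth/**/*.py"],
            "forbidden_globs": ["**/*.pem", ".github/**", "src/auth/secrets/**"]}
IN_SCOPE_RUN = {"touched_files": ["src/auth/login.py", "tests/auth/test_login.py"]}
CREEPING_RUN = {"touched_files": ["src/auth/login.py", "src/billing/invoice.py",
                                  ".github/workflows/ci.yml", "src/auth/secrets/token.txt",
                                  "src/auth/../../deploy/key.pem"]}

if __name__ == "__main__":
    for name, run in (("in-scope", IN_SCOPE_RUN), ("creeping", CREEPING_RUN)):
        violations, in_scope, off_scope = scope_check(CONTRACT, run)
        print(name, "violations:", violations)
```

The last creeping path starts with an allowed prefix but resolves to `deploy/key.pem`, which is why matching runs on the normalized path and not on the raw string from the diff.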