ASK (Agent Security Framework) architecture designer and configuration generator — ASK 2026.03. Use this skill whenever the user wants to: design ASK-compliant agent architectures; generate configuration files (Mind/mind.yaml, Gateway policy, Egress proxy denylist, Enforcer sidecar, Delegation bus, Audit log format); understand ASK enforcement layers; design multi-agent systems with proper delegation and isolation; plan deployment topology; or evaluate how enforcement components fit together. Trigger on any mention of ASK architecture design, enforcement layer design, mind.yaml generation, gateway policy creation, egress proxy configuration, enforcer sidecar setup, delegation bus design, ASK deployment topology, multi-agent architecture, agent isolation design, or ASK configuration generation.
Install: `npx claudepluginhub geoffbelknap/geoffs-plugins --plugin ask-framework`

Slash command: `/ask-framework:ask-design`
You are an expert in the ASK (Agent Security Framework) — a principal-based governance framework for AI agents. Your job is to design architectures and generate configurations that satisfy ASK requirements.
Agents are principals to be governed, not tools to be configured. The agent is always assumed to be compromisable. All enforcement must exist outside the agent's reach.
For compliance review and tenet audit, use the ask-review skill.
For threat model analysis and XPIA assessment, use the ask-threats skill.
The defense architecture uses independent isolation boundaries. No layer shares a trust boundary with the agent it enforces.
| Layer | Component | Function |
|---|---|---|
| 1 | Network Isolation | Container networking — agent on internal network, no direct internet |
| 2 | Egress Proxy | Domain filtering, rate limiting, DNS control — all outbound HTTP/HTTPS mediated |
| 3 | LLM Proxy | Scoped API keys, model restrictions, spend caps, rate limits, guardrails |
| 4 | Enforcer Sidecar | Per-agent HTTP proxy — credential mediation, routing, per-request audit |
| 5 | Container Hardening | Read-only filesystem, capability dropping, no-new-privileges, non-root |
| 6 | Runtime Gateway | File/command/MCP mediation via FUSE, shell shims, seccomp, Landlock |
| 7 | Continuous Monitoring | Security monitor (function agent) — anomaly detection across all audit logs |
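Layers 1 and 5 of the table are the ones that live in the container runtime rather than in a proxy, and they are the easiest to verify mechanically. The following is an added example, not code from the ASK project: a small checker over a Docker Compose style service definition (the sample services and the findings text are constructed here) that flags an agent service that is writable, runs as root, keeps capabilities, lacks `no-new-privileges`, or sits on a network that is not marked `internal`.

```python
"""Check container definitions against ASK layers 1 (network isolation)
and 5 (container hardening).

Added example, not part of the ASK project. The compose-style dict is
constructed for the demonstration; the findings wording is an assumption
about what a reviewer would report.
"""
from typing import Any

# Constructed sample: one hardened agent service next to one that is not.
COMPOSE = {
    "networks": {
        "agent_internal": {"internal": True},   # no route to the internet
        "public": {},
    },
    "services": {
        "agent": {
            "image": "agent:latest",
            "read_only": True,
            "user": "10001:10001",
            "cap_drop": ["ALL"],
            "security_opt": ["no-new-privileges:true"],
            "networks": ["agent_internal"],
        },
        "agent-loose": {
            "image": "agent:latest",
            "user": "root",
            "cap_add": ["NET_ADMIN"],
            "networks": ["public"],
        },
    },
}


def check_service(svc: dict[str, Any], networks: dict[str, Any]) -> list[str]:
    """Return findings for one service; an empty list means it meets the floor."""
    findings = []
    if not svc.get("read_only", False):
        findings.append("filesystem is writable (layer 5: read_only should be true)")
    user = str(svc.get("user", "root"))
    if user in ("", "root", "0") or user.startswith("0:"):
        findings.append("runs as root (layer 5: non-root user required)")
    if "ALL" not in svc.get("cap_drop", []):
        findings.append("capabilities not dropped (layer 5: cap_drop: [ALL])")
    if svc.get("cap_add"):
        findings.append(f"re-adds capabilities {svc['cap_add']} (layer 5)")
    if "no-new-privileges:true" not in svc.get("security_opt", []):
        findings.append("no-new-privileges missing (layer 5)")
    # Layer 1: every network the agent joins must be internal-only.
    for net in svc.get("networks", []) or ["default"]:
        if not networks.get(net, {}).get("internal", False):
            findings.append(f"network '{net}' is not internal (layer 1)")
    return findings


def check_compose(compose: dict[str, Any]) -> dict[str, list[str]]:
    """Map each service name to its list of findings."""
    networks = compose.get("networks", {})
    return {name: check_service(svc, networks)
            for name, svc in compose["services"].items()}


if __name__ == "__main__":
    for name, findings in check_compose(COMPOSE).items():
        print(("OK   " if not findings else "FAIL ") + name)
        for finding in findings:
            print("  -", finding)
```

The check deliberately treats a missing `user` as root, because that is the container default; an absent setting is a finding, not a pass.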
Key principles:
Non-negotiable implementation rules for every design:
Per-agent HTTP proxy sidecar between agent and shared infrastructure:
Sidecar container sharing only PID namespace with agent:
Three required capabilities:
Function agent with read-only access to all audit logs:
```
┌─────────────────────────────────────────────────────────────────┐
│ Deployment Unit                                                 │
│                                                                 │
│ Agent-Internal Network                                          │
│ ┌──────────────────────────┐                                    │
│ │ Agent Container          │                                    │
│ │                          │                                    │
│ │ constraints/ (:ro)       │  Only endpoint agent can reach:    │
│ │ identity/    (:rw)       │──▶ Enforcer (port 18080)           │
│ │ workspace/               │                                    │
│ │                          │                                    │
│ └──────────────────────────┘                                    │
│                                                                 │
│ ┌──────────────┐  ┌───────────┐  ┌──────────────┐               │
│ │ Enforcer     │  │ Runtime   │  │ Guardrails   │               │
│ │ (sidecar)    │  │ Gateway   │  │ Stack        │               │
│ │              │  │ (sidecar) │  │              │               │
│ │ Routes HTTP  │  │ Shell shim│  │ Pre-call     │               │
│ │ Swaps creds  │  │ FUSE      │  │ Post-call    │               │
│ │ Strips hdrs  │  │ Landlock  │  │ XPIA scan    │               │
│ └──────┬───────┘  └───────────┘  └──────────────┘               │
│        │                                                        │
│ ┌──────┴───────┐  ┌───────────┐                                 │
│ │ LLM Proxy    │  │ Egress    │                                 │
│ │              │  │ Proxy     │                                 │
│ │ Scoped keys  │  │           │                                 │
│ │ Budget caps  │  │ Denylist  │                                 │
│ │ Rate limits  │  │ Rate lim  │                                 │
│ └──────────────┘  └───────────┘                                 │
│                                                                 │
│ ┌──────────────────────────────────────────────────┐            │
│ │ Audit Log                                        │            │
│ │ External sink — agent has no write access        │            │
│ └──────────────────────────────────────────────────┘            │
└─────────────────────────────────────────────────────────────────┘
```

Every action flows: Agent → Enforcer → (Gateway | LLM Proxy | Egress Proxy) → External Resource

Every event flows: (any enforcement component) → Audit Log (external sink)
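To make the "Routes HTTP / Swaps creds / Strips hdrs" box concrete, here is an added example (not the project's enforcer) that walks one request through the action path above: the agent's own `Authorization` header is discarded, the scoped upstream credential is injected from the sidecar's side, the request is routed to the LLM proxy or the egress proxy by host, and every decision is written to an audit list standing in for the external sink. The routing table, the denylist entry, the header names and the credential value are all assumptions constructed for the demonstration.

```python
"""Simulate the ASK action path: Agent -> Enforcer -> (LLM Proxy | Egress Proxy).

Added example, not the ASK enforcer itself. ROUTES, EGRESS_DENYLIST,
UPSTREAM_CREDENTIALS and the audit record shape are constructed here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str
    headers: dict[str, str] = field(default_factory=dict)


# Assumed routing table: hosts served by the LLM proxy (layer 3).
ROUTES = {"api.llm.example": "llm-proxy"}
# Assumed egress proxy denylist entry (layer 2); everything else goes to
# the egress proxy, which applies its own domain policy.
EGRESS_DENYLIST = {"pastebin.example"}
# The real scoped credential lives only in the sidecar; the agent never sees it.
UPSTREAM_CREDENTIALS = {"llm-proxy": "scoped-key-for-agent-a"}  # constructed value
# Headers the agent is not allowed to set; they are stripped before forwarding.
STRIPPED_HEADERS = {"authorization", "x-api-key", "cookie"}

AUDIT_LOG: list[dict] = []  # stands in for the external, agent-unwritable sink


def audit(event: dict) -> None:
    """Append one timestamped event to the audit sink."""
    event["ts"] = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(event)


def enforce(agent_id: str, req: Request) -> dict:
    """Route, strip and re-credential one agent request; every outcome is audited."""
    host = urlsplit(req.url).hostname or ""
    clean = {k: v for k, v in req.headers.items() if k.lower() not in STRIPPED_HEADERS}
    stripped = sorted(set(req.headers) - set(clean))

    if host in ROUTES:
        upstream = ROUTES[host]
        decision = "allow"
        # Credential mediation: the sidecar swaps in its own scoped key.
        clean["Authorization"] = f"Bearer {UPSTREAM_CREDENTIALS[upstream]}"
    elif host in EGRESS_DENYLIST:
        upstream, decision = "egress-proxy", "deny"
    else:
        upstream, decision = "egress-proxy", "allow"

    audit({"agent": agent_id, "method": req.method, "host": host,
           "upstream": upstream, "decision": decision,
           "stripped_headers": stripped})
    return {"upstream": upstream, "decision": decision, "headers": clean}


if __name__ == "__main__":
    req = Request("POST", "https://api.llm.example/v1/chat",
                  {"Authorization": "Bearer agent-guess", "Content-Type": "application/json"})
    print(enforce("agent-a", req))
    print(enforce("agent-a", Request("GET", "https://pastebin.example/raw/abc")))
    for event in AUDIT_LOG:
        print(event)
```

Note that the strip happens before the swap, so the audit record shows what the agent tried to send; a compromised agent that starts supplying its own tokens shows up as a change in `stripped_headers`, which is exactly the signal the layer 7 monitor wants.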
Each agent gets its own container, scoped API key, egress policy, and network segment. Agents cannot reach each other directly. All inter-agent communication through the Delegation Bus.
| Type | Role | Permission Model |
|---|---|---|
| Worker | Does the work | High capability within scope, isolated from other agents |
| Coordinator | Plans, delegates, synthesizes | Cannot act directly in worker workspaces; constrained by Tenets 11–12 |
| Function | Oversight and governance (e.g., security monitor) | Cross-boundary visibility, constrained action capability |
Mediates all inter-agent communication: `permitted_tools`, `permitted_paths`, `budget`.

Read-only register for ambient awareness when multiple agents share environments:

```yaml
active_agents:
  dev-assistant:
    status: autonomous
    working_in: [tests/, src/api/]
  doc-assistant:
    status: autonomous
    working_in: [docs/]
```
Agents observe but cannot write. Register unavailability triggers: yield and flag (Tenet 20).
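The delegation fields and the register are two halves of the same isolation story: the bus bounds what a delegated task may do, and the register tells an agent when someone else already owns the path it is about to touch. The block below is an added example, not the ASK delegation bus: it validates a task against `permitted_tools`, `permitted_paths` and `budget`, and it reads the register with the Tenet 20 behaviour (unavailable register means yield and flag). The task and scope shapes, the cost units, and the `proceed`/`yield` result format are assumptions; the register contents mirror the snippet above.

```python
"""Delegation scope checks and a read-only register lookup.

Added example, not the ASK delegation bus. Task/scope field shapes, the
cost unit and the result dict format are assumptions made here.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional


@dataclass(frozen=True)
class DelegationScope:
    permitted_tools: frozenset
    permitted_paths: tuple        # workspace-relative roots, e.g. ("tests/",)
    budget: int                   # assumed unit (tokens or cost credits)


@dataclass(frozen=True)
class Task:
    tool: str
    path: str
    cost: int


def path_within(path: str, roots: tuple) -> bool:
    """True when path is workspace-relative and under one of the roots."""
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        return False  # scope is relative to the workspace; no escaping it
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


def validate_delegation(scope: DelegationScope, task: Task, spent: int) -> list[str]:
    """Return the reasons a task must be rejected; an empty list means it may proceed."""
    reasons = []
    if task.tool not in scope.permitted_tools:
        reasons.append(f"tool '{task.tool}' not in permitted_tools")
    if not path_within(task.path, scope.permitted_paths):
        reasons.append(f"path '{task.path}' outside permitted_paths")
    if spent + task.cost > scope.budget:
        reasons.append(f"budget exceeded: {spent}+{task.cost} > {scope.budget}")
    return reasons


# Constructed register matching the active_agents snippet on the page.
REGISTER = {
    "active_agents": {
        "dev-assistant": {"status": "autonomous", "working_in": ["tests/", "src/api/"]},
        "doc-assistant": {"status": "autonomous", "working_in": ["docs/"]},
    }
}


def check_register(register: Optional[dict], me: str, path: str) -> dict:
    """Read-only look at the register before acting on a path.

    Returns {"action": "proceed"} or {"action": "yield", "flag": reason}.
    A missing register is Tenet 20 territory: yield and flag, never guess.
    """
    if register is None:
        return {"action": "yield", "flag": "register unavailable"}
    overlaps = [name for name, info in register["active_agents"].items()
                if name != me and path_within(path, tuple(info["working_in"]))]
    if overlaps:
        return {"action": "yield", "flag": f"path claimed by {overlaps}"}
    return {"action": "proceed"}


if __name__ == "__main__":
    scope = DelegationScope(frozenset({"read_file", "run_tests"}), ("tests/",), 100)
    print(validate_delegation(scope, Task("run_tests", "tests/test_api.py", 30), 50))
    print(validate_delegation(scope, Task("shell", "../etc/passwd", 60), 50))
    print(check_register(REGISTER, "doc-assistant", "src/api/handlers.py"))
    print(check_register(None, "doc-assistant", "docs/index.md"))
```

The path check refuses absolute paths and any `..` component outright rather than normalising them, since a delegated worker should never be reasoning about paths outside its workspace in the first place.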
The framework scales from single-endpoint to enterprise via the Mediation Stub — a local proxy that transparently routes requests to either local containers or remote services based on deployment topology.
```
Platform Tenets (immovable)
Compliance Policy (external obligations)
Organizational Policy (internal non-negotiables)
── ── ── HARD FLOOR ── ── ──
Operational Policy (team/department specifics)
Agent Policy (mind.yaml + enforcement configs)
```
Most restrictive combination of all layers determines effective agent permissions.
- Key 1: Higher level explicitly authorizes lower level to approve certain exception types within bounds (advance grant).
- Key 2: Lower level exercises a specific exception within the delegated scope.
Both keys required; grant expiry invalidates all associated exceptions.
Every traditional endpoint security control has an ASK equivalent:
| Enterprise Control | ASK Equivalent |
|---|---|
| MDM / UEM | Workspace provisioning, container hardening |
| Web gateway / proxy | Egress proxy with domain filtering |
| DLP | Egress proxy + guardrails + response scanning |
| EDR | Security monitor + audit log correlation |
| Application allowlisting | Gateway command/tool policy |
| Credential management | Enforcer credential mediation |
For detailed configuration templates and examples, see:
- references/configurations.md — Mind, Gateway, Egress, Enforcer, Delegation, Audit Log configs
- references/multi-agent.md — Multi-agent trust models, delegation patterns, anti-patterns
- references/standards.md — Standards landscape (NIST, OWASP, CoSAI, A2A) and alignment

For compliance review: use the ask-review skill.
For threat analysis: use the ask-threats skill.
Full framework documentation: https://github.com/geoffbelknap/ask