Conalh · Conalh · May 22, 2026 · May 22, 2026
diff --git a/dist/detectors/claude-settings.js b/dist/detectors/claude-settings.js
@@ -8,7 +8,7 @@ export async function detectClaudeSettingsDrift(oldRoot, newRoot) {
     for (const [permission, line] of newSettings.allow) {
         if (!oldSettings.allow.has(permission) && isBroadAllow(permission)) {
             findings.push({
-                kind: 'permission_allow_widened',
+                kind: 'scope_trail.permission_allow_widened',
                 severity: severityForAllow(permission),
                 file: CLAUDE_SETTINGS_FILE,
                 line,
@@ -21,7 +21,7 @@ export async function detectClaudeSettingsDrift(oldRoot, newRoot) {
     for (const permission of oldSettings.deny.keys()) {
         if (!newSettings.deny.has(permission)) {
             findings.push({
-                kind: 'permission_deny_removed',
+                kind: 'scope_trail.permission_deny_removed',
                 severity: severityForRemovedDeny(permission),
                 file: CLAUDE_SETTINGS_FILE,
                 subject: permission,
@@ -33,7 +33,7 @@ export async function detectClaudeSettingsDrift(oldRoot, newRoot) {
     for (const [hookName, oldCommands] of oldSettings.hookCommands) {
         if (!newSettings.hookCommands.has(hookName)) {
             findings.push({
-                kind: 'hook_removed',
+                kind: 'scope_trail.hook_removed',
                 severity: isHighImpactHook(hookName) ? 'high' : 'medium',
                 file: CLAUDE_SETTINGS_FILE,
                 subject: hookName,
@@ -48,7 +48,7 @@ export async function detectClaudeSettingsDrift(oldRoot, newRoot) {
         const changed = [...newCommands].filter((command) => !oldCommands.has(command));
         if (changed.length > 0 && newCommands.size === oldCommands.size) {
             findings.push({
-                kind: 'hook_command_changed',
+                kind: 'scope_trail.hook_command_changed',
                 severity: isHighImpactHook(hookName) ? 'high' : 'medium',
                 file: CLAUDE_SETTINGS_FILE,
                 subject: hookName,
@@ -63,7 +63,7 @@ export async function detectClaudeSettingsDrift(oldRoot, newRoot) {
     for (const hookName of newSettings.hookCommands.keys()) {
         if (!oldSettings.hookCommands.has(hookName)) {
             findings.push({
-                kind: 'hook_added',
+                kind: 'scope_trail.hook_added',
                 severity: 'low',
                 file: CLAUDE_SETTINGS_FILE,
                 subject: hookName,

diff --git a/dist/detectors/codex-config.js b/dist/detectors/codex-config.js
@@ -11,7 +11,7 @@ export async function detectCodexConfigDrift(oldRoot, newRoot) {
         const newEntry = newConfig.get(key);
         if (newEntry && sandboxRank(newEntry.value) > sandboxRank(oldEntry?.value)) {
             findings.push({
-                kind: 'codex_sandbox_widened',
+                kind: 'scope_trail.codex_sandbox_widened',
                 severity: sandboxRank(newEntry.value) >= 3 ? 'critical' : 'high',
                 file: CODEX_CONFIG_FILE,
                 line: newEntry.line,
@@ -25,7 +25,7 @@ export async function detectCodexConfigDrift(oldRoot, newRoot) {
     const newApproval = newConfig.get('approval_policy');
     if (newApproval && approvalRank(newApproval.value) > approvalRank(oldApproval?.value)) {
         findings.push({
-            kind: 'codex_approval_weakened',
+            kind: 'scope_trail.codex_approval_weakened',
             severity: newApproval.value === 'never' ? 'high' : 'medium',
             file: CODEX_CONFIG_FILE,
             line: newApproval.line,
@@ -39,7 +39,7 @@ export async function detectCodexConfigDrift(oldRoot, newRoot) {
         const newEntry = newConfig.get(key);
         if (newEntry?.value === 'true' && oldEntry?.value !== 'true') {
             findings.push({
-                kind: 'codex_network_enabled',
+                kind: 'scope_trail.codex_network_enabled',
                 severity: 'medium',
                 file: CODEX_CONFIG_FILE,
                 line: newEntry.line,
@@ -53,7 +53,7 @@ export async function detectCodexConfigDrift(oldRoot, newRoot) {
     const newTrust = newConfig.get('projects.trust_level');
     if (newTrust?.value === 'trusted' && oldTrust?.value !== 'trusted') {
         findings.push({
-            kind: 'codex_project_trusted',
+            kind: 'scope_trail.codex_project_trusted',
             severity: 'high',
             file: CODEX_CONFIG_FILE,
             line: newTrust.line,

diff --git a/dist/detectors/mcp.js b/dist/detectors/mcp.js
@@ -55,7 +55,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             const oldServer = oldServers[name];
             if (!oldServer) {
                 findings.push({
-                    kind: 'mcp_server_added',
+                    kind: 'scope_trail.mcp_server_added',
                     severity: 'high',
                     file: config.path,
                     line: newServer.line,
@@ -66,7 +66,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             }
             else if (serverCommand(newServer) !== serverCommand(oldServer)) {
                 findings.push({
-                    kind: 'mcp_server_command_changed',
+                    kind: 'scope_trail.mcp_server_command_changed',
                     severity: 'medium',
                     file: config.path,
                     line: lineForServerCommand(newServer) ?? newServer.line,
@@ -77,7 +77,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             }
             if ((!oldServer || serverCommand(newServer) !== serverCommand(oldServer)) && isUnpinnedCommand(newServer)) {
                 findings.push({
-                    kind: 'unpinned_mcp_command',
+                    kind: 'scope_trail.unpinned_mcp_command',
                     severity: 'high',
                     file: config.path,
                     line: lineForUnpinnedCommand(newServer) ?? newServer.line,
@@ -97,7 +97,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             const changed = oldServer && serverCommand(newServer) !== serverCommand(oldServer);
             if (!oldServer) {
                 findings.push({
-                    kind: 'mcp_sample_server_added',
+                    kind: 'scope_trail.mcp_sample_server_added',
                     severity: 'low',
                     file: path,
                     line: newServer.line,
@@ -108,7 +108,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             }
             else if (changed) {
                 findings.push({
-                    kind: 'mcp_sample_server_command_changed',
+                    kind: 'scope_trail.mcp_sample_server_command_changed',
                     severity: 'low',
                     file: path,
                     line: lineForServerCommand(newServer) ?? newServer.line,
@@ -119,7 +119,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             }
             if ((!oldServer || changed) && isUnpinnedCommand(newServer)) {
                 findings.push({
-                    kind: 'mcp_sample_unpinned_command',
+                    kind: 'scope_trail.mcp_sample_unpinned_command',
                     severity: severityForSampleCommandRisk(newServer),
                     file: path,
                     line: lineForUnpinnedCommand(newServer) ?? newServer.line,
@@ -131,7 +131,7 @@ export async function detectMcpDrift(oldRoot, newRoot) {
             const endpoint = remoteEndpoint(newServer);
             if ((!oldServer || changed) && endpoint) {
                 findings.push({
-                    kind: 'mcp_sample_remote_endpoint',
+                    kind: 'scope_trail.mcp_sample_remote_endpoint',
                     severity: 'medium',
                     file: path,
                     line: lineForRemoteEndpoint(newServer) ?? newServer.line,

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,3 +1,3 @@
 {
  "name": "scopetrail",
  "version": "0.1.11",
@@ -11,7 +11,7 @@
     "test": "node --test"
   },
   "dependencies": {
-    "agent-gov-core": "github:Conalh/agent-gov-core#v0.1.2"
+    "agent-gov-core": "github:Conalh/agent-gov-core#v0.2.0"
   },
   "devDependencies": {
     "@types/node": "^24.0.0",

diff --git a/src/detectors/claude-settings.ts b/src/detectors/claude-settings.ts
@@ -12,7 +12,7 @@ export async function detectClaudeSettingsDrift(oldRoot: string, newRoot: string
   for (const [permission, line] of newSettings.allow) {
     if (!oldSettings.allow.has(permission) && isBroadAllow(permission)) {
       findings.push({
-        kind: 'permission_allow_widened',
+        kind: 'scope_trail.permission_allow_widened',
         severity: severityForAllow(permission),
         file: CLAUDE_SETTINGS_FILE,
         line,
@@ -26,7 +26,7 @@ export async function detectClaudeSettingsDrift(oldRoot: string, newRoot: string
   for (const permission of oldSettings.deny.keys()) {
     if (!newSettings.deny.has(permission)) {
       findings.push({
-        kind: 'permission_deny_removed',
+        kind: 'scope_trail.permission_deny_removed',
         severity: severityForRemovedDeny(permission),
         file: CLAUDE_SETTINGS_FILE,
         subject: permission,
@@ -39,7 +39,7 @@ export async function detectClaudeSettingsDrift(oldRoot: string, newRoot: string
   for (const [hookName, oldCommands] of oldSettings.hookCommands) {
     if (!newSettings.hookCommands.has(hookName)) {
       findings.push({
-        kind: 'hook_removed',
+        kind: 'scope_trail.hook_removed',
         severity: isHighImpactHook(hookName) ? 'high' : 'medium',
         file: CLAUDE_SETTINGS_FILE,
         subject: hookName,
@@ -55,7 +55,7 @@ export async function detectClaudeSettingsDrift(oldRoot: string, newRoot: string
     const changed = [...newCommands].filter((command) => !oldCommands.has(command));
     if (changed.length > 0 && newCommands.size === oldCommands.size) {
       findings.push({
-        kind: 'hook_command_changed',
+        kind: 'scope_trail.hook_command_changed',
         severity: isHighImpactHook(hookName) ? 'high' : 'medium',
         file: CLAUDE_SETTINGS_FILE,
         subject: hookName,
@@ -71,7 +71,7 @@ export async function detectClaudeSettingsDrift(oldRoot: string, newRoot: string
   for (const hookName of newSettings.hookCommands.keys()) {
     if (!oldSettings.hookCommands.has(hookName)) {
       findings.push({
-        kind: 'hook_added',
+        kind: 'scope_trail.hook_added',
         severity: 'low',
         file: CLAUDE_SETTINGS_FILE,
         subject: hookName,

diff --git a/src/detectors/codex-config.ts b/src/detectors/codex-config.ts
@@ -20,7 +20,7 @@ export async function detectCodexConfigDrift(oldRoot: string, newRoot: string):
     const newEntry = newConfig.get(key);
     if (newEntry && sandboxRank(newEntry.value) > sandboxRank(oldEntry?.value)) {
       findings.push({
-        kind: 'codex_sandbox_widened',
+        kind: 'scope_trail.codex_sandbox_widened',
         severity: sandboxRank(newEntry.value) >= 3 ? 'critical' : 'high',
         file: CODEX_CONFIG_FILE,
         line: newEntry.line,
@@ -35,7 +35,7 @@ export async function detectCodexConfigDrift(oldRoot: string, newRoot: string):
   const newApproval = newConfig.get('approval_policy');
   if (newApproval && approvalRank(newApproval.value) > approvalRank(oldApproval?.value)) {
     findings.push({
-      kind: 'codex_approval_weakened',
+      kind: 'scope_trail.codex_approval_weakened',
       severity: newApproval.value === 'never' ? 'high' : 'medium',
       file: CODEX_CONFIG_FILE,
       line: newApproval.line,
@@ -50,7 +50,7 @@ export async function detectCodexConfigDrift(oldRoot: string, newRoot: string):
     const newEntry = newConfig.get(key);
     if (newEntry?.value === 'true' && oldEntry?.value !== 'true') {
       findings.push({
-        kind: 'codex_network_enabled',
+        kind: 'scope_trail.codex_network_enabled',
         severity: 'medium',
         file: CODEX_CONFIG_FILE,
         line: newEntry.line,
@@ -65,7 +65,7 @@ export async function detectCodexConfigDrift(oldRoot: string, newRoot: string):
   const newTrust = newConfig.get('projects.trust_level');
   if (newTrust?.value === 'trusted' && oldTrust?.value !== 'trusted') {
     findings.push({
-      kind: 'codex_project_trusted',
+      kind: 'scope_trail.codex_project_trusted',
       severity: 'high',
       file: CODEX_CONFIG_FILE,
       line: newTrust.line,

diff --git a/src/detectors/mcp.ts b/src/detectors/mcp.ts
@@ -74,7 +74,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
 
       if (!oldServer) {
         findings.push({
-          kind: 'mcp_server_added',
+          kind: 'scope_trail.mcp_server_added',
           severity: 'high',
           file: config.path,
           line: newServer.line,
@@ -84,7 +84,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
         });
       } else if (serverCommand(newServer) !== serverCommand(oldServer)) {
         findings.push({
-          kind: 'mcp_server_command_changed',
+          kind: 'scope_trail.mcp_server_command_changed',
           severity: 'medium',
           file: config.path,
           line: lineForServerCommand(newServer) ?? newServer.line,
@@ -96,7 +96,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
 
       if ((!oldServer || serverCommand(newServer) !== serverCommand(oldServer)) && isUnpinnedCommand(newServer)) {
         findings.push({
-          kind: 'unpinned_mcp_command',
+          kind: 'scope_trail.unpinned_mcp_command',
           severity: 'high',
           file: config.path,
           line: lineForUnpinnedCommand(newServer) ?? newServer.line,
@@ -119,7 +119,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
 
       if (!oldServer) {
         findings.push({
-          kind: 'mcp_sample_server_added',
+          kind: 'scope_trail.mcp_sample_server_added',
           severity: 'low',
           file: path,
           line: newServer.line,
@@ -129,7 +129,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
         });
       } else if (changed) {
         findings.push({
-          kind: 'mcp_sample_server_command_changed',
+          kind: 'scope_trail.mcp_sample_server_command_changed',
           severity: 'low',
           file: path,
           line: lineForServerCommand(newServer) ?? newServer.line,
@@ -141,7 +141,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
 
       if ((!oldServer || changed) && isUnpinnedCommand(newServer)) {
         findings.push({
-          kind: 'mcp_sample_unpinned_command',
+          kind: 'scope_trail.mcp_sample_unpinned_command',
           severity: severityForSampleCommandRisk(newServer),
           file: path,
           line: lineForUnpinnedCommand(newServer) ?? newServer.line,
@@ -154,7 +154,7 @@ export async function detectMcpDrift(oldRoot: string, newRoot: string): Promise<
       const endpoint = remoteEndpoint(newServer);
       if ((!oldServer || changed) && endpoint) {
         findings.push({
-          kind: 'mcp_sample_remote_endpoint',
+          kind: 'scope_trail.mcp_sample_remote_endpoint',
           severity: 'medium',
           file: path,
           line: lineForRemoteEndpoint(newServer) ?? newServer.line,

diff --git a/test/claude-settings-drift.test.mjs b/test/claude-settings-drift.test.mjs
@@ -15,10 +15,10 @@ test('detects Claude settings permission drift', async () => {
   assert.deepEqual(
     findings.map((finding) => finding.kind),
     [
-      'permission_allow_widened',
-      'permission_allow_widened',
-      'permission_deny_removed',
-      'hook_removed'
+      'scope_trail.permission_allow_widened',
+      'scope_trail.permission_allow_widened',
+      'scope_trail.permission_deny_removed',
+      'scope_trail.hook_removed'
     ]
   );
   assert.equal(findings[0].subject, 'Bash(npm *)');

diff --git a/test/cli-output.test.mjs b/test/cli-output.test.mjs
@@ -25,12 +25,12 @@ test('CLI emits JSON permission drift report', async () => {
   assert.deepEqual(
     report.findings.map((finding) => finding.kind),
     [
-      'mcp_server_added',
-      'unpinned_mcp_command',
-      'permission_allow_widened',
-      'permission_allow_widened',
-      'permission_deny_removed',
-      'hook_removed'
+      'scope_trail.mcp_server_added',
+      'scope_trail.unpinned_mcp_command',
+      'scope_trail.permission_allow_widened',
+      'scope_trail.permission_allow_widened',
+      'scope_trail.permission_deny_removed',
+      'scope_trail.hook_removed'
     ]
   );
 });

diff --git a/test/codex-config-drift.test.mjs b/test/codex-config-drift.test.mjs
@@ -15,10 +15,10 @@ test('detects Codex config permission drift', async () => {
   assert.deepEqual(
     findings.map((finding) => [finding.kind, finding.subject, finding.severity, finding.line]),
     [
-      ['codex_sandbox_widened', 'sandbox_mode', 'critical', 1],
-      ['codex_approval_weakened', 'approval_policy', 'high', 2],
-      ['codex_network_enabled', 'sandbox_workspace_write.network_access', 'medium', 5],
-      ['codex_project_trusted', 'projects.trust_level', 'high', 8]
+      ['scope_trail.codex_sandbox_widened', 'sandbox_mode', 'critical', 1],
+      ['scope_trail.codex_approval_weakened', 'approval_policy', 'high', 2],
+      ['scope_trail.codex_network_enabled', 'sandbox_workspace_write.network_access', 'medium', 5],
+      ['scope_trail.codex_project_trusted', 'projects.trust_level', 'high', 8]
     ]
   );
 });