
feat: add nudge field to rule schema + 2 example rules #2

Merged
knhn1004 merged 3 commits into main from feat/rule-nudges on May 3, 2026

Conversation

knhn1004 (Collaborator) commented May 3, 2026

Summary

Adds optional `nudge: string` to `gate.evaluate[]` entries. Lets rule authors provide a short prompt that the OpenAgentLock daemon concatenates onto the deny reason — agents see "use `trash` instead" or "use the secret-fetcher skill" rather than just being blocked.

Companion PR on the main repo: https://github.com/openagentlock/OpenAgentLock/pulls — that's where the daemon-side plumbing + hook output formatting lives.

What's in this PR

  • Schema: optional `nudge` field on `gate.evaluate[]` (`maxLength: 2000`).
  • Two example rules:
    • `safety.rm-suggest-trash` — Bash, denies dangerous `rm -rf` shapes (anchored at start-of-command so `git rm` etc. don't false-positive), nudges toward `trash` / `trash-cli`.
    • `safety.secret-read-suggest-skill` — Read, denies `.env` / `/.ssh` / `/.aws/credentials` paths, nudges toward an `openagentlock/skills` `secret-fetcher` skill.

Backward compat: schema change is purely additive (optional field), and `additionalProperties: true` was already on `evaluate[]`. All 27 pre-existing rules still validate.

Test plan

  • `bun run validate` from `tools/` — all 29 rules pass.
  • `bun run build-index` — both new rules in the rebuilt index.
  • Pages workflow green on merge.

🤖 Generated with Claude Code

knhn1004 and others added 3 commits May 3, 2026 14:43
Adds an optional `nudge: string` property to each entry of
`gate.evaluate[]`. It is purely additive — existing rules without it
remain valid and the daemon-side change is gated separately. The field
is intended to carry a human-readable recovery hint that the daemon
pipes through to the agent harness alongside the verdict (e.g. "use
trash instead of rm -rf"), so a deny can also teach the agent the
correct retry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Adds two community rules that exercise the new gate.evaluate[].nudge
field:

- safety.rm-suggest-trash (medium): denies dangerous rm shapes
  (-r/-R/-f bundles, --recursive, --force) and points the agent at
  `trash` / `trash-cli` for recoverable deletes, with `rm -i` as the
  middle ground and a "ask the operator" escape hatch for permanent
  recursive deletes. Deliberately softer than rogue.destructive-bash;
  this one teaches recovery, the other one hard-blocks the worst case.

- safety.secret-read-suggest-skill (high): denies Reads of canonical
  secret-bearing paths (.env / .env.*, ~/.ssh/*, ~/.aws/credentials,
  kubeconfig, .netrc, etc.) and nudges toward an illustrative
  openagentlock/skills `secret-fetcher` skill, with operator paste as
  the actually-actionable fallback today. Demonstrates the "force use
  of a skill" pattern — a deny that simultaneously teaches the agent
  the correct path forward.

Both rules use only RE2-compatible regex (no negative lookahead,
no backreferences) and follow the existing rule.yaml + README layout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Anchor the rm-suggest-trash regexes to start-of-command (or after a
shell separator/sudo) so `git rm -rf`, `jj rm`, `cargo rm`, `npm rm`
no longer trigger the "use trash" nudge, which is wrong for those
operations. Plain `rm -rf`, `sudo rm -rf`, and inline-separator forms
(`cd / && rm -rf …`, `ls; rm -rf …`) still match.

Also cap `gate.evaluate[].nudge` at 2000 chars in the schema to keep
nudges as short prose rather than smuggled-in skill prompts.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
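The two rule shapes this PR describes, the start-of-command anchoring from the last commit above and the nudge concatenated onto the deny reason from the PR description, as an added example that is not the repository's own `rule.yaml` or the daemon's code: a small Python evaluator with constructed rules modelled on `safety.rm-suggest-trash` and `safety.secret-read-suggest-skill`. The `Rule`/`Verdict` types, the field names `tool`, `pattern` and `reason`, the lookaround/backreference check, and the sample commands and paths are assumptions; the 2000-character cap is the schema's.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Schema cap on gate.evaluate[].nudge (maxLength: 2000 in the PR).
NUDGE_MAX_LENGTH = 2000

# Syntax RE2 rejects and the PR says rules must avoid: lookarounds (?=, (?!,
# (?<=, (?<! and backreferences \1..\9. Python's re would accept them silently.
_NON_RE2 = re.compile(r"\(\?<?[=!]|\\[1-9]")


@dataclass(frozen=True)
class Rule:
    """Stand-in for one gate.evaluate[] entry; field names are assumptions."""
    rule_id: str
    tool: str        # tool the rule gates, e.g. "Bash" or "Read"
    pattern: str     # RE2-compatible regex matched against the tool input
    reason: str      # deny reason shown to the agent
    nudge: str = ""  # optional recovery hint appended to the reason


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    rule_id: Optional[str] = None
    message: Optional[str] = None


def validate_rule(rule: Rule) -> None:
    """Raise ValueError if the entry breaks the constraints the PR describes."""
    if not isinstance(rule.nudge, str):
        raise ValueError(f"{rule.rule_id}: nudge must be a string")
    if len(rule.nudge) > NUDGE_MAX_LENGTH:
        raise ValueError(f"{rule.rule_id}: nudge longer than {NUDGE_MAX_LENGTH} chars")
    if _NON_RE2.search(rule.pattern):
        raise ValueError(f"{rule.rule_id}: pattern uses lookaround or backreference")
    re.compile(rule.pattern)  # plain regex syntax errors surface here


def rule_is_valid(rule: Rule) -> bool:
    try:
        validate_rule(rule)
        return True
    except ValueError:
        return False


# Constructed rules modelled on the two the PR adds (not the repository's rule.yaml).
RULES: List[Rule] = [
    Rule(
        rule_id="safety.rm-suggest-trash",
        tool="Bash",
        # `rm` must sit at start-of-command or right after a shell separator
        # (; & | newline), optionally behind sudo, so `git rm -rf`, `npm rm`
        # and `cargo rm` do not match. Flags: any -x bundle containing r/R/f,
        # --recursive or --force.
        pattern=(r"(?:^|[;&|\n])\s*(?:sudo\s+)?rm\s+"
                 r"(?:-[A-Za-z]*[rRf][A-Za-z]*|--recursive|--force)(?:\s|$)"),
        reason="Recursive or forced rm is not recoverable.",
        nudge=("Use `trash` / `trash-cli` for a recoverable delete, or `rm -i` "
               "to confirm each file; ask the operator before a permanent "
               "recursive delete."),
    ),
    Rule(
        rule_id="safety.secret-read-suggest-skill",
        tool="Read",
        # .env and .env.*, anything under .ssh/, AWS credentials, .netrc and
        # kubeconfig. `.environment` does not match: a suffix must start with a dot.
        pattern=(r"(?:^|/)\.env(?:\.[^/]+)?$|/\.ssh/|/\.aws/credentials$"
                 r"|/\.netrc$|(?:^|/)kubeconfig$|/\.kube/config$"),
        reason="Reading secret-bearing files directly is denied.",
        nudge=("Use the `secret-fetcher` skill, or ask the operator to paste "
               "only the value you need."),
    ),
]

for _rule in RULES:
    validate_rule(_rule)


def evaluate(tool: str, value: str) -> Verdict:
    """First matching rule denies; the nudge is concatenated onto the reason the
    way the PR describes the daemon doing it. No match means allow."""
    for rule in RULES:
        if rule.tool == tool and re.search(rule.pattern, value):
            message = rule.reason + (" " + rule.nudge if rule.nudge else "")
            return Verdict(allowed=False, rule_id=rule.rule_id, message=message)
    return Verdict(allowed=True)


if __name__ == "__main__":
    # Constructed sample inputs: two Bash commands and two Read paths.
    for tool, value in [("Bash", "rm -rf /tmp/build"), ("Bash", "git rm -rf old/"),
                        ("Read", "/home/dev/.ssh/id_ed25519"), ("Read", "/srv/app/README.md")]:
        print(tool, repr(value), "->", evaluate(tool, value))
```

The anchoring keeps the same trade-off the commit message accepts: `git rm -rf` and `npm rm` no longer produce a misleading "use trash" nudge, while forms that hide `rm` behind quoting or a subshell are outside this rule's scope and left to the harder `rogue.destructive-bash` block the PR description mentions. Running the rule set through `validate_rule` at load time is what turns the schema's `maxLength: 2000` and the RE2-only convention into something a CI step can actually fail on.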
knhn1004 merged commit 3c20769 into main on May 3, 2026
1 check passed