guardrails-ref 1.2.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/examples/README.md +5 -0
- package/examples/artifact-verification/GUARDRAIL.md +35 -0
- package/examples/context-rotation/GUARDRAIL.md +34 -0
- package/examples/no-eval-or-dynamic-code/GUARDRAIL.md +34 -0
- package/examples/no-plaintext-secrets/GUARDRAIL.md +1 -0
- package/examples/privilege-boundaries/GUARDRAIL.md +34 -0
- package/examples/require-commit-approval/GUARDRAIL.md +33 -0
- package/package.json +1 -1
package/examples/README.md
CHANGED
|
@@ -8,9 +8,14 @@ Reference guardrails you can add with `npx guardrails-ref add <name>`. Use `npx
|
|
|
8
8
|
| `no-placeholder-credentials` | Fake or placeholder API keys instead of asking for real values |
|
|
9
9
|
| `no-silent-error-handling` | Catching errors without surfacing them to the user |
|
|
10
10
|
| `require-access-control` | Exposing sensitive data or admin actions without role checks |
|
|
11
|
+
| `artifact-verification` | Destructive ops without plan.md and audit log |
|
|
12
|
+
| `context-rotation` | Continuing in polluted context; reset when 80% full or 10+ errors |
|
|
11
13
|
| `database-migrations` | Direct schema changes instead of migrations |
|
|
12
14
|
| `no-destructive-commands` | `rm -rf`, `DROP TABLE`, `TRUNCATE` without approval |
|
|
15
|
+
| `no-eval-or-dynamic-code` | eval(), new Function(), or dynamic code execution |
|
|
13
16
|
| `no-new-deps-without-approval` | New packages without human confirmation |
|
|
17
|
+
| `privilege-boundaries` | Touching node_modules, .git, lockfiles, .env without approval |
|
|
18
|
+
| `require-commit-approval` | git commit or push without explicit user approval |
|
|
14
19
|
| `no-hardcoded-urls` | Hardcoded API URLs, base URLs, endpoints |
|
|
15
20
|
| `no-sudo-commands` | `sudo`, `su`, or root commands without approval |
|
|
16
21
|
| `rate-limiting` | Runaway tool calls and API loops |
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: artifact-verification
|
|
3
|
+
description: Before destructive operations, generate a plan for human review and log actions to an audit trail. Apply when deleting, dropping, truncating, or modifying production.
|
|
4
|
+
scope: project
|
|
5
|
+
severity: critical
|
|
6
|
+
triggers:
|
|
7
|
+
- "Deleting files or directories"
|
|
8
|
+
- "Dropping tables or databases"
|
|
9
|
+
- "Truncating data"
|
|
10
|
+
- "Production modifications"
|
|
11
|
+
- "Schema changes"
|
|
12
|
+
license: MIT
|
|
13
|
+
metadata:
|
|
14
|
+
author: agent-guardrails
|
|
15
|
+
version: "1.0"
|
|
16
|
+
source: https://guardrails.md/
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
# Artifact Verification
|
|
20
|
+
|
|
21
|
+
## Trigger
|
|
22
|
+
Before any destructive operation: deletes, drops, truncates, or production modifications.
|
|
23
|
+
|
|
24
|
+
## Instruction
|
|
25
|
+
- Generate a `plan.md` (or equivalent) describing all changes, affected paths, and impact
|
|
26
|
+
- Present the plan for human approval before executing
|
|
27
|
+
- Wait for explicit confirmation before proceeding
|
|
28
|
+
- Log all actions to `audit.log` (or project-defined audit trail) with timestamp and scope
|
|
29
|
+
- Never skip the plan step even if the user seems to approve verbally — require written confirmation or explicit approval in the plan
|
|
30
|
+
|
|
31
|
+
## Reason
|
|
32
|
+
Agents have executed destructive operations without a reviewable artifact. A plan provides rollback context and ensures humans can verify scope before irreversible changes. Audit logging enables post-incident analysis.
|
|
33
|
+
|
|
34
|
+
## Provenance
|
|
35
|
+
Based on guardrails.md Pattern 1: Artifact verification.
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: context-rotation
|
|
3
|
+
description: When context exceeds 80% capacity or 10+ consecutive errors, save state, summarize, and reset to prevent "The Gutter" — agents repeating mistakes in polluted context.
|
|
4
|
+
scope: session
|
|
5
|
+
severity: warning
|
|
6
|
+
triggers:
|
|
7
|
+
- "Context window approaching capacity"
|
|
8
|
+
- "Repeated identical errors"
|
|
9
|
+
- "Circular tool call loops"
|
|
10
|
+
- "10+ consecutive failures"
|
|
11
|
+
license: MIT
|
|
12
|
+
metadata:
|
|
13
|
+
author: agent-guardrails
|
|
14
|
+
version: "1.0"
|
|
15
|
+
source: https://guardrails.md/
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
# Context Rotation
|
|
19
|
+
|
|
20
|
+
## Trigger
|
|
21
|
+
Context exceeds 80% capacity, 10+ consecutive errors, repeated identical failures, or circular tool call loops.
|
|
22
|
+
|
|
23
|
+
## Instruction
|
|
24
|
+
- Save current state to `context-snapshot.md` (or equivalent) before resetting
|
|
25
|
+
- Summarize key learnings and what was attempted
|
|
26
|
+
- Reset the context window
|
|
27
|
+
- Re-inject: GUARDRAILS.md + summary + original objective
|
|
28
|
+
- Do not continue in polluted context — rotation prevents recursive failure loops
|
|
29
|
+
|
|
30
|
+
## Reason
|
|
31
|
+
Agents feed outputs back into context. When it fills with error logs and failed attempts, the agent prioritizes recent failures over original instructions and enters "The Gutter" — repeating the same mistakes indefinitely. Rotation breaks the loop.
|
|
32
|
+
|
|
33
|
+
## Provenance
|
|
34
|
+
Based on guardrails.md Pattern 2: Context rotation.
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: no-eval-or-dynamic-code
|
|
3
|
+
description: Never use eval(), new Function(), or similar dynamic code execution. Prevents code injection and security vulnerabilities.
|
|
4
|
+
scope: project
|
|
5
|
+
severity: critical
|
|
6
|
+
triggers:
|
|
7
|
+
- "Executing user input"
|
|
8
|
+
- "Dynamic code execution"
|
|
9
|
+
- "JSON parsing to code"
|
|
10
|
+
- "eval"
|
|
11
|
+
- "Function constructor"
|
|
12
|
+
license: MIT
|
|
13
|
+
metadata:
|
|
14
|
+
author: agent-guardrails
|
|
15
|
+
version: "1.0"
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
# No Eval or Dynamic Code
|
|
19
|
+
|
|
20
|
+
## Trigger
|
|
21
|
+
Considering `eval()`, `new Function()`, `setTimeout(string)`, `setInterval(string)`, or any mechanism that executes a string as code.
|
|
22
|
+
|
|
23
|
+
## Instruction
|
|
24
|
+
- Never use `eval()` — use `JSON.parse()` for JSON, proper parsers for other formats
|
|
25
|
+
- Never use `new Function(body)` or `Function(arg1, arg2, body)` with dynamic body
|
|
26
|
+
- Never pass user input to `setTimeout`, `setInterval`, or `vm.runInContext` as executable code
|
|
27
|
+
- For dynamic behavior: use lookup tables, strategy pattern, or safe configuration — not code-as-string
|
|
28
|
+
- If the user requests "eval" or "dynamic execution": explain the security risk and suggest alternatives
|
|
29
|
+
|
|
30
|
+
## Reason
|
|
31
|
+
Dynamic code execution with user or external input enables code injection. Attackers can escape strings and execute arbitrary code. Use structured data and safe parsing instead.
|
|
32
|
+
|
|
33
|
+
## Provenance
|
|
34
|
+
OWASP, common security guidance for handling untrusted input.
|
|
@@ -25,6 +25,7 @@ Implementing authentication endpoints, adding logging, integrating third-party A
|
|
|
25
25
|
- Use bcrypt with 12 salt rounds for password hashing
|
|
26
26
|
- Always require HTTPS for authentication endpoints
|
|
27
27
|
- Use a `redactSensitive()` helper when logging objects that may contain secrets
|
|
28
|
+
- Audit all logs before committing to ensure no credentials are included
|
|
28
29
|
|
|
29
30
|
## Reason
|
|
30
31
|
API keys were exposed in git during a 2025 security audit. Plaintext credentials in logs led to emergency key rotation.
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: privilege-boundaries
|
|
3
|
+
description: Define what paths and resources the agent can read or write. Never touch node_modules, .git, or production config without explicit approval.
|
|
4
|
+
scope: project
|
|
5
|
+
severity: critical
|
|
6
|
+
triggers:
|
|
7
|
+
- "File system operations"
|
|
8
|
+
- "Reading or writing files"
|
|
9
|
+
- "Modifying config"
|
|
10
|
+
- "Accessing dependencies"
|
|
11
|
+
license: MIT
|
|
12
|
+
metadata:
|
|
13
|
+
author: agent-guardrails
|
|
14
|
+
version: "1.0"
|
|
15
|
+
source: https://guardrails.md/
|
|
16
|
+
---
|
|
17
|
+
|
|
18
|
+
# Privilege Boundaries
|
|
19
|
+
|
|
20
|
+
## Trigger
|
|
21
|
+
Any file system read/write, config modification, or access to project directories.
|
|
22
|
+
|
|
23
|
+
## Instruction
|
|
24
|
+
- **Forbidden (never touch without explicit approval):** `node_modules/`, `.git/`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml`, `.env`, `.env.*`, production config files
|
|
25
|
+
- **Read-only unless instructed:** Database migrations, CI config (`.github/`, `.gitlab-ci.yml`), deployment config
|
|
26
|
+
- **Allowed for normal edits:** Source code (`src/`, `lib/`), tests (`test/`, `__tests__/`), docs, project config files
|
|
27
|
+
- When in doubt, ask before modifying files outside the current task scope
|
|
28
|
+
- If the user requests changes to forbidden paths, stop and confirm scope before proceeding
|
|
29
|
+
|
|
30
|
+
## Reason
|
|
31
|
+
Agents have corrupted `node_modules`, overwritten lockfiles, and exposed secrets by modifying `.env`. Explicit boundaries prevent accidental damage to dependency state and version control.
|
|
32
|
+
|
|
33
|
+
## Provenance
|
|
34
|
+
Based on guardrails.md Pattern 3: Privilege boundaries.
|
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: require-commit-approval
|
|
3
|
+
description: Never run git commit or git push without explicit user approval. Show diff, wait for confirmation before committing.
|
|
4
|
+
scope: project
|
|
5
|
+
severity: critical
|
|
6
|
+
triggers:
|
|
7
|
+
- "Committing changes"
|
|
8
|
+
- "git commit"
|
|
9
|
+
- "git push"
|
|
10
|
+
- "Pushing to remote"
|
|
11
|
+
license: MIT
|
|
12
|
+
metadata:
|
|
13
|
+
author: agent-guardrails
|
|
14
|
+
version: "1.0"
|
|
15
|
+
---
|
|
16
|
+
|
|
17
|
+
# Require Commit Approval
|
|
18
|
+
|
|
19
|
+
## Trigger
|
|
20
|
+
About to run `git commit`, `git push`, or any operation that persists changes to version control.
|
|
21
|
+
|
|
22
|
+
## Instruction
|
|
23
|
+
- Never run `git commit` or `git push` without explicit user approval
|
|
24
|
+
- Show the diff (or summary of changes) and ask for confirmation before committing
|
|
25
|
+
- Wait for the user to confirm (e.g. "yes", "commit", "push") before executing
|
|
26
|
+
- If the user says "commit my changes" or similar, still show what will be committed and get explicit approval
|
|
27
|
+
- Prefer `git add` + show status, then wait — do not auto-commit
|
|
28
|
+
|
|
29
|
+
## Reason
|
|
30
|
+
Agents have committed incomplete work, wrong files, or broken code without the user reviewing. Unapproved commits pollute history and can push secrets or bugs to remotes.
|
|
31
|
+
|
|
32
|
+
## Provenance
|
|
33
|
+
Common failure mode in autonomous coding agents.
|
package/package.json
CHANGED