c0c3483f02
22 files per locked §Initial capability atom inventory: policy/no-git-ops/ (gate: PreToolUse:Bash, bypass ORCHESTRATOR_META) scope/files-whitelist/ (gate + verify worktree) scope/files-denylist/ (gate + verify worktree) quality/constructor-pattern/ (verify worktree) quality/cargo-check-green/ (verify both — worktree short-circuit + simulated-merge) quality/tests-green/ (verify both) safety/no-dep-bump/ (gate + verify both) output/report-format/ (verify worktree) output/severity-grade/ (verify worktree) tools/read-only/ (gate: deny Edit/Write) tools/cargo-only-bash/ (gate: Bash allowlist) All capability.toml share [capability]/[restricts]/[parameterized]/[text]/ [gate]/[verify] section layout. rust-module paths pre-wired to match phase-3 file layout. All text.md under 200 words, imperative, self-contained (composer concatenates with --- separator). Cross-refs to rule files preserved: - policy::no-git-ops → RULE 0.13 (orchestrator-branch-first.md) - quality::constructor-pattern → RULE ZERO (code-style.md) - output::severity-grade → debugging.md §Security Review - safety::no-dep-bump → supply-chain rationale Agent attempted wc -w for word counts — sandbox correctly denied Bash per RULE 0.13, observable reinforcement of the very policy this capability encodes. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
21 lines
560 B
TOML
21 lines
560 B
TOML
[capability]
|
|
name = "tools::read-only"
|
|
category = "tools"
|
|
version = "1.0"
|
|
description = "Deny Edit and Write tools entirely — agent may read but not mutate the filesystem."
|
|
rationale = "Read-only agents (research, critic, explorer) must never alter source. A denial at the tool level is simpler and more robust than per-path scope checks."
|
|
|
|
[restricts]
|
|
tool-patterns = []
|
|
tools-denied = ["Edit", "Write"]
|
|
|
|
[parameterized]
|
|
accepts = []
|
|
|
|
[text]
|
|
path = "text.md"
|
|
|
|
[gate]
|
|
rust-module = "gates::tools_read_only"
|
|
event = "PreToolUse:Edit|Write"
|
|
severity = "block"
|