e6ed7f8b8e
8 capabilities (output/quality/safety/scope/tools) + 12 manifests + 5 roles. Consistent classification per W9-A rules. Deprecated-alias stubs (tools::cargo-only-bash, tools::read-only) skipped — no [gate]/[verify] sections. facet-query results: kingdom=capability → 11 hits (was 3) kingdom=capability gate → 6 hits (was 2) kingdom=manifest → 12 hits (was 0) Roles tagged but not reachable by current facet_query (walker scans _capabilities + _manifests). Forward-compat for walker extension. cargo test -p kei-atom-discovery: 16/16 preserved. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
34 lines
1 KiB
TOML
34 lines
1 KiB
TOML
[capability]
|
|
name = "tools::deny-tools"
|
|
category = "tools"
|
|
version = "1.0"
|
|
description = "Add a list of tools (Edit, Write, MultiEdit, NotebookEdit) to the PreToolUse deny-list — agent may read but not mutate the filesystem."
|
|
rationale = "Read-only agents (research, critic, explorer) must never alter source. A denial at the tool level is simpler and more robust than per-path scope checks. Renamed from `tools::read-only` (v0.17) — 'deny-tools' explicitly names the mechanism (add tools to deny-list) rather than using the metaphorical 'read-only' label."
|
|
|
|
[restricts]
|
|
tool-patterns = []
|
|
tools-denied = ["Edit", "Write", "MultiEdit", "NotebookEdit"]
|
|
|
|
[parameterized]
|
|
accepts = []
|
|
|
|
[text]
|
|
path = "text.md"
|
|
|
|
[gate]
|
|
rust-module = "gates::tools_deny_tools"
|
|
event = "PreToolUse:Edit|Write"
|
|
severity = "block"
|
|
|
|
[taxonomy]
|
|
kingdom = "capability"
|
|
mechanism = "gate"
|
|
domain = "tools"
|
|
layer = "agent-substrate"
|
|
stage = "runtime"
|
|
stability = "stable"
|
|
language = "rust"
|
|
|
|
[lineage]
|
|
creator = "ag-orchestrator-human"
|
|
created = "2026-04-23"
|