{
  "version": 1,
  "templates": [
    {
      "id": "never-force-push-main",
      "name": "Never force-push to main",
      "category": "Git Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "git\\s+push\\s+(--force|-f)",
      "problem": "Stops destructive history rewrites on protected branches before they land.",
      "roi": "Protects every shared repo from the fastest irreversible mistake.",
      "rollout": "Enable on every team repo on day one."
    },
    {
      "id": "never-skip-tests-before-commit",
      "name": "Never skip tests before commit",
      "category": "Verification",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "git\\s+commit",
      "problem": "Requires proof before code leaves the laptop, reducing broken commits and noisy CI.",
      "roi": "Cuts review churn and CI rollback time across the team.",
      "rollout": "Pair with repository-specific test commands."
    },
    {
      "id": "evidence-before-done",
      "name": "Require evidence before saying done",
      "category": "Agent Honesty",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "completion_claim_without_verification",
      "problem": "Prevents agents from claiming success without test, deploy, or runtime evidence.",
      "roi": "Raises trust in autonomous runs and reduces manual re-checking.",
      "rollout": "Use for every workflow where proof matters more than speed."
    },
    {
      "id": "protect-production-sql",
      "name": "Protect production SQL",
      "category": "Database Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(drop|truncate|delete)\\s+.*production",
      "problem": "Blocks destructive SQL operations against production-like targets.",
      "roi": "One saved incident pays for the whole rollout.",
      "rollout": "Turn on for any team touching live data."
    },
    {
      "id": "back-up-env-before-edit",
      "name": "Back up .env before editing",
      "category": "Secrets Hygiene",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "\\.env",
      "problem": "Flags risky config edits before tokens or local credentials are lost.",
      "roi": "Reduces secret churn and local breakage during setup work.",
      "rollout": "Good default for every machine and shared repo."
    },
    {
      "id": "promote-known-good-workflows",
      "name": "Promote known-good workflows",
      "category": "Positive Reinforcement",
      "signal": "👍",
      "defaultAction": "allow",
      "severity": "medium",
      "pattern": "verified_workflow_pattern",
      "problem": "Turns repeated thumbs-up patterns into recommended workflow defaults and starter rules.",
      "roi": "Helps new agents and new teammates start from what already works.",
      "rollout": "Use with shared lessons to accelerate onboarding."
    },
    {
      "id": "require-diff-impact-before-central-edit",
      "name": "Require diff impact before central edits",
      "category": "Knowledge Graph Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "centrality:(high|critical).*tool:(edit|write|patch)",
      "problem": "Blocks edits to high-centrality files unless the agent has inspected the dependency impact first.",
      "roi": "Turns code-graph context into a concrete guardrail for the changes most likely to break many downstream paths.",
      "rollout": "Enable after generating a code knowledge graph and tagging critical files or modules."
    },
    {
      "id": "checkpoint-cross-layer-refactor",
      "name": "Checkpoint cross-layer refactors",
      "category": "Knowledge Graph Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "high",
      "pattern": "layers_touched:(api|service|data|ui).*(api|service|data|ui)",
      "problem": "Requires an explicit checkpoint before an agent changes multiple architectural layers in one run.",
      "roi": "Prevents broad refactors from becoming invisible blast-radius expansion.",
      "rollout": "Use with graph layer labels from tools such as Understand Anything, code-graph MCPs, or internal architecture maps."
    },
    {
      "id": "protect-graph-generated-artifacts",
      "name": "Protect generated graph artifacts",
      "category": "Knowledge Graph Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "medium",
      "pattern": "\\.(understand-anything|codegraph|knowledge-graph)\\/.*",
      "problem": "Stops agents from editing generated knowledge-graph artifacts as if they were source of truth.",
      "roi": "Keeps graph context reproducible and avoids corrupting the evidence layer agents rely on for impact analysis.",
      "rollout": "Enable for repos that commit or cache graph outputs locally."
    },
    {
      "id": "block-package-lifecycle-secret-harvest",
      "name": "Block package lifecycle secret harvest",
      "category": "Supply Chain Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(preinstall|install|postinstall|prepare).*(env|token|secret|credential|npmrc|pypirc|docker\\/config|ssh)",
      "problem": "Stops package lifecycle scripts from reading local credentials during npm, PyPI, Docker, or CLI compromise scenarios.",
      "roi": "Turns developer-machine supply-chain awareness into a runtime stop before secrets are harvested at scale.",
      "rollout": "Enable on every repo where agents can install packages, run package scripts, or edit dependency automation."
    },
    {
      "id": "review-untrusted-cli-before-execution",
      "name": "Review untrusted CLI before execution",
      "category": "Supply Chain Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(curl|wget).*(bash|sh)|npx\\s+[^@\\s]+|uvx\\s+|pipx\\s+run",
      "problem": "Blocks one-shot CLI execution paths that can turn a copied command into developer-machine compromise.",
      "roi": "Prevents AI assistants from amplifying malicious copy-paste install flows across repos and machines.",
      "rollout": "Allowlist trusted internal CLIs and require source review for every new external executable."
    },
    {
      "id": "checkpoint-dependency-bot-autofix",
      "name": "Checkpoint dependency bot autofix",
      "category": "Supply Chain Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "high",
      "pattern": "(dependabot|renovate|npm audit fix|pnpm audit|pip install -U|docker pull|cargo update)",
      "problem": "Requires a human-readable checkpoint before automated dependency updates expand the trusted code surface.",
      "roi": "Keeps dependency bots and package managers from silently widening blast radius during a supply-chain incident.",
      "rollout": "Start as warn mode for dependency PRs; promote to block for production services or privileged developer machines."
    },
    {
      "id": "require-credential-exposure-assessment",
      "name": "Require credential exposure assessment",
      "category": "Supply Chain Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(secret|token|credential|api[_-]?key|ssh|npmrc|pypirc|docker\\/config).*(rotate|exposed|leak|incident|compromise)",
      "problem": "Forces an exposure assessment before an agent claims a supply-chain incident is resolved.",
      "roi": "Connects prevention with remediation: what credential lived where, who touched it, and whether rotation is required.",
      "rollout": "Use with incident-response runbooks and secrets scanner output from GitGuardian or internal tooling."
    },
    {
      "id": "require-local-dependency-vulnerability-scan",
      "name": "Require local dependency vulnerability scan before installation",
      "category": "Supply Chain Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(npm install|pnpm add|yarn add|bun add|npm i|pnpm i|yarn i).*(vulnerable|cve|high|critical|osv|cve-lite)",
      "problem": "Blocks package installations that introduce dependencies containing known high-severity or critical vulnerabilities (CVEs) before they are written to the lockfile.",
      "roi": "Prevents AI agents from introducing vulnerable packages into the workspace. Complements zero-egress local-first scanning toolings (like OWASP CVE Lite CLI) directly at the terminal level.",
      "rollout": "Enable on every repo where agents can install dependencies or modify lockfiles."
    },
    {
      "id": "require-section-tree-before-multimodal-answer",
      "name": "Require section tree before multimodal answers",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(multimodal|image|chart|figure|table).*answer.*(missing|no).*section[_ -]?tree",
      "problem": "Blocks visual document answers when the agent has not preserved document hierarchy, section IDs, and source paths.",
      "roi": "Prevents multimodal RAG demos from becoming ungrounded image guessing while keeping costs lower than full multimodal embeddings.",
      "rollout": "Enable for PDF, report, support-doc, research-paper, and compliance workflows before agents answer with images."
    },
    {
      "id": "require-image-pointer-grounding",
      "name": "Require image pointer grounding",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(image|figure|chart|diagram).*answer.*(missing|no).*pointer",
      "problem": "Requires every cited visual to carry a source document, parent section, and file path pointer.",
      "roi": "Turns proxy-pointer RAG structure into an auditable answer boundary instead of trusting visual similarity.",
      "rollout": "Start on any workflow that returns charts, figures, screenshots, or PDF images to users."
    },
    {
      "id": "block-cross-document-image-leakage",
      "name": "Block cross-document image leakage",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "image_doc_id\\s*!=\\s*answer_doc_id|cross[_ -]?document.*image",
      "problem": "Stops agents from attaching a plausible visual from the wrong source document.",
      "roi": "Protects trust in buyer-facing document answers where one wrong chart or figure can invalidate the whole system.",
      "rollout": "Promote to block as soon as the ingestion pipeline records document IDs for image pointers."
    },
    {
      "id": "checkpoint-vision-filter-for-visual-claims",
      "name": "Checkpoint vision filter for visual claims",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "(visual|image|chart|figure).*claim.*(without|no).*vision[_ -]?filter",
      "problem": "Requires an optional vision-model sanity check before high-impact answers rely on visual content.",
      "roi": "Keeps the cheap text-pointer path fast while adding review only when the answer makes visual claims.",
      "rollout": "Use warn mode for low-risk docs and block mode for legal, financial, medical, or customer-facing visual answers."
    },
    {
      "id": "require-rag-baseline-before-precision-tuning",
      "name": "Require RAG baseline before precision tuning",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(rag|retrieval|embedding).*(fine[- ]?tune|threshold|precision).*(missing|no).*(baseline|recall)",
      "problem": "Blocks embedding, threshold, or precision tuning when the agent has not preserved a retrieval baseline and recall check.",
      "roi": "Prevents a local precision improvement from silently degrading general retrieval quality across the agentic pipeline.",
      "rollout": "Require baseline recall@k, precision@k, and answer-with-evidence metrics before changing retrieval thresholds or embedding models."
    },
    {
      "id": "require-two-stage-rag-verifier-for-structural-near-misses",
      "name": "Require two-stage RAG verifier for structural near misses",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(negation|role reversal|structural near[- ]?miss|compositional).*(without|no).*(verifier|rerank|second stage)",
      "problem": "Requires a token-level verifier, reranker, or second-stage check when retrieval must distinguish structurally similar but meaningfully different evidence.",
      "roi": "Catches the role-reversal and negation failures that vector similarity and keyword search can miss before downstream agents act.",
      "rollout": "Enable for legal, finance, compliance, support, and autonomous-agent workflows where wrong retrieval can trigger real actions."
    },
    {
      "id": "checkpoint-rag-latency-precision-tradeoff",
      "name": "Checkpoint RAG latency and precision tradeoff",
      "category": "Document RAG Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "(rerank|verifier|cross[- ]?encoder|two[- ]?stage).*(latency|sla|budget)",
      "problem": "Requires an explicit latency budget before adding verifier or reranker stages to precision-sensitive retrieval.",
      "roi": "Keeps high-risk RAG workflows accurate without accidentally making production agents too slow or expensive to run.",
      "rollout": "Start in warn mode; promote to block when latency regressions exceed the workflow SLA."
    },
    {
      "id": "require-director-journal-for-long-running-agent",
      "name": "Require director journal for long-running agent",
      "category": "Long-Running Agent Context",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(long[- ]?running|multi[- ]?agent|background agent).*(missing|no).*(director journal|working memory|structured memory)",
      "problem": "Blocks long-running agent work when the system relies on raw chat history instead of a structured working-memory journal.",
      "roi": "Prevents context-window bloat, compaction drift, and incoherent handoffs across hundreds of agent requests.",
      "rollout": "Enable for background agents, multi-agent investigations, revenue loops, and any workflow expected to span more than one session."
    },
    {
      "id": "require-critic-review-for-agent-findings",
      "name": "Require critic review for agent findings",
      "category": "Long-Running Agent Context",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(finding|claim|expert report|agent summary).*(missing|no).*(critic|review|credibility|evidence score)",
      "problem": "Requires a critic pass with evidence inspection and credibility scoring before agent findings become shared truth.",
      "roi": "Stops invented or misinterpreted findings from becoming the memory that future agents build on.",
      "rollout": "Start with warn mode for summaries; promote to block for security, revenue, incident, and customer-facing findings."
    },
    {
      "id": "checkpoint-critic-timeline-conflict-resolution",
      "name": "Checkpoint critic timeline conflict resolution",
      "category": "Long-Running Agent Context",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "(timeline|memory|journal).*(conflict|duplicate|contradict|stale).*(without|no).*(resolution|credibility)",
      "problem": "Requires duplicate removal and source-strength conflict resolution before a long-running agent updates its timeline.",
      "roi": "Keeps long-lived agent memory coherent while preserving only the strongest evidence across rounds.",
      "rollout": "Use in warn mode for internal loops and block mode when the timeline feeds irreversible actions or external replies."
    },
    {
      "id": "require-verifier-before-reasoning-compression",
      "name": "Require verifier before reasoning compression",
      "category": "Reasoning Efficiency Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(reasoning|chain|trace).*(compress|shorten|prune).*(without|no).*(verifier|accuracy|pass@1)",
      "problem": "Blocks reasoning-length compression when the workflow has not preserved verifier, accuracy, and rollback evidence.",
      "roi": "Saves tokens only when compressed reasoning still passes quality checks instead of trading correctness for shorter traces.",
      "rollout": "Enable for model-routing, benchmark, prompt-eval, and expensive agent workflows before shortening reasoning traces."
    },
    {
      "id": "checkpoint-low-confidence-reasoning-steps",
      "name": "Checkpoint low-confidence reasoning steps",
      "category": "Reasoning Efficiency Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "(low[- ]?confidence|uncertain).*(step|reasoning).*(correct rollout|accepted answer)",
      "problem": "Requires inspection before low-confidence steps in otherwise successful reasoning become reinforced training or routing signal.",
      "roi": "Reduces brittle step-level learning where a correct final answer hides unstable intermediate reasoning.",
      "rollout": "Start as warn mode for prompt and model evals; promote to block when those traces update routing or fine-tuning data."
    },
    {
      "id": "checkpoint-high-confidence-failed-rollout",
      "name": "Checkpoint high-confidence failed rollout",
      "category": "Reasoning Efficiency Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "(high[- ]?confidence|confident).*(failed|verifier failed|truncated).*(rollout|trace)",
      "problem": "Requires a verifier-error or truncation check before penalizing confident reasoning from failed rollouts.",
      "roi": "Prevents training or routing updates from punishing correct reasoning when the failure came from truncation or verifier noise.",
      "rollout": "Use for reasoning-compression experiments, evaluation harnesses, and DPO/RLHF export review."
    },
    {
      "id": "require-hybrid-prefix-cache-coherence-eval",
      "name": "Require hybrid prefix cache coherence eval",
      "category": "Sparse Attention Runtime Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(deepseek|sparse attention|hybrid attention|prefix cache).*(missing|no).*(coherence|rollback|cache eval)",
      "problem": "Blocks hybrid sparse-attention serving changes when prefix cache lifetime, compressed KV reuse, and rollback behavior have not been verified.",
      "roi": "Prevents expensive long-context inference rollouts from reusing stale cache state or corrupting speculative decode paths.",
      "rollout": "Enable before raising context windows, switching cache implementations, or deploying ShadowRadix-style prefix caching."
    },
    {
      "id": "require-hybrid-inference-routing-approval",
      "name": "Require approval for hybrid cloud escalation on sensitive data",
      "category": "Hybrid Inference Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(hybrid|local-cloud|perplexity.*hybrid|personal computer).*(escalat|cloud|send to cloud|route to server).*(sensitive|secret|pii|customer|confidential|codebase)",
      "problem": "Hybrid local-cloud orchestrators (e.g. Perplexity Computex 2026) must not silently escalate sensitive context (code, feedback, lessons, PII) to cloud models without explicit approval or local-only enforcement.",
      "roi": "High: Prevents data exfil in agentic workflows while still allowing hybrid cost/privacy wins. Critical as more agents adopt local-cloud routing (Personal Computer, AI PCs). Captures high-value feedback for custom hybrid rules.",
      "rollout": "Start as block for paths matching secrets/env/customer data; promote to warn after baseline hybrid agent sessions. Pair with perplexity/hybrid-* model candidates and adapters/perplexity/HYBRID.md."
    },
    {
      "id": "checkpoint-speculative-decoding-acceptance",
      "name": "Checkpoint speculative decoding acceptance",
      "category": "Sparse Attention Runtime Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "high",
      "pattern": "(speculative|mtp|eagle).*(accept|rollback|draft).*(low|missing|unstable)",
      "problem": "Requires acceptance-rate, rollback, and correctness evidence before speculative decoding is treated as a production speedup.",
      "roi": "Avoids routing traffic to a faster-looking path that collapses acceptance length or hides draft-token correctness failures.",
      "rollout": "Start in warn mode for lab benchmarks; promote to block when speculation is enabled for customer traffic."
    },
    {
      "id": "require-long-context-kv-offload-capacity-plan",
      "name": "Require long-context KV offload capacity plan",
      "category": "Sparse Attention Runtime Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(long context|1m token|kv cache|hisparse|cpu offload).*(missing|no).*(capacity|offload|memory budget)",
      "problem": "Blocks long-context serving rollouts when KV cache capacity, CPU offload, or memory budgets are not documented and benchmarked.",
      "roi": "Prevents GPU memory cliffs and surprise throughput regressions when agents send very large traces or document contexts.",
      "rollout": "Require for 128k+ context targets and any hosted inference path where batch size or context length can grow automatically."
    },
    {
      "id": "require-rollout-routing-and-indexer-replay",
      "name": "Require rollout routing and indexer replay",
      "category": "Sparse Attention Runtime Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(rl|training|fine[- ]?tune|reward).*(missing|no).*(routing replay|indexer replay|train[- ]?inference drift)",
      "problem": "Blocks RL or fine-tuning updates when rollout routing, sparse indexer choices, and train-inference drift are not captured and replayed.",
      "roi": "Stops verified-RL experiments from optimizing against a different execution path than the one served during rollout.",
      "rollout": "Enable for any self-hosted model training, reward optimization, DPO export review, or policy update based on sparse-attention rollouts."
    },
    {
      "id": "checkpoint-mixed-precision-determinism",
      "name": "Checkpoint mixed-precision determinism",
      "category": "Sparse Attention Runtime Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "high",
      "pattern": "(fp4|fp8|mixed precision|quant).*(nondeterministic|spike|drift|missing deterministic)",
      "problem": "Requires deterministic settings and sensitive FP32 path checks before mixed-precision inference or training results become routing evidence.",
      "roi": "Keeps FP4/FP8 savings from producing silent numerical drift, noisy KL spikes, or false benchmark confidence.",
      "rollout": "Start in warn mode for benchmarking and promote to block when mixed-precision results update routing, training, or customer-facing model choices."
    },
    {
      "id": "checkpoint-long-context-throughput-regression",
      "name": "Checkpoint long-context throughput regression",
      "category": "Sparse Attention Runtime Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "medium",
      "pattern": "(long context|decode throughput|tpot|latency).*(regression|drop|slowdown)",
      "problem": "Requires a measured throughput comparison before long-context runtime changes are treated as performance improvements.",
      "roi": "Prevents teams from adopting impressive-looking runtime changes that only work on narrow prompts or short contexts.",
      "rollout": "Use in CI benchmark jobs and model-routing reviews whenever context length, cache policy, or speculation settings change."
    },
    {
      "id": "require-ai-gateway-control-plane",
      "name": "Require AI gateway control plane",
      "category": "AI Engineering Stack Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(model|llm|provider).*(direct key|api key|no gateway|bypass gateway)",
      "problem": "Blocks model-provider rollout when requests bypass a central gateway or proxy with cost, identity, provider, and retention controls.",
      "roi": "Prevents leaked keys, fragmented spend, and invisible model usage before agent adoption scales across the company.",
      "rollout": "Enable before adding new AI coding clients, model providers, or bring-your-own-key routes."
    },
    {
      "id": "require-progressive-mcp-tool-discovery",
      "name": "Require progressive MCP tool discovery",
      "category": "AI Engineering Stack Safety",
      "signal": "👎",
      "defaultAction": "warn",
      "severity": "high",
      "pattern": "(mcp|tool schema|tool count).*(too many|context bloat|no code mode|no progressive discovery)",
      "problem": "Requires large MCP surfaces to expose a small search/execute or progressive-discovery interface instead of loading every tool schema into every prompt.",
      "roi": "Cuts token burn and context-window clutter while letting teams keep adding useful tools behind the portal.",
      "rollout": "Start warning above 20 tools; promote to block for high-volume clients or expensive frontier-model workflows."
    },
    {
      "id": "require-agent-context-freshness",
      "name": "Require AGENTS.md and LLM wiki freshness",
      "category": "AI Engineering Stack Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(AGENTS\\.md|llm wiki|agent context).*(stale|missing|outdated|no owner|no test command)",
      "problem": "Blocks agent work when repository instructions, ownership, dependencies, test commands, or LLM wiki pages are missing or stale.",
      "roi": "Turns knowledge-base enthusiasm into reliable agent context instead of letting stale docs make plausible wrong changes.",
      "rollout": "Regenerate on repo topology changes and require review from the owning team before the context becomes canonical."
    },
    {
      "id": "require-risk-tiered-ai-review",
      "name": "Require risk-tiered AI review",
      "category": "AI Engineering Stack Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(merge|pull request|review).*(no ai reviewer|no severity|no rule id|no standards)",
      "problem": "Requires automated review to classify risk, cite standards-as-skills, and separate security, code quality, performance, docs, and release-impact findings.",
      "roi": "Makes AI review actionable and auditable, reducing merge churn while converting standards into reusable agent feedback.",
      "rollout": "Use lite review for trivial changes and full review for money, production, security, data, or customer-facing work."
    },
    {
      "id": "require-sandboxed-background-agent-runtime",
      "name": "Require sandboxed background agent runtime",
      "category": "AI Engineering Stack Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(background agent|long running agent|autonomous agent).*(no sandbox|host machine|no durable session|no build log)",
      "problem": "Blocks background agents from cloning, building, testing, or publishing unless they run in an isolated durable environment with logs.",
      "roi": "Lets the team pursue unattended revenue and engineering workflows without turning local developer machines into the execution boundary.",
      "rollout": "Enable for every agent that can run tests, push branches, deploy, publish content, change billing, or touch customer data."
    },
    {
      "id": "block-unauthorized-practice-of-law",
      "name": "Block unauthorized practice of law",
      "category": "Legal Intake Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(outcome prediction|jurisdictional recommendation|[Yy]ou\\s+(should|could|might)\\s+(file|sue|claim)|strong case|likely\\s+(prevail|win|succeed))",
      "problem": "Stops advice-shaped intake replies under ABA Rule 5.5.",
      "roi": "Prevents malpractice exposure before delivery.",
      "rollout": "Enable on every AI intake channel."
    },
    {
      "id": "require-conflict-check-before-intake",
      "name": "Require conflict check before intake continues",
      "category": "Legal Intake Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(collect_case_facts|schedule_consultation|intake_continue).*(missing|no|unchecked).*(conflict|adverse[_-]party|clearance)",
      "problem": "Requires adverse-party clearance before sensitive facts.",
      "roi": "Catches conflicts before privileged facts cross ethical walls.",
      "rollout": "Use the firm's conflicts API or a synthetic pilot fixture."
    },
    {
      "id": "block-privileged-content-egress",
      "name": "Block privileged content egress",
      "category": "Legal Intake Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(send_email|api_call|external_request|schedule|crm_update).*(privileged|attorney[_-]client|work[_-]product|matter[_-]id|confidential)",
      "problem": "Blocks outbound actions with privilege markers.",
      "roi": "Prevents single-action privilege waiver.",
      "rollout": "Define markers, start with hard block, then add in-tenant reroute."
    },
    {
      "id": "require-approved-disclaimer-before-response",
      "name": "Require approved disclaimer before response",
      "category": "Legal Intake Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(intake_response|client_reply).*((missing|no)\\s*(disclaimer|disclosure|non[_-]engagement)|(disclaimer|disclosure|non[_-]engagement)\\s*[:=]?\\s*(missing|none|no))",
      "problem": "Requires firm-approved non-engagement language.",
      "roi": "Reduces inadvertent client-relationship risk.",
      "rollout": "Load approved disclaimer during pilot."
    },
    {
      "id": "restrict-model-endpoint-to-approved-list",
      "name": "Restrict model endpoint to approved list",
      "category": "Legal Intake Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(model_call|llm_request|api_endpoint).*(unapproved|unknown|public|consumer)",
      "problem": "Blocks unapproved model endpoints.",
      "roi": "Keeps data inside approved vendor boundaries.",
      "rollout": "Allowlist endpoints during pilot."
    },
    {
      "id": "require-attorney-review-before-routing",
      "name": "Require attorney review before case routing",
      "category": "Legal Intake Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(route_to_attorney|assign_practice_area|schedule_consultation).*(no|missing).*(review|approval|supervisor)",
      "problem": "Requires review before routing or scheduling.",
      "roi": "Prevents bad prospect routing.",
      "rollout": "Start strict; relax after pilot evidence."
    },
    {
      "id": "block-dynamic-tool-creation-without-approval",
      "name": "Block dynamic tool creation without approval",
      "category": "Claw-Style Enterprise Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(claw|enterpriseclaw|dynamic tool|runtime tool|create_tool|self.*evolving).*(create|generate|define).*(tool|action|capability|script)",
      "problem": "Claw-style agents (Automation Anywhere EnterpriseClaw, inspired by Nvidia OpenShell) can create tools at runtime. This must be gated to prevent arbitrary code execution or exfil.",
      "roi": "High: Prevents one of the most dangerous capabilities of autonomous enterprise agents while allowing safe dynamic extension under governance. Directly addresses the 'governance catching up' gap called out in coverage.",
      "rollout": "Block by default for claw agents; allowlist specific safe tool patterns after review. Capture feedback on every dynamic creation attempt."
    },
    {
      "id": "require-review-for-screen-ui-interaction",
      "name": "Require review for screen/UI interaction by agents",
      "category": "Claw-Style Enterprise Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(claw|screen|ui|computer use|mouse|keyboard|click|type|interact).*(screen|desktop|app|gui|human.*like)",
      "problem": "Claw-style agents interact directly with computer screens and apps like a human operator. This creates high risk of unintended actions, data leaks via UI, or compliance violations.",
      "roi": "Prevents agent-driven UI automation from bypassing existing controls. Essential for enterprise RPA + AI agent convergence (Automation Anywhere core).",
      "rollout": "Require human-in-loop or explicit policy approval for any claw screen interaction on production systems. Log all such actions for audit."
    },
    {
      "id": "enforce-agent-identity-separation",
      "name": "Enforce separate agent identity and audit trail",
      "category": "Claw-Style Enterprise Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(agent identity|agent.*credential|human.*credential|impersonat|audit.*agent|agent.*audit).*(missing|no|same as human|not separated)",
      "problem": "Claw agents (and partners like Okta in EnterpriseClaw) require first-class agent identities separate from humans so actions are auditable as agent actions, not human ones. Using human creds hides responsibility.",
      "roi": "Critical for compliance, forensics, and feedback loops. Enables proper capture of agent-specific lessons and prevention rules. Matches industry push (Okta, etc.).",
      "rollout": "Block any claw or autonomous agent action that authenticates as a human user. Require dedicated agent service accounts / identities with scoped permissions."
    },
    {
      "id": "gate-claw-file-system-access",
      "name": "Gate claw-style agent file system access",
      "category": "Claw-Style Enterprise Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(claw|file system|fs access|read file|write file|list dir|device access).*(local|shared|on-prem|airgap)",
      "problem": "Claw agents have broad device-level (local/shared) file system access. Must be strictly gated, especially in on-prem/air-gapped enterprise environments where most data lives.",
      "roi": "Directly supports the hybrid/on-prem reality emphasized in EnterpriseClaw coverage. Prevents broad access from becoming broad exfil or corruption. Ties to ThumbGate's existing path globs and protected files.",
      "rollout": "Use existing protected-paths + new claw-specific rules. Start with read-only for most, explicit approval for writes on sensitive dirs."
    },
    {
      "id": "block-unauthorized-multi-channel-posts",
      "name": "Block unauthorized multi-channel posts by Hermes Agent",
      "category": "Nous Research Hermes Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(slack|telegram|discord|signal|whatsapp|send_message|post_message|channel_post).*(credentials|api_key|token|auth|password|unreviewed|unapproved)",
      "problem": "Hermes Agent can post directly to messaging platforms. This gate prevents leaked credentials or unapproved messages from being posted publicly.",
      "roi": "High: Prevents public-facing compliance violations, credential leaks, and messaging spam across Telegram, Slack, and Discord.",
      "rollout": "Enable by default for agents connected to external communication channels."
    },
    {
      "id": "prevent-infinite-skill-synthesis-loops",
      "name": "Prevent infinite skill synthesis loops",
      "category": "Nous Research Hermes Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "medium",
      "pattern": "(hermes|skill synthesis|write skill|synthesize skill|evolve skill|self-improve).*(loop|repeated|stuck|regenerate|no progress)",
      "problem": "Hermes Agent can get stuck repeatedly rewriting or generating the same skills in Markdown format without resolving the user's core task.",
      "roi": "Reduces token burn and infinite loop execution loops by gating repeated skill write attempts.",
      "rollout": "Warn/block when skill edits occur more than 3 times within the same session context."
    },
    {
      "id": "validate-synthesized-skills-against-rules",
      "name": "Validate synthesized skills against prevention rules",
      "category": "Nous Research Hermes Agent Governance",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(write skill|synthesize skill|create skill|update skill).*(override|bypass|ignore|violate).*(prevention rule|gate|thumbgate)",
      "problem": "Hermes Agent's self-improvement loop can write new skills that conflict with or attempt to bypass established ThumbGate prevention rules.",
      "roi": "Preserves security invariants by ensuring that synthesized skills never write code patterns blocked by active ThumbGate rules.",
      "rollout": "Scan synthesized skill markdown content for pattern overlap with active prevention rules before writing to the skills directory."
    },
    {
      "id": "require-human-in-the-loop-pause",
      "name": "Enforce Human-in-the-Loop pause for critical decisions",
      "category": "AI Engineering Stack Safety",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "(agent_sdk|openrouter_sdk|human_in_loop|auto_resolve).*(auto_resolve|bypass|skip_pause|critical_action)",
      "problem": "Prevents autonomous agents using the Agent SDK from auto-resolving critical decisions (such as model migration, credential rotations, or financial transactions) without pausing for explicit human approval.",
      "roi": "Ensures human oversight remains functional on highest-risk actions, preventing the agent from acting entirely unsupervised on critical gates.",
      "rollout": "Turn on for all production deployments utilizing OpenRouter or other Agent SDKs with auto-resolve capabilities."
    },
    {
      "id": "careful-mode",
      "name": "Enforce careful mode for destructive commands",
      "category": "On-Demand Dynamic Gating",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "critical",
      "pattern": "(rm\\s+-rf|drop\\s+table|force-push|git\\s+push\\s+-[fF]|git\\s+push\\s+--force|kubectl\\s+delete)",
      "problem": "Blocks dangerous or destructive command sequences (rm -rf, DROP TABLE, force-push, kubectl delete) during sessions where careful mode is activated.",
      "roi": "Protects production environments and main branches from accidental destructive commands executed by autonomous agents.",
      "rollout": "Enable dynamically on-demand using /careful or env overrides when executing in sensitive or production workspaces."
    },
    {
      "id": "freeze-mode",
      "name": "Freeze directory edits",
      "category": "On-Demand Dynamic Gating",
      "signal": "👎",
      "defaultAction": "block",
      "severity": "high",
      "pattern": "^freeze_edit_outside_path.*",
      "problem": "Blocks any file edit or write tool call that is not within a specified active/target directory.",
      "roi": "Restricts agent edits to a controlled workspace, preventing scope drift, accidental modification of configuration or source files, and unwanted global refactors during focused task debugging.",
      "rollout": "Enable dynamically on-demand using /freeze to specify the only path(s) the agent is allowed to write to during the session."
    }
  ]
}
