guardrails
Guardrails
Concept of the skill
Use when planning or executing agent/tool operations that touch protected files, credentials, destructive git commands, destructive SQL, PII, secrets, deployments, package publication, or irreversible system mutations.
Coverage
This skill covers the portable guardrail discipline for agents and tool-using assistants: proactive action classification, reactive tripwires, input/output/tool-call guardrail placement, blocking vs advisory enforcement, protected-file and secret-exposure detection, destructive git and SQL patterns, deployment/package-publication gates, excessive-agency containment, and the verification protocol for high-risk operations.
Philosophy of the skill
Agents with broad tool access will eventually approach dangerous operations -- not from malice, but from inference errors, ambiguous instructions, or optimistic assumptions about reversibility. Guardrails exist to make irreversible actions harder to reach than safe alternatives. "Allowed" is not the same as "safe": an agent may be authorized to edit a repo and still need a hard stop before it writes a secret, force-pushes main, drops a production table, or publishes a package.
The core distinction is placement. A pre-action classifier asks "what kind of operation is this?" A guardrail asks "should this exact input, output, or tool call be blocked, escalated, or logged?" Modern agent frameworks expose input guardrails, output guardrails, and tool guardrails at different workflow boundaries; high-risk side effects require checks around the tool invocation itself, not only around the first user message or final answer.
Guardrail Model
Use guardrails as a layered circuit breaker: