pattern detail

filesystem-destructive-standing

Blocks destructive filesystem actions by default and escalates risky write/delete operations based on blast radius.

Pattern analysis

doctrinal basis

Collateral damage estimation and proportionality for local system changes.

Use the summary here for context, then inspect the YAML or related patterns for the concrete rule path.

What it catches

  • Recursive deletes triggered by malicious prompt context.
  • Package-install or shell-script flows that pivot into system file rewrites.
  • Mass edits that would touch too many files without operator review.

Related patterns

policy yaml


name: filesystem-destructive-standing
version: 1.1.0
doctrinal_basis: Standing ROE / standing rules for use of force map to always-on filesystem authority boundaries; proportionality and collateral damage estimation map to file_count and byte_count blast-radius caps; escalation of force maps to human approval before destructive filesystem mutations proceed; restricted engagement zones map to protected paths, credentials, secrets, audit logs, approval gates, and irreversible deletion.
description: Standing filesystem guardrails for agent-initiated read, preview, write, move, delete, permission, ownership, archive, and destructive path operations.
rules:
  - id: deny-filesystem-secret-access
    applies_to:
      action_class:
        - filesystem.secret.*
        - filesystem.credentials.*
        - filesystem.token.*
        - filesystem.private_key.*
    decision: deny
    reasoning: Standing filesystem ROE denies direct secret, credential, token, or private-key access; use scoped secret-manager operations instead.

  - id: deny-filesystem-protected-path-change
    applies_to:
      action_class:
        - filesystem.protected_path.write
        - filesystem.protected_path.delete
        - filesystem.protected_path.move
        - filesystem.protected_path.permission.change
        - filesystem.protected_path.ownership.change
    decision: deny
    reasoning: Standing filesystem ROE denies mutation of protected paths without special ROE authority outside this standing template.

  - id: deny-filesystem-control-plane-change
    applies_to:
      action_class:
        - filesystem.audit_log.*
        - filesystem.approval_gate.*
        - filesystem.policy.*
        - filesystem.backup.disable
        - filesystem.recovery.disable
    decision: deny
    reasoning: Standing filesystem ROE denies changes to audit logs, approval gates, policy files, backup controls, or recovery controls.

  - id: deny-irreversible-filesystem-destruction
    applies_to:
      action_class:
        - filesystem.delete.permanent
        - filesystem.delete.recursive_force
        - filesystem.wipe.*
        - filesystem.shred.*
        - filesystem.format.*
        - filesystem.partition.*
    decision: deny
    reasoning: Irreversible filesystem destruction is outside standing authority and must not be executed by an agent.

  - id: deny-high-file-count-destructive-change
    applies_to:
      action_class:
        - filesystem.delete.trash
        - filesystem.delete.standard
        - filesystem.move
        - filesystem.overwrite
        - filesystem.permission.change
        - filesystem.ownership.change
        - filesystem.archive.extract
    conditions:
      - type: blast_radius_max
        parameter: file_count
        threshold: 25
    decision: deny
    reasoning: Requested filesystem mutation affects ${file_count} files, exceeding the standing 25-file hard cap.

  - id: deny-high-byte-count-destructive-change
    applies_to:
      action_class:
        - filesystem.delete.trash
        - filesystem.delete.standard
        - filesystem.move
        - filesystem.overwrite
        - filesystem.permission.change
        - filesystem.ownership.change
        - filesystem.archive.extract
    conditions:
      - type: blast_radius_max
        parameter: byte_count
        threshold: 104857600
    decision: deny
    reasoning: Requested filesystem mutation affects ${byte_count} bytes, exceeding the standing 104857600-byte hard cap.

  - id: escalate-filesystem-destructive-change
    applies_to:
      action_class:
        - filesystem.delete.trash
        - filesystem.delete.standard
        - filesystem.move
        - filesystem.overwrite
        - filesystem.permission.change
        - filesystem.ownership.change
        - filesystem.archive.extract
    decision: escalate
    escalation:
      requires: human_approval
      via: filesystem-ops
    reasoning: Destructive filesystem mutation requires filesystem-ops approval under standing ROE before execution.

  - id: escalate-filesystem-creation-or-append
    applies_to:
      action_class:
        - filesystem.write.create
        - filesystem.write.append
        - filesystem.directory.create
    decision: escalate
    escalation:
      requires: justification
      via: filesystem-ops
    reasoning: Filesystem creation or append requires operator justification so the audit log captures purpose, path, and expected scope before execution.

  - id: allow-filesystem-readonly
    applies_to:
      action_class:
        - filesystem.read.*
        - filesystem.list
        - filesystem.stat
        - filesystem.search
        - filesystem.diff.preview
    decision: allow
    reasoning: Read-only filesystem inspection is authorized under standing ROE when it does not mutate file contents, metadata, permissions, ownership, policy, secrets, or controls.

  - id: allow-filesystem-dry-run
    applies_to:
      action_class:
        - filesystem.plan.preview
        - filesystem.delete.dry_run
        - filesystem.move.dry_run
        - filesystem.archive.dry_run
    decision: allow
    reasoning: Non-mutating filesystem preview or dry-run is authorized under standing ROE when the adapter guarantees no filesystem state change.
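To show how a rule set like this is applied to a proposed agent action, here is an added evaluator (example code written for this page, not the project's own engine) that walks a transcribed subset of the rules above. First-match-wins ordering, the "fires when the measured value exceeds the threshold" reading of blast_radius_max, and a fail-closed default for uncovered action classes are assumptions of this example.

```python
import fnmatch
import string

# Subset of the page's filesystem-destructive-standing rules, transcribed from its YAML into
# dicts (constructed, page order). First-match-wins and fail-closed are this example's assumptions.
MUTATING = ["filesystem.delete.trash", "filesystem.delete.standard", "filesystem.move",
            "filesystem.overwrite", "filesystem.archive.extract"]
RULES = [
    {"id": "deny-filesystem-secret-access", "decision": "deny",
     "action_class": ["filesystem.secret.*", "filesystem.credentials.*"]},
    {"id": "deny-irreversible-filesystem-destruction", "decision": "deny",
     "action_class": ["filesystem.delete.permanent", "filesystem.delete.recursive_force",
                      "filesystem.wipe.*"]},
    {"id": "deny-high-file-count-destructive-change", "decision": "deny", "action_class": MUTATING,
     "conditions": [{"type": "blast_radius_max", "parameter": "file_count", "threshold": 25}],
     "reasoning": "Requested filesystem mutation affects ${file_count} files, "
                  "exceeding the standing 25-file hard cap."},
    {"id": "deny-high-byte-count-destructive-change", "decision": "deny", "action_class": MUTATING,
     "conditions": [{"type": "blast_radius_max", "parameter": "byte_count", "threshold": 104857600}],
     "reasoning": "Requested filesystem mutation affects ${byte_count} bytes, "
                  "exceeding the standing 104857600-byte hard cap."},
    {"id": "escalate-filesystem-destructive-change", "decision": "escalate", "action_class": MUTATING,
     "escalation": {"requires": "human_approval", "via": "filesystem-ops"}},
    {"id": "allow-filesystem-readonly", "decision": "allow",
     "action_class": ["filesystem.read.*", "filesystem.list", "filesystem.stat"]},
]

def class_matches(patterns, action_class):
    # "." is not special to fnmatch, so "filesystem.read.*" matches "filesystem.read.text"
    return any(fnmatch.fnmatchcase(action_class, p) for p in patterns)

def condition_holds(cond, action):
    # blast_radius_max is read as "fire once the measured value exceeds the cap";
    # an action that reports no measurement counts as 0 (assumed schema semantics)
    if cond["type"] == "blast_radius_max":
        return action.get(cond["parameter"], 0) > cond["threshold"]
    raise ValueError("unknown condition type: " + cond["type"])

def evaluate(action, rules=RULES):
    """(rule_id, decision, reasoning) for the first rule whose class and conditions match."""
    for rule in rules:
        if not class_matches(rule["action_class"], action["action_class"]):
            continue
        if not all(condition_holds(c, action) for c in rule.get("conditions", [])):
            continue
        text = string.Template(rule.get("reasoning", "")).safe_substitute(action)
        return rule["id"], rule["decision"], text
    # Nothing covered the action: standing ROE is an allow-list, so fail closed
    return None, "deny", "no standing rule covers this action class"
```

Because the two blast-radius deny rules precede the escalate rule, a 3-file delete falls through to human approval while a 40-file delete is denied outright with the file count substituted into the reasoning string.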