The 33 block rules
Every rule exists because an agent tried the dangerous command.
Mass deletion (G-001 to G-006)
- G-001 — rm -rf with multiple targets or root paths
- G-002 — rm -rf / or rm -rf /*
- G-003 — rm -rf ~ or rm -rf $HOME
- G-004 — find . -delete without -name or -type filter
- G-005 — git clean -fdx (removes all untracked and ignored files)
- G-006 — Recursive chmod 000 or chown on broad paths
History destruction (G-007 to G-013)
- G-007 — git push --force to main/master/production branches
- G-008 — git reset --hard without a specific commit
- G-009 — git rebase on shared branches
- G-010 — git filter-branch or git-filter-repo
- G-011 — git reflog expire --all
- G-012 — git gc --prune=now (immediate garbage collection)
- G-013 — Deleting remote branches matching main|master|prod|release
Database (G-014 to G-016)
- G-014 — DROP DATABASE or DROP SCHEMA
- G-015 — TRUNCATE TABLE without WHERE on production-like names
- G-016 — Raw SQL migration with DELETE FROM and no WHERE clause
Infrastructure (G-017 to G-019)
- G-017 — terraform destroy without -target
- G-018 — kubectl delete namespace on production namespaces
- G-019 — docker system prune -a (removes all unused images and containers)
Production (G-020 to G-022)
- G-020 — npm publish or cargo publish outside of /ship phase
- G-021 — Deploying to production URLs detected from environment or config
- G-022 — heroku run or railway run with destructive commands
Remote code execution (G-023 to G-025)
- G-023 — curl | bash or wget | sh (pipe-to-shell)
- G-024 — eval with untrusted input from environment variables
- G-025 — python -c or node -e with network-fetched code
Security degradation (G-026)
- G-026 — chmod 777 on any file or directory
Safety bypass (G-027 to G-028)
- G-027 — --no-verify flag on git commit or push
- G-028 — Disabling linters or type checkers via CLI flags in non-test contexts
Credential injection (G-029)
- G-029 — Writing secrets directly into source files (detected by pattern match against known key formats)
Secrets access (G-030)
- G-030 — Reading .env, .env.local, or known credential files and echoing contents
Privilege escalation (G-031)
- G-031 — sudo commands outside of package installation
Container escape (G-032)
- G-032 — docker run --privileged or mounting the Docker socket
Network exposure (G-033)
- G-033 — Binding to 0.0.0.0 without explicit port restriction
The 9 warn rules
Warn rules do not block execution. They flag the command and ask the agent to confirm intent:
- W-001 — Installing global npm packages
- W-002 — Modifying .gitignore to exclude common patterns
- W-003 — Adding new environment variables
- W-004 — Changing database schema in a migration
- W-005 — Modifying CI/CD configuration files
- W-006 — Adding new dependencies (prompts version check)
- W-007 — Ports below 1024 in dev servers
- W-008 — Writing to directories outside src/ or test/
- W-009 — Commands with more than 3 pipes
Adding custom rules
Add rules in your project config. Block rules prevent execution. Warn rules prompt for confirmation.
// .nanostack/config.json
{
"guard": {
"custom_block": [
{
"id": "C-001",
"pattern": "aws s3 rm.*--recursive",
"reason": "Recursive S3 deletion is irreversible",
"alternative": "aws s3 rm <specific-key>"
}
],
"custom_warn": [
{
"id": "CW-001",
"pattern": "npm run seed",
"reason": "Seeding overwrites existing data"
}
]
}
}Custom rules are checked after built-in rules. If both a built-in and custom rule match, the stricter action (block over warn) applies.