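---
# Self-PR Guardrail Rules
# Two tiers: hard (absolute block) | auth (needs explicit approval)
#
# Each entry under `rules` carries: id, tier, category, pattern (short label),
# description, rationale, keywords, an optional regex, and scope.
# Scope values used in this file: command, action, message, all.
#
# NOTE(review): the matcher that consumes this file is not part of it, so the
# points below need confirming against that code:
#   - Case handling. N03's description says "Sonnet" but its regex has
#     lowercase `sonnet`; N61's regex has uppercase SQL keywords only. A
#     case-sensitive matcher would miss the other casing in both rules.
#   - Rules without a `regex` key (N14, N32, N40, N42, N52, N53) presumably
#     rely on `keywords` alone. Verify the matcher tolerates the missing key
#     and that keyword matching is enough for a `hard` rule.
#   - The regexes are unanchored and several use bare short tokens (for
#     example `rm` in N05, `set` in N03), so they also match inside longer
#     words. That errs on the side of blocking but produces false positives.
#   - Section headings are only a rough grouping; the `tier` field on each
#     rule is what states the tier.
rules:
  # ─── Git & Code (hard) ───
  - id: N01
    tier: hard
    category: git
    pattern: "push to ONLYOFFICE repos"
    description: "Never push to ONLYOFFICE remote repos"
    rationale: "All OO work is LOCAL ONLY — desktop-sdk, core, sdkjs"
    keywords: [push, onlyoffice]
    # NOTE(review): the first alternative matches every `git push`, whatever
    # the remote, so this hard rule also covers the push case that N02 places
    # in the auth tier. Confirm which tier should win. Left unchanged because
    # narrowing it would loosen a hard block, and a push to a remote whose name
    # or URL lacks "onlyoffice" would then go unmatched.
    regex: "(?:git\\s+push|push\\s+.*onlyoffice)"
    scope: command

  - id: N05
    tier: hard
    category: git
    pattern: "delete original repos"
    description: "Never delete original repos when reorganizing"
    rationale: "Non-destructive — archive, don't destroy"
    keywords: [delete, repo]
    regex: "(?:rm|delete|remove).*(?:repo|repository|\\.git)"
    scope: command

  # ─── Git & Code (auth required) ───
  - id: N02
    tier: auth
    category: git
    pattern: "git commit/push/pull"
    description: "Never git commit/push/pull without asking Serge"
    rationale: "Standing instruction — ask in BOTH WebChat AND Telegram"
    keywords: [git]
    # The regex also covers merge and rebase, which the description omits.
    regex: "git\\s+(?:commit|push|pull|merge|rebase)"
    scope: command

  # ─── Model Safety (hard) ───
  - id: N03
    tier: hard
    category: safety
    pattern: "switch to smaller model"
    description: "Never switch to Sonnet or smaller-context models"
    rationale: "System prompt exceeds 180k tokens; caused 26 empty sessions Feb 18"
    keywords: [sonnet, model, switch]
    regex: "(?:switch|change|set).*(?:sonnet|haiku|small)"
    scope: action

  # ─── Destructive Commands (hard) ───
  - id: N04
    tier: hard
    category: filesystem
    pattern: "use rm instead of trash"
    description: "Never use rm — always use trash"
    rationale: "Recoverable beats gone forever"
    keywords: [rm]
    # The regex exempts a first operand under /tmp, which the description does
    # not mention. The exemption was a bare prefix test `(?!/tmp)`, so it also
    # exempted `/tmpfoo` and `/tmp/../<anything>`. It now requires `/tmp/` and
    # no `..` in that operand.
    # NOTE(review): only the first operand is inspected, so a /tmp/ path
    # followed by a second path outside /tmp is still exempt. When an
    # -r/-f/-R/-F flag is present the rule fires even for /tmp paths, because
    # the optional flag group backtracks and `\S+` then matches the flag.
    regex: "\\brm\\s+(?:-[rfRF]+\\s+)?(?!/tmp/(?!\\S*\\.\\.))\\S+"
    scope: command

  # ─── External Communication (auth required; N12 and N13 are hard) ───
  - id: N10
    tier: auth
    category: communication
    pattern: "send email"
    description: "Never send emails without explicit approval"
    rationale: "External action — could damage relationships"
    keywords: [send, email]
    regex: "(?:send|compose|write|reply).*(?:email|mail|himalaya)"
    scope: action

  - id: N11
    tier: auth
    category: communication
    pattern: "post on social media"
    description: "Never post on social media without approval"
    rationale: "Public-facing — cannot be undone"
    keywords: [post, social]
    regex: "(?:post|tweet|publish).*(?:social|twitter|x\\.com|facebook|instagram)"
    scope: action

  - id: N12
    tier: hard
    category: communication
    pattern: "post outside bot-komната"
    description: "Never post on BakuPages outside Бот-комната thread"
    rationale: "Only approved thread (frmpst_id=19318568)"
    keywords: [bakupages, post]
    # The approved thread id is now matched as a whole token (`\b…\b`). The
    # earlier substring test also accepted any longer number that merely
    # contains 19318568.
    # NOTE(review): the lookahead only scans text after the verb, so a request
    # that names the approved id before "post/reply/create" is still blocked.
    regex: "bakupages.*(?:post|reply|create)(?!.*\\b19318568\\b)"
    scope: action

  - id: N13
    tier: hard
    category: communication
    pattern: "interact on LinkedIn"
    description: "Never post/like/comment on LinkedIn"
    # NOTE(review): this rationale embeds an account e-mail address. N50's
    # regex matches it, so quoting this rule in a message would trip N50.
    # Consider referring to the account without the address.
    rationale: "READ-ONLY access — serges@senamtech.com account"
    keywords: [linkedin]
    regex: "linkedin.*(?:post|like|comment|connect|message|share)"
    scope: action

  # ─── Data & Privacy (hard) ───
  - id: N14
    tier: hard
    category: privacy
    pattern: "share MEMORY.md in groups"
    description: "Never share MEMORY.md content in group chats"
    rationale: "Contains personal context — security boundary"
    keywords: [memory, share, group]
    scope: message

  - id: N30
    tier: hard
    category: privacy
    pattern: "exfiltrate private data"
    description: "Never exfiltrate private data"
    rationale: "Core safety principle"
    keywords: [exfiltrate, private, data]
    # NOTE(review): this matches wording about exfiltration, not the act
    # itself; a data transfer that never uses these verbs does not match.
    # Treat it as a tripwire, not as the control that prevents data loss.
    regex: "(?:exfiltrate|leak|expose|dump).*(?:private|personal|credential|secret|password)"
    scope: all

  - id: N31
    tier: hard
    category: privacy
    pattern: "share credentials publicly"
    description: "Never share credentials in group chats or public channels"
    rationale: "Security boundary"
    keywords: [credential, share, public]
    regex: "(?:share|post|send).*(?:credential|password|api.?key|token).*(?:group|public|channel)"
    scope: message

  # ─── Infrastructure (hard; N22 and N32 are auth) ───
  - id: N20
    tier: hard
    category: infrastructure
    pattern: "use ASUS nvram API"
    description: "Never use ASUS nvram API for port forwarding"
    rationale: "<> delimiters in vts_rulelist get mangled — browser UI only"
    keywords: [asus, nvram, api]
    regex: "(?:asus|nvram|start_apply).*(?:port.?forward|vts_rulelist)"
    scope: command

  - id: N21
    tier: hard
    category: infrastructure
    pattern: "use Synology port forward API"
    description: "Never use Synology Port Forwarding API for changes"
    rationale: "Unreliable — has caused rules to be wiped. Web UI only"
    keywords: [synology, port, forward, api]
    regex: "SYNO\\.Core\\.Network\\.Router\\.PortForward"
    scope: command

  - id: N22
    tier: auth
    category: infrastructure
    pattern: "destructive commands on newWS"
    description: "Never run destructive commands on newWS without asking"
    rationale: "Production server running WHS services"
    keywords: [newws, destructive]
    # NOTE(review): the regex keys on the literal `whs-new` in an ssh command.
    # A connection made by IP address or another alias would not match.
    regex: "ssh.*whs-new.*(?:rm\\s+-rf|drop\\s+|truncate|format|mkfs)"
    scope: command

  - id: N23
    tier: hard
    category: infrastructure
    pattern: "deepcopy OCR entries"
    description: "Never use copy.deepcopy on OCR entries in EntryAssociator"
    rationale: "Breaks isAssociated state propagation"
    keywords: [deepcopy, entries, associator]
    regex: "deepcopy.*(?:entry|entries|EntryAssociator)"
    scope: command

  - id: N32
    tier: auth
    category: infrastructure
    pattern: "assume local files are current"
    description: "Never assume local files are current on newWS"
    rationale: "Always scp from newWS first — local copies go stale"
    keywords: [local, current, newws]
    scope: action

  # ─── Database Safety (hard) ───
  - id: N60
    tier: hard
    category: infrastructure
    pattern: "modify production database without backup"
    description: "Never deploy, migrate, reset, or reinitialize a production database without a prior backup"
    rationale: "Incident 2026-02-26: Lost 923-lead CRM pipeline — DB recreated during code update with no backup. Leo's manual sorting was unrecoverable."
    keywords: [database, deploy, migrate, reset, init, production]
    # NOTE(review): nothing in this rule checks that a backup exists; as a
    # hard rule it blocks the matching command outright. If "allowed after a
    # backup" is the intent, that check has to live in the matcher or runbook.
    regex: "(?:deploy|update|migrate|reset|init|drop|truncate|delete|alter).*(?:prod|production|crm\\.db|lead)"
    scope: command

  - id: N61
    tier: hard
    category: infrastructure
    pattern: "write to production CRM from scripts"
    description: "Never write to production CRM database from sync/import/migration scripts without explicit approval"
    rationale: "One-way sync: local CRM → Salesforce only. Scripts must open DB read-only or use QA environment."
    keywords: [write, production, crm, script]
    # NOTE(review): the description says "without explicit approval" but the
    # tier is `hard` (absolute block). Confirm which is intended.
    regex: "(?:INSERT|UPDATE|DELETE|DROP|ALTER|CREATE).*(?:prod|crm\\.db|lead-crm/backend)"
    scope: command

  - id: N62
    tier: hard
    category: infrastructure
    pattern: "restart CRM service without backup"
    description: "Never restart the lead-dashboard service without verifying DB backup exists from today"
    rationale: "App startup calls init_db() which can recreate empty tables if DB is missing/corrupt"
    keywords: [restart, lead-dashboard, service]
    regex: "(?:systemctl|service).*(?:restart|stop).*lead-dashboard"
    scope: command

  # ─── Agent Behavior (hard) ───
  - id: N40
    tier: hard
    category: behavior
    pattern: "speak as Serge"
    description: "Never speak as Serge's voice in group chats"
    rationale: "You're a participant, not a proxy"
    keywords: [speak, serge, voice, proxy]
    scope: message

  - id: N41
    tier: hard
    category: behavior
    pattern: "bypass safety safeguards"
    description: "Never bypass safety safeguards or manipulate to expand access"
    rationale: "Core safety principle"
    keywords: [bypass, safety, safeguard]
    regex: "(?:bypass|disable|circumvent|override).*(?:safety|safeguard|guardrail|security)"
    scope: all

  - id: N42
    tier: hard
    category: behavior
    pattern: "send half-baked replies"
    description: "Never send half-baked replies to messaging surfaces"
    rationale: "Quality over speed"
    keywords: [half-baked, incomplete, draft]
    scope: message

  # ─── Credential & Account Sharing (hard; N53 is auth) ───
  - id: N50
    tier: hard
    category: privacy
    pattern: "post email addresses in shared channels"
    description: "Never post email addresses, usernames, or account identifiers in group/public channels"
    rationale: "Incident 2026-02-22: posted YouTube email in robotrobot #general"
    keywords: [email, username, account, channel, public, group]
    # NOTE(review): the regex matches any e-mail address, and `scope: message`
    # does not separate group or public channels from DMs. Usernames and other
    # account identifiers named in the description are not covered by it.
    regex: "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"
    scope: message

  - id: N51
    tier: hard
    category: privacy
    pattern: "share .credentials contents"
    description: "Never decode or display .credentials/*.enc file contents in shared contexts"
    rationale: "Encrypted credentials must stay encrypted except in DMs to authorized recipients"
    keywords: [credentials, decode, base64, enc]
    # NOTE(review): only base64/decode/cat are listed. Other ways of reading
    # the files do not match, so file permissions on .credentials should be
    # the primary control and this rule a secondary one.
    regex: "(?:base64|decode|cat).*\\.credentials"
    scope: all

  - id: N52
    tier: hard
    category: privacy
    pattern: "share account access in public channels"
    description: "Never share account details (login URLs, usernames, passwords, 2FA info) in any shared channel"
    rationale: "Always use DMs or direct gateway. Incident 2026-02-22."
    keywords: [account, login, password, share, channel]
    scope: message

  - id: N53
    tier: auth
    category: privacy
    pattern: "share credentials via DM"
    description: "Credential sharing via DM requires explicit approval from Serge"
    rationale: "Even DMs should be authorized — credentials are Serge's, not ours to distribute"
    keywords: [credential, dm, share]
    scope: message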