Ship a Claude Code PreToolUse hook (nous-plan-enforcer) that intercepts Bash calls during EXECUTE_ANALYZE and rejects (or warns) if the command isn't derivable from experiment_plan.yaml.
Why this matters
The 5/18 mech-design-enforcement session showed two executor processes racing on the same iter dir — partly because nothing inside the agent enforced the plan. Hooks intercept tool calls deterministically before the LLM acts, so we can hard-guard the boundary.
This issue makes it enforceable, not just descriptive.
Proposed approach
Define a JSON-Schema for experiment_plan.yaml commands (allowlist of binaries + arg patterns).
Implement a Python script bin/nous-plan-enforcer that reads stdin (the proposed tool call), checks against the plan in CWD, exits 0 (allow) or non-zero (reject with reason).
Register it as a PreToolUse hook in the per-campaign settings template (depends on Test issue #15).
Two modes:
--strict → hook rejects unknown commands.
--warn (default) → hook lets them through but logs to iter-N/plan_violations.jsonl.
Document the escape hatch (a special # nous: ad-hoc comment in a command).
Acceptance criteria
In strict mode, an executor that tries rm -rf / (or any unplanned command) is blocked.
In warn mode, violations land in plan_violations.jsonl with timestamp + arm context.
No false positives on the seven existing example campaigns.
Notes
This is a defense-in-depth measure on top of --dangerously-skip-permissions. It does not replace Test issue #15's permission policies.
What's already shipped
experiment_plan.yaml is the existing plan artifact (PR feat: Phase 3 — Real experiment execution #25, feat: nous validate CLI + executor writes artifacts directly #54).
Part of #120.
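A sketch of the strict/warn decision described in the proposed approach, added here as an illustration and not the project's own code. It assumes the PreToolUse payload is JSON with `tool_name` and `tool_input.command` and that exit code 2 is what blocks the call; the `PLAN` dict, the `arm` argument and the log path are hypothetical stand-ins for a schema and iteration layout this issue does not define.

```python
import fnmatch, json, shlex, sys, time

# Constructed allowlist standing in for the commands section of
# experiment_plan.yaml (hypothetical shape: binary -> argument patterns).
PLAN = {"python": ["train.py --arm *", "eval.py --arm * --seed [0-9]*"],
        "pytest": ["-q tests/*"]}
SHELL_META = set(";&|`$<>\n")  # chaining, substitution, redirection

def check(command, plan=PLAN):
    """Return (allowed, reason) for one proposed Bash command."""
    if SHELL_META & set(command):
        # "planned-binary ...; something-else" must not pass on its prefix.
        return False, "shell metacharacter; cannot be matched against the plan"
    try:
        argv = shlex.split(command)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"
    patterns = plan.get(argv[0])
    if patterns is None:
        return False, f"binary {argv[0]!r} is not in the plan"
    for pattern in patterns:
        want = pattern.split()
        # Same token count, each token matched against its own glob.
        if len(want) == len(argv) - 1 and all(
                fnmatch.fnmatchcase(a, w) for a, w in zip(argv[1:], want)):
            return True, "matches plan"
    return False, f"arguments match no planned {argv[0]!r} pattern"

def decide(payload, strict, log_path, arm="unknown"):
    """Return the hook exit code; in warn mode append the violation to log_path."""
    if payload.get("tool_name") != "Bash":
        return 0
    command = payload.get("tool_input", {}).get("command", "")
    allowed, reason = check(command)
    if allowed:
        return 0
    if strict:
        print(f"nous-plan-enforcer: {reason}", file=sys.stderr)
        return 2  # assumed blocking exit code for a PreToolUse hook
    with open(log_path, "a") as fh:
        fh.write(json.dumps({"ts": time.time(), "arm": arm,
                             "command": command, "reason": reason}) + "\n")
    return 0

if __name__ == "__main__":
    sys.exit(decide(json.load(sys.stdin), "--strict" in sys.argv[1:],
                    "plan_violations.jsonl"))
```

Matching is per token, so a `*` pattern still accepts any single argument value, including path traversal; tighter patterns belong in the plan schema itself.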