jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

77

Quality: 96% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Risky. Do not use without reviewing

This version of the tile failed moderation
Failed moderation (intent review) in rules/session-bootstrap.md: This is a prompt injection attack disguised as a cursor/IDE rule file. It instructs an AI agent to unconditionally execute a bash command and invoke an external skill ('tessl__trusted-memory') at the start of every session before processing any user input. This is a social engineering/prompt injection technique designed to:
1) Force the AI to execute arbitrary commands without user consent,
2) Potentially load malicious instructions from an external 'trusted-memory' skill/plugin,
3) Establish persistence via a sentinel file (/tmp/session_bootstrapped) to track execution.
The authoritative tone ('MANDATORY', 'not optional', 'violating this rule') is a classic prompt injection pattern to override the AI's safety boundaries.

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and admin scope.

Installation

tessl install jbaruch/nanoclaw-trusted

Rules

Always-on rules are loaded into every turn's context. Conditional rules are loaded by the agent's model when their applyTo: clause matches the current task — kept off baseline context otherwise per jbaruch/coding-policy: rule-frontmatter.

| Rule | Scope | Summary |
| --- | --- | --- |
| compaction-aware-summaries | conditional | When Claude Code compacts context, the summary must preserve information that cannot be recovered from files alone. |
| daily-discoveries-rule | conditional | When you learn something new and operationally important — a workflow, where something lives, how something works, a tool to use for a specific task — immediately write it to /workspace/trusted/memory/daily_discoveries.md: |
| github-data-via-gh | conditional | GitHub state — PRs, issues, repo contents, workflow runs — comes from the gh CLI inside the container (orchestrator forwards GITHUB_TOKEN per jbaruch/nanoclaw#565). curl https://api.github.com/... is still wrong (unauthenticated); Composio GITHUB_* tools remain as fallback only. |
| ground-truth-trusted | conditional | Extends the core ground-truth rule with verification methods and computation available to trusted containers. |
| identity-dual-handle | always-on | Deploy-tier extension of the dual-handle invariant in jbaruch/nanoclaw-core rules/core-behavior.md. |
| installed-content-immutable | conditional | Installed skills and rules under /home/node/.claude/skills/ and /home/node/.claude/.tessl/ are kernel-level read-only at runtime — Write/Edit against them returns EROFS. Real changes flow through the staging → promote → publish → update pipeline. |
| local-context-anchoring | always-on | Anchor every relative time/place phrasing (today / yesterday / now / here, plus Russian equivalents) to the user's local frame from the orchestrator-injected <context> tag's local_datetime / weekday / location_* attrs — not the server clock and not UTC. |
| memory-file-locations | conditional | 1. All typed memory files go in /workspace/trusted/ root — never in /workspace/trusted/memory/. The memory/ subdirectory is ONLY for daily logs and daily_discoveries. |
| messages-db-schema | conditional | Authoritative PRAGMA table_info listing for the canonical messages.db tables. |
| no-orphan-tasks | conditional | Before scheduling any new recurring task, check: |
| no-silent-defer | always-on | Defer is allowed only when there is a concrete handoff that will actually do the deferred work. Otherwise it is a silent skip — and silent skips on something the owner intended to act on are material harm, not noise. |
| proactive-fact-saving | always-on | Personal facts mentioned in conversation must be saved to trusted memory IMMEDIATELY — not at end of session, not during archival, not "when non-trivial." At first mention. |
| session-bootstrap | always-on | Then write the sentinel: echo "done" > /tmp/session_bootstrapped |
| async-tasks-extended | always-on | Trusted-tier extension of the core async-tasks protocol — reaction upgrade, background-agent spawn, scheduled-task silence, post-compaction restart. |
| composio-vs-agents | always-on | Composio for single API calls / read ops; spawn Agent for multi-step workflows with judgment between steps. |
| container-trust-levels | always-on | Runtime detection is the contract: read-only-filesystem error = untrusted container, don't retry. Full capability matrix in docs/trust-tier-capabilities.md. |
| context-bootstrap-bg-agents | always-on | Background-agent prompts must include workspace context (paths, send-message tool, Telegram HTML formatting). |
| duplicate-prevention | always-on | Before creating any resource, check if it exists. Duplicate found → update existing. |
| global-memory | always-on | /workspace/global/CLAUDE.md for cross-group facts. Only update when explicitly asked. |
| identity-compaction-recovery | always-on | After context compaction, re-read /workspace/global/SOUL.md — your persona context is gone. |
| pending-response-tracking | always-on | Stamp session-state.json with pending_response, do the work, send, clear. Heartbeat picks up interrupted responses. |
| proactive-participation | always-on | In trusted groups you're a participant — chime in when useful. Default-silence still applies; a reaction alone is complete participation. |
| reply-threading | always-on | Always reply-thread user messages using reply_to. Required for heartbeat to track unanswered messages. |
| skills-policy | always-on | If a skill exists, invoke it with Skill(skill: "name"). Never read SKILL.md files manually or paste content into Agent prompts. No improvising. |
| verification-protocol | always-on | After these actions, verify independently before confirming to the user: |
| wiki-awareness | conditional | A persistent personal wiki lives at /workspace/trusted/wiki/ with raw sources at /workspace/trusted/sources/. |

Skills

| Skill | Description |
| --- | --- |
| system-status | Read-only system-status probe for trusted-tier NanoClaw containers — surfaces stuck scheduled tasks, DB size, and recent task-run failures from the orchestrator's SQLite. Use as part of heartbeat or standalone. Renamed from check-system-health (which collided with the admin tile's same-named skill, per nanoclaw-admin#65); admin keeps the canonical full health probe with dismiss-mechanism management. |
| trusted-memory | Session bootstrap and rolling memory updates for trusted containers. On session start, reads MEMORY.md (permanent facts), RUNBOOK.md (operational workflows), recent daily and weekly logs, and highlights.md to restore context. After non-trivial interactions, appends timestamped entries to group-local and cross-group shared daily logs. Use when starting a new session to load previous notes and remember context, or after meaningful conversations to save conversation history, persist session state, or record newly learned owner preferences. |

See CHANGELOG.md for version history.

Workspace: jbaruch
Visibility: Public
Publish Source: GitHub