
jbaruch/nanoclaw-trusted

Rules for trusted NanoClaw groups. Shared memory, session bootstrap, cross-group memory updates. Loaded for trusted and main containers only.

74

Quality: 93% (Does it follow best practices?)

Impact: No eval scenarios have been run

Security by Snyk: Risky. Do not use without reviewing.


rules/container-trust-levels.md

alwaysApply: Yes

Container Trust Levels

The runtime contract

The runtime's mount layout is the contract. A read-only-filesystem error on a write to the group folder means you're in an untrusted container.

Don't retry on EROFS

If a write to /workspace/group/ fails with EROFS / "Read-only file system", do NOT retry. The mount is intentionally RO; the retry will fail the same way.
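
One way to encode this rule in a write helper, as an added example that is not part of the nanoclaw-trusted tile: EROFS is terminal and raised on the first attempt, while a small set of transient errnos gets a bounded retry. The names `write_group_file`, `ReadOnlyGroupMount`, the injectable `write` parameter and the choice of transient errnos are assumptions of this example.

```python
import errno
import os
import time

GROUP_DIR = "/workspace/group"  # group folder named in the rule above

# Assumption: which errnos count as transient is this example's choice,
# not something the rule file specifies.
TRANSIENT = {errno.EINTR, errno.EAGAIN, errno.EBUSY}


class ReadOnlyGroupMount(Exception):
    """A write hit EROFS: the group folder is mounted read-only,
    which the runtime contract defines as an untrusted container."""


def _default_write(path, data):
    with open(path, "wb") as fh:
        fh.write(data)


def write_group_file(name, data, write=_default_write, attempts=3, delay=0.0):
    """Write `data` to GROUP_DIR/name and return the number of attempts used.

    EROFS is never retried: the mount is intentionally read-only, so a
    second attempt fails the same way. Transient errnos are retried up to
    `attempts` times; every other OSError propagates unchanged.
    `write` is injectable so the policy can be exercised without a real mount.
    """
    path = os.path.join(GROUP_DIR, name)
    for attempt in range(1, attempts + 1):
        try:
            write(path, data)
            return attempt
        except OSError as exc:
            if exc.errno == errno.EROFS:
                # Terminal: report the trust level instead of looping.
                raise ReadOnlyGroupMount(path) from exc
            if exc.errno not in TRANSIENT or attempt == attempts:
                raise
            time.sleep(delay)
```
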

Full capability matrix

The full trust-tier capability matrix (mounts, plugins, Composio access, idle timeout, RAM/CPU caps) lives in docs/trust-tier-capabilities.md.
