Custom guardrails
Guardrails intercept high-risk tools before they hit providers or open self-improvement PRs. Beyond editing numeric thresholds in JSON, operators can add check: script rules executed as ES modules.
JSON overrides
Built-in rules (pr-description, pr-diff-size, …) can be tuned in Settings → Extensions → Guardrails (/guides/configure-guardrails/). Script-backed rules and advanced overrides live under guardrails.rules[] in ~/.coro/config.json, merged by id with defaults:
{ "id": "pr-diff-size", "config": { "maxLines": 1200, "maxFiles": 25 } }

Optional fields mirror the engine schema: enabled, on, during, check, script, workflows, lanes.
Script modules
- Add a rule referencing check: "script" plus script: "my-rule" (basename sans extension).
- Author ~/.coro/guardrails/my-rule.mjs exporting default async function (ctx: GuardrailContext).
The module must return { allow: true } or { allow: false, reason: '…' }. Missing files fail closed so silent bypasses cannot occur.
Scripted rules run with the same precedence ordering as built-ins and log [guardrail] diagnostics when blocking.
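An added example, not code from the project: a change-freeze calendar rule written against the return contract described above, denying on any unusable input instead of defaulting to allow. The freeze window, the weekend block, UTC evaluation and the optional now parameter are assumptions of this example; ctx is left unused because the fields of GuardrailContext are not listed on this page.

```javascript
// Added example: calendar-policy guardrail script (not the project's own code).
// Constructed sample policy; all times are evaluated in UTC.
const FREEZE_WINDOWS = [
  { name: "year-end freeze", start: "2025-12-19T00:00:00Z", end: "2026-01-05T00:00:00Z" },
];
const BLOCK_WEEKENDS = true;

// Pure decision function so the policy can be tested with a fixed clock.
function evaluateCalendar(now) {
  const t = now instanceof Date ? now.getTime() : NaN;
  if (Number.isNaN(t)) {
    // An unusable clock value must not turn into an implicit allow.
    return { allow: false, reason: "calendar policy: invalid timestamp" };
  }
  for (const w of FREEZE_WINDOWS) {
    const start = Date.parse(w.start);
    const end = Date.parse(w.end);
    if (Number.isNaN(start) || Number.isNaN(end)) {
      // A mistyped window denies instead of silently never matching.
      return { allow: false, reason: `calendar policy: bad window "${w.name}"` };
    }
    if (t >= start && t < end) { // start inclusive, end exclusive
      return { allow: false, reason: `calendar policy: inside ${w.name}` };
    }
  }
  const day = now.getUTCDay(); // 0 = Sunday, 6 = Saturday
  if (BLOCK_WEEKENDS && (day === 0 || day === 6)) {
    return { allow: false, reason: "calendar policy: weekend (UTC)" };
  }
  return { allow: true };
}

// Rule entry point. ctx is accepted but unused: this policy needs only the clock.
// The second parameter is a test hook and an assumption of this example.
async function calendarRule(ctx, now = new Date()) {
  try {
    return evaluateCalendar(now);
  } catch (err) {
    // Deny on unexpected errors rather than letting the tool call through.
    return { allow: false, reason: `calendar policy: ${err.message}` };
  }
}

// When saved as ~/.coro/guardrails/my-rule.mjs, end the file with:
//   export default calendarRule;
```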
When to use scripts vs built-ins
- Built-ins cover PR hygiene, merge approvals, and markdown-only proposals — keep using them when possible.
- Scripts suit calendar policies, dynamic approval matrices, or bespoke SCM metadata checks.
See also Guardrails reference.