Skip to content

Custom guardrails

Guardrails intercept high-risk tools before they hit providers or open self-improvement PRs. Beyond editing numeric thresholds in JSON, operators can add check: script rules executed as ES modules.

JSON overrides

Built-in rules (pr-description, pr-diff-size, …) can be tuned in Settings → Extensions → Guardrails (/guides/configure-guardrails/). Script-backed rules and advanced overrides live under guardrails.rules[] in ~/.coro/config.json, merged by id with defaults:

{
"id": "pr-diff-size",
"config": { "maxLines": 1200, "maxFiles": 25 }
}

Optional fields mirror the engine schema: enabled, on, during, check, script, workflows, lanes.

Script modules

  1. Add a rule referencing check: "script" plus script: "my-rule" (basename sans extension).
  2. Author ~/.coro/guardrails/my-rule.mjs exporting default async function (ctx: GuardrailContext).

The module must return { allow: true } or { allow: false, reason: '…' }. Missing files fail closed so silent bypasses cannot occur.

Scripted rules run with the same precedence ordering as built-ins and log [guardrail] diagnostics when blocking.

When to use scripts vs built-ins

  • Built-ins cover PR hygiene, merge approvals, and markdown-only proposals — keep using them when possible.
  • Scripts suit calendar policies, dynamic approval matrices, or bespoke SCM metadata checks.

See also Guardrails reference.