Skip to content

Configure guardrails

Guardrails are deterministic checks that run when high-risk tools fire (scm.create_pr, scm.merge_pr, propose_change, optional tool.before hooks). They complement workflow tools: allowlists and agent prose (/concepts/guardrails/, /reference/guardrails/).

Open Settings → Extensions → Guardrails in the bundled dashboard (launch the desktop app or run coro start for a CLI install):

Guardrails settings

From this page you can:

  • Toggle global enablement
  • Enable/disable individual rules (pr-description, pr-diff-size, merge-requires-approval, proposal-markdown-only, …)
  • Adjust numeric thresholds (minLength, maxLines, maxFiles, minimum approvals)

Click Save all changes when the sticky footer appears. Values persist as guardrails overrides inside ~/.coro/config.json—you do not need to edit JSON for routine tuning.

JSON overrides (advanced)

Defaults ship from packages/runner/config/guardrails.defaults.json and merge per-rule with your overrides (matched by id). Use direct JSON only when automating config or setting values the UI does not expose:

{
"guardrails": {
"enabled": true,
"rules": [
{ "id": "pr-diff-size", "config": { "maxLines": 1500, "maxFiles": 60 } },
{ "id": "pr-description", "enabled": false }
]
}
}

Dangerous combos (for example disabling merge-requires-approval globally) belong only in experimentation sandboxes — keep production guardrails strict enough that automation cannot silently ship unreviewable PRs.

Script-backed rules

/concepts/guardrails/ documents how to declare executable checks when JSON is insufficient. Prefer keeping scripts in tenant intelligence repos (memory/snippets/ procedural references) plus version-controlled script paths distributed via your infra team. Custom script paths are configured in JSON, not the dashboard toggles.

Approvals interplay

merge-requires-approval must align with your SCM branch protections and how service accounts authenticate — misconfiguration causes stuck review phases unrelated to Claude quality (/guides/webhooks/).