Guardrails defaults
Guardrails sit between the LLM and destructive tools. They are distinct from workflow tools: whitelists: even if a tool is allowed, a guardrail may veto a specific invocation and return a structured denial the model must repair.
Shipped defaults (packages/runner/config/guardrails.defaults.json) merge with optional overrides in ~/.coro/config.json → guardrails.rules[] (matched by id). Edit overrides in Settings → Extensions → Guardrails—see /guides/configure-guardrails/ for screenshots.
Default rules
| Rule id | on | during | check | config (defaults) |
|---|---|---|---|---|
pr-description | scm.create_pr | — | pr-description | minLength: 80, requiredHeadings: ["## What"] |
pr-diff-size | scm.create_pr | ["coding"] | pr-diff-size | maxLines: 1000, maxFiles: 40 |
proposal-markdown-only | propose_change | — | proposal-markdown-only | (no structured config) |
merge-requires-approval | scm.merge_pr | ["review","review-and-verify"] | merge-requires-approval | minApprovals: 1 |
Field meanings
on— Logical hook (scm.create_pr,scm.merge_pr,propose_change, or generictool.before).during— Optional allowlist of workflow phase names where the rule is evaluated; omit = all phases touching that hook.check— Built-in evaluator name orscriptfor bespoke.mjsrules.config— Check-specific knobs (thresholds, heading requirements, approval counts).
Enforcement surfaces
- Directly inside MCP handlers (
scm_create_pr,propose_change, …). - At the executor PreToolUse boundary for mapped PR tools emitted by MCP-mode plugins.
Denials emit [guardrail] <rule-id> blocked mcp__coro__… lines classified in the dashboard as Guardrail events.
Customisation quick path

Settings → Extensions → Guardrails toggles global enablement and per-rule thresholds. Click Save all changes to persist. For automation or values the UI does not expose, edit JSON directly:
{ "guardrails": { "rules": [ { "id": "pr-diff-size", "config": { "maxLines": 800 } }, { "id": "pr-description", "enabled": false } ] }}For scripted policies, see Custom guardrail.