Rules

@securitylayerai/rules is a data package — YAML rule definitions and capability templates with a thin TypeScript loader. It has no runtime dependency on core. The CLI and other packages consume the YAML at runtime using core's parseRulesYaml().

Baseline rules (`rules/baseline.yaml`)

14 deterministic rules that complement core's built-in rules. These cover patterns that the built-in rules don't:

Category	Rule ID	Decision	What it catches
Destructive	`destructive-chmod-recursive-777`	DENY	`chmod -R 777 /` (recursive world-writable on root)
Destructive	`destructive-chown-recursive`	DENY	`chown -R` on system paths (`/usr`, `/etc`, `/var`, etc.)
Credentials	`cred-gnupg`	DENY	Access to `~/.gnupg/**` (GnuPG keyring)
Credentials	`cred-pem-files`	DENY	`cat`, `cp`, `scp` etc. on `.pem` / `.key` files
Credentials	`cred-kube-config`	DENY	Access to `~/.kube/config`
Credentials	`cred-docker-config`	DENY	Access to `~/.docker/config.json`
Exfiltration	`exfil-base64-to-curl`	DENY	`base64 \| curl` pipe pattern
Exfiltration	`exfil-tar-to-curl`	DENY	`tar \| curl` pipe pattern (archive to network)
RCE	`rce-python-pipe`	DENY	`curl \| python` pipe pattern
RCE	`rce-eval-command`	REQUIRE_APPROVAL	`eval` usage (may execute arbitrary code)
RCE	`rce-netcat-listener`	DENY	`nc -l` (potential reverse shell)
Git	`dangerous-git-force-push`	DENY	`git push --force` to main/master
Packages	`dangerous-npm-publish`	REQUIRE_APPROVAL	`npm publish`
Containers	`dangerous-docker-privileged`	DENY	`docker run --privileged`

Session templates (`capabilities/sessions.yaml`)

Pre-configured session capability sets:

Template	Capabilities	Default taint
`main`	All 15 capabilities	`owner`
`group`	`channel.send`, `file.read`, `memory.read.trusted`, `web_fetch`	`trusted`
`dm-unknown`	`channel.send` only	`untrusted`

Channel defaults (`capabilities/channels.yaml`)

Per-channel capability limits:

Channel	Max capabilities
`owner-terminal`	ALL
`whatsapp`	`channel.send`, `file.read`, `memory.read.trusted`
`telegram`	`channel.send`, `file.read`, `memory.read.trusted`, `web_fetch`
`slack`	`channel.send`, `file.read`, `web_fetch`
`discord`	`channel.send`, `file.read`
`email`	`channel.send`
`webchat`	`channel.send`, `web_fetch`

Skill defaults (`capabilities/skills-defaults.yaml`)

Common skill capability profiles:

Profile	Capabilities
`read-only`	`file.read`, `web_fetch`
`file-editor`	`file.read`, `file.write`
`web-only`	`web_fetch`
`full-access`	All non-elevated capabilities

TypeScript API

import {
  getPackMetadata,
  loadBaselineRules,
  loadSessionTemplates,
  loadChannelDefaults,
  loadSkillDefaults,
} from "@securitylayerai/rules";

// Pack metadata
const meta = getPackMetadata();
// { name: "@securitylayerai/rules", version: "0.0.1", type: "rule-pack", ruleCount: 14 }

// Load baseline rules as raw YAML string
const rulesYaml = await loadBaselineRules();

// Load parsed capability templates
const sessions = await loadSessionTemplates();
const channels = await loadChannelDefaults();
const skills = await loadSkillDefaults();

Package structure

packages/rules/
├── src/
│   ├── index.ts          # Loader functions
│   └── types.ts          # RulePackMetadata, template types
├── rules/
│   └── baseline.yaml     # 14 security rules
├── capabilities/
│   ├── sessions.yaml     # Session templates
│   ├── channels.yaml     # Channel defaults
│   └── skills-defaults.yaml  # Skill profiles
└── test/
    └── loader.test.ts    # YAML loading + regex accuracy tests

Writing custom rules

The baseline rules are a starting point. You can add your own rules using the same YAML format:

version: 1
rules:
  - id: my-custom-rule
    description: Block access to production database
    match:
      type: pattern
      value: "\\bpsql\\s+.*production"
    decision: DENY
    reason: "Direct access to production database"

Rule match types:

pattern — Regex match against the full command string
path — Glob match against file paths
pipe_pair — Match piped command structures (from → to)