Enrich auto-rules.toml with provenance metadata #3

Open
opened 2026-04-09 13:37:57 +00:00 by jbr870 · 0 comments

## Summary

When rules are auto-promoted to auto-rules.toml, the LLM reasoning, session context, and decision tier are discarded. Only a timestamp comment survives. Users reviewing their auto-rules can't answer "why was this rule created?" without digging through the audit log.

## User Stories Served

- **US-11:** Auto-rule provenance — see which auto-rules exist and how they got there, with the original LLM reasoning

## Current State

```toml
# Auto-promoted 2026-02-26T12:34:56Z: Bash: npm test
[[allow]]
tool = 'Bash'
[allow.fields]
command = '^npm\s+test'
```

## Proposed Enhancement

Add metadata fields that the rule engine ignores but humans and tooling can read:

```toml
# Auto-promoted 2026-02-26T12:34:56Z: Bash: npm test
[[allow]]
tool = 'Bash'
promoted_at = '2026-02-26T12:34:56Z'
promoted_tier = 'GREEN'
promoted_reasoning = 'npm test is a read-only test runner, safe to auto-approve'
promoted_session = 'abc-123'
[allow.fields]
command = '^npm\s+test'
```

The rule engine already ignores unknown fields (serde `deny_unknown_fields` is not set), so these are backwards-compatible.
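The following is an added example, not code from the claude-permit project: it loads a constructed `auto-rules.toml` snippet containing one legacy rule and one rule with the proposed `promoted_*` fields, shows how a matcher that only reads `tool` and `fields` is unaffected by the extra keys, and reads the provenance back out for review. The matching semantics (regex search of each field pattern against the request's field value) and the `stray_keys` check are assumptions for illustration; the check exists because, with `deny_unknown_fields` unset, a misspelled metadata key would be silently dropped rather than rejected.

```python
"""Read auto-rules.toml entries with optional promoted_* provenance metadata.
Added illustration (not the project's own code); matching semantics are assumed."""
import re
from datetime import datetime

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # pragma: no cover
    import tomli as tomllib  # type: ignore

# Constructed sample: a legacy rule (comment only) and an enriched rule.
SAMPLE_AUTO_RULES = r"""
# Auto-promoted 2026-02-25T09:00:00Z: Bash: git status
[[allow]]
tool = 'Bash'
[allow.fields]
command = '^git\s+status'

# Auto-promoted 2026-02-26T12:34:56Z: Bash: npm test
[[allow]]
tool = 'Bash'
promoted_at = '2026-02-26T12:34:56Z'
promoted_tier = 'GREEN'
promoted_reasoning = 'npm test is a read-only test runner, safe to auto-approve'
promoted_session = 'abc-123'
[allow.fields]
command = '^npm\s+test'
"""

ENGINE_KEYS = {"tool", "fields"}      # the only keys the matcher reads (assumed)
PROVENANCE_PREFIX = "promoted_"       # metadata keys proposed in this issue


def load_rules(text):
    """Parse the TOML document and return the list of [[allow]] tables."""
    return tomllib.loads(text).get("allow", [])


def engine_view(rule):
    """What the matcher sees: every key it does not know is dropped,
    which mirrors serde's default behaviour without deny_unknown_fields."""
    return {k: v for k, v in rule.items() if k in ENGINE_KEYS}


def rule_matches(rule, tool, fields):
    """Return True when the request's tool and field values satisfy the rule."""
    view = engine_view(rule)
    if view.get("tool") != tool:
        return False
    for name, pattern in view.get("fields", {}).items():
        value = fields.get(name)
        if value is None or re.search(pattern, value) is None:
            return False
    return True


def provenance(rule):
    """Collect promoted_* keys for human review; None for legacy rules."""
    meta = {k[len(PROVENANCE_PREFIX):]: v
            for k, v in rule.items() if k.startswith(PROVENANCE_PREFIX)}
    if not meta:
        return None
    if "at" in meta:
        # Accept the trailing 'Z' on older Pythons by normalising to +00:00.
        meta["at"] = datetime.fromisoformat(meta["at"].replace("Z", "+00:00"))
    return meta


def stray_keys(rule):
    """Keys that are neither engine fields nor promoted_* metadata.
    Because unknown fields are ignored, a typo here would vanish silently."""
    return {k for k in rule
            if k not in ENGINE_KEYS and not k.startswith(PROVENANCE_PREFIX)}


if __name__ == "__main__":
    for rule in load_rules(SAMPLE_AUTO_RULES):
        print(engine_view(rule), provenance(rule), stray_keys(rule))
```

Tooling that lists auto-rules can call `provenance()` per rule to show the tier, session and reasoning alongside the rule, while `engine_view()` makes explicit that the decision path never depends on those keys.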

## Context

See wiki: [Data Capture Analysis](https://git.wihslon.com/jbr870/claude-permit/wiki/product%2Fdata-capture-analysis) — "Structural Issues §2: Auto-rules.toml loses provenance"

Reference
jbr870/claude-permit#3