guardrail 0.1.0

Defensive guardrails for AI coding agents — block destructive commands via hooks
# Akeyless CLI guardrail suite — deployed via blackmatter-akeyless
# Covers all 44 destructive operations from the Akeyless API
#
# Schema of each rule (every entry below uses exactly these seven keys):
#   name        unique rule id; by convention "akeyless-<subcommand>"
#   pattern     regex evaluated against the command line by the guardrail
#               runtime (the regex flavour is the runtime's, not fixed here).
#               Every pattern has the shape (?i)(akeyless|aky)\s+<subcommand>\b:
#               case-insensitive, binary name or its "aky" alias, any run of
#               whitespace, then the exact subcommand token. The trailing \b
#               keeps a singular rule from matching its plural (delete-item
#               does not match delete-items), which is why both forms have
#               their own rule.
#   severity    "block" or "warn" — the only two values used in this file.
#               Presumably block rejects the command and warn lets it through
#               with a notice; confirm against the guardrail runtime.
#   message     text surfaced when the rule fires; names the subcommand and
#               its consequence
#   category    "akeyless" for every rule (grouping/filtering key)
#   test_block  a command line the pattern MUST match (self-test fixture)
#   test_allow  a command line the pattern MUST NOT match (self-test fixture)
#
# NOTE(review): every test_allow is the same read-only "akeyless list-items"
# command, so the negative self-tests only show that a pattern ignores an
# unrelated command. A near-miss negative per rule (a read/describe variant of
# the same noun) would catch an over-broad pattern more reliably.
# NOTE(review): the patterns assume the subcommand token directly follows the
# binary name; a command line with global options placed before the subcommand
# would not be matched — confirm against the CLI's accepted argument order
# before treating these rules as the only control.

# ── Delete: Secrets/Items ──────────────────────────────────────
# Hard deletes of stored secrets/keys and their producers; all six are block.
- name: akeyless-delete-item
  pattern: '(?i)(akeyless|aky)\s+delete-item\b'
  severity: block
  message: "Akeyless delete-item — permanently destroys a secret/key"
  category: akeyless
  test_block: "akeyless delete-item --name /my/secret"
  test_allow: "akeyless list-items --path /"

# Plural form: the singular rule's trailing \b does not match "delete-items".
- name: akeyless-delete-items
  pattern: '(?i)(akeyless|aky)\s+delete-items\b'
  severity: block
  message: "Akeyless delete-items — batch secret deletion"
  category: akeyless
  test_block: "akeyless delete-items --path /old-secrets"
  test_allow: "akeyless list-items --path /"

- name: akeyless-dynamic-secret-delete
  pattern: '(?i)(akeyless|aky)\s+dynamic-secret-delete\b'
  severity: block
  message: "Akeyless dynamic-secret-delete — removes dynamic secret producer"
  category: akeyless
  test_block: "akeyless dynamic-secret-delete --name /my/producer"
  test_allow: "akeyless list-items --path /"

- name: akeyless-rotated-secret-delete
  pattern: '(?i)(akeyless|aky)\s+rotated-secret-delete\b'
  severity: block
  message: "Akeyless rotated-secret-delete — removes rotated secret"
  category: akeyless
  test_block: "akeyless rotated-secret-delete --name /my/rotated"
  test_allow: "akeyless list-items --path /"

- name: akeyless-static-secret-delete-sync
  pattern: '(?i)(akeyless|aky)\s+static-secret-delete-sync\b'
  severity: block
  message: "Akeyless static-secret-delete-sync — removes sync configuration"
  category: akeyless
  test_block: "akeyless static-secret-delete-sync --name /my/sync"
  test_allow: "akeyless list-items --path /"

- name: akeyless-folder-delete
  pattern: '(?i)(akeyless|aky)\s+folder-delete\b'
  severity: block
  message: "Akeyless folder-delete — removes folder and potentially nested items"
  category: akeyless
  test_block: "akeyless folder-delete --path /old-folder"
  test_allow: "akeyless list-items --path /"

# ── Delete: Auth Methods ───────────────────────────────────────
# Removing an auth method cuts off every identity that logs in through it.
- name: akeyless-delete-auth-method
  pattern: '(?i)(akeyless|aky)\s+delete-auth-method\b'
  severity: block
  message: "Akeyless delete-auth-method — removes authentication method"
  category: akeyless
  test_block: "akeyless delete-auth-method --name /my/auth"
  test_allow: "akeyless list-items --path /"

- name: akeyless-delete-auth-methods
  pattern: '(?i)(akeyless|aky)\s+delete-auth-methods\b'
  severity: block
  message: "Akeyless delete-auth-methods — batch auth method deletion"
  category: akeyless
  test_block: "akeyless delete-auth-methods --path /old-auth"
  test_allow: "akeyless list-items --path /"

# ── Delete: Roles & Access ────────────────────────────────────
- name: akeyless-delete-role
  pattern: '(?i)(akeyless|aky)\s+delete-role\b'
  severity: block
  message: "Akeyless delete-role — removes RBAC role"
  category: akeyless
  test_block: "akeyless delete-role --name /my/role"
  test_allow: "akeyless list-items --path /"

- name: akeyless-delete-roles
  pattern: '(?i)(akeyless|aky)\s+delete-roles\b'
  severity: block
  message: "Akeyless delete-roles — batch role deletion"
  category: akeyless
  test_block: "akeyless delete-roles --path /old-roles"
  test_allow: "akeyless list-items --path /"

- name: akeyless-delete-role-association
  pattern: '(?i)(akeyless|aky)\s+delete-role-association\b'
  severity: block
  message: "Akeyless delete-role-association — removes auth↔role binding"
  category: akeyless
  test_block: "akeyless delete-role-association --assoc-id my-assoc"
  test_allow: "akeyless list-items --path /"

# warn, not block: narrower than delete-role — removes a single access rule
# from the role (per the message) rather than the role itself.
- name: akeyless-delete-role-rule
  pattern: '(?i)(akeyless|aky)\s+delete-role-rule\b'
  severity: warn
  message: "Akeyless delete-role-rule — removes access rule from role"
  category: akeyless
  test_block: "akeyless delete-role-rule --role-name /my/role --path /secrets"
  test_allow: "akeyless list-items --path /"

- name: akeyless-delete-group
  pattern: '(?i)(akeyless|aky)\s+delete-group\b'
  severity: block
  message: "Akeyless delete-group — removes access group"
  category: akeyless
  test_block: "akeyless delete-group --name my-group"
  test_allow: "akeyless list-items --path /"

- name: akeyless-policies-delete
  pattern: '(?i)(akeyless|aky)\s+policies-delete\b'
  severity: block
  message: "Akeyless policies-delete — removes security policy"
  category: akeyless
  test_block: "akeyless policies-delete --name my-policy"
  test_allow: "akeyless list-items --path /"

# ── Delete: Targets ────────────────────────────────────────────
- name: akeyless-delete-target
  pattern: '(?i)(akeyless|aky)\s+delete-target\b'
  severity: block
  message: "Akeyless delete-target — removes target integration"
  category: akeyless
  test_block: "akeyless delete-target --name /my/target"
  test_allow: "akeyless list-items --path /"

- name: akeyless-delete-targets
  pattern: '(?i)(akeyless|aky)\s+delete-targets\b'
  severity: block
  message: "Akeyless delete-targets — batch target deletion"
  category: akeyless
  test_block: "akeyless delete-targets --path /old-targets"
  test_allow: "akeyless list-items --path /"

# warn, not block: removes only the item↔target binding, not the target.
- name: akeyless-delete-target-association
  pattern: '(?i)(akeyless|aky)\s+delete-target-association\b'
  severity: warn
  message: "Akeyless delete-target-association — removes item↔target binding"
  category: akeyless
  test_block: "akeyless delete-target-association --assoc-id my-assoc"
  test_allow: "akeyless list-items --path /"

# ── Delete: Gateway/Infrastructure ─────────────────────────────
- name: akeyless-delete-gw-cluster
  pattern: '(?i)(akeyless|aky)\s+delete-gw-cluster\b'
  severity: block
  message: "Akeyless delete-gw-cluster — removes entire gateway cluster"
  category: akeyless
  test_block: "akeyless delete-gw-cluster --cluster-name my-gw"
  test_allow: "akeyless list-items --path /"

- name: akeyless-gateway-delete-producer
  pattern: '(?i)(akeyless|aky)\s+gateway-delete-producer\b'
  severity: block
  message: "Akeyless gateway-delete-producer — removes dynamic secret producer from gateway"
  category: akeyless
  test_block: "akeyless gateway-delete-producer --name my-producer"
  test_allow: "akeyless list-items --path /"

# NOTE(review): the rule name drops the trailing "-config" that the pattern,
# message and test_block all carry. Harmless, but it breaks the
# name == "akeyless-<subcommand>" convention every other rule follows.
- name: akeyless-gateway-delete-k8s-auth
  pattern: '(?i)(akeyless|aky)\s+gateway-delete-k8s-auth-config\b'
  severity: block
  message: "Akeyless gateway-delete-k8s-auth-config — removes K8s auth from gateway"
  category: akeyless
  test_block: "akeyless gateway-delete-k8s-auth-config --name my-k8s-auth"
  test_allow: "akeyless list-items --path /"

- name: akeyless-gateway-delete-migration
  pattern: '(?i)(akeyless|aky)\s+gateway-delete-migration\b'
  severity: block
  message: "Akeyless gateway-delete-migration — removes migration configuration"
  category: akeyless
  test_block: "akeyless gateway-delete-migration --id my-migration"
  test_allow: "akeyless list-items --path /"

- name: akeyless-gateway-delete-allowed-access
  pattern: '(?i)(akeyless|aky)\s+gateway-delete-allowed-access\b'
  severity: block
  message: "Akeyless gateway-delete-allowed-access — removes gateway access"
  category: akeyless
  test_block: "akeyless gateway-delete-allowed-access --id my-access"
  test_allow: "akeyless list-items --path /"

# NOTE(review): this is the only rule in the Gateway section at "warn". Per
# its message it removes audit/event forwarding, i.e. it silences the
# detection path for every other action in this file; loss of audit
# visibility is hard to notice after the fact, so "block" is worth
# considering here.
- name: akeyless-delete-event-forwarder
  pattern: '(?i)(akeyless|aky)\s+delete-event-forwarder\b'
  severity: warn
  message: "Akeyless delete-event-forwarder — removes audit/event forwarding"
  category: akeyless
  test_block: "akeyless delete-event-forwarder --name my-forwarder"
  test_allow: "akeyless list-items --path /"

# ── Delete: KMIP ───────────────────────────────────────────────
- name: akeyless-kmip-delete-client
  pattern: '(?i)(akeyless|aky)\s+kmip-delete-client\b'
  severity: block
  message: "Akeyless kmip-delete-client — removes KMIP client"
  category: akeyless
  test_block: "akeyless kmip-delete-client --client-id my-client"
  test_allow: "akeyless list-items --path /"

- name: akeyless-kmip-delete-server
  pattern: '(?i)(akeyless|aky)\s+kmip-delete-server\b'
  severity: block
  message: "Akeyless kmip-delete-server — removes KMIP server"
  category: akeyless
  test_block: "akeyless kmip-delete-server --name my-server"
  test_allow: "akeyless list-items --path /"

# ── Delete: Other ──────────────────────────────────────────────
- name: akeyless-esm-delete
  pattern: '(?i)(akeyless|aky)\s+esm-delete\b'
  severity: block
  message: "Akeyless esm-delete — removes external secrets manager sync"
  category: akeyless
  test_block: "akeyless esm-delete --name my-esm"
  test_allow: "akeyless list-items --path /"

- name: akeyless-usc-delete
  pattern: '(?i)(akeyless|aky)\s+usc-delete\b'
  severity: block
  message: "Akeyless usc-delete — removes universal secrets connector"
  category: akeyless
  test_block: "akeyless usc-delete --name my-usc"
  test_allow: "akeyless list-items --path /"

# Filed under "Other" because of its -delete suffix, but per its message this
# revokes temporary credentials — it belongs with the Revoke rules below.
- name: akeyless-dynamic-secret-tmp-creds-delete
  pattern: '(?i)(akeyless|aky)\s+dynamic-secret-tmp-creds-delete\b'
  severity: warn
  message: "Akeyless dynamic-secret-tmp-creds-delete — revokes temporary credentials"
  category: akeyless
  test_block: "akeyless dynamic-secret-tmp-creds-delete --name /my/producer --tmp-creds-id abc123"
  test_allow: "akeyless list-items --path /"

# ── Revoke Operations ──────────────────────────────────────────
# Revocations of issued credentials, certificates and tokens; the two that act
# on long-lived material (creds, certificates) are block, the two that act on
# temporary users/tokens are warn.
- name: akeyless-revoke-creds
  pattern: '(?i)(akeyless|aky)\s+revoke-creds\b'
  severity: block
  message: "Akeyless revoke-creds — revokes dynamic secret credentials"
  category: akeyless
  test_block: "akeyless revoke-creds --name /my/producer"
  test_allow: "akeyless list-items --path /"

- name: akeyless-revoke-certificate
  pattern: '(?i)(akeyless|aky)\s+revoke-certificate\b'
  severity: block
  message: "Akeyless revoke-certificate — revokes PKI certificate"
  category: akeyless
  test_block: "akeyless revoke-certificate --name /my/cert --serial 12345"
  test_allow: "akeyless list-items --path /"

- name: akeyless-gateway-revoke-tmp-users
  pattern: '(?i)(akeyless|aky)\s+gateway-revoke-tmp-users\b'
  severity: warn
  message: "Akeyless gateway-revoke-tmp-users — revokes temporary gateway users"
  category: akeyless
  test_block: "akeyless gateway-revoke-tmp-users --name my-producer"
  test_allow: "akeyless list-items --path /"

- name: akeyless-uid-revoke-token
  pattern: '(?i)(akeyless|aky)\s+uid-revoke-token\b'
  severity: warn
  message: "Akeyless uid-revoke-token — revokes authentication token"
  category: akeyless
  test_block: "akeyless uid-revoke-token --revoke-token t-abc123"
  test_allow: "akeyless list-items --path /"

# ── Rotate Operations ──────────────────────────────────────────
# Both rotations are warn rather than block — presumably because rotation
# replaces material instead of deleting it, although the messages note the
# old key version is retired / rotation is forced immediately.
- name: akeyless-rotate-key
  pattern: '(?i)(akeyless|aky)\s+rotate-key\b'
  severity: warn
  message: "Akeyless rotate-key — rotates encryption key (old key version retired)"
  category: akeyless
  test_block: "akeyless rotate-key --name /my/key"
  test_allow: "akeyless list-items --path /"

- name: akeyless-rotate-secret
  pattern: '(?i)(akeyless|aky)\s+rotate-secret\b'
  severity: warn
  message: "Akeyless rotate-secret — forces immediate secret rotation"
  category: akeyless
  test_block: "akeyless rotate-secret --name /my/rotated-secret"
  test_allow: "akeyless list-items --path /"

# ── Reset Operations ───────────────────────────────────────────
# block: per the message the previous access key is invalidated, so anything
# still authenticating with it loses access.
- name: akeyless-reset-access-key
  pattern: '(?i)(akeyless|aky)\s+reset-access-key\b'
  severity: block
  message: "Akeyless reset-access-key — resets API access key (old key invalidated)"
  category: akeyless
  test_block: "akeyless reset-access-key --access-id p-abc123"
  test_allow: "akeyless list-items --path /"