From agentops
Hard-blocks edits outside declared frozen directories to protect paths during risky changes. Use when you need to prevent accidental writes outside a safe zone.
How this skill is triggered — by the user, by Claude, or both
Slash command
/agentops:scope
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
> **Purpose:** Declare which directories are in scope for the current work session. Edits outside the declared scope are hard-blocked by a PreToolUse hook.
YOU MUST EXECUTE THIS WORKFLOW. Do not just describe it.
/scope freeze cli/cmd/ao/ # Freeze a single directory
/scope freeze cli/cmd/ao/ skills/scope/ # Freeze multiple (additive)
/scope unfreeze cli/cmd/ao/ # Remove one frozen directory
/scope unfreeze # Clear ALL frozen directories
/scope status # Show current lock state
/scope status --json # JSON output
When .agents/scope.lock declares one or more frozen_dirs:
- Any Edit, Write, or Bash tool call whose target path is outside every frozen directory is rejected by hooks/edit-scope-guard.sh with a structured stderr reason and a non-zero exit code (Claude Code converts that into a tool-use refusal).
- When frozen_dirs is empty, the hook short-circuits with exit 0 (no enforcement; allow everything).
The lock file is written via cli/internal/llmwiki/scope_guard.go:SafeAtomicWrite, so concurrent freeze / unfreeze calls converge atomically (last writer wins, never tears).
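
The scope decision described above, sketched in Go as an added example (not the project's edit-scope-guard.sh or scope_guard.go code). The helper name Allowed, the sample lock values, and the fail-closed handling of an unreadable lock are assumptions; matching is on whole path components after normalization, so a sibling directory that shares a prefix, or a ../ climb out of a frozen directory, does not count as in scope.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// scopeLock mirrors the key fields the page lists for .agents/scope.lock.
type scopeLock struct {
	SchemaVersion int      `json:"schema_version"`
	FrozenDirs    []string `json:"frozen_dirs"`
	AcquiredAt    string   `json:"acquired_at"`
	AcquiredBy    string   `json:"acquired_by"`
}

// Allowed reports whether a repo-relative target may be written under the lock.
// Hypothetical helper for illustration; not the project's hook logic.
func Allowed(lockJSON []byte, target string) (bool, string) {
	var l scopeLock
	if err := json.Unmarshal(lockJSON, &l); err != nil {
		return false, "unreadable lock: " + err.Error() // fail closed (assumption)
	}
	if len(l.FrozenDirs) == 0 {
		return true, "frozen_dirs is empty: no enforcement"
	}
	t := path.Clean(target) // resolves "a/../b" before any prefix comparison
	if path.IsAbs(t) || t == ".." || strings.HasPrefix(t, "../") {
		return false, "target escapes the repository: " + target
	}
	for _, d := range l.FrozenDirs {
		d = path.Clean(d) // drops the optional trailing slash
		if t == d || strings.HasPrefix(t, d+"/") { // whole-component match only
			return true, "inside " + d
		}
	}
	return false, target + " is outside every frozen directory"
}

// Constructed sample lock, using the directories from the page's freeze example.
const sampleLock = `{"schema_version":1,"frozen_dirs":["cli/cmd/ao/","cli/internal/scope"],
 "acquired_at":"2025-01-01T00:00:00Z","acquired_by":"session-example"}`

func main() {
	for _, p := range []string{"cli/cmd/ao/scope.go", "skills/foo/SKILL.md",
		"cli/cmd/ao-extra/x.go", "cli/cmd/ao/../../../skills/foo/SKILL.md"} {
		ok, why := Allowed([]byte(sampleLock), p)
		fmt.Printf("%-42s allowed=%v (%s)\n", p, ok, why)
	}
}
```
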
/scope freeze <dir>...
Append one or more directories to the frozen set. Idempotent; re-freezing an already-frozen directory is a no-op. Updates acquired_at (ISO-8601) and acquired_by (session id or PID) on every write.
/scope unfreeze [<dir>]
Without arguments, clears the entire frozen set. With one or more directory arguments, removes just those entries. Removing a directory that is not frozen is a no-op.
/scope status [--json]
Print the current lock state. With --json, emit a single JSON object matching the schema in references/lock-file-format.md. Without flags, print a human-readable summary including each frozen directory, the acquisition timestamp, and the acquiring session.
/scope guard (future combo skill)
Reserved for a follow-up skill that combines freeze + status + spawn-orchestration. Not implemented in this release; documented here for forward reference.
.agents/scope.lock is a single JSON object. Full schema lives in references/lock-file-format.md. Key fields:
- schema_version — currently 1
- frozen_dirs — list of repo-relative directory prefixes (trailing slash optional)
- acquired_at — ISO-8601 UTC timestamp
- acquired_by — string identifying the writer (session id, PID, or label)
User says: /scope freeze cli/cmd/ao/ cli/internal/scope/
What happens:
1. ao scope freeze cli/cmd/ao/ cli/internal/scope/ writes .agents/scope.lock via SafeAtomicWrite.
2. hooks/edit-scope-guard.sh (registered as PreToolUse on Edit|Write|Bash) consults the lock on every subsequent tool call.
3. A Write to skills/foo/SKILL.md is rejected; a worker editing cli/cmd/ao/scope.go proceeds.
User says: /scope unfreeze
What happens:
1. ao scope unfreeze rewrites .agents/scope.lock with frozen_dirs: [].
.agents/scope.lock path. Wave 2 (issue I5) migrates the path through lib/ao-paths.sh.
rm -rf, git reset --hard, DROP DATABASE, kubectl delete, terraform destroy) — including allowlist layering, one-shot override codes, and PreToolUse wiring — see references/destructive-command-guard-patterns.md. Wire it alongside the scope guard when a wave touches infrastructure or shared data.
cc-hooks.
npx claudepluginhub boshu2/agentops --plugin agentops
Restricts Edit/Write/MultiEdit to one directory for the session, blocking edits outside it. Useful for debugging or fencing parallel agents.
Restricts Edit and Write operations to a specific directory for the session. Blocks edits outside the allowed path. Useful when debugging to prevent accidentally modifying unrelated code.
Prevents destructive operations on production systems and autonomous agents by intercepting dangerous commands, restricting edits to a directory, or combining both protections.