watchdog-approvals
npx skills add https://github.com/lemonhall/lemonhalll_dot_agent --skill watchdog-approvals
Skill documentation
Watchdog Skill (Watchdog Approvals)
Overview
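Persist "safe behaviors the user has already explicitly approved" into Codex's approval configuration, so that the next run of the same kind of action does not prompt for confirmation again, while avoiding widening permissions to an uncontrollable scope.
Core idea: persist only actions that are "definitely safe and high-frequency", and use a minimal allowlist (rollback-able, auditable).
What counts as "approved"?
Only this: in the current session, the user has explicitly said, for a class of operations, "OK / authorize all of these / don't ask again / add to the allowlist".
Not included:
- High-risk actions without the user's explicit authorization (deletion, running unknown binaries, accessing sensitive directories, etc.)
- One-off temporary actions (unless the user asks to persist them)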
Where Codex stores approvals (this environment)
Two places usually need to be looked at together:
- Project trust level
  - File: ~/.codex/config.toml
  - Key: [projects."<path>"] trust_level = "trusted" | "untrusted"
- Command allow rules (command allowlist)
  - File: ~/.codex/rules/default.rules
  - Format: prefix_rule(pattern=[...], decision="allow")
  - Meaning: when a command's argv starts with pattern, the command is allowed directly
Note: this is security-boundary configuration on the user's machine. Every write must be explainable, revocable, and minimizable.
Collaboration Rules (Security Discipline)
Before writing approval configuration, you must:
- Propose first, write to disk afterwards
  - List the "candidate allow items" (each with: purpose, risk, scope)
  - Have the user confirm item by item (YES/NO)
- Minimize authorization
  - Prefer allowlisting fixed scripts inside the repo (e.g. scripts/run_*.sh|ps1); do not directly allowlist /bin/bash -lc <arbitrary command>
  - Do not allowlist dangerous commands that take user-supplied arguments (e.g. rm -rf <path>), unless path is fixed and safe
  - Avoid global paths (e.g. setting /mnt/e/development to trusted would cover too many repos; prefer the repo root)
- Rollback-able
  - Back up before modifying:
    cp ~/.codex/rules/default.rules ~/.codex/rules/default.rules.bak
    cp ~/.codex/config.toml ~/.codex/config.toml.bak
  - Add only a few rules at a time (1-5), and continue only after verification passes
- Verifiable
  - After writing, immediately run an action that "would previously have prompted for approval" and confirm that it now passes silently
- No fabrication
  - Do not guess what the user wants to authorize; derive rules only from behaviors "the user has explicitly approved"
How to extract "already approved actions" (practical workflow)
Step 1 - Build a candidate list during the session
When an approval prompt appears and the user approves it, immediately record a candidate item:
- Action name: e.g. "Run headless Godot tests"
- Exact command argv (or, preferably, steer toward a fixed script first and then allowlist the script)
- Scope: allowed only in this repo? Allowed only for one fixed combination of arguments?
- Why safe: why this is safe / controllable / high-frequency
Step 2 - Normalize to a stable allow pattern
Priority (from safest to most dangerous):
- allowlist: scripts/<fixed entrypoint> (strongly recommended)
- allowlist: low-risk fixed subcommands such as git push / git status
- allowlist: fixed binary + fixed argument prefix (use caution)
- Forbidden: /bin/bash -lc "<anything>" (scope too broad)
Step 3 - Present proposal + get confirmation
Give the user a table to confirm item by item (YES/NO). Example:
| Candidate | Pattern | Why | Risk | Persist? |
|---|---|---|---|---|
| Run tests | ["scripts/run_godot_tests.ps1"] | CI-equivalent | low | YES |
Step 4 - Write config + verify
- Append prefix_rule(...) to ~/.codex/rules/default.rules
- If the repo needs to be trusted: write [projects."<repo-root>"] trust_level="trusted" into ~/.codex/config.toml
- Run a verification command once (it should no longer prompt for approval)
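Checklist (execution checklist)
- List the approval points (commands/behaviors) that came up repeatedly in this session
- For each candidate, write down: purpose / risk / minimal pattern / whether it can be turned into a fixed script
- Have the user answer YES/NO item by item
- Back up:
  cp ~/.codex/rules/default.rules ~/.codex/rules/default.rules.bak
  cp ~/.codex/config.toml ~/.codex/config.toml.bak
- Write in small steps (1-5 rules)
- Immediately verify once with an action that "would previously have prompted for approval"
- If unexpected permission widening or a mismatch occurs: immediately roll back to the .bak files and tighten the pattern again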
Red Flags (stop when you see these)
- "Just set everything to trusted / allow all first, it's easier"
- "Add a wildcard allowlist entry for /bin/bash -lc"
- "Add a rule for rm -rf *"
- "Wrote to disk without having the user confirm item by item"
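A pre-write check for the red flags above, as an added example (not part of the skill or of Codex): it parses candidate prefix_rule lines and reports allow patterns that are too broad to persist. The single-line rule syntax it accepts, the interpreter and destructive-command lists, and the sample rules are assumptions constructed for illustration.

```python
import re

# Assumed lists (not from the skill): prefixes that grant arbitrary execution
# or destructive power no matter which arguments follow them.
INTERPRETERS = {"sh", "bash", "zsh", "dash", "cmd.exe", "powershell", "pwsh",
                "python", "node"}
DESTRUCTIVE = {"rm", "rmdir", "dd", "del"}

# Assumption: each pattern list sits on one line and holds double-quoted strings.
RULE_RE = re.compile(
    r'prefix_rule\(\s*pattern\s*=\s*\[(.*?)\]\s*,\s*decision\s*=\s*"(\w+)"\s*\)')
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_rules(text):
    """Return [(argv_prefix, decision), ...] for every prefix_rule in text."""
    return [(TOKEN_RE.findall(body), decision)
            for body, decision in RULE_RE.findall(text)]

def review(pattern):
    """Return the reasons an argv prefix is too broad to persist ([] if none)."""
    if not pattern:
        return ["empty pattern matches every command"]
    problems = []
    exe = re.split(r"[\\/]+", pattern[0])[-1].lower()  # basename for / or \ paths
    if exe in INTERPRETERS:
        problems.append(f"{exe}: interpreter prefix allows arbitrary commands")
    if exe in DESTRUCTIVE:
        problems.append(f"{exe}: destructive command, arguments are not fixed")
    if any("*" in tok for tok in pattern):
        problems.append("wildcard token in pattern")
    return problems

def audit(text):
    """Map each allow rule's pattern (as a tuple) to its list of findings."""
    return {tuple(p): review(p) for p, d in parse_rules(text) if d == "allow"}

# Constructed sample: the first two follow Step 2, the last two are red flags.
SAMPLE = r'''
prefix_rule(pattern=["scripts/run_godot_tests_linux.sh"], decision="allow")
prefix_rule(pattern=["git", "status"], decision="allow")
prefix_rule(pattern=["/bin/bash", "-lc"], decision="allow")
prefix_rule(pattern=["rm", "-rf", "*"], decision="allow")
'''

if __name__ == "__main__":
    for pattern, findings in audit(SAMPLE).items():
        print("REJECT" if findings else "ok    ", list(pattern), findings)
```

Run it on the proposed rules before the backup-and-append step; any pattern with findings goes back to the user as a narrower proposal rather than into default.rules.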
Example: Safe patterns for this repo (reference)
Prefer allowlisting a fixed script rather than the Godot binary itself:
- Windows: scripts\\run_godot_tests.ps1
- WSL/Linux:
  - First wrap the run in a scripts/run_godot_tests_linux.sh (with GODOT_LINUX_EXE fixed), then allowlist that script
Outcome
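What you ultimately deliver:
- Fewer repeated approval prompts
- A permission boundary that has not been widened (minimal allowlist + rollback-able + verifiable)
- A reproducible collaboration workflow (proposal → item-by-item confirmation → write to disk → verification)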