From agentops
Hard-blocks edits outside declared frozen directories using PreToolUse hook. Manage with /scope freeze/unfreeze/status for session scope control.
npx claudepluginhub boshu2/agentops --plugin agentopsThis skill uses the workspace's default tool permissions.
> **Purpose:** Declare which directories are in scope for the current work session. Edits outside the declared scope are hard-blocked by a PreToolUse hook.
Blocks destructive commands like rm -rf, git --force, DROP TABLE, docker prune, and restricts file edits to specified directories. Use on production systems and with autonomous agents.
Blocks destructive commands like rm -rf, git --force-push, kubectl delete; restricts edits to specified directories for production systems or autonomous agents.
Prevents destructive ops in Claude Code via /safe-mode: cautious warns on rm -rf/SQL drops/git force-push; lockdown restricts edits to one dir; clear resets.
Share bugs, ideas, or general feedback.
Purpose: Declare which directories are in scope for the current work session. Edits outside the declared scope are hard-blocked by a PreToolUse hook.
YOU MUST EXECUTE THIS WORKFLOW. Do not just describe it.
/scope freeze cli/cmd/ao/ # Freeze a single directory
/scope freeze cli/cmd/ao/ skills/scope/ # Freeze multiple (additive)
/scope unfreeze cli/cmd/ao/ # Remove one frozen directory
/scope unfreeze # Clear ALL frozen directories
/scope status # Show current lock state
/scope status --json # JSON output
When .agents/scope.lock declares one or more frozen_dirs:
Edit, Write, or Bash tool call whose target path is outside every frozen directory is rejected by hooks/edit-scope-guard.sh with a structured stderr reason and a non-zero exit code (Claude Code converts that into a tool-use refusal).frozen_dirs is empty, the hook short-circuits with exit 0 (no enforcement; allow everything).The lock file is written via cli/internal/llmwiki/scope_guard.go:SafeAtomicWrite, so concurrent freeze / unfreeze calls converge atomically (last writer wins, never tears).
/scope freeze <dir>...Append one or more directories to the frozen set. Idempotent; re-freezing an already-frozen directory is a no-op. Updates acquired_at (ISO-8601) and acquired_by (session id or PID) on every write.
/scope unfreeze [<dir>]Without arguments, clears the entire frozen set. With one or more directory arguments, removes just those entries. Removing a directory that is not frozen is a no-op.
/scope status [--json]Print the current lock state. With --json, emit a single JSON object matching the schema in references/lock-file-format.md. Without flags, print a human-readable summary including each frozen directory, the acquisition timestamp, and the acquiring session.
/scope guard (future combo skill)Reserved for a follow-up skill that combines freeze + status + spawn-orchestration. Not implemented in this release; documented here for forward reference.
.agents/scope.lock is a single JSON object. Full schema lives in references/lock-file-format.md. Key fields:
schema_version — currently 1frozen_dirs — list of repo-relative directory prefixes (trailing slash optional)acquired_at — ISO-8601 UTC timestampacquired_by — string identifying the writer (session id, PID, or label)User says: /scope freeze cli/cmd/ao/ cli/internal/scope/
What happens:
ao scope freeze cli/cmd/ao/ cli/internal/scope/ writes .agents/scope.lock via SafeAtomicWrite.hooks/edit-scope-guard.sh (registered as PreToolUse on Edit|Write|Bash) consults the lock on every subsequent tool call.Write to skills/foo/SKILL.md is rejected; a worker editing cli/cmd/ao/scope.go proceeds.User says: /scope unfreeze
What happens:
ao scope unfreeze rewrites .agents/scope.lock with frozen_dirs: []..agents/scope.lock path. Wave 2 (issue I5) migrates the path through lib/ao-paths.sh.agentopsd (cron-cadence) compose; this skill is purely session-boundary.rm -rf, git reset --hard, DROP DATABASE, kubectl delete, terraform destroy) — including allowlist layering, one-shot override codes, and PreToolUse wiring — see references/destructive-command-guard-patterns.md. Wire it alongside the scope guard when a wave touches infrastructure or shared data.