feat: Add A2Z non-negotiable contract rules to CLAUDE.md #89

Open
Gavri19H wants to merge 1 commit into snarktank:main from Gavri19H:feat/a2z-contract-guardrails

Gavri19H commented Feb 7, 2026

Summary

  • Add comprehensive A2Z non-negotiable contract guardrails to CLAUDE.md covering autonomy/approval rules, isolation requirements, database safety, security/secrets, quality bars, OpenSpec execution contract, and WordPress MCP limitations.
  • These rules ensure the agent prevents destructive operations, enforces resource tagging (a2z-* naming), requires explicit approval for costly/irreversible actions, and validates changes through OpenSpec before implementation.

Test plan

  • Verify CLAUDE.md renders correctly on GitHub
  • Confirm agent reads and respects the new guardrails in a test mission
  • Validate that existing CLAUDE.md content (Ralph Agent Instructions) is preserved below the new section

Add autonomy, isolation, database safety, security, quality, and
execution contract guardrails that the agent must follow for every
mission. These rules prevent destructive operations, enforce resource
tagging, and require OpenSpec validation before implementation.

Co-Authored-By: Claude <noreply@anthropic.com>

greptile-apps bot commented Feb 7, 2026

Greptile Overview

Greptile Summary

Added 69 lines of "A2Z Contract" guardrails to the top of CLAUDE.md, covering autonomy/approval rules, isolation requirements, database safety, security/secrets, quality bars, OpenSpec execution contract, and WordPress MCP limitations.

Critical issues found:

  • Circular reference on line 66: instructs agent to read CLAUDE.md (repo root) but this IS that file
  • References non-existent openspec/ directory and files (openspec/project.md, openspec/changes/<change-id>/proposal.md, etc.)
  • A2Z Contract rules focus on AWS resources, cloud infrastructure, and mission-based isolation which may not align with Ralph's purpose as a local autonomous coding loop

The existing "Ralph Agent Instructions" section (lines 70-174) is preserved correctly below the new section. While the guardrails contain valuable safety principles, the implementation issues will cause the agent to fail when trying to follow these instructions.

Confidence Score: 2/5

  • This PR contains logical errors that will break agent functionality when executed
  • Two critical logical errors exist: a circular reference instructing the agent to read the file it's already reading, and references to non-existent openspec files. These will cause runtime failures when the agent attempts to follow the instructions. Additionally, the context mismatch between A2Z mission-based rules and Ralph's local coding purpose needs verification.
  • CLAUDE.md requires attention - fix circular reference on line 66 and resolve missing openspec directory references

Important Files Changed

| Filename | Overview |
|----------|----------|
| CLAUDE.md | Added A2Z contract guardrails at top of file. Contains circular reference and references to non-existent openspec directory. Context mismatch with Ralph's purpose. |

Sequence Diagram

sequenceDiagram
    participant PR as PR Author
    participant Repo as Repository
    participant Ralph as Ralph Agent
    participant Claude as Claude Code Instance
    
    PR->>Repo: Add A2Z Contract to CLAUDE.md
    Note over Repo: New section prepended to file
    
    Ralph->>Repo: Spawn new iteration
    Ralph->>Claude: Launch fresh instance
    Claude->>Repo: Read CLAUDE.md
    
    alt Circular Reference Issue
        Claude->>Claude: Reads "You MUST also read: CLAUDE.md (repo root)"
        Note over Claude: Already reading this file - circular reference
    end
    
    alt Missing OpenSpec Files
        Claude->>Repo: Try to read openspec/project.md
        Repo-->>Claude: File not found
        Note over Claude: Referenced files don't exist
    end
    
    alt Context Evaluation
        Claude->>Claude: Process A2Z Contract rules
        Note over Claude: AWS/cloud/mission rules may not align<br/>with Ralph's local coding purpose
    end
    
    Claude->>Repo: Continue with Ralph Agent Instructions
    Note over Claude: Proceed with actual task execution
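
A pre-merge check for the two reference problems listed in the overview above, as an added example that is not part of the PR or of Greptile's review. `lint_references`, `demo` and the temporary repository are constructed here; the check assumes references are repo-relative `.md` paths and treats `<placeholder>` components as wildcards.

```python
import re
import tempfile
from pathlib import Path

# Candidate references: repo-relative Markdown paths, optionally containing
# <placeholder> components such as openspec/changes/<change-id>/tasks.md.
REF_RE = re.compile(r"[\w.<>/-]+\.md\b")

# Lines quoted on this page from the proposed CLAUDE.md section.
SAMPLE = """\
- `openspec/changes/<change-id>/proposal.md`
- `openspec/changes/<change-id>/tasks.md`
You MUST also read:
- openspec/project.md
- CLAUDE.md (repo root)
and follow all constraints within.
"""

def lint_references(text, file_name, repo_root):
    """Return (line_no, reference, problem) for each unresolvable reference."""
    root = Path(repo_root)
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for ref in REF_RE.findall(line):
            if ref == file_name:
                findings.append((line_no, ref, "self-reference"))
                continue
            # Keep only the literal components before the first placeholder.
            parts = ref.split("/")
            literal = []
            for part in parts:
                if "<" in part:
                    break
                literal.append(part)
            if not root.joinpath(*literal).exists():
                kind = "directory" if len(literal) < len(parts) else "file"
                findings.append((line_no, ref, f"missing {kind}"))
    return findings

def demo():
    """Lint SAMPLE against a constructed repository that holds only CLAUDE.md."""
    with tempfile.TemporaryDirectory() as repo:
        Path(repo, "CLAUDE.md").write_text(SAMPLE)
        return lint_references(SAMPLE, "CLAUDE.md", repo)

if __name__ == "__main__":
    for line_no, ref, problem in demo():
        print(f"CLAUDE.md:{line_no}: {ref}: {problem}")
```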

greptile-apps bot left a comment

1 file reviewed, 3 comments

Comment on lines +65 to +68
You MUST also read:
- openspec/project.md
- CLAUDE.md (repo root)
and follow all constraints within.
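
Review bot: "follow all constraints within" on the last line gives `openspec/project.md` the same authority as this file without saying which wins on a conflict, so anyone who can edit that file can change what the agent treats as mandatory. State that the Non-Negotiables in this file take precedence, and that a referenced file may add constraints but never relax them.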

circular reference - instructs to read CLAUDE.md (repo root) but this IS the CLAUDE.md file at repo root

Suggested change
You MUST also read:
- openspec/project.md
- CLAUDE.md (repo root)
and follow all constraints within.
You MUST also read:
- openspec/project.md
and follow all constraints within.
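
Review bot: The replacement text still tells the agent to read `openspec/project.md`, which the review comment on lines +53 to +59 reports does not exist in this repository. Either add that file in the same PR or drop the whole "You MUST also read" block until it exists.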

Comment on lines +53 to +59
## Execution contract (OpenSpec)
- No implementation begins until an OpenSpec change exists and is validated:
- `openspec/changes/<change-id>/proposal.md`
- `openspec/changes/<change-id>/tasks.md`
- Implementation must map to `tasks.md` items.
- A change is not “done” until it is archived and specs represent the new truth:
- `openspec archive <change-id> --yes`
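
Review bot: The first bullet requires that an OpenSpec change "exists and is validated", but the lines that follow name only two files that must exist, not the check that makes them validated or who performs it. Name the validation step (a command or a reviewer sign-off) so the gate is testable, and since the archive command is given with `--yes`, say whether archiving is an action that needs user approval.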

references openspec/ directory and files that don't exist in this repository - will cause confusion when agent tries to follow these instructions

Comment on lines +1 to +23
# Non-Negotiables (A2Z Contract)

## Autonomy and approval
- The agent operates autonomously during planning, development, and testing.
- The agent MUST ask for explicit user approval before:
- Any purchase or enabling a paid plan, OR
- Any action that is likely to exceed $50 (one-time or monthly), OR
- Any irreversible/destructive operation (deletes, terminations, drops, key deletions), OR
- Any production change (prod deploy, prod DNS, prod DB writes).
- If cost is uncertain, assume it may exceed $50 and ask first.

## Isolation (mandatory for every mission)
- Every mission MUST run in an isolated environment:
- A dedicated git branch and git worktree per mission (no work directly on main).
- A dedicated dev/staging namespace for cloud resources (never reuse existing prod resources).
- A dedicated data plane for new data (new DB preferred).
- Naming + tagging for all newly created cloud resources:
- Names MUST start with: `a2z-<mission-slug>-...`
- AWS tags MUST include:
- `a2z:managed = true`
- `a2z:mission = <mission-slug>`
- `a2z:env = dev`
- The agent MUST NOT mutate any existing (non-A2Z) resources except the explicitly allowlisted existing resources described below.
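
Review bot: In the Isolation section the required tag `a2z:env = dev` conflicts with the bullet above it that allows a "dev/staging namespace", so a staging resource cannot carry a truthful env tag. List the allowed values or drop staging from the namespace bullet. The last line's ban on mutating non-A2Z resources is also only an instruction to the agent; since the tags are already defined here, require that the agent's AWS credentials be scoped by policy to resources tagged `a2z:managed = true`, so the rule holds even when the instruction is not followed.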

check that these A2Z contract rules (AWS resources, cloud infrastructure, mission-based isolation) align with Ralph's purpose as a local autonomous coding agent

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!
