name: cm-guardian-runtime
description: "Use when you need to check if a destructive command is blocked or run guardian freeze checks."
cm-guardian-runtime — destructive command & freeze checks
Commands
cm guardian check -- git push --force origin main # exits 1 if blocked
cm guardian path-check --file ./src/app.ts --roots src,lib
Behaviour
- Regex set for rm -rf, DROP TABLE, git push --force, git reset --hard, pipes to shell, etc.
- Prefix whitelist includes npm run build, npm test, npx vitest.
- Violations append to .cm/guardian.log.
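An added sketch of how a deny-regex set and a prefix whitelist like the ones listed above can be combined; it is not cm's own implementation. The patterns, the function names, the log-line format and the choice to check each chained segment separately (so a whitelisted prefix cannot cover a destructive command chained after it) are assumptions.

```javascript
// Added illustration only: patterns and names are assumptions, not cm's source.
const DENY = [
  { rule: "rm -rf", re: /\brm\s+-[a-zA-Z]*([rR][a-zA-Z]*f|f[a-zA-Z]*[rR])/ },
  { rule: "DROP TABLE", re: /\bdrop\s+table\b/i },
  { rule: "git push --force", re: /\bgit\s+push\b.*(--force\b|\s-f\b)/ },
  { rule: "git reset --hard", re: /\bgit\s+reset\b.*--hard\b/ },
  { rule: "pipe to shell", re: /\|\s*(sudo\s+)?(ba|z|da)?sh\b/ },
];
const ALLOW_PREFIXES = ["npm run build", "npm test", "npx vitest"];

// True when the segment is a whitelisted command, optionally followed by arguments.
function hasAllowedPrefix(segment) {
  return ALLOW_PREFIXES.some((p) => segment === p || segment.startsWith(p + " "));
}

// Returns { blocked: false } or { blocked: true, rule, segment }.
function checkCommand(cmd) {
  // Split on &&, ||, ; and newlines so every chained command is judged on its own.
  // A single | is kept inside the segment so "pipe to shell" can still match.
  // (Naive split: separators inside quotes also split, which only makes it stricter.)
  const segments = cmd.split(/&&|\|\||;|\n/).map((s) => s.trim()).filter(Boolean);
  for (const segment of segments) {
    // The whitelist is trusted only when the segment has no pipe or command substitution.
    const plain = !/[|`]|\$\(/.test(segment);
    if (hasAllowedPrefix(segment) && plain) continue;
    const hit = DENY.find((d) => d.re.test(segment));
    if (hit) return { blocked: true, rule: hit.rule, segment };
  }
  return { blocked: false };
}

// One JSON line per violation, suitable for appending to a log file (assumed format).
function logLine(cmd, result, ts) {
  return JSON.stringify({ ts, rule: result.rule, segment: result.segment, cmd });
}

// Constructed sample inputs.
for (const cmd of [
  "git push --force origin main",
  "npm test -- -t 'rm -rf cleanup'",
  "npm test && rm -rf build",
  "npx vitest run | sh",
]) {
  const r = checkCommand(cmd);
  console.log(r.blocked ? "BLOCK" : "allow", "|", cmd, r.blocked ? `(${r.rule})` : "");
}
```

The second sample shows why a prefix whitelist exists at all (a test name containing "rm -rf" is not a deletion), and the third and fourth show the two ways a prefix match alone would be too permissive.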
Investigate / debug mode
When using cm-debugging or doing root-cause work, treat freeze roots as mandatory: only edit inside allowed directories until the hypothesis is proven.
Config
See .cm/config.example.yaml → guardian:. Hook patterns (Cursor / Codex): docs/workflows/guardian-hooks.md (repo root).