nucleus_governance
Enforce file integrity and security posture by locking files against modification, switching security modes, and running automated verification and fix cycles.
Instructions
Enforce file integrity, security posture, and automated verification loops for the Nucleus Agent OS. Use this tool when you need to lock files against modification, switch security modes, or run auto-fix cycles. Do NOT use it for task management (use nucleus_tasks), session state (use nucleus_sessions), or memory storage (use nucleus_engrams).

Actions:
- 'lock' sets an immutable flag on a file, preventing modification.
- 'unlock' removes that flag (destructive: re-enables writes).
- 'set_mode' switches between 'red' (restricted, blocks dangerous ops) and 'blue' (permissive) security modes.
- 'auto_fix_loop' runs a verify-diagnose-fix-retry cycle: it executes your verification_command; if the command fails, it attempts to fix the file and retries until the command passes or max retries is exceeded.
- 'delete_file' permanently removes a file (destructive, irreversible).
- 'watch' monitors a file path and returns the changes detected within the duration window.
- 'curl' proxies HTTP requests through Nucleus egress controls.
- 'pip_install' installs Python packages with governance audit logging.
- 'status' returns the current security mode and lock state.
- 'list_directory' returns directory contents.

Side effects: lock/unlock modify filesystem extended attributes; delete_file removes data permanently. 'unlock', 'delete_file' and 'set_mode' to 'blue' each weaken the current posture (re-enabling writes, destroying data, or lifting the restrictions 'red' mode imposes), so confirm the intent before issuing them. verification_command is executed as a shell command, so it must come from trusted input, not from file contents or untrusted model output. Prerequisites: the .brain directory must exist. Returns JSON with {success: boolean, data: object}. Example: {action: 'auto_fix_loop', params: {file_path: 'src/app.py', verification_command: 'python -m py_compile src/app.py'}} returns {success: true, data: {iterations: 2, fixed: true}}.
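The verify-diagnose-fix-retry cycle described for 'auto_fix_loop', as an added reference implementation that is not Nucleus project code. It returns the same {iterations, fixed} shape as the page's example. The fixer strategy (removing git conflict markers, a common reason py_compile fails), the max_retries default of 3, the 60 s timeout per verification run, and running the command without a shell are all this example's own choices, not documented Nucleus behaviour.

```python
"""Reference verify-diagnose-fix-retry loop (added example, not Nucleus code)."""
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Callable

# A fixer inspects the file plus the verifier's stderr, rewrites the file if it
# knows how, and reports whether it changed anything.
Fixer = Callable[[Path, str], bool]


def run_verification(command: str) -> tuple[int, str]:
    # The page calls verification_command a shell command. This example tokenises
    # it with shlex and runs it without a shell, so metacharacters in an
    # agent-supplied string cannot chain extra commands (pipes and redirections
    # are therefore unsupported here). 60 s timeout is an assumption.
    proc = subprocess.run(shlex.split(command), capture_output=True, text=True, timeout=60)
    return proc.returncode, proc.stderr


def auto_fix_loop(file_path: str, verification_command: str, fixer: Fixer,
                  max_retries: int = 3) -> dict:
    path = Path(file_path)
    iterations = 0
    while True:
        iterations += 1  # one verification run per iteration
        rc, stderr = run_verification(verification_command)
        if rc == 0:
            return {"iterations": iterations, "fixed": True}
        # diagnose + fix; stop when retries are exhausted or the fixer gives up
        if iterations > max_retries or not fixer(path, stderr):
            return {"iterations": iterations, "fixed": False, "last_error": stderr.strip()}


def resolve_conflict_markers(path: Path, stderr: str) -> bool:
    """Diagnose: act only on a SyntaxError. Fix: keep the 'ours' side of each
    git conflict block and drop the markers. Returns True if the file changed."""
    if "SyntaxError" not in stderr:
        return False
    kept, in_block, keep, changed = [], False, True, False
    for line in path.read_text().splitlines(keepends=True):
        if line.startswith("<<<<<<< "):
            in_block, keep, changed = True, True, True
        elif in_block and line.startswith("======="):
            keep = False
        elif in_block and line.startswith(">>>>>>> "):
            in_block, keep = False, True
        elif keep:
            kept.append(line)
    if changed:
        path.write_text("".join(kept))
    return changed


# Constructed sample: a file left with conflict markers, so py_compile fails.
CONFLICTED = (
    "def greet(name):\n"
    "<<<<<<< HEAD\n"
    '    return f"hello {name}"\n'
    "=======\n"
    '    return "hi " + name\n'
    ">>>>>>> feature\n"
)
# Constructed sample the fixer cannot repair: a plain syntax error.
BROKEN = "def broken(:\n    pass\n"


def demo(source: str = CONFLICTED) -> dict:
    """Write the sample to a temp dir and run the loop against py_compile."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "app.py"
        target.write_text(source)
        cmd = f"{shlex.quote(sys.executable)} -m py_compile {shlex.quote(str(target))}"
        return auto_fix_loop(str(target), cmd, resolve_conflict_markers)


if __name__ == "__main__":
    print(demo())        # {'iterations': 2, 'fixed': True}
    print(demo(BROKEN))  # fixed False after one iteration; last_error holds the SyntaxError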
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| action | Yes | Select the governance action to execute. 'auto_fix_loop' runs automated verification and repair. 'lock'/'unlock' control file immutability. 'set_mode' changes security posture between 'red' (restricted) and 'blue' (permissive). 'delete_file' is destructive and irreversible. 'status'/'list_directory' are read-only. 'curl' proxies external HTTP requests through egress controls. 'pip_install' installs packages with audit logging. | |
| params | No | Action-specific parameters as key-value pairs; the keys each action accepts are listed below. | |

Parameters by action:
- auto_fix_loop: file_path (string, required, path to verify); verification_command (string, required, shell command that returns exit code 0 on success).
- lock: path (string, required, file or directory to make immutable).
- unlock: path (string, required, file or directory to make writable again).
- set_mode: mode (string, required, 'red' or 'blue').
- list_directory: path (string, optional, defaults to the .brain root).
- delete_file: path (string, required; DESTRUCTIVE, permanently removes the file).
- watch: path (string, required, file or directory to monitor); duration (integer, optional, seconds to watch, default 30).
- curl: url (string, required); method (string, optional, 'GET'|'POST'|'PUT'|'DELETE', default 'GET'); headers (object, optional); body (string, optional).
- pip_install: package (string, required, PyPI package name).
- status: no parameters needed.
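A client-side pre-flight check for calls against this schema, added here as an example and not part of Nucleus. It validates the required and optional params per action and gates the posture-weakening actions before a call reaches the tool. The set of operations 'red' mode refuses, the rule that paths stay workspace-relative, and the needs_ack flag are this example's own assumptions; the page only says 'red' blocks dangerous ops.

```python
"""Pre-flight validation and policy gate for nucleus_governance calls
(added example, not Nucleus project code)."""
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# (required, optional) parameter names per action, from the input schema.
SCHEMA = {
    "auto_fix_loop": ({"file_path", "verification_command"}, set()),
    "lock": ({"path"}, set()),
    "unlock": ({"path"}, set()),
    "set_mode": ({"mode"}, set()),
    "list_directory": (set(), {"path"}),
    "delete_file": ({"path"}, set()),
    "watch": ({"path"}, {"duration"}),
    "curl": ({"url"}, {"method", "headers", "body"}),
    "pip_install": ({"package"}, set()),
    "status": (set(), set()),
}
# Actions the page marks destructive: they re-enable writes or remove data.
DESTRUCTIVE = {"unlock", "delete_file"}
# Assumption: the "dangerous ops" that 'red' mode blocks. pip_install and curl
# reach outside the workspace (PyPI, arbitrary URLs), so they are included.
RED_BLOCKED = DESTRUCTIVE | {"pip_install", "curl"}
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE"}


@dataclass
class Verdict:
    ok: bool                 # the call may be sent
    needs_ack: bool = False  # ok, but weakens posture: confirm intent first
    reasons: list = field(default_factory=list)


def _path_in_workspace(p: str) -> bool:
    # Assumption: paths are workspace-relative; reject absolute paths and '..'.
    pp = PurePosixPath(p)
    return not pp.is_absolute() and ".." not in pp.parts


def check_call(call: dict, current_mode: str) -> Verdict:
    action = call.get("action")
    params = call.get("params") or {}
    if action not in SCHEMA:
        return Verdict(False, reasons=[f"unknown action {action!r}"])
    required, optional = SCHEMA[action]
    keys = set(params)
    reasons = []
    if keys < required or not required <= keys:
        reasons.append(f"missing params: {sorted(required - keys)}")
    if keys - required - optional:
        reasons.append(f"unexpected params: {sorted(keys - required - optional)}")
    for key in ("path", "file_path"):
        if key in params and not _path_in_workspace(str(params[key])):
            reasons.append(f"{key} escapes the workspace: {params[key]!r}")
    if action == "set_mode" and params.get("mode") not in ("red", "blue"):
        reasons.append("mode must be 'red' or 'blue'")
    if action == "curl" and params.get("method", "GET") not in HTTP_METHODS:
        reasons.append(f"unsupported method {params.get('method')!r}")
    if action == "watch":
        d = params.get("duration", 30)
        if not isinstance(d, int) or isinstance(d, bool) or d <= 0:
            reasons.append("duration must be a positive integer (seconds)")
    if current_mode == "red" and action in RED_BLOCKED:
        reasons.append(f"{action} is blocked while mode is 'red'")
    if reasons:
        return Verdict(False, reasons=reasons)
    # Valid call; flag the ones that loosen controls so a human can confirm.
    weakens = action in DESTRUCTIVE or (action == "set_mode" and params["mode"] == "blue")
    return Verdict(True, needs_ack=weakens, reasons=["weakens posture"] if weakens else [])
```

The check is meant to sit in the agent harness, in front of the tool call: a failed Verdict is dropped and logged, and a needs_ack Verdict is held until an operator confirms, which keeps a single hallucinated or injected 'unlock' or 'delete_file' from reaching the filesystem.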