// Cross-cutting agent safety rules — clickable refs, temp files, sub-agent limits, UX preservation. Auto-loaded as a dependency by other skills.
[HINT] Download the complete skill directory including SKILL.md and all related files
| name | rules |
| description | Cross-cutting agent safety rules — clickable refs, temp files, sub-agent limits, UX preservation. Auto-loaded as a dependency by other skills. |
| compatibility | any |
| metadata | {"version":"0.0.1","subagent_safe":true} |
Cross-cutting rules that apply to all teatree skills. Loaded automatically via requires:.
Use Ctrl+F/grep to jump to a rule. Sections are grouped below by theme; numbering is for navigation only — every rule is binding.
Skill loading & verification
User intent, interruptions, and asking
Permissions, classifier, and authorization
Communication & references
API & shell recipes
Files, agents, and worktrees
Workflow discipline
Adapted from superpowers/using-superpowers.
When a skill might apply — even a 1% chance — invoke it BEFORE responding, exploring, or asking clarifying questions. The UserPromptSubmit hook suggests skills; you must load every suggestion. If the hook doesn't fire, pick the right skill yourself.
Stop rationalizing. These thoughts mean you're skipping a skill:
| Thought | Reality |
|---|---|
| "This is just a simple question" | Questions are tasks. Check for skills. |
| "Let me explore the codebase first" | Skills tell you HOW to explore. Load first. |
| "I need more context first" | Skill check comes BEFORE clarifying questions. |
| "The skill is overkill for this" | Simple tasks become complex. Use it. |
| "I already know how to do this" | Skills evolve. Load the current version. |
| "I'll just do this one thing first" | Load skills BEFORE doing anything. |
Announce at start: State which skill(s) you loaded and why, so the user can verify you're on the right track.
Adapted from superpowers/verification-before-completion.
No completion claims without fresh verification evidence in the same response. If you haven't run the command and read its output in this message, you cannot claim it passes.
Banned language without evidence: "should pass", "probably works", "seems correct", "looks good", "I'm confident". These words without a command output are lies, not claims.
When the user asks how their codebase or harness compares to an external reference — an article, a framework's docs, a competitor's product, a popular library — the reflex is to pattern-match: a name in the reference resembles a skill or file or function the agent has seen, so the agent claims it's covered (or claims the inverse). This pattern-match is unreliable across naming differences and partial-implementation gaps, and it always defaults toward overclaiming coverage when the agent has the user's project context loaded.
Required before any "X is covered / X is a gap" claim:
rg, grep -r, or git log -S against the codebase, not against memory.file:line for each "covered" assertion. A claim that something exists must point at where it exists.Banned shortcuts:
Why this rule exists. When the user's project state is loaded into context (CLAUDE.md, MEMORY.md, recent file reads), the agent's pattern-matching defaults aggressive — it treats name-similarity as coverage and produces flattering comparisons that don't survive a rg check. The corrective is to require evidence at the point of claim, not at the point of correction.
When the user gives a direct, explicit instruction (skip tests, push now, use this approach), execute it IMMEDIATELY. Do not try a "better" approach first, do not retry the same failing approach hoping it works, and do not silently substitute your own plan. Execute the instruction first (it's fast and safe), then suggest an alternative if you have one.
When the auto-mode classifier denies a tool call (Bash command rejected, MCP call refused, "permission denied" from the harness, etc.), stop immediately. Do not retry, do not work around it with a different command, do not "find another way". A classifier denial is an immediate session blocker — handle it before doing anything else.
Required response, every time:
Bash(gh issue create *), Bash(docker buildx prune *)). The rule must be the smallest rule that covers the use case — never a blanket Bash or Bash(* *).AskUserQuestion with two options:
~/.claude/settings.json (permissions.allow array) yourself, via the Edit tool. Read the file first, merge the new entry into the existing array, write it back. If the write succeeds, retry the original command. If the write is denied by the harness self-modification guardrail, only then fall back: hand over a paste-ready snippet, wait for the user to apply it, then retry. Do not preemptively skip the edit attempt — the goal is zero manual operations for the user when the harness allows it.Banned reactions to a classifier denial:
gh issue create → gh api repos/.../issues).settings.json, CLAUDE.md, or any plugin-distributed permissions file to add an allow rule.Why this rule exists. The classifier exists to give the user a final say on standing-permission expansions. Auto-mode aggressiveness combined with classifier strictness is a recurring source of teatree workflow breakage — agents that retry, decompose, or sidestep silently accumulate scope, lose user trust, and ship work the user never authorized. The right escalation is to ask once, fix permission at the user-scope settings file, retry.
Boundary: who edits permissions where.
settings.json) defines the protocol. Teatree never relaxes permissions on the user's behalf.~/.claude/settings.json (user scope) directly — that's the path with zero manual steps for the user. Many users have a standing authorization for this in their autoMode.allow. The agent only falls back to handing over a paste-ready snippet after the harness self-modification guardrail blocks the write — never as the default path. The snippet is the manual fallback, not the primary mechanism.plugins/t3/settings.json, CLAUDE.md standing clauses) are never the right place to relax for a single workflow — that would grant the standing right to every user of the plugin. Refuse if asked to do this; explain that user-scope settings.json is the right knob.The user cannot see system-reminders, memory content, or hook output injected into your context. When your response is influenced by any of this invisible context, briefly state what you received so the user can follow your reasoning. For example: "Teatree suggested loading /t3:code. Memory mentions X."
If the user's message is ambiguous (references "this", "it", a link they forgot to paste, etc.) — ask for clarification. Do NOT guess based on context the user can't see. Guessing leads to confusing exchanges where the user has no idea what you're talking about.
Every MR, ticket, issue, or note reference — in markdown files, platform comments, and agent responses — must be a clickable markdown link.
[!5657](https://example.com/org/repo/-/merge_requests/5657) — not !5657[PROJ-1234](https://example.com/org/repo/-/issues/1234) — not PROJ-1234This applies everywhere: MR/PR descriptions, inline comments, test evidence, chat messages, and responses to the user.
When extracting an API token from a CLI tool, always extract to a variable first — never inline in curl. See your platform reference (t3:platforms) § "Token Extraction" for the platform-specific recipe.
In Python heredocs: shell variables are NOT inherited. Use os.popen(...) inside Python or export TOKEN before the heredoc.
When using temporary files (for MR note bodies, test data, etc.):
/tmp/mr_note_body.md — stale content from other sessions gets posted to the wrong MR.mktemp or inline Python heredocs instead.>| (clobber override) not > — zsh noclobber silently prevents overwrite.os.unlink() in Python, rm in shell)./tmp/t3-snapshot-*.md are recovered automatically by the PostCompact hook. Use t3-snapshot-${CLAUDE_SESSION_ID:-manual}-$(date +%Y%m%d-%H%M).md for the filename. Delete after persisting findings to durable storage.Some issue tracker CLIs cannot serialize nested JSON. Always use curl with -H "Content-Type: application/json" and a proper JSON -d body for payloads containing nested objects.
For note bodies containing markdown images (), shell variable interpolation and jq --arg both escape ! to \!. Always use Python (urllib.request or requests) to serialize the JSON payload.
When fixing a broken UX mechanism (web terminal, browser launch, notification method), fix it in-kind — do not replace it with a different mechanism without asking. If proposing a different approach, ask the user first: "Currently this uses X. Want to keep that or switch to Y?"
Every artifact you publish under the user's identity — git commits, MR/PR descriptions, MR/PR comments and discussions, issue bodies, Slack/Teams messages, email drafts, release notes — must read as if the user wrote it. Never append AI/agent signatures or footers.
Canonical setting: [teatree] agent_signature in ~/.teatree.toml (default false). Programmatic teatree code paths that post on the user's behalf consult teatree.identity.agent_signature_enabled() (or wrap their suffix in agent_signature_suffix(...)). When you publish through an external tool (MCP Slack send, gh comment, glab discussion, raw httpx), apply the same policy by hand: omit the signature unless the setting is true.
Banned trailers and footers in any user-on-behalf artifact:
Co-Authored-By: <model> <noreply@anthropic.com> (or any other agent identity)🤖 Generated with Claude Code / Generated with [Claude Code](...)Sent using Claude / Drafted by Claude / via Claude / (via AI) / via the assistantThis rule is global, not commit-specific. The original "no Co-Authored-By in commits" rule was a special case; the principle generalizes to every venue where the agent posts on the user's behalf. If you would not put Co-Authored-By on a commit, do not put Sent using Claude on a Slack message. The user is responsible for the content; the agent is the typist, not the author.
When the user is the author and explicitly invokes you: if the user asks for a draft to review before sending themselves, no signature is needed (they will send it themselves anyway). When you post on their behalf (Slack DM, MR discussion, GitHub comment, email), the rule still applies — the message must be indistinguishable in form from one the user wrote.
Failure mode this rule prevents: the agent appends "Sent using Claude" to a Slack message it sends to a colleague on the user's behalf. The colleague now sees that the user did not write the message themselves; the user looks lazy or impersonal, and the rapport with the colleague is damaged. Same logic for Co-Authored-By in commits, "🤖 Generated" footers in MR descriptions, and "via the assistant" suffixes in issue comments.
MR/PR comment posting (test plans, evidence, review notes) must be serialized — never dispatch two parallel agents that both post comments on MRs. Parallel agents cannot check for each other's posts, resulting in duplicate comments. Post all MR comments from the main conversation thread, or serialize agent tasks so only one posts at a time.
Before creating an issue, PR, discussion, or any body of content on an external repo, check the target repo's visibility:
gh repo view <owner>/<repo> --json visibility,isPrivate
If the target is PUBLIC, the body must not contain internal identifiers: customer names, internal GitLab/Jira/Notion URLs, client-specific repo names, ticket IDs from private trackers, CI job/pipeline IDs, local filesystem paths (/Users/…, /home/…), environment variable values, or internal hostnames. Replace with generic placeholders (<repo>, <namespace>, <ticket_url>, $T3_WORKSPACE_DIR/<ticket>/<repo>) before posting.
Ambiguous destinations need a question. When the user says "file a bug" without a repo and there are multiple candidates (public upstream vs. private overlay, team repo vs. personal repo), use AskUserQuestion to confirm the target before writing the body. Never guess — the cost of asking is low; the cost of publishing internal info is high.
The authorization to "file a bug" does not authorize posting internal info to a public repo. User instructions like "file a teatree bug" authorize the action of filing, not the destination. A public target always requires a scrubbed body.
When remediating a privacy leak on a public repo (force-push to drop PII, delete a comment that exposed a credential, rewrite a branch that leaked internal data), every public artifact produced during the remediation must be neutral. Do not name what leaked, do not name that a leak occurred, do not describe the scrub. Announcing the remediation on a public surface amplifies the leak (Streisand effect) — the commit subject, the PR comment, and the branch name are all crawled, cached, and indexed.
Banned words in any public artifact produced during remediation (commit subject/body, PR or issue description or comment, release note, changelog, public branch name):
leak / leaked / scrub / redact / real (as in "real phone number") / private / personal / sensitive / accidental / accident / specific classes of the leaked data (phone, email, password, token, credential, secret, key, address, ssn).
Required form:
fix(<scope>): update example values, refactor(<scope>): replace placeholder, docs(<scope>): refresh example. Bad: scrub real phone number, remove leaked credential, redact personal email.fix/update-examples, chore/refresh-docs. Bad: fix/scrub-phone-leak, hotfix/leaked-token.Superseded. / Not needed.). Do not explain why.Pre-done grep (run before claiming the remediation is complete):
git log --format='%H %s%n%b' <branch-start>..HEAD | \
grep -iE 'leak|scrub|redact|real|private|personal|sensitive|accident|phone|email|password|token|credential|secret|address'
Also grep every PR/issue body or comment authored during remediation. Any hit is Streisand — rewrite the artifact (or delete the comment) before declaring done.
Why: A commit subject is as public as the diff, and a PR-close comment is permanent. Describing what was removed tells the next reader exactly what used to be there and where to look in the commit graph. The fix is silent.
Sub-agents (Agent tool) lose all loaded skills, MCP access, and shell functions. By default, never dispatch sub-agents for skill-dependent work. Do all skill-dependent work sequentially in the main conversation.
Exception: Skills with subagent_safe: true in their YAML frontmatter are pure methodology/guidelines that work without shell functions, MCP tools, or cross-skill state.
Before delegating platform API work: Read the relevant platform reference (t3:platforms) before writing sub-agent prompts that involve API calls (draft notes, discussions, MR operations). Sub-agents can't read skills themselves — copy the exact API recipe into the agent prompt.
After a sub-agent completes, re-read any files it modified. Sub-agents get a forked copy of your file state — their edits don't update your cache. Writing to a file without re-reading first will silently overwrite their changes.
When integrating with tools (issue trackers, CI, chat), prefer their API or CLI over scraping files. File-based approaches break on layout changes, don't handle pagination, and miss metadata.
Never replace a symlink with a real file. ls -la first if unsure. If a path is a symlink, edit the target — never delete the link and write a new file.
Use command rm, command cp, command mv in Bash tool calls to avoid zsh interactive aliases that hang. Also gs is aliased to git status — use command gs for GhostScript.
Never modify skill files outside a git repo. Resolve real path with readlink -f, verify git rev-parse --git-dir succeeds. Changes to non-git copies are silently lost.
When a teatree or skill infrastructure bug is discovered during any task, fix it immediately as first priority. Never defer to focus on the user's task — broken infrastructure causes cascading failures.
When you add, change, or remove a hook on OverlayBase (e.g. get_required_ports, get_port_env, uses_redis, get_health_checks, get_readiness_probes, get_base_images, …) on this machine, you must in the same session update every overlay registered locally to adopt the new contract — even when the change is "additive" with a working default.
Why: the teatree codebase is overlay-agnostic and CI cannot see the user's installed overlays. A "default returns empty/false" is silent — the overlay keeps shipping, but with the wrong runtime behaviour (port collisions, skipped readiness checks, missing health invariants). The drift only surfaces when the user runs the new command and gets a confusing failure with no obvious root cause.
How to apply:
uv run python -c "from importlib.metadata import entry_points; [print(ep.value) for ep in entry_points(group='teatree.overlays')]". Treat the output as the authoritative list — not memory, not assumptions about which overlays are installed.Past failure mode this rule prevents. A wave of teatree PRs added several overlay hooks. A registered overlay kept running on the no-op defaults — multiple worktrees collided on the same backend port because get_required_ports returned an empty set, and worktree ready reported green even when nothing was serving. The teatree side looked clean; the symptom only showed up downstream after weeks.
When the user asks for work that is actionable in the current session — a small skill edit, a one-file CLI addition, a test fix, a rule promotion — do it in the current response. Do not propose filing a ticket for "later", do not frame the work as a follow-up suggestion, do not ask for confirmation to proceed on obviously in-scope work. Deferring concrete work to a ticket queue is the single most common way an agent wastes the user's time — the ticket piles up, context evaporates, and work that could have shipped in the same PR now takes a fresh session.
Banned patterns when the work is actionable in this turn:
Defaulting to "later" without asking is treated as "I discovered a bug but I don't care." A finding that surfaces during a session must result in action this turn — either the fix lands, or the user is asked which lane it goes into. Silent deferral is not a lane.
When deferral IS legitimate (narrow set):
When in doubt, do the work. A tiny PR adding the fix alongside the main change is always preferable to a stand-alone ticket that lives in the backlog for weeks.
Bundle Bugs Found Mid-Session into the Current PR (Non-Negotiable when in auto mode).
When you encounter a bug, broken behavior, or rough edge during any session — fix it on the spot, in the current MR if at all reasonable. Do not narrate the finding as a deferral, do not propose filing tickets, do not ask "should I fix this in a separate PR?" before doing the obvious work. Work unattended.
Decision rubric (apply silently — don't narrate to the user):
| Fix size | Action |
|---|---|
| Small (≤ ~50 LOC, no architectural decisions) | Bundle into the current PR. Skip the "Isolate Unrelated Fixes" rule from t3:ship — small fixes have lower scope-creep cost than coordination cost. |
| Medium (related domain, fits the current ticket's spirit) | Still bundle if the PR title can fairly cover it (e.g., assorted shipping-flow bug fixes during a CLI refactor). Mention in the PR body so reviewers see it. |
| Large (architectural, cross-cutting, or genuinely orthogonal) | Create a worktree + PR immediately, implement, ship. No new ticket. |
| Truly large work that cannot fit a session | File a ticket and leave it. Last resort. |
Only stop and ask when:
This rule reinforces "Do Work Now" — the bundling decision is part of doing the work, not a separate question to ask.
When genuinely unsure, ASK — never silently defer. If the fix is borderline (small but truly orthogonal, or medium-sized but the current PR is already large), present three explicit options to the user via AskUserQuestion:
Use options 2 and 3 only when there is a concrete reason against option 1. Asking is acceptable; silently writing "worth filing later" and moving on is not.
When contribute = true in ~/.teatree.toml, retro findings and cross-cutting rules must land in teatree skill files, not in the agent's personal memory/config. Personal memory is the fallback for user-specific facts — paths, credentials, editor preferences, one-machine workflow choices. For anything that would help another user of these skills, write to the skill.
Before writing a feedback/guardrail to personal memory, check:
contribute = true in ~/.teatree.toml? → yes almost always makes this a skill edit.Promote means edit an existing skill. Pick the best-fit existing skill (/t3:rules, /t3:next, /t3:ship, etc.) and insert the rule there. Do not invent a new skill for a single rule — that fragments the skill graph.
When implementing features that require an external service (Notion, Slack, CI, etc.), ask "how do you authenticate with this service?" BEFORE writing any code. The answer (direct API token, CLI auth, MCP tool, OAuth, etc.) determines the entire architecture. Skipping this question leads to multiple implementation pivots.
When an MR targets a non-default branch, that is intentional — it means the MR is part of a dependency chain. Never change an MR's target branch, rebase it onto a different base, or remove MR dependencies without explicit user instruction.
Destroying MR dependency chains wastes hours of carefully organized work.
On every prompt, use TaskCreate to create tasks before doing any work — even for a single task. Mark each task in_progress when starting, completed when done. Never skip this. Visible task tracking prevents forgotten steps and shows the user your progress.
When a new request arrives while you are in the middle of work, do not silently pivot. Default to finishing the current task, queue the new one, and tell the user.
TaskCreate) before doing anything else.This rule does NOT override User Instructions Are Priority 1 — explicit corrections like "skip tests, push now" are blocking by definition. The interrupt rule handles the routine case where a new request looks important but isn't tied to the current state.
Never ask questions inline in text responses. Always use the AskUserQuestion tool — it gives the user a structured UI to respond and prevents questions from being buried in output. One question at a time; wait for the answer before asking the next.
The setting teatree.mode in ~/.teatree.toml (or the T3_MODE env var) picks between two doctrines for publishing actions — push, MR create, MR merge, MR approve/unapprove, remote branch deletion, Slack posts, any write that leaves the local machine. The default is interactive (security-conservative). auto opts into full autonomy.
Do not assume interactive mode. Before saying "not pushed, your call", before asking "push?", and before prompting for any publishing confirmation, actively resolve the effective mode in this order (first match wins):
T3_MODE environment variable (auto or interactive).[overlays.<active>] table in ~/.teatree.toml where <active> = T3_OVERLAY_NAME env var or the repo's registered overlay.[teatree] table in ~/.teatree.toml.interactive.If the effective mode resolves to auto, apply the auto-mode doctrine below — do not ask for push confirmation, do not phrase the end-of-task as "your call", just push.
The most common failure mode is defaulting to interactive without performing steps 1-4 — saying "not pushed, interactive mode" on a repo the user has already opted into auto. That reads as the agent ignoring the user's configured preference and forces them to repeat it every session.
Commit approval ≠ push approval. Squash approval ≠ push approval. "All done" ≠ push approval. Rebase approval ≠ force-push approval. Always present the final state and ask "Push?" as a separate question after committing, squashing, or rebasing — use AskUserQuestion, not an inline question.
--force-with-lease): get separate explicit confirmation even if the user already approved the rebase. A rebase and a force-push are two decisions.t3.mode = "auto" or T3_MODE=auto)The user has opted into end-to-end autonomy. The agent ships complete features without pausing for confirm prompts on the publishing actions listed above. In particular:
makemigrations --dry-run --check).Mode is per-overlay. The setting can live under [overlays.<name>] and override the global [teatree].mode. A user can run auto mode on a personal dogfooding overlay while keeping interactive on a client overlay — the active overlay (resolved via T3_OVERLAY_NAME) determines which doctrine applies. See BLUEPRINT.md § 11.1.1.
Quality gates still run — they just don't depend on user confirmation. The objection auto mode answers is "stop gating on confirmation," not "skip quality checks."
Some actions remain confirm-gated regardless of mode because they are irreversible or affect shared history:
main, master, development, release, or any branch listed in the overlay's protected_branches).DROP / TRUNCATE on shared databases, deletions in shared directories, rm -rf on paths outside the active worktree.--no-verify on any git command is forbidden in both modes. If a hook fails, fix the underlying issue.This list applies to all repos, all branches, both modes.
Before ending any session that involved multi-file edits, debugging, or implementation work, run /t3:next (which includes /t3:retro). Do NOT wait for the user to ask — self-trigger this. A session without retro loses compound learning.
/t3:next before your final response.When cherry-picking code from orphan commits, stashes, snapshots, or other branches, verify every import and function call exists in the target codebase before applying. Snapshot code assumes a different state — modules, classes, and function signatures may not exist in HEAD. Apply each change surgically and run the type checker (ty-check) before moving on.
Long sessions lose context to automatic compaction. Proactively manage session length:
/t3:next or /t3:retro to preserve findings before compaction.PostCompact hook automatically recovers any /tmp/t3-snapshot-*.md files into context.When implementation is complete (all files written, tests pass or verified), commit immediately in the same response — do not wait for the user to ask. An uncommitted change is not "done"; it is in-progress work at risk of being lost to context compaction, parallel agents, or session timeout.
When a pre-commit hook runs the full test suite and fails on tests unrelated to your changes (pre-existing failures), do not fix them one by one in a loop. After the second unrelated failure, stop and tell the user: the hook is failing on pre-existing test issues, and list the failing tests so they can be fixed separately. Never suggest or use --no-verify — see t3:ship § Never use --no-verify.
All development work MUST happen in a worktree, never on the main clone. Use t3 <overlay> workspace ticket or the using-git-worktrees skill to create one before writing any code.
Pre-edit check — before editing ANY project file: If the file path lives directly under $T3_WORKSPACE_DIR/<repo>/ (not under a ticket subdirectory like $T3_WORKSPACE_DIR/<ticket>/<repo>/), stop — you are in the main clone. Find or create the correct worktree first via t3 <overlay> workspace ticket. The main clone may happen to be on the MR branch (from a previous checkout) — editing there "works" but pollutes the shared clone, risks merge conflicts for other worktrees, and violates isolation.
Pre-commit check — before running git commit (Non-Negotiable): Run git rev-parse --show-toplevel. If the result is the main clone (e.g., $T3_REPO, ~/workspace/<repo>/<repo> — i.e. NOT a $T3_WORKSPACE_DIR/<ticket>/<repo> path), abort the commit. Do not proceed to commit on main or any default branch in the main clone, even if the staged changes are already there from a prior session. Recovery path:
ac/<short-slug> matching the change).git branch <branch> HEAD (snapshots the current staged + working state to the new branch).git stash push --staged, git worktree add ~/workspace/<branch>/<repo> -b <branch>, cd into the worktree, git stash pop, then commit there.git branch <branch> HEAD, git reset --hard origin/main (or git reset --hard <previous-HEAD>), then git worktree add ~/workspace/<branch>/<repo> <branch> and continue from the worktree.Collision detection — check on EVERY file write or git operation:
git status. If you see unexpected modifications to files you did not touch, another agent is working in the same directory.t3 <overlay> workspace ticket or EnterWorktree), then continue there.<path>. I've stopped all work to avoid conflicts. Please resolve before I continue." Do NOT attempt to continue, merge, or work around the collision.Why: Parallel agents modifying the same checkout cause silent data loss — commits overwrite each other, stashes destroy in-progress work, and merge conflicts go undetected. This has cost hours of wasted work. Worktrees give each agent an isolated copy. The rules below are secondary defenses.
Pre-task check — before tackling a known issue (failing CI job, regression, "fix X" ticket): Run git worktree list first. If a worktree branch name matches the bug surface (e.g., ac/fix-e2e-dashboard-* for dashboard E2E failures, or any branch with relevant commits in git log --oneline main..HEAD), another agent is likely already on it. Do NOT spawn a parallel worktree on the same problem — coordinate or stand down. The collision rule above catches conflicts at write-time; this catches them before any work starts.
Assume another agent may be modifying the same repo concurrently. Never git stash, git checkout --, or git restore files you didn't change — this destroys the other agent's in-progress work. Only stage and commit files you explicitly modified.
When posting inline MR comments, target added lines only — not context or unchanged lines.