Matcher Reference
We maintain a growing, hand-crafted library of deterministic "Matchers" that cover multiple different execution paths for similar operations, so that agents cannot trivially route around one blocked command. We expose this library to our AI when recommending new guardrails, so that it can readily draw upon robust abstractions rather than re-deriving complicated regular expressions and argument checks.
Rule Matchers
When agents use tools caught by any of these matchers, Stoplight can approve, ask, or deny the operation. Each matcher expands into multiple lower-level matches to allow teams to protect an entire behavior class instead of chasing one tool invocation at a time.
| Operation | ID | Description | Target |
|---|---|---|---|
| File reading | file.read | Any attempt to read or view file contents | e.g., `**/.env*`, `credentials.json`, `**/*.pem` |
| File writing | file.write | Any attempt to write or modify file contents | e.g., `**/config/*`, `package.json`, `**/*.yaml` |
| File deletion | file.delete | Any attempt to delete or remove files | e.g., `**/migrations/*`, `**/*.log` |
| File creation | file.create | Any attempt to create new files or directories | e.g., `**/src/**`, `**/*.config.js` |
| File copying | file.copy | Any attempt to copy files via cp, scp, or rsync | e.g., `**/.ssh/*`, `**/secrets/*` |
| File rename / move | file.move | Any attempt to move or rename files | e.g., `**/config/*`, `Makefile` |
| File permission changes | file.permission | Changing file permissions, ownership, or access control | e.g., `**/bin/*`, `/etc/**` |
| Symlink creation | file.symlink | Creating symbolic links that can bypass path-based guards | e.g., `**/.env*`, `**/secrets/*` |
| Sensitive file access | file.sensitive | Accessing inherently sensitive files like SSH keys, certificates, and credentials | — |
Policy Triggers
Policies may use trigger matchers as a screening mechanism to determine whether an operation should be considered for review by an LLM-based rule defined in natural language. Structurally, they are similar to deterministic rules, but the final decision to approve, ask, or deny is made by the LLM based on the operation and its context, not by whether the trigger matched.
| Matcher | Key | Description | Example |
|---|---|---|---|
| Command includes | command_contains | Substring match (case-insensitive) | `rm -rf` |
| Command excludes | command_not_contains | Negative substring match | `--dry-run` |
| Command starts with | command_starts_with | Prefix match | `kubectl delete` |
| Command ends with | command_ends_with | Suffix match | `--force` |
| Command equals | command_equals | Exact match | `npm publish` |
| Command regex | command_regex | Regular expression pattern | `rm\s+-rf\s+/` |
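The screening step described above, as an added example that is not Stoplight's own code: each trigger key from the table is evaluated against a command, and a policy is escalated to the LLM only when every key in it matches. The whitespace normalization and the AND-combination of keys are assumptions made here, as is applying case-insensitivity only to the substring keys.

```python
import re

# Constructed re-implementation of the trigger keys in the table above; the
# real Stoplight evaluator may differ (e.g. in how it normalizes whitespace).
def _norm(cmd: str) -> str:
    """Collapse runs of whitespace so 'rm  -rf' and 'rm -rf' screen alike."""
    return " ".join(cmd.split())

def trigger_hit(key: str, pattern: str, command: str) -> bool:
    """Evaluate one trigger key against a command string."""
    cmd = _norm(command)
    if key == "command_contains":          # case-insensitive substring
        return pattern.lower() in cmd.lower()
    if key == "command_not_contains":      # negative substring
        return pattern.lower() not in cmd.lower()
    if key == "command_starts_with":       # prefix match
        return cmd.startswith(pattern)
    if key == "command_ends_with":         # suffix match
        return cmd.endswith(pattern)
    if key == "command_equals":            # exact match
        return cmd == pattern
    if key == "command_regex":             # regular expression pattern
        return re.search(pattern, cmd) is not None
    raise ValueError(f"unknown trigger key: {key}")

def should_escalate(triggers: dict, command: str) -> bool:
    """A policy is handed to the LLM only if every trigger key matches.
    False means the policy is skipped; True means 'let the LLM decide',
    never an approve/deny decision by itself."""
    return all(trigger_hit(k, v, command) for k, v in triggers.items())

# Constructed example policy: screen recursive deletes under an absolute
# path, but do not bother the LLM with commands that carry --dry-run.
DESTRUCTIVE_RM = {
    "command_regex": r"rm\s+-rf\s+/",
    "command_not_contains": "--dry-run",
}

def screen(commands):
    """Map each constructed command to whether DESTRUCTIVE_RM escalates it."""
    return {c: should_escalate(DESTRUCTIVE_RM, c) for c in commands}

if __name__ == "__main__":
    for cmd, hit in screen(["rm -rf /tmp/build", "rm -rf ./build"]).items():
        print(f"{cmd!r}: {'escalate' if hit else 'skip'}")
```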