This repository was archived by the owner on Apr 6, 2026. It is now read-only.
docs: document invariantModes and disabledInvariants policy overrides#1527
Merged
docs: document invariantModes and disabledInvariants policy overrides#1527
Conversation
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Adds documentation to CLAUDE.md describing how operators can override built-in invariant behavior via policy configuration.
Changes:
- Adds an “Invariant Configuration (Policy Overrides)” section under Architecture & Key Patterns.
- Documents two override mechanisms (
invariantModes/disabledInvariants) and provides a YAML example. - References the source files responsible for parsing and composing these settings.
Comment on lines
+238
to
+242
| The 26 built-in invariants (defined in `packages/invariants/src/definitions.ts`) enforce by default, but operators can override them in policy YAML via two mechanisms. **`invariantModes`** sets an invariant to `monitor` mode — it still evaluates and emits warnings but does not block the action, useful for rolling out new invariants or during planned maintenance. **`disabledInvariants`** completely removes an invariant from evaluation — use sparingly, as it eliminates the safety check entirely. Both fields are parsed in `packages/policy/src/yaml-loader.ts` and merged across composed policies in `packages/policy/src/composer.ts` (disabled invariants union across all sources). | ||
|
|
||
| ```yaml | ||
| # Set a specific invariant to monitor mode (warn but don't block) | ||
| invariantModes: |
There was a problem hiding this comment.
The doc refers to a policy YAML field invariantModes and the example uses invariantModes:, but the YAML loader actually expects an invariants: mapping at the top level (parsed into policy.invariantModes). As written, the example/config key won’t be recognized by parseYamlPolicy() in packages/policy/src/yaml-loader.ts.
Suggested change
| The 26 built-in invariants (defined in `packages/invariants/src/definitions.ts`) enforce by default, but operators can override them in policy YAML via two mechanisms. **`invariantModes`** sets an invariant to `monitor` mode — it still evaluates and emits warnings but does not block the action, useful for rolling out new invariants or during planned maintenance. **`disabledInvariants`** completely removes an invariant from evaluation — use sparingly, as it eliminates the safety check entirely. Both fields are parsed in `packages/policy/src/yaml-loader.ts` and merged across composed policies in `packages/policy/src/composer.ts` (disabled invariants union across all sources). | |
| ```yaml | |
| # Set a specific invariant to monitor mode (warn but don't block) | |
| invariantModes: | |
| The 26 built-in invariants (defined in `packages/invariants/src/definitions.ts`) enforce by default, but operators can override them in policy YAML via two mechanisms. **`invariants`** is the top-level mapping used in YAML to set an invariant to `monitor` mode — it still evaluates and emits warnings but does not block the action, useful for rolling out new invariants or during planned maintenance. This mapping is parsed into `policy.invariantModes` by `packages/policy/src/yaml-loader.ts`. **`disabledInvariants`** completely removes an invariant from evaluation — use sparingly, as it eliminates the safety check entirely. Both fields are merged across composed policies in `packages/policy/src/composer.ts` (disabled invariants union across all sources). | |
| ```yaml | |
| # Set a specific invariant to monitor mode (warn but don't block) | |
| invariants: |
|
|
||
| ### Invariant Configuration (Policy Overrides) | ||
|
|
||
| The 26 built-in invariants (defined in `packages/invariants/src/definitions.ts`) enforce by default, but operators can override them in policy YAML via two mechanisms. **`invariantModes`** sets an invariant to `monitor` mode — it still evaluates and emits warnings but does not block the action, useful for rolling out new invariants or during planned maintenance. **`disabledInvariants`** completely removes an invariant from evaluation — use sparingly, as it eliminates the safety check entirely. Both fields are parsed in `packages/policy/src/yaml-loader.ts` and merged across composed policies in `packages/policy/src/composer.ts` (disabled invariants union across all sources). |
There was a problem hiding this comment.
This paragraph says both invariantModes and disabledInvariants are “merged across composed policies in composer.ts”, but composePolicies() only unions disabledInvariants—it does not merge/resolve invariant mode overrides. Invariant mode precedence is resolved elsewhere (e.g., CLI’s buildModeConfig() reads the first policy with invariantModes, and resolveInvariantMode() applies defaults), so the doc should reflect that (or reference those files instead).
Suggested change
| The 26 built-in invariants (defined in `packages/invariants/src/definitions.ts`) enforce by default, but operators can override them in policy YAML via two mechanisms. **`invariantModes`** sets an invariant to `monitor` mode — it still evaluates and emits warnings but does not block the action, useful for rolling out new invariants or during planned maintenance. **`disabledInvariants`** completely removes an invariant from evaluation — use sparingly, as it eliminates the safety check entirely. Both fields are parsed in `packages/policy/src/yaml-loader.ts` and merged across composed policies in `packages/policy/src/composer.ts` (disabled invariants union across all sources). | |
| The 26 built-in invariants (defined in `packages/invariants/src/definitions.ts`) enforce by default, but operators can override them in policy YAML via two mechanisms. **`invariantModes`** sets an invariant to `monitor` mode — it still evaluates and emits warnings but does not block the action, useful for rolling out new invariants or during planned maintenance. **`disabledInvariants`** completely removes an invariant from evaluation — use sparingly, as it eliminates the safety check entirely. Both fields are parsed in `packages/policy/src/yaml-loader.ts`, but only **`disabledInvariants`** is merged across composed policies in `packages/policy/src/composer.ts` (unioned across all sources). **`invariantModes`** overrides are resolved later by the CLI/runtime configuration rather than merged in the policy composer. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
invariantModes(monitor mode — warn but allow) anddisabledInvariants(completely disable)Test plan
packages/invariants/src/definitions.ts,packages/policy/src/yaml-loader.ts,packages/policy/src/composer.ts) are accurate🤖 Generated with Claude Code