Feature Request: Runtime Rule Enforcement — Rules Without Teeth Are Just Suggestions
Hey A0 Team,
I've been running Agent Zero in production for a while now — Docker on a Mac Studio, multiple projects, custom agents, the whole stack. I love what you've built. But I've hit an architectural gap that I think deserves serious attention.
The Problem
I have a rule in my system prompt. It's explicit and unambiguous. It says as follows:
"When creating templates, forms, logs, or any document intended for the user to fill in, interact with, or regularly access — ALWAYS use LibreOffice (Calc for spreadsheets, Writer for documents) via the Desktop console and the office_artifact tool. Save to accessible project directories like documents/, NOT hidden directories like .a0proj/knowledge/."
The rule was there from session start. The model read it. The model understood it. When I asked it to create a vitals template for my family's health tracker, it created a Markdown file buried in a hidden .a0proj/knowledge/ directory instead.
I asked it why. It said: "That's a compliance failure, not an awareness gap."
And it was right. The model understood the rule perfectly. It just didn't follow it. Because nothing made it.
Why This Is a Framework Problem, Not a Model Problem
The model I'm running is GLM-5.1 — it's more than capable of understanding rules. I believe that this isn't about intelligence. It's about architecture.
Right now, the enforcement chain looks like this:
User Request → System Prompt (with rules) → LLM processes everything → Tool call → Execute
There is no validation gate between the LLM's decision and tool execution. The rule is text in a prompt, processed probabilistically alongside everything else. When the model decides to ignore it, nothing stops it.
In software engineering, we don't rely on developers "remembering" rules. We have linters, type systems, CI checks, and code review. Agent Zero has none of these for behavioral rules.
| Layer | Current State | What It Should Be |
| --- | --- | --- |
| Rule definition | Text in prompt | Text in prompt (this works fine) |
| Rule enforcement | Model discretion only | Runtime validation hooks |
| Violation detection | User catches it manually | Automated checking before execution |
| Violation response | User calls it out post-hoc | Block + re-prompt automatically |
What I'm Proposing
I see three approaches, and I believe that the best path is a combination of the first two:
1. Tool Call Validation Hook (the hard guard)
Add a validation layer at tool_execute_before that checks tool calls against a rules registry before execution.
LLM decides tool call → tool_execute_before hook validates against rules → PASS or BLOCK + re-prompt
This leverages the existing extension infrastructure. If a rule says "templates must use office_artifact" and the LLM calls text_editor with a path containing "template", the hook blocks it and sends back a correction.
2. Critical Rules Injection (the soft guard)
Rules marked as critical get injected at multiple points in the prompt — not just once at the top. Repetition at decision points dramatically improves compliance without code changes.
3. Output Pattern Validation (the safety net)
A validation layer at response_stream_end checks the completed response against known patterns. If a violation is detected, the response is rejected and the LLM is re-prompted with the violation flagged.
Why This Matters Beyond My Setup
I'm using Agent Zero to manage healthcare records for my 90-year-old father, legal case files for a mortgage dispute, financial portfolios, and business operations. When I define a rule — as the Principal — that rule carries authority. The framework should treat it the same way.
As more users build complex agents with specific behavioral requirements, the gap between stating a rule and enforcing a rule becomes critical. The current system treats all rules as polite suggestions.
The model shouldn't need to be "smart enough" to follow rules. The framework should ensure compliance regardless of model capability.
What I'm Willing to Do
My team and I will build the tool_execute_before validation hook as a proof of concept if the A0 team is open to it. We feel that we know the extension system well enough at this point. Just tell me the preferred approach and we'll get to work.
Wagner dos Santos
President and Chief Innovation Officer
WGNR
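A sketch of the "hard guard" from approach 1, added here as an illustration; it is not part of the original post and not Agent Zero code. `ToolCall`, `Rule`, `RULES` and `validate` are hypothetical names, the tool names and paths come from the post, and the wiring into the `tool_execute_before` extension point is left out because the post does not show that API.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Callable

@dataclass(frozen=True)
class ToolCall:  # hypothetical shape of a pending tool call
    tool: str
    args: dict

@dataclass(frozen=True)
class Rule:
    rule_id: str
    applies: Callable[[ToolCall], bool]   # is this call in the rule's scope?
    violated: Callable[[ToolCall], bool]  # does the call break the rule?
    correction: str                       # message returned to the model

def target(call: ToolCall) -> PurePosixPath:
    return PurePosixPath(str(call.args.get("path", "")))

def is_template(call: ToolCall) -> bool:
    return "template" in str(target(call)).lower()

def in_hidden_dir(call: ToolCall) -> bool:
    # Any dot-prefixed directory component counts, which also rejects ".." traversal.
    return any(part.startswith(".") for part in target(call).parts[:-1])

RULES = [
    Rule("templates-use-office-artifact", is_template,
         lambda c: c.tool != "office_artifact",
         "Templates must be created with office_artifact."),
    Rule("no-hidden-directories", is_template, in_hidden_dir,
         "Save user-facing files under documents/, not a hidden directory."),
]

def validate(call: ToolCall, rules=RULES) -> tuple[bool, list[str]]:
    """Return (allowed, corrections). A rule whose check errors blocks the call."""
    corrections = []
    for rule in rules:
        try:
            if rule.applies(call) and rule.violated(call):
                corrections.append(f"[{rule.rule_id}] {rule.correction}")
        except Exception as exc:  # fail closed: a broken check must not pass
            corrections.append(f"[{rule.rule_id}] check failed: {exc!r}")
    return (not corrections, corrections)
```

The corrections list is what a hook would send back in the re-prompt; an empty list means the call proceeds unchanged.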