Keel Skills operates in two complementary layers. The soft layer — three skills — makes the agent apply the four-step check before any action that writes or changes something. The hard layer — theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/quitohooded/keel-skills/llms.txt
Use this file to discover all available pages before exploring further.
PreToolUse hook backed by your AGENT_POLICY.md — intercepts every tool call deterministically before it runs and blocks hot ones for explicit approval, regardless of what the model decided. Together they cover the two failure modes: an agent that reasons carelessly, and a headless or CI agent where no human is present to give a green light.
The two layers
The soft and hard layers address different failure modes and have complementary strengths and weaknesses. Running both is what makes the framework reliable across interactive and non-interactive contexts. Soft layer (skills / reasoning): The three skills make the agent internalize the four-step check and apply it as part of its own reasoning process. Because the agent is reasoning with full context — knowing the project, the instruction, and the situation — the soft layer handles nuance well. Its weakness is that it depends on the model choosing to comply. Hard layer (enforcement hook): ThePreToolUse hook (enforce-policy.cjs) is deterministic code that runs before every tool call. It reads the hot zones from your AGENT_POLICY.md (plus the SPEC §4 defaults) and maps each tool call to allow, ask, or deny. It doesn’t reason — it pattern-matches — and it fires unconditionally.
| Layer | What it is | Strength | Weakness | Covers headless? |
|---|---|---|---|---|
| Soft | Three skills that prompt the agent to run the four-step check before acting | Context-aware; handles nuance and project-specific circumstances | Depends on the model choosing to comply | No — relies on model reasoning |
| Hard | PreToolUse hook that intercepts tool calls before they run | Deterministic; fires unconditionally before every matched tool call | Pattern-matches commands and paths; a sophisticated adversarial agent can route around it | Yes — ask verdicts are auto-escalated to deny in CI |
Session lifecycle
Session starts — policy injected
When a Claude Code session opens, the
SessionStart hook fires and runs inject-policy.cjs. If an AGENT_POLICY.md exists at the project root, its full contents are injected into the session context. The policy is now present in the model’s context window without the agent having to choose to read it.Agent receives a task — four-step check runs
When the agent receives an instruction, the
authorization-protocol skill prompts it to run the four-step check before acting. The agent classifies the instruction as a goal, a method, or a green light, and determines whether the action is free or needs a green light. If it needs one and no standing approval covers the scope, the agent stops and asks.Agent attempts a tool call — PreToolUse hook intercepts
Before any tool call executes, the
PreToolUse hook fires and inspects it against the hot defaults from SPEC §4 plus any hot_paths and hot_commands defined in your AGENT_POLICY.md machine-readable block. The hook returns one of three verdicts:allow— the call is not hot, or is covered by a standing approval; execution continues.ask— the call is hot and lacks a green light; the hook surfaces an explicit human-approval prompt before execution.deny— the call is hot, lacks a green light, and no human is available to approve (headless/CI mode); execution is blocked.
The three skills
Each skill is a Markdown document that Claude Code loads as part of the agent’s context. They are generic — none of your project’s specifics are embedded in them.Authorization Protocol
The core governance skill. Defines the goal / method / green light distinction, the four-step check, hot-zone defaults, and the rule for following through on a green light you already have.
Model Delegation
Cost and risk control for subagents. Enforces tier-by-task assignment, a maximum nesting depth of two, no self-escalation, and a cheapest-first tool ladder. Subagents can never grant a green light.
Context Discipline
Session hygiene. Defines when to end a long session, what to record so decisions aren’t lost, and how to leave a resumable handoff that doesn’t depend on reconstructing context from chat.
The AGENT_POLICY.md
The key architectural decision in Keel Skills is the separation of mechanism from your data. The skills describe the pattern — what a risky zone is, what a green light means, how to choose a model. YourAGENT_POLICY.md holds all the specifics:
- Which paths in your project are hot (e.g.,
src/migrations/**,public/**) - Which commands are hot for your stack (e.g.,
vercel deploy,supabase db push) - Where your decisions log and project-state file live
- Any standing approvals already in place (e.g., “the agent may run
npm run buildwithout a new green light”)
SessionStart hook injects AGENT_POLICY.md automatically, the policy is always present — it doesn’t depend on the agent choosing to read it or remembering it from a previous session. The same plugin installation works across all your projects; each project’s AGENT_POLICY.md configures it for that project’s specifics.
The optional machine-readable block inside AGENT_POLICY.md gives the PreToolUse hook a parseable subset it can act on deterministically:
Headless / CI mode
When no human is present to give a green light, anyask verdict would block indefinitely. Keel handles this explicitly: in headless or CI contexts, ask is automatically escalated to deny.
The hook detects non-interactive mode from two environment variables:
ask verdict — meaning the action is hot and lacks a standing approval — it is upgraded to deny and the tool call is blocked. This ensures that a CI pipeline running the agent cannot silently take an action that would require human approval in an interactive session.