Field Reference
Fields extract values from tool call inputs for condition matching.
Built-in fields
command
Resolves to input.command. Used for Bash/shell tool calls.
IF command CONTAINS "rm -rf"
path
Resolves to input.file_path or input.path (tries both). Used for file operations.
IF path ENDS_WITH ".env"
IF path GLOB "src/**/*.ts"
content
Resolves to input.content or input.new_string (tries both). Used for write/edit operations.
IF content LINE_CONTAINS "console.log"
IF content REGEX "@ts-ignore"
tool
Resolves to the tool name itself (e.g., "Bash", "Read", "Write", "Agent").
IF tool EQUALS "Bash"
IF tool NOT EQUALS "Read"
Generic input fields
Access any key in the tool input object using input.<key> syntax:
IF input.subagent_type EQUALS "Explore"
IF input.run_in_background EQUALS "true"
IF input.description CONTAINS "delete"
IF input.file_path GLOB "*.secret"
Behavior
- String values are used as-is
- Non-string values (numbers, booleans, objects, arrays) are JSON-stringified before matching
- Missing keys resolve to empty string — positive conditions won't match,
NOTconditions will match - Null values resolve to empty string
Examples
Given tool call:
{
"tool": "Agent",
"input": {
"subagent_type": "Explore",
"run_in_background": true,
"prompt": "Find all TypeScript files"
}
}
| Field | Resolves to |
|---|---|
input.subagent_type | "Explore" |
input.run_in_background | "true" (JSON-stringified) |
input.prompt | "Find all TypeScript files" |
input.nonexistent | "" (empty string) |
Use cases
Audit agent activity by type:
rule log-explore-agents {
LOG agent
IF input.subagent_type EQUALS "Explore"
MESSAGE "Explore agent activity logged."
}
Block background agents:
rule no-background-agents {
DENY agent
IF input.run_in_background EQUALS "true"
MESSAGE "Background agents are not allowed."
}
Restrict agent models:
rule no-haiku-agents {
DENY agent
IF input.model EQUALS "haiku"
MESSAGE "Only sonnet and opus models allowed for agents."
}