# Phase 42 — staffing.any task class rules (file-backed).
#
# Rules that apply across ALL staffing task classes (fill, rescue,
# sms_draft, etc). The router registers them once and evaluates them
# on every staffing.* call.

[[rule]]
id = "any.no-destructive-sql-in-context"
task_class = "staffing.any"
description = "Reject staffing calls whose SQL context contains destructive verbs"
action = { type = "Reject", message = "destructive SQL rejected by staffing.any gate" }

[rule.condition]
type = "FieldContainsAny"
field = "sql_context"
needles = ["drop table", "truncate", "delete from", "drop schema", "drop database"]

# Additional staffing.any rules (e.g. PII scrubbing, rate limits) can be
# layered here; see the in-code staffing_rules() for the pii-redact rule
# that ships by default.