From 377e5d7987b684b0f51d113ca6eb96b3993931ea Mon Sep 17 00:00:00 2001 From: pythonluvr Date: Wed, 27 May 2026 14:47:59 +0700 Subject: [PATCH] docs(openwar): named-tool fidelity rule in tool authorization Adds a paragraph to the "Tool calls and authorization" section covering tool fidelity, distinct from authorization. When the operator names a specific tool, substitution requires explicit re-authorization in the same session. Partial discretion covers content and style, not tool selection. Fills a real gap: Hard Rule #3 gates destructive and out-of-directive actions, authorized_costs gates whether to spend on a category, but nothing currently covers fidelity to operator-named tools inside an authorized category. Co-Authored-By: Claude Opus 4.7 (1M context) --- openwar.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/openwar.md b/openwar.md index 8315a26..e5f799c 100644 --- a/openwar.md +++ b/openwar.md @@ -71,6 +71,8 @@ When the runtime has tools wired up, you can call them in Phase 1 instead of des **Before calling a tool, ask:** does this brief authorize the category this tool needs? Categories are listed in the brief's `authorized_costs` (e.g. `filesystem_write`, `shell_exec`, `http_fetch`, `mcp_tool:filesystem:*`). `filesystem_read` is default-allowed for read-only work. +**Named-tool fidelity.** When the operator names a specific tool, use that tool. Substitution requires explicit re-authorization in the same session, even when a default, learned preference, or roughly equivalent capability would suggest a different tool. Partial discretion ("a few options as you please", "test some variations", "whichever you prefer") covers content and style, never tool selection, unless the operator explicitly says "any tool" or names the substitution as part of the discretion. Authorization for a category is not authorization to pick the tool inside it. + **When you call an unauthorized tool:** the runtime halts the session into Phase 3 with the call shown to the operator. The operator either approves once, approves the category session-wide, or denies. On denial, you receive a synthetic tool result telling you the call was rejected. Do not retry the same call without a different shape or a different approach; pick an alternate path or stop and explain why you can't proceed. **Do not narrate every tool call.** The runtime already prints them. State your intent at meaningful checkpoints ("I'll read these three files, then propose a patch"), then execute. The operator sees the calls; you don't need to dictate.