Verify that a diff touching mutating Talos tools (reboot, upgrade, rollback, reset, patch_config, apply_config) preserves all required guards — confirm=true, explicit nodes, correct dry_run/preserve/graceful defaults. Run before requesting staff-reviewer.
Scan the current diff against the CLAUDE.md § Safety matrix (cached in
references/guard-matrix.md) and emit a structured report the
staff-reviewer agent can consume directly.
1. Parse `$ARGUMENTS`:
   - `--base <ref>` — base ref for the diff. Defaults to `origin/main`.

   Validate the base ref before anything else:

   ```sh
   BASE="${BASE:-origin/main}"
   git rev-parse --verify "$BASE" >/dev/null \
     || { echo "Unknown base ref: $BASE" >&2; exit 1; }
   ```

2. List changed mutating-tool files:

   ```sh
   git diff --name-only "${BASE:-origin/main}"...HEAD -- 'internal/tools/*.go'
   ```

   Filter by basename to one of: `lifecycle`, `files`, `patch_blocklist`, or any `*_preflight` (files that implement `reboot`, `upgrade`, `rollback`, `reset`, `patch_config`, `apply_config`, or preflight helpers that gate those mutations). Exit early with verdict `GO` if the filtered list is empty.

3. Load the guard matrix. Read `references/guard-matrix.md`. Its `required_args` and `default_values` columns are the ground truth.

4. Scan each file for guard presence. For every matched file:

   ```sh
   git diff "${BASE:-origin/main}"...HEAD -U3 -- <file> \
     | grep -nE 'confirm|nodes|dry_run|preserve|graceful|wait'
   ```

   Cross-reference the hunks against the matrix row for the tool, then classify each guard. Flag a regression when:
   - a `required_args` check from the matrix row is gone from the new code (e.g. `if !confirm` / `len(nodes)==0`)
   - a `default_values` entry no longer matches the matrix row (e.g. `dry_run: true` → `dry_run: false`)

4b. Preflight helper check. For any `*_preflight.go` in the filtered set, load `.claude/rules/quorum-member-counting.md` and apply its invariants against the diff (dedup by member Id before counting, `map[<id-type>]struct{}` structure, no reliance on `len(msg.GetMembers())`). Flag as regression if a preflight helper is introduced or modified without the dedup pattern.
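As an added example (not part of this skill's files or the repo it audits), a POSIX sh function that applies the two regression rules from step 4 to a diff hunk read on stdin and maps the result onto the report's verdict words. The guard patterns, the assumption that `preserve`/`graceful` flipping true→false also weakens a safe default, and the two sample hunks are constructed for the example.

```sh
# Added example: classify guard changes in a unified diff read on stdin.
# Prints "<pass|regress> <guard> <evidence>" per finding, exit 1 on any regression.
audit_hunk() {
  awk '
    BEGIN { split("dry_run preserve graceful", G, " ") }  # safe-default flags (assumed set)
    function flag(v, g, e) { sub(/^[ \t]+/, "", e); print v " " g " " e; if (v == "regress") fails++ }
    /^(diff |index |--- |\+\+\+ |@@ )/ { next }           # file and hunk headers carry no guard
    # required-arg checks: a removed "if !confirm" / "len(nodes) == 0" line is a regression
    # unless the identical line is re-added in the same hunk (moved, not dropped)
    /^-/ && /if +!confirm|len\(nodes\) *== *0/ { removed[$0] = 1; next }
    /^\+/ && /if +!confirm|len\(nodes\) *== *0/ {
      key = "-" substr($0, 2)
      if (key in removed) { delete removed[key]; flag("pass", "required_args", substr($0, 2)) }
      next
    }
    # defaults: "<flag>: true" removed and "<flag>: false" added weakens the safe default
    /^-/  { for (i in G) if (index($0, G[i] ": true")) deft[G[i]] = 1 }
    /^\+/ { for (i in G) if (index($0, G[i] ": false") && (G[i] in deft)) {
              delete deft[G[i]]; flag("regress", "defaults", G[i] " true -> false") } }
    END {
      for (k in removed) flag("regress", "required_args", substr(k, 2))
      exit (fails > 0 ? 1 : 0)
    }
  '
}

# Map the findings onto the report vocabulary: findings first, verdict on the last line.
audit_verdict() {
  if findings=$(audit_hunk); then printf '%s\napproved\n' "$findings"
  else printf '%s\nescalate: guards regressed\n' "$findings"; fi
}

# Constructed sample hunks (not real repo code). The first drops the confirm
# check and flips dry_run; the second only moves the confirm check.
REGRESSED_DIFF='@@ -12,3 +12,2 @@ func reboot(nodes []string, confirm bool) error {
-    if !confirm { return errConfirmRequired }
     if len(nodes) == 0 { return errNodesRequired }
-    opts := Options{dry_run: true, graceful: true}
+    opts := Options{dry_run: false, graceful: true}'
CLEAN_DIFF='@@ -12,2 +12,2 @@ func reboot(nodes []string, confirm bool) error {
-    if !confirm { return errConfirmRequired }
     if len(nodes) == 0 { return errNodesRequired }
+    if !confirm { return errConfirmRequired }'

printf '%s\n' "$REGRESSED_DIFF" | audit_verdict
```

Feed it the output of the step-4 `git diff` for one file; a moved check passes, a dropped check or a flipped default escalates.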
Emit the report in this format:

```markdown
## Guard Audit — <change-id>

| tool | required_args_ok | defaults_ok | evidence | verdict |
|-------------------|------------------|-------------|-----------------------------|---------|
| talos_reboot | yes/no | yes/no | <file:line> `<quoted code>` | pass/fail |
| talos_upgrade | ... | ... | ... | ... |
| talos_rollback | ... | ... | ... | ... |
| talos_reset | ... | ... | ... | ... |
| talos_patch_config| ... | ... | ... | ... |
| talos_apply_config| ... | ... | ... | ... |

## Findings

- **<tool>.<guard>** — <pass|regress|missing>
  Evidence: <file:line> `<quoted code>`
  Validation: re-run `grep -nE '<pattern>' <file>` — guard still present.

## Verdict

<approved | escalate: guards regressed>
```

Omit rows for tools whose file was not touched.
Reference files used by this audit:

- `references/guard-matrix.md` — guard matrix mirrored verbatim from repo-root CLAUDE.md § Safety.
- `.claude/rules/quorum-member-counting.md` — preflight helper invariants (member-ID dedup, strict-majority rule).