permissions hook helper
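# Permissions-hook policy for the coding-agent hook that reads this file.
# Evaluation order, as the section headers below state: every [[deny]] rule is
# checked first and a matching deny wins over any [[allow]] rule. What happens
# when no rule matches at all is decided by the hook, not by this file —
# NOTE(review): confirm its default is prompt-or-deny rather than allow.
# Regex keys (`command_regex`, `command_exclude_regex`, `file_path_regex`,
# `file_path_exclude_regex`) are written to the common regex subset (anchors,
# classes, alternation, \s) because the hook's regex dialect is not stated here.

[audit]
# NOTE(review): /tmp is shared and world-writable, so a fixed, predictable name
# can be pre-created or replaced by another local user; a user-owned directory
# is preferable if the hook accepts one. The [[deny]] rules for this path below
# stop the agent itself from rewriting its own audit trail through the
# "/tmp" allows further down — keep those rules in sync with this value.
audit_file = "/tmp/chook-audit.json"
# off | matched | all
audit_level = "matched"

# === DENY RULES (checked first) ===

# Recursive delete in any flag spelling or order (-rf, -fr, -Rf, -r -f,
# --recursive), with or without a path prefix on the binary. A pattern that
# only matches the literal token "-rf" misses all of those variants.
[[deny]]
tool = "Bash"
command_regex = "^(\\S*/)?rm\\s+(.*\\s)?(-[A-Za-z]*[rR]|--recursive)"
reason = "Recursive force-delete is blocked. Use rm on specific files, or ask the user to run this manually."

# Privilege-escalation wrappers. `(\s|$)` instead of a literal trailing space
# so a tab-separated or bare invocation is caught too.
[[deny]]
tool = "Bash"
command_regex = "^(\\S*/)?(sudo|su|doas)(\\s|$)"
reason = "sudo/su/doas is not allowed. Find an alternative that doesn't require elevated privileges."

# Secret-bearing files: dotenv files and their variants (.env.local,
# .env.production — the `(\.[^/]+)?` suffix), key material by extension, and
# SSH private keys by name. `.env.example` is caught as well; that is an
# acceptable false positive.
[[deny]]
tool = "Read"
file_path_regex = "\\.env(\\.[^/]+)?$|\\.(secret|pem|key)$|(^|/)id_(rsa|dsa|ecdsa|ed25519)$"
reason = "Reading secrets/credentials is blocked. Use environment variables or ask the user to provide the needed values."

[[deny]]
tool = "Write"
file_path_regex = "\\.env(\\.[^/]+)?$|\\.(secret|pem|key)$|(^|/)id_(rsa|dsa|ecdsa|ed25519)$"
reason = "Writing secrets/credentials is blocked. Ask the user to create or update this file manually."

# The two denies above only see the Read/Write tools. The Bash allow below
# permits cat/head/tail/grep/cp/mv, so the same file names must also be
# refused when they appear in a command line.
[[deny]]
tool = "Bash"
command_regex = "\\.env(\\.[^/\\s]+)?(\\s|$)|\\.(secret|pem|key)(\\s|$)|(^|[/\\s])id_(rsa|dsa|ecdsa|ed25519)(\\s|$)"
reason = "Referencing secrets/credentials files from Bash is blocked. Use environment variables or ask the user to provide the needed values."

# Protect the audit log named in [audit] from the agent. Without these the
# "/tmp" allows below would let the agent edit or overwrite its own trail.
[[deny]]
tool = "Write"
file_path_regex = "^/tmp/chook-audit\\.json$"
reason = "The hook audit log is read-only for the agent."

[[deny]]
tool = "Edit"
file_path_regex = "^/tmp/chook-audit\\.json$"
reason = "The hook audit log is read-only for the agent."

[[deny]]
tool = "Bash"
command_regex = "chook-audit\\.json"
reason = "The hook audit log must not be modified by the agent. Use the Read tool if you need to inspect it."

# Block shell metacharacters in commands — run each command separately or use a package.json script.
# Redirections (<, >) and embedded newlines are included: a redirection writes
# files outside the file-tool rules and a newline is a second command. The cost
# is that arguments containing `<` or `>` (e.g. some commit messages) are also
# refused; rephrase them.
[[deny]]
tool = "Bash"
command_regex = "&|;|\\||`|\\$\\(|[<>]|\\n"
reason = "BLOCKED: Command contains shell metacharacters (&, ;, |, `, $(), <, >, newline). You MUST run exactly ONE command per Bash call. Do NOT chain commands with && or ;. Do NOT use pipes, redirections or subshells. Split into separate Bash calls instead."

# === ALLOW RULES (checked after deny) ===

# Allow file ops within the cwd tree where Claude was started.
# `file_path_exclude_regex = "\\.\\."` refuses any path containing "..", which
# also rejects file names such as "a..b" — accepted trade-off.
# NOTE(review): a path-string check cannot see through symlinks inside the
# tree; confirm whether the hook canonicalises paths before matching.
[[allow]]
tool = "Read"
restrict_to_cwd = true
file_path_exclude_regex = "\\.\\."

[[allow]]
tool = "Write"
restrict_to_cwd = true
file_path_exclude_regex = "\\.\\."

[[allow]]
tool = "Edit"
restrict_to_cwd = true
file_path_exclude_regex = "\\.\\."

# Same ".." exclusion as the other cwd rules so Glob cannot be pointed outside
# the tree (assumes the hook applies file_path_* to Glob's path, as the /tmp
# Glob rule below already does).
[[allow]]
tool = "Glob"
restrict_to_cwd = true
file_path_exclude_regex = "\\.\\."

# Always allow /tmp access. The ".." exclusion keeps "/tmp/../…" from
# escaping the prefix; the audit log itself is denied above.
[[allow]]
tool = "Read"
file_path_regex = "^/tmp/"
file_path_exclude_regex = "\\.\\."

[[allow]]
tool = "Write"
file_path_regex = "^/tmp/"
file_path_exclude_regex = "\\.\\."

[[allow]]
tool = "Edit"
file_path_regex = "^/tmp/"
file_path_exclude_regex = "\\.\\."

[[allow]]
tool = "Glob"
file_path_regex = "^/tmp/"
file_path_exclude_regex = "\\.\\."

# Allow safe bash commands (no shell injection).
# `command_exclude_regex` repeats the metacharacter deny above for
# defence in depth; keep the two identical.
# NOTE(review): several entries here (node, npx, bun, npm, make, cargo,
# find -exec) execute arbitrary code, so this list is a guardrail against
# accidents rather than a security boundary against prompt injection — rely
# on an OS-level sandbox for the latter.
[[allow]]
tool = "Bash"
command_regex = "^(git |npm |node |npx |bun |cargo |make |ls |cat |head |tail |wc |find |grep |rg |which |echo |pwd |mkdir |cp |mv |touch |chmod |brew |gh )"
command_exclude_regex = "&|;|\\||`|\\$\\(|[<>]|\\n"

# Allow subagents. Subagent tool calls are presumably re-checked by this
# same policy — NOTE(review): confirm with the hook.
[[allow]]
tool = "Task"
subagent_type = "Explore"

[[allow]]
tool = "Task"
subagent_type = "Plan"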