KeiSeiKit-1.0/_capabilities/tools/cargo-only-bash/text.md
Parfii-bot c0c3483f02 feat(agent-substrate/phase-1): capability library — 11 declarative bundles
22 files per locked §Initial capability atom inventory:

policy/no-git-ops/               (gate: PreToolUse:Bash, bypass ORCHESTRATOR_META)
scope/files-whitelist/           (gate + verify worktree)
scope/files-denylist/            (gate + verify worktree)
quality/constructor-pattern/     (verify worktree)
quality/cargo-check-green/       (verify both — worktree short-circuit + simulated-merge)
quality/tests-green/             (verify both)
safety/no-dep-bump/              (gate + verify both)
output/report-format/            (verify worktree)
output/severity-grade/           (verify worktree)
tools/read-only/                 (gate: deny Edit/Write)
tools/cargo-only-bash/           (gate: Bash allowlist)

All capability.toml share [capability]/[restricts]/[parameterized]/[text]/
[gate]/[verify] section layout. rust-module paths pre-wired to match
phase-3 file layout. All text.md under 200 words, imperative,
self-contained (composer concatenates with --- separator).

Cross-refs to rule files preserved:
- policy::no-git-ops → RULE 0.13 (orchestrator-branch-first.md)
- quality::constructor-pattern → RULE ZERO (code-style.md)
- output::severity-grade → debugging.md §Security Review
- safety::no-dep-bump → supply-chain rationale

Agent attempted wc -w for word counts — sandbox correctly denied Bash
per RULE 0.13, observable reinforcement of the very policy this
capability encodes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 02:35:52 +08:00

Bash — cargo-only allowlist

You MAY use Bash, but only for commands that match this allowlist. Anything else is blocked at the gate.

Allowed command prefixes:

  • cargo ... — build, check, test, fmt, clippy, run
  • mkdir ... — create directories inside the worktree
  • ls ... — directory listing
  • cat ... — read a file
  • grep ... — search
  • find ... — locate files
  • rm -rf /tmp/... — cleanup under /tmp only

Everything else is denied, including (non-exhaustive): git, gh, curl, wget, npm, pip, python, node, bash -c, sudo, sh, env VAR=..., docker, kubectl, ssh, scp, process-tree manipulation, and compound commands that chain an allowed prefix with a denied one via ;, &&, ||, or pipes.

The gate inspects the full command string. Do not try to hide a denied call behind a heredoc, variable expansion, or xargs. If you need a tool that is not on the allowlist, STOP and describe the need in your return — the orchestrator will either widen the role or handle the step directly.

Prefer dedicated tools over Bash whenever possible: Read/Write for files, Glob/Grep for search.
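
One way a gate could enforce the rules above on the full command string, as an added example that is not the project's own gate module. The names `gate_allows`, `under_tmp`, `ALLOWED` and `META` are hypothetical, and treating backticks and newlines as denied is an assumption beyond what the text lists.

```rust
// Added example: hypothetical names, not the project's gate module.
const ALLOWED: [&str; 7] = ["cargo", "mkdir", "ls", "cat", "grep", "find", "rm"];
// Chaining operators, heredoc and variable expansion are named in the text;
// backtick and newline are assumptions added here (substitution, separator).
const META: [&str; 8] = [";", "&&", "||", "|", "<<", "$", "`", "\n"];

/// Lexically resolve `.` and `..`; true only for absolute paths strictly below /tmp.
/// Symlinks are not followed (assumption: the gate sees strings only).
fn under_tmp(path: &str) -> bool {
    if !path.starts_with('/') {
        return false;
    }
    let mut stack: Vec<&str> = Vec::new();
    for part in path.split('/') {
        match part {
            "" | "." => {}
            ".." => { stack.pop(); }
            p => stack.push(p),
        }
    }
    stack.len() >= 2 && stack[0] == "tmp"
}

/// Ok(()) if the full command string passes the allowlist, Err(reason) otherwise.
fn gate_allows(cmd: &str) -> Result<(), String> {
    // Inspect the whole string first, so an allowed prefix cannot carry a denied tail.
    if let Some(m) = META.iter().find(|m| cmd.contains(**m)) {
        return Err(format!("shell metacharacter {:?}", m));
    }
    // Whitespace split without quote handling; a quoted rm path is rejected, not guessed at.
    let argv: Vec<&str> = cmd.split_whitespace().collect();
    let prog = *argv.first().ok_or("empty command")?;
    if !ALLOWED.contains(&prog) {
        return Err(format!("{} is not on the allowlist", prog));
    }
    if prog == "rm" {
        let ok = argv.len() > 2 && argv[1] == "-rf" && argv[2..].iter().all(|p| under_tmp(p));
        if !ok {
            return Err("rm is limited to rm -rf under /tmp".to_string());
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample commands.
    for cmd in ["cargo test", "cargo check && git push", "rm -rf /tmp/../home"] {
        println!("{:<28} {:?}", cmd, gate_allows(cmd));
    }
}
```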