a4e667de10
Single-commit clean baseline after security scrub of niche-tells, project codenames, internal jargon, and contributor-email leaks. Contents: - 100 Rust crates (_primitives/_rust/) - 37 agent manifests (_manifests/) + generated specs (_generated/) - 67 user-invocable skills (skills/) - 33 hooks (hooks/) - Composition blocks (_blocks/) - Documentation (docs/, README.md) - TS adapter packages (_ts_packages/) - Assembler (_assembler/) - Roles (_roles/) - Templates (_templates/) - Forgejo CI (.forgejo/) Author: Denis Parfionovich <info@greendragon.info> License: see LICENSE.
28 lines
1.2 KiB
Markdown
28 lines
1.2 KiB
Markdown
## Bash — allowlist gate
|
|
|
|
You MAY use `Bash`, but only for commands that match this allowlist.
|
|
Anything else is blocked at the gate.
|
|
|
|
Default-allowed command prefixes:
|
|
- `cargo ...` — build, check, test, fmt, clippy, run
|
|
- `rustc ...` — direct compilation probes
|
|
- `rustup ...` — toolchain inspection
|
|
- `mkdir ...` — create directories inside the worktree
|
|
- `ls ...` — directory listing
|
|
- `pwd` — print working directory
|
|
- `rm -rf /tmp/...` — cleanup under `/tmp` only
|
|
|
|
Everything else is denied, including (non-exhaustive): `git`,
|
|
`gh`, `curl`, `wget`, `npm`, `pip`, `python`, `node`, `bash -c`,
|
|
`sudo`, `sh`, `env VAR=...`, `docker`, `kubectl`, `ssh`, `scp`,
|
|
process-tree manipulation, and compound commands that chain an
|
|
allowed prefix with a denied one via `;`, `&&`, `||`, or pipes.
|
|
|
|
The gate inspects the full command string. Do not try to hide a
|
|
denied call behind a heredoc, variable expansion, or `xargs`. If
|
|
you need a tool that is not on the allowlist, STOP and describe
|
|
the need in your return — the orchestrator will either widen the
|
|
role or handle the step directly.
|
|
|
|
Prefer dedicated tools over Bash whenever possible: `Read`/`Write`
|
|
for files, `Glob`/`Grep` for search.
|