22 files per locked §Initial capability atom inventory:

- policy/no-git-ops/ (gate: PreToolUse:Bash, bypass ORCHESTRATOR_META)
- scope/files-whitelist/ (gate + verify worktree)
- scope/files-denylist/ (gate + verify worktree)
- quality/constructor-pattern/ (verify worktree)
- quality/cargo-check-green/ (verify both — worktree short-circuit + simulated-merge)
- quality/tests-green/ (verify both)
- safety/no-dep-bump/ (gate + verify both)
- output/report-format/ (verify worktree)
- output/severity-grade/ (verify worktree)
- tools/read-only/ (gate: deny Edit/Write)
- tools/cargo-only-bash/ (gate: Bash allowlist)

All capability.toml share [capability]/[restricts]/[parameterized]/[text]/[gate]/[verify] section layout. rust-module paths pre-wired to match phase-3 file layout.

All text.md under 200 words, imperative, self-contained (composer concatenates with --- separator).

Cross-refs to rule files preserved:

- policy::no-git-ops → RULE 0.13 (orchestrator-branch-first.md)
- quality::constructor-pattern → RULE ZERO (code-style.md)
- output::severity-grade → debugging.md §Security Review
- safety::no-dep-bump → supply-chain rationale

Agent attempted wc -w for word counts — sandbox correctly denied Bash per RULE 0.13, observable reinforcement of the very policy this capability encodes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
28 lines, 1.1 KiB, Markdown
## Bash — cargo-only allowlist

You MAY use `Bash`, but only for commands that match this allowlist.
Anything else is blocked at the gate.

Allowed command prefixes:
- `cargo ...` — build, check, test, fmt, clippy, run
- `mkdir ...` — create directories inside the worktree
- `ls ...` — directory listing
- `cat ...` — read a file
- `grep ...` — search
- `find ...` — locate files
- `rm -rf /tmp/...` — cleanup under `/tmp` only

Everything else is denied, including (non-exhaustive): `git`,
`gh`, `curl`, `wget`, `npm`, `pip`, `python`, `node`, `bash -c`,
`sudo`, `sh`, `env VAR=...`, `docker`, `kubectl`, `ssh`, `scp`,
process-tree manipulation, and compound commands that chain an
allowed prefix with a denied one via `;`, `&&`, `||`, or pipes.

The gate inspects the full command string. Do not try to hide a
denied call behind a heredoc, variable expansion, or `xargs`. If
you need a tool that is not on the allowlist, STOP and describe
the need in your return — the orchestrator will either widen the
role or handle the step directly.

Prefer dedicated tools over Bash whenever possible: `Read`/`Write`
for files, `Glob`/`Grep` for search.
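Review bot: the "Allowed command prefixes" list admits more than the deny paragraph below it assumes, because several of the allowed prefixes can themselves run or reach things the policy means to exclude. `find ...` accepts `-exec` and `-delete`; `cargo ...` covers `run`, `test` and build scripts, which execute whatever code is in the worktree, and as written the prefix also matches cargo subcommands beyond the six listed, including ones that change dependencies, which sits awkwardly beside the safety/no-dep-bump capability in the same commit. `rm -rf /tmp/...` is confined to `/tmp` only if `..` segments and symlinks are resolved before the comparison, and `ls`, `cat`, `grep` and `find` carry no worktree restriction at all, unlike `mkdir`. The chaining list (`;`, `&&`, `||`, pipes) omits command substitution, backticks, redirection, `&` and embedded newlines, and heredocs, variable expansion and `xargs` are addressed in this text only as an instruction to the agent. Suggest stating the rule in terms of a parsed argv rather than a prefix: enumerate the permitted cargo subcommands, exclude `find` actions that execute or delete, require canonicalised paths under the worktree (or under `/tmp` for `rm`), and deny any command containing shell metacharacters outright, so that this text and the gate describe the same check.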