keisei/KeiSeiKit-1.0
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
KeiSeiKit-1.0/_capabilities/tools/bash-allowlist/text.md
Parfii-bot e4b64418fc feat(convergence/u2): capability renames + back-compat aliases 
Pre-unlock wave U2. Task 3 from CONVERGENCE-PLAN — rename misleading
capability names, keep old names as deprecated aliases.

Renames:
- tools::read-only → tools::deny-tools (mechanism is tool-name denial,
  not "read-only" metaphor)
- tools::cargo-only-bash → tools::bash-allowlist (mechanism is Bash
  pattern allow-list; cargo-only is one config value)

Back-compat via registry.resolve_alias():
- Old dir _capabilities/tools/{read-only,cargo-only-bash}/ retained with
  capability.toml-only stub: `alias = "<new-name>"` + `deprecated` field
- registry.rs loads alias stubs, redirects lookup before dispatch
- warn_deprecated_once() emits single-shot stderr per alias per process
  via OnceLock<Mutex<HashSet>>
- Zero breaking change to existing manifests / task.toml referencing
  old names

Rust impl files renamed in place:
- gates/tools_read_only.rs → gates/tools_deny_tools.rs (struct
  DenyTools)
- gates/tools_cargo_only_bash.rs → gates/tools_bash_allowlist.rs
  (struct BashAllowlist)
- gates/mod.rs + registry.rs + gate_smoke.rs updated

Roles updated (3): read-only.toml, explorer.toml, edit-local.toml —
reference new names directly.

Tests: kei-agent-runtime 41/41 (was 40, +1 deprecated_aliases_resolve
_to_new_names), _assembler 40/40 unchanged (substrate role expansion
follows new paths).

Docs updated: AGENT-ROLES.md, AGENT-SUBSTRATE-SCHEMA.md, 4 _manifests
referencing the old names (comment-only annotations).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-23 03:43:40 +08:00

1.2 KiB
Raw Blame History

Bash — allowlist gate

You MAY use Bash, but only for commands that match this allowlist. Anything else is blocked at the gate.

Default-allowed command prefixes:

  • cargo ... — build, check, test, fmt, clippy, run
  • rustc ... — direct compilation probes
  • rustup ... — toolchain inspection
  • mkdir ... — create directories inside the worktree
  • ls ... — directory listing
  • pwd — print working directory
  • rm -rf /tmp/... — cleanup under /tmp only

Everything else is denied, including (non-exhaustive): git, gh, curl, wget, npm, pip, python, node, bash -c, sudo, sh, env VAR=..., docker, kubectl, ssh, scp, process-tree manipulation, and compound commands that chain an allowed prefix with a denied one via ;, &&, ||, or pipes.

The gate inspects the full command string. Do not try to hide a denied call behind a heredoc, variable expansion, or xargs. If you need a tool that is not on the allowlist, STOP and describe the need in your return — the orchestrator will either widen the role or handle the step directly.

Prefer dedicated tools over Bash whenever possible: Read/Write for files, Glob/Grep for search.