Pre-unlock wave U2. Task 3 from CONVERGENCE-PLAN — rename misleading
capability names, keep old names as deprecated aliases.

Renames:
- tools::read-only → tools::deny-tools (mechanism is tool-name denial,
  not "read-only" metaphor)
- tools::cargo-only-bash → tools::bash-allowlist (mechanism is Bash
  pattern allow-list; cargo-only is one config value)

Back-compat via registry.resolve_alias():
- Old dir _capabilities/tools/{read-only,cargo-only-bash}/ retained with
  capability.toml-only stub: `alias = "<new-name>"` + `deprecated` field
- registry.rs loads alias stubs, redirects lookup before dispatch
- warn_deprecated_once() emits single-shot stderr per alias per process
  via OnceLock<Mutex<HashSet>>
- Zero breaking change to existing manifests / task.toml referencing
  old names

Rust impl files renamed in place:
- gates/tools_read_only.rs → gates/tools_deny_tools.rs (struct
  DenyTools)
- gates/tools_cargo_only_bash.rs → gates/tools_bash_allowlist.rs
  (struct BashAllowlist)
- gates/mod.rs + registry.rs + gate_smoke.rs updated

Roles updated (3): read-only.toml, explorer.toml, edit-local.toml —
reference new names directly.

Tests: kei-agent-runtime 41/41 (was 40, +1
deprecated_aliases_resolve_to_new_names), _assembler 40/40 unchanged
(substrate role expansion follows new paths).

Docs updated: AGENT-ROLES.md, AGENT-SUBSTRATE-SCHEMA.md, 4 _manifests
referencing the old names (comment-only annotations).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
## Bash — allowlist gate

You MAY use `Bash`, but only for commands that match this allowlist.
Anything else is blocked at the gate.

Default-allowed command prefixes:
- `cargo ...` — build, check, test, fmt, clippy, run
- `rustc ...` — direct compilation probes
- `rustup ...` — toolchain inspection
- `mkdir ...` — create directories inside the worktree
- `ls ...` — directory listing
- `pwd` — print working directory
- `rm -rf /tmp/...` — cleanup under `/tmp` only

Everything else is denied, including (non-exhaustive): `git`,
`gh`, `curl`, `wget`, `npm`, `pip`, `python`, `node`, `bash -c`,
`sudo`, `sh`, `env VAR=...`, `docker`, `kubectl`, `ssh`, `scp`,
process-tree manipulation, and compound commands that chain an
allowed prefix with a denied one via `;`, `&&`, `||`, or pipes.

The gate inspects the full command string. Do not try to hide a
denied call behind a heredoc, variable expansion, or `xargs`. If
you need a tool that is not on the allowlist, STOP and describe
the need in your return — the orchestrator will either widen the
role or handle the step directly.

Prefer dedicated tools over Bash whenever possible: `Read`/`Write`
for files, `Glob`/`Grep` for search.
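
An added sketch of the kind of check this prompt describes, not the project's own gate code: it scans the full command string for shell metacharacters before matching the first word against the listed prefixes, and it validates every `rm -rf` target. The names `check`, `Verdict`, `PROGRAMS`, `META` and `under_tmp` are assumptions made for the example.

```rust
// Added sketch of an allowlist gate for the rules above; every name here is
// hypothetical and this is not the project's tools_bash_allowlist.rs.
const PROGRAMS: &[&str] = &["cargo", "rustc", "rustup", "mkdir", "ls", "pwd"];
// Characters that let a shell chain, substitute, redirect, expand or quote.
// Rejecting all of them is deliberately conservative: quoted arguments are denied too.
const META: &str = ";&|`$<>(){}[]*?~\\\"'\n\r";

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Allow,
    Deny(&'static str),
}

pub fn check(cmd: &str) -> Verdict {
    // Inspect the full string first, so an allowed prefix cannot carry a second command.
    if cmd.chars().any(|c| META.contains(c)) {
        return Verdict::Deny("shell metacharacter");
    }
    let words: Vec<&str> = cmd.split_whitespace().collect();
    match words.as_slice() {
        [] => Verdict::Deny("empty command"),
        [prog, ..] if PROGRAMS.contains(prog) => Verdict::Allow,
        ["rm", "-rf", paths @ ..]
            if !paths.is_empty() && paths.iter().all(|p| under_tmp(p)) =>
        {
            Verdict::Allow
        }
        ["rm", ..] => Verdict::Deny("rm only as rm -rf under /tmp"),
        _ => Verdict::Deny("program not on allowlist"),
    }
}

// True only for /tmp/<something> with no `..` component that could climb out.
fn under_tmp(path: &str) -> bool {
    match path.strip_prefix("/tmp/") {
        Some(rest) => !rest.is_empty() && rest.split('/').all(|seg| seg != ".."),
        None => false,
    }
}

fn main() {
    // Constructed sample commands.
    for cmd in ["cargo test --workspace", "cargo build && curl example.invalid", "rm -rf /tmp/../etc"] {
        println!("{cmd:?} -> {:?}", check(cmd));
    }
}
```

A string check like this constrains the shell line only: `cargo run` and `cargo test` still execute whatever the worktree builds, and a symlink under `/tmp` is not resolved here.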