{
"description": "Granular Bash Permissions - Paranoid mode with explicit command whitelisting",
"version": "3.38.0",
"notes": [
"For security-conscious users who want explicit control over every bash command",
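"Uses prefix matching: 'Bash(pytest:*)' allows 'pytest tests/', 'pytest -v', etc. The prefix constrains only the start of the command, so entries for interpreters and launchers ('Bash(python:*)', 'Bash(npx:*)', 'Bash(env:*)') permit any arguments and therefore arbitrary code.",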
"Add new patterns as needed for your workflow",
"Consider settings.autonomous-dev.json for a less restrictive alternative"
],
"permissions": {
"allow": [
"Read(**)",
"Write(**)",
"Edit(**)",
"Glob",
"Grep",
"Task",
"WebFetch",
"WebSearch",
"TodoWrite",
"NotebookEdit",
"mcp__",
"Bash(pytest:*)",
"Bash(python -m pytest:*)",
"Bash(python:*)",
"Bash(python3:*)",
"Bash(pip list:*)",
"Bash(pip show:*)",
"Bash(pip freeze:*)",
"Bash(git status:*)",
"Bash(git diff:*)",
"Bash(git log:*)",
"Bash(git branch:*)",
"Bash(git show:*)",
"Bash(git blame:*)",
"Bash(git stash list:*)",
"Bash(gh issue:*)",
"Bash(gh pr:*)",
"Bash(gh repo:*)",
"Bash(ls:*)",
"Bash(cat:*)",
"Bash(head:*)",
"Bash(tail:*)",
"Bash(wc:*)",
"Bash(find:*)",
"Bash(grep:*)",
"Bash(rg:*)",
"Bash(echo:*)",
"Bash(pwd:*)",
"Bash(which:*)",
"Bash(env:*)",
"Bash(date:*)",
"Bash(whoami:*)",
"Bash(hostname:*)",
"Bash(npm run:*)",
"Bash(npm test:*)",
"Bash(npm list:*)",
"Bash(npx:*)",
"Bash(yarn test:*)",
"Bash(yarn run:*)",
"Bash(bun test:*)",
"Bash(bun run:*)",
"Bash(cargo test:*)",
"Bash(cargo check:*)",
"Bash(cargo build:*)",
"Bash(go test:*)",
"Bash(go build:*)",
"Bash(make test:*)",
"Bash(make check:*)"
],
"ask": [
"Bash(git add:*)",
"Bash(git commit:*)",
"Bash(git push:*)",
"Bash(git pull:*)",
"Bash(git merge:*)",
"Bash(git rebase:*)",
"Bash(git reset:*)",
"Bash(git checkout:*)",
"Bash(git switch:*)",
"Bash(npm install:*)",
"Bash(npm publish:*)",
"Bash(pip install:*)",
"Bash(pip uninstall:*)",
"Bash(cargo install:*)",
"Bash(go install:*)",
"Bash(mkdir:*)",
"Bash(rm:*)",
"Bash(mv:*)",
"Bash(cp:*)",
"Bash(touch:*)",
"Bash(chmod:*)",
"Bash(chown:*)"
],
"deny": [
"Read(./.env)",
"Read(./.env.*)",
"Read(~/.ssh/**)",
"Read(~/.aws/**)",
"Read(./secrets/**)",
"Read(**/credentials/**)",
"Write(/etc/**)",
"Write(/System/**)",
"Write(/usr/**)",
"Write(~/.ssh/**)",
"Write(~/.aws/**)",
"Bash(sudo:*)",
"Bash(su:*)",
"Bash(chmod 777:*)",
"Bash(chmod -R 777:*)",
"Bash(curl*|*bash)",
"Bash(wget*|*bash)",
"Bash(eval:*)",
"Bash(exec:*)",
"Bash(dd:*)",
"Bash(mkfs:*)",
"Bash(fdisk:*)",
"Bash(shutdown:*)",
"Bash(reboot:*)",
"Bash(kill -9 1)",
"Bash(killall:*)",
"Bash(rm -rf /)",
"Bash(rm -rf /*)",
"Bash(rm -rf ~)",
"Bash(:(){ :|:& };:)"
],
"disableBypassPermissionsMode": "disable"
},
"hooks": {
"PreToolUse": [
{
"matcher": "*",
"hooks": [
{
"type": "command",
"command": "MCP_AUTO_APPROVE=true python3 plugins/autonomous-dev/hooks/unified_pre_tool.py",
"timeout": 5
}
]
}
]
}
}