# All *.toml files in ~/.config/lord-kali/ are loaded in lexicographic order.
# Rules from earlier files match first (first-match-wins priority).
# Split configs like 00-base.toml, 10-bash.toml, 20-groups.toml are supported.
# Hook logging: switched on, written to a .jsonl file under the user's state
# directory.
# NOTE(review): if entries record full command lines or fetched URLs they can
# contain tokens or credentials — confirm what is logged and keep the file
# readable by its owner only.
[log]
enabled = true
path = "~/.local/state/lord-kali/hook.jsonl"
# Commands allowed by name; unlike the [[bash.rules]] entries, nothing in this
# list constrains their arguments.
# NOTE(review): several entries are not read-only in practice:
#   - env, xargs, find, fd, awk and sed can start other programs, so commands
#     that the rules below deny or ask about (rm, rmdir, npm, npx) may still be
#     reachable through them unless the hook also evaluates the wrapped
#     command — confirm against the matcher.
#   - tee and sed can create or overwrite files.
#   - env and printenv print the whole environment, secrets included.
#   - ping produces outbound network traffic.
# Consider moving these to [[bash.rules]] entries with argument patterns or
# decision = "ask" instead of allowing them unconditionally.
[bash]
allowed_commands = [
"awk", "basename", "cat", "cut", "date", "df", "diff", "dirname",
"base64", "cd", "du", "echo", "env", "fd", "file", "find", "free", "grep",
"head", "htop", "id", "jq", "less", "ls", "lsof", "md5sum", "more",
"od", "pgrep", "ping", "printenv", "printf", "ps", "pwd", "realpath", "rg",
"sed", "sha256sum", "sort", "stat", "tail", "tee", "top", "tr", "tree",
"true", "type", "uname", "uniq", "uptime", "wc", "whereis", "which",
"whoami", "xargs", "xxd",
]
# Allow cargo fmt, build and test; the "{, **}" suffix appears to accept the
# subcommand alone or followed by any arguments.
# NOTE(review): build and test compile and run code from the working tree
# (build scripts, procedural macros, the tests themselves), so this rule lets
# project-supplied code run without a prompt. Consider limiting it to trusted
# checkouts with a `projects` list, as in the commented example further down.
[[bash.rules]]
command = "cargo"
args = "{fmt,build,test}{, **}"
decision = "allow"
# Allow a set of git subcommands, each with any trailing arguments.
# NOTE(review): most of these only read repository state, but not all of them:
#   - add changes the index;
#   - branch, tag and remote also create, delete or repoint refs and remotes
#     when given arguments, and "{, **}" places no limit on those arguments;
#   - fetch contacts whatever remotes are configured.
# If the intent is read-only access, narrow the patterns for those
# subcommands or move them to a separate rule with decision = "ask".
[[bash.rules]]
command = "git"
args = "{status,diff,log,show,branch,tag,remote,fetch,blame,shortlog,describe,rev-parse,ls-files,ls-tree,cat-file,reflog,stash list,stash show,add}{, **}"
decision = "allow"
# Deny "rm -rf ...". This rule must stay above the generic rm rule: the header
# of this file states that the first matching rule wins.
# NOTE(review): the pattern matches one spelling only. Equivalent invocations
# (flags in another order, given separately, in long form, or placed after the
# paths) presumably fall through to the "ask" rule below instead of being
# denied — confirm, and add patterns for them if a hard deny is intended.
[[bash.rules]]
command = "rm"
args = "-rf **"
decision = "deny"
reason = "No recursive force deletes"
# Every other rm invocation requires confirmation.
[[bash.rules]]
command = "rm"
decision = "ask"
reason = "rm can be dangerous, please ask."
# rmdir always requires confirmation.
[[bash.rules]]
command = "rmdir"
decision = "ask"
reason = "rmdir can be dangerous, please ask."
# npm is denied regardless of arguments; the reason text names pnpm as the
# replacement.
# NOTE(review): the rule keys on the command name. Whether it also applies when
# npm is started through an allowed wrapper or by an explicit path depends on
# the hook's matcher — confirm.
[[bash.rules]]
command = "npm"
decision = "deny"
reason = "Use pnpm instead of npm."
# npx is denied in the same way; the reason text names "pnpm dlx" instead.
[[bash.rules]]
command = "npx"
decision = "deny"
reason = "Use pnpm dlx instead of npx."
# Allow the project's validate and lint entry points, called directly or via
# "pnpm run".
# NOTE(review): these run scripts defined by the project's package.json, so the
# rule allows project-supplied commands without a prompt. Consider a `projects`
# list so that it applies to trusted checkouts only.
[[bash.rules]]
command = "pnpm"
args = "{validate,lint,run validate,run lint}{, **}"
decision = "allow"
# Allow pnpm's package inspection subcommands (ls, why, info, view).
# No other pnpm subcommand is matched by a rule in this file.
[[bash.rules]]
command = "pnpm"
args = "{ls,why,info,view}{, **}"
decision = "allow"
# Allow "docker logs" with any arguments; no other docker subcommand is
# matched by a rule in this file.
# NOTE(review): container logs may contain credentials or personal data that
# then enter the session transcript and, if commands are recorded, the hook log.
[[bash.rules]]
command = "docker"
args = "logs{, **}"
decision = "allow"
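# Allow fetching any URL that has no query string.
# The pattern is anchored explicitly so the rule holds even if the matcher
# searches for a match instead of requiring the whole URL to match: without
# anchors, "[^?]*" also matches the empty string and would accept every URL,
# query string or not.
# NOTE(review): this still allows plain http, any host (loopback, link-local
# and internal addresses included) and arbitrary path content, so data can
# leave in the path as easily as in a query. Consider replacing it with a
# per-host allow-list using glob rules of the form shown in the commented
# group example at the end of this file.
[[web-fetch.rules]]
url = "/^[^?]*$/"
decision = "allow"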
# Per-rule project scoping: restrict a rule to specific directories
#
# [[bash.rules]]
# command = "cargo"
# args = "publish{, **}"
# decision = "deny"
# projects = ["~/projects/my-rust-project"]
# Group-scoped overrides: all rules in a group inherit its projects.
# Rules within a group can add extra projects (union with group's).
#
# [[group]]
# projects = ["~/projects/my-rust-project", "~/projects/other"]
#
# [group.bash]
# allowed_commands = ["rustup"]
#
# [[group.bash.rules]]
# command = "cargo"
# args = "publish{, **}"
# decision = "deny"
# reason = "Do not publish from these projects"
#
# [[group.bash.rules]]
# command = "make"
# decision = "allow"
# projects = ["~/projects/third"]
# # effective projects = group's + ["~/projects/third"]
#
# [[group.web-fetch.rules]]
# url = "https://internal.example.com/**"
# decision = "allow"