Write Safe Policies
Policy is the control plane for local execution.
Minimal restrictive baseline
[policy]
allow_commands = [
"git status",
"git diff",
"pytest tests/test_parser.py"
]
max_diff_chars = 3000
max_file_read_chars = 3000
Design rules
- Prefer exact commands over broad prefixes.
- Keep allowlist short and repository-specific.
- Allow only commands you are willing to run manually.
Policy tuning loop
- Run narrow tasks.
- Inspect blocked actions in runlog.
- Add only minimal required allowlist entries.
- Re-run and verify no overbroad permissions were introduced.