Write Safe Policies

Policy is the control plane for local execution.

Minimal restrictive baseline

[policy]
allow_commands = [
  "git status",
  "git diff",
  "pytest tests/test_parser.py"
]
max_diff_chars = 3000
max_file_read_chars = 3000

Design rules

  • Prefer exact commands over broad prefixes.
  • Keep allowlist short and repository-specific.
  • Allow only commands you are willing to run manually.

Policy tuning loop

  1. Run narrow tasks.
  2. Inspect blocked actions in runlog.
  3. Add only minimal required allowlist entries.
  4. Re-run and verify no overbroad permissions were introduced.