Command Risk Assessment
Every terminal command is scored with a 4-level risk system before execution.
Risk Levels
| Level | Auto-Approved? | Examples |
|---|---|---|
| Safe | Yes (if prefix whitelisted) | ls, cat, date, echo |
| Medium | After first approval | curl, git push, npm install |
| High | After first approval | rm, mv, chmod, kill |
| Critical | Never persisted (default) | sudo rm -rf, dd, mkfs |
Permission Modes
| Key | Type | Default | Description |
|---|---|---|---|
default | โ | โ | Safe/Medium/High approvals persist across restarts. Critical is per-session only. |
cautious | โ | โ | All approvals are per-session only. |
yolo | โ | โ | All approvals persist forever. |
Dangerous Constructs
Patterns that always elevate risk:
- Command substitution:
$(...)and backticks - Process substitution:
>(...),<(...) - Redirection:
>,>> - Multiple commands:
;,&&,|| - Pipes into shells or
sudo
Sensitive Path Detection
Commands referencing these files are automatically elevated:
.env— environment secrets- SSH keys:
id_rsa,id_ed25519 - Cloud configs:
.aws,.kube,.docker - System auth:
shadow,passwd,sudoers - Credentials:
master.key,.netrc,.pgpass
Hard Blocks (New)
Even before approval flow, broad or sensitive delete patterns are blocked, including risky rm -rf and find ... -delete targets.
Configuration
Set
terminal.permission_mode in config.toml. Default is "default".