Pipeline · Phase 1
Allowlist Gate — known-safe commands pass instantly.
Read-only, navigation, and project-scoped commands (git status, ls, npm test, …) match a built-in trie and a user-defined extension list. The match itself is free; what happens next depends on allowlist_mode.
| Property | Value |
|---|---|
| Latency | <1ms |
| Scope | Guarded tools only |
| Type | Gate (no score emitted) |
| Weight | — |
| Short-circuit | match + allowlist_mode: exit → allow · else continue to Phase 2 |
Built-in safe commands
| Category | Commands |
|---|---|
| Basic | ls, echo, pwd, whoami, date, hostname, uname, tree, du, df, sort, uniq, diff, cd |
| Read | cat, head, tail, wc, grep, find, which, type |
| File ops | mkdir, cp, mv, touch |
| Git | git status, log, diff, branch, show, remote, clone, checkout, pull, fetch, merge, add, commit, push |
| Package managers | npm install, npm run, npm test, npm ci, npm start, npx, yarn, pnpm, pip install, pip3 install |
| Build & run | node, python, tsc, go build, go run, cargo build, cargo run, cargo test, make, … |
Allowlist is bypassed when shell metacharacters appear
A command that matches the safe list is allowed only if it contains no shell metacharacters (;, |, &, `, $, (, ), {, }) and accesses no sensitive paths. For example, git status; rm -rf / does NOT match — Phase 2 still runs.
Configuration
- guard.allowed_commands — extra command prefixes treated as safe (additional to the built-ins).
- guard.allowlist_mode — continue (default; record a hint, still run Phases 2–6) or exit (instant allow, skip later phases).
Why continue is the default
continue is the default so that the external/LLM policy in Phases 5–6 can't be bypassed by the built-in safe list. If you don't run external policy and want maximum speed on common commands, switch to exit:
```yaml
guard:
  allowed_commands: ["pnpm ", "bun "]
  allowlist_mode: exit
```
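The sketch below is an added example, not the project's own code. It shows how the metacharacter rule, the sensitive-path rule, and allowlist_mode combine into one gate decision. The function names, the SENSITIVE markers, the shortened BUILTIN list, and the word-boundary prefix match are assumptions made for illustration.

```python
# Added illustration of the Phase 1 gate; not the project's own code.
META = set(";|&`$(){}")  # the metacharacters listed on the page

# Subset of the built-in safe list (sample chosen for this example).
BUILTIN = ["git status", "ls", "cat", "npm test"]

# Hypothetical sensitive-path markers: the page does not list the real ones.
SENSITIVE = ("/etc/shadow", ".ssh/", ".env")


def matches_prefix(command, prefix):
    """Assumed word-boundary prefix match, so 'ls' does not match 'lsof'."""
    return (command + " ").startswith(prefix.rstrip() + " ")


def allowlist_gate(command, allowed_commands=(), allowlist_mode="continue"):
    """Return (decision, reason); decision is 'allow' or 'continue'."""
    cmd = command.strip()
    if any(ch in META for ch in cmd):
        return "continue", "shell metacharacter"
    if any(marker in cmd for marker in SENSITIVE):
        return "continue", "sensitive path"
    if not any(matches_prefix(cmd, p) for p in [*BUILTIN, *allowed_commands]):
        return "continue", "no allowlist match"
    if allowlist_mode == "exit":
        return "allow", "allowlist match"      # later phases are skipped
    return "continue", "allowlist hint"        # Phases 2-6 still run


if __name__ == "__main__":
    extra = ["pnpm ", "bun "]  # same values as the config on the page
    for sample in ["git status", "git status; rm -rf /", "pnpm install",
                   "lsof -i", "cat ~/.ssh/id_rsa"]:
        print(f"{sample!r:28} -> {allowlist_gate(sample, extra, 'exit')}")
```

Only a clean match combined with allowlist_mode: exit returns allow; every other path falls through to the later phases.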