Two distinct false-positive classes seen in the wild:
- string-literal context: "shutdown" matched inside echo labels like 'echo "=== broker shutdown ==="'. Tighten to require flag/now/+ or start-of-command / chained-command position.
- search-pattern context: 'rg ... "rm -rf" file | head' triggered the rule because the destructive substring lived inside a regex pattern. Add an is_pure_search_or_print_command exemption macro guarded against command chaining (&&, ||, ;, $(, backticks). Pipes are allowed; the xargs rm -rf gap is documented and accepted.
Tightens 'sudo rm' -> 'sudo rm ' (trailing space) for consistency.
Static per build, derived from cfg!(target_os = ...). Lets rules condition on the host OS without parsing the payload — needed by upcoming self-protection rules whose path patterns differ between Unix and Windows installs.
Three rule families in a new Section 7:
- Deny destructive premptictl subcommands (stop / restart / disable / uninstall / daemon / hook remove / mode <arg>); read-only subcommands stay allowed.
- Deny per-OS service-stop alternatives, gated on agent.os: systemd stop/disable on Linux, launchctl unload/bootout on macOS, taskkill / Stop-Service / Run-key delete on Windows, plus pkill/killall against falco.
- Deny Write/Edit under the Prempti install prefix and on ~/.claude/settings.json; ASK before Read of settings.json.
Prempti only sees agent-initiated tool calls; users invoke premptictl in their own shell, so denying these patterns from the agent does not block legitimate user operations.
…ings.local.json
Address findings on the rules-hardening branch:
- is_likely_destructive_command had been narrowed too far. Re-add
coverage for sudo / absolute-path / systemctl wrappers around
reboot/halt/shutdown (sudo reboot, /sbin/reboot, systemctl reboot,
systemctl poweroff, etc.) while keeping the bare 'shutdown' echo
prose out.
- is_prempti_install_path on Windows was overbroad ('/prempti/'
matched any repo dir named prempti). Tighten to require
'/AppData/Local/prempti/' (case-insensitive via icontains).
- is_claude_settings_path now matches both settings.json and
settings.local.json — Claude Code reads hooks from either file,
so the deny was bypassable via the .local variant.
Document the new agent.os field in CLAUDE.md, rules/README.md,
plugins/coding-agents-plugin/README.md, and the plugin SPEC.md.
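
The matching behaviour described in the first commit message (string-literal and search-pattern false positives) and in the review follow-up (sudo / absolute-path / systemctl wrappers) can be modelled as follows. This is an added Python illustration, not the project's rule code or rule syntax; the two function names mirror the macros named above, while the regexes, the tool list and the sample commands are assumptions constructed for the example.

```python
import re

# Illustrative Python model of the matching logic, not the project's rule syntax.
# Chaining guards listed in the commit message: &&, ||, ;, $( and backticks.
CHAIN = re.compile(r"&&|\|\||;|\$\(|`")
# Assumed set of search/print tools; the page itself names only rg and echo.
SEARCH_OR_PRINT = {"rg", "grep", "echo", "printf"}
# Power verbs at start-of-command or chained-command position, optionally
# behind sudo, an absolute path, or systemctl.
POWER_AT_CMD = re.compile(
    r"(?:^|&&|\|\||;)\s*(?:sudo\s+)?(?:/\S*/)?(?:systemctl\s+)?"
    r"(?:reboot|halt|poweroff|shutdown)\b"
)
# 'shutdown' anywhere else counts only when followed by a flag, 'now' or '+'.
SHUTDOWN_ARGS = re.compile(r"\bshutdown\s+(?:-|now\b|\+)")
# Substring patterns from the page, including the trailing space on 'sudo rm '.
RM_SUBSTRINGS = ("rm -rf", "sudo rm ")


def is_pure_search_or_print_command(cmd: str) -> bool:
    """First word is a search/print tool and nothing is chained; pipes pass."""
    words = cmd.split()
    return bool(words) and words[0] in SEARCH_OR_PRINT and not CHAIN.search(cmd)


def is_likely_destructive_command(cmd: str) -> bool:
    hit = (
        POWER_AT_CMD.search(cmd) is not None
        or SHUTDOWN_ARGS.search(cmd) is not None
        or any(s in cmd for s in RM_SUBSTRINGS)
    )
    # The exemption only applies to an unchained search/print command.
    return hit and not is_pure_search_or_print_command(cmd)


# Constructed sample commands paired with the verdict the commit messages call for.
SAMPLES = [
    ('echo "=== broker shutdown ==="', False),    # string-literal context
    ('rg -n "rm -rf" deploy.sh | head', False),   # search-pattern context
    ("rg TODO src && rm -rf build", True),        # chaining voids the exemption
    ("echo $(rm -rf build)", True),               # command substitution too
    ("sudo reboot", True),
    ("/sbin/reboot", True),
    ("systemctl poweroff", True),
    ("shutdown -h now", True),
]

if __name__ == "__main__":
    for cmd, _ in SAMPLES:
        print(f"{is_likely_destructive_command(cmd)!s:5}  {cmd}")
```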
No description provided.