pi-crew 0.2.25 → 0.3.1

package/src/runtime/iteration-hooks.ts

@@ -6,6 +6,7 @@
  */
 import { spawn } from "node:child_process";
 import * as fs from "node:fs";
+import * as path from "node:path";
 import { resolveShellForScript } from "../utils/resolve-shell.ts";
 import { sanitizeEnvSecrets } from "../utils/env-filter.ts";
 import { DENIED_METRIC_NAMES } from "./metric-parser.ts";
@@ -56,6 +57,25 @@ const MAX_STDOUT_BYTES = 8192;
 /** Hook execution timeout in milliseconds (30 seconds). */
 const HOOK_TIMEOUT_MS = 30_000;
 
+/**
+ * Validates that a hook script path is within an allowed directory.
+ * Allowed paths:
+ * - Relative paths starting with ".hooks/" (case-sensitive)
+ * - Absolute paths under $HOME/.pi/hooks/
+ * All other paths are rejected to prevent arbitrary script execution.
+ * @param hookPath - The hook script path to validate
+ * @returns true if the path is allowed, false otherwise
+ */
+export function isAllowedHookPath(hookPath: string): boolean {
+	if (!hookPath || hookPath.trim().length === 0) return false;
+	if (!path.isAbsolute(hookPath)) {
+		const normalized = path.normalize(hookPath);
+		return normalized === ".hooks" || normalized.startsWith(".hooks/");
+	}
+	const homeHooks = path.join(process.env.HOME ?? "", "", ".pi", "hooks");
+	return hookPath === homeHooks || hookPath.startsWith(homeHooks + path.sep);
+}
+
 /**
  * Create a not-fired result for when the hook script is absent or not executable.
  */
@@ -113,9 +133,9 @@ function isScriptRunnable(scriptPath: string): boolean {
  * Spawns `bash <script>` with the hook payload as JSON on stdin.
  * Captures stdout (capped at 8KB) and stderr. Enforces a 30-second timeout.
  *
- * **Security note:** The script path is user-configurable and executed with
- * minimal environment (PATH, HOME, USER, LANG). Only use with trusted script paths from
- * workspace-owned configuration. No path containment validation is performed.
+ * **Security note:** Hook paths are restricted to `.hooks/` relative paths
+ * or `$HOME/.pi/hooks/` absolute paths. All other paths are rejected before
+ * execution.
  *
  * @param payload - Structured hook payload
  * @param hookScriptPath - Absolute or relative path to the hook script
@@ -126,7 +146,12 @@ export async function runIterationHook(
 	hookScriptPath: string,
 	options?: { timeoutMs?: number },
 ): Promise<HookResult> {
-	if (!isScriptRunnable(hookScriptPath)) {
+	if (!isAllowedHookPath(hookScriptPath)) {
+		return { fired: false, stdout: "", stderr: "hook path not allowed: " + hookScriptPath, exitCode: null, timedOut: false, durationMs: 0 };
+	}
+	// Resolve relative paths relative to cwd
+	const resolvedScript = path.isAbsolute(hookScriptPath) ? hookScriptPath : path.join(payload.cwd, hookScriptPath);
+	if (!isScriptRunnable(resolvedScript)) {
 		return notFiredResult();
 	}
 
@@ -136,7 +161,7 @@ export async function runIterationHook(
 	const stderrChunks: Buffer[] = [];
 
 	return new Promise<HookResult>((resolve) => {
-		const { command, args } = resolveShellForScript(hookScriptPath);
+		const { command, args } = resolveShellForScript(resolvedScript);
 		const child = spawn(command, args, {
 			cwd: payload.cwd,
 			env: { ...sanitizeEnvSecrets(process.env, { allowList: ["PATH", "HOME", "USER", "USERPROFILE", "TEMP", "TMP", "TMPDIR", "LANG", "LC_ALL", "ComSpec", "SystemRoot", "PI_*"] }), PI_CREW_HOOK: "1" },
@@ -264,4 +289,4 @@ export function hookLogEntry(
 	}
 
 	return entry;
-}
+}

package/src/runtime/live-agent-manager.ts

@@ -145,12 +145,12 @@ export async function terminateLiveAgent(agentIdOrTaskId: string, status: CrewAg
 	if (!handle) return undefined;
 	handle.status = status;
 	handle.updatedAt = new Date().toISOString();
-	liveAgents.delete(handle.agentId);
 	try { if (eventLogFn && eventsPath) eventLogFn(eventsPath, { type: "live_agent.terminated", runId: handle.runId, taskId: handle.taskId, message: `Live agent terminated: ${handle.agent} status=${status}`, data: { agentId: handle.agentId, status, role: handle.role, workspaceId: handle.workspaceId } }); } catch { /* non-critical */ }
 	try {
 		await handle.session.abort?.();
 	} finally {
 		safeDisposeLiveSession(handle);
+		liveAgents.delete(handle.agentId);  // Move AFTER abort completes to prevent race
 	}
 	return handle;
 }

package/src/runtime/role-permission.ts

@@ -1,3 +1,5 @@
+import { isSensitivePath } from "./sensitive-paths.ts";
+
 export type RolePermissionMode = "read_only" | "workspace_write" | "danger_full_access" | "explicit_confirm";
 
 const READ_ONLY_ROLES = new Set(["explorer", "reviewer", "security-reviewer", "verifier", "analyst", "critic", "planner", "writer"]);
@@ -21,8 +23,12 @@ export function isReadOnlyCommand(command: string): boolean {
 	return READ_ONLY_COMMANDS.has(first) && !/\s(-i|--in-place)\b|\s>{1,2}\s|\brm\b|\bmv\b|\bcp\b|\b(?:npm|pnpm|yarn|bun)\s+(install|add|ci|remove)\b|\bgit\s+(commit|push|merge|rebase|reset|checkout|clean)\b/.test(command);
 }
 
-export function checkRolePermission(role: string, command: string): PermissionCheckResult {
+export function checkRolePermission(role: string, command: string, filePath?: string): PermissionCheckResult {
 	const mode = permissionForRole(role);
+	// Also block access to known sensitive paths even for read-only commands
+	if (filePath && isSensitivePath(filePath)) {
+		return { allowed: false, mode, reason: `Path '${filePath}' is sensitive (credentials, SSH keys, etc.) — access denied for all roles.` };
+	}
 	if (mode === "read_only" && !isReadOnlyCommand(command)) return { allowed: false, mode, reason: `Role '${role}' is read-only and command may modify state.` };
 	return { allowed: true, mode };
 }

package/src/runtime/tool-progress.ts

@@ -0,0 +1,281 @@
+/**
+ * Tool Progress Event System
+ * 
+ * Provides real-time visibility into tool execution within child Pi workers.
+ * 
+ * Event flow:
+ * 1. Child Pi emits JSON events on stdout (tool_execution_start, tool_execution_end, etc.)
+ * 2. child-pi.ts parses these events and passes them to onJsonEvent callback
+ * 3. task-runner.ts calls applyAgentProgressEvent() to update task state
+ * 4. This module provides structured types and utilities for the event system
+ */
+
+import type { CrewAgentProgress } from "../state/types.ts";
+
+// ── Event Types ─────────────────────────────────────────────────────────
+
+export interface ToolExecutionStartEvent {
+	type: "tool_execution_start";
+	toolName: string;
+	toolCallId: string;
+	args?: Record<string, unknown>;
+	timestamp: number;
+}
+
+export interface ToolExecutionEndEvent {
+	type: "tool_execution_end";
+	toolName: string;
+	toolCallId: string;
+	result?: unknown;
+	timestamp: number;
+}
+
+export interface ToolExecutionUpdateEvent {
+	type: "tool_execution_update";
+	toolName: string;
+	toolCallId: string;
+	partialResult?: unknown;
+	timestamp: number;
+}
+
+export interface ToolExecutionErrorEvent {
+	type: "tool_execution_error" | "tool_execution_failed";
+	toolName: string;
+	toolCallId: string;
+	error?: string;
+	timestamp: number;
+}
+
+export interface MessageEndEvent {
+	type: "message_end";
+	message: {
+		role: "assistant" | "user" | "system";
+		content?: unknown[];
+		usage?: UsageStats;
+		model?: string;
+		stopReason?: string;
+	};
+	timestamp: number;
+}
+
+export interface UsageStats {
+	input: number;
+	output: number;
+	cacheRead?: number;
+	cacheWrite?: number;
+	cost?: { total: number };
+	turns?: number;
+	totalTokens?: number;
+}
+
+// Union type of all tool progress events
+export type ToolProgressEvent =
+	| ToolExecutionStartEvent
+	| ToolExecutionEndEvent
+	| ToolExecutionUpdateEvent
+	| ToolExecutionErrorEvent
+	| MessageEndEvent;
+
+// ── Event Utilities ───────────────────────────────────────────────────────
+
+/**
+ * Extract tool name from any event type
+ */
+export function getToolName(event: ToolProgressEvent): string | undefined {
+	if ("toolName" in event) return event.toolName;
+	return undefined;
+}
+
+/**
+ * Check if event indicates tool is running
+ */
+export function isToolRunning(event: ToolProgressEvent): boolean {
+	return event.type === "tool_execution_start";
+}
+
+/**
+ * Check if event indicates tool completed
+ */
+export function isToolComplete(event: ToolProgressEvent): boolean {
+	return event.type === "tool_execution_end";
+}
+
+/**
+ * Check if event indicates tool failed
+ */
+export function isToolError(event: ToolProgressEvent): boolean {
+	return event.type === "tool_execution_error" || event.type === "tool_execution_failed";
+}
+
+/**
+ * Get usage stats from message_end event
+ */
+export function getUsage(event: ToolProgressEvent): UsageStats | undefined {
+	if (event.type === "message_end" && event.message?.usage) {
+		return event.message.usage as UsageStats;
+	}
+	return undefined;
+}
+
+// ── Progress Display ──────────────────────────────────────────────────────
+
+export interface ToolProgressDisplay {
+	/** Current/last tool being executed */
+	currentTool?: string;
+	/** Preview of tool arguments (truncated) */
+	currentToolArgs?: string;
+	/** When tool started */
+	currentToolStartedAt?: string;
+	/** All recent tools with their args */
+	recentTools: Array<{
+		tool: string;
+		args?: string;
+		startedAt?: string;
+		endedAt?: string;
+		status: "running" | "done" | "error";
+	}>;
+	/** Token usage snapshot */
+	tokens?: number;
+	/** Context window usage percentage */
+	contextPercent?: number;
+	/** Total tool count */
+	toolCount: number;
+	/** Last activity timestamp */
+	lastActivityAt?: string;
+	/** Activity state */
+	activityState: "active" | "idle" | "done";
+}
+
+/**
+ * Format tool progress for display
+ */
+export function formatToolProgress(progress: CrewAgentProgress, maxContextTokens = 128000): ToolProgressDisplay {
+	const recentTools = progress.recentTools.map((t) => ({
+		tool: t.tool,
+		args: t.args,
+		startedAt: t.startedAt,
+		endedAt: t.endedAt,
+		status: t.endedAt ? "done" : "running" as const,
+	}));
+
+	// If there's a currentTool but no endedAt, it's still running
+	const currentRunning = progress.recentTools.find(
+		(t) => !t.endedAt && t.tool === progress.currentTool,
+	);
+	if (currentRunning && progress.currentTool) {
+		recentTools.push({
+			tool: progress.currentTool,
+			args: progress.currentToolArgs,
+			startedAt: progress.currentToolStartedAt,
+			status: "running",
+		});
+	}
+
+	const tokens = progress.tokens ?? 0;
+	const contextPercent = maxContextTokens > 0 ? Math.round((tokens / maxContextTokens) * 100) : 0;
+
+	return {
+		currentTool: progress.currentTool,
+		currentToolArgs: progress.currentToolArgs,
+		currentToolStartedAt: progress.currentToolStartedAt,
+		recentTools,
+		tokens,
+		contextPercent,
+		toolCount: progress.toolCount,
+		lastActivityAt: progress.lastActivityAt,
+		activityState: progress.activityState as "active" | "idle" | "done",
+	};
+}
+
+/**
+ * Format a single line summary of current tool
+ */
+export function formatCurrentToolLine(progress: CrewAgentProgress): string {
+	if (!progress.currentTool) return "";
+	
+	const args = progress.currentToolArgs 
+		? ` ${progress.currentToolArgs.slice(0, 50)}${progress.currentToolArgs.length > 50 ? "..." : ""}`
+		: "";
+	
+	const toolCount = progress.toolCount > 0 ? ` (${progress.toolCount})` : "";
+	
+	return `${progress.currentTool}${args}${toolCount}`;
+}
+
+/**
+ * Format token usage for display
+ */
+export function formatTokenUsage(progress: CrewAgentProgress, maxTokens = 128000): string {
+	const tokens = progress.tokens ?? 0;
+	const percent = maxTokens > 0 ? Math.round((tokens / maxTokens) * 100) : 0;
+	return `${tokens.toLocaleString()} / ${maxTokens.toLocaleString()} (${percent}%)`;
+}
+
+// ── Progress Bar Rendering ────────────────────────────────────────────────
+
+export interface ProgressBarOptions {
+	width?: number;
+	showPercent?: boolean;
+	showCount?: boolean;
+}
+
+/**
+ * Render a progress bar for tool execution
+ */
+export function renderProgressBar(
+	progress: CrewAgentProgress,
+	options: ProgressBarOptions = {},
+): string {
+	const width = options.width ?? 20;
+	const showPercent = options.showPercent ?? true;
+	const showCount = options.showCount ?? true;
+
+	// Calculate based on recent tools (max 10)
+	const recentCount = Math.min(progress.recentTools.length, 10);
+	const filled = Math.round((recentCount / 10) * width);
+	const empty = width - filled;
+
+	const bar = "█".repeat(filled) + "░".repeat(empty);
+	const percent = showPercent ? ` ${progress.toolCount} tools` : "";
+	const tokens = progress.tokens 
+		? ` | ${(progress.tokens / 1000).toFixed(1)}k tokens` 
+		: "";
+
+	return `[${bar}]${percent}${tokens}`;
+}
+
+// ── Event Filtering ──────────────────────────────────────────────────────
+
+/**
+ * Filter events to only tool execution events
+ */
+export function filterToolEvents(events: ToolProgressEvent[]): ToolProgressEvent[] {
+	return events.filter(
+		(e) =>
+			e.type === "tool_execution_start" ||
+			e.type === "tool_execution_end" ||
+			e.type === "tool_execution_update" ||
+			e.type === "tool_execution_error" ||
+			e.type === "tool_execution_failed",
+	);
+}
+
+/**
+ * Get events for a specific tool
+ */
+export function getEventsForTool(
+	events: ToolProgressEvent[],
+	toolName: string,
+): ToolProgressEvent[] {
+	return events.filter((e) => {
+		if ("toolName" in e) return e.toolName === toolName;
+		return false;
+	});
+}
+
+/**
+ * Check if any event indicates an error
+ */
+export function hasError(events: ToolProgressEvent[]): boolean {
+	return events.some(isToolError);
+}

package/src/tools/safe-bash-extension.ts

@@ -0,0 +1,95 @@
+/**
+ * Safe Bash Extension for pi-crew
+ * Wraps the built-in bash tool with dangerous command blocking
+ * 
+ * Usage:
+ * 1. Enable in config: { "tools": { "bash": { "safeMode": true } } }
+ * 2. Or use via agent config: { "extensions": ["path/to/safe-bash-extension.ts"] }
+ * 3. Or set env var: PI_CREW_SAFE_BASH=true
+ */
+
+import type { ExtensionAPI } from "@mariozechner/pi-coding-agent";
+import { createBashTool } from "@mariozechner/pi-coding-agent";
+import { Type } from "@sinclair/typebox";
+import * as path from "node:path";
+
+// Dangerous command patterns to block
+const DANGEROUS_PATTERNS = [
+	// rm -rf on root or home
+	/\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?(-[a-zA-Z]*r[a-zA-Z]*\s+)?(\/|~\/?\s|~\/?\b)/,
+	/\brm\s+(-[a-zA-Z]*r[a-zA-Z]*\s+)?(-[a-zA-Z]*f[a-zA-Z]*\s+)?(\/|~\/?\s|~\/?\b)/,
+	// Privilege escalation
+	/\bsudo\b/,
+	/\bsu\s+root\b/,
+	// Filesystem destruction
+	/\bmkfs\b/,
+	/\bdd\s+if=/,
+	// Fork bomb
+	/:\(\)\s*\{\s*:\|:&\s*\}\s*;:/,
+	// Device writing
+	/>\s*\/dev\/[sh]d[a-z]/,
+	/\bchmod\s+(-[a-zA-Z]+\s+)?777\s+\//,
+	/\bchown\s+(-[a-zA-Z]+\s+)?root/,
+	// Pipe to shell (download and execute)
+	/\bcurl\s.*\|\s*(ba)?sh/i,
+	/\bwget\s.*\|\s*(ba)?sh/i,
+	// System shutdown/reboot
+	/\bshutdown\b/,
+	/\breboot\b/,
+	/\binit\s+0\b/,
+	// Kill critical processes
+	/\bkill\s+-9\s+1\b/,
+	/\bkillall\b/,
+	// Encoded commands
+	/\|\s*base64\s+-d/,
+	// Network to shell
+	/\bbash\s+-i\s+>\s*\&/,
+	// /etc/passwd manipulation
+	/\becho\s+.*>\s*\/etc\/passwd/,
+];
+
+function isDangerous(command: string): string | null {
+	const normalized = command.replace(/\\\n/g, " ").replace(/\s+/g, " ").trim();
+	for (const pattern of DANGEROUS_PATTERNS) {
+		if (pattern.test(normalized)) {
+			return `Command blocked: matches dangerous pattern \`${pattern}\``;
+		}
+	}
+	return null;
+}
+
+export default function safeBashExtension(pi: ExtensionAPI): void {
+	const cwd = pi.context?.cwd || process.cwd();
+	const bashTool = createBashTool(cwd);
+
+	pi.registerTool({
+		name: "safe_bash",
+		label: "Safe Bash",
+		description:
+			"Execute a bash command safely. Blocks dangerous commands like `rm -rf /`, `sudo`, `curl | sh`, etc.",
+		parameters: Type.Object({
+			command: Type.String({ description: "Bash command to execute" }),
+			timeout: Type.Optional(
+				Type.Number({ description: "Timeout in seconds (optional)" }),
+			),
+			description: Type.Optional(
+				Type.String({ description: "Description of what this command does (optional)" }),
+			),
+		}),
+		async execute(toolCallId, params, signal, onUpdate) {
+			const danger = isDangerous(params.command);
+			if (danger) {
+				return {
+					content: [
+						{
+							type: "text" as const,
+							text: `🚫 ${danger}\n\nIf you need to run this command, use the regular 'bash' tool instead, but be careful!`,
+						},
+					],
+				};
+			}
+			// Safe - delegate to real bash tool
+			return bashTool.execute(toolCallId, params, signal, onUpdate);
+		},
+	});
+}

package/src/tools/safe-bash.ts

@@ -0,0 +1,188 @@
+/**
+ * Safe Bash Tool for pi-crew
+ * Wraps bash with dangerous command blocking
+ */
+
+import { Type } from "@sinclair/typebox";
+
+// Dangerous command patterns to block
+const DANGEROUS_PATTERNS = [
+	// rm -rf / or rm -rf ~ (catastrophic root/home deletion)
+	/\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*\s*)+(\/|~)(\s*$)/,
+	/\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*\s*)+(\/|~)($|\s)/,
+	// Privilege escalation
+	/\bsudo\b/,
+	/\bsu\s+root\b/,
+	// Filesystem destruction
+	/\bmkfs\b/,
+	/\bdd\s+if=/,
+	// Fork bomb
+	/^:\s*\(\s*\)\s*\{.*\|.*&.*\}\s*;.*$/,
+	// Device writing
+	/>\s*\/dev\/[sh]d[a-z]/,
+	/\bchmod\s+(-[a-zA-Z]+\s+)?777\s+\//,
+	/\bchown\s+(-[a-zA-Z]+\s+)?root/,
+	// Pipe to shell (download and execute)
+	/\bcurl\s.*\|\s*(ba)?sh/i,
+	/\bwget\s.*\|\s*(ba)?sh/i,
+	// System shutdown/reboot
+	/\bshutdown\b/,
+	/\breboot\b/,
+	/\binit\s+0\b/,
+	// Kill critical processes
+	/\bkill\s+-9\s+1\b/,
+	/\bkillall\b/,
+	// Encoded commands
+	/\|\s*base64\s+-d/,
+	/\|\s*python.*-c/,
+	/\|\s*perl.*-e/,
+	/\|\s*ruby.*-e/,
+	// Network to shell
+	/\bbash\s+-i\s+>\s*\&/,
+	/\bexec\s+.*bash/,
+	// /etc/passwd manipulation
+	/\becho\s+.*>\s*\/etc\/passwd/,
+	/\bcat\s+.*>\s*\/etc\/passwd/,
+];
+
+export interface SafeBashOptions {
+	/** Enable/disable safe mode. Default: true */
+	enabled?: boolean;
+	/** Additional patterns to block */
+	additionalPatterns?: RegExp[];
+	/** Patterns to allow (overrides blocked) */
+	allowPatterns?: RegExp[];
+}
+
+const DEFAULT_ENABLED = true;
+
+/**
+ * Check if a command is dangerous
+ * @returns Error message if dangerous, null if safe
+ */
+export function isDangerous(command: string, options: SafeBashOptions = {}): string | null {
+	const { enabled = DEFAULT_ENABLED, additionalPatterns = [], allowPatterns = [] } = options;
+
+	if (!enabled) return null;
+
+	// Normalize: remove line continuations, collapse whitespace
+	const normalized = command.replace(/\\\n/g, " ").replace(/\s+/g, " ").trim();
+
+	// Check allow patterns first (overrides)
+	for (const pattern of allowPatterns) {
+		if (pattern.test(normalized)) {
+			return null; // Explicitly allowed
+		}
+	}
+
+	// Check dangerous patterns
+	const allPatterns = [...DANGEROUS_PATTERNS, ...additionalPatterns];
+	for (const pattern of allPatterns) {
+		if (pattern.test(normalized)) {
+			return `Command blocked by safe_bash: matches dangerous pattern \`${pattern}\``;
+		}
+	}
+
+	return null;
+}
+
+/**
+ * Validate a bash command before execution
+ * Throws if dangerous
+ */
+export function validateCommand(command: string, options: SafeBashOptions = {}): void {
+	const danger = isDangerous(command, options);
+	if (danger) {
+		throw new Error(danger);
+	}
+}
+
+/**
+ * Create a safe bash tool wrapper
+ * Returns an object with validation function and patterns for integration
+ */
+export function createSafeBash(options: SafeBashOptions = {}) {
+	return {
+		/**
+		 * Validate a command. Throws if dangerous.
+		 */
+		validate(command: string): void {
+			validateCommand(command, options);
+		},
+
+		/**
+		 * Check if a command is dangerous without throwing
+		 */
+		check(command: string): string | null {
+			return isDangerous(command, options);
+		},
+
+		/**
+		 * Get all active patterns (for debugging/config display)
+		 */
+		getPatterns(): { dangerous: RegExp[]; additional: RegExp[]; allow: RegExp[] } {
+			return {
+				dangerous: [...DANGEROUS_PATTERNS],
+				additional: options.additionalPatterns || [],
+				allow: options.allowPatterns || [],
+			};
+		},
+
+		/**
+		 * Check if safe mode is enabled
+		 */
+		isEnabled(): boolean {
+			return options.enabled !== false;
+		},
+	};
+}
+
+/**
+ * Common safe commands that are often blocked but might be needed
+ * These can be used in allowPatterns for specific use cases
+ */
+export const COMMON_SAFE_PATTERNS = {
+	// Safe rm with specific paths
+	safeRm: /\brm\s+(-[a-zA-Z]*f[a-zA-Z]*\s+)?((?![\/~])\/)?(tmp|cache|node_modules|dist|build)\//,
+	// Safe git operations
+	safeGit: /\bgit\s+(clone|pull|push|commit|add|status|diff|log|branch|checkout|merge|rebase)/,
+	// Safe npm/yarn/pnpm
+	safePackage: /\b(npm|yarn|pnpm|bun)\s+(install|run|test|build|start|dev)/,
+	// Safe file read
+	safeRead: /\b(cat|head|tail|less|more|grep|find|ls)\s/,
+};
+
+/**
+ * Preset configurations for different trust levels
+ */
+export const SAFE_BASH_PRESETS = {
+	/** Maximum security - block everything suspicious */
+	strict: {
+		enabled: true,
+		additionalPatterns: [],
+		allowPatterns: [],
+	},
+	/** Moderate - allow common dev operations */
+	development: {
+		enabled: true,
+		additionalPatterns: [],
+		allowPatterns: [COMMON_SAFE_PATTERNS.safePackage],
+	},
+	/** Minimal - only block catastrophic commands */
+	permissive: {
+		enabled: true,
+		additionalPatterns: [],
+		allowPatterns: [
+			COMMON_SAFE_PATTERNS.safeRm,
+			COMMON_SAFE_PATTERNS.safeGit,
+			COMMON_SAFE_PATTERNS.safePackage,
+			COMMON_SAFE_PATTERNS.safeRead,
+		],
+	},
+	/** No safety checks */
+	disabled: {
+		enabled: false,
+		additionalPatterns: [],
+		allowPatterns: [],
+	},
+};