tweek 0.3.1__py3-none-any.whl → 0.4.1__py3-none-any.whl

tweek/cli_vault.py

@@ -0,0 +1,313 @@
+#!/usr/bin/env python3
+"""
+Tweek CLI — Vault and License command groups.
+
+Extracted from cli.py to keep the main CLI module manageable.
+"""
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Optional
+
+import click
+
+from rich.table import Table
+
+from tweek.cli_helpers import console, TWEEK_BANNER
+
+
+# ============================================================
+# VAULT COMMANDS
+# ============================================================
+
+@click.group()
+def vault():
+    """Manage credentials in secure storage (Keychain on macOS, Secret Service on Linux)."""
+    pass
+
+
+@vault.command("store",
+    epilog="""\b
+Examples:
+  tweek vault store myskill API_KEY                Prompt for value securely
+  tweek vault store myskill API_KEY sk-abc123      Store an API key (visible in history!)
+"""
+)
+@click.argument("skill")
+@click.argument("key")
+@click.argument("value", required=False, default=None)
+def vault_store(skill: str, key: str, value: Optional[str]):
+    """Store a credential securely for a skill."""
+    from tweek.vault import get_vault, VAULT_AVAILABLE
+    from tweek.platform import get_capabilities
+
+    if not VAULT_AVAILABLE:
+        console.print("[red]\u2717[/red] Vault not available.")
+        console.print("  [white]Hint: Install keyring support: pip install keyring[/white]")
+        console.print("  [white]On macOS, keyring uses Keychain. On Linux, install gnome-keyring or kwallet.[/white]")
+        return
+
+    caps = get_capabilities()
+
+    # If value not provided as argument, prompt securely (avoids shell history exposure)
+    if value is None:
+        value = click.prompt(f"Enter value for {key}", hide_input=True)
+        if not value:
+            console.print("[red]No value provided.[/red]")
+            return
+
+    try:
+        vault_instance = get_vault()
+        if vault_instance.store(skill, key, value):
+            console.print(f"[green]\u2713[/green] Stored {key} for skill '{skill}'")
+            console.print(f"[white]Backend: {caps.vault_backend}[/white]")
+        else:
+            console.print(f"[red]\u2717[/red] Failed to store credential")
+            console.print("  [white]Hint: Check your keyring backend is unlocked and accessible[/white]")
+    except Exception as e:
+        console.print(f"[red]\u2717[/red] Failed to store credential: {e}")
+        console.print("  [white]Hint: Check your keyring backend is unlocked and accessible[/white]")
+
+
+@vault.command("get",
+    epilog="""\b
+Examples:
+  tweek vault get myskill API_KEY        Retrieve a stored credential
+  tweek vault get deploy AWS_SECRET      Retrieve a deployment secret
+"""
+)
+@click.argument("skill")
+@click.argument("key")
+def vault_get(skill: str, key: str):
+    """Retrieve a credential from secure storage."""
+    from tweek.vault import get_vault, VAULT_AVAILABLE
+
+    if not VAULT_AVAILABLE:
+        console.print("[red]\u2717[/red] Vault not available.")
+        console.print("  [white]Hint: Install keyring support: pip install keyring[/white]")
+        return
+
+    vault_instance = get_vault()
+    value = vault_instance.get(skill, key)
+
+    if value is not None:
+        console.print(f"[yellow]GAH![/yellow] Credential access logged")
+        import sys as _sys
+        if not _sys.stdout.isatty():
+            console.print("[yellow]WARNING: stdout is piped — credential may be logged.[/yellow]", err=True)
+        console.print(value)
+    else:
+        console.print(f"[red]\u2717[/red] Credential not found: {key} for skill '{skill}'")
+        console.print("  [white]Hint: Store it with: tweek vault store {skill} {key} <value>[/white]".format(skill=skill, key=key))
+
+
+@vault.command("migrate-env",
+    epilog="""\b
+Examples:
+  tweek vault migrate-env --skill myapp                Migrate .env to vault
+  tweek vault migrate-env --skill myapp --dry-run      Preview without changes
+  tweek vault migrate-env --skill deploy --env-file .env.production   Migrate specific file
+"""
+)
+@click.option("--dry-run", is_flag=True, help="Show what would be migrated without doing it")
+@click.option("--env-file", default=".env", help="Path to .env file")
+@click.option("--skill", required=True, help="Skill name to store credentials under")
+def vault_migrate_env(dry_run: bool, env_file: str, skill: str):
+    """Migrate credentials from .env file to secure storage."""
+    from tweek.vault import get_vault, migrate_env_to_vault, VAULT_AVAILABLE
+
+    if not VAULT_AVAILABLE:
+        console.print("[red]\u2717[/red] Vault not available. Install keyring: pip install keyring")
+        return
+
+    env_path = Path(env_file)
+    console.print(f"[cyan]Scanning {env_path} for credentials...[/cyan]")
+
+    if dry_run:
+        console.print("\n[yellow]DRY RUN - No changes will be made[/yellow]\n")
+
+    try:
+        vault_instance = get_vault()
+        results = migrate_env_to_vault(env_path, skill, vault_instance, dry_run=dry_run)
+
+        if results:
+            console.print(f"\n[green]{'Would migrate' if dry_run else 'Migrated'}:[/green]")
+            for key, success in results:
+                status = "\u2713" if success else "\u2717"
+                console.print(f"  {status} {key}")
+            successful = sum(1 for _, s in results if s)
+            total = len(results)
+            console.print(f"\n[green]\u2713[/green] {'Would migrate' if dry_run else 'Migrated'} {successful} credentials to skill '{skill}'")
+
+            if not dry_run and successful == total and env_path.exists():
+                console.print()
+                if click.confirm(f"Remove {env_path}? (credentials are now in the vault)"):
+                    env_path.unlink()
+                    console.print(f"[green]\u2713[/green] Removed {env_path}")
+                else:
+                    console.print(f"[yellow]\u26a0[/yellow] {env_path} still contains plaintext credentials")
+            elif not dry_run and successful < total:
+                failed = total - successful
+                console.print(f"[yellow]\u26a0[/yellow] {failed} credential(s) failed to migrate \u2014 keeping {env_path}")
+        else:
+            console.print("[white]No credentials found to migrate[/white]")
+
+    except Exception as e:
+        console.print(f"[red]\u2717[/red] Migration failed: {e}")
+
+
+@vault.command("delete",
+    epilog="""\b
+Examples:
+  tweek vault delete myskill API_KEY     Delete a stored credential
+  tweek vault delete deploy AWS_SECRET   Remove a deployment secret
+"""
+)
+@click.argument("skill")
+@click.argument("key")
+def vault_delete(skill: str, key: str):
+    """Delete a credential from secure storage."""
+    from tweek.vault import get_vault, VAULT_AVAILABLE
+
+    if not VAULT_AVAILABLE:
+        console.print("[red]\u2717[/red] Vault not available. Install keyring: pip install keyring")
+        return
+
+    vault_instance = get_vault()
+    deleted = vault_instance.delete(skill, key)
+
+    if deleted:
+        console.print(f"[green]\u2713[/green] Deleted {key} from skill '{skill}'")
+    else:
+        console.print(f"[yellow]![/yellow] Credential not found: {key} for skill '{skill}'")
+
+
+# ============================================================
+# LICENSE COMMANDS [experimental]
+# ============================================================
+
+@click.group("license")
+def license_group():
+    """Manage Tweek license and features. [experimental]"""
+    pass
+
+
+@license_group.command("status",
+    epilog="""\b
+Examples:
+  tweek license status                   Show license tier and features
+"""
+)
+def license_status():
+    """Show current license status and available features. [experimental]"""
+    console.print("[yellow]Note: License management is experimental. Pro/Enterprise tiers coming soon.[/yellow]")
+
+    from tweek.licensing import get_license, TIER_FEATURES, Tier
+
+    console.print(TWEEK_BANNER, style="cyan")
+
+    lic = get_license()
+    info = lic.info
+
+    # License info
+    tier_colors = {
+        Tier.FREE: "white",
+        Tier.PRO: "cyan",
+    }
+
+    tier_color = tier_colors.get(lic.tier, "white")
+    console.print(f"[bold]License Tier:[/bold] [{tier_color}]{lic.tier.value.upper()}[/{tier_color}]")
+
+    if info:
+        console.print(f"[white]Licensed to: {info.email}[/white]")
+        if info.expires_at:
+            from datetime import datetime
+            exp_date = datetime.fromtimestamp(info.expires_at).strftime("%Y-%m-%d")
+            if info.is_expired:
+                console.print(f"[red]Expired: {exp_date}[/red]")
+            else:
+                console.print(f"[white]Expires: {exp_date}[/white]")
+        else:
+            console.print("[white]Expires: Never[/white]")
+    console.print()
+
+    # Features table
+    table = Table(title="Feature Availability")
+    table.add_column("Feature", style="cyan")
+    table.add_column("Status")
+    table.add_column("Tier Required")
+
+    # Collect all features and their required tiers
+    feature_tiers = {}
+    for tier in [Tier.FREE, Tier.PRO]:
+        for feature in TIER_FEATURES.get(tier, []):
+            feature_tiers[feature] = tier
+
+    for feature, required_tier in feature_tiers.items():
+        has_it = lic.has_feature(feature)
+        status = "[green]\u2713[/green]" if has_it else "[white]\u25cb[/white]"
+        tier_display = required_tier.value.upper()
+        if required_tier == Tier.PRO:
+            tier_display = f"[cyan]{tier_display}[/cyan]"
+
+        table.add_row(feature, status, tier_display)
+
+    console.print(table)
+
+    if lic.tier == Tier.FREE:
+        console.print()
+        console.print("[green]All security features are included free and open source.[/green]")
+        console.print("[white]Pro (teams) and Enterprise (compliance) coming soon: gettweek.com[/white]")
+
+
+@license_group.command("activate",
+    epilog="""\b
+Examples:
+  tweek license activate YOUR_KEY               Activate a license key (Pro/Enterprise coming soon)
+"""
+)
+@click.argument("license_key")
+def license_activate(license_key: str):
+    """Activate a license key. [experimental]"""
+    console.print("[yellow]Note: License management is experimental. Pro/Enterprise tiers coming soon.[/yellow]")
+
+    from tweek.licensing import get_license
+
+    lic = get_license()
+    success, message = lic.activate(license_key)
+
+    if success:
+        console.print(f"[green]\u2713[/green] {message}")
+        console.print()
+        console.print("[white]Run 'tweek license status' to see available features[/white]")
+    else:
+        console.print(f"[red]\u2717[/red] {message}")
+
+
+@license_group.command("deactivate",
+    epilog="""\b
+Examples:
+  tweek license deactivate               Deactivate license (with prompt)
+  tweek license deactivate --confirm     Deactivate without confirmation
+"""
+)
+@click.option("--confirm", is_flag=True, help="Skip confirmation prompt")
+def license_deactivate(confirm: bool):
+    """Remove current license and revert to FREE tier. [experimental]"""
+    console.print("[yellow]Note: License management is experimental. Pro/Enterprise tiers coming soon.[/yellow]")
+
+    from tweek.licensing import get_license
+
+    if not confirm:
+        console.print("[yellow]Deactivate license and revert to FREE tier?[/yellow] ", end="")
+        if not click.confirm(""):
+            console.print("[white]Cancelled[/white]")
+            return
+
+    lic = get_license()
+    success, message = lic.deactivate()
+
+    if success:
+        console.print(f"[green]\u2713[/green] {message}")
+    else:
+        console.print(f"[red]\u2717[/red] {message}")

tweek/config/allowed_dirs.yaml

@@ -1,23 +1,22 @@
-# Tweek Directory Safety Configuration
+# Tweek Directory Safety Configuration (bundled default)
 #
-# This file controls WHERE Tweek hooks are active.
-# This is a SAFETY FEATURE to prevent accidental activation in production.
+# This file ships with the Tweek package and provides the production default.
+# To override, create ~/.tweek/allowed_dirs.yaml (user-level config takes
+# full precedence when it exists).
 #
 # Options:
-#   global_enabled: true  - Activate Tweek everywhere (production mode)
-#   allowed_directories:  - List of directories where Tweek activates
+#   global_enabled: true  - Activate Tweek everywhere (default for end users)
+#   allowed_directories:  - Restrict Tweek to specific directories only
 #
-# IMPORTANT: Without this file, Tweek is DISABLED everywhere.
+# Lookup order:
+#   1. ~/.tweek/allowed_dirs.yaml  (user override — not in repo)
+#   2. This file                   (bundled default)
 
-# Set to true to enable Tweek globally (for production deployment)
-global_enabled: false
+# Production default: Tweek is active everywhere after install
+global_enabled: true
 
-# Directories where Tweek hooks will activate
-# Tweek will also activate in subdirectories of these paths
-allowed_directories:
-  # Test environment only (safe for development)
-  - ~/AI/tweek/test-environment
-
-  # Add more directories as needed:
-  # - ~/projects/sensitive-project
-  # - /path/to/another/project
+# When global_enabled is false, only activate in these directories.
+# Tweek also activates in subdirectories of listed paths.
+# allowed_directories:
+#   - ~/projects/my-project
+#   - /path/to/another/project

tweek/config/families.yaml

@@ -1,5 +1,5 @@
 # Tweek Pattern Family Definitions v1
-# Groups the 259 attack patterns by attack class for:
+# Groups the 262 attack patterns by attack class for:
 #   1. Heuristic scoring (near-miss detection via semantic signals)
 #   2. Pattern management (enable/disable by family)
 #   3. Reporting (family-level risk summaries)
@@ -257,6 +257,9 @@ families:
       - 257  # self_describe_purpose
       - 258  # self_describe_protection
       - 259  # self_describe_instructions
+      - 260  # summarize_instructions_extraction
+      - 261  # special_instructions_probe
+      - 262  # system_prompt_reference_broad
     heuristic_signals:
       instruction_keywords:
         - "ignore"

tweek/config/manager.py

@@ -152,6 +152,23 @@ class ConfigManager:
             },
             "default_tier": "default",
         },
+        "balanced": {
+            # Same tool tiers as cautious, but the preset name signals
+            # provenance-aware enforcement: clean sessions get relaxed
+            # thresholds (fewer false positives), tainted sessions get
+            # escalated scrutiny. See tweek.memory.provenance.
+            "tools": {
+                "Read": "safe",
+                "Glob": "safe",
+                "Grep": "safe",
+                "Edit": "default",
+                "Write": "default",
+                "WebFetch": "risky",
+                "WebSearch": "risky",
+                "Bash": "dangerous",
+            },
+            "default_tier": "default",
+        },
         "trusted": {
             "tools": {
                 "Read": "safe",

tweek/config/patterns.yaml

@@ -1,5 +1,5 @@
 # Tweek Attack Pattern Definitions v3
-# All 259 patterns included FREE
+# All 262 patterns included FREE
 #
 # Update via: tweek update (pulls from github.com/gettweek/tweek)
 #
@@ -25,7 +25,7 @@
 # PRO tier adds: LLM review, session analysis, rate limiting
 
 version: 5
-pattern_count: 259
+pattern_count: 262
 
 patterns:
   # ============================================================================
@@ -711,7 +711,7 @@ patterns:
   - id: 83
     name: document_metadata_injection
     description: "Hidden instructions in document metadata"
-    regex: '(author|title|subject|keywords|description)\s*[=:]\s*.*?(execute|run|ignore|override|bypass)'
+    regex: '(author|title|subject|keywords|description)\s*[=:]\s*[^\n]{0,80}(execute|run|ignore|override|bypass)'
     severity: high
     confidence: heuristic
     family: prompt_injection
@@ -736,7 +736,7 @@ patterns:
   - id: 86
     name: log_to_leak
     description: "Log-To-Leak covert channel attack"
-    regex: '(log|write|append|print).*?(secret|credential|token|key|password).*?(file|output|stream)'
+    regex: '(log|write|append|print)[^\n]{0,60}(secret|credential|token|key|password)[^\n]{0,60}(file|output|stream)'
     severity: high
     confidence: heuristic
     family: covert_channels
@@ -1514,7 +1514,7 @@ patterns:
   - id: 174
     name: leetspeak_instruction_bypass
     description: "Heavy character substitution of security-critical words"
-    regex: '([sS5$][yY][sS5$][tT7][eE3][mM]\s*[pP][rR][0oO][mM][pP][tT7]|[1iI][nN][sS5$][tT7][rR][uU][cC][tT7]|[cC][0oO][nN][fF][1iI][gG]|[eE3][xX][eE3][cC][uU][tT7][eE3])'
+    regex: '((?=[a-zA-Z01357$]*[01357$])[sS5$][yY][sS5$][tT7][eE3][mM]\s*[pP][rR][0oO][mM][pP][tT7]|(?=[a-zA-Z01357$]*[01357$])[1iI][nN][sS5$][tT7][rR][uU][cC][tT7]|(?=[a-zA-Z01357$]*[01357$])[cC][0oO][nN][fF][1iI][gG]|(?=[a-zA-Z01357$]*[01357$])[eE3][xX][eE3][cC][uU][tT7][eE3])'
     severity: medium
     confidence: contextual
     family: prompt_injection
@@ -2251,3 +2251,27 @@ patterns:
     severity: low
     confidence: contextual
     family: prompt_injection
+
+  - id: 260
+    name: summarize_instructions_extraction
+    description: "Summarization-based system prompt extraction"
+    regex: '(summarize|recap|outline|condense|describe|paraphrase)\s+.{0,30}(instructions|prompt|rules|guidelines|directives|configuration)\s+.{0,20}(given|told|provided|have|follow|received|programmed)'
+    severity: medium
+    confidence: contextual
+    family: prompt_injection
+
+  - id: 261
+    name: special_instructions_probe
+    description: "Probing for special instructions or unique capabilities"
+    regex: 'what\s+.{0,20}(instructions|capabilities|directives|rules)\s+.{0,30}(do\s+you\s+have|make\s+you|were\s+you|that\s+you)'
+    severity: medium
+    confidence: contextual
+    family: prompt_injection
+
+  - id: 262
+    name: system_prompt_reference_broad
+    description: "Broad references to system prompt in extraction context"
+    regex: '((your|my|the|its)\s+.{0,20}system[\s_]+prompt|system[\s_]+prompt\s*(say|would\s+say|output|reveal|share|display)|output\s+(system[\s_]+)?(prompt|configuration)\b|(instructions|directives)\s+(you|I|they|it)\s+(received|were\s+given|have\b|follow|got)|what.s\s+your\s+system[\s_]+prompt)'
+    severity: medium
+    confidence: contextual
+    family: prompt_injection

tweek/config/templates/config.yaml.template

@@ -0,0 +1,212 @@
+# ============================================================================
+# Tweek User Configuration (~/.tweek/config.yaml)
+# ============================================================================
+#
+# This file overrides Tweek's bundled defaults. Only uncomment what you
+# want to change -- everything else uses safe production defaults.
+#
+# Config hierarchy (highest priority wins):
+#   1. Project:  .tweek/config.yaml      (per-project overrides)
+#   2. User:     ~/.tweek/config.yaml     (this file)
+#   3. Bundled:  tweek/config/tiers.yaml  (production defaults)
+#
+# Commands:
+#   tweek config edit           Open this file in your editor
+#   tweek config show-defaults  View all bundled defaults
+#   tweek config validate       Check for errors
+#   tweek config list           Show current tool/skill tiers
+#   tweek config preset <name>  Apply a preset (paranoid|cautious|trusted)
+#
+# Full docs: https://github.com/gettweek/tweek/blob/main/docs/CONFIGURATION.md
+# ============================================================================
+
+
+# ---------------------------------------------------------------------------
+# LLM Review Provider (Layer 3 — semantic analysis)
+# ---------------------------------------------------------------------------
+# Analyzes suspicious commands/content using an LLM for deeper screening.
+# Works alongside pattern matching (Layer 2) — not a replacement.
+#
+# Auto-detect order: Local ONNX model > Google > OpenAI > xAI > Anthropic
+#
+# IMPORTANT: API keys go in ~/.tweek/.env (not here). Run:
+#   tweek config edit env
+#
+# BILLING NOTE: Anthropic API keys are billed per-token, SEPARATELY from
+# Claude Pro/Max subscriptions. Google Gemini has a free tier — recommended.
+#
+# llm_review:
+#   enabled: true
+#   provider: auto              # auto | google | openai | xai | anthropic | local
+#   model: auto                 # auto = provider default. Defaults per provider:
+#                               #   google:    gemini-2.0-flash
+#                               #   openai:    gpt-4o-mini
+#                               #   xai:       grok-2
+#                               #   anthropic: claude-3-5-haiku-latest
+#                               #   local:     deberta-v3-injection
+#   timeout_seconds: 5.0        # Max wait for LLM response
+#   base_url: null              # For OpenAI-compatible endpoints (Ollama, LM Studio, etc.)
+#   api_key_env: null           # Override env var name (default: provider-specific)
+#
+#   # Local LLM server settings (Ollama, LM Studio)
+#   local:
+#     enabled: true
+#     probe_timeout: 0.5        # Max probe time per server (seconds)
+#     timeout_seconds: 3.0      # Per-request timeout (local should be fast)
+#     ollama_host: null          # Override (default: OLLAMA_HOST env or localhost:11434)
+#     lm_studio_host: null       # Override (default: localhost:1234)
+#     preferred_models: []       # User override for model ranking
+#     validate_on_first_use: true
+#     min_validation_score: 0.6  # Must pass 3/5 validation commands
+#
+#   # Fallback chain (try local first, then cloud)
+#   fallback:
+#     enabled: true
+#     order: [local, cloud]
+
+
+# ---------------------------------------------------------------------------
+# Local ONNX Model (Layer 3 — on-device classifier)
+# ---------------------------------------------------------------------------
+# On-device prompt injection classifier. No API key needed.
+# Install: pip install tweek[local-models] && tweek model download
+# When installed, runs before cloud LLM and escalates uncertain results.
+#
+# local_model:
+#   enabled: true
+#   model: auto                     # auto = default model, or explicit name
+#   escalate_to_llm: true           # Escalate uncertain results to cloud LLM
+#   escalate_min_confidence: 0.1    # Below this = safe, skip escalation
+#   escalate_max_confidence: 0.9    # Above this = use local result, skip escalation
+
+
+# ---------------------------------------------------------------------------
+# Rate Limiting (Layer 1 — burst detection)
+# ---------------------------------------------------------------------------
+# Detects rapid-fire tool calls that may indicate automated attacks.
+#
+# rate_limiting:
+#   enabled: true
+#   burst_window_seconds: 5         # Time window for burst detection
+#   burst_threshold: 15             # Max calls in burst window
+#   max_per_minute: 60              # Overall rate limit
+#   max_dangerous_per_minute: 10    # Limit for dangerous-tier tools
+#   max_same_command_per_minute: 5  # Repeated identical commands
+
+
+# ---------------------------------------------------------------------------
+# Session Analysis (Layer 4 — cross-turn anomaly detection)
+# ---------------------------------------------------------------------------
+# Tracks patterns across multiple tool calls to detect multi-step attacks.
+#
+# session_analysis:
+#   enabled: true
+#   lookback_minutes: 30            # How far back to analyze
+#   alert_on_risk_score: 0.5        # Threshold for session risk alerts
+
+
+# ---------------------------------------------------------------------------
+# Heuristic Scorer (Layer 2.5 — signal-based escalation)
+# ---------------------------------------------------------------------------
+# Bridges pattern matching and LLM review. When no regex matches but
+# content looks suspicious, scores it and may escalate to LLM.
+#
+# heuristic_scorer:
+#   enabled: true
+#   threshold: 0.4                  # Score [0.0-1.0] to trigger LLM escalation
+#   log_all_scores: false           # Log below-threshold scores (for tuning)
+
+
+# ---------------------------------------------------------------------------
+# Tool Tier Overrides
+# ---------------------------------------------------------------------------
+# Override the default security tier for specific tools.
+# Tiers: safe | default | risky | dangerous
+#
+# Bundled defaults:
+#   Read:         default    (read-only but needs path screening)
+#   Glob:         safe       (file pattern matching)
+#   Grep:         safe       (search file contents)
+#   Edit:         default    (modify existing files)
+#   Write:        risky      (create/overwrite files)
+#   NotebookEdit: default    (edit Jupyter notebooks)
+#   WebFetch:     risky      (fetch content from URLs)
+#   WebSearch:    risky      (search the web)
+#   Bash:         dangerous  (execute shell commands)
+#   Task:         default    (spawn subagent tasks)
+#
+# tools:
+#   Read: default
+#   Bash: dangerous
+
+
+# ---------------------------------------------------------------------------
+# Skill Tier Overrides
+# ---------------------------------------------------------------------------
+# Override the default tier for Claude Code skills.
+#
+# Bundled defaults:
+#   review-pr:        safe       (read-only PR review)
+#   explore:          safe       (read-only codebase exploration)
+#   commit:           default    (git commit operations)
+#   frontend-design:  risky      (generate frontend code)
+#   dev-browser:      risky      (browser automation)
+#   deploy:           dangerous  (deployment operations)
+#
+# skills:
+#   commit: default
+#   deploy: dangerous
+
+
+# ---------------------------------------------------------------------------
+# Non-English Language Handling
+# ---------------------------------------------------------------------------
+# English-only regex patterns can miss injection in other languages.
+# Options:
+#   escalate  - Auto-escalate to LLM review tier (default, recommended)
+#   translate - Translate to English before pattern matching (requires API key)
+#   both      - Escalate AND translate (maximum coverage)
+#   none      - No special handling (English-only patterns may miss attacks)
+#
+# non_english_handling: escalate
+
+
+# ---------------------------------------------------------------------------
+# Content-Based Escalations
+# ---------------------------------------------------------------------------
+# Regex patterns that bump a tool's tier based on content.
+# These ADD to the bundled escalations (they don't replace them).
+#
+# escalations:
+#   - pattern: '\b(prod|production)\b'
+#     description: "Production environment reference"
+#     escalate_to: risky
+#
+#   - pattern: 'rm\s+(-rf|-fr|--recursive)'
+#     description: "Recursive deletion"
+#     escalate_to: dangerous
+
+
+# ---------------------------------------------------------------------------
+# Path Boundary Escalation
+# ---------------------------------------------------------------------------
+# Escalates tier when tools access files outside the project directory.
+#
+# path_boundary:
+#   enabled: true
+#   default_escalate_to: risky     # Generic out-of-project access
+#   sensitive_directories:
+#     - pattern: ".ssh"
+#       escalate_to: dangerous
+#       description: "SSH directory access"
+#     - pattern: ".aws"
+#       escalate_to: dangerous
+#       description: "AWS credentials directory"
+
+
+# ---------------------------------------------------------------------------
+# Default Tier
+# ---------------------------------------------------------------------------
+# Fallback tier for tools/skills not explicitly classified.
+#
+# default_tier: default