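# Guard-rail rules for shell commands and file paths: one list of regex
# patterns matched against command text, followed by three path lists.
#
# NOTE(review): the meaning of `ask: true` (presumably "prompt for
# confirmation" rather than "refuse") and of each path list is defined by the
# consuming tool, which is not visible here -- confirm against it.
#
# String matching on a command line is a best-effort guard rail, not a
# sandbox. Keep OS-level permissions and least-privilege credentials as the
# real boundary.
#
# The patterns use look-ahead (`(?!...)`), so the consumer must use a
# backtracking regex engine. User-influenced command text is matched against
# them, so avoid nested quantifiers over overlapping character classes:
# they backtrack exponentially.
bashToolPatterns:
  # --- File removal and permissions --------------------------------------
  # Option prefix is `(-[^\s]+\s+)*`, the same shape the chmod rule uses.
  # The previous `(-[^\s]*)*` could not consume a separate flag because it had
  # no whitespace, so `-v -rf` and `-vrf` went unmatched. It was also
  # ambiguous on runs of dashes (catastrophic backtracking).
  # The final token is a short-flag cluster containing r/R/f, or a long
  # option starting with --r / --f (covers abbreviated long options).
  # Only leading option tokens are inspected.
  - pattern: '\brm\s+(-[^\s]+\s+)*(-[^\s-]*[rRf]|--[rRf])'
    reason: rm with recursive or force flags
  - pattern: '\brm\s+-[rRf]'
    reason: rm with recursive or force flags
  - pattern: '\brm\s+--recursive'
    reason: rm with --recursive flag
  - pattern: '\brm\s+--force'
    reason: rm with --force flag
  - pattern: '\bsudo\s+rm\b'
    reason: sudo rm
  - pattern: '\brmdir\s+--ignore-fail-on-non-empty'
    reason: rmdir ignore-fail
  - pattern: '\bchmod\s+(-[^\s]+\s+)*777\b'
    reason: chmod 777 (world writable)
  - pattern: '\bchmod\s+-[Rr].*777'
    reason: recursive chmod 777
  - pattern: '\bchown\s+-[Rr].*\broot\b'
    reason: recursive chown to root

  # --- Git: history and working-tree destruction -------------------------
  - pattern: '\bgit\s+reset\s+--hard\b'
    reason: git reset --hard (use --soft or stash)
  # Same option-prefix fix as the rm rule. `--f` covers --force and its
  # abbreviations without also matching --dry-run.
  - pattern: '\bgit\s+clean\s+(-[^\s]+\s+)*(-[^\s-]*[fd]|--f)'
    reason: git clean with force/directory flags
  - pattern: '\bgit\s+push\s+.*--force(?!-with-lease)'
    reason: git push --force (use --force-with-lease)
  # Matches a short-flag cluster containing `f` anywhere in the same simple
  # command (stops at ; & |), so `git push origin main -f` is caught like the
  # --force rule above catches its long form. The dash must start a token, so
  # branch names such as `my-feature` and long options such as --follow-tags
  # do not match.
  - pattern: '\bgit\s+push\s+([^;&|]*\s)?-[^\s-]*f'
    reason: git push -f (use --force-with-lease)
  - pattern: '\bgit\s+stash\s+clear\b'
    reason: git stash clear (deletes ALL stashes)
  - pattern: '\bgit\s+reflog\s+expire\b'
    reason: git reflog expire (destroys recovery mechanism)
  - pattern: '\bgit\s+gc\s+.*--prune=now'
    reason: git gc --prune=now (can lose dangling commits)
  - pattern: '\bgit\s+filter-branch\b'
    reason: git filter-branch (rewrites entire history)
  - pattern: '\bgit\s+checkout\s+--\s*\.'
    reason: Discards all uncommitted changes
    ask: true
  - pattern: '\bgit\s+restore\s+\.'
    reason: Discards all uncommitted changes
    ask: true
  - pattern: '\bgit\s+stash\s+drop\b'
    reason: Permanently deletes a stash
    ask: true
  # Same option-prefix fix as the rm rule; also matches -D inside a cluster
  # or after other flags (e.g. `-r -D`).
  - pattern: '\bgit\s+branch\s+(-[^\s]+\s+)*-[^\s-]*D'
    reason: Force deletes branch (even if unmerged)
    ask: true
  - pattern: '\bgit\s+push\s+\S+\s+--delete\b'
    reason: Deletes remote branch
    ask: true
  - pattern: '\bgit\s+push\s+\S+\s+:\S+'
    reason: Deletes remote branch (old syntax)
    ask: true

  # --- Disks, processes, shell history -----------------------------------
  - pattern: '\bmkfs\.'
    reason: filesystem format command
  - pattern: '\bdd\s+.*of=/dev/'
    reason: dd writing to device
  - pattern: '\bkill\s+-9\s+-1\b'
    reason: kill all processes
  - pattern: '\bkillall\s+-9\b'
    reason: killall -9
  - pattern: '\bpkill\s+-9\b'
    reason: pkill -9
  - pattern: '\bhistory\s+-c\b'
    reason: clearing shell history

  # --- AWS ----------------------------------------------------------------
  - pattern: '\baws\s+s3\s+rm\s+.*--recursive'
    reason: aws s3 rm --recursive (deletes all objects)
  - pattern: '\baws\s+s3\s+rb\s+.*--force'
    reason: aws s3 rb --force (force removes bucket)
  - pattern: '\baws\s+ec2\s+terminate-instances\b'
    reason: aws ec2 terminate-instances
  - pattern: '\baws\s+rds\s+delete-db-instance\b'
    reason: aws rds delete-db-instance
  - pattern: '\baws\s+cloudformation\s+delete-stack\b'
    reason: aws cloudformation delete-stack (deletes infrastructure)
  - pattern: '\baws\s+dynamodb\s+delete-table\b'
    reason: aws dynamodb delete-table
  - pattern: '\baws\s+eks\s+delete-cluster\b'
    reason: aws eks delete-cluster
  - pattern: '\baws\s+lambda\s+delete-function\b'
    reason: aws lambda delete-function
  - pattern: '\baws\s+iam\s+delete-role\b'
    reason: aws iam delete-role
  - pattern: '\baws\s+iam\s+delete-user\b'
    reason: aws iam delete-user

  # --- Google Cloud -------------------------------------------------------
  - pattern: '\bgcloud\s+projects\s+delete\b'
    reason: gcloud projects delete (DELETES ENTIRE PROJECT)
  - pattern: '\bgcloud\s+compute\s+instances\s+delete\b'
    reason: gcloud compute instances delete
  - pattern: '\bgcloud\s+sql\s+instances\s+delete\b'
    reason: gcloud sql instances delete
  - pattern: '\bgcloud\s+container\s+clusters\s+delete\b'
    reason: gcloud container clusters delete (GKE)
  - pattern: '\bgcloud\s+storage\s+rm\s+.*-r'
    reason: gcloud storage rm -r (recursive delete)
  - pattern: '\bgcloud\s+functions\s+delete\b'
    reason: gcloud functions delete
  - pattern: '\bgcloud\s+iam\s+service-accounts\s+delete\b'
    reason: gcloud iam service-accounts delete
  - pattern: '\bgcloud\s+run\s+services\s+delete\b'
    reason: gcloud run services delete (deletes Cloud Run service)
  - pattern: '\bgcloud\s+run\s+jobs\s+delete\b'
    reason: gcloud run jobs delete (deletes Cloud Run job)
  - pattern: '\bgcloud\s+services\s+disable\b'
    reason: gcloud services disable (disables GCP APIs)
  - pattern: '\bgcloud\s+iam\s+roles\s+delete\b'
    reason: gcloud iam roles delete (deletes IAM role)
  - pattern: '\bgcloud\s+iam\s+policies\b'
    reason: gcloud iam policies (modifies IAM policies)
    ask: true

  # --- Firebase -----------------------------------------------------------
  - pattern: '\bfirebase\s+projects:delete\b'
    reason: firebase projects:delete (deletes entire project)
  - pattern: '\bfirebase\s+firestore:delete\s+.*--all-collections'
    reason: firebase firestore:delete --all-collections (wipes all data)
  - pattern: '\bfirebase\s+database:remove\b'
    reason: firebase database:remove (wipes Realtime DB)
  - pattern: '\bfirebase\s+hosting:disable\b'
    reason: firebase hosting:disable
  - pattern: '\bfirebase\s+functions:delete\b'
    reason: firebase functions:delete

  # --- Vercel / Netlify / Cloudflare Wrangler -----------------------------
  - pattern: '\bvercel\s+remove\s+.*--yes'
    reason: vercel remove --yes (removes deployment)
  - pattern: '\bvercel\s+projects\s+rm\b'
    reason: vercel projects rm (deletes project)
  - pattern: '\bvercel\s+env\s+rm\b'
    reason: vercel env rm (removes env variables)
  - pattern: '\bvercel\s+rm\b'
    reason: vercel rm (removes deployment)
  - pattern: '\bvercel\s+remove\b'
    reason: vercel remove (removes deployment)
  - pattern: '\bvercel\s+domains\s+rm\b'
    reason: vercel domains rm (removes custom domain)
  - pattern: '\bnetlify\s+sites:delete\b'
    reason: netlify sites:delete (deletes entire site)
  - pattern: '\bnetlify\s+functions:delete\b'
    reason: netlify functions:delete
  - pattern: '\bwrangler\s+delete\b'
    reason: wrangler delete (deletes Worker)
  - pattern: '\bwrangler\s+r2\s+bucket\s+delete\b'
    reason: wrangler r2 bucket delete
  - pattern: '\bwrangler\s+kv:namespace\s+delete\b'
    reason: wrangler kv:namespace delete
  - pattern: '\bwrangler\s+d1\s+delete\b'
    reason: wrangler d1 delete (deletes database)
  - pattern: '\bwrangler\s+queues\s+delete\b'
    reason: wrangler queues delete

  # --- SQL ----------------------------------------------------------------
  # NOTE(review): these keywords are written in upper case. Whether
  # lower-case SQL is matched depends on the flags the consumer compiles the
  # patterns with -- confirm it matches case-insensitively.
  - pattern: 'DELETE\s+FROM\s+\w+\s*;'
    reason: DELETE without WHERE clause (will delete ALL rows)
  - pattern: 'DELETE\s+\*\s+FROM'
    reason: DELETE * (will delete ALL rows)
  - pattern: '\bTRUNCATE\s+TABLE\b'
    reason: TRUNCATE TABLE (will delete ALL rows)
  - pattern: '\bDROP\s+TABLE\b'
    reason: DROP TABLE
  - pattern: '\bDROP\s+DATABASE\b'
    reason: DROP DATABASE
  - pattern: '\bDROP\s+SCHEMA\b'
    reason: DROP SCHEMA
  - pattern: '\bDELETE\s+FROM\s+\w+\s+WHERE\b.*\bid\s*='
    reason: SQL DELETE with specific ID
    ask: true

# Secret-bearing files and credential stores (env files, cloud and SSH
# credentials, private keys, Terraform state, database dumps).
# Globs are quoted so a leading `*` is not parsed as a YAML alias.
zeroAccessPaths:
  - ".env"
  - ".env.local"
  - ".env.development"
  - ".env.production"
  - ".env.staging"
  - ".env.test"
  - ".env.*.local"
  - "*.env"
  - "~/.ssh/"
  - "~/.gnupg/"
  - "~/.aws/"
  - "~/.config/gcloud/"
  - "*-credentials.json"
  - "*serviceAccount*.json"
  - "*service-account*.json"
  - "~/.azure/"
  - "~/.kube/"
  - "kubeconfig"
  - "*-secret.yaml"
  - "secrets.yaml"
  - "~/.docker/"
  - "*.pem"
  - "*.key"
  - "*.p12"
  - "*.pfx"
  - "*.tfstate"
  - "*.tfstate.backup"
  - ".terraform/"
  - ".vercel/"
  - ".netlify/"
  - "firebase-adminsdk*.json"
  - "serviceAccountKey.json"
  - ".supabase/"
  - "~/.netrc"
  - "~/.npmrc"
  - "~/.pypirc"
  - "~/.git-credentials"
  - ".git-credentials"
  - "dump.sql"
  - "backup.sql"
  - "*.dump"

# System directories, shell history and startup files, dependency lockfiles,
# and generated or vendored output.
readOnlyPaths:
  - /etc/
  - /usr/
  - /bin/
  - /sbin/
  - /boot/
  - /root/
  - ~/.bash_history
  - ~/.zsh_history
  - ~/.node_repl_history
  - ~/.bashrc
  - ~/.zshrc
  - ~/.profile
  - ~/.bash_profile
  - "package-lock.json"
  - "yarn.lock"
  - "pnpm-lock.yaml"
  - "Gemfile.lock"
  - "poetry.lock"
  - "Pipfile.lock"
  - "composer.lock"
  - "Cargo.lock"
  - "go.sum"
  - "flake.lock"
  - "bun.lockb"
  - "uv.lock"
  - "npm-shrinkwrap.json"
  - "*.lock"
  - "*.lockb"
  - "*.min.js"
  - "*.min.css"
  - "*.bundle.js"
  - "*.chunk.js"
  - dist/
  - build/
  - .next/
  - .nuxt/
  - .output/
  - node_modules/
  - __pycache__/
  - .venv/
  - venv/
  - target/

# Project metadata, VCS data, and CI/container definitions.
noDeletePaths:
  - ~/.claude/
  - CLAUDE.md
  - "LICENSE"
  - "LICENSE.*"
  - "COPYING"
  - "COPYING.*"
  - "NOTICE"
  - "PATENTS"
  - "README.md"
  - "README.*"
  - "CONTRIBUTING.md"
  - "CHANGELOG.md"
  - "CODE_OF_CONDUCT.md"
  - "SECURITY.md"
  - .git/
  - .gitignore
  - .gitattributes
  - .gitmodules
  - .github/
  - .gitlab-ci.yml
  - .circleci/
  - Jenkinsfile
  - .travis.yml
  - azure-pipelines.yml
  - Dockerfile
  - "Dockerfile.*"
  - docker-compose.yml
  - "docker-compose.*.yml"
  - .dockerignore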