add allowedBashPatterns NixOS option for finer-grained Bash tool approval

2026-05-20 13:08:15 +02:00 · 2026-05-20 13:08:15 +02:00 · 3c672ed6b2
commit 3c672ed6b2
parent c05a750409
3 changed files with 88 additions and 10 deletions
--- a/nix/templates/harness-base.nix
+++ b/nix/templates/harness-base.nix
@ -15,6 +15,29 @@
  # only opts in from its own `agent.nix`.
  imports = [ ./weston-rdp.nix ];

+  options.hyperhive.allowedBashPatterns = lib.mkOption {
+    type = lib.types.listOf lib.types.str;
+    default = [ ];
+    example = [
+      "git *"
+      "ls *"
+      "cat /agents/*/state/*"
+    ];
+    description = ''
+      Shell command patterns auto-approved for the `Bash` built-in tool.
+      Empty list (the default) grants wholesale `Bash` approval —
+      claude can run any shell command without a prompt. Non-empty list
+      replaces `Bash` in `--allowedTools` with one `Bash(pattern)` entry
+      per item; only commands matching a pattern are auto-approved; all
+      others require confirmation (which in `--print` mode means they
+      will not run). Use to sandbox agents to a known-safe command
+      vocabulary.
+
+      Patterns use the same glob syntax claude accepts in `Bash(…)`:
+      `*` matches any string within a word, shell-style.
+    '';
+  };
+
  options.hyperhive.allowedRecipients = lib.mkOption {
    type = lib.types.listOf lib.types.str;
    default = [ ];
@ -170,6 +193,9 @@
  config = {
    environment.etc."hyperhive/extra-mcp.json".text = builtins.toJSON config.hyperhive.extraMcpServers;

+    environment.etc."hyperhive/bash-allow.json".text =
+      builtins.toJSON config.hyperhive.allowedBashPatterns;
+
    environment.etc."hyperhive/send-allow.json".text =
      builtins.toJSON config.hyperhive.allowedRecipients;