File detail
utils/permissions/dangerousPatterns.ts
Use case
This file lives under "utils/", which covers cross-cutting helpers (shell, tempfiles, settings, messages, process input, …). On the API surface it exposes CROSS_PLATFORM_CODE_EXEC and DANGEROUS_BASH_PATTERNS, mainly types, interfaces, or factory objects. Dependencies touch npm. What the file header says: Pattern lists for dangerous shell-tool allow-rule prefixes. An allow rule like `Bash(python:*)` or `PowerShell(node:*)` lets the model run arbitrary code via that interpreter, bypassing the auto-mode classifier. These lists feed the isDangerous{Bash,PowerShell}Permission predicates…
Generated from folder role, exports, dependency roots, and inline comments; not hand-reviewed for every path.
Inline summary
Pattern lists for dangerous shell-tool allow-rule prefixes. An allow rule like `Bash(python:*)` or `PowerShell(node:*)` lets the model run arbitrary code via that interpreter, bypassing the auto-mode classifier. These lists feed the isDangerous{Bash,PowerShell}Permission predicates in permissionSetup.ts, which strip such rules at auto-mode entry. The matcher in each predicate handles the rule-shape variants (exact, `:*`, trailing `*`, ` *`, ` -…*`). PS-specific cmdlet strings live in isDangerousPowerShellPermission (permissionSetup.ts).
Exports (heuristic)
CROSS_PLATFORM_CODE_EXEC, DANGEROUS_BASH_PATTERNS
External import roots
Package roots from `from "…"` (relative paths omitted).
npm
Source preview
/**
 * Pattern lists for dangerous shell-tool allow-rule prefixes.
 *
 * An allow rule like `Bash(python:*)` or `PowerShell(node:*)` lets the model
 * run arbitrary code via that interpreter, bypassing the auto-mode classifier.
 * These lists feed the isDangerous{Bash,PowerShell}Permission predicates in
 * permissionSetup.ts, which strip such rules at auto-mode entry.
 *
 * The matcher in each predicate handles the rule-shape variants (exact, `:*`,
 * trailing `*`, ` *`, ` -…*`). PS-specific cmdlet strings live in
 * isDangerousPowerShellPermission (permissionSetup.ts).
 */
/**
 * Cross-platform code-execution entry points present on both Unix and Windows.
 * Shared to prevent the two lists drifting apart on interpreter additions.
 */
export const CROSS_PLATFORM_CODE_EXEC = [
  // Interpreters
  'python',
  'python3',
  'python2',
  'node',
  'deno',
  'tsx',
  'ruby',
  'perl',
  'php',
  'lua',
  // Package runners
  'npx',
  'bunx',
  'npm run',
  'yarn run',
  'pnpm run',
  'bun run',
  // Shells reachable from both (Git Bash / WSL on Windows, native on Unix)
  'bash',
  'sh',
  // Remote arbitrary-command wrapper (native OpenSSH on Win10+)
  'ssh',
] as const
export const DANGEROUS_BASH_PATTERNS: readonly string[] = [
  ...CROSS_PLATFORM_CODE_EXEC,
  'zsh',
  'fish',
  'eval',
  'exec',
  'env',
  'xargs',
  'sudo',
  // Anthropic internal: ant-only tools plus general tools that ant sandbox
  // dotfile data shows are commonly over-allowlisted as broad prefixes.
  // These stay ant-only - external users don't have coo, and the rest are
  // an empirical-risk call grounded in ant sandbox data, not a universal
  // "this tool is unsafe" judgment. PS may want these once it has usage data.
  ...(process.env.USER_TYPE === 'ant'
    ? [
        'fa run',
        // Cluster code launcher - arbitrary code on the cluster
        'coo',
        // Network/exfil: gh gist create --public, gh api arbitrary HTTP,
        // curl/wget POST. gh api needs its own entry - the matcher is
        // exact-shape, not prefix, so pattern 'gh' alone does not catch
        // rule 'gh api:*' (same reason 'npm run' is separate from 'npm').
        'gh',
        'gh api',
        'curl',
        'wget',
        // git config core.sshCommand / hooks install = arbitrary code
        'git',
        // Cloud resource writes (s3 public buckets, k8s mutations)
        'kubectl',
        'aws',
        'gcloud',
        'gsutil',
      ]
    : []),
]
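The header comment says the matcher is exact-shape over a fixed set of rule variants, which is why 'gh api' and 'npm run' need their own entries. The sketch below is an added example, not the project's isDangerousBashPermission from permissionSetup.ts (that file is not shown here). The function names, the SAMPLE_PATTERNS subset, the sample rules and the reading of the ` -…*` shape are assumptions.

```typescript
// Added illustration only: NOT the predicate from permissionSetup.ts.
// SAMPLE_PATTERNS is a constructed subset of the lists shown on this page.
const SAMPLE_PATTERNS: readonly string[] = ['python', 'node', 'npm run', 'gh', 'gh api', 'ssh']

// Returns the text inside `Bash(...)`, or null for other tools / malformed rules.
function bashRuleContent(rule: string): string | null {
  const r = rule.trim()
  if (!r.startsWith('Bash(') || !r.endsWith(')')) return null
  return r.slice('Bash('.length, -1)
}

// Exact-shape comparison: the rule content must be the pattern itself or the
// pattern plus one of the wildcard tails named in the header comment.
function matchesShape(content: string, pattern: string): boolean {
  if (content === pattern) return true // exact: python
  if (content === `${pattern}:*`) return true // `:*`: python:*
  if (content === `${pattern}*`) return true // trailing `*`: python*
  if (content === `${pattern} *`) return true // ` *`: python *
  // ` -…*` (assumed reading): pattern, space, a dash-led flag, trailing wildcard.
  return content.startsWith(`${pattern} -`) && content.endsWith('*')
}

function isDangerousBashRule(rule: string, patterns: readonly string[] = SAMPLE_PATTERNS): boolean {
  const content = bashRuleContent(rule)
  return content !== null && patterns.some(p => matchesShape(content, p))
}

// Splits an allow list into rules that survive and rules that would be stripped.
function stripDangerousRules(rules: readonly string[], patterns: readonly string[] = SAMPLE_PATTERNS) {
  const kept: string[] = []
  const stripped: string[] = []
  for (const rule of rules) {
    if (isDangerousBashRule(rule, patterns)) stripped.push(rule)
    else kept.push(rule)
  }
  return { kept, stripped }
}

// Constructed allow list for the demonstration.
const CONSTRUCTED_RULES: readonly string[] = [
  'Bash(python:*)', 'Bash(node -e *)', 'Bash(npm run:*)', 'Bash(gh api:*)',
  'Bash(npm test)', 'Bash(git status)', 'Bash(ls:*)',
]
const demo = stripDangerousRules(CONSTRUCTED_RULES)
```

With only 'gh' in the pattern list, the rule `Bash(gh api:*)` passes through untouched; when reviewing such a list, check each multi-word subcommand that can run code or send data for its own entry.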