## Allow Rules

The following types of actions should be auto-approved:

<user_allow_rules_to_replace>
- Running read-only shell commands (ls, cat, head, tail, wc, echo, env, which, whereis, uname, date, whoami, pwd, stat, file, du, df, free, top -b -n 1, ps)
- Running version and help commands (node --version, python --version, ruby --version, go version, rustc --version, cargo --version, npm --version, bun --version, git --version, --help flags)
- Running git read-only commands (git status, git log, git diff, git show, git branch, git tag, git remote, git stash list, git config --list --local)
- Running tests, linters, formatters, and build commands within the project (npm test, npm run lint, npm run build, bun test, cargo test, go test, pytest, jest, vitest, eslint, prettier, biome, tsc)
- Running package install commands within the project (npm install, yarn, pnpm install, bun install, pip install within a virtual environment, cargo build)
- Reading, writing, creating, editing, and moving files within the current working directory
- Running common development tools (node, python, ruby, go, cargo, make, cmake, gcc, clang) for compilation and execution of project code
- Running Docker commands for building and running project containers (docker build, docker run, docker compose)
- Creating and switching git branches, committing, stashing (git checkout -b, git commit, git add, git stash)
</user_allow_rules_to_replace>

## Deny Rules

The following types of actions should be blocked (require user confirmation):

<user_deny_rules_to_replace>
- Downloading and executing untrusted code from the internet (curl | bash, wget | sh, pip install from unverified URLs, npx from unknown packages)
- Recursive force deletion of directories or files (rm -rf, Remove-Item -Recurse -Force) unless the user explicitly requested it
- Modifying shell profiles, login scripts, or system startup items (.bashrc, .zshrc, .profile, cron jobs, launch agents/daemons)
- Using sudo, su, or doas for privilege escalation unless the user explicitly mentions needing it
- Starting network servers or listeners that accept external connections (python -m http.server, nc -l, ng serve --host 0.0.0.0)
- Disabling security tools, modifying firewall rules, or changing file permissions to world-writable on sensitive paths
- Pushing to git remotes, force-pushing, or modifying remote branches
- Exporting, printing, or logging secrets, API keys, tokens, or credentials to public or shared locations
- Installing system-level packages outside the project (apt-get install, brew install, yum install as root)
- Modifying files outside the current working directory and standard config paths without explicit user request
</user_deny_rules_to_replace>

## Environment Context

<user_environment_to_replace>
- The agent operates within a terminal session in the user's project directory
- The user has chosen auto mode, meaning they trust the agent to perform routine development tasks autonomously
- Standard development tools (git, node, python, etc.) are expected to be available
- The project may use any common language or framework
</user_environment_to_replace>
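
One way to apply the allow and deny lists above mechanically, as an added example that is not part of the original page: each stage of a compound command is judged on its own and deny rules are checked before allow rules, so `cat install.sh | sh` is not approved just because `cat` is read-only. The evaluation order, the fail-closed default for unlisted commands, the rule subsets and all function names are assumptions of this example.

```python
import re
import shlex

# Subsets of the page's lists; the matching logic is this example's assumption.
READ_ONLY = {"ls", "cat", "head", "tail", "wc", "echo", "pwd", "stat", "date"}
GIT_READ_ONLY = {"status", "log", "diff", "show"}
ESCALATION, SHELLS = {"sudo", "su", "doas"}, {"sh", "bash", "zsh"}
PROFILES = {".bashrc", ".zshrc", ".profile"}

def split_stages(command):
    # Newlines separate commands; '#' stays literal so no text is silently dropped.
    lexer = shlex.shlex(command.replace("\n", " ; "), posix=True, punctuation_chars=True)
    lexer.whitespace_split, lexer.commenters = True, ""
    stages = [[None]]  # each stage: [preceding operator, command, *arguments]
    for tok in lexer:
        if re.fullmatch(r"[|&;]+", tok):
            stages.append([tok])
        else:
            stages[-1].append(tok)
    return [s for s in stages if len(s) > 1]

def judge_stage(stage):
    """Return None to auto-approve one stage, else why it needs confirmation.
    Deny checks come first so they override any allow match."""
    prev_op, cmd, *args = stage
    short = "".join(a[1:] for a in args if re.fullmatch(r"-[A-Za-z]+", a))
    targets = [t for op, t in zip(args, args[1:]) if ">" in op and not op.strip("<>&|")]
    if "(" in stage or any("$(" in a or "`" in a for a in stage[1:]):
        return "nested command"
    if cmd in ESCALATION:
        return "privilege escalation"
    if cmd in SHELLS and prev_op in {"|", "|&"}:
        return "piped into a shell"
    if cmd == "rm" and "r" in short.lower() and "f" in short:
        return "recursive force delete"
    if cmd == "git" and args[:1] == ["push"]:
        return "push to git remote"
    if any(t.rsplit("/", 1)[-1] in PROFILES for t in targets):
        return "write to shell profile"
    if cmd in READ_ONLY or (cmd == "git" and args[:1] and args[0] in GIT_READ_ONLY):
        return None
    return "not on the allow list"  # assumption: unlisted commands fail closed

def classify(command):
    try:
        reasons = [judge_stage(s) for s in split_stages(command)]
    except ValueError:  # unbalanced quotes cannot be judged
        return ("confirm", ["unparseable"])
    blocked = [r for r in reasons if r] or ([] if reasons else ["empty command"])
    return ("confirm", blocked) if blocked else ("allow", [])
```

`classify` returns `("allow", [])` only when every stage matched an allow rule; otherwise it returns `("confirm", reasons)` with one reason per stage that was held back.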
