vikingowl
ea4996c663
6 permission modes: - default: prompt for every tool invocation - accept_edits: auto-allow file ops, prompt for bash/destructive - bypass: allow everything (deny rules still enforced) - deny: deny all unless explicit allow rule - plan: read-only tools only - auto: auto-allow read-only, prompt for writes 7-step decision flow: deny rules (bypass-immune) → safety checks (.env, .git, credentials, ssh keys) → bypass → allow rules → mode-specific → prompt. Compound bash command decomposition via mvdan.cc/sh AST parser. Splits on && and || but preserves pipes as single units. Deny from any subcommand denies the entire compound. 15 permission tests.