{
  "version": 1,
  "safe_paths": [
    "~/.claude",
    "~/projects"
  ],
  "blocked_paths": [
    "/etc",
    "/usr",
    "/var",
    "/boot",
    "/sys",
    "/proc",
    "~/.ssh",
    "~/.gnupg",
    "~/.aws"
  ],
  "rules": {
    "bash": [
      {"pattern": "rm -rf /($|[^a-zA-Z])", "action": "block", "name": "rm_rf_root"},
      {"pattern": "rm -rf ~($|[^a-zA-Z])", "action": "block", "name": "rm_rf_home"},
      {"pattern": "rm -rf \\*", "action": "block", "name": "rm_rf_wildcard"},
      {"pattern": "chmod -R 777", "action": "block", "name": "chmod_777"},
      {"pattern": ":\\(\\)\\{ :\\|:& \\};:", "action": "block", "name": "fork_bomb"},
      {"pattern": "mkfs\\.", "action": "block", "name": "mkfs"},
      {"pattern": "dd .* of=/dev/", "action": "block", "name": "dd_device"},
      {"pattern": "> /dev/sd[a-z]", "action": "block", "name": "overwrite_device"},
      {"pattern": "shutdown", "action": "confirm", "name": "shutdown"},
      {"pattern": "reboot", "action": "confirm", "name": "reboot"},
      {"pattern": "systemctl (stop|disable|mask)", "action": "confirm", "name": "systemctl_destructive"},
      {"pattern": "rm ", "action": "confirm", "name": "rm_outside_safe", "outside_safe_paths": true},
      {"pattern": "kubectl delete", "action": "confirm", "name": "kubectl_delete"},
      {"pattern": "docker rm", "action": "confirm", "name": "docker_rm"},
      {"pattern": "docker system prune", "action": "confirm", "name": "docker_prune"}
    ],
    "write": [
      {"path_match": "blocked_paths", "action": "block", "name": "write_blocked_path"},
      {"path_match": "outside_safe_paths", "action": "confirm", "name": "write_outside_safe"}
    ],
    "edit": [
      {"path_match": "blocked_paths", "action": "block", "name": "edit_blocked_path"},
      {"path_match": "outside_safe_paths", "action": "confirm", "name": "edit_outside_safe"}
    ]
  }
}