longline 0.13.0

System-installed safety hook for Claude Code
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277

# Git operations: read/write commands and destructive operations

allowlists:
  commands:
    # ── Git: read operations ──────────────────────────────────────
    - { command: "git status", trust: minimal }
    - { command: "git diff", trust: minimal }
    - { command: "git log", trust: minimal }
    - { command: "git show", trust: minimal }
    - { command: "git branch", trust: minimal }
    - { command: "git stash list", trust: minimal }
    - { command: "git remote", trust: minimal }
    - { command: "git tag", trust: minimal }
    - { command: "git rev-parse", trust: minimal }
    - { command: "git blame", trust: minimal }
    - { command: "git describe", trust: minimal }
    - { command: "git shortlog", trust: minimal }
    - { command: "git reflog", trust: minimal }
    - { command: "git ls-files", trust: minimal }
    - { command: "git ls-tree", trust: minimal }
    - { command: "git cat-file", trust: minimal }
    - { command: "git grep", trust: minimal }
    - { command: "git archive", trust: minimal }
    - { command: "git check-ignore", trust: minimal }
    - { command: "git symbolic-ref", trust: minimal }
    - { command: "git show-ref", trust: minimal }
    - { command: "git diff-tree", trust: minimal }
    # ── Git: info/help commands ───────────────────────────────────
    - { command: "git --version", trust: minimal }
    - { command: "git -v", trust: minimal }
    - { command: "git help", trust: minimal }
    - { command: "git -h", trust: minimal }
    # ── Git: history/ref commands ─────────────────────────────────
    - { command: "git merge-base", trust: minimal }
    - { command: "git rev-list", trust: minimal }
    - { command: "git for-each-ref", trust: minimal }
    - { command: "git name-rev", trust: minimal }
    - { command: "git verify-pack", trust: minimal }
    - { command: "git fsck", trust: minimal }
    # ── Git: safe write operations ────────────────────────────────
    - { command: "git config", trust: standard, reason: "Reads or modifies local git configuration" }
    - { command: "git bisect", trust: standard, reason: "Binary searches commit history to find a bug" }
    - { command: "git add", trust: standard, reason: "Stages file changes for the next commit" }
    - { command: "git commit", trust: standard, reason: "Creates a new commit from staged changes" }
    - { command: "git fetch", trust: standard, reason: "Downloads objects and refs from a remote" }
    - { command: "git pull", trust: standard, reason: "Fetches and merges changes from a remote branch" }
    - { command: "git push", trust: full, reason: "Pushes local commits to a remote repository" }
    - { command: "git stash", trust: standard, reason: "Temporarily shelves uncommitted changes" }
    - { command: "git checkout", trust: standard, reason: "Switches branches or restores files" }
    - { command: "git switch", trust: standard, reason: "Switches to a different branch" }
    - { command: "git restore", trust: standard, reason: "Restores working tree files from a source" }
    - { command: "git merge", trust: standard, reason: "Merges another branch into the current branch" }
    - { command: "git cherry-pick", trust: standard, reason: "Applies changes from specific commits" }
    - { command: "git worktree", trust: standard, reason: "Manages multiple working trees" }
    - { command: "git clone", trust: standard, reason: "Clones a repository into a new directory" }
    - { command: "git init", trust: standard, reason: "Creates a new git repository" }
    # ── Git: safe file operations ────────────────────────────────────
    - { command: "git mv", trust: standard, reason: "Moves or renames a file tracked by git" }
    - { command: "git rm", trust: standard, reason: "Removes files from the working tree and index" }
    # ── Git: stash operations ────────────────────────────────────────
    - { command: "git stash pop", trust: standard, reason: "Applies and removes the top stashed changes" }
    - { command: "git stash apply", trust: standard, reason: "Applies stashed changes without removing them" }
    # ── Git: maintenance commands ──────────────────────────────────
    - { command: "git revert", trust: standard, reason: "Creates a new commit that undoes a previous commit" }
    - { command: "git gc", trust: full, reason: "Runs garbage collection on the repository" }

rules:
  # ============================================================
  # HIGH: VCS destructive operations
  # ============================================================
  - id: git-force-push-main
    level: high
    match:
      command: git
      flags:
        any_of: ["--force", "-f", "--force-with-lease", "--force-if-includes"]
      args:
        any_of: ["main", "master"]
    decision: ask
    reason: "Force pushing to main/master branch"

  - id: git-reset-hard
    level: high
    match:
      command: git
      args:
        any_of: ["--hard"]
    decision: ask
    reason: "git reset --hard discards uncommitted changes"

  - id: git-clean-force
    level: high
    match:
      command: git
      args:
        any_of: ["clean"]
      flags:
        any_of: ["-f", "--force"]
    decision: ask
    reason: "git clean -f permanently removes untracked files"

  - id: git-branch-delete-force
    level: high
    match:
      command: git
      args:
        any_of: ["branch"]
      flags:
        any_of: ["-D"]
    decision: ask
    reason: "Force deleting a git branch"

  - id: git-commit-amend
    level: high
    match:
      command: git
      args:
        any_of: ["commit"]
      flags:
        any_of: ["--amend"]
    decision: ask
    reason: "git commit --amend rewrites the previous commit"

  - id: git-remote-modify
    level: high
    match:
      command: git
      args:
        any_of: ["remote"]
      flags:
        any_of: ["add", "remove", "rm", "set-url", "rename"]
    decision: ask
    reason: "Modifying git remote configuration"

  - id: git-tag-delete
    level: high
    match:
      command: git
      args:
        any_of: ["tag"]
      flags:
        any_of: ["-d", "--delete"]
    decision: ask
    reason: "Deleting git tag"

  - id: git-push-delete
    level: high
    match:
      command: git
      args:
        any_of: ["push"]
      flags:
        any_of: ["--delete", "-d"]
    decision: ask
    reason: "Deleting remote branch or tag"

  - id: git-config-global
    level: high
    match:
      command: git
      args:
        any_of: ["config"]
      flags:
        any_of: ["--global", "--system"]
    decision: ask
    reason: "Modifying global/system git configuration"

  - id: git-stash-drop
    level: high
    match:
      command: git
      args:
        any_of: ["stash"]
      flags:
        any_of: ["drop", "clear"]
    decision: ask
    reason: "Dropping stashed changes (data loss)"

  - id: git-reflog-delete
    level: high
    match:
      command: git
      args:
        any_of: ["reflog"]
      flags:
        any_of: ["delete", "expire"]
    decision: ask
    reason: "Deleting reflog entries (history loss)"

  - id: git-gc-prune
    level: high
    match:
      command: git
      args:
        any_of: ["gc"]
      flags:
        starts_with: ["--prune"]
    decision: ask
    reason: "git gc with pruning can remove unreachable objects"

  - id: git-worktree-remove
    level: high
    match:
      command: git
      args:
        any_of: ["worktree"]
      flags:
        any_of: ["remove", "prune"]
    decision: ask
    reason: "Removing git worktree"

  - id: git-bisect-reset
    level: high
    match:
      command: git
      args:
        any_of: ["bisect"]
      flags:
        any_of: ["reset"]
    decision: ask
    reason: "Exiting bisect mode (changes HEAD)"

  - id: git-pull-force
    level: high
    match:
      command: git
      args:
        any_of: ["pull"]
      flags:
        any_of: ["--force", "-f"]
    decision: ask
    reason: "git pull --force can overwrite local changes"

  - id: git-rebase
    level: high
    match:
      command: git
      args:
        any_of: ["rebase"]
    decision: ask
    reason: "git rebase rewrites history and can cause data loss"

  - id: git-symbolic-ref-delete
    level: high
    match:
      command: git
      args:
        any_of: ["symbolic-ref"]
      flags:
        any_of: ["--delete", "-d"]
    decision: ask
    reason: "git symbolic-ref --delete removes symbolic references"

  - id: git-force-push-any
    level: high
    match:
      command: git
      flags:
        any_of: ["--force", "-f", "--force-with-lease", "--force-if-includes"]
      args:
        any_of: ["push"]
    decision: ask
    reason: "Force pushing (any branch)"

  # ============================================================
  # STRICT: Cautionary git operations
  # ============================================================
  - id: git-checkout-dot
    level: strict
    match:
      command: git
      args:
        any_of: ["checkout", "restore"]
      flags:
        any_of: [".", "--"]
    decision: ask
    reason: "Discarding all local changes"