longline 0.15.0

System-installed safety hook for Claude Code
# CLI tools: gh, glab, glp, pfp, git-cliff

# Command allowlist for the CLI tools covered by this file. Each entry names a
# command string and a trust tier (minimal, standard or full); every standard
# and full entry also carries a human-readable reason.
# NOTE(review): how tiers are enforced, and whether `command` matches as a
# prefix of the invocation, is defined by longline and not by this file —
# confirm both before relying on an entry as a security boundary.
allowlists:
  commands:
    # ── glp (GitLab Pipeline CLI): read-only invocations ──────────
    - { command: "glp status", trust: minimal }
    - { command: "glp jobs", trust: minimal }
    - { command: "glp log", trust: minimal }
    - { command: "glp --version", trust: minimal }
    - { command: "glp --help", trust: minimal }
    - { command: "glp -h", trust: minimal }
    # ── glp: remote-write operations (full trust) ────────────────
    - { command: "glp retry", trust: full, reason: "Retries a GitLab CI/CD pipeline job" }
    # ── glab (GitLab CLI): read-only invocations ──────────────────
    # Note: mutating API calls (POST/PUT/DELETE/PATCH) caught by glab-api-mutating rule
    # NOTE(review): `glab auth status` accepts --show-token (-t), which prints
    # the stored credential. If entries match by prefix, that form is allowed
    # at minimal trust — confirm, and consider an `ask` rule for it.
    - { command: "glab auth status", trust: minimal }
    - { command: "glab ci status", trust: minimal }
    - { command: "glab ci view", trust: minimal }
    - { command: "glab ci list", trust: minimal }
    - { command: "glab ci trace", trust: minimal }
    - { command: "glab ci get", trust: minimal }
    - { command: "glab repo list", trust: minimal }
    - { command: "glab repo view", trust: minimal }
    - { command: "glab group list", trust: minimal }
    - { command: "glab issue list", trust: minimal }
    - { command: "glab issue view", trust: minimal }
    - { command: "glab mr list", trust: minimal }
    - { command: "glab mr view", trust: minimal }
    - { command: "glab --version", trust: minimal }
    - { command: "glab --help", trust: minimal }
    # ── gh (GitHub CLI): read-only invocations ───────────────────────
    # Note: mutating API calls (POST/PUT/DELETE/PATCH) caught by gh-api-mutating rule
    # NOTE(review): `gh auth status` accepts --show-token (-t), which prints
    # the stored credential. If entries match by prefix, that form is allowed
    # at minimal trust — confirm, and consider an `ask` rule for it.
    - { command: "gh pr list", trust: minimal }
    - { command: "gh pr view", trust: minimal }
    - { command: "gh pr status", trust: minimal }
    - { command: "gh pr diff", trust: minimal }
    - { command: "gh pr checks", trust: minimal }
    - { command: "gh issue list", trust: minimal }
    - { command: "gh issue view", trust: minimal }
    - { command: "gh issue status", trust: minimal }
    - { command: "gh repo list", trust: minimal }
    - { command: "gh repo view", trust: minimal }
    - { command: "gh auth status", trust: minimal }
    - { command: "gh --version", trust: minimal }
    - { command: "gh --help", trust: minimal }
    - { command: "gh -h", trust: minimal }
    # ── gh: GitHub Actions read-only invocations (standard trust) ────
    # These query runs and workflows on GitHub without changing them; no glab
    # entry sits at the standard tier in this file.
    - { command: "gh run list", trust: standard, reason: "Lists GitHub Actions workflow runs" }
    - { command: "gh run view", trust: standard, reason: "Views details of a GitHub Actions run" }
    - { command: "gh run watch", trust: standard, reason: "Watches a GitHub Actions run until it completes" }
    - { command: "gh workflow list", trust: standard, reason: "Lists GitHub Actions workflows" }
    - { command: "gh workflow view", trust: standard, reason: "Views details of a GitHub Actions workflow" }
    # ── gh: remote-write operations (full trust) ───────────────────
    # NOTE(review): as far as this file shows, `gh api` is narrowed only by the
    # gh-api-mutating rule, which looks for a literal method argument. gh
    # documents that the method defaults to POST once request fields or
    # --input are supplied, and GraphQL requests are always POST, so a write
    # need not name its method — confirm the rule's coverage.
    - { command: "gh api", trust: full, reason: "Makes authenticated GitHub API requests" }
    - { command: "gh pr create", trust: full, reason: "Creates a pull request on GitHub" }
    - { command: "gh pr merge", trust: full, reason: "Merges a pull request on GitHub" }
    - { command: "gh pr close", trust: full, reason: "Closes a pull request on GitHub" }
    - { command: "gh pr reopen", trust: full, reason: "Reopens a closed pull request" }
    - { command: "gh pr comment", trust: full, reason: "Adds a comment to a pull request" }
    - { command: "gh pr review", trust: full, reason: "Submits a review on a pull request" }
    - { command: "gh pr edit", trust: full, reason: "Edits a pull request's metadata" }
    - { command: "gh pr ready", trust: full, reason: "Marks a pull request as ready for review" }
    - { command: "gh issue create", trust: full, reason: "Creates a new GitHub issue" }
    - { command: "gh issue close", trust: full, reason: "Closes a GitHub issue" }
    - { command: "gh issue reopen", trust: full, reason: "Reopens a closed GitHub issue" }
    - { command: "gh issue comment", trust: full, reason: "Adds a comment to a GitHub issue" }
    - { command: "gh issue edit", trust: full, reason: "Edits a GitHub issue's metadata" }
    - { command: "gh issue delete", trust: full, reason: "Permanently deletes a GitHub issue" }
    - { command: "gh release create", trust: full, reason: "Creates a new GitHub release" }
    - { command: "gh release delete", trust: full, reason: "Deletes a GitHub release" }
    - { command: "gh release edit", trust: full, reason: "Edits a GitHub release" }
    - { command: "gh repo create", trust: full, reason: "Creates a new GitHub repository" }
    - { command: "gh repo delete", trust: full, reason: "Permanently deletes a GitHub repository" }
    - { command: "gh repo edit", trust: full, reason: "Edits GitHub repository settings" }
    - { command: "gh repo fork", trust: full, reason: "Forks a GitHub repository" }
    - { command: "gh label create", trust: full, reason: "Creates a new label in a repository" }
    - { command: "gh label edit", trust: full, reason: "Edits an existing repository label" }
    - { command: "gh label delete", trust: full, reason: "Deletes a repository label" }
    - { command: "gh run rerun", trust: full, reason: "Re-runs a GitHub Actions workflow run" }
    - { command: "gh run cancel", trust: full, reason: "Cancels a GitHub Actions workflow run" }
    - { command: "gh workflow run", trust: full, reason: "Triggers a GitHub Actions workflow" }
    - { command: "gh workflow enable", trust: full, reason: "Enables a GitHub Actions workflow" }
    - { command: "gh workflow disable", trust: full, reason: "Disables a GitHub Actions workflow" }
    # ── glab: remote-write operations (full trust) ─────────────────
    # NOTE(review): as far as this file shows, `glab api` is narrowed only by
    # the glab-api-mutating rule, which looks for a literal method argument.
    # glab documents that the method defaults to POST once request fields are
    # supplied, so a write need not name its method — confirm the rule's
    # coverage.
    - { command: "glab api", trust: full, reason: "Makes authenticated GitLab API requests" }
    - { command: "glab mr create", trust: full, reason: "Creates a merge request on GitLab" }
    - { command: "glab mr merge", trust: full, reason: "Merges a merge request on GitLab" }
    - { command: "glab mr close", trust: full, reason: "Closes a merge request on GitLab" }
    - { command: "glab mr reopen", trust: full, reason: "Reopens a closed merge request" }
    - { command: "glab mr approve", trust: full, reason: "Approves a merge request on GitLab" }
    - { command: "glab mr revoke", trust: full, reason: "Revokes approval from a merge request" }
    - { command: "glab mr comment", trust: full, reason: "Adds a comment to a merge request" }
    - { command: "glab mr note", trust: full, reason: "Adds a note to a merge request" }
    - { command: "glab mr update", trust: full, reason: "Updates a merge request's metadata" }
    - { command: "glab mr delete", trust: full, reason: "Deletes a merge request on GitLab" }
    - { command: "glab issue create", trust: full, reason: "Creates a new GitLab issue" }
    - { command: "glab issue close", trust: full, reason: "Closes a GitLab issue" }
    - { command: "glab issue reopen", trust: full, reason: "Reopens a closed GitLab issue" }
    - { command: "glab issue comment", trust: full, reason: "Adds a comment to a GitLab issue" }
    - { command: "glab issue note", trust: full, reason: "Adds a note to a GitLab issue" }
    - { command: "glab issue update", trust: full, reason: "Updates a GitLab issue's metadata" }
    - { command: "glab issue delete", trust: full, reason: "Permanently deletes a GitLab issue" }
    - { command: "glab release create", trust: full, reason: "Creates a new GitLab release" }
    - { command: "glab release delete", trust: full, reason: "Deletes a GitLab release" }
    - { command: "glab ci run", trust: full, reason: "Triggers a GitLab CI/CD pipeline" }
    - { command: "glab ci retry", trust: full, reason: "Retries a GitLab CI/CD pipeline job" }
    - { command: "glab ci cancel", trust: full, reason: "Cancels a GitLab CI/CD pipeline" }
    - { command: "glab repo create", trust: full, reason: "Creates a new GitLab repository" }
    - { command: "glab repo fork", trust: full, reason: "Forks a GitLab repository" }
    - { command: "glab repo delete", trust: full, reason: "Permanently deletes a GitLab repository" }
    - { command: "glab label create", trust: full, reason: "Creates a new label in a GitLab project" }
    - { command: "glab label delete", trust: full, reason: "Deletes a label from a GitLab project" }
    # ── pfp (Prefect Pipeline CLI): read-only invocations ─────────
    - { command: "pfp ls", trust: minimal }
    - { command: "pfp list", trust: minimal }
    - { command: "pfp runs", trust: minimal }
    - { command: "pfp logs", trust: minimal }
    - { command: "pfp --help", trust: minimal }
    - { command: "pfp -h", trust: minimal }
    - { command: "pfp --version", trust: minimal }
    - { command: "pfp -V", trust: minimal }
    # ── pfp: mutating operations (full trust) ────────────────────
    - { command: "pfp run", trust: full, reason: "Triggers a Prefect flow run" }
    - { command: "pfp pause", trust: full, reason: "Pauses a Prefect flow run" }
    - { command: "pfp resume", trust: full, reason: "Resumes a paused Prefect flow run" }
    - { command: "pfp cancel", trust: full, reason: "Cancels a Prefect flow run" }
    # ── git-cliff: stdout-only invocations ────────────────────────
    # The bare `git-cliff` entry covers the tool as a whole, so the stdout-only
    # claim holds only while the git-cliff-write-file rule names every
    # file-writing option; keep that rule's flag list in step with git-cliff.
    - { command: "git-cliff", trust: standard, reason: "Generates a changelog from git history" }
    - { command: "git-cliff --unreleased", trust: standard, reason: "Generates changelog for unreleased changes" }
    - { command: "git-cliff --latest", trust: standard, reason: "Generates changelog for the latest release" }
    - { command: "git-cliff --current", trust: standard, reason: "Generates changelog for the current version" }

# Rules that override the allowlist for risky invocations of the tools above.
# Each rule has an id, a severity level, a match clause and a decision; every
# rule in this file uses `decision: ask`.
# NOTE(review): presumably `ask` hands the command to the user for
# confirmation instead of auto-allowing it — confirm against longline's docs.
rules:
  # ============================================================
  # HIGH: CLI tool mutating operations
  # ============================================================
  # Asks when a glab invocation carries one of the listed HTTP method names
  # as an argument. The match is on `command: glab` alone, so it is not
  # limited to `glab api`; extra prompts on other subcommands fail safe.
  # NOTE(review): the method names are literal upper-case tokens. A request
  # whose method is implied (glab switches to POST when fields are supplied)
  # or attached to its flag (`--method=POST`) may not produce such a token —
  # confirm how longline tokenises args, and consider covering the field and
  # input flags as well.
  - id: glab-api-mutating
    level: high
    match:
      command: glab
      args:
        any_of: ["POST", "PUT", "DELETE", "PATCH"]
    decision: ask
    reason: "GitLab API mutating operation (POST/PUT/DELETE/PATCH)"

  # Asks when a gh invocation carries one of the listed HTTP method names as
  # an argument. The match is on `command: gh` alone, so it is not limited to
  # `gh api`; extra prompts on other subcommands fail safe.
  # NOTE(review): the method names are literal upper-case tokens. A request
  # whose method is implied (gh switches to POST when fields or --input are
  # supplied, and GraphQL requests are always POST) or attached to its flag
  # (`--method=POST`) may not produce such a token — confirm how longline
  # tokenises args, and consider covering the field and input flags as well.
  - id: gh-api-mutating
    level: high
    match:
      command: gh
      args:
        any_of: ["POST", "PUT", "DELETE", "PATCH"]
    decision: ask
    reason: "GitHub API mutating operation (POST/PUT/DELETE/PATCH)"

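  # Asks before git-cliff runs with a flag that writes a file or sets release
  # state; the allowlist describes its git-cliff entries as stdout-only.
  # Short and long spellings are listed separately, following the existing
  # -o/--output pair: -i/--init writes a config file, -o/--output and
  # -p/--prepend write the changelog file, -t/--tag sets the tag used for the
  # latest version.
  # NOTE(review): attached forms such as `--output=FILE` depend on how
  # longline tokenises flags — confirm they match.
  - id: git-cliff-write-file
    level: high
    match:
      command: git-cliff
      flags:
        any_of: ["-i", "--init", "-o", "--output", "-p", "--prepend", "-t", "--tag"]
    decision: ask
    reason: "git-cliff operation that writes files or modifies state"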