safe-chains 0.15.1

Auto-allow safe, read-only bash commands in agentic coding tools
# Supported Commands

Auto-generated by `safe-chains --list-commands`.

Any command whose sole argument is `--version` or `--help` is always allowed.

## Unconditionally Safe

These commands are allowed with any arguments.

| Command | Description |
|---------|-------------|
| `arch` | Print machine architecture |
| `b2sum` | BLAKE2 checksum |
| `base64` | Base64 encode/decode |
| `basename` | Strip directory from path |
| `bat` | `cat` clone with syntax highlighting |
| `bc` | Calculator |
| `branchdiff` | Branch diff tool |
| `cal` | Display calendar |
| `cat` | Print file contents |
| `cd` | Change directory |
| `cksum` | File checksum |
| `cloc` | Count lines of code |
| `colordiff` | Colorized diff |
| `column` | Format into columns |
| `comm` | Compare sorted files |
| `command` | Run command or check existence |
| `cucumber` | BDD test runner |
| `cut` | Extract fields from lines |
| `date` | Display date and time |
| `delta` | Syntax-highlighting pager for diff output |
| `df` | Disk free space |
| `diff` | Compare files |
| `dig` | DNS lookup |
| `dirname` | Strip filename from path |
| `du` | Disk usage |
| `dust` | Disk usage (`du` alternative) |
| `echo` | Print text |
| `exa` | Modern `ls` replacement |
| `expand` | Convert tabs to spaces |
| `expr` | Evaluate expression |
| `eza` | Modern `ls` replacement (fork of `exa`) |
| `factor` | Print prime factors |
| `false` | Return failure exit code |
| `fd` | Find files |
| `file` | Detect file type |
| `fmt` | Reformat text |
| `fold` | Wrap lines |
| `getconf` | Get system configuration values |
| `grep` | Search file contents |
| `groups` | Print group memberships |
| `head` | Print first lines |
| `hexdump` | Display file in hex |
| `host` | DNS lookup |
| `hostname` | Print hostname |
| `htop` | Interactive process viewer |
| `iconv` | Convert character encoding |
| `id` | Print user/group IDs |
| `identify` | ImageMagick identify |
| `ifconfig` | Show network interface configuration |
| `ioreg` | Display I/O Kit registry (macOS) |
| `iotop` | Show I/O usage by process |
| `jq` | JSON processor |
| `last` | Show login history |
| `lastlog` | Show most recent logins per user |
| `locale` | Print locale info |
| `ls` | List directory |
| `lsof` | List open files |
| `md5` | MD5 checksum (macOS) |
| `md5sum` | MD5 checksum |
| `mdfind` | Spotlight search (macOS) |
| `mdls` | File metadata (macOS) |
| `netstat` | Network connections and statistics |
| `nl` | Number lines |
| `nm` | List object file symbols |
| `nproc` | Print number of CPUs |
| `nslookup` | DNS lookup |
| `od` | Octal dump |
| `otool` | Object file tool (macOS) |
| `paste` | Merge lines of files |
| `pgrep` | Search for processes |
| `printenv` | Print environment variables |
| `printf` | Format and print text |
| `procs` | Process viewer (`ps` alternative) |
| `ps` | List processes |
| `pwd` | Print working directory |
| `readlink` | Resolve symlink |
| `realpath` | Resolve path |
| `rev` | Reverse lines |
| `rg` | Ripgrep search |
| `route` | Show routing table |
| `safe-chains` | This tool's own CLI |
| `seq` | Print number sequence |
| `sha1sum` | SHA-1 checksum |
| `sha256sum` | SHA-256 checksum |
| `sha512sum` | SHA-512 checksum |
| `shasum` | SHA checksum |
| `shellcheck` | Shell script linter |
| `size` | Object file section sizes |
| `sleep` | Pause execution |
| `ss` | Socket statistics |
| `stat` | File status |
| `strings` | Find printable strings in binary |
| `sum` | File checksum |
| `sw_vers` | macOS version info |
| `system_profiler` | Hardware and software report (macOS) |
| `tac` | Print file in reverse |
| `tail` | Print last lines |
| `test` | Evaluate conditional expression |
| `tokei` | Code statistics |
| `top` | Display running processes |
| `tr` | Translate characters |
| `tree` | Directory tree |
| `true` | Return success exit code |
| `tty` | Print terminal name |
| `uname` | System information |
| `unexpand` | Convert spaces to tabs |
| `uniq` | Filter duplicate lines |
| `uptime` | System uptime |
| `uuidgen` | Generate UUID |
| `vm_stat` | Virtual memory statistics (macOS) |
| `w` | Show logged-in users and their activity |
| `wc` | Count lines/words/bytes |
| `which` | Locate command |
| `who` | Show logged-in users |
| `whoami` | Print current user |
| `whois` | Domain registration lookup |
| `xxd` | Hex dump |

## Handled Commands

These commands are allowed with specific subcommands or flags.

### `asdf`

Allowed: current, which, help, list, --version, plugin-list, plugin-list-all. Multi-word: plugin list.

### `awk / gawk / mawk / nawk`

Safe unless the program text contains `system`, `getline`, `|`, `>` or `>>`, or the `-f` flag is used (program read from a file).

### `bash / sh`

Only `bash -c` / `sh -c` with a safe inner command. Scripts denied.

### `brew`

Allowed: list, info, --version, search, deps, uses, leaves, outdated, cat, desc, home, formulae, casks, config, doctor, log, tap, shellenv.

### `bun`

Allowed: --version, test, outdated. Multi-word: pm ls/hash/cache/bin, x (delegates to bunx logic).

### `bundle`

Read-only: list, info, show, check. Guarded: exec (rspec, standardrb, cucumber, brakeman, erb_lint, herb only).

### `bunx`

Whitelisted packages only: eslint, @herb-tools/linter, karma. Guarded: tsc (requires --noEmit). Skips flags: --bun/--no-install/--package/-p.

### `cargo`

Allowed: clippy, test, build, check, doc, search, --version, bench, tree, metadata, verify-project, pkgid, locate-project, read-manifest, audit, deny, license. Guarded: fmt (requires --check).

### `cmake`

Allowed: --version, --system-information (single argument only).

### `codesign`

Allowed: -d/--display, -v/--verify. Denied if -s/--sign, --remove-signature, or -f/--force present.

### `composer`

Allowed: show, info, diagnose, outdated, licenses, check-platform-reqs, suggests, fund, audit, --version, about, help.

### `conda`

Allowed: list, info, --version. Guarded: config (--show/--show-sources only).

### `csrutil`

Allowed: status, report, authenticated-root.

### `defaults`

Allowed: read, read-type, domains, find, export.

### `deno`

Allowed: --version, info, doc, lint, check, test. Guarded: fmt (requires --check).

### `diskutil`

Allowed: list, info, activity, listFilesystems. Multi-word: apfs list, apfs listCryptoUsers, apfs listSnapshots, apfs listVolumeGroups.

### `docker / podman`

Read-only: ps, images, logs, inspect, info, version, top, stats, history, port, diff. Multi-word: network ls/inspect, volume ls/inspect, container ls/list/inspect/logs/top/stats/diff/port, image ls/list/inspect/history, system info/df, compose config/ps/ls/top/images/version, context ls/inspect/show, manifest inspect, buildx ls/inspect/version.

### `dotnet`

Allowed: --version, --info, --list-sdks, --list-runtimes, build, test, list.

### `env`

Strips flags (-i, -u) and KEY=VALUE pairs, then recursively validates the inner command. Bare `env` allowed.

### `find`

Safe unless one of the dangerous flags is present: -delete, -ok, -okdir, -fls, -fprint, -fprint0, -fprintf. -exec/-execdir are allowed when the executed command is itself safe.

### `fnm`

Allowed: list, current, default, --version, ls-remote.

### `gem`

Allowed: list, info, environment, which, pristine, search, specification, dependency, contents, sources, stale, outdated, help.

### `gh`

Read-only subcommands (view/list/status/diff/checks/verify): pr, issue, repo, release, run, workflow, label, codespace, variable, extension, cache, attestation, gpg-key, ssh-key. Always safe: search, status. Guarded: auth (status/token only), browse (requires --no-browser), api (GET only, no body flags).

### `git`

Read-only: log, diff, show, status, ls-tree, grep, rev-parse, merge-base, merge-tree, fetch, help, shortlog, describe, blame, reflog, ls-files, ls-remote, diff-tree, cat-file, name-rev, for-each-ref, count-objects, verify-commit, verify-tag. Guarded: remote (deny add/remove/rename/set-url/prune), branch (deny -d/-m/-c/--delete/--move/--copy), stash (list, show only), tag (list only, deny -d/-a/-s/-f), config (--list/--get/--get-all/--get-regexp/-l only), worktree (list only), notes (show, list only). Supports `-C <dir>` prefix.

### `go`

Allowed: version, env, list, vet, test, build, doc.

### `gradle / gradlew`

Allowed: tasks, dependencies, properties, --version, test, build, check.

### `hyperfine`

Recursively validates each benchmarked command. Denied if --prepare, --cleanup, or --setup flags are used (arbitrary shell execution).

### `jj`

Read-only: log, diff, show, status, st, help, --version. Multi-word: op log, file show, config get/list, bookmark list, git remote list.

### `launchctl`

Allowed: list, print, print-cache, print-disabled, dumpstate, blame, hostinfo, resolveport, examine, version, help, error.

### `lipo`

Allowed: -info, -detailed_info, -archs, -verify_arch. Denied if -output flag present.

### `llm`

Allowed: models, plugins, templates, aliases, logs, collections. Denied: prompt, chat, keys, install, embed.

### `log`

Allowed: help, show, stats, stream. Denied: config, erase, collect.

### `mise`

Allowed: ls, list, current, which, doctor, --version. Multi-word: settings get.

### `mvn / mvnw`

Allowed: --version, -v, dependency:tree, dependency:list, help:describe, validate, test, compile, verify, test-compile.

### `networksetup`

Allowed: subcommands starting with -list, -get, -show, -print, plus -version and -help.

### `nice / ionice`

Skips priority flags (-n/--adjustment), then recursively validates the inner command.

### `npm`

Read-only: view, info, list, ls, test, audit, outdated, explain, why, fund, prefix, root, doctor. Guarded: config (list/get only), run/run-script (test/test:* only).

### `npx`

Whitelisted packages only: eslint, @herb-tools/linter, karma. Guarded: tsc (requires --noEmit). Skips flags: --yes/-y/--no/--package/-p.

### `nvm`

Allowed: ls, list, current, which, version, --version, ls-remote.

### `ollama`

Allowed: list, show, ps. Denied: run, pull, rm, create, serve, push, cp.

### `pip / pip3`

Read-only: list, show, freeze, check, index, debug, inspect, help. Guarded: config (list/get only).

### `pkgutil`

Allowed: --pkgs/--packages, --pkgs-plist, --files, --export-plist, --pkg-info, --pkg-groups, --groups, --group-pkgs, --file-info, --payload-files, --check-signature. Denied: --forget, --learn, --expand, --flatten.

### `plutil`

Allowed: -lint, -p, -type, -help. Denied: -convert, -insert, -replace, -remove, -create.

### `pnpm`

Allowed: list, why, audit, outdated, --version.

### `poetry`

Allowed: show, check, --version. Multi-word: env info/list.

### `pyenv`

Allowed: versions, version, which, root, shims, --version, help.

### `rbenv`

Allowed: versions, version, which, root, shims, --version, help.

### `rustup`

Allowed: show, which, doc, --version. Multi-word: component/target/toolchain list.

### `security`

Allowed: find-identity, find-certificate, find-generic-password, find-internet-password, show-keychain-info, dump-keychain, list-keychains, dump-trust-settings, smartcard, verify-cert, cms.

### `sed`

Safe unless the -i/--in-place flag is present or a substitution uses the `e` flag (which executes the replacement as a shell command).

### `sort`

Safe unless -o/--output or --compress-program flag.

### `swift`

Allowed: --version, test, build. Multi-word: package describe/dump-package/show-dependencies.

### `sysctl`

Safe unless -w/--write flag or key=value assignment syntax.

### `time`

Skips -p flag, then recursively validates the inner command.

### `timeout`

Skips timeout flags (-s/--signal, -k/--kill-after, --preserve-status), then recursively validates the inner command.

### `uv`

Allowed: --version. Multi-word: pip list/show/freeze/check, tool list, python list.

### `volta`

Allowed: list, which, --version.

### `xargs`

Recursively validates the inner command. Skips xargs-specific flags (-I, -L, -n, -P, -s, -E, -d, -0, -r, -t, -p, -x).

### `xcode-select`

Allowed: -p/--print-path, -v/--version. Denied: -s/--switch, -r/--reset, --install.

### `xcodebuild`

Allowed: -version, -showsdks, -showBuildSettings, -showdestinations, -list.

### `xcrun`

Allowed: --find, --show-sdk-path, --show-sdk-version, --show-sdk-build-version, --show-sdk-platform-path, --show-sdk-platform-version, --show-toolchain-path, simctl list. Skips flags: --sdk/--toolchain (with arg), -v/-l/-n.

### `xmllint`

Safe unless the --output flag is present.

### `yarn`

Read-only: list, ls, info, why, --version. Also allowed: test, test:*.

### `yq`

Safe unless the -i/--inplace flag is present.