Ansible

Normalises inventory and connection flags so rules match regardless of target, allows read-only and dry-run tooling, and asks before runs that change remote state.

.claude/fencepost.yaml
import:
  - ansible

Full preset

presets/ansible.yaml
# Fencepost preset: ansible

meta:
  title: Ansible
  description: >-
    Normalises inventory and connection flags so rules match regardless of
    target, allows read-only and dry-run tooling, and asks before runs that
    change remote state.

tools:
  bash:
    normalise:
      - prefix: ansible-playbook
        strip:
          - '-i \S+'
          - '--inventory[= ]\S+'
          - '-l \S+'
          - '--limit[= ]\S+'
          - '-u \S+'
          - '--user[= ]\S+'
          - '--private-key[= ]\S+'
          - '--vault-password-file[= ]\S+'
      - prefix: ansible
        strip:
          - '-i \S+'
          - '--inventory[= ]\S+'
          - '-l \S+'
          - '--limit[= ]\S+'
          - '-u \S+'

    checks:
      - test: 'ansible(-playbook)?\b.*-m\s+(shell|command|raw|script)\b'
        description: "Ad-hoc shell/command/raw modules run arbitrary commands on remote hosts."
        alternative: "Use a purpose-built module (e.g. ansible.builtin.copy, service, package) or run the specific command outside fencepost."

    ask:
      - ansible-playbook
      - ansible-pull
      - ansible-vault

    # Note: playbook dry-runs (--check, --syntax-check, --list-*) are not
    # allow-listed here. Because tier precedence is deny > ask > allow, the
    # broad `ansible-playbook` ask entry above would shadow them anyway, so
    # they intentionally fall through to ask.
    allow:
      - ansible-doc
      - ansible-config
      - ansible-inventory
      - ansible-galaxy
      - ansible-lint
      - ansible --version
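As an added example (not Fencepost's own code), a small Python evaluator that walks a bash command through this preset's rules: it strips the normalise patterns for a matching prefix, runs the check regex, then picks a tier with deny > ask > allow, which is why a `--check` dry-run still lands in ask. Assumptions: a prefix or an ask/allow entry matches when the normalised command equals it or starts with it followed by a space, a failed check counts as the deny tier, and a command matching nothing gets no verdict from this preset.

```python
import re

# Rule tables copied from the preset above; how they are matched is an
# assumption for this example, not Fencepost's documented behaviour.
NORMALISE = {
    "ansible-playbook": [
        r"-i \S+", r"--inventory[= ]\S+", r"-l \S+", r"--limit[= ]\S+",
        r"-u \S+", r"--user[= ]\S+", r"--private-key[= ]\S+",
        r"--vault-password-file[= ]\S+",
    ],
    "ansible": [r"-i \S+", r"--inventory[= ]\S+", r"-l \S+", r"--limit[= ]\S+", r"-u \S+"],
}
CHECKS = [(
    r"ansible(-playbook)?\b.*-m\s+(shell|command|raw|script)\b",
    "Use a purpose-built module (e.g. ansible.builtin.copy, service, package) "
    "or run the specific command outside fencepost.",
)]
ASK = ["ansible-playbook", "ansible-pull", "ansible-vault"]
ALLOW = ["ansible-doc", "ansible-config", "ansible-inventory", "ansible-galaxy",
         "ansible-lint", "ansible --version"]

def _has_prefix(entry, cmd):
    # Assumption: an entry matches the whole command or its leading words.
    return cmd == entry or cmd.startswith(entry + " ")

def normalise(cmd):
    """Strip target/connection flags so the tiers below see the same command
    regardless of inventory, limit, user or key file."""
    for prefix, patterns in NORMALISE.items():
        if _has_prefix(prefix, cmd):
            for pat in patterns:
                cmd = re.sub(pat, "", cmd)
            break
    return " ".join(cmd.split())  # collapse the gaps left by stripping

def evaluate(cmd):
    """Return (tier, normalised_command, alternative); precedence deny > ask > allow."""
    norm = normalise(cmd)
    for test, alternative in CHECKS:  # assumption: a failed check is the deny tier
        if re.search(test, norm):
            return "deny", norm, alternative
    if any(_has_prefix(e, norm) for e in ASK):
        return "ask", norm, ""
    if any(_has_prefix(e, norm) for e in ALLOW):
        return "allow", norm, ""
    return "none", norm, ""  # assumption: nothing matched, preset gives no verdict
```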