Filesystem
Read-only and inspection shell commands: directory listing, file viewing, and text processing. Mutating commands (rm, mv, chmod, ...) are deliberately excluded, and the destructive flags of find and sed are guarded.
.claude/fencepost.yaml
import:
- filesystem
Full preset
presets/filesystem.yaml
# Fencepost preset: filesystem
meta:
  title: Filesystem
  description: >-
    Read-only and inspection shell commands: directory listing, file viewing,
    and text processing. Mutating commands (rm, mv, chmod, ...) are
    deliberately excluded, and the destructive flags of find and sed are
    guarded.
tools:
  bash:
    checks:
      - test: '\bfind\b.*\s-(delete|exec|execdir|ok|okdir)\b'
        description: "find with -delete or -exec runs destructive actions across every match."
        alternative: "List matches first (find ... -print), then act on the specific paths you mean."
      - test: '\bsed\b.*\s(-i|--in-place)\b'
        description: "sed -i edits files in place."
        alternative: "Run sed without -i to preview the output, then write the result explicitly."
    # Limitation: this is prefix matching, and shell output redirection (>, >>)
    # is NOT parsed. `echo x > /etc/hosts` would still match the `echo` allow
    # and write a file. Keep destructive-write rules in place if that matters.
    allow:
      # Navigation / listing
      - ls
      - pwd
      - cd
      - tree
      - find
      - du
      - df
      - realpath
      - readlink
      - basename
      - dirname
      # Viewing
      - cat
      - head
      - tail
      - less
      - more
      - wc
      - stat
      - file
      - nl
      # Text processing
      - grep
      - egrep
      - fgrep
      - rg
      - diff
      - cmp
      - comm
      - sort
      - uniq
      - cut
      - tr
      - tac
      - rev
      - column
      - fold
      - fmt
      - jq
      - yq
      - awk
      - sed
      # Misc read-only info
      - echo
      - printf
      - which
      - type
      - env
      - printenv
      - date
      - hostname
      - whoami
      - id
      - uname
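
The limitation noted in the preset's comment can be seen by modelling the rules. The following is an added example, not Fencepost's own code: a simplified Python model of the two checks and the allow list, with an optional redirection guard. The evaluation order, the first-word matching, and the names `evaluate`, `has_redirect` and `guard_redirects` are assumptions made for illustration.

```python
import re
import shlex

# Regexes copied verbatim from the preset's `checks` entries.
CHECKS = [
    (re.compile(r'\bfind\b.*\s-(delete|exec|execdir|ok|okdir)\b'), "find destructive action"),
    (re.compile(r'\bsed\b.*\s(-i|--in-place)\b'), "sed in-place edit"),
]
# Subset of the preset's allow list, enough for the sample commands.
ALLOW = {"ls", "cat", "find", "sed", "echo", "grep"}


def has_redirect(cmd):
    """Hypothetical extra guard: True if an unquoted '>' operator is present."""
    lex = shlex.shlex(cmd, punctuation_chars=True)  # non-POSIX: quotes stay in tokens
    lex.whitespace_split = True
    try:
        # Operator tokens consist only of shell punctuation; quoted text does not.
        return any(">" in tok and tok.strip("<>&|;()") == "" for tok in lex)
    except ValueError:
        return True  # unbalanced quotes: fail closed


def evaluate(cmd, guard_redirects=False):
    """Assumed model: checks run first, then the first word is matched against allow."""
    for rx, why in CHECKS:
        if rx.search(cmd):
            return "blocked: " + why
    if guard_redirects and has_redirect(cmd):
        return "blocked: output redirection"
    first = (cmd.split() or [""])[0]
    return "allowed" if first in ALLOW else "not allowed"


if __name__ == "__main__":
    # Constructed sample commands; the echo line is the one from the preset comment.
    for sample in [
        "find . -name '*.log' -print",
        "find . -name '*.log' -delete",
        "sed -i 's/a/b/' notes.txt",
        "rm -rf build",
        "echo x > /etc/hosts",
        'echo "a > b"',
    ]:
        print(f"{sample!r:34} default={evaluate(sample)!r:30} "
              f"guarded={evaluate(sample, guard_redirects=True)!r}")
```

With the default rules the `echo x > /etc/hosts` line is allowed; only the added guard blocks it, while the quoted `"a > b"` argument still passes.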