bashToolPatterns:
  - pattern: '\brm\s+(-[^\s]*)*-[rRf]'
    reason: rm with recursive or force flags
  - pattern: '\bsudo\s+rm\b'
    reason: sudo rm
  - pattern: '\bgit\s+reset\s+--hard\b'
    reason: git reset --hard (use --soft or stash)
  - pattern: '\bgit\s+clean\s+(-[^\s]*)*-[fd]'
    reason: git clean with force/directory flags
  - pattern: '\bgit\s+push\s+.*--force(?!-with-lease)'
    reason: git push --force (use --force-with-lease)
  - pattern: '\bgit\s+push\s+(-[^\s]*)*-f\b'
    reason: git push -f (use --force-with-lease)
  - pattern: '\bgit\s+stash\s+clear\b'
    reason: git stash clear (deletes ALL stashes)
  - pattern: '\bgit\s+filter-branch\b'
    reason: git filter-branch (rewrites entire history)
  - pattern: '\bgit\s+checkout\s+--\s*\.'
    reason: Discards all uncommitted changes
    ask: true
  - pattern: '\bgit\s+branch\s+(-[^\s]*)*-D'
    reason: Force deletes branch (even if unmerged)
    ask: true
  - pattern: 'DELETE\s+FROM\s+\w+\s*;'
    reason: DELETE without WHERE clause
  - pattern: '\bTRUNCATE\s+TABLE\b'
    reason: TRUNCATE TABLE
  - pattern: '\bDROP\s+TABLE\b'
    reason: DROP TABLE
  - pattern: '\bDROP\s+DATABASE\b'
    reason: DROP DATABASE

zeroAccessPaths:
  - ".env"
  - ".env.local"
  - ".env.production"
  - "~/.ssh/"
  - "~/.aws/"
  - "*.pem"
  - "*.key"
  - "*.tfstate"

readOnlyPaths:
  - /etc/
  - /usr/
  - "package-lock.json"
  - "bun.lockb"
  - "yarn.lock"
  - node_modules/
  - dist/
  - build/

noDeletePaths:
  - .git/
  - .gitignore
  - LICENSE
  - README.md
  - features.md
  - .hive/