{
  "permissions": {
    "allow": [
      "Read(.env.example)",
      "Read(**/.env.example)"
    ],
    "deny": [
      "Bash(*git commit*)",
      "Bash(*git push*)",
      "Bash(*sudo *)",
      "Bash(*mkfs*)",
      "Bash(*dd if=*)",
      "Bash(*git reset --hard*)",
      "Read(**/.env*)",
      "Edit(**/.env*)",
      "Write(**/.env*)",
      "Read(**/secrets/**)",
      "Read(**/*.pem)",
      "Read(**/*.key)",
      "Read(**/.ssh/**)",
      "Read(**/.aws/**)",
      "Read(**/.docker/config.json)",
      "Read(**/.gnupg/**)",
      "Read(**/.npmrc)",
      "Read(**/.pypirc)",
      "Read(**/*.pfx)",
      "Read(**/credentials*)",
      "Read(**/.kube/config)",
      "Write(**/secrets/**)",
      "Write(**/*.pem)",
      "Write(**/*.key)",
      "Write(**/.ssh/**)",
      "Write(**/.aws/**)",
      "Write(**/.docker/config.json)",
      "Write(**/.gnupg/**)",
      "Write(**/.npmrc)",
      "Write(**/.pypirc)",
      "Write(**/*.pfx)",
      "Write(**/credentials*)",
      "Write(**/.kube/config)",
      "Edit(**/secrets/**)",
      "Edit(**/*.pem)",
      "Edit(**/*.key)",
      "Edit(**/.ssh/**)",
      "Edit(**/.aws/**)",
      "Edit(**/.docker/config.json)",
      "Edit(**/.gnupg/**)",
      "Edit(**/.npmrc)",
      "Edit(**/.pypirc)",
      "Edit(**/*.pfx)",
      "Edit(**/credentials*)",
      "Edit(**/.kube/config)"
    ]
  },
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          {
            "type": "command",
            "command": "bash -c 'root=\"$(git rev-parse --show-toplevel 2>/dev/null || true)\"; [ -f \"$root/.goat-flow/hooks/deny-dangerous.sh\" ] || root=\"${CLAUDE_PROJECT_DIR:-}\"; [ -f \"$root/.goat-flow/hooks/deny-dangerous.sh\" ] || { printf '\\''BLOCKED: Policy hook unavailable: git repository root unavailable.\\n'\\'' >&2; exit 2; }; cd \"$root\" || { printf '\\''BLOCKED: Policy hook unavailable: git repository root unavailable.\\n'\\'' >&2; exit 2; }; bash \"$root/.goat-flow/hooks/deny-dangerous.sh\"'"
          }
        ]
      }
    ]
  }
}