{
  "workspaceRoots": [
    "."
  ],
  "requireAbsolutePathForRecursiveDelete": true,
  "requireAbsolutePathForFindDelete": true,
  "confirmSensitiveReads": true,
  "confirmSensitiveWrites": true,
  "confirmWritesOutsideWorkspace": true,
  "soundEnabled": true,
  "soundConfirmEnabled": true,
  "soundBlockEnabled": true,
  "soundRefineEnabled": true,
  "soundPlayer": "auto",
  "sensitivePathGlobs": [
    "~/.ssh/**",
    "~/.aws/**",
    "~/.config/gcloud/**",
    "~/.azure/**",
    "~/.gnupg/**",
    "~/.pi/**",
    "**/.env",
    "**/.env.*",
    "**/*.pem",
    "**/*.key",
    "**/.netrc",
    "**/.git-credentials",
    "~/.bashrc",
    "~/.zshrc",
    "~/.profile",
    "~/.bash_profile"
  ],
  "overrides": [
    {
      "id": "allow-known-service-restart",
      "tool": "bash",
      "commandRegex": "^sudo systemctl restart my-safe-service$",
      "action": "allow",
      "reason": "Known maintenance command explicitly allowlisted by the operator."
    },
    {
      "id": "confirm-specific-ssh-host",
      "tool": "bash",
      "commandRegex": "^ssh deploy@staging\\b",
      "action": "confirm",
      "reason": "Remote access to staging should still be reviewed interactively."
    },
    {
      "id": "refine-ambiguous-rm",
      "tool": "bash",
      "commandRegex": "\\brm\\b.*\\*",
      "action": "refine",
      "reason": "Wildcard deletes must be replaced with an explicit full path.",
      "suggest": "Use an absolute path such as /full/path/to/target and, if needed, preview with find before deleting."
    }
  ]
}