Skip to main content
Source: command-whitelist/ This example uses a PreToolUse hook to enforce a strict allowlist of shell commands. Any command not on the list is blocked before execution. This is the whitelist approach: deny everything by default, allow only what you explicitly approve.

Allowed Commands

The bundled strict-mode plugin permits only these read-only operations:
CategoryCommands
File operationsls, cat, head, tail, file
Search & filtergrep, find, wc
System infopwd, whoami, date, uname, df, du, stat
Utilitiesecho, which, env, printenv, history, tree
Everything else — pip, npm, rm, git, curl, and anything else — is blocked.

How It Works

The hook extracts the command name from the tool invocation JSON, checks it against the approved list, and denies it if not found:
input=$(cat)
# Extract first word of the command (the binary name)
cmd=$(printf '%s' "$input" \
    | grep -o '"command"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | head -1 | sed 's/.*: *"//' | sed 's/"$//' \
    | awk '{print $1}' | sed 's|.*/||')

# Check against the approved list
case "$cmd" in
    ls|cat|head|tail|file|grep|find|wc|pwd|whoami|date|uname|df|du|stat|echo|which|env|printenv|history|tree)
        exit 0  # Allow
        ;;
    *)
        printf '{"decision": "deny", "reason": "🚫 Command '\''%s'\'' is not in the approved list."}\n' "$cmd"
        exit 2  # Block
        ;;
esac
The hook lives in strict-mode/.

Try It

cd ../load-plugin

# This will be blocked (pip is not on the whitelist)
python load_plugin.py \
  --repo-path command-whitelist/strict-mode \
  --message "Install the requests package"

# This will be allowed (ls is on the whitelist)
python load_plugin.py \
  --repo-path command-whitelist/strict-mode \
  --message "List all Python files in the current directory"

Customizing the Allowlist

Edit the case statement in hooks/hooks.json to add commands for your use case:
# Add git read operations to the allowlist
ls|cat|head|tail|file|grep|find|wc|pwd|whoami|date|uname|df|du|stat|echo|which|env|printenv|history|tree|git)
    exit 0
    ;;

When to Use Whitelisting

Use caseRecommendation
General development workBlacklist — fewer blocked operations
Read-only exploration or analysisWhitelist — agent can only inspect, never modify
Regulated environmentsWhitelist — explicit control over every permitted action
Shared/multi-tenant setupsWorkspace Isolation combined with either approach

See Also

  • Command Blacklist — Block specific dangerous commands while allowing everything else
  • Workspace Isolation — Enforce directory boundaries regardless of which commands are used
  • Hooks — Full hooks documentation