Flo
4c2226ae57
Address spec review iteration 4: config keys, match targets, launchd
Important fixes:
- Document config key resolution (allowed_executables -> executables.allowed,
mcp_allowed_servers -> names from [[mcp.servers]])
- Clarify CLAUDE_PROJECT_DIR source (derived from payload cwd field)
- MCP rules: regex match_any operates on serialized tool_input, not tool_name
- Add with_args_matching semantics (joined argument string)
Suggestions also addressed:
- Fix launchd plist: use absolute paths, note install.sh expands placeholders
- Fix launchd socket path: use $TMPDIR for per-user isolation
- Rename SECURITY_HOOKS_CONFIG -> SECURITY_HOOKS_HOME (contains both
rules/ and config/ subdirectories)
- Document directory discovery via single env var
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>