91911973d6691c20817e9ce73bfaa8dcaa0b63d2
Critical:
- Add Bash Parser Strategy section with 3 options (bash Hex, tree-sitter, shlex) and validation plan for adversarial inputs
- Fix evaluation order: explicitly document strategy-grouped (regex first, then AST) rather than claiming pure file order

Important:
- Define reads_file, writes_file, sets_env detection semantics
- Define validator module behaviour/callback interface
- Add dual timeouts: 200ms steady-state, 3000ms cold start
- Define config.local.toml merge semantics for MCP servers (by name)
- Reframe "non-evasible" regex rules as "common pattern" detection
- Add XDG_RUNTIME_DIR unset fallback (/tmp/security-hooks-$UID/)
- Add match_server_not_in for MCP rules (clearer than overloading match_base_command_not_in)
- Add complete edit.rules and mcp.rules DSL examples

Suggestions:
- Add CLI commands: status, test, reload, log
- Note Burrito binary size expectations in parser strategy section

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Description: unified security rules for coding agents
Languages: Markdown 100%