Address spec review iteration 3: parser strategy, semantics, examples
Critical:
- Add Bash Parser Strategy section with 3 options (bash Hex, tree-sitter,
shlex) and validation plan for adversarial inputs
- Fix evaluation order: explicitly document strategy-grouped (regex first,
then AST) rather than claiming pure file order
Important:
- Define reads_file, writes_file, sets_env detection semantics
- Define validator module behaviour/callback interface
- Add dual timeouts: 200ms steady-state, 3000ms cold start
- Define config.local.toml merge semantics for MCP servers (by name)
- Reframe "non-evasible" regex rules as "common pattern" detection
- Add XDG_RUNTIME_DIR unset fallback (/tmp/security-hooks-$UID/)
- Add match_server_not_in for MCP rules (clearer than overloading
match_base_command_not_in)
- Add complete edit.rules and mcp.rules DSL examples
Suggestions:
- Add CLI commands: status, test, reload, log
- Note Burrito binary size expectations in parser strategy section
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
91911973d6