I built a thing. Relevant if you use Copilot or Claude Code in autopilot mode.
Copilot's hook system lets you intercept commands before they run, but it ships without any. No rules, no protection. If you don't install a hook, everything goes straight through.
I kept thinking about this after an agent ran rm -rf in one of my sessions.
So I wrote HAL. It sits in the hook, checks every command against a set of rules, and blocks the destructive ones. git reset --hard, rm -rf /, docker system prune -a that sort of thing. It knows --force is dangerous but --force-with-lease is fine. It knows rm -rf node_modules is safe but rm -rf src isn't.
You might say "I just won't use autopilot" or "I'll review each command myself." That works with one session. It doesn't work with several running in parallel.
And the thing that asks "allow Bash?" every time trains you to click yes without reading...
Also it parses commands as tokens, not strings. So git commit -m 'fix rm -rf bug' doesn't false-positive.
Rules are YAML files, not code. About 400 lines of Python total. Covers git, filesystem, Docker, AWS and Azure out of the box.
"Just use a deny list" is the other obvious response. You could. You'd need to write every rule yourself, maintain it, and accept that string-matching rm -rf will flag git commit -m 'fix rm -rf bug' as dangerous. Plus, this enables shared rules across our company’s engineers/teams
uchibeke•28m ago
Ok. This is interesting. I like how simple and lite it is. Is the goal to keep this only for coding agents?
otherland26•1h ago
Copilot's hook system lets you intercept commands before they run, but it ships without any. No rules, no protection. If you don't install a hook, everything goes straight through.
I kept thinking about this after an agent ran rm -rf in one of my sessions.
So I wrote HAL. It sits in the hook, checks every command against a set of rules, and blocks the destructive ones. git reset --hard, rm -rf /, docker system prune -a that sort of thing. It knows --force is dangerous but --force-with-lease is fine. It knows rm -rf node_modules is safe but rm -rf src isn't.
You might say "I just won't use autopilot" or "I'll review each command myself." That works with one session. It doesn't work with several running in parallel.
And the thing that asks "allow Bash?" every time trains you to click yes without reading...
Also it parses commands as tokens, not strings. So git commit -m 'fix rm -rf bug' doesn't false-positive.
Rules are YAML files, not code. About 400 lines of Python total. Covers git, filesystem, Docker, AWS and Azure out of the box.
pip install openhal && hal install
Open source, contributions welcome https://github.com/otherland/hal
otherland26•1h ago