logoalt Hacker News

julesrmstoday at 8:45 PM0 repliesview on HN

The default mode it uses for approving LLM tools is already read-only - it has a quite complicated (but conservative) bash parser that tries to let things that are definitely read-only get approved without bothering the user. It also has a tool for exploring the codebase where the LLM provides javascript code that runs in a sandbox with a read-only filesystem class.

But the architecture is such that this core functionality is just a plugin, and anyone can write their own custom approval filter plugin, and make it do whatever you want