Small Go library/CLI for classifying and running proven read-only shell commands.
- Classifies a narrow allowlist of read-only bash commands.
- Returns
askfor unknown, mutating, network-capable, or hard-to-parse commands. - Creates single-use approvals for safe commands.
- Runs approved commands through a hardened no-arg runner.
readonly-bash classify < request.json
readonly-bash prepare < request.json
readonly-bash run --config ./readonly-bash.jsonreadonly-bash-runner is the no-arg runner mode, intended for host integrations that need one exact allowlisted command.
inputs.readonly-bash.url = "github:blackhat-7/readonly-bash";Use inputs.readonly-bash.lib.mkPackage { inherit pkgs; defaultConfigPath = "/path/to/config.json"; } to bake a default runner config path.