Rule Conditions
Rules are the building blocks of policies. Each rule names a field to check, an operator, and a value to compare against (the existence operators take no value). A rule is evaluated against the event that triggered the hook, so every field below refers to that event.
Available Fields
Tool Information
| Field | Description | Example Values |
|---|---|---|
| tool_name | The name of the tool being called | Bash, Edit, Write, Read |
| hook_event_name | The type of hook event | preToolUse, postToolUse |
Tool Input Fields
Access nested values using dot notation:
| Field | Description | Example |
|---|---|---|
| tool_input.command | Bash command being run | rm -rf ./tests |
| tool_input.file_path | File being accessed | /etc/passwd |
| tool_input.content | Content being written | File contents |
| tool_input.pattern | Glob pattern | **/*.ts |
Context Fields
| Field | Description | Example |
|---|---|---|
| cwd | Current working directory | /Users/dev/project |
| session_id | Current session ID | abc-123 |
Operators
String Operators
| Operator | Description | Example |
|---|---|---|
| equals | Exact match | tool_name equals "Bash" |
| not_equals | Not an exact match | tool_name not_equals "Read" |
| contains | Substring match (anywhere in the value) | tool_input.command contains "rm" |
| not_contains | Does not contain | cwd not_contains "node_modules" |
| starts_with | Prefix match | tool_input.file_path starts_with "/etc" |
| ends_with | Suffix match | tool_input.file_path ends_with ".env" |
| matches | Regex match (unanchored unless you use ^ or $) | tool_input.command matches "rm.*-rf" |
List Operators
| Operator | Description | Example |
|---|---|---|
| in | Value is in list | tool_name in ["Bash", "Edit", "Write"] |
| not_in | Value is not in list | tool_name not_in ["Read", "Glob"] |
Existence Operators
| Operator | Description | Example |
|---|---|---|
| exists | Field is present | tool_input.file_path exists |
| not_exists | Field is not present | tool_input.timeout not_exists |
Combining Rules
AND Logic
All rules must match:
tool_name equals "Bash"
AND
tool_input.command contains "rm"
AND
cwd contains "production"
OR Logic
Any rule can match:
tool_input.file_path ends_with ".env"
OR
tool_input.file_path ends_with ".secret"
OR
tool_input.file_path contains "credentials"
Nested Groups
Combine AND and OR for complex conditions:
(tool_name equals "Bash" AND tool_input.command contains "rm")
OR
(tool_name equals "Write" AND tool_input.file_path contains "config")
Common Patterns
Block Destructive Commands
tool_name equals "Bash"
AND
tool_input.command matches "(rm|rmdir|del).*(-rf|-r|-f)"
Protect Sensitive Files
tool_input.file_path matches "\.(env|secret|key|pem)$"
OR
tool_input.file_path contains "credentials"
OR
tool_input.file_path contains "password"
Restrict by Directory
cwd starts_with "/var/www/production"
AND
tool_name in ["Edit", "Write", "Bash"]
Warning
Regex patterns use standard regex syntax, and both the substring operators and unanchored regexes match anywhere in the value. tool_input.command contains "rm" also matches "perform" and "format", and the pattern (rm|rmdir|del).*(-rf|-r|-f) above matches "perform-backup --dry-run". Anchor patterns to token boundaries (for example (^|\s)rm\s) where a false positive would block legitimate work, and if your rules are stored as JSON remember that backslashes must be doubled ("\\." for a literal dot). Test every pattern against commands you want to block and commands you want to allow before relying on it.