1.6 KiB
1.6 KiB
exc-safety
Permission gate for exc CLI commands in pi.
The same safety model that powers the Excloud console agent, now running locally in your terminal. Every exc command the LLM tries to run is classified and gated before it ever hits the wire.
How it works
| Classification | Behavior |
|---|---|
Read-only (list, get, capacity, seriallogs, metrics, health, localip, me, quota, version) |
✅ Runs immediately |
--help / -h |
✅ Always allowed — never hits the API |
Mutating (create, update, exec, scp, resize, …) |
⚠️ Confirmed in strict mode; auto-allowed in relaxed |
Destructive (delete, terminate, release, revoke, disassociate, unprotect, remove) |
🔴 Always confirmed |
The allowlist is the same set used by the Excloud agent backend — union of every read-only verb from the live OpenAPI surface plus CLI-only commands.
Safety modes
Toggle at any time with /exc-safety:
| Mode | Behavior |
|---|---|
relaxed (default) |
Only destructive commands require confirmation |
strict |
Every mutating command requires confirmation |
off |
No interception — all commands pass through |
Install as a pi package
pi install git:git.excloud.dev/excloud-in/exc-safety
Or project-local (committed with your team's .pi/settings.json):
pi install -l git:git.excloud.dev/excloud-in/exc-safety
Uninstall
pi uninstall git:git.excloud.dev/excloud-in/exc-safety
Add -l if installed project-locally. Then run /reload in pi.
License
MIT — see LICENSE.