Default posture
There are two postures, depending on whether the write targets an app, repo, or storage (with a known scope) or the computer’s raw filesystem. Out of the box, Kazzle ships with sensible defaults so the AI works immediately.

| Category | Default | Effect |
|---|---|---|
| Terminal commands | * allow | All commands allowed, with exceptions |
| Browser domains | * allow | All domains allowed |
| File paths (app/repo) | allow | Writes are scoped, always allowed |
| File paths (computer) | /workspace/* allow | Only workspace paths, everything else blocked |
| Sensitive patterns | block | .env*, .ssh/*, *.pem, *.key blocked everywhere |
| Destructive tools | ask | Delete, deploy, push always need approval |
| Safety tools | ask (always, one-off only) | Cannot be auto-approved via “Always allow” |
/workspace/*.
Four categories
Terminal commands
Rules match by command prefix. git push matches git push origin main. The wildcard * matches everything.
Default exceptions that require approval: git push, sudo, curl, wget. Default block: git push --force.
Browser domains
Rules match by domain. *.github.com matches api.github.com. The wildcard * matches all domains.
File paths
Rules match by glob pattern. /workspace/* matches any file inside workspace. *.pem matches certificate files anywhere.
Default blocks: .env*, .ssh/*, *.pem, *.key. These are blocked even inside workspace.
File path rules can be scoped to a specific computer. A rule with “All computers” applies everywhere. A rule scoped to one computer only applies when the AI is working on that machine. Computer-specific rules take priority over global ones.
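The terminal command and file path defaults above, worked through as an added example (not Kazzle's own code). The function names are hypothetical, and three behaviours are assumptions the page does not state: the longest matching command prefix wins, prefixes are compared as whole tokens, and paths are normalized before glob matching.

```python
import posixpath
from fnmatch import fnmatchcase

# Defaults copied from the page; rule precedence below is an assumption.
COMMAND_RULES = {
    "*": "allow",
    "git push": "ask", "sudo": "ask", "curl": "ask", "wget": "ask",
    "git push --force": "block",
}
SENSITIVE = [".env*", ".ssh/*", "*.pem", "*.key"]   # blocked everywhere
COMPUTER_ALLOW = ["/workspace/*"]                    # computer file paths


def check_command(command: str) -> str:
    """Return allow/ask/block; the longest matching prefix wins (assumed)."""
    tokens = command.split()
    best_len, decision = -1, "block"
    for prefix, verdict in COMMAND_RULES.items():
        want = [] if prefix == "*" else prefix.split()
        # Compare whole tokens so "sudo" does not match "sudoku".
        if tokens[:len(want)] == want and len(want) > best_len:
            best_len, decision = len(want), verdict
    return decision


def check_path(path: str) -> str:
    """Return allow/block for a write to the computer's filesystem."""
    norm = posixpath.normpath(path)   # collapse "../" before matching
    parts = norm.strip("/").split("/")
    # Every trailing sub-path, so ".ssh/*" matches at any depth.
    tails = ["/".join(parts[i:]) for i in range(len(parts))]
    if any(fnmatchcase(t, pat) for t in tails for pat in SENSITIVE):
        return "block"                # sensitive patterns beat workspace allow
    if any(fnmatchcase(norm, pat) for pat in COMPUTER_ALLOW):
        return "allow"
    return "block"                    # everything outside workspace


if __name__ == "__main__":
    # Constructed sample inputs.
    for cmd in ["git status", "git push origin main",
                "git push --force origin main", "sudoku --solve"]:
        print(f"{check_command(cmd):5}  {cmd}")
    for p in ["/workspace/src/app.py", "/workspace/.env.local",
              "/workspace/deploy/.ssh/id_ed25519", "/workspace/../etc/hosts"]:
        print(f"{check_path(p):5}  {p}")
```

Normalization here is lexical only; symlinks inside the workspace are not resolved.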
Tool approvals
Individual tools can be set to allow, ask, or block. Destructive tools like app_delete, drive_delete, database_delete, and database_query default to ask.