Default posture
Everything is blocked by default. Rules are allowlists - they open access. Out of the box, Kazzle ships with sensible defaults so the AI works immediately.

| Category | Default | Effect |
|---|---|---|
| Terminal commands | * allow | All commands allowed, with exceptions |
| Browser domains | * allow | All domains allowed |
| File paths | /workspace/* allow | Only workspace files, nothing else |
| Destructive tools | ask | Delete, deploy, push always need approval |
Four categories
Terminal commands
Rules match by command prefix. git push matches git push origin main. The wildcard * matches everything.
Default exceptions that require approval: git push, sudo, curl, wget. Default block: git push --force.
Browser domains
Rules match by domain. *.github.com matches api.github.com. The wildcard * matches all domains.
File paths
Rules match by glob pattern. /workspace/* matches any file inside workspace. *.pem matches certificate files anywhere.
Default blocks: .env*, .ssh/*, *.pem, *.key. These are blocked even inside workspace.
File path rules can be scoped to a specific computer. A rule with “All computers” applies everywhere. A rule scoped to one computer only applies when the AI is working on that machine. Computer-specific rules take priority over global ones.
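The matching described under Terminal commands and File paths, modelled in Python as an added example (not Kazzle's own code). It assumes the longest matching command prefix wins, that the strictest action wins within one scope, and that a glob without a leading "/" may match at any depth; the page states none of these, and the computer name build-01 and the /srv/data/* rule are hypothetical.

```python
from fnmatch import fnmatchcase

# Constructed rule sets mirroring the defaults described on this page.
# Path tuples are (pattern, action, computer); None means "All computers".
COMMAND_RULES = [("*", "allow"), ("git push", "ask"), ("sudo", "ask"),
                 ("curl", "ask"), ("wget", "ask"), ("git push --force", "block")]
PATH_RULES = [("/workspace/*", "allow", None), (".env*", "block", None),
              (".ssh/*", "block", None), ("*.pem", "block", None),
              ("*.key", "block", None),
              # Hypothetical computer-scoped rule, not a Kazzle default.
              ("/srv/data/*", "allow", "build-01")]
STRICTNESS = {"allow": 0, "ask": 1, "block": 2}

def check_command(command, rules=COMMAND_RULES):
    """Prefix match. Assumption: the longest matching prefix wins."""
    best_len, decision = -1, "block"          # nothing matched: blocked
    for prefix, action in rules:
        if prefix != "*" and not command.startswith(prefix):
            continue
        length = 0 if prefix == "*" else len(prefix)
        if length > best_len:
            best_len, decision = length, action
    return decision

def _glob_match(path, pattern):
    # Assumption: a pattern without a leading "/" may match at any depth.
    return fnmatchcase(path, pattern) or (
        not pattern.startswith("/") and fnmatchcase(path, "*/" + pattern))

def check_path(path, computer, rules=PATH_RULES):
    """Computer-scoped rules are consulted first, then global ones.
    Assumption: within one scope the strictest matching action wins."""
    for scope in (computer, None):
        hits = [action for pattern, action, comp in rules
                if comp == scope and _glob_match(path, pattern)]
        if hits:
            return max(hits, key=STRICTNESS.get)
    return "block"                            # default posture: no rule, no access

if __name__ == "__main__":
    for cmd in ("ls -la", "git push origin main", "git push --force"):
        print(f"{cmd!r:28} -> {check_command(cmd)}")
    for p in ("/workspace/src/app.py", "/workspace/.env", "/etc/passwd"):
        print(f"{p!r:28} -> {check_path(p, None)}")
```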
Tool approvals
Individual tools can be set to allow, ask, or block. Destructive tools like app_delete, drive_delete, delete_database, and query_database default to ask.