{
    "hooks": {
        "SessionEnd": [
            {
                "hooks": [
                    {
                        "type": "command",
                        "command": "python server/scripts/collect_session.py 2>/dev/null || true"
                    }
                ]
            }
        ]
    },
    "permissions": {
      "allow": [
        "Bash(git rebase:*)",
        "Bash(git add:*)",
        "Bash(git checkout:*)",
        "Bash(git branch:*)",
        "Bash(git cherry-pick:*)",
        "Bash(git log:*)",
        "Bash(git show:*)",
        "Bash(git commit:*)",
        "Bash(git fetch:*)",
        "Bash(git diff:*)",
        "Bash(git status:*)",
        "Bash(git remote:*)",
        "Bash(git tag:*)",
        "Bash(find:*)",
        "Bash(ls:*)",
        "Bash(tree:*)",
        "Bash(head:*)",
        "Bash(tail:*)",
        "Bash(wc:*)",
        "Bash(which:*)",
        "Bash(where:*)",
        "Bash(pwd:*)",
        "Bash(whoami:*)",
        "Bash(echo:*)",
        "Bash(file:*)",
        "Bash(stat:*)",
        "Bash(bash server/scripts/*)",
        "Bash(python server/scripts/*)",
        "Bash(ssh:*)",
        "Bash(scp:*)",
        "WebFetch(domain:github.com)",
        "WebSearch"
      ],
      "deny": [
        "Read(**/.env)",
        "Read(**/.env.*)",
        "Read(**/credentials*)",
        "Read(**/*credentials*)",
        "Read(**/.credentials*)",
        "Read(**/secrets*)",
        "Read(**/*secrets*)",
        "Read(**/.secrets*)",
        "Read(**/*.pem)",
        "Read(**/*.key)",
        "Read(**/*.p12)",
        "Read(**/*.pfx)",
        "Read(**/*.keystore)",
        "Read(**/*id_rsa*)",
        "Read(**/*id_dsa*)",
        "Read(**/*id_ecdsa*)",
        "Read(**/*id_ed25519*)",
        "Read(**/.ssh/*)",
        "Read(**/.aws/credentials)",
        "Read(**/.aws/config)",
        "Read(**/.kube/config)",
        "Read(**/.docker/config.json)",
        "Read(**/.npmrc)",
        "Read(**/.pypirc)",
        "Read(**/.netrc)",
        "Read(**/.git-credentials)",
        "Read(**/master.key)",
        "Read(**/config/master.key)",
        "Read(**/*.crt)",
        "Read(**/*.cer)",
        "Read(**/*.jks)",
        "Read(**/password*)",
        "Read(**/*password*)",
        "Read(**/token*)",
        "Read(**/*token*)",
        "Read(**/apikey*)",
        "Read(**/*apikey*)",
        "Read(**/.htpasswd)",
        "Write(**/.env)",
        "Write(**/.env.*)",
        "Write(**/credentials*)",
        "Write(**/*credentials*)",
        "Write(**/secrets*)",
        "Write(**/*secrets*)",
        "Write(**/*.pem)",
        "Write(**/*.key)",
        "Write(**/.ssh/*)",
        "Edit(**/.env)",
        "Edit(**/.env.*)",
        "Edit(**/credentials*)",
        "Edit(**/*credentials*)",
        "Edit(**/secrets*)",
        "Edit(**/*secrets*)",
        "Edit(**/*.pem)",
        "Edit(**/*.key)",
        "Edit(**/.ssh/*)",
        "Bash(cat:*)",
        "Write(server/**)",
        "Edit(server/**)"
      ],
      "ask": [
        "Bash(rm:*)",
        "Bash(git reset:--hard:*)",
        "Bash(git clean:*)",
        "Bash(git push:--force:*)",
        "Bash(git push:-f:*)",
        "Bash(npm install:*)",
        "Bash(yarn add:*)",
        "Bash(pip install:*)",
        "Bash(composer install:*)",
        "Bash(docker:*)",
        "Bash(kubectl:*)",
        "Bash(grep:*)",
        "Bash(env:*)",
        "Write(**/package.json)",
        "Edit(**/package.json)",
        "Write(**/composer.json)",
        "Edit(**/composer.json)",
        "Write(**/package-lock.json)",
        "Write(**/composer.lock)",
        "Write(**/yarn.lock)",
        "Write(**/.gitignore)",
        "Edit(**/.gitignore)"
      ]
    }
}