Skip to main content

Safety Model

Kalami protects your project with three layers of defense. Each layer works independently — you can customize any without affecting the others.

Layer 1: Deny patterns (mechanical block)

17 patterns are installed by default. These are enforced by Claude Code's permission system — they block operations before they execute, not after.

.env file access (7 patterns)

Read(.env), Read(.env.*), Read(.env.local), Read(.env.production)
Edit(.env), Edit(.env.*), Edit(.env.local)

Destructive operations (4 patterns)

Bash(rm -rf /), Bash(rm -rf ~), Bash(rm -rf .), Bash(rm -rf *)

Git force operations (3 patterns)

Bash(git push --force*), Bash(git push -f*), Bash(git reset --hard*)

Privileged access (3 patterns)

Bash(sudo *), Read(~/.ssh/*), Read(~/.aws/*)

Removing a pattern

npx kalami allow .env         # Remove all .env deny patterns
npx kalami allow force-push   # Allow force push

Layer 2: Verify chain (quality gate)

Kalami auto-detects your project's quality commands and enforces them before every git commit and git push:

  1. Typecheck — e.g., npx tsc --noEmit
  2. Lint — e.g., npm run lint
  3. Test — e.g., npm test
  4. Build — e.g., npm run build

If any check fails, the commit or push is blocked. Fix the issue, then try again.

These commands are detected during install and stored in .kalami/config.json.

Layer 3: Harden (upgrade mechanism)

When a prose rule isn't enough — the same pattern keeps getting violated — you can upgrade it to a mechanical deny:

npx kalami harden force-push    # 100% enforcement, no AI judgment
npx kalami unharden force-push  # Revert to prose-only

Available recipes (8)

RecipeWhat it blocks
.envRead/Edit all .env files
npmnpm install, ci, run, exec
force-pushgit push --force, -f, --force-with-lease
rm-rfAll rm -rf commands
sudoAll sudo commands
hard-resetgit reset --hard
sshRead/Edit ~/.ssh/*
awsRead/Edit AWS credentials and config

Upgrade suggestions

npx kalami status detects patterns violated 3+ times and suggests hardening:

Upgrade available:
  npx kalami harden force-push  (violated 4 times)

How the layers work together

Claude wants to run a command

  ├─ Deny pattern match? → BLOCKED (Layer 1)

  ├─ git commit/push? → Run verify chain
  │     └─ Any check fails? → BLOCKED (Layer 2)

  └─ Prose rules in context
        └─ AI uses judgment (but can be wrong)
              └─ Violated 3+ times? → Suggest harden (Layer 3)

Layer 1 is mechanical (100%). Layer 2 is quality-based. Layer 3 is how you promote rules from "AI judgment" to "mechanical enforcement" when judgment isn't enough.