fix: two policy bugs + refresh example config for v1 release

core.ts:
- fix review-git-push regex: literal space → \s+ so "git  push" can't bypass
- fix getConfig(): environments block was always hardcoded {} and never merged
  from global/project config files; now applyLayer() accumulates environments
  correctly so strict-mode env overrides actually work

examples/node9.config.json.example:
- remove dangerousWords that caused false positives; keep only mkfs + shred
  (catastrophic, unambiguous — everything else handled by smartRules)
- add enterplanmode/enterworktree/exitworktree to ignoredTools
- add execute_query, query, mcp__postgres__*, mcp__github__* to toolInspection
- fix allow-readonly-bash regex: "npm run(build|test)" → "npm run (build|test)"
  (was matching "runbuild"/"runtest" instead of "run build"/"run test")
- remove smartRules already covered by built-in defaults:
  review-delete-without-where, block-force-push, block-drop-database, review-sudo
- remove "push"/"git" rules entries (match tool *names*, never fire for bash)
- remove non-functional environments block (was silently ignored until above fix)
- add approvalTimeoutMs:30000, version:"1.0", expanded snapshot.tools + ignorePaths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: nawi-25

examples/node9.config.json.example

@@ -1,96 +1,92 @@
 {
+  "version": "1.0",
   "settings": {
     "mode": "standard",
-    "environment": "production",
     "autoStartDaemon": true,
     "enableUndo": true,
     "enableHookLogDebug": false,
-    "approvers": {
-      "native": true,
-      "browser": false,
-      "cloud": false,
-      "terminal": true
-    }
+    "approvalTimeoutMs": 30000,
+    "approvers": { "native": true, "browser": true, "cloud": true, "terminal": true }
   },
   "policy": {
     "sandboxPaths": ["/tmp/**", "**/sandbox/**", "**/test-results/**"],
 
-    "dangerousWords": [
-      "drop",
-      "truncate",
-      "purge",
-      "format",
-      "destroy",
-      "terminate",
-      "revoke",
-      "docker",
-      "psql",
-      "rmdir",
-      "delete",
-      "alter",
-      "grant",
-      "rm"
-    ],
+    "dangerousWords": ["mkfs", "shred"],
 
     "ignoredTools": [
-      "list_*",
-      "get_*",
-      "read_*",
-      "describe_*",
-      "read",
-      "glob",
-      "grep",
-      "ls",
-      "notebookread",
-      "webfetch",
-      "websearch",
-      "exitplanmode",
-      "askuserquestion",
-      "agent",
-      "task*",
-      "toolsearch",
-      "mcp__ide__*",
-      "getDiagnostics"
+      "list_*", "get_*", "read_*", "describe_*",
+      "read", "glob", "grep", "ls", "notebookread",
+      "webfetch", "websearch",
+      "exitplanmode", "enterplanmode",
+      "enterworktree", "exitworktree",
+      "askuserquestion", "agent", "task*",
+      "toolsearch", "mcp__ide__*", "getDiagnostics"
     ],
 
     "toolInspection": {
       "bash": "command",
       "shell": "command",
       "run_shell_command": "command",
       "terminal.execute": "command",
-      "postgres:query": "sql",
       "mcp__github__*": "command",
+      "postgres:query": "sql",
+      "execute_query": "sql",
+      "query": "sql",
+      "mcp__postgres__*": "sql",
       "mcp__redis__*": "query"
     },
 
-    "rules": [
+    "smartRules": [
+      {
+        "name": "allow-readonly-bash",
+        "tool": "bash",
+        "conditions": [
+          {
+            "field": "command",
+            "op": "matches",
+            "value": "^\\s*(find|grep|rg|cat|head|tail|ls|echo|which|pwd|wc|sort|uniq|diff|du|df|stat|file|type|env|printenv|node --version|npm (list|ls|run (build|test|lint|typecheck|format))|git (log|status|diff|show|branch|remote|fetch|stash list|tag))",
+            "flags": "i"
+          }
+        ],
+        "conditionMode": "all",
+        "verdict": "allow",
+        "reason": "Read-only or safe bash command"
+      },
       {
-        "action": "rm",
-        "allowPaths": [
-          "**/node_modules/**",
-          "dist/**",
-          "build/**",
-          ".next/**",
-          ".nuxt/**",
-          "coverage/**",
-          ".cache/**",
-          "tmp/**",
-          "temp/**",
-          "**/__pycache__/**",
-          "**/.pytest_cache/**",
-          "**/*.log",
-          "**/*.tmp",
-          ".DS_Store",
-          "**/yarn.lock",
-          "**/package-lock.json",
-          "**/pnpm-lock.yaml"
-        ]
+        "name": "allow-install-devtools",
+        "tool": "bash",
+        "conditions": [
+          {
+            "field": "command",
+            "op": "matches",
+            "value": "^\\s*(npm (install|ci|update)|yarn (install|add)|pnpm (install|add))",
+            "flags": "i"
+          }
+        ],
+        "conditionMode": "all",
+        "verdict": "allow",
+        "reason": "Package install — not destructive"
+      },
+      {
+        "name": "review-secrets-write",
+        "tool": "*",
+        "conditions": [
+          {
+            "field": "file_path",
+            "op": "matches",
+            "value": "(\\.env(\\.\\w+)?$|\\.pem$|\\.key$|id_rsa|credentials\\.json|secrets?\\.json)"
+          }
+        ],
+        "conditionMode": "all",
+        "verdict": "review",
+        "reason": "Writing to secrets or credentials file"
       }
-    ]
-  },
+    ],
 
-  "environments": {
-    "production": { "requireApproval": true },
-    "development": { "requireApproval": false }
+    "snapshot": {
+      "tools": ["str_replace_based_edit_tool", "write_file", "edit_file", "create_file", "edit", "replace", "write"],
+      "onlyPaths": [],
+      "ignorePaths": ["**/node_modules/**", "dist/**", "build/**", ".next/**", "**/*.log", "**/tmp/**"]
+    }
   }
 }

src/core.ts

@@ -588,7 +588,7 @@ export const DEFAULT_CONFIG: Config = {
       {
         name: 'review-git-push',
         tool: 'bash',
-        conditions: [{ field: 'command', op: 'matches', value: '^\\s*git push\\b', flags: 'i' }],
+        conditions: [{ field: 'command', op: 'matches', value: '^\\s*git\\s+push\\b', flags: 'i' }],
         conditionMode: 'all',
         verdict: 'review',
         reason: 'git push sends changes to a shared remote',
@@ -1984,8 +1984,20 @@ export function getConfig(): Config {
       if (s.onlyPaths) mergedPolicy.snapshot.onlyPaths.push(...s.onlyPaths);
       if (s.ignorePaths) mergedPolicy.snapshot.ignorePaths.push(...s.ignorePaths);
     }
+
+    const envs = (source.environments || {}) as Record<string, unknown>;
+    for (const [envName, envConfig] of Object.entries(envs)) {
+      if (envConfig && typeof envConfig === 'object') {
+        mergedEnvironments[envName] = {
+          ...mergedEnvironments[envName],
+          ...(envConfig as Partial<EnvironmentConfig>),
+        };
+      }
+    }
   };
 
+  const mergedEnvironments: Record<string, EnvironmentConfig> = { ...DEFAULT_CONFIG.environments };
+
   applyLayer(globalConfig);
   applyLayer(projectConfig);
 
@@ -2001,7 +2013,7 @@ export function getConfig(): Config {
   cachedConfig = {
     settings: mergedSettings,
     policy: mergedPolicy,
-    environments: {},
+    environments: mergedEnvironments,
   };
 
   return cachedConfig;