# METADATA
# scope: package
# title: Block Python Linter Config (Bash)
# description: Blocks Bash edits to Python linter config files
# custom:
#   routing:
#     required_events: ["PreToolUse"]
#     required_tools: ["Bash"]
package cupcake.policies.opencode.block_linter_config_python_bash
import rego.v1

pattern := `(rm|mv|cp|sed|awk|chmod|chown|touch|truncate|tee|>|>>)\s.*(?:pyproject\.toml|\.?ruff\.toml|\.?pyrightconfig\.json|\.?mypy\.ini|setup\.cfg|\.flake8|tox\.ini|\.?pylintrc)`

deny contains decision if {
    input.hook_event_name == "PreToolUse"
    input.tool_name == "Bash"

    command := input.tool_input.command
    regex.match(pattern, command)

    decision := {
        "rule_id": "PY-CONFIG-001",
        "reason": "Python linter/config file edits are prohibited.",
        "severity": "HIGH"
    }
}