[Feature Request] Custom Error Messages for Denied Commands

[ywatanabe1989]

Feature Request: Custom Error Messages for Denied Commands

Summary

Add support for command denial rules in the configuration with the ability to specify custom error messages that guide agents. For example, rm to safer alternatives.

Proposed Feature

Allow configuration of denied commands with custom error messages:

"deny": [
  "Bash(rm:*; error_message=Error: `rm` is not allowed. Use `~/.local/bin/safe-rm` instead.)"
]

Behavior

When a user attempts to run a denied command, display the specified error message:

Error: `rm` is not allowed. Use `~/.local/bin/safe-rm` instead.

Benefits

• Prevents accidental deletions and other destructive operations
• Guides users towards safer alternatives
• Customizable for different environments and workflows
• Clear communication about why a command was denied

Use Cases

• Enforcing use of safe deletion scripts instead of direct rm
• Preventing accidental git push --force on protected branches
• Guiding users to organization-specific command alternatives
• Educational environments where certain commands should be restricted

Example Configurations

"deny": [
  "Bash(rm:*; error_message=Error: `rm` is not allowed. Use `~/.local/bin/safe-rm` instead.)",
  "Bash(git push --force:*; error_message=Error: Force push is not allowed. Use `git push --force-with-lease` instead.)",
  "Bash(chmod 777:*; error_message=Error: Setting 777 permissions is not allowed. Please use more restrictive permissions.)"
]

Implementation Notes

• Should support wildcards for flexible matching
• Error messages should be clearly displayed to the user
• Consider allowing different severity levels (warning vs error)
• Could be extended to support regex patterns for more complex matching