Layered configuration for governance, shell policy, hooks, and MCP permissions. Schema source: crates/flock-governance/src/config.rs.
| Layer | Path | Precedence |
| User | ~/.flock/config.toml | lowest |
| Project | flock.toml (walk up from cwd) | middle |
| Local | .flock/local.toml (same repo as project flock.toml) | highest |
Later layers override earlier ones. CLI flags and environment variables override all files.
[governance]
session_spend_cap_usd = 12.5
max_risk_score = 0.85
denied_paths = ["/secret", "~/.ssh"]
[shell]
allowed_commands = ["echo", "cargo", "git"]
denied_commands = ["rm", "curl"]
denied_patterns = ["sudo .*"]
max_output_bytes = 65536
[permissions]
default_mode = "ask"
[permissions.tools]
flock_propose_mutation = "deny"
flock_deposit_signal = "allow"
[[hooks.hooks]]
event = "PreToolUse"
command = "./scripts/hooks/pre-tool.sh"
| Key | Type | Description |
session_spend_cap_usd | float | Session spend ceiling |
max_risk_score | float | Risk score threshold |
denied_paths | string[] | Paths blocked for tool/file access |
| Key | Type | Description |
allowed_commands | string[] | Allowlist for shell plugin |
denied_commands | string[] | Blocked command names |
denied_patterns | string[] | Regex patterns to block |
max_output_bytes | integer | Cap captured stdout/stderr |
| Key | Type | Description |
default_mode | allow | ask | deny | Default MCP tool policy |
[permissions.tools] | map | Per-tool overrides |
Permission modes filter tools/list before exposure to MCP clients.
| Key | Type | Description |
event | string | Hook event name |
command | string | Shell command to invoke |
See Agent hooks.
| Variable | Maps to |
FLOCK_SESSION_SPEND_CAP_USD | governance.session_spend_cap_usd |
FLOCK_MAX_RISK_SCORE | governance.max_risk_score |
FLOCK_SHELL_ALLOWED | CSV → shell.allowed_commands |
FLOCK_SHELL_DENIED | CSV → shell.denied_commands |
FLOCK_DENIED_PATHS | CSV → governance.denied_paths |
FLOCK_PERMISSION_MODE | permissions.default_mode |
Full list: Environment variables.