Overview
The Exec capability lets CORE run shell commands on your machine. This is powerful but requires careful configuration - you control exactly which commands are allowed through allow/deny patterns.Security Model
Commands are validated against three layers before execution:- Built-in deny list — common-sense blocks like
rm -rf /,sudo,curl … | bash. Skipped only ifallowUnsafe: true. - User deny patterns — checked next; takes precedence over allow.
- User allow patterns — if configured, the command must match at least one. If empty, all non-denied commands are allowed.
dir parameter must resolve into a folder with the exec scope — otherwise the call fails with FOLDER_SCOPE_DENIED.
Configuration
Configure exec patterns through the CLI:Pattern Format
Patterns use the formatBash(<glob>):
Example Configuration
Gateway Tool
exec_command
Execute a shell command:| Parameter | Required | Description |
|---|---|---|
command | Yes | The command to execute |
dir | No | Working directory. Must resolve into an exec-scoped registered folder when folders exist. Falls back to ExecConfig.defaultDir (deprecated) otherwise. |
timeout | No | Timeout in milliseconds (default: 30000) |
Response
Use Cases
Git operations: CORE checks branch status, creates commits, pushes changes:Recommended Patterns
Development Workflow
Read-Only Access
Always Deny
Notes
- Commands run with your user permissions (the user the gateway service runs as).
- Output is captured and returned (
stdout,stderr,exitCode). - Long-running commands should set
timeout. - Commands that require user input will hang — avoid interactive commands. Use
coding_askwith the appropriate agent for interactive flows. - The
execslot can be turned off entirely incorebrain gateway config— disabled slots are not just hidden in the manifest, their HTTP route is not registered at all.
