commands map to one of 20 action types like filesystem_delete, network_outbound, lang_exec, etc) matching againts JSON tables (optionally extended or overwritten via your YAML config). 3-phase lookup: 1) your config, then built-in flag classifiers for sed, awk, find etc, then the shipped defaults. First one wins.

each action type has a default policy: allow, context, ask, or block, where context means it checks where you are so rm inside your project is probably ok, but outside it gets flagged.

pipes are decomposed and each stage classified independently, and composition rules check the data flow: network | exec is blocked regardless of individual stage policies.

flag classifiers were the big unlock where instead of shipping thousands of prefixes, a few functions (about 20 commands) can handle different intents expressed in the same command.

naturally, lots of things will land outside the defaults and the flag classifiers (domain specific stuff for example) - the LLM can help disambiguate those. But sometimes, even the LLM is uncertain in which case we surface it to the human in charge. The buck stops with you.