Wildcards
runok supports two kinds of wildcards: token wildcards and glob patterns.
Token Wildcard (*)
Section titled “Token Wildcard (*)”A standalone * matches zero or more tokens in the command.
# Matches: git status, git push origin main, git log --oneline -n 5- allow: 'git *'
# Matches: docker run hello-world, docker run -it ubuntu bash- allow: 'docker run *'The token wildcard tries all possible token counts to find a valid match.
Wildcard as Command Name
Section titled “Wildcard as Command Name”When * is in the command position, it matches any command:
# Matches: git --help, docker --help, curl --help# Also matches: docker compose --help (multi-token command name)- allow: '* --help'
# Matches any single command with no arguments- allow: '*'A wildcard command pattern tries all possible splits — the command name can span one or more tokens. For example, * --help matches both git --help and docker compose --help.
Trailing Wildcard with Flags
Section titled “Trailing Wildcard with Flags”When * appears at the end of a pattern after a flag, it remains an independent wildcard rather than being consumed as the flag’s value:
# -f|--force is a boolean flag, * matches remaining tokens- allow: 'git push -f|--force *'However, when * appears between a flag and another token, it is consumed as the flag’s value:
# First * is the value of -X|--request, second * matches remaining tokens- allow: 'curl -X|--request * *'# Matches: curl -X GET /api/endpointGlob Patterns
Section titled “Glob Patterns”When * appears inside a literal token (not as a standalone token), it acts as a glob and matches zero or more characters:
# Matches: list-buckets, list-objects, list-users- allow: 'aws s3api list-*'
# Matches: file.txt, readme.txt, notes.txt- deny: 'rm *.txt'
# Matches: pre-middle-suf, pre-suf, pre123suf- allow: 'echo pre*suf'Quoted Literals Disable Glob
Section titled “Quoted Literals Disable Glob”Wrapping a token in quotes ("..." or '...') disables glob expansion. The * is matched literally:
# Only matches the exact string "WIP*" (including the asterisk character)- deny: 'git commit -m "WIP*"'
# Matches the literal token hello*world- allow: "echo 'hello*world'"Related
Section titled “Related”- Matching Behavior — How commands are parsed and matched against patterns.
- Alternation — Pipe-separated alternatives.