Add code-relaxed template, handle wildcard network allow

internal/templates/code-relaxed.json

@@ -0,0 +1,127 @@
+{
+    "allowPty": true,
+    "network": {
+      "allowLocalBinding": true,
+      "allowLocalOutbound": true,
+      "allowedDomains": ["*"],  
+      "deniedDomains": [
+        // Cloud metadata APIs (prevent credential theft)
+        "169.254.169.254",
+        "metadata.google.internal",
+        "instance-data.ec2.internal",
+  
+        // Telemetry (optional, can be removed if needed)
+        "statsig.anthropic.com",
+        "*.sentry.io"
+      ]
+    },
+  
+    "filesystem": {
+      "allowWrite": [
+        ".",
+        // Temp files
+        "/tmp",
+  
+        // Claude Code state/config
+        "~/.claude*",
+        "~/.claude/**",
+  
+        // Codex state/config
+        "~/.codex/**",
+  
+        // Cursor state/config
+        "~/.cursor/**",
+  
+        // Package manager caches
+        "~/.npm/_cacache",
+        "~/.cache",
+        "~/.bun/**",
+  
+        // Cargo cache (Rust, used by Codex)
+        "~/.cargo/registry/**",
+        "~/.cargo/git/**",
+        "~/.cargo/.package-cache",
+  
+        // Shell completion cache
+        "~/.zcompdump*",
+  
+        // XDG directories for app configs/data
+        "~/.local/share/**",
+        "~/.config/**",
+  
+        // OpenCode state
+        "~/.opencode/**"
+      ],
+  
+      "denyWrite": [
+        // Protect environment files with secrets
+        ".env",
+        ".env.*",
+        "**/.env",
+        "**/.env.*",
+  
+        // Protect key/certificate files
+        "*.key",
+        "*.pem",
+        "*.p12",
+        "*.pfx",
+        "**/*.key",
+        "**/*.pem",
+        "**/*.p12",
+        "**/*.pfx"
+      ],
+  
+      "denyRead": [
+        // SSH private keys and config
+        "~/.ssh/id_*",
+        "~/.ssh/config",
+        "~/.ssh/*.pem",
+  
+        // GPG keys
+        "~/.gnupg/**",
+  
+        // Cloud provider credentials
+        "~/.aws/**",
+        "~/.config/gcloud/**",
+        "~/.kube/**",
+  
+        // Docker config (may contain registry auth)
+        "~/.docker/**",
+  
+        // GitHub CLI auth
+        "~/.config/gh/**",
+  
+        // Package manager auth tokens
+        "~/.pypirc",
+        "~/.netrc",
+        "~/.git-credentials",
+        "~/.cargo/credentials",
+        "~/.cargo/credentials.toml"
+      ]
+    },
+  
+    "command": {
+      "useDefaults": true,
+      "deny": [
+        // Git commands that modify remote state
+        "git push",
+        "git reset",
+        "git clean",
+        "git checkout --",
+        "git rebase",
+        "git merge",
+  
+        // Package publishing commands
+        "npm publish",
+        "pnpm publish",
+        "yarn publish",
+        "cargo publish",
+        "twine upload",
+        "gem push",
+  
+        // Privilege escalation
+        "sudo"
+      ]
+    }
+  }
+  

internal/templates/code.json

@@ -14,6 +14,9 @@
       "api.together.xyz",
       "openrouter.ai",
 
+      // Cursor API
+      "*.cursor.sh",
+
       // Git hosting
       "github.com",
       "api.github.com",
@@ -63,6 +66,9 @@
       // Codex state/config
       "~/.codex/**",
 
+      // Cursor state/config
+      "~/.cursor/**",
+
       // Package manager caches
       "~/.npm/_cacache",
       "~/.cache",

internal/templates/templates.go

@@ -32,6 +32,7 @@ var templateDescriptions = map[string]string{
 	"local-dev-server":  "Allow binding and localhost outbound; allow writes to workspace/tmp",
 	"git-readonly":      "Blocks destructive commands like git push, rm -rf, etc.",
 	"code":              "Production-ready config for AI coding agents (Claude Code, Codex, Copilot, etc.)",
+	"code-relaxed":      "Like 'code' but allows direct network for apps that ignore HTTP_PROXY (cursor-agent, opencode)",
 }
 
 // List returns all available template names sorted alphabetically.