Add code-relaxed template, handle wildcard network allow

2025-12-29 01:39:41 -08:00
parent d8e55d9515
commit 90cd0a0a4b
10 changed files with 535 additions and 12 deletions
--- a/internal/templates/code-relaxed.json
+++ b/internal/templates/code-relaxed.json
@@ -0,0 +1,127 @@
+{
+    "allowPty": true,
+    "network": {
+      "allowLocalBinding": true,
+      "allowLocalOutbound": true,
+      "allowedDomains": ["*"],  
+      "deniedDomains": [
+        // Cloud metadata APIs (prevent credential theft)
+        "169.254.169.254",
+        "metadata.google.internal",
+        "instance-data.ec2.internal",
+  
+        // Telemetry (optional, can be removed if needed)
+        "statsig.anthropic.com",
+        "*.sentry.io"
+      ]
+    },
+  
+    "filesystem": {
+      "allowWrite": [
+        ".",
+        // Temp files
+        "/tmp",
+  
+        // Claude Code state/config
+        "~/.claude*",
+        "~/.claude/**",
+  
+        // Codex state/config
+        "~/.codex/**",
+  
+        // Cursor state/config
+        "~/.cursor/**",
+  
+        // Package manager caches
+        "~/.npm/_cacache",
+        "~/.cache",
+        "~/.bun/**",
+  
+        // Cargo cache (Rust, used by Codex)
+        "~/.cargo/registry/**",
+        "~/.cargo/git/**",
+        "~/.cargo/.package-cache",
+  
+        // Shell completion cache
+        "~/.zcompdump*",
+  
+        // XDG directories for app configs/data
+        "~/.local/share/**",
+        "~/.config/**",
+  
+        // OpenCode state
+        "~/.opencode/**"
+      ],
+  
+      "denyWrite": [
+        // Protect environment files with secrets
+        ".env",
+        ".env.*",
+        "**/.env",
+        "**/.env.*",
+  
+        // Protect key/certificate files
+        "*.key",
+        "*.pem",
+        "*.p12",
+        "*.pfx",
+        "**/*.key",
+        "**/*.pem",
+        "**/*.p12",
+        "**/*.pfx"
+      ],
+  
+      "denyRead": [
+        // SSH private keys and config
+        "~/.ssh/id_*",
+        "~/.ssh/config",
+        "~/.ssh/*.pem",
+  
+        // GPG keys
+        "~/.gnupg/**",
+  
+        // Cloud provider credentials
+        "~/.aws/**",
+        "~/.config/gcloud/**",
+        "~/.kube/**",
+  
+        // Docker config (may contain registry auth)
+        "~/.docker/**",
+  
+        // GitHub CLI auth
+        "~/.config/gh/**",
+  
+        // Package manager auth tokens
+        "~/.pypirc",
+        "~/.netrc",
+        "~/.git-credentials",
+        "~/.cargo/credentials",
+        "~/.cargo/credentials.toml"
+      ]
+    },
+  
+    "command": {
+      "useDefaults": true,
+      "deny": [
+        // Git commands that modify remote state
+        "git push",
+        "git reset",
+        "git clean",
+        "git checkout --",
+        "git rebase",
+        "git merge",
+  
+        // Package publishing commands
+        "npm publish",
+        "pnpm publish",
+        "yarn publish",
+        "cargo publish",
+        "twine upload",
+        "gem push",
+  
+        // Privilege escalation
+        "sudo"
+      ]
+    }
+  }
+