{ "allowPty": true, "network": { "allowLocalBinding": true, "allowLocalOutbound": true, "allowedDomains": ["*"], "deniedDomains": [ // Cloud metadata APIs (prevent credential theft) "169.254.169.254", "metadata.google.internal", "instance-data.ec2.internal", // Telemetry (optional, can be removed if needed) "statsig.anthropic.com", "*.sentry.io" ] }, "filesystem": { "allowWrite": [ ".", // Temp files "/tmp", // Local cache, needed by tools like `uv` "~/.cache/**", // Claude Code state/config "~/.claude*", "~/.claude/**", // Codex state/config "~/.codex/**", // Cursor state/config "~/.cursor/**", // Package manager caches "~/.npm/_cacache", "~/.cache", "~/.bun/**", // Cargo cache (Rust, used by Codex) "~/.cargo/registry/**", "~/.cargo/git/**", "~/.cargo/.package-cache", // Shell completion cache "~/.zcompdump*", // XDG directories for app configs/data "~/.local/share/**", "~/.config/**", // OpenCode state "~/.opencode/**" ], "denyWrite": [ // Protect environment files with secrets ".env", ".env.*", "**/.env", "**/.env.*", // Protect key/certificate files "*.key", "*.pem", "*.p12", "*.pfx", "**/*.key", "**/*.pem", "**/*.p12", "**/*.pfx" ], "denyRead": [ // SSH private keys and config "~/.ssh/id_*", "~/.ssh/config", "~/.ssh/*.pem", // GPG keys "~/.gnupg/**", // Cloud provider credentials "~/.aws/**", "~/.config/gcloud/**", "~/.kube/**", // Docker config (may contain registry auth) "~/.docker/**", // GitHub CLI auth "~/.config/gh/**", // Package manager auth tokens "~/.pypirc", "~/.netrc", "~/.git-credentials", "~/.cargo/credentials", "~/.cargo/credentials.toml" ] }, "command": { "useDefaults": true, "deny": [ // Git commands that modify remote state "git push", "git reset", "git clean", "git checkout --", "git rebase", "git merge", // Package publishing commands "npm publish", "pnpm publish", "yarn publish", "cargo publish", "twine upload", "gem push", // Privilege escalation "sudo" ] } }