176 lines
3.4 KiB
JSON
176 lines
3.4 KiB
JSON
{
|
|
"allowPty": true,
|
|
"network": {
|
|
"allowLocalBinding": true,
|
|
"allowLocalOutbound": true,
|
|
"allowedDomains": [
|
|
// LLM API providers
|
|
"api.openai.com",
|
|
"*.anthropic.com",
|
|
"api.githubcopilot.com",
|
|
"generativelanguage.googleapis.com",
|
|
"api.mistral.ai",
|
|
"api.cohere.ai",
|
|
"api.together.xyz",
|
|
"openrouter.ai",
|
|
|
|
// OpenCode
|
|
"opencode.ai",
|
|
"api.opencode.ai",
|
|
|
|
// Cursor API
|
|
"*.cursor.sh",
|
|
|
|
// Git hosting
|
|
"github.com",
|
|
"api.github.com",
|
|
"raw.githubusercontent.com",
|
|
"codeload.github.com",
|
|
"objects.githubusercontent.com",
|
|
"release-assets.githubusercontent.com",
|
|
"gitlab.com",
|
|
|
|
// Package registries
|
|
"registry.npmjs.org",
|
|
"*.npmjs.org",
|
|
"registry.yarnpkg.com",
|
|
"pypi.org",
|
|
"files.pythonhosted.org",
|
|
"crates.io",
|
|
"static.crates.io",
|
|
"index.crates.io",
|
|
"proxy.golang.org",
|
|
"sum.golang.org",
|
|
|
|
// Model registry
|
|
"models.dev"
|
|
],
|
|
|
|
"deniedDomains": [
|
|
// Cloud metadata APIs (prevent credential theft)
|
|
"169.254.169.254",
|
|
"metadata.google.internal",
|
|
"instance-data.ec2.internal",
|
|
|
|
// Telemetry (optional, can be removed if needed)
|
|
"statsig.anthropic.com",
|
|
"*.sentry.io"
|
|
]
|
|
},
|
|
|
|
"filesystem": {
|
|
"allowWrite": [
|
|
".",
|
|
// Temp files
|
|
"/tmp",
|
|
|
|
// Local cache, needed by tools like `uv`
|
|
"~/.cache/**",
|
|
|
|
// Claude Code
|
|
"~/.claude*",
|
|
"~/.claude/**",
|
|
|
|
// Codex
|
|
"~/.codex/**",
|
|
|
|
// Cursor
|
|
"~/.cursor/**",
|
|
|
|
// OpenCode
|
|
"~/.opencode/**",
|
|
"~/.local/state/**",
|
|
|
|
// Gemini CLI
|
|
"~/.gemini/**",
|
|
|
|
// Package manager caches
|
|
"~/.npm/_cacache",
|
|
"~/.cache",
|
|
"~/.bun/**",
|
|
|
|
// Cargo cache (Rust, used by Codex)
|
|
"~/.cargo/registry/**",
|
|
"~/.cargo/git/**",
|
|
"~/.cargo/.package-cache",
|
|
|
|
// Shell completion cache
|
|
"~/.zcompdump*",
|
|
|
|
// XDG directories for app configs/data
|
|
"~/.local/share/**",
|
|
"~/.config/**"
|
|
],
|
|
|
|
"denyWrite": [
|
|
// Protect environment files with secrets
|
|
".env",
|
|
".env.*",
|
|
"**/.env",
|
|
"**/.env.*",
|
|
|
|
// Protect key/certificate files
|
|
"*.key",
|
|
"*.pem",
|
|
"*.p12",
|
|
"*.pfx",
|
|
"**/*.key",
|
|
"**/*.pem",
|
|
"**/*.p12",
|
|
"**/*.pfx"
|
|
],
|
|
|
|
"denyRead": [
|
|
// SSH private keys and config
|
|
"~/.ssh/id_*",
|
|
"~/.ssh/config",
|
|
"~/.ssh/*.pem",
|
|
|
|
// GPG keys
|
|
"~/.gnupg/**",
|
|
|
|
// Cloud provider credentials
|
|
"~/.aws/**",
|
|
"~/.config/gcloud/**",
|
|
"~/.kube/**",
|
|
|
|
// Docker config (may contain registry auth)
|
|
"~/.docker/**",
|
|
|
|
// GitHub CLI auth
|
|
"~/.config/gh/**",
|
|
|
|
// Package manager auth tokens
|
|
"~/.pypirc",
|
|
"~/.netrc",
|
|
"~/.git-credentials",
|
|
"~/.cargo/credentials",
|
|
"~/.cargo/credentials.toml"
|
|
]
|
|
},
|
|
|
|
"command": {
|
|
"useDefaults": true,
|
|
"deny": [
|
|
// Git commands that modify remote state
|
|
"git push",
|
|
"git reset",
|
|
"git clean",
|
|
"git checkout --",
|
|
"git rebase",
|
|
"git merge",
|
|
|
|
// Package publishing commands
|
|
"npm publish",
|
|
"pnpm publish",
|
|
"yarn publish",
|
|
"cargo publish",
|
|
"twine upload",
|
|
"gem push",
|
|
|
|
// Privilege escalation
|
|
"sudo"
|
|
]
|
|
}
|
|
}
|