m3tam3re/AGENTS
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(agents): refine permissions for Chiron and Chriton-Forge with security hardening

Browse Source
This commit is contained in:
m3tm3re
2026-02-02 19:06:49 +01:00
parent 468673c125
commit c58c28aef5
1 changed files with 76 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

93
agents/agents.json
View File

@@ -5,6 +5,10 @@
"model": "zai-coding-plan/glm-4.7",
"prompt": "{file:./prompts/chiron.txt}",
"permission": {
"external_directory": {
"~/p/**": "allow",
"*": "ask"
},
"read": {
"*": "allow",
"*.env": "deny",
@@ -17,11 +21,40 @@
"*.pem": "deny",
"*.key": "deny",
"*/.aws/*": "deny",
"*/.kube/*": "deny"
"*/.kube/*": "deny",
"/run/agenix/*": "deny",
".local/share/*": "deny",
".cache/*": "deny",
"*.db": "deny",
"*.keychain": "deny",
"*.p12": "deny"
},
"edit": "deny",
"bash": {
"*": "deny",
"bd *": "allow",
"echo * > *": "deny",
"cat * > *": "deny",
"printf * > *": "deny",
"tee": "deny",
"*>*": "deny",
">*>*": "deny",
"eval *": "deny",
"source *": "deny",
"$(*": "deny",
"`*": "deny",
"git add *.env*": "deny",
"git commit *.env*": "deny",
"git add *credentials*": "deny",
"git add *secrets*": "deny"
},
"task": {
"*": "deny",
"explore": "allow",
"librarian": "allow",
"athena": "allow",
"chiron-forge": "allow"
},
"edit": "ask",
"bash": "ask",
"external_directory": "ask",
"doom_loop": "ask"
}
},
@@ -43,7 +76,13 @@
"*.pem": "deny",
"*.key": "deny",
"*/.aws/*": "deny",
"*/.kube/*": "deny"
"*/.kube/*": "deny",
"/run/agenix/*": "deny",
".local/share/*": "deny",
".cache/*": "deny",
"*.db": "deny",
"*.keychain": "deny",
"*.p12": "deny"
},
"edit": "allow",
"bash": {
@@ -53,7 +92,6 @@
"mv *": "ask",
"chmod *": "ask",
"chown *": "ask",
"git *": "ask",
"git status*": "allow",
"git log*": "allow",
"git diff*": "allow",
@@ -63,29 +101,41 @@
"git remote -v": "allow",
"git add *": "allow",
"git commit *": "allow",
"git push *": "ask",
"git config *": "deny",
"git add *.env*": "deny",
"git commit *.env*": "deny",
"git add *credentials*": "deny",
"git add *secrets*": "deny",
"jj *": "ask",
"jj status": "allow",
"jj log*": "allow",
"jj diff*": "allow",
"jj show*": "allow",
"npm *": "ask",
"npm install *": "ask",
"npm i *": "ask",
"npx *": "ask",
"bun *": "ask",
"bun install *": "ask",
"bun i *": "ask",
"bunx *": "ask",
"pip install *": "ask",
"pip3 install *": "ask",
"uv *": "ask",
"pip *": "ask",
"pip3 *": "ask",
"yarn *": "ask",
"pnpm *": "ask",
"cargo *": "ask",
"go *": "ask",
"make *": "ask",
"yarn install *": "ask",
"yarn add *": "ask",
"pnpm install *": "ask",
"pnpm add *": "ask",
"cargo install *": "ask",
"go install *": "ask",
"make install": "ask",
"dd *": "deny",
"mkfs*": "deny",
"fdisk *": "deny",
"parted *": "deny",
"eval *": "deny",
"source *": "deny",
"$(*": "deny",
"`*": "deny",
"curl *|*sh": "deny",
"wget *|*sh": "deny",
"sudo *": "deny",
@@ -96,9 +146,18 @@
"reboot*": "deny",
"init *": "deny",
"> /dev/*": "deny",
"cat * > /dev/*": "deny"
"cat * > /dev/*": "deny",
"echo * > *": "deny",
"cat * > *": "deny",
"printf * > *": "deny",
"tee": "deny",
"*>*": "deny",
">*>*": "deny"
},
"external_directory": {
"~/p/**": "allow",
"*": "ask"
},
"external_directory": "ask",
"doom_loop": "ask"
}
},