6a5d8f0011fbfdf89d8b2bec98a6f29f57272d2b
Pi Guardrails:
- Enables @aliou/pi-guardrails with strict default config
- Sets onboarding.completed = true to skip onboarding prompt
- Enables pathAccess in ask mode for /nix/store and /tmp
- Adds noAccess policies for: SSH keys, GPG keys, AWS config, Kubernetes config, cloud CLI configs (gh/gcloud/1password/sops), agenix secrets, Pi auth/sessions, env files, private keys/certs
- Adds auto-deny patterns for env leakage commands: env, printenv, /proc/*/environ, GPG secret exports, ssh-add -D, password manager reads

OpenCode permissions:
- Adds permission section with global security rules
- external_directory: ask by default, allow /nix/store and /tmp
- read/edit: allow by default, deny SSH/GPG/AWS/Kube/cloud configs, agenix secrets, Pi auth/sessions, env files, private keys/certs
- glob: restrict sensitive path patterns
- grep: deny SSH/GPG/agenix, ask for PASSWORD/SECRET/API_KEY/PRIVATE_KEY
- bash: ask by default, allow safe git/nix commands, deny env/printenv/proc/GPG secret/sudo/ssh-add deletion/curl|sh
- webfetch: ask by default, allow github/nixos search
- doom_loop: ask
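The permission model summarised in the commit message, as an added illustration that is not the configuration schema or code of @aliou/pi-guardrails, OpenCode, or this repository: a small Python model of the decision order those rules imply (an explicit deny wins, then an explicit allow, otherwise the tool's default of "ask" or "allow"), applied to file paths and shell commands. Every path pattern, regular expression, home directory and sample input below is constructed for the example.

```python
"""Model of the guardrail decisions described in the commit message.

Added illustration, not the configuration schema or code of
@aliou/pi-guardrails or OpenCode. It encodes the decision order those rules
imply: an explicit deny wins, then an explicit allow, otherwise the tool's
default ("ask" or "allow"). All patterns and paths below are constructed.
"""
import fnmatch
import os
import re
from dataclasses import dataclass, field
from typing import List

DENY, ALLOW, ASK = "deny", "allow", "ask"


@dataclass
class PathPolicy:
    """Path decisions for a file tool (read/edit/external_directory)."""
    home: str                      # substituted for '~' so the example is hermetic
    default: str                   # decision when no pattern matches
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def _expand(self, pattern: str) -> str:
        return self.home + pattern[1:] if pattern.startswith("~") else pattern

    def decide(self, path: str) -> str:
        # normpath collapses "proj/../.ssh" style paths before matching,
        # so a traversal cannot slip past a prefix-based deny rule
        path = os.path.normpath(path)
        if any(fnmatch.fnmatchcase(path, self._expand(p)) for p in self.deny):
            return DENY
        if any(fnmatch.fnmatchcase(path, self._expand(p)) for p in self.allow):
            return ALLOW
        return self.default


# Constructed list mirroring the categories named in the commit: SSH, GPG, AWS,
# Kubernetes, cloud CLI configs, agenix secrets, env files, private keys/certs.
SENSITIVE_PATHS = [
    "~/.ssh/*", "~/.gnupg/*", "~/.aws/*", "~/.kube/*",
    "~/.config/gh/*", "~/.config/gcloud/*", "~/.config/sops/*",
    "*/.env", "*/.env.*", "*.pem", "*.key", "*/secrets/*.age",
]


def read_policy(home: str) -> PathPolicy:
    """read/edit: allow by default, deny the sensitive locations."""
    return PathPolicy(home=home, default=ALLOW, deny=SENSITIVE_PATHS)


def external_dir_policy(home: str) -> PathPolicy:
    """external_directory: ask by default, allow /nix/store and /tmp."""
    return PathPolicy(home=home, default=ASK,
                      allow=["/nix/store/*", "/tmp/*"], deny=SENSITIVE_PATHS)


@dataclass
class CommandPolicy:
    """Shell-command decisions for the bash tool."""
    default: str = ASK
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)

    def decide(self, command: str) -> str:
        if any(re.search(p, command) for p in self.deny):
            return DENY
        if any(re.search(p, command) for p in self.allow):
            return ALLOW
        return self.default


# Constructed regexes for the env-leakage and privilege patterns the commit lists.
ENV_LEAK_PATTERNS = [
    r"(^|[;&|]\s*)(env|printenv)\b",     # dumps every environment variable
    r"/proc/[^/\s]+/environ",            # same data read via procfs
    r"\bgpg\b.*--export-secret",         # GPG secret key export
    r"\bssh-add\s+-D\b",                 # wipes loaded SSH identities
    r"(^|[;&|]\s*)sudo\b",               # privilege escalation
    r"\bcurl\b.*\|\s*(ba|z)?sh\b",       # pipe-to-shell
]
SAFE_COMMANDS = [r"^git\s+(status|log|diff|show)\b",
                 r"^nix\s+(build|flake\s+check|eval)\b"]

BASH_POLICY = CommandPolicy(default=ASK, allow=SAFE_COMMANDS, deny=ENV_LEAK_PATTERNS)


if __name__ == "__main__":
    rp = read_policy("/home/alice")
    for p in ["/home/alice/.ssh/id_ed25519", "/home/alice/proj/src/main.nix",
              "/home/alice/proj/.env"]:
        print(f"read {p}: {rp.decide(p)}")
    for c in ["git status", "printenv", "cat /proc/self/environ",
              "curl https://x.example/i.sh | sh", "make"]:
        print(f"bash {c!r}: {BASH_POLICY.decide(c)}")
```

The deny list is checked before the allow list on purpose: a command such as `nix build .#foo && env` starts with an allowed prefix but still ends in an environment dump, and a path like `~/proj/../.ssh/id_ed25519` normalises into a denied location, so an allow-first or prefix-only evaluation would let both through.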
Languages: Nix 98.5%, Shell 1.5%