Activate the harness sandbox (enabled + autoAllowBashIfSandboxed + filesystem write/deny rules) and replace the ~30 specific Bash(...) permission entries with a single Bash(*) wildcard. The existing deny list (git push --force, git reset --hard, rm -rf, sudo) and ask list (git push, docker run, curl) keep their precedence. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
{
"permissions": {
"allow": [
"Read",
"Edit",
"Write",
"Bash(*)",
"Read(//tmp/**)",
"WebSearch",
"WebFetch(domain:github.com)",
"WebFetch(domain:raw.githubusercontent.com)",
"WebFetch(domain:api.github.com)",
"WebFetch(domain:docs.docker.com)",
"WebFetch(domain:pypi.org)",
"WebFetch(domain:docs.cypress.io)",
"WebFetch(domain:flask.palletsprojects.com)",
"Skill(update-config)",
"Skill(update-config:*)"
],
"deny": [
"Bash(git push --force*)",
"Bash(git reset --hard*)",
"Bash(rm -rf*)",
"Bash(sudo*)"
],
"ask": [
"Bash(git push*)",
"Bash(docker run*)",
"Bash(curl*)"
],
"additionalDirectories": [
"/tmp"
]
},
"sandbox": {
"enabled": true,
"autoAllowBashIfSandboxed": true,
"filesystem": {
"allowWrite": [
".",
"/tmp"
],
"denyRead": [
"~/.ssh",
"~/.gnupg",
"~/.kube",
"~/.aws",
"~/.config/gcloud"
]
}
}
}