chore: remove kimi-cli, add opencode permission template

agents/install-cli.md

@@ -7,17 +7,9 @@ Reference commands for installing and updating agent CLIs. Run only the commands
 Installed via Nix:
 
 - codex
-- cursor-cli
-- claude-code
 - opencode
-
-Install Manually:
-
-```bash
-# kimi-cli
-uv tool install --python 3.13 kimi-cli
-uv tool upgrade kimi-cli --no-cache
-```
+- cursor-agent(cli)
+- claude-code
 
 ## Optional tooling
 

agents/opencode-permission-tmpl.json

@@ -0,0 +1,175 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "permission": {
+    "read": {
+      "*": "allow",
+      "*.env": "deny",
+      "*.env.*": "deny",
+      "*.env.example": "allow",
+      "*.pem": "deny",
+      "*.key": "deny",
+      "*kubeconfig*": "deny",
+      ".ssh/**": "deny",
+      ".aws/**": "deny",
+      ".kube/**": "deny",
+      ".gnupg/**": "deny"
+    },
+    "edit": "allow",
+    "glob": "allow",
+    "grep": "allow",
+    "task": "allow",
+    "lsp": "allow",
+    "skill": "allow",
+    "question": "allow",
+    "todowrite": "allow",
+    "webfetch": "allow",
+    "websearch": "allow",
+    "external_directory": "ask",
+    "doom_loop": "deny",
+    "bash": {
+      "*": "ask",
+      "git status *": "allow",
+      "git diff *": "allow",
+      "git log *": "allow",
+      "git show *": "allow",
+      "git branch *": "allow",
+      "git remote *": "allow",
+      "git tag *": "allow",
+      "git blame *": "allow",
+      "git reflog *": "allow",
+      "git stash list *": "allow",
+      "git lfs *": "allow",
+      "kubectl get *": "allow",
+      "kubectl describe *": "allow",
+      "kubectl logs *": "allow",
+      "kubectl top *": "allow",
+      "kubectl api-*": "allow",
+      "kubectl config *": "allow",
+      "kubectl explain *": "allow",
+      "kubectl kustomize *": "allow",
+      "kustomize *": "allow",
+      "terraform plan *": "allow",
+      "terraform show *": "allow",
+      "terraform state *": "allow",
+      "terraform output *": "allow",
+      "terraform version *": "allow",
+      "terraform providers *": "allow",
+      "terraform fmt *": "allow",
+      "gh repo view *": "allow",
+      "gh repo list *": "allow",
+      "gh issue view *": "allow",
+      "gh issue list *": "allow",
+      "gh pr view *": "allow",
+      "gh pr list *": "allow",
+      "gh pr diff *": "allow",
+      "gh pr checks *": "allow",
+      "gh api *": "allow",
+      "gh search *": "allow",
+      "gh gist list *": "allow",
+      "gh gist view *": "allow",
+      "gh release view *": "allow",
+      "gh release list *": "allow",
+      "gh workflow list *": "allow",
+      "gh workflow view *": "allow",
+      "gh run list *": "allow",
+      "gh run view *": "allow",
+      "gh status *": "allow",
+      "gh auth status *": "allow",
+      "helm list *": "allow",
+      "helm get *": "allow",
+      "helm show *": "allow",
+      "helm search *": "allow",
+      "helm repo *": "allow",
+      "helm status *": "allow",
+      "helm version *": "allow",
+      "helm template *": "allow",
+      "gcloud * list *": "allow",
+      "gcloud * describe *": "allow",
+      "gcloud * get-iam-policy *": "allow",
+      "gcloud config *": "allow",
+      "gcloud auth *": "allow",
+      "gcloud version *": "allow",
+      "nix eval *": "allow",
+      "nix build *": "allow",
+      "nix flake *": "allow",
+      "nix profile *": "allow",
+      "nix store *": "allow",
+      "nix search *": "allow",
+      "nix doctor *": "allow",
+      "nixos-rebuild build *": "allow",
+      "darwin-rebuild build *": "allow",
+      "nom build *": "allow",
+      "just --list *": "allow",
+      "just --show *": "allow",
+      "just --dry-run *": "allow",
+      "statix check *": "allow",
+      "deadnix *": "allow",
+      "nixfmt *": "allow",
+      "shellcheck *": "allow",
+      "hadolint *": "allow",
+      "actionlint *": "allow",
+      "ruff check *": "allow",
+      "clippy *": "allow",
+      "prettier --check *": "allow",
+      "tokei *": "allow",
+      "systemctl status *": "allow",
+      "systemctl list-*": "allow",
+      "systemctl show *": "allow",
+      "journalctl *": "allow",
+      "lspci *": "allow",
+      "lsusb *": "allow",
+      "lsblk *": "allow",
+      "df *": "allow",
+      "free *": "allow",
+      "uptime *": "allow",
+      "uname *": "allow",
+      "sensors *": "allow",
+      "lsof *": "allow",
+      "go version *": "allow",
+      "go env *": "allow",
+      "go list *": "allow",
+      "go doc *": "allow",
+      "go vet *": "allow",
+      "cargo --version *": "allow",
+      "cargo tree *": "allow",
+      "cargo metadata *": "allow",
+      "python3 --version *": "allow",
+      "python3 -m py_compile *": "allow",
+      "node --version *": "allow",
+      "pnpm list *": "allow",
+      "uv pip list *": "allow",
+      "rg *": "allow",
+      "fd *": "allow",
+      "cp *": "allow",
+      "mv *": "allow",
+      "chmod *": "allow",
+      "ls *": "allow",
+      "cat *": "allow",
+      "head *": "allow",
+      "tail *": "allow",
+      "wc *": "allow",
+      "find *": "allow",
+      "which *": "allow",
+      "echo *": "allow",
+      "pwd *": "allow",
+      "date *": "allow",
+      "env *": "allow",
+      "printenv *": "allow",
+      "file *": "allow",
+      "stat *": "allow",
+      "du *": "allow",
+      "tree *": "allow",
+      "bat *": "allow",
+      "eza *": "allow",
+      "jq *": "allow",
+      "yq *": "allow",
+      "tldr *": "allow",
+      "mkdir *": "allow",
+      "rmdir *": "allow",
+      "grep *": "allow",
+      "rm *": "ask",
+      "rm -rf *": "ask",
+      "sudo *": "deny"
+    }
+  }
+}