From 9eb532a4611a87637b96da3537c9d31d93f9041b Mon Sep 17 00:00:00 2001
From: Ryan Yin <xiaoyin_c@qq.com>
Date: Fri, 29 May 2026 08:38:00 +0800
Subject: [PATCH] chore: remove kimi-cli, add opencode permission template

---
 agents/install-cli.md                |  12 +-
 agents/opencode-permission-tmpl.json | 175 +++++++++++++++++++++++++++
 hosts/idols-ai/README.md             |   3 +-
 hosts/idols-ai/preservation.nix      |   2 +-
 4 files changed, 180 insertions(+), 12 deletions(-)
 create mode 100644 agents/opencode-permission-tmpl.json

diff --git a/agents/install-cli.md b/agents/install-cli.md
index b7f593ab..a720920e 100644
--- a/agents/install-cli.md
+++ b/agents/install-cli.md
@@ -7,17 +7,9 @@ Reference commands for installing and updating agent CLIs. Run only the commands
 Installed via Nix:
 
 - codex
-- cursor-cli
-- claude-code
 - opencode
-
-Install Manually:
-
-```bash
-# kimi-cli
-uv tool install --python 3.13 kimi-cli
-uv tool upgrade kimi-cli --no-cache
-```
+- cursor-agent(cli)
+- claude-code
 
 ## Optional tooling
 
diff --git a/agents/opencode-permission-tmpl.json b/agents/opencode-permission-tmpl.json
new file mode 100644
index 00000000..585b973f
--- /dev/null
+++ b/agents/opencode-permission-tmpl.json
@@ -0,0 +1,175 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "permission": {
+    "read": {
+      "*": "allow",
+      "*.env": "deny",
+      "*.env.*": "deny",
+      "*.env.example": "allow",
+      "*.pem": "deny",
+      "*.key": "deny",
+      "*kubeconfig*": "deny",
+      ".ssh/**": "deny",
+      ".aws/**": "deny",
+      ".kube/**": "deny",
+      ".gnupg/**": "deny"
+    },
+    "edit": "allow",
+    "glob": "allow",
+    "grep": "allow",
+    "task": "allow",
+    "lsp": "allow",
+    "skill": "allow",
+    "question": "allow",
+    "todowrite": "allow",
+    "webfetch": "allow",
+    "websearch": "allow",
+    "external_directory": "ask",
+    "doom_loop": "deny",
+    "bash": {
+      "*": "ask",
+      "git status *": "allow",
+      "git diff *": "allow",
+      "git log *": "allow",
+      "git show *": "allow",
+      "git branch *": "allow",
+      "git remote *": "allow",
+      "git tag *": "allow",
+      "git blame *": "allow",
+      "git reflog *": "allow",
+      "git stash list *": "allow",
+      "git lfs *": "allow",
+      "kubectl get *": "allow",
+      "kubectl describe *": "allow",
+      "kubectl logs *": "allow",
+      "kubectl top *": "allow",
+      "kubectl api-*": "allow",
+      "kubectl config *": "allow",
+      "kubectl explain *": "allow",
+      "kubectl kustomize *": "allow",
+      "kustomize *": "allow",
+      "terraform plan *": "allow",
+      "terraform show *": "allow",
+      "terraform state *": "allow",
+      "terraform output *": "allow",
+      "terraform version *": "allow",
+      "terraform providers *": "allow",
+      "terraform fmt *": "allow",
+      "gh repo view *": "allow",
+      "gh repo list *": "allow",
+      "gh issue view *": "allow",
+      "gh issue list *": "allow",
+      "gh pr view *": "allow",
+      "gh pr list *": "allow",
+      "gh pr diff *": "allow",
+      "gh pr checks *": "allow",
+      "gh api *": "allow",
+      "gh search *": "allow",
+      "gh gist list *": "allow",
+      "gh gist view *": "allow",
+      "gh release view *": "allow",
+      "gh release list *": "allow",
+      "gh workflow list *": "allow",
+      "gh workflow view *": "allow",
+      "gh run list *": "allow",
+      "gh run view *": "allow",
+      "gh status *": "allow",
+      "gh auth status *": "allow",
+      "helm list *": "allow",
+      "helm get *": "allow",
+      "helm show *": "allow",
+      "helm search *": "allow",
+      "helm repo *": "allow",
+      "helm status *": "allow",
+      "helm version *": "allow",
+      "helm template *": "allow",
+      "gcloud * list *": "allow",
+      "gcloud * describe *": "allow",
+      "gcloud * get-iam-policy *": "allow",
+      "gcloud config *": "allow",
+      "gcloud auth *": "allow",
+      "gcloud version *": "allow",
+      "nix eval *": "allow",
+      "nix build *": "allow",
+      "nix flake *": "allow",
+      "nix profile *": "allow",
+      "nix store *": "allow",
+      "nix search *": "allow",
+      "nix doctor *": "allow",
+      "nixos-rebuild build *": "allow",
+      "darwin-rebuild build *": "allow",
+      "nom build *": "allow",
+      "just --list *": "allow",
+      "just --show *": "allow",
+      "just --dry-run *": "allow",
+      "statix check *": "allow",
+      "deadnix *": "allow",
+      "nixfmt *": "allow",
+      "shellcheck *": "allow",
+      "hadolint *": "allow",
+      "actionlint *": "allow",
+      "ruff check *": "allow",
+      "clippy *": "allow",
+      "prettier --check *": "allow",
+      "tokei *": "allow",
+      "systemctl status *": "allow",
+      "systemctl list-*": "allow",
+      "systemctl show *": "allow",
+      "journalctl *": "allow",
+      "lspci *": "allow",
+      "lsusb *": "allow",
+      "lsblk *": "allow",
+      "df *": "allow",
+      "free *": "allow",
+      "uptime *": "allow",
+      "uname *": "allow",
+      "sensors *": "allow",
+      "lsof *": "allow",
+      "go version *": "allow",
+      "go env *": "allow",
+      "go list *": "allow",
+      "go doc *": "allow",
+      "go vet *": "allow",
+      "cargo --version *": "allow",
+      "cargo tree *": "allow",
+      "cargo metadata *": "allow",
+      "python3 --version *": "allow",
+      "python3 -m py_compile *": "allow",
+      "node --version *": "allow",
+      "pnpm list *": "allow",
+      "uv pip list *": "allow",
+      "rg *": "allow",
+      "fd *": "allow",
+      "cp *": "allow",
+      "mv *": "allow",
+      "chmod *": "allow",
+      "ls *": "allow",
+      "cat *": "allow",
+      "head *": "allow",
+      "tail *": "allow",
+      "wc *": "allow",
+      "find *": "allow",
+      "which *": "allow",
+      "echo *": "allow",
+      "pwd *": "allow",
+      "date *": "allow",
+      "env *": "allow",
+      "printenv *": "allow",
+      "file *": "allow",
+      "stat *": "allow",
+      "du *": "allow",
+      "tree *": "allow",
+      "bat *": "allow",
+      "eza *": "allow",
+      "jq *": "allow",
+      "yq *": "allow",
+      "tldr *": "allow",
+      "mkdir *": "allow",
+      "rmdir *": "allow",
+      "grep *": "allow",
+      "rm *": "ask",
+      "rm -rf *": "ask",
+      "sudo *": "deny"
+    }
+  }
+}
diff --git a/hosts/idols-ai/README.md b/hosts/idols-ai/README.md
index 16514973..c4cbab53 100644
--- a/hosts/idols-ai/README.md
+++ b/hosts/idols-ai/README.md
@@ -127,7 +127,8 @@ nvme0n1           259:0    0  1.8T  0 disk
                                             /home/ryan/.kube
                                             /home/ryan/.gradle
                                             /home/ryan/.gnupg
-                                            /home/ryan/.kimi
+
+
                                             /home/ryan/.ipython
 
                                             /home/ryan/.docker
diff --git a/hosts/idols-ai/preservation.nix b/hosts/idols-ai/preservation.nix
index 491b994e..b33a7b53 100644
--- a/hosts/idols-ai/preservation.nix
+++ b/hosts/idols-ai/preservation.nix
@@ -150,7 +150,7 @@ in
         ".config/opencode"
         ".local/share/opencode"
         ".local/state/opencode"
-        ".kimi" # kimi-cli
+
         ".context7" # up-to-date docs and code examples for for LLMs & agents
 
         # nvim