{ "$schema": "https://opencode.ai/config.json", "permission": { "read": { "*": "allow", "*.env": "deny", "*.env.*": "deny", "*.env.example": "allow", "*.pem": "deny", "*.key": "deny", "*kubeconfig*": "deny", ".ssh/**": "deny", ".aws/**": "deny", ".kube/**": "deny", ".gnupg/**": "deny" }, "edit": "allow", "glob": "allow", "grep": "allow", "task": "allow", "lsp": "allow", "skill": "allow", "question": "allow", "todowrite": "allow", "webfetch": "allow", "websearch": "allow", "external_directory": "ask", "doom_loop": "deny", "bash": { "*": "ask", "git status *": "allow", "git diff *": "allow", "git log *": "allow", "git show *": "allow", "git branch *": "allow", "git remote *": "allow", "git tag *": "allow", "git blame *": "allow", "git reflog *": "allow", "git stash list *": "allow", "git lfs *": "allow", "kubectl get *": "allow", "kubectl describe *": "allow", "kubectl logs *": "allow", "kubectl top *": "allow", "kubectl api-*": "allow", "kubectl config *": "allow", "kubectl explain *": "allow", "kubectl kustomize *": "allow", "kustomize *": "allow", "terraform plan *": "allow", "terraform show *": "allow", "terraform state *": "allow", "terraform output *": "allow", "terraform version *": "allow", "terraform providers *": "allow", "terraform fmt *": "allow", "gh repo view *": "allow", "gh repo list *": "allow", "gh issue view *": "allow", "gh issue list *": "allow", "gh pr view *": "allow", "gh pr list *": "allow", "gh pr diff *": "allow", "gh pr checks *": "allow", "gh api *": "allow", "gh search *": "allow", "gh gist list *": "allow", "gh gist view *": "allow", "gh release view *": "allow", "gh release list *": "allow", "gh workflow list *": "allow", "gh workflow view *": "allow", "gh run list *": "allow", "gh run view *": "allow", "gh status *": "allow", "gh auth status *": "allow", "helm list *": "allow", "helm get *": "allow", "helm show *": "allow", "helm search *": "allow", "helm repo *": "allow", "helm status *": "allow", "helm version *": "allow", "helm template *": "allow", "gcloud * list *": "allow", "gcloud * describe *": "allow", "gcloud * get-iam-policy *": "allow", "gcloud config *": "allow", "gcloud auth *": "allow", "gcloud version *": "allow", "nix eval *": "allow", "nix build *": "allow", "nix flake *": "allow", "nix profile *": "allow", "nix store *": "allow", "nix search *": "allow", "nix doctor *": "allow", "nixos-rebuild build *": "allow", "darwin-rebuild build *": "allow", "nom build *": "allow", "just --list *": "allow", "just --show *": "allow", "just --dry-run *": "allow", "statix check *": "allow", "deadnix *": "allow", "nixfmt *": "allow", "shellcheck *": "allow", "hadolint *": "allow", "actionlint *": "allow", "ruff check *": "allow", "clippy *": "allow", "prettier --check *": "allow", "tokei *": "allow", "systemctl status *": "allow", "systemctl list-*": "allow", "systemctl show *": "allow", "journalctl *": "allow", "lspci *": "allow", "lsusb *": "allow", "lsblk *": "allow", "df *": "allow", "free *": "allow", "uptime *": "allow", "uname *": "allow", "sensors *": "allow", "lsof *": "allow", "go version *": "allow", "go env *": "allow", "go list *": "allow", "go doc *": "allow", "go vet *": "allow", "cargo --version *": "allow", "cargo tree *": "allow", "cargo metadata *": "allow", "python3 --version *": "allow", "python3 -m py_compile *": "allow", "node --version *": "allow", "pnpm list *": "allow", "uv pip list *": "allow", "rg *": "allow", "fd *": "allow", "cp *": "allow", "mv *": "allow", "chmod *": "allow", "ls *": "allow", "cat *": "allow", "head *": "allow", "tail *": "allow", "wc *": "allow", "find *": "allow", "which *": "allow", "echo *": "allow", "pwd *": "allow", "date *": "allow", "env *": "allow", "printenv *": "allow", "file *": "allow", "stat *": "allow", "du *": "allow", "tree *": "allow", "bat *": "allow", "eza *": "allow", "jq *": "allow", "yq *": "allow", "tldr *": "allow", "mkdir *": "allow", "rmdir *": "allow", "grep *": "allow", "rm *": "ask", "rm -rf *": "ask", "sudo *": "deny" } } }