From c907354a4f968a7e52cb8ddef124e728889e0d34 Mon Sep 17 00:00:00 2001 From: Christoph Schmatzler Date: Wed, 1 Apr 2026 18:58:43 +0000 Subject: [PATCH] flk --- flake.lock | 78 ++++++++++++++++++++-------------------- modules/ai-tools.nix | 85 +++++++++++++++++++++++++++++++++++++++++--- 2 files changed, 119 insertions(+), 44 deletions(-) diff --git a/flake.lock b/flake.lock index 99262e1..660d72f 100644 --- a/flake.lock +++ b/flake.lock @@ -114,11 +114,11 @@ ] }, "locked": { - "lastModified": 1775023938, - "narHash": "sha256-0/aPuEXIIaehfP/t9icDJUTCmAu13dfS+RNKWdMV5P0=", + "lastModified": 1775037210, + "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=", "owner": "LnL7", "repo": "nix-darwin", - "rev": "5176e2f4b45de02f1c90133854634a6c675ef41b", + "rev": "06648f4902343228ce2de79f291dd5a58ee12146", "type": "github" }, "original": { @@ -130,11 +130,11 @@ }, "den": { "locked": { - "lastModified": 1775034229, - "narHash": "sha256-BZPqamTWnWdKA+tSjt5y57EDYZnSRQYNZWQNFtqn9rw=", + "lastModified": 1775107442, + "narHash": "sha256-ScuYEFjhoHTNiOJjMJses8fCUy2Jl57EKkJfY01ORB4=", "owner": "vic", "repo": "den", - "rev": "88533ec7ac8ddda4a59243387de4b9d24d3932ae", + "rev": "afc9ac0bfda56dc03738126f0733953f34c9dafb", "type": "github" }, "original": { @@ -191,11 +191,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1775029908, - "narHash": "sha256-QuPn+EN/097aBLeSqbQ7vOwc5TSOb68bAxg1+mknfmw=", + "lastModified": 1775115015, + "narHash": "sha256-XO7jmyFupI82Sr1M2tLfsSxslIJwUOjzhFqeffaWyNw=", "owner": "nix-community", "repo": "fenix", - "rev": "380f1969f440e683333af5746caac76811b4a1a8", + "rev": "45f82ed61800d52e27390b70823426045d982c84", "type": "github" }, "original": { 
@@ -302,11 +302,11 @@ ] }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { @@ -323,11 +323,11 @@ ] }, "locked": { - "lastModified": 1772408722, - "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=", + "lastModified": 1775087534, + "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3", + "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b", "type": "github" }, "original": { @@ -441,11 +441,11 @@ ] }, "locked": { - "lastModified": 1774991950, - "narHash": "sha256-kScKj3qJDIWuN9/6PMmgy5esrTUkYinrO5VvILik/zw=", + "lastModified": 1775104157, + "narHash": "sha256-rm/7k0D2J9SP30pyZ2C1HqarDncZDN6KAUI0gzgg4TA=", "owner": "nix-community", "repo": "home-manager", - "rev": "f2d3e04e278422c7379e067e323734f3e8c585a7", + "rev": "41e6e2ab37763c09db4e639033392cf40900440a", "type": "github" }, "original": { @@ -457,11 +457,11 @@ "homebrew-cask": { "flake": false, "locked": { - "lastModified": 1775034103, - "narHash": "sha256-poo46muSZsDLcnN8wY/30YeLAdRCxIwzr2s1Z12aC28=", + "lastModified": 1775119926, + "narHash": "sha256-Gcm2FvwW/+76uNwj1yVzd/jjQuz4IrRoakGRNIqRAYM=", "owner": "homebrew", "repo": "homebrew-cask", - "rev": "0285f9dcb1dfaacde1fb6218ebe92540d9a3762d", + "rev": "8be2ddb2d17641a2bd5d3d309046965064cb01a5", "type": "github" }, "original": { 
@@ -473,11 +473,11 @@ "homebrew-core": { "flake": false, "locked": { - "lastModified": 1775034425, - "narHash": "sha256-nTdPP63yUkmUsx/ksOvfRs6MjXztPh6GEv6FQU5IFGA=", + "lastModified": 1775124084, + "narHash": "sha256-YHoYzOfihnb5w0ghUJBDIzYRwaUggT8xD1Iqf19Arsw=", "owner": "homebrew", "repo": "homebrew-core", - "rev": "da66ad06774537e48644d117e6300ad9c2db25a0", + "rev": "eb90a016c27a16da1e4c85a399244bcbdd9676de", "type": "github" }, "original": { @@ -593,11 +593,11 @@ "treefmt-nix": "treefmt-nix" }, "locked": { - "lastModified": 1775013753, - "narHash": "sha256-uIEYD2rwgV9EFO5x0SQ34Yj50r/4Abj28OibW404eCw=", + "lastModified": 1775100504, + "narHash": "sha256-pPN8RQzB/5wUCwJFac7JC4u3zgtyFrhd76kbvJmosUI=", "owner": "numtide", "repo": "llm-agents.nix", - "rev": "5a192c61b052a7713ea8eb5490a64087a996afa7", + "rev": "39ffaca2934a562d7702b95d01e9792401119dc5", "type": "github" }, "original": { @@ -637,11 +637,11 @@ ] }, "locked": { - "lastModified": 1774915815, - "narHash": "sha256-LocQzkSjVS4G0AKMBiEIVdBKCNTMZXQFjQMWFId4Jpg=", + "lastModified": 1775076062, + "narHash": "sha256-ruqxqJtdmNm/fmjuAdwtSBNcbBeMgE1hwELlUnAFgyU=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "9001416dc5d0ca24c8e4b5a44bfe7cd6fbeb1dd1", + "rev": "215965fbe5b5dbd61bf33c8bda4a20c2b32c3df2", "type": "github" }, "original": { @@ -734,11 +734,11 @@ }, "nixpkgs_4": { "locked": { - "lastModified": 1774855581, - "narHash": "sha256-YkreHeMgTCYvJ5fESV0YyqQK49bHGe2B51tH6claUh4=", + "lastModified": 1775064974, + "narHash": "sha256-fp7+8MzxHrIixIIVvyORI2XpqpQnxf8NodmEHy8rczg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "15c6719d8c604779cf59e03c245ea61d3d7ab69b", + "rev": "6ebfbc38bdc6b22822a6f991f2d922306f33cfbc", "type": "github" }, "original": { 
@@ -750,11 +750,11 @@
 },
 "nixpkgs_5": {
 "locked": {
- "lastModified": 1775036421,
- "narHash": "sha256-kOAGXAqmmCmXpTJ0ZC/v0pUlyTFgwj31hEfJbcf0l70=",
+ "lastModified": 1775124194,
+ "narHash": "sha256-zNjYduf81Z9aCBZJ/FTYInSbGntWVXznlZVMrWkh1jo=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "f16ce1b999cc00aa1222578a740e74b5fbfa0284",
+ "rev": "6bf55cd7deabc6533f9c68732d856e333d1bc580",
 "type": "github"
 },
 "original": {
@@ -868,11 +868,11 @@
 "rust-analyzer-src": {
 "flake": false,
 "locked": {
- "lastModified": 1774948198,
- "narHash": "sha256-oVPo0/3CXM/5uFKu1ZwP7osSV2tiQIFU09Y3UzNbm7g=",
+ "lastModified": 1775045117,
+ "narHash": "sha256-PLZYhcg3HUZ+lUMUV+JbXs9ExOAYpZC0PAtOVHCgYss=",
 "owner": "rust-lang",
 "repo": "rust-analyzer",
- "rev": "63b3eff38ef1c216480147dd53b0e4365d55f269",
+ "rev": "e599ad4fc8861e0401906e4d730f74bfcc530e07",
 "type": "github"
 },
 "original": {
diff --git a/modules/ai-tools.nix b/modules/ai-tools.nix
index 7f03748..419644c 100644
--- a/modules/ai-tools.nix
+++ b/modules/ai-tools.nix
@@ -28,15 +28,94 @@ in {
 model = "anthropic/claude-opus-4-6";
 small_model = "anthropic/claude-haiku-4-5";
 theme = "rosepine";
- plugin = ["opencode-claude-auth"];
+ plugin = [
+ "opencode-claude-auth"
+ ];
 permission = {
+ external_directory = {
+ "*" = "allow";
+ "**/.gnupg/**" = "deny";
+ "**/.ssh/**" = "deny";
+ "~/.config/gh/hosts.yml" = "deny";
+ "~/.config/sops/age/keys.txt" = "deny";
+ "~/.local/share/opencode/mcp-auth.json" = "deny";
+ "/etc/ssh/ssh_host_*" = "deny";
+ "/run/secrets/*" = "deny";
+ };
+ bash = {
+ "*" = "allow";
+ env = "deny";
+ "env *" = "deny";
+ printenv = "deny";
+ "printenv *" = "deny";
+ "export *" = "deny";
+ "gh auth *" = "deny";
+ ssh = "ask";
+ "ssh *" = "ask";
+ mosh = "ask";
+ "mosh *" = "ask";
+ "cat *.env" = "deny";
+ "cat *.env.*" = "deny";
+ "cat **/.env" = "deny";
+ "cat **/.env.*" = "deny";
+ "cat *.envrc" = "deny";
+ "cat **/.envrc" = "deny";
+ "cat .dev.vars" = "deny";
+ "cat **/.dev.vars" = "deny";
+ "cat *.pem" = "deny";
+ "cat *.key" = "deny";
+ "cat **/.gnupg/**" = "deny";
+ "cat **/.ssh/**" = "deny";
+ "cat ~/.config/gh/hosts.yml" = "deny";
+ "cat ~/.config/sops/age/keys.txt" = "deny";
+ "cat ~/.local/share/opencode/mcp-auth.json" = "deny";
+ "cat /etc/ssh/ssh_host_*" = "deny";
+ "cat /run/secrets/*" = "deny";
+ };
+ edit = {
+ "*" = "allow";
+ "**/.gnupg/**" = "deny";
+ "**/.ssh/**" = "deny";
+ "**/secrets/**" = "deny";
+ "secrets/*" = "deny";
+ "~/.config/gh/hosts.yml" = "deny";
+ "~/.config/sops/age/keys.txt" = "deny";
+ "~/.local/share/opencode/mcp-auth.json" = "deny";
+ "/etc/ssh/ssh_host_*" = "deny";
+ "/run/secrets/*" = "deny";
+ };
+ glob = "allow";
+ grep = "allow";
+ list = "allow";
+ lsp = "allow";
+ question = "allow";
 read = {
 "*" = "allow";
 "*.env" = "deny";
 "*.env.*" = "deny";
 "*.envrc" = "deny";
+ "**/.env" = "deny";
+ "**/.env.*" = "deny";
+ "**/.envrc" = "deny";
+ ".dev.vars" = "deny";
+ "**/.dev.vars" = "deny";
+ "**/.gnupg/**" = "deny";
+ "**/.ssh/**" = "deny";
+ "*.key" = "deny";
+ "*.pem" = "deny";
+ "**/secrets/**" = "deny";
 "secrets/*" = "deny";
+ "~/.config/gh/hosts.yml" = "deny";
+ "~/.config/sops/age/keys.txt" = "deny";
+ "~/.local/share/opencode/mcp-auth.json" = "deny";
+ "/etc/ssh/ssh_host_*" = "deny";
+ "/run/secrets/*" = "deny";
 };
+ skill = "allow";
+ task = "allow";
+ webfetch = "allow";
+ websearch = "allow";
+ codesearch = "allow";
 };
 agent = {
 plan = {
@@ -90,10 +169,6 @@ in {
 source = ./_opencode/skill;
 recursive = true;
 };
- "opencode/tool" = {
- source = ./_opencode/tool;
- recursive = true;
- };
 "opencode/plugin" = {
 source = ./_opencode/plugin;
 recursive = true;
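Review bot: The `bash` block's default `"*" = "allow";` makes the secret-file protection only as strong as the literal command patterns beneath it, because those entries match command strings (`cat …`, `env`, …) rather than file paths, so any shell command that reaches the same files through another program is not covered, unlike the path-based `read`, `edit` and `external_directory` rules. Consider `"*" = "ask";` for `bash` (mirroring the `ssh`/`mosh` entries), or at least a comment above the block noting that it is a best-effort pattern list and that the `read` rules are the real boundary. The three path lists also drift: `read` and `edit` deny `**/secrets/**` but `external_directory` does not, and `edit` lacks the `.env`/`.envrc`/`*.key`/`*.pem` entries that `read` carries, so if that is deliberate a one-line comment would save the next reader the comparison. Whether opencode's matcher expands `~` in the `~/.config/...` patterns is not visible here and is worth confirming, since an unexpanded tilde would leave those entries inert. The enclosing settings attribute set (the `in {` context) starts before the hunk.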