flk

2026-04-01 18:58:43 +00:00
parent 80ff1f8b03
commit c907354a4f
2 changed files with 119 additions and 44 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -114,11 +114,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1775023938,
-        "narHash": "sha256-0/aPuEXIIaehfP/t9icDJUTCmAu13dfS+RNKWdMV5P0=",
+        "lastModified": 1775037210,
+        "narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "5176e2f4b45de02f1c90133854634a6c675ef41b",
+        "rev": "06648f4902343228ce2de79f291dd5a58ee12146",
        "type": "github"
      },
      "original": {
@@ -130,11 +130,11 @@
    },
    "den": {
      "locked": {
-        "lastModified": 1775034229,
-        "narHash": "sha256-BZPqamTWnWdKA+tSjt5y57EDYZnSRQYNZWQNFtqn9rw=",
+        "lastModified": 1775107442,
+        "narHash": "sha256-ScuYEFjhoHTNiOJjMJses8fCUy2Jl57EKkJfY01ORB4=",
        "owner": "vic",
        "repo": "den",
-        "rev": "88533ec7ac8ddda4a59243387de4b9d24d3932ae",
+        "rev": "afc9ac0bfda56dc03738126f0733953f34c9dafb",
        "type": "github"
      },
      "original": {
@@ -191,11 +191,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1775029908,
-        "narHash": "sha256-QuPn+EN/097aBLeSqbQ7vOwc5TSOb68bAxg1+mknfmw=",
+        "lastModified": 1775115015,
+        "narHash": "sha256-XO7jmyFupI82Sr1M2tLfsSxslIJwUOjzhFqeffaWyNw=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "380f1969f440e683333af5746caac76811b4a1a8",
+        "rev": "45f82ed61800d52e27390b70823426045d982c84",
        "type": "github"
      },
      "original": {
@@ -302,11 +302,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@@ -323,11 +323,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1772408722,
-        "narHash": "sha256-rHuJtdcOjK7rAHpHphUb1iCvgkU3GpfvicLMwwnfMT0=",
+        "lastModified": 1775087534,
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "f20dc5d9b8027381c474144ecabc9034d6a839a3",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
        "type": "github"
      },
      "original": {
@@ -441,11 +441,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774991950,
-        "narHash": "sha256-kScKj3qJDIWuN9/6PMmgy5esrTUkYinrO5VvILik/zw=",
+        "lastModified": 1775104157,
+        "narHash": "sha256-rm/7k0D2J9SP30pyZ2C1HqarDncZDN6KAUI0gzgg4TA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f2d3e04e278422c7379e067e323734f3e8c585a7",
+        "rev": "41e6e2ab37763c09db4e639033392cf40900440a",
        "type": "github"
      },
      "original": {
@@ -457,11 +457,11 @@
    "homebrew-cask": {
      "flake": false,
      "locked": {
-        "lastModified": 1775034103,
-        "narHash": "sha256-poo46muSZsDLcnN8wY/30YeLAdRCxIwzr2s1Z12aC28=",
+        "lastModified": 1775119926,
+        "narHash": "sha256-Gcm2FvwW/+76uNwj1yVzd/jjQuz4IrRoakGRNIqRAYM=",
        "owner": "homebrew",
        "repo": "homebrew-cask",
-        "rev": "0285f9dcb1dfaacde1fb6218ebe92540d9a3762d",
+        "rev": "8be2ddb2d17641a2bd5d3d309046965064cb01a5",
        "type": "github"
      },
      "original": {
@@ -473,11 +473,11 @@
    "homebrew-core": {
      "flake": false,
      "locked": {
-        "lastModified": 1775034425,
-        "narHash": "sha256-nTdPP63yUkmUsx/ksOvfRs6MjXztPh6GEv6FQU5IFGA=",
+        "lastModified": 1775124084,
+        "narHash": "sha256-YHoYzOfihnb5w0ghUJBDIzYRwaUggT8xD1Iqf19Arsw=",
        "owner": "homebrew",
        "repo": "homebrew-core",
-        "rev": "da66ad06774537e48644d117e6300ad9c2db25a0",
+        "rev": "eb90a016c27a16da1e4c85a399244bcbdd9676de",
        "type": "github"
      },
      "original": {
@@ -593,11 +593,11 @@
        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1775013753,
-        "narHash": "sha256-uIEYD2rwgV9EFO5x0SQ34Yj50r/4Abj28OibW404eCw=",
+        "lastModified": 1775100504,
+        "narHash": "sha256-pPN8RQzB/5wUCwJFac7JC4u3zgtyFrhd76kbvJmosUI=",
        "owner": "numtide",
        "repo": "llm-agents.nix",
-        "rev": "5a192c61b052a7713ea8eb5490a64087a996afa7",
+        "rev": "39ffaca2934a562d7702b95d01e9792401119dc5",
        "type": "github"
      },
      "original": {
@@ -637,11 +637,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1774915815,
-        "narHash": "sha256-LocQzkSjVS4G0AKMBiEIVdBKCNTMZXQFjQMWFId4Jpg=",
+        "lastModified": 1775076062,
+        "narHash": "sha256-ruqxqJtdmNm/fmjuAdwtSBNcbBeMgE1hwELlUnAFgyU=",
        "owner": "nix-community",
        "repo": "neovim-nightly-overlay",
-        "rev": "9001416dc5d0ca24c8e4b5a44bfe7cd6fbeb1dd1",
+        "rev": "215965fbe5b5dbd61bf33c8bda4a20c2b32c3df2",
        "type": "github"
      },
      "original": {
@@ -734,11 +734,11 @@
    },
    "nixpkgs_4": {
      "locked": {
-        "lastModified": 1774855581,
-        "narHash": "sha256-YkreHeMgTCYvJ5fESV0YyqQK49bHGe2B51tH6claUh4=",
+        "lastModified": 1775064974,
+        "narHash": "sha256-fp7+8MzxHrIixIIVvyORI2XpqpQnxf8NodmEHy8rczg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "15c6719d8c604779cf59e03c245ea61d3d7ab69b",
+        "rev": "6ebfbc38bdc6b22822a6f991f2d922306f33cfbc",
        "type": "github"
      },
      "original": {
@@ -750,11 +750,11 @@
    },
    "nixpkgs_5": {
      "locked": {
-        "lastModified": 1775036421,
-        "narHash": "sha256-kOAGXAqmmCmXpTJ0ZC/v0pUlyTFgwj31hEfJbcf0l70=",
+        "lastModified": 1775124194,
+        "narHash": "sha256-zNjYduf81Z9aCBZJ/FTYInSbGntWVXznlZVMrWkh1jo=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "f16ce1b999cc00aa1222578a740e74b5fbfa0284",
+        "rev": "6bf55cd7deabc6533f9c68732d856e333d1bc580",
        "type": "github"
      },
      "original": {
@@ -868,11 +868,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1774948198,
-        "narHash": "sha256-oVPo0/3CXM/5uFKu1ZwP7osSV2tiQIFU09Y3UzNbm7g=",
+        "lastModified": 1775045117,
+        "narHash": "sha256-PLZYhcg3HUZ+lUMUV+JbXs9ExOAYpZC0PAtOVHCgYss=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "63b3eff38ef1c216480147dd53b0e4365d55f269",
+        "rev": "e599ad4fc8861e0401906e4d730f74bfcc530e07",
        "type": "github"
      },
      "original": {
--- a/modules/ai-tools.nix
+++ b/modules/ai-tools.nix
@@ -28,15 +28,94 @@ in {
 				model = "anthropic/claude-opus-4-6";
 				small_model = "anthropic/claude-haiku-4-5";
 				theme = "rosepine";
-				plugin = ["opencode-claude-auth"];
+				plugin = [
+					"opencode-claude-auth"
+				];
 				permission = {
+					external_directory = {
+						"*" = "allow";
+						"**/.gnupg/**" = "deny";
+						"**/.ssh/**" = "deny";
+						"~/.config/gh/hosts.yml" = "deny";
+						"~/.config/sops/age/keys.txt" = "deny";
+						"~/.local/share/opencode/mcp-auth.json" = "deny";
+						"/etc/ssh/ssh_host_*" = "deny";
+						"/run/secrets/*" = "deny";
+					};
+					bash = {
+						"*" = "allow";
+						env = "deny";
+						"env *" = "deny";
+						printenv = "deny";
+						"printenv *" = "deny";
+						"export *" = "deny";
+						"gh auth *" = "deny";
+						ssh = "ask";
+						"ssh *" = "ask";
+						mosh = "ask";
+						"mosh *" = "ask";
+						"cat *.env" = "deny";
+						"cat *.env.*" = "deny";
+						"cat **/.env" = "deny";
+						"cat **/.env.*" = "deny";
+						"cat *.envrc" = "deny";
+						"cat **/.envrc" = "deny";
+						"cat .dev.vars" = "deny";
+						"cat **/.dev.vars" = "deny";
+						"cat *.pem" = "deny";
+						"cat *.key" = "deny";
+						"cat **/.gnupg/**" = "deny";
+						"cat **/.ssh/**" = "deny";
+						"cat ~/.config/gh/hosts.yml" = "deny";
+						"cat ~/.config/sops/age/keys.txt" = "deny";
+						"cat ~/.local/share/opencode/mcp-auth.json" = "deny";
+						"cat /etc/ssh/ssh_host_*" = "deny";
+						"cat /run/secrets/*" = "deny";
+					};
+					edit = {
+						"*" = "allow";
+						"**/.gnupg/**" = "deny";
+						"**/.ssh/**" = "deny";
+						"**/secrets/**" = "deny";
+						"secrets/*" = "deny";
+						"~/.config/gh/hosts.yml" = "deny";
+						"~/.config/sops/age/keys.txt" = "deny";
+						"~/.local/share/opencode/mcp-auth.json" = "deny";
+						"/etc/ssh/ssh_host_*" = "deny";
+						"/run/secrets/*" = "deny";
+					};
+					glob = "allow";
+					grep = "allow";
+					list = "allow";
+					lsp = "allow";
+					question = "allow";
 					read = {
 						"*" = "allow";
 						"*.env" = "deny";
 						"*.env.*" = "deny";
 						"*.envrc" = "deny";
+						"**/.env" = "deny";
+						"**/.env.*" = "deny";
+						"**/.envrc" = "deny";
+						".dev.vars" = "deny";
+						"**/.dev.vars" = "deny";
+						"**/.gnupg/**" = "deny";
+						"**/.ssh/**" = "deny";
+						"*.key" = "deny";
+						"*.pem" = "deny";
+						"**/secrets/**" = "deny";
 						"secrets/*" = "deny";
+						"~/.config/gh/hosts.yml" = "deny";
+						"~/.config/sops/age/keys.txt" = "deny";
+						"~/.local/share/opencode/mcp-auth.json" = "deny";
+						"/etc/ssh/ssh_host_*" = "deny";
+						"/run/secrets/*" = "deny";
 					};
+					skill = "allow";
+					task = "allow";
+					webfetch = "allow";
+					websearch = "allow";
+					codesearch = "allow";
 				};
 				agent = {
 					plan = {
@@ -90,10 +169,6 @@ in {
 				source = ./_opencode/skill;
 				recursive = true;
 			};
-			"opencode/tool" = {
-				source = ./_opencode/tool;
-				recursive = true;
-			};
 			"opencode/plugin" = {
 				source = ./_opencode/plugin;
 				recursive = true;