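---
# Fallback policy: per its description, applied when no other policy is active.
id: default-safe
description: >-
  Conservative defaults — confirm destructive operations; deny secrets paths.
  Applied when no other policy is active.

capabilities:
  filesystem:
    # Every path is allowed unless a deny pattern below matches.
    # NOTE(review): assumes deny takes precedence over allow — confirm
    # against the policy engine.
    allow: ["**"]
    deny:
      # NOTE(review): these three patterns carry no "**/" prefix. If the
      # engine anchors globs at the workspace root, a nested .env file or
      # .ssh directory is not denied here (nested .env* files are then only
      # covered by redact below) — confirm the glob semantics.
      - ".env"
      - ".env.*"
      - ".ssh/**"
      # Key and certificate-bundle file extensions, matched at any depth.
      - "**/*.key"
      - "**/*.pem"
      - "**/*.p12"
      - "**/*.pfx"
    # NOTE(review): "**/secrets/**" is redacted but not denied; presumably
    # redact masks content rather than blocking the read — confirm.
    redact:
      - "**/.env*"
      - "**/secrets/**"
  exec:
    allow: true
    # NOTE(review): whether the filesystem deny list also constrains what a
    # confirmed command may read is not visible in this file. If it does not,
    # the confirmation prompt is the only control on a command that touches
    # a denied path — verify.
    confirmRequired: true
  network:
    # No host or protocol restriction is expressed here, so this policy
    # places no limit on where readable data can be sent.
    # NOTE(review): consider an allow-list if the schema supports one.
    allow: true

paths:
  deny:
    # Kept in step with capabilities.filesystem.deny: the *.p12 and *.pfx
    # patterns are listed there and were missing from this list.
    # NOTE(review): how this list relates to capabilities.filesystem.deny is
    # not visible in this file — confirm which one the engine enforces.
    - ".env"
    - ".env.*"
    - ".ssh/**"
    - "**/*.key"
    - "**/*.pem"
    - "**/*.p12"
    - "**/*.pfx"

confirmations:
  # Operation classes that need explicit user confirmation; "exec" here
  # matches capabilities.exec.confirmRequired above.
  requiredFor:
    - destructive
    - exec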