From 9f4f79a85ec3be80cedad7be0038fa1eddad6009 Mon Sep 17 00:00:00 2001
From: Arpad Krejczinger
Date: Fri, 12 Sep 2025 20:40:36 +0200
Subject: [PATCH] Add development tooling documentation
- AGENTS.md: Documentation for AI agents and development workflows
- opencode.json: OpenCode configuration file for testing alternative AI tools
---
AGENTS.md | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++
opencode.json | 49 +++++++++++++++++++++++++++++++++
2 files changed, 125 insertions(+)
create mode 100644 AGENTS.md
create mode 100644 opencode.json
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 0000000..b2630df
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,76 @@
+# AI Agent Instructions and Restrictions
+
+## CRITICAL SECURITY RESTRICTIONS
+
+### ❌ SUDO COMMAND PROHIBITION
+
+**NEVER, UNDER ANY CIRCUMSTANCES, RUN SUDO COMMANDS**
+
+The AI agent MUST NOT execute any commands that require elevated privileges:
+- ❌ `sudo` commands
+- ❌ `su` commands
+- ❌ Commands that modify system files directly
+- ❌ Commands that require root privileges
+
+### ✅ APPROVED ALTERNATIVES
+
+Instead of running sudo commands, the AI should:
+1. **Create scripts** that the user can run with `sudo -A`
+2. **Document commands** for the user to execute manually
+3. **Explain what needs to be done** and why
+4. **Provide step-by-step instructions** for the user
+
+### EXAMPLES
+
+**❌ WRONG:**
+```bash
+sudo systemctl restart nginx
+sudo chmod 755 /etc/nginx/conf.d/
+```
+
+**✅ CORRECT:**
+```bash
+# Create a script for the user to run
+echo "systemctl restart nginx" > /tmp/restart-nginx.sh
+chmod +x /tmp/restart-nginx.sh
+
+# Then tell the user:
+# "Run: sudo -A /tmp/restart-nginx.sh"
+```
+
+### RATIONALE
+
+- User explicitly denied AI access to sudo
+- Security best practice: AI should not have root privileges
+- User prefers manual control over system changes
+- Prevents accidental system modifications
+
+### VERIFICATION
+
+This restriction has been tested and verified:
+- ✅ AI cannot run sudo commands via bash tool
+- ✅ AI will create scripts instead
+- ✅ User maintains full control over privileged operations
+
+## OTHER OPERATIONAL GUIDELINES
+
+### File Operations
+- ✅ Read files in user directories
+- ✅ Write files in user directories
+- ✅ Create scripts in `/tmp` or user directories
+- ❌ Modify system configuration files directly
+
+### Network Operations
+- ✅ Check network status with unprivileged commands
+- ✅ Test connectivity
+- ❌ Modify firewall rules directly
+- ❌ Bind to privileged ports (< 1024)
+
+### Service Management
+- ❌ Start/stop/restart system services directly
+- ✅ Check service status with unprivileged commands
+- ✅ Create systemd service files for user to deploy
+
+---
+
+**REMEMBER: When in doubt, create a script and let the user run it with sudo.**
\ No newline at end of file
diff --git a/opencode.json b/opencode.json
new file mode 100644
index 0000000..69cdb6e
--- /dev/null
+++ b/opencode.json
@@ -0,0 +1,49 @@
+{
+ "$schema": "https://opencode.ai/config.json",
+ "permission": {
+ "bash": {
+ "git branch -d": "ask",
+ "git branch -D": "ask",
+ "git status": "allow",
+ "git diff": "allow",
+ "git log": "allow",
+ "git show": "allow",
+ "git branch": "allow",
+ "git remote": "allow",
+ "git fetch": "allow",
+ "git pull": "allow",
+ "git merge": "ask",
+ "git rebase": "ask",
+ "git commit": "ask",
+ "git push": "ask",
+ "git checkout": "ask",
+ "git switch": "ask",
+ "git reset": "ask",
+ "git revert": "ask",
+ "git rm": "ask",
+ "git mv": "ask",
+ "git worktree": "ask",
+ "cat": "allow",
+ "tail": "allow",
+ "head": "allow",
+ "less": "allow",
+ "more": "allow",
+ "grep": "allow",
+ "find": "allow",
+ "ls": "allow",
+ "pwd": "allow",
+ "cd": "allow",
+ "mkdir": "ask",
+ "rm": "ask",
+ "rmdir": "ask",
+ "mv": "ask",
+ "cp": "ask",
+ "touch": "ask",
+ "chmod": "ask",
+ "chown": "ask",
+ "su": "deny",
+ "sudo": "deny",
+ "*": "ask"
+ }
+ }
+}
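Review bot: The `"find": "allow"` entry in the `bash` permission map lets an unprompted command run other programs or delete files, since `find` accepts `-exec` and `-delete`; that sidesteps the `ask` set on `rm` and `chmod` a few lines below, so it should be `"find": "ask"`. `"git pull": "allow"` has the same mismatch with `"git merge": "ask"` and `"git rebase": "ask"`, because a pull fetches and then merges or rebases into the working tree; `"git pull": "ask"` would keep them consistent. Both points assume a bare key matches the command with any arguments, which the file does not show, so confirm how OpenCode matches and orders these patterns. The same answer decides whether `"git branch": "allow"` overrides the `git branch -d` and `git branch -D` entries, and whether `"sudo": "deny"` still applies when `sudo` appears inside a chained or piped command line rather than as the first word.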