Add development tooling documentation

- AGENTS.md: Documentation for AI agents and development workflows - opencode.json: OpenCode configuration file for testing alternative AI tools
2025-09-12 20:40:36 +02:00
parent 06f837f4a1
commit 9f4f79a85e
2 changed files with 125 additions and 0 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,76 @@
+# AI Agent Instructions and Restrictions
+
+## CRITICAL SECURITY RESTRICTIONS
+
+### ❌ SUDO COMMAND PROHIBITION
+
+**NEVER, UNDER ANY CIRCUMSTANCES, RUN SUDO COMMANDS**
+
+The AI agent MUST NOT execute any commands that require elevated privileges:
+- ❌ `sudo` commands
+- ❌ `su` commands  
+- ❌ Commands that modify system files directly
+- ❌ Commands that require root privileges
+
+### ✅ APPROVED ALTERNATIVES
+
+Instead of running sudo commands, the AI should:
+1. **Create scripts** that the user can run with `sudo -A`
+2. **Document commands** for the user to execute manually
+3. **Explain what needs to be done** and why
+4. **Provide step-by-step instructions** for the user
+
+### EXAMPLES
+
+**❌ WRONG:**
+```bash
+sudo systemctl restart nginx
+sudo chmod 755 /etc/nginx/conf.d/
+```
+
+**✅ CORRECT:**
+```bash
+# Create a script for the user to run
+echo "systemctl restart nginx" > /tmp/restart-nginx.sh
+chmod +x /tmp/restart-nginx.sh
+
+# Then tell the user:
+# "Run: sudo -A /tmp/restart-nginx.sh"
+```
+
+### RATIONALE
+
+- User explicitly denied AI access to sudo
+- Security best practice: AI should not have root privileges
+- User prefers manual control over system changes
+- Prevents accidental system modifications
+
+### VERIFICATION
+
+This restriction has been tested and verified:
+- ✅ AI cannot run sudo commands via bash tool
+- ✅ AI will create scripts instead
+- ✅ User maintains full control over privileged operations
+
+## OTHER OPERATIONAL GUIDELINES
+
+### File Operations
+- ✅ Read files in user directories
+- ✅ Write files in user directories  
+- ✅ Create scripts in `/tmp` or user directories
+- ❌ Modify system configuration files directly
+
+### Network Operations
+- ✅ Check network status with unprivileged commands
+- ✅ Test connectivity
+- ❌ Modify firewall rules directly
+- ❌ Bind to privileged ports (< 1024)
+
+### Service Management
+- ❌ Start/stop/restart system services directly
+- ✅ Check service status with unprivileged commands
+- ✅ Create systemd service files for user to deploy
+
+---
+
+**REMEMBER: When in doubt, create a script and let the user run it with sudo.**
--- a/opencode.json
+++ b/opencode.json
@@ -0,0 +1,49 @@
+{
+  "$schema": "https://opencode.ai/config.json",
+  "permission": {
+    "bash": {
+      "git branch -d": "ask",
+      "git branch -D": "ask",
+      "git status": "allow",
+      "git diff": "allow",
+      "git log": "allow",
+      "git show": "allow",
+      "git branch": "allow",
+      "git remote": "allow",
+      "git fetch": "allow",
+      "git pull": "allow",
+      "git merge": "ask",
+      "git rebase": "ask",
+      "git commit": "ask",
+      "git push": "ask",
+      "git checkout": "ask",
+      "git switch": "ask",
+      "git reset": "ask",
+      "git revert": "ask",
+      "git rm": "ask",
+      "git mv": "ask",
+      "git worktree": "ask",
+      "cat": "allow",
+      "tail": "allow",
+      "head": "allow",
+      "less": "allow",
+      "more": "allow",
+      "grep": "allow",
+      "find": "allow",
+      "ls": "allow",
+      "pwd": "allow",
+      "cd": "allow",
+      "mkdir": "ask",
+      "rm": "ask",
+      "rmdir": "ask",
+      "mv": "ask",
+      "cp": "ask",
+      "touch": "ask",
+      "chmod": "ask",
+      "chown": "ask",
+      "su": "deny",
+      "sudo": "deny",
+      "*": "ask"
+    }
+  }
+}