-
Notifications
You must be signed in to change notification settings - Fork 414
Expand file tree
/
Copy pathfilesystem_allow_deny.yaml
More file actions
73 lines (70 loc) · 2.77 KB
/
Copy pathfilesystem_allow_deny.yaml
File metadata and controls
73 lines (70 loc) · 2.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
# Demonstrates allow_list / deny_list for the filesystem tool.
#
# By default the filesystem toolset is unrestricted: relative paths resolve
# from the working directory, but the tools will happily read or write
# absolute paths (or `..` traversals) anywhere the agent process can reach.
# That is fine for local development but a footgun when running an agent on
# someone else's behalf.
#
# Configure `allow_list` to limit operations to a fixed set of roots, and/or
# `deny_list` to carve specific subtrees out. Tokens are expanded as follows:
#
# "." -> the agent's working directory
# "~" -> the user's home directory
# "~/foo" -> $HOME/foo
# "${env.VAR}" -> environment variable (canonical; "$VAR" / "${VAR}" also work)
# absolute -> used as-is
# relative -> joined with the working directory
#
# Symlinks are resolved before the containment check, so a symlink inside an
# allowed root cannot be used to escape it.
#
# Switch agents with `-a <name>` to try each variant.
agents:
# Strict variant: only the working directory and the user's home are
# reachable, and the SSH/AWS credential directories are explicitly off-limits
# even though they live under the home directory.
root:
model: anthropic/claude-sonnet-4-5
description: A filesystem agent restricted to its working directory and home folder.
instruction: |
You may read and write files under the current working directory and
under the user's home directory, except for the credentials folders
(~/.ssh, ~/.aws). If asked to touch a path outside that scope, refuse
and explain why.
toolsets:
- type: filesystem
allow_list:
- "."
- "~"
deny_list:
- "~/.ssh"
- "~/.aws"
- "~/.docker"
# Workspace-only variant: the agent can only see its own working tree.
workspace_only:
model: anthropic/claude-sonnet-4-5
description: A filesystem agent that cannot leave its working directory.
instruction: |
You may only read and write files inside the current working directory.
Refuse any request that would require touching files elsewhere on the
filesystem.
toolsets:
- type: filesystem
allow_list:
- "."
# Deny-only variant: keeps the default permissive behaviour but explicitly
# forbids a few sensitive directories.
guarded:
model: anthropic/claude-sonnet-4-5
description: A filesystem agent with a small set of off-limits directories.
instruction: |
You have broad filesystem access, but a few directories are off-limits.
If a request is rejected, do not retry and explain the situation to the
user.
toolsets:
- type: filesystem
deny_list:
- "~/.ssh"
- "~/.aws"
- "/etc"