From 3416f8a01324f83aa0dd871c31f56a558daae032 Mon Sep 17 00:00:00 2001
From: Paul-Henri Froidmont
Date: Wed, 25 Mar 2026 00:35:00 +0100
Subject: [PATCH] refine opencode config: stricter permissions, better debug defaults

---
 modules/ai/opencode.nix | 79 ++++++++++++++++++++----------
 modules/ai/prompts/basic-rules.txt | 13 -----
 modules/ai/prompts/debug-rules.txt | 8 +++
 3 files changed, 60 insertions(+), 40 deletions(-)
 delete mode 100644 modules/ai/prompts/basic-rules.txt
 create mode 100644 modules/ai/prompts/debug-rules.txt

diff --git a/modules/ai/opencode.nix b/modules/ai/opencode.nix
index d6d6709..58a917d 100644
--- a/modules/ai/opencode.nix
+++ b/modules/ai/opencode.nix
@@ -23,6 +23,11 @@ in
 settings = {
 model = "minimax_m2_1";
 permission = {
+ external_directory = {
+ "*" = "ask";
+ "/nix/store/**" = "allow";
+ };
+
 bash = {
 "*" = "ask";
@@ -32,16 +37,30 @@ in
 "uname*" = "allow";
 "date*" = "allow";
 "ls*" = "allow";
+ "stat*" = "allow";
+ "readlink*" = "allow";
+ "realpath*" = "allow";
+ "tree*" = "allow";
+ "du -sh*" = "allow";
+ "rg*" = "allow";
+ "fd*" = "allow";
 "find*" = "allow";
+ "cat*" = "allow";
 "head*" = "allow";
 "wc*" = "allow";
 "tail*" = "allow";
 "sort*" = "allow";
+ "uniq*" = "allow";
+ "cut*" = "allow";
 "git status*" = "allow";
 "git diff*" = "allow";
 "git log*" = "allow";
+ "git show*" = "allow";
+ "git ls-files*" = "allow";
+ "git blame*" = "allow";
 "git branch*" = "allow";
+ "git tag*" = "allow";
 "git rev-parse*" = "allow";
 "git remote -v" = "allow";
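Review bot: Several of the new prefix allowances in the `bash` table cover invocations that run other programs or write files, so they widen the `"*" = "ask"` default more than a read-only allowlist suggests: `fd*` also matches `fd --exec`/`-x`, `rg*` also matches `rg --pre <cmd>`, and `sort*` also matches `sort -o <file>`. Unless opencode's matcher stops at the command word (I cannot tell from this file how the glob is applied to the full command line), these three should stay at `ask` or be pinned to their read-only forms the way `"git remote -v"` is pinned exactly. The pre-existing `find*` context line has the same shape (`-exec`, `-delete`) and could be tightened in the same pass. A one-line comment above the table, `# prefix globs match every flag of the tool; keep exec-capable tools (fd, rg, find) out of the allow set`, would record the rule for the next addition.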
@@ -49,9 +68,30 @@ in
 "npm -v" = "allow";
 "python --version" = "allow";
 "pip --version" = "allow";
+ "nix --version" = "allow";
+
+ "nix path-info*" = "allow";
+ "nix-store --query*" = "allow";
+ "nix-store -q*" = "allow";
+ "nix eval*" = "allow";
+ "nix search*" = "allow";
+ "nix flake show*" = "allow";
+
+ "git commit*" = "ask";
+ "git push*" = "ask";
+ "npm install*" = "ask";
+ "nixos-rebuild*" = "ask";
+ "systemctl*" = "ask";
+ "rm *" = "ask";
 };
- edit = "ask";
+ edit = {
+ "*" = "ask";
+ "/nix/store/**" = "deny";
+ "/run/current-system/**" = "deny";
+ "/nix/var/nix/profiles/system/**" = "deny";
+ "/etc/static/**" = "deny";
+ };
 skill = {
 "*" = "allow";
@@ -68,12 +108,6 @@ in
 };
 models = {
- glm_4_5_air = {
- name = "GLM 4.5 Air (local)";
- temperature = true;
- default = true;
- };
-
 minimax_m2_1 = {
 name = "MiniMax M2.1 (local)";
 temperature = true;
@@ -81,31 +115,11 @@ in
 };
 };
 };
- openai = {
- models = {
- "gpt-5.1-codex" = {
- options = {
- store = false;
- # reasoningEffort = "high";
- # textVerbosity = "medium";
- # reasoningSummary = "auto";
- include = [ "reasoning.encrypted_content" ];
- };
- };
- "gpt-5.1-codex-max" = {
- options = {
- store = false;
- include = [ "reasoning.encrypted_content" ];
- };
- };
- };
- };
 };
 agent = {
 build = {
 mode = "primary";
 temperature = 0.1;
- prompt = "{file:${./prompts/basic-rules.txt}}";
 };
 plan = {
 mode = "primary";
@@ -113,6 +127,17 @@ in
 };
 debug = {
 disable = false;
+ temperature = 0.15;
+ steps = 12;
+ prompt = "{file:${./prompts/debug-rules.txt}}";
+ permission = {
+ edit = "deny";
+ task = {
+ "*" = "deny";
+ "explore" = "allow";
+ "general" = "ask";
+ };
+ };
 };
 review = {
 disable = false;
diff --git a/modules/ai/prompts/basic-rules.txt b/modules/ai/prompts/basic-rules.txt
deleted file mode 100644
index 87799ef..0000000
--- a/modules/ai/prompts/basic-rules.txt
+++ /dev/null
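Review bot: `"nix eval*" = "allow"` is the one entry in the new Nix block that is not read-only in practice: `nix eval --expr` accepts arbitrary Nix, and with `--impure` that can include `builtins.readFile`/`builtins.getEnv` and fetchers, so it amounts to file and environment read access that neither the new `edit` deny list nor `external_directory = "ask"` covers. `nix flake show*` can likewise fetch flake inputs over the network while evaluating. Consider leaving both at `ask`, or narrowing `nix eval` to a flake-attribute prefix such as `"nix eval .#*"` if the matcher supports it. The `"git commit*"` through `"rm *"` entries set the same value as the `"*" = "ask"` default; if they are meant as documentation of intent, a comment such as `# explicit for readability; identical to the "*" default` avoids a reader assuming they override some broader allow.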
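Review bot: The new `debug` agent block overrides `edit` and `task` but not `bash`, so it still runs under the global `bash` allowlist, including whatever exec-capable tools are allowed there; if the agent is meant to be read-only, a `bash` entry in this `permission` block (or a comment stating that inheritance is intended) makes that explicit. The accompanying debug-rules.txt asks the agent to "Prefer temporary instrumentation over broad refactors", which implies editing, while `edit = "deny"` forbids it; either the rule or the permission should state the intended workflow, e.g. `# edit denied: instrumentation is proposed in the reply, not applied`. `steps = 12` also deserves a short why-comment, since none of the other agents visible in this diff sets a step cap.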
@@ -1,13 +0,0 @@
-- No artifacts
-- Less code is better than more code
-- No fallback mechanisms — they hide real failures
-- Rewrite existing components over adding new ones
-- Flag obsolete files to keep the codebase lightweight
-- Avoid race conditions at all costs
-- Take your time to ultrathink when on extended thinking mode — thinking is cheaper than fixing bugs
-- Add comments only when necessary — the code should speak for itself
-- Always add meaningful logs — but only where it brings value
-- Always do production ready code
-- Code in a modular way to promote collaboration between agents - Adding features must not break the rest of the system
-
-These rules aim to maintain a clean, modular and maintainable codebase while promoting effective collaboration between different agents and developers. Don't write/change any code until you're very confident (95% or more) in what needs to be done. If unclear, ask for more info.
diff --git a/modules/ai/prompts/debug-rules.txt b/modules/ai/prompts/debug-rules.txt
new file mode 100644
index 0000000..e651bc1
--- /dev/null
+++ b/modules/ai/prompts/debug-rules.txt
@@ -0,0 +1,8 @@
+- Reproduce first, change nothing until the failure is understood
+- Identify exact failing path, inputs, and assumptions
+- Collect concrete evidence first (failing command, logs, stack trace)
+- Prefer minimal, high-signal checks over broad scans
+- State root cause confidence and alternative hypotheses
+- Prefer temporary instrumentation over broad refactors
+- Propose the smallest safe fix and verification steps
+- If confidence <95%, ask for one missing fact