phfroidmont/nixos-configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

refine opencode config: stricter permissions, better debug defaults

Browse source
This commit is contained in:
Paul-Henri Froidmont 2026-03-25 00:35:00 +01:00
parent 258ff8a600
commit 3416f8a013
Signed by: phfroidmont
GPG key ID: BE948AFD7E7873BE
3 changed files with 60 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

79
modules/ai/opencode.nix
View file

@ -23,6 +23,11 @@ in
settings = { settings = {
model = "minimax_m2_1"; model = "minimax_m2_1";
permission = { permission = {
external_directory = {
"*" = "ask";
"/nix/store/**" = "allow";
};
bash = { bash = {
"*" = "ask"; "*" = "ask";
@ -32,16 +37,30 @@ in
"uname*" = "allow"; "uname*" = "allow";
"date*" = "allow"; "date*" = "allow";
"ls*" = "allow"; "ls*" = "allow";
"stat*" = "allow";
"readlink*" = "allow";
"realpath*" = "allow";
"tree*" = "allow";
"du -sh*" = "allow";
"rg*" = "allow";
"fd*" = "allow";
"find*" = "allow"; "find*" = "allow";
"cat*" = "allow";
"head*" = "allow"; "head*" = "allow";
"wc*" = "allow"; "wc*" = "allow";
"tail*" = "allow"; "tail*" = "allow";
"sort*" = "allow"; "sort*" = "allow";
"uniq*" = "allow";
"cut*" = "allow";
"git status*" = "allow"; "git status*" = "allow";
"git diff*" = "allow"; "git diff*" = "allow";
"git log*" = "allow"; "git log*" = "allow";
"git show*" = "allow";
"git ls-files*" = "allow";
"git blame*" = "allow";
"git branch*" = "allow"; "git branch*" = "allow";
"git tag*" = "allow";
"git rev-parse*" = "allow"; "git rev-parse*" = "allow";
"git remote -v" = "allow"; "git remote -v" = "allow";
@ -49,9 +68,30 @@ in
"npm -v" = "allow"; "npm -v" = "allow";
"python --version" = "allow"; "python --version" = "allow";
"pip --version" = "allow"; "pip --version" = "allow";
"nix --version" = "allow";
"nix path-info*" = "allow";
"nix-store --query*" = "allow";
"nix-store -q*" = "allow";
"nix eval*" = "allow";
"nix search*" = "allow";
"nix flake show*" = "allow";
"git commit*" = "ask";
"git push*" = "ask";
"npm install*" = "ask";
"nixos-rebuild*" = "ask";
"systemctl*" = "ask";
"rm *" = "ask";
}; };
edit = "ask"; edit = {
"*" = "ask";
"/nix/store/**" = "deny";
"/run/current-system/**" = "deny";
"/nix/var/nix/profiles/system/**" = "deny";
"/etc/static/**" = "deny";
};
skill = { skill = {
"*" = "allow"; "*" = "allow";
@ -68,12 +108,6 @@ in
}; };
models = { models = {
glm_4_5_air = {
name = "GLM 4.5 Air (local)";
temperature = true;
default = true;
};
minimax_m2_1 = { minimax_m2_1 = {
name = "MiniMax M2.1 (local)"; name = "MiniMax M2.1 (local)";
temperature = true; temperature = true;
@ -81,31 +115,11 @@ in
}; };
}; };
}; };
openai = {
models = {
"gpt-5.1-codex" = {
options = {
store = false;
# reasoningEffort = "high";
# textVerbosity = "medium";
# reasoningSummary = "auto";
include = [ "reasoning.encrypted_content" ];
};
};
"gpt-5.1-codex-max" = {
options = {
store = false;
include = [ "reasoning.encrypted_content" ];
};
};
};
};
}; };
agent = { agent = {
build = { build = {
mode = "primary"; mode = "primary";
temperature = 0.1; temperature = 0.1;
prompt = "{file:${./prompts/basic-rules.txt}}";
}; };
plan = { plan = {
mode = "primary"; mode = "primary";
@ -113,6 +127,17 @@ in
}; };
debug = { debug = {
disable = false; disable = false;
temperature = 0.15;
steps = 12;
prompt = "{file:${./prompts/debug-rules.txt}}";
permission = {
edit = "deny";
task = {
"*" = "deny";
"explore" = "allow";
"general" = "ask";
};
};
}; };
review = { review = {
disable = false; disable = false;

13
modules/ai/prompts/basic-rules.txt
View file

@ -1,13 +0,0 @@
- No artifacts
- Less code is better than more code
- No fallback mechanisms — they hide real failures
- Rewrite existing components over adding new ones
- Flag obsolete files to keep the codebase lightweight
- Avoid race conditions at all costs
- Take your time to ultrathink when on extended thinking mode — thinking is cheaper than fixing bugs
- Add comments only when necessary — the code should speak for itself
- Always add meaningful logs — but only where it brings value
- Always do production ready code
- Code in a modular way to promote collaboration between agents - Adding features must not break the rest of the system
These rules aim to maintain a clean, modular and maintainable codebase while promoting effective collaboration between different agents and developers. Don't write/change any code until you're very confident (95% or more) in what needs to be done. If unclear, ask for more info.

8
modules/ai/prompts/debug-rules.txt Normal file
View file

@ -0,0 +1,8 @@
- Reproduce first, change nothing until the failure is understood
- Identify exact failing path, inputs, and assumptions
- Collect concrete evidence first (failing command, logs, stack trace)
- Prefer minimal, high-signal checks over broad scans
- State root cause confidence and alternative hypotheses
- Prefer temporary instrumentation over broad refactors
- Propose the smallest safe fix and verification steps
- If confidence <95%, ask for one missing fact