@artale/pi-pai 4.3.0
- package/.github/workflows/ci.yml +51 -0
- package/AGENTS.md.pai +32 -0
- package/LICENSE +21 -0
- package/README.md +139 -0
- package/SYSTEM.md.pai +120 -0
- package/damage-control-rules.yaml +611 -0
- package/models.json.pai +43 -0
- package/package.json +65 -0
- package/skills/agents/SKILL.md +36 -0
- package/skills/content-analysis/SKILL.md +44 -0
- package/skills/investigation/SKILL.md +25 -0
- package/skills/media/SKILL.md +28 -0
- package/skills/research/SKILL.md +51 -0
- package/skills/scraping/SKILL.md +24 -0
- package/skills/security/SKILL.md +49 -0
- package/skills/telos/SKILL.md +37 -0
- package/skills/thinking/SKILL.md +52 -0
- package/src/extension.ts +1136 -0
- package/templates.json +68 -0
- package/tsconfig.json +18 -0
|
@@ -0,0 +1,611 @@
|
|
|
1
|
+
# Claude Code Security Patterns
|
|
2
|
+
# =============================
|
|
3
|
+
# Add patterns here to block dangerous commands.
|
|
4
|
+
# Each script (py, sh, ts) loads this file.
|
|
5
|
+
|
|
6
|
+
# These patterns are matched against Bash tool commands only
|
|
7
|
+
bashToolPatterns:
|
|
8
|
+
# ---------------------------------------------------------------------------
|
|
9
|
+
# DESTRUCTIVE FILE OPERATIONS
|
|
10
|
+
# ---------------------------------------------------------------------------
|
|
11
|
+
- pattern: '\brm\s+(-[^\s]*)*-[rRf]'
|
|
12
|
+
reason: rm with recursive or force flags
|
|
13
|
+
|
|
14
|
+
- pattern: '\brm\s+-[rRf]'
|
|
15
|
+
reason: rm with recursive or force flags
|
|
16
|
+
|
|
17
|
+
- pattern: '\brm\s+--recursive'
|
|
18
|
+
reason: rm with --recursive flag
|
|
19
|
+
|
|
20
|
+
- pattern: '\brm\s+--force'
|
|
21
|
+
reason: rm with --force flag
|
|
22
|
+
|
|
23
|
+
- pattern: '\bsudo\s+rm\b'
|
|
24
|
+
reason: sudo rm
|
|
25
|
+
|
|
26
|
+
- pattern: '\brmdir\s+--ignore-fail-on-non-empty'
|
|
27
|
+
reason: rmdir ignore-fail
|
|
28
|
+
|
|
29
|
+
# ---------------------------------------------------------------------------
|
|
30
|
+
# PERMISSION CHANGES
|
|
31
|
+
# ---------------------------------------------------------------------------
|
|
32
|
+
- pattern: '\bchmod\s+(-[^\s]+\s+)*777\b'
|
|
33
|
+
reason: chmod 777 (world writable)
|
|
34
|
+
|
|
35
|
+
- pattern: '\bchmod\s+-[Rr].*777'
|
|
36
|
+
reason: recursive chmod 777
|
|
37
|
+
|
|
38
|
+
- pattern: '\bchown\s+-[Rr].*\broot\b'
|
|
39
|
+
reason: recursive chown to root
|
|
40
|
+
|
|
41
|
+
# ---------------------------------------------------------------------------
|
|
42
|
+
# GIT DESTRUCTIVE OPERATIONS
|
|
43
|
+
# ---------------------------------------------------------------------------
|
|
44
|
+
- pattern: '\bgit\s+reset\s+--hard\b'
|
|
45
|
+
reason: git reset --hard (use --soft or stash)
|
|
46
|
+
|
|
47
|
+
- pattern: '\bgit\s+clean\s+(-[^\s]*)*-[fd]'
|
|
48
|
+
reason: git clean with force/directory flags
|
|
49
|
+
|
|
50
|
+
# Note: This blocks --force but NOT --force-with-lease
|
|
51
|
+
- pattern: '\bgit\s+push\s+.*--force(?!-with-lease)'
|
|
52
|
+
reason: git push --force (use --force-with-lease)
|
|
53
|
+
|
|
54
|
+
- pattern: '\bgit\s+push\s+(-[^\s]*)*-f\b'
|
|
55
|
+
reason: git push -f (use --force-with-lease)
|
|
56
|
+
|
|
57
|
+
- pattern: '\bgit\s+stash\s+clear\b'
|
|
58
|
+
reason: git stash clear (deletes ALL stashes)
|
|
59
|
+
|
|
60
|
+
- pattern: '\bgit\s+reflog\s+expire\b'
|
|
61
|
+
reason: git reflog expire (destroys recovery mechanism)
|
|
62
|
+
|
|
63
|
+
- pattern: '\bgit\s+gc\s+.*--prune=now'
|
|
64
|
+
reason: git gc --prune=now (can lose dangling commits)
|
|
65
|
+
|
|
66
|
+
- pattern: '\bgit\s+filter-branch\b'
|
|
67
|
+
reason: git filter-branch (rewrites entire history)
|
|
68
|
+
|
|
69
|
+
# ---------------------------------------------------------------------------
|
|
70
|
+
# GIT OPERATIONS REQUIRING CONFIRMATION (ask: true)
|
|
71
|
+
# ---------------------------------------------------------------------------
|
|
72
|
+
- pattern: '\bgit\s+checkout\s+--\s*\.'
|
|
73
|
+
reason: Discards all uncommitted changes
|
|
74
|
+
ask: true
|
|
75
|
+
|
|
76
|
+
- pattern: '\bgit\s+restore\s+\.'
|
|
77
|
+
reason: Discards all uncommitted changes
|
|
78
|
+
ask: true
|
|
79
|
+
|
|
80
|
+
- pattern: '\bgit\s+stash\s+drop\b'
|
|
81
|
+
reason: Permanently deletes a stash
|
|
82
|
+
ask: true
|
|
83
|
+
|
|
84
|
+
- pattern: '\bgit\s+branch\s+(-[^\s]*)*-D'
|
|
85
|
+
reason: Force deletes branch (even if unmerged)
|
|
86
|
+
ask: true
|
|
87
|
+
|
|
88
|
+
- pattern: '\bgit\s+push\s+\S+\s+--delete\b'
|
|
89
|
+
reason: Deletes remote branch
|
|
90
|
+
ask: true
|
|
91
|
+
|
|
92
|
+
- pattern: '\bgit\s+push\s+\S+\s+:\S+'
|
|
93
|
+
reason: Deletes remote branch (old syntax)
|
|
94
|
+
ask: true
|
|
95
|
+
|
|
96
|
+
# ---------------------------------------------------------------------------
|
|
97
|
+
# SYSTEM-LEVEL DESTRUCTION
|
|
98
|
+
# ---------------------------------------------------------------------------
|
|
99
|
+
- pattern: '\bmkfs\.'
|
|
100
|
+
reason: filesystem format command
|
|
101
|
+
|
|
102
|
+
- pattern: '\bdd\s+.*of=/dev/'
|
|
103
|
+
reason: dd writing to device
|
|
104
|
+
|
|
105
|
+
# ---------------------------------------------------------------------------
|
|
106
|
+
# PROCESS DESTRUCTION
|
|
107
|
+
# ---------------------------------------------------------------------------
|
|
108
|
+
- pattern: '\bkill\s+-9\s+-1\b'
|
|
109
|
+
reason: kill all processes
|
|
110
|
+
|
|
111
|
+
- pattern: '\bkillall\s+-9\b'
|
|
112
|
+
reason: killall -9
|
|
113
|
+
|
|
114
|
+
- pattern: '\bpkill\s+-9\b'
|
|
115
|
+
reason: pkill -9
|
|
116
|
+
|
|
117
|
+
# ---------------------------------------------------------------------------
|
|
118
|
+
# HISTORY/SHELL MANIPULATION
|
|
119
|
+
# ---------------------------------------------------------------------------
|
|
120
|
+
- pattern: '\bhistory\s+-c\b'
|
|
121
|
+
reason: clearing shell history
|
|
122
|
+
|
|
123
|
+
# ---------------------------------------------------------------------------
|
|
124
|
+
# AWS CLI DESTRUCTIVE OPERATIONS
|
|
125
|
+
# ---------------------------------------------------------------------------
|
|
126
|
+
- pattern: '\baws\s+s3\s+rm\s+.*--recursive'
|
|
127
|
+
reason: aws s3 rm --recursive (deletes all objects)
|
|
128
|
+
|
|
129
|
+
- pattern: '\baws\s+s3\s+rb\s+.*--force'
|
|
130
|
+
reason: aws s3 rb --force (force removes bucket)
|
|
131
|
+
|
|
132
|
+
- pattern: '\baws\s+ec2\s+terminate-instances\b'
|
|
133
|
+
reason: aws ec2 terminate-instances
|
|
134
|
+
|
|
135
|
+
- pattern: '\baws\s+rds\s+delete-db-instance\b'
|
|
136
|
+
reason: aws rds delete-db-instance
|
|
137
|
+
|
|
138
|
+
- pattern: '\baws\s+cloudformation\s+delete-stack\b'
|
|
139
|
+
reason: aws cloudformation delete-stack (deletes infrastructure)
|
|
140
|
+
|
|
141
|
+
- pattern: '\baws\s+dynamodb\s+delete-table\b'
|
|
142
|
+
reason: aws dynamodb delete-table
|
|
143
|
+
|
|
144
|
+
- pattern: '\baws\s+eks\s+delete-cluster\b'
|
|
145
|
+
reason: aws eks delete-cluster
|
|
146
|
+
|
|
147
|
+
- pattern: '\baws\s+lambda\s+delete-function\b'
|
|
148
|
+
reason: aws lambda delete-function
|
|
149
|
+
|
|
150
|
+
- pattern: '\baws\s+iam\s+delete-role\b'
|
|
151
|
+
reason: aws iam delete-role
|
|
152
|
+
|
|
153
|
+
- pattern: '\baws\s+iam\s+delete-user\b'
|
|
154
|
+
reason: aws iam delete-user
|
|
155
|
+
|
|
156
|
+
# ---------------------------------------------------------------------------
|
|
157
|
+
# GCP (gcloud) DESTRUCTIVE OPERATIONS
|
|
158
|
+
# ---------------------------------------------------------------------------
|
|
159
|
+
- pattern: '\bgcloud\s+projects\s+delete\b'
|
|
160
|
+
reason: gcloud projects delete (DELETES ENTIRE PROJECT)
|
|
161
|
+
|
|
162
|
+
- pattern: '\bgcloud\s+compute\s+instances\s+delete\b'
|
|
163
|
+
reason: gcloud compute instances delete
|
|
164
|
+
|
|
165
|
+
- pattern: '\bgcloud\s+sql\s+instances\s+delete\b'
|
|
166
|
+
reason: gcloud sql instances delete
|
|
167
|
+
|
|
168
|
+
- pattern: '\bgcloud\s+container\s+clusters\s+delete\b'
|
|
169
|
+
reason: gcloud container clusters delete (GKE)
|
|
170
|
+
|
|
171
|
+
- pattern: '\bgcloud\s+storage\s+rm\s+.*-r'
|
|
172
|
+
reason: gcloud storage rm -r (recursive delete)
|
|
173
|
+
|
|
174
|
+
- pattern: '\bgcloud\s+functions\s+delete\b'
|
|
175
|
+
reason: gcloud functions delete
|
|
176
|
+
|
|
177
|
+
- pattern: '\bgcloud\s+iam\s+service-accounts\s+delete\b'
|
|
178
|
+
reason: gcloud iam service-accounts delete
|
|
179
|
+
|
|
180
|
+
# ---------------------------------------------------------------------------
|
|
181
|
+
# FIREBASE DESTRUCTIVE OPERATIONS
|
|
182
|
+
# ---------------------------------------------------------------------------
|
|
183
|
+
- pattern: '\bfirebase\s+projects:delete\b'
|
|
184
|
+
reason: firebase projects:delete (deletes entire project)
|
|
185
|
+
|
|
186
|
+
- pattern: '\bfirebase\s+firestore:delete\s+.*--all-collections'
|
|
187
|
+
reason: firebase firestore:delete --all-collections (wipes all data)
|
|
188
|
+
|
|
189
|
+
- pattern: '\bfirebase\s+database:remove\b'
|
|
190
|
+
reason: firebase database:remove (wipes Realtime DB)
|
|
191
|
+
|
|
192
|
+
- pattern: '\bfirebase\s+hosting:disable\b'
|
|
193
|
+
reason: firebase hosting:disable
|
|
194
|
+
|
|
195
|
+
- pattern: '\bfirebase\s+functions:delete\b'
|
|
196
|
+
reason: firebase functions:delete
|
|
197
|
+
|
|
198
|
+
# ---------------------------------------------------------------------------
|
|
199
|
+
# VERCEL DESTRUCTIVE OPERATIONS
|
|
200
|
+
# ---------------------------------------------------------------------------
|
|
201
|
+
- pattern: '\bvercel\s+remove\s+.*--yes'
|
|
202
|
+
reason: vercel remove --yes (removes deployment)
|
|
203
|
+
|
|
204
|
+
- pattern: '\bvercel\s+projects\s+rm\b'
|
|
205
|
+
reason: vercel projects rm (deletes project)
|
|
206
|
+
|
|
207
|
+
- pattern: '\bvercel\s+env\s+rm\s+.*--yes'
|
|
208
|
+
reason: vercel env rm --yes (removes env variables)
|
|
209
|
+
|
|
210
|
+
# ---------------------------------------------------------------------------
|
|
211
|
+
# NETLIFY DESTRUCTIVE OPERATIONS
|
|
212
|
+
# ---------------------------------------------------------------------------
|
|
213
|
+
- pattern: '\bnetlify\s+sites:delete\b'
|
|
214
|
+
reason: netlify sites:delete (deletes entire site)
|
|
215
|
+
|
|
216
|
+
- pattern: '\bnetlify\s+functions:delete\b'
|
|
217
|
+
reason: netlify functions:delete
|
|
218
|
+
|
|
219
|
+
# ---------------------------------------------------------------------------
|
|
220
|
+
# CLOUDFLARE (wrangler) DESTRUCTIVE OPERATIONS
|
|
221
|
+
# ---------------------------------------------------------------------------
|
|
222
|
+
- pattern: '\bwrangler\s+delete\b'
|
|
223
|
+
reason: wrangler delete (deletes Worker)
|
|
224
|
+
|
|
225
|
+
- pattern: '\bwrangler\s+r2\s+bucket\s+delete\b'
|
|
226
|
+
reason: wrangler r2 bucket delete
|
|
227
|
+
|
|
228
|
+
- pattern: '\bwrangler\s+kv:namespace\s+delete\b'
|
|
229
|
+
reason: wrangler kv:namespace delete
|
|
230
|
+
|
|
231
|
+
- pattern: '\bwrangler\s+d1\s+delete\b'
|
|
232
|
+
reason: wrangler d1 delete (deletes database)
|
|
233
|
+
|
|
234
|
+
- pattern: '\bwrangler\s+queues\s+delete\b'
|
|
235
|
+
reason: wrangler queues delete
|
|
236
|
+
|
|
237
|
+
# ---------------------------------------------------------------------------
|
|
238
|
+
# DOCKER DESTRUCTIVE OPERATIONS
|
|
239
|
+
# ---------------------------------------------------------------------------
|
|
240
|
+
- pattern: '\bdocker\s+system\s+prune\s+.*-a'
|
|
241
|
+
reason: docker system prune -a (removes all unused data)
|
|
242
|
+
|
|
243
|
+
- pattern: '\bdocker\s+rm\s+.*-f.*\$\(docker\s+ps'
|
|
244
|
+
reason: docker rm -f $(docker ps) (force removes containers)
|
|
245
|
+
|
|
246
|
+
- pattern: '\bdocker\s+rmi\s+.*-f'
|
|
247
|
+
reason: docker rmi -f (force removes images)
|
|
248
|
+
|
|
249
|
+
- pattern: '\bdocker\s+volume\s+rm\b'
|
|
250
|
+
reason: docker volume rm (data loss)
|
|
251
|
+
|
|
252
|
+
- pattern: '\bdocker\s+volume\s+prune\b'
|
|
253
|
+
reason: docker volume prune (removes unused volumes)
|
|
254
|
+
|
|
255
|
+
# ---------------------------------------------------------------------------
|
|
256
|
+
# KUBERNETES (kubectl) DESTRUCTIVE OPERATIONS
|
|
257
|
+
# ---------------------------------------------------------------------------
|
|
258
|
+
- pattern: '\bkubectl\s+delete\s+namespace\b'
|
|
259
|
+
reason: kubectl delete namespace
|
|
260
|
+
|
|
261
|
+
- pattern: '\bkubectl\s+delete\s+all\s+--all'
|
|
262
|
+
reason: kubectl delete all --all
|
|
263
|
+
|
|
264
|
+
- pattern: '\bkubectl\s+delete\s+.*--all\s+--all-namespaces'
|
|
265
|
+
reason: kubectl delete across all namespaces
|
|
266
|
+
|
|
267
|
+
- pattern: '\bhelm\s+uninstall\b'
|
|
268
|
+
reason: helm uninstall (removes release)
|
|
269
|
+
|
|
270
|
+
# ---------------------------------------------------------------------------
|
|
271
|
+
# DATABASE CLI DESTRUCTIVE OPERATIONS
|
|
272
|
+
# ---------------------------------------------------------------------------
|
|
273
|
+
- pattern: '\bredis-cli\s+FLUSHALL'
|
|
274
|
+
reason: redis-cli FLUSHALL (wipes ALL data)
|
|
275
|
+
|
|
276
|
+
- pattern: '\bredis-cli\s+FLUSHDB'
|
|
277
|
+
reason: redis-cli FLUSHDB (wipes database)
|
|
278
|
+
|
|
279
|
+
- pattern: '\bmongosh.*dropDatabase'
|
|
280
|
+
reason: MongoDB dropDatabase
|
|
281
|
+
|
|
282
|
+
- pattern: '\bmongo.*dropDatabase'
|
|
283
|
+
reason: MongoDB dropDatabase
|
|
284
|
+
|
|
285
|
+
- pattern: '\bdropdb\b'
|
|
286
|
+
reason: PostgreSQL dropdb
|
|
287
|
+
|
|
288
|
+
- pattern: '\bmysqladmin\s+drop\b'
|
|
289
|
+
reason: MySQL drop database
|
|
290
|
+
|
|
291
|
+
# ---------------------------------------------------------------------------
|
|
292
|
+
# INFRASTRUCTURE AS CODE DESTRUCTIVE OPERATIONS
|
|
293
|
+
# ---------------------------------------------------------------------------
|
|
294
|
+
- pattern: '\bterraform\s+destroy\b'
|
|
295
|
+
reason: terraform destroy (destroys all infrastructure)
|
|
296
|
+
|
|
297
|
+
- pattern: '\bpulumi\s+destroy\b'
|
|
298
|
+
reason: pulumi destroy (destroys all resources)
|
|
299
|
+
|
|
300
|
+
- pattern: '\bserverless\s+remove\b'
|
|
301
|
+
reason: serverless remove (removes stack)
|
|
302
|
+
|
|
303
|
+
- pattern: '\bsls\s+remove\b'
|
|
304
|
+
reason: sls remove (removes stack)
|
|
305
|
+
|
|
306
|
+
- pattern: '\bsam\s+delete\b'
|
|
307
|
+
reason: sam delete (deletes SAM application)
|
|
308
|
+
|
|
309
|
+
# ---------------------------------------------------------------------------
|
|
310
|
+
# HEROKU DESTRUCTIVE OPERATIONS
|
|
311
|
+
# ---------------------------------------------------------------------------
|
|
312
|
+
- pattern: '\bheroku\s+apps:destroy\b'
|
|
313
|
+
reason: heroku apps:destroy
|
|
314
|
+
|
|
315
|
+
- pattern: '\bheroku\s+pg:reset\b'
|
|
316
|
+
reason: heroku pg:reset (resets database)
|
|
317
|
+
|
|
318
|
+
# ---------------------------------------------------------------------------
|
|
319
|
+
# OTHER CLOUD PLATFORMS DESTRUCTIVE OPERATIONS
|
|
320
|
+
# ---------------------------------------------------------------------------
|
|
321
|
+
- pattern: '\bfly\s+apps\s+destroy\b'
|
|
322
|
+
reason: fly apps destroy (Fly.io)
|
|
323
|
+
|
|
324
|
+
- pattern: '\bfly\s+destroy\b'
|
|
325
|
+
reason: fly destroy (Fly.io)
|
|
326
|
+
|
|
327
|
+
- pattern: '\bdoctl\s+compute\s+droplet\s+delete\b'
|
|
328
|
+
reason: doctl droplet delete (DigitalOcean)
|
|
329
|
+
|
|
330
|
+
- pattern: '\bdoctl\s+databases\s+delete\b'
|
|
331
|
+
reason: doctl databases delete (DigitalOcean)
|
|
332
|
+
|
|
333
|
+
- pattern: '\bsupabase\s+db\s+reset\b'
|
|
334
|
+
reason: supabase db reset
|
|
335
|
+
|
|
336
|
+
# ---------------------------------------------------------------------------
|
|
337
|
+
# GITHUB CLI DESTRUCTIVE OPERATIONS
|
|
338
|
+
# ---------------------------------------------------------------------------
|
|
339
|
+
- pattern: '\bgh\s+repo\s+delete\b'
|
|
340
|
+
reason: gh repo delete (deletes repository)
|
|
341
|
+
|
|
342
|
+
# ---------------------------------------------------------------------------
|
|
343
|
+
# PACKAGE REGISTRY DESTRUCTIVE OPERATIONS
|
|
344
|
+
# ---------------------------------------------------------------------------
|
|
345
|
+
- pattern: '\bnpm\s+unpublish\b'
|
|
346
|
+
reason: npm unpublish (removes package from registry)
|
|
347
|
+
|
|
348
|
+
# ---------------------------------------------------------------------------
|
|
349
|
+
# SQL DESTRUCTIVE OPERATIONS (catastrophic - no WHERE clause)
|
|
350
|
+
# ---------------------------------------------------------------------------
|
|
351
|
+
- pattern: 'DELETE\s+FROM\s+\w+\s*;'
|
|
352
|
+
reason: DELETE without WHERE clause (will delete ALL rows)
|
|
353
|
+
|
|
354
|
+
- pattern: 'DELETE\s+FROM\s+\w+\s*$'
|
|
355
|
+
reason: DELETE without WHERE clause (will delete ALL rows)
|
|
356
|
+
|
|
357
|
+
- pattern: 'DELETE\s+\*\s+FROM'
|
|
358
|
+
reason: DELETE * (will delete ALL rows)
|
|
359
|
+
|
|
360
|
+
- pattern: '\bTRUNCATE\s+TABLE\b'
|
|
361
|
+
reason: TRUNCATE TABLE (will delete ALL rows)
|
|
362
|
+
|
|
363
|
+
- pattern: '\bDROP\s+TABLE\b'
|
|
364
|
+
reason: DROP TABLE
|
|
365
|
+
|
|
366
|
+
- pattern: '\bDROP\s+DATABASE\b'
|
|
367
|
+
reason: DROP DATABASE
|
|
368
|
+
|
|
369
|
+
# ---------------------------------------------------------------------------
|
|
370
|
+
# SQL OPERATIONS REQUIRING CONFIRMATION (ask: true)
|
|
371
|
+
# ---------------------------------------------------------------------------
|
|
372
|
+
- pattern: '\bDELETE\s+FROM\s+\w+\s+WHERE\b.*\bid\s*='
|
|
373
|
+
reason: SQL DELETE with specific ID
|
|
374
|
+
ask: true
|
|
375
|
+
|
|
376
|
+
# ---------------------------------------------------------------------------
|
|
377
|
+
# ZERO ACCESS PATHS - No read, write, or any access allowed
|
|
378
|
+
# ---------------------------------------------------------------------------
|
|
379
|
+
# These contain secrets/credentials - block ALL operations including reads
|
|
380
|
+
# Enforced by: Bash, Edit, Write tools
|
|
381
|
+
# Supports glob patterns: *.pem, .env*, *-credentials.json
|
|
382
|
+
zeroAccessPaths:
|
|
383
|
+
# ---------------------------------------------------------------------------
|
|
384
|
+
# ENVIRONMENT FILES (HIGH RISK - contain secrets)
|
|
385
|
+
# Uses path-separator prefix to avoid false positives on substrings
|
|
386
|
+
# like "process.env", "pi-envman", "@artale/pi-env"
|
|
387
|
+
# ---------------------------------------------------------------------------
|
|
388
|
+
- "/.env"
|
|
389
|
+
- "/.env."
|
|
390
|
+
- "/.env.local"
|
|
391
|
+
|
|
392
|
+
# ---------------------------------------------------------------------------
|
|
393
|
+
# SSH KEYS AND CONFIG
|
|
394
|
+
# ---------------------------------------------------------------------------
|
|
395
|
+
- "~/.ssh/"
|
|
396
|
+
|
|
397
|
+
# ---------------------------------------------------------------------------
|
|
398
|
+
# GPG KEYS
|
|
399
|
+
# ---------------------------------------------------------------------------
|
|
400
|
+
- "~/.gnupg/"
|
|
401
|
+
|
|
402
|
+
# ---------------------------------------------------------------------------
|
|
403
|
+
# CLOUD PROVIDER CREDENTIALS
|
|
404
|
+
# ---------------------------------------------------------------------------
|
|
405
|
+
# AWS
|
|
406
|
+
- "~/.aws/"
|
|
407
|
+
|
|
408
|
+
# GCP
|
|
409
|
+
- "~/.config/gcloud/"
|
|
410
|
+
- "*-credentials.json"
|
|
411
|
+
- "*serviceAccount*.json"
|
|
412
|
+
- "*service-account*.json"
|
|
413
|
+
|
|
414
|
+
# Azure
|
|
415
|
+
- "~/.azure/"
|
|
416
|
+
|
|
417
|
+
# Kubernetes
|
|
418
|
+
- "~/.kube/"
|
|
419
|
+
- "kubeconfig"
|
|
420
|
+
- "*-secret.yaml"
|
|
421
|
+
- "secrets.yaml"
|
|
422
|
+
|
|
423
|
+
# Docker
|
|
424
|
+
- "~/.docker/"
|
|
425
|
+
|
|
426
|
+
# ---------------------------------------------------------------------------
|
|
427
|
+
# SSL/TLS CERTIFICATES AND PRIVATE KEYS
|
|
428
|
+
# ---------------------------------------------------------------------------
|
|
429
|
+
- "*.pem"
|
|
430
|
+
- "*.key"
|
|
431
|
+
- "*.p12"
|
|
432
|
+
- "*.pfx"
|
|
433
|
+
|
|
434
|
+
# ---------------------------------------------------------------------------
|
|
435
|
+
# TERRAFORM STATE (contains secrets in plaintext!)
|
|
436
|
+
# ---------------------------------------------------------------------------
|
|
437
|
+
- "*.tfstate"
|
|
438
|
+
- "*.tfstate.backup"
|
|
439
|
+
- ".terraform/"
|
|
440
|
+
|
|
441
|
+
# ---------------------------------------------------------------------------
|
|
442
|
+
# PLATFORM TOKENS (Vercel, Netlify, etc.)
|
|
443
|
+
# ---------------------------------------------------------------------------
|
|
444
|
+
- ".vercel/"
|
|
445
|
+
- ".netlify/"
|
|
446
|
+
|
|
447
|
+
# ---------------------------------------------------------------------------
|
|
448
|
+
# FIREBASE/SUPABASE
|
|
449
|
+
# ---------------------------------------------------------------------------
|
|
450
|
+
- "firebase-adminsdk*.json"
|
|
451
|
+
- "serviceAccountKey.json"
|
|
452
|
+
- ".supabase/"
|
|
453
|
+
|
|
454
|
+
# ---------------------------------------------------------------------------
|
|
455
|
+
# PACKAGE MANAGER AUTH & CREDENTIALS
|
|
456
|
+
# ---------------------------------------------------------------------------
|
|
457
|
+
- "~/.netrc"
|
|
458
|
+
- "~/.npmrc"
|
|
459
|
+
- "~/.pypirc"
|
|
460
|
+
- "~/.git-credentials"
|
|
461
|
+
- ".git-credentials"
|
|
462
|
+
|
|
463
|
+
# ---------------------------------------------------------------------------
|
|
464
|
+
# DATABASE DUMPS (may contain production data)
|
|
465
|
+
# ---------------------------------------------------------------------------
|
|
466
|
+
- "dump.sql"
|
|
467
|
+
- "backup.sql"
|
|
468
|
+
- "*.dump"
|
|
469
|
+
|
|
470
|
+
# ---------------------------------------------------------------------------
|
|
471
|
+
# READ-ONLY PATHS - Can read, but not write/edit/delete
|
|
472
|
+
# ---------------------------------------------------------------------------
|
|
473
|
+
# Safe to read but should never be modified by AI
|
|
474
|
+
# Enforced by: Bash, Edit, Write tools
|
|
475
|
+
# Supports glob patterns: *.lock, *.min.js
|
|
476
|
+
readOnlyPaths:
|
|
477
|
+
# ---------------------------------------------------------------------------
|
|
478
|
+
# SYSTEM DIRECTORIES
|
|
479
|
+
# ---------------------------------------------------------------------------
|
|
480
|
+
- /etc/
|
|
481
|
+
- /usr/
|
|
482
|
+
- /bin/
|
|
483
|
+
- /sbin/
|
|
484
|
+
- /boot/
|
|
485
|
+
- /root/
|
|
486
|
+
|
|
487
|
+
# ---------------------------------------------------------------------------
|
|
488
|
+
# SHELL HISTORY FILES
|
|
489
|
+
# ---------------------------------------------------------------------------
|
|
490
|
+
- ~/.bash_history
|
|
491
|
+
- ~/.zsh_history
|
|
492
|
+
- ~/.node_repl_history
|
|
493
|
+
|
|
494
|
+
# ---------------------------------------------------------------------------
|
|
495
|
+
# SHELL CONFIG FILES
|
|
496
|
+
# ---------------------------------------------------------------------------
|
|
497
|
+
- ~/.bashrc
|
|
498
|
+
- ~/.zshrc
|
|
499
|
+
- ~/.profile
|
|
500
|
+
- ~/.bash_profile
|
|
501
|
+
|
|
502
|
+
# ---------------------------------------------------------------------------
|
|
503
|
+
# LOCK FILES - Never manually edit, use package managers
|
|
504
|
+
# ---------------------------------------------------------------------------
|
|
505
|
+
- "package-lock.json"
|
|
506
|
+
- "yarn.lock"
|
|
507
|
+
- "pnpm-lock.yaml"
|
|
508
|
+
- "Gemfile.lock"
|
|
509
|
+
- "poetry.lock"
|
|
510
|
+
- "Pipfile.lock"
|
|
511
|
+
- "composer.lock"
|
|
512
|
+
- "Cargo.lock"
|
|
513
|
+
- "go.sum"
|
|
514
|
+
- "flake.lock"
|
|
515
|
+
- "bun.lockb"
|
|
516
|
+
- "uv.lock"
|
|
517
|
+
- "npm-shrinkwrap.json"
|
|
518
|
+
- "*.lock"
|
|
519
|
+
- "*.lockb"
|
|
520
|
+
|
|
521
|
+
# ---------------------------------------------------------------------------
|
|
522
|
+
# MINIFIED/COMPILED FILES - Generated, don't edit
|
|
523
|
+
# ---------------------------------------------------------------------------
|
|
524
|
+
- "*.min.js"
|
|
525
|
+
- "*.min.css"
|
|
526
|
+
- "*.bundle.js"
|
|
527
|
+
- "*.chunk.js"
|
|
528
|
+
|
|
529
|
+
# ---------------------------------------------------------------------------
|
|
530
|
+
# BUILD ARTIFACTS - Generated directories, don't edit
|
|
531
|
+
# ---------------------------------------------------------------------------
|
|
532
|
+
- dist/
|
|
533
|
+
- build/
|
|
534
|
+
- out/
|
|
535
|
+
- .next/
|
|
536
|
+
- .nuxt/
|
|
537
|
+
- .output/
|
|
538
|
+
- node_modules/
|
|
539
|
+
- __pycache__/
|
|
540
|
+
- .venv/
|
|
541
|
+
- venv/
|
|
542
|
+
- target/
|
|
543
|
+
|
|
544
|
+
# ---------------------------------------------------------------------------
|
|
545
|
+
# NO-DELETE PATHS - Can read/write/edit, but not delete
|
|
546
|
+
# ---------------------------------------------------------------------------
|
|
547
|
+
# Protect important files from accidental deletion
|
|
548
|
+
# Enforced by: Bash tool only (Edit/Write don't delete files)
|
|
549
|
+
# Supports glob patterns: *.md, LICENSE*
|
|
550
|
+
noDeletePaths:
|
|
551
|
+
# ---------------------------------------------------------------------------
|
|
552
|
+
# CLAUDE CODE CONFIGURATION
|
|
553
|
+
# ---------------------------------------------------------------------------
|
|
554
|
+
- ~/.claude/
|
|
555
|
+
- CLAUDE.md
|
|
556
|
+
|
|
557
|
+
# ---------------------------------------------------------------------------
|
|
558
|
+
# LICENSE AND LEGAL FILES
|
|
559
|
+
# ---------------------------------------------------------------------------
|
|
560
|
+
- "LICENSE"
|
|
561
|
+
- "LICENSE.*"
|
|
562
|
+
- "COPYING"
|
|
563
|
+
- "COPYING.*"
|
|
564
|
+
- "NOTICE"
|
|
565
|
+
- "PATENTS"
|
|
566
|
+
|
|
567
|
+
# ---------------------------------------------------------------------------
|
|
568
|
+
# PROJECT DOCUMENTATION
|
|
569
|
+
# ---------------------------------------------------------------------------
|
|
570
|
+
- "README.md"
|
|
571
|
+
- "README.*"
|
|
572
|
+
- "CONTRIBUTING.md"
|
|
573
|
+
- "CHANGELOG.md"
|
|
574
|
+
- "CODE_OF_CONDUCT.md"
|
|
575
|
+
- "SECURITY.md"
|
|
576
|
+
|
|
577
|
+
# ---------------------------------------------------------------------------
|
|
578
|
+
# GIT DIRECTORY
|
|
579
|
+
# ---------------------------------------------------------------------------
|
|
580
|
+
- .git/
|
|
581
|
+
- .gitignore
|
|
582
|
+
- .gitattributes
|
|
583
|
+
- .gitmodules
|
|
584
|
+
|
|
585
|
+
# ---------------------------------------------------------------------------
|
|
586
|
+
# CI/CD CONFIGURATION
|
|
587
|
+
# ---------------------------------------------------------------------------
|
|
588
|
+
- .github/
|
|
589
|
+
- .gitlab-ci.yml
|
|
590
|
+
- .circleci/
|
|
591
|
+
- Jenkinsfile
|
|
592
|
+
- .travis.yml
|
|
593
|
+
- azure-pipelines.yml
|
|
594
|
+
|
|
595
|
+
# ---------------------------------------------------------------------------
|
|
596
|
+
# DOCKER CONFIGURATION
|
|
597
|
+
# ---------------------------------------------------------------------------
|
|
598
|
+
- Dockerfile
|
|
599
|
+
- "Dockerfile.*"
|
|
600
|
+
- docker-compose.yml
|
|
601
|
+
- "docker-compose.*.yml"
|
|
602
|
+
- .dockerignore
|
|
603
|
+
|
|
604
|
+
# ---------------------------------------------------------------------------
|
|
605
|
+
# COMMON PROJECT DIRECTORIES (uncomment to enable)
|
|
606
|
+
# ---------------------------------------------------------------------------
|
|
607
|
+
# - src/
|
|
608
|
+
# - lib/
|
|
609
|
+
# - app/
|
|
610
|
+
# - tests/
|
|
611
|
+
# - docs/
|
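Review bot: The `rm` rule on line 11, `\brm\s+(-[^\s]*)*-[rRf]`, only matches when `r`, `R` or `f` directly follows the dash that opens the first option, so a clustered option such as `-vrf`, or a separate option placed before `-rf`, is not caught; in addition the nested quantifier `(-[^\s]*)*` can backtrack exponentially on a long run of dashes in a backtracking regex engine, which the lookahead on line 51 suggests is what the loaders use. The same `(-[^\s]*)*` idiom appears in the `git clean`, `git push -f` and `git branch -D` rules on lines 47, 54 and 84. The chmod rule on line 32 already uses a whitespace-delimited option group; the same shape here, e.g. `\brm\s+(?:-\S+\s+)*-[a-zA-Z]*[rRf]`, would cover both cases and make the duplicate rule on line 14 unnecessary. Separately, the SQL and `redis-cli` patterns are written in upper case only, so they depend on the loader compiling them case-insensitively, which is not visible on this page and should be confirmed.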
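--- a/package/models.json.pai
+++ b/package/models.json.pai
@@ -0,0 +1,43 @@
+{
+"providers": {
+"_comment": "Configure your model providers here. Examples below — uncomment and fill in the ones you use.",
+
+"_example_ollama": {
+"type": "ollama",
+"baseUrl": "http://localhost:11434",
+"models": {
+"default": "llama3.1:70b",
+"fast": "llama3.1:8b",
+"thinking": "qwen2.5:72b"
+}
+},
+
+"_example_openai_compatible": {
+"type": "openai",
+"baseUrl": "http://localhost:1234/v1",
+"apiKey": "your-api-key-here",
+"models": {
+"default": "your-model-name"
+}
+},
+
+"_example_anthropic": {
+"type": "anthropic",
+"apiKey": "your-api-key-here",
+"models": {
+"default": "claude-sonnet-4-6",
+"thinking": "claude-opus-4-6"
+}
+},
+
+"_example_openrouter": {
+"type": "openai",
+"baseUrl": "https://openrouter.ai/api/v1",
+"apiKey": "your-openrouter-key",
+"models": {
+"default": "anthropic/claude-sonnet-4-6",
+"fast": "anthropic/claude-haiku-4-5"
+}
+}
+}
+}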
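Review bot: The `_example_*` entries invite a literal `apiKey` value to be written into this file, yet the `zeroAccessPaths` list in `damage-control-rules.yaml` from the same package does not name `models.json`, so once the template is filled in the agent's own tools could presumably read the provider keys. Either list the installed file there, for example `- "models.json"` next to the other credential entries, or have the loader accept an environment-variable reference in place of the key itself; how `src/extension.ts` resolves `apiKey`, and what the installed file is called, is not visible on this page and should be confirmed. The `_comment` text also says "uncomment", which JSON has no way to do, so it should describe whatever the loader actually expects, presumably renaming the key to drop the `_example_` prefix.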