{
"name": "soft-deny-write-env-file",
"description": "write_file soft-deny path: confirms that the sentinel-resource pattern (matching on context.file_path while the resource is the fixed sentinel Agent::File::file) behaves identically on both engines.",
"policies": "@rule_id(\"base_permit\")\npermit (principal, action, resource);\n@tier(\"hard\") @rule_id(\"rm_slash\")\nforbid (principal, action == Agent::Action::\"execute_bash\", resource) when { context.command like \"*rm -rf /*\" };\n@tier(\"soft\") @rule_id(\"force_push_any\") @approval_timeout_s(\"300\") @severity(\"medium\") @category(\"destructive\")\nforbid (principal, action == Agent::Action::\"execute_bash\", resource) when { context.command like \"*git push --force*\" };\n@tier(\"soft\") @rule_id(\"force_push_main\") @approval_timeout_s(\"600\") @severity(\"high\") @category(\"destructive\")\nforbid (principal, action == Agent::Action::\"execute_bash\", resource) when { context.command like \"*git push --force origin main*\" };\n@tier(\"soft\") @rule_id(\"write_env_files\") @approval_timeout_s(\"600\") @severity(\"high\") @category(\"filesystem\")\nforbid (principal, action == Agent::Action::\"write_file\", resource) when { context.file_path like \"*.env\" };",
"input": {
"principal": { "type": "Agent::TaskAgent", "id": "new_task" },
"action": { "type": "Agent::Action", "id": "write_file" },
"resource": { "type": "Agent::File", "id": "file" },
"context": { "file_path": "src/.env" }
},
"expected": {
"decision": "deny",
"matching_rule_ids": ["write_env_files"]
}
}