fix: deny opencode access to nix secret paths

2026-02-22 13:22:19 +01:00
parent 85df2e7886
commit ac23d88ca9
1 changed files with 9 additions and 0 deletions
--- a/home/modules/ai-tools.nix
+++ b/home/modules/ai-tools.nix
@@ -74,6 +74,15 @@ in
      home.packages = with pkgs; [
        opencode
      ];
+      home.file.".config/opencode/opencode.json".text = builtins.toJSON {
+        "$schema" = "https://opencode.ai/config.json";
+        permission = {
+          external_directory = {
+            "/run/secrets/" = "deny";
+            "~/.config/sops/age/keys.txt" = "deny";
+          };
+        };
+      };
    })
  ];
 }