Merged
79 changes: 79 additions & 0 deletions .claude/settings.json
@@ -0,0 +1,79 @@
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"sandbox": {
"enabled": true,
"filesystem": {
"denyRead": ["~/"],
"allowRead": [
".",
"~/.gitconfig",
"~/.config/git/",
"~/.config/gh/",
"~/.cache/uv/",
"~/.local/share/uv/",
"~/.local/bin/",
"~/.config/apache-steward/"
]
},
"network": {
"allowedDomains": [
"github.com",
"api.github.com",
"raw.githubusercontent.com",
"objects.githubusercontent.com",
"codeload.github.com",
"uploads.github.com",
"pypi.org",
"files.pythonhosted.org",
"lists.apache.org",
"cveprocess.apache.org",
"cve.org",
"www.cve.org",
"oauth2.googleapis.com",
"gmail.googleapis.com"
]
}
},
"permissions": {
"deny": [
"Read(~/.aws/**)",
"Read(~/.ssh/**)",
"Read(~/.netrc)",
"Read(~/.docker/**)",
"Read(~/.kube/**)",
"Read(~/.config/gh/**)",
"Read(~/.config/apache-steward/**)",
"Read(~/.config/gcloud/**)",
"Read(~/.azure/**)",
"Read(//**/.env)",
"Read(//**/.env.local)",
"Read(//**/.env.*.local)",
"Bash(curl *)",
"Bash(wget *)",
"Bash(aws *)",
"Bash(gcloud *)",
"Bash(az *)",
"Bash(kubectl *)",
"Bash(docker login *)",
"Bash(npm publish *)",
"Bash(pip install --upgrade *)",
"Bash(uv self update *)"
],
"ask": [
"Bash(git push *)",
"Bash(git push --force *)",
"Bash(git push --force-with-lease *)",
"Bash(gh pr create *)",
"Bash(gh pr edit *)",
"Bash(gh pr merge *)",
"Bash(gh issue create *)",
"Bash(gh issue edit *)",
"Bash(gh issue close *)",
"Bash(gh issue comment *)",
"Bash(gh release create *)",
"Bash(gh api * -X *)",
"Bash(gh api * -f *)",
"Bash(gh api * -F *)"
]
}
}
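Review bot: the sandbox `allowRead` list grants `~/.config/gh/` and `~/.config/apache-steward/` while `permissions.deny` blocks `Read(~/.config/gh/**)` and `Read(~/.config/apache-steward/**)`; the deny rules constrain only the `Read` tool, so a `Bash(cat ~/.config/gh/hosts.yml)` or `Bash(gh auth token)` call inside the sandbox still reaches the gh credential, because the filesystem layer permits the path and no Bash deny covers `cat`, `python`, or `gh auth`. If `gh` needs its config only for the `ask`-gated commands, consider keeping `~/.config/gh/` out of `allowRead`, or document plainly that the token is readable by any process in the sandbox. Two smaller points in the same hunk: the `gh api` entries in `ask` match only the short flags (`-X`, `-f`, `-F`), so `gh api --method POST --field ...` or `gh api --input body.json` would run without a prompt, and `gh pr comment *` and `gh gist create *` are absent from `ask` while `gh issue comment *` is present, even though both write to public surfaces reachable through the allowed `github.com` and `api.github.com` egress.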
9 changes: 9 additions & 0 deletions AGENTS.md
@@ -309,6 +309,15 @@ projects is a config change, not a code change.

## Local setup

**Run the agent in the credential-isolation setup.** The skills
operate against pre-disclosure CVE content; running Claude Code (or
another `SKILL.md`-aware agent) with default-permissive access to
`~/`, env vars, and arbitrary network egress is a real exfiltration
risk. See [`secure-agent-setup.md`](secure-agent-setup.md) for the
layered defence the framework dogfoods (`.claude/settings.json`
sandbox + tool permissions + clean-env wrapper, with system tools
pinned at a 7-day upstream cooldown).

This repository uses [`prek`](https://github.com/j178/prek) (a fast, Rust-based drop-in
replacement for `pre-commit`) to run pre-commit hooks that keep the documentation
consistent — regenerating the `doctoc` tables of contents, stripping trailing whitespace,
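Review bot: the new paragraph links `secure-agent-setup.md`, but that file is not part of this change set (only `.claude/settings.json`, `AGENTS.md` and `README.md` are touched), so it should either be added in the same PR or the link checked against the current tree before merge; a dangling link in the setup section defeats the instruction it carries. It is also worth stating here that `.claude/settings.json` covers only the filesystem and network layers and that env-var stripping comes solely from the clean-env wrapper, since a reader who applies the settings file alone gets no protection for the credential-shaped variables the paragraph warns about. Finally, the 7-day cooldown on `bubblewrap`, `socat` and the agent binary also delays security fixes for the sandbox tooling itself; a sentence on when to bypass the cooldown (for instance for a published fix in the sandbox) would make the trade-off explicit.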
12 changes: 12 additions & 0 deletions README.md
Expand Up @@ -155,6 +155,18 @@ the `.claude/skills/*/SKILL.md` files and follows their step-by-step
instructions should work; there is no hard dependency on Claude Code
specifically.

The agent runs against pre-disclosure CVE content (private mail
threads, draft advisories, in-flight tracker discussions). Run it
with the credential-isolation setup documented in
[`secure-agent-setup.md`](secure-agent-setup.md) — a layered
defence built around Claude Code's filesystem sandbox, tool-level
permission rules, and a clean-env wrapper that strips credential-
shaped variables from the agent's environment. The required system
tools (`bubblewrap`, `socat`, `claude-code` itself) are pinned with
a 7-day upstream-release cooldown, mirroring the same convention the
framework uses for its `[tool.uv] exclude-newer` and Dependabot
configs.

### 2. Email connection (Gmail MCP, today)

The import, sync, and allocate-cve skills **read the security-list
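Review bot: this paragraph repeats the `AGENTS.md` addition almost verbatim (same layered-defence description, same 7-day cooldown sentence); two copies will drift, so prefer a one-line pointer here ("Run the agent in the credential-isolation setup; see `secure-agent-setup.md`") and keep the detail in one place. One wording issue: `claude-code` is listed among the pinned system tools beside `bubblewrap` and `socat`, yet the preceding context says there is no hard dependency on Claude Code specifically; say which pin applies when another `SKILL.md`-aware agent is used, or that the cooldown convention applies to whichever agent binary is installed.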