From 06bb6387375452e88b0aca6c1cd7491c2ff687f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krist=C3=B3f=20T=C3=B3th?=
Date: Wed, 22 Apr 2026 20:47:11 +0200
Subject: [PATCH] Document all config options with commented examples

---
 config-example.toml | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/config-example.toml b/config-example.toml
index 5de799c..a59a330 100644
--- a/config-example.toml
+++ b/config-example.toml
@@ -1,8 +1,19 @@
+# Globals; [profile.] overrides them when --profile is passed.
+# CLI flags override both.
+
 whitelist = true
+# blacklist = true
+# hardened = true # implied by whitelist
+# unshare-net = true
+# seccomp = false # default: true
+# env-filter = false # default: true
+# dry-run = true
+# chdir = "~/projects/my-repo"
+
 ro = [
 "~/.local/share/claude-code",
 "~/.local/share/codex-cli",
- "~/.config/AGENTS.md",
+ "~/dev/agent-config/AGENTS.md",
 "/etc/alsa",
 "/run/user/1000/pulse",
 "/run/user/1000/pipewire-0",
@@ -12,9 +23,21 @@ rw = [
 "~/.cargo",
 "~/.rustup",
 ]
-setenv = { DATABASE_URL = "postgres://localhost/dev" }
-unsetenv = ["HTTP_PROXY", "HTTPS_PROXY"]
-entrypoint = ["claude", "--dangerously-skip-permissions"]
+# mask = ["~/.ssh"] # hide path with tmpfs/over /dev/null
+env = [
+ "XDG_RUNTIME_DIR", # KEY -> pass through from host if set
+ # "DEBUG=", # KEY= -> set to empty string
+ # "DATABASE_URL=dev", # KEY=VALUE -> set explicitly
+]
+# unsetenv = ["SOME_LEAKED_VAR"]
+
+entrypoint = ["claude", "--dangerously-skip-permissions"]
+# command = ["--model", "opus"] # default trailing args
+# bwrap-args = ["--tmpfs /opt/scratch"] # raw bwrap escape hatch
+
+# Profiles inherit all globals above and override keys they set. Select one at
+# runtime with `--profile `. Vec fields (ro/rw/mask/env/unsetenv) append
+# to the globals; scalar fields replace. Profile-less runs use just the globals.

 [profile.blacklist]
 blacklist = true
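Review bot: In the first hunk, `# seccomp = false` and `# env-filter = false` are listed among routine toggles such as `dry-run`, with only `# default: true` to show that uncommenting them switches a protection off. The example's uncommented entrypoint runs the agent with `--dangerously-skip-permissions`, so the sandbox options are the main control left to a user who copies this file. I would say so on the lines themselves, e.g. `# seccomp = false      # default: true; turning it off weakens the sandbox`, and the same for `env-filter`. The header comment's `[profile.]` also reads as if a placeholder name is missing, if that is how it appears in the file.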
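Review bot: The merge rule in the closing comment of the second hunk names ro/rw/mask/env/unsetenv as appending, but does not say what `entrypoint`, `command` and `bwrap-args` do when a profile sets them, although all three are arrays as well. That matters most for `bwrap-args`: if it appends, raw arguments set globally follow every profile, including one meant to be stricter. I would add a line such as `# entrypoint, command and bwrap-args: <append or replace; state which>` and extend the `bwrap-args` comment to say the arguments reach bwrap unchecked and may re-expose paths that whitelist or mask hide. The example `"--tmpfs /opt/scratch"` also puts flag and value in one string; unless the tool splits elements on whitespace, it should be two elements.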