clash_starlark 0.7.2

Starlark policy evaluator for Clash — compiles .star files to JSON policy
# Clash sandbox presets — intent-based trust levels for Bash commands.
#
# These presets express what you trust a command to do, not what
# the command literally says.  Pick a preset based on intent:
#
#   readonly     — read-only project access, network allowed
#   project      — build tools, git: read+write project, no network
#   git_safe     — git safe: fetch, pull, log, diff, gh; worktree-aware, network + SSH
#   git_full     — git full: commit, push, checkout, merge, gh; worktree-aware, network + SSH
#   workspace    — full home directory access, deny sensitive dirs
#   unrestricted — fully trusted: all filesystem + network access
#

# Directory names, relative to $HOME, that the `workspace` preset denies even
# though it grants the rest of $HOME.  Each entry matches only that exact name
# directly under $HOME (".git" here is $HOME/.git, not a project's .git dir).
# NOTE(review): GnuPG's default home is ~/.gnupg, not ~/.gpg — confirm ".gpg"
# is the intended entry; otherwise the keyring is not covered by this list.
UNSAFE_IN_HOME = (
    ".ssh",
    ".gpg",
    ".config",
    ".aws",
    ".gh",
    ".git",
)


# readonly — inspect the project and the Claude settings; network open.
# Permission letters are presumably r=read, w=write, x=exec, c=create,
# d=delete (cf. "rwcd" in `project`) — confirm against the evaluator.
# Paths not listed under `fs` presumably fall through to `default = ask()`.
readonly = sandbox(
    name = "readonly",
    default = ask(),
    fs = {
        # project tree: read + execute, no write
        glob("$PWD/**"): allow("rx"),
        # Claude settings: read only
        glob("$HOME/.claude/**"): allow("r"),
    },
    net = allow(),
    doc = "Read-only project access with network allowed.",
)

# project — build tooling: full access to the project tree and TMPDIR,
# read/write on the Claude settings, no other paths.
# NOTE(review): `net` is not set.  Whether an unset `net` means deny or
# falls back to `default = ask()` is not visible here; the doc promises
# "no network", so confirm, or state it explicitly with `net = deny()`.
project = sandbox(
    name = "project",
    default = ask(),
    fs = {
        # project tree: every permission
        glob("$PWD/**"): allow(FULL),
        # Claude settings: read/write/create/delete, but not exec
        glob("$HOME/.claude/**"): allow("rwcd"),
        # scratch space for compilers and test runners
        glob("$TMPDIR/**"): allow(FULL),
    },
    doc = "Build tools: read+write project and TMPDIR, no network.",
)

# git_safe — read-only git operations plus gh, with the credentials they need.
# The $PWD grant is rx only; fetch/pull still write under $PWD/.git, so those
# presumably end up at `default = ask()` rather than allowed outright —
# confirm the doc's "fetch, pull" claim against this, or widen the grant.
# Reading $HOME/.ssh/** exposes private keys and .config/gh/** typically
# holds the gh auth token; both are required for SSH/gh but are the
# sensitive part of this preset.
git_safe = sandbox(
    name = "git_safe",
    default = ask(),
    fs = {
        # project tree (and linked worktrees): read + execute
        subpath("$PWD", follow_worktrees = True): allow("rx"),
        "$HOME": {
            ".gitconfig": allow("r"),
            glob(".config/git/**"): allow("r"),
            glob(".config/gh/**"): allow("r"),
            # SSH keys and known_hosts; x presumably needed for ssh helpers
            glob(".ssh/**"): allow("rx"),
        },
        # bare allow() — presumably equivalent to allow(FULL); confirm
        glob("$TMPDIR/**"): allow(),
    },
    net = allow(),
    doc = "Git safe: fetch, pull, log, diff, gh. Worktree-aware, network + SSH + gh CLI enabled.",
)

# git_full — read/write git operations plus gh.  Same $HOME grants as
# git_safe (SSH keys readable, gh config readable); the only difference is
# FULL instead of rx on the project tree.
git_full = sandbox(
    name = "git_full",
    default = ask(),
    fs = {
        # project tree (and linked worktrees): every permission
        subpath("$PWD", follow_worktrees = True): allow(FULL),
        "$HOME": {
            ".gitconfig": allow("r"),
            glob(".config/git/**"): allow("r"),
            glob(".config/gh/**"): allow("r"),
            # SSH keys and known_hosts; x presumably needed for ssh helpers
            glob(".ssh/**"): allow("rx"),
        },
        # bare allow() — presumably equivalent to allow(FULL); confirm
        glob("$TMPDIR/**"): allow(),
    },
    net = allow(),
    doc = "Git full: commit, push, checkout, merge, gh. Worktree-aware, network + SSH + gh CLI enabled.",
)

# workspace — everything under $HOME except the UNSAFE_IN_HOME entries;
# anything outside $HOME (including $TMPDIR) hits `default = deny()`.
# NOTE(review): the deny entries overlap the broader "$HOME/**" allow, so
# whether they win depends on the evaluator's precedence rules (most-specific
# vs. first-match) — confirm, or the deny list is inert.
# NOTE(review): `net` is not set; with `default = deny()` network is
# presumably denied, which the doc does not say — confirm.
workspace = sandbox(
    name = "workspace",
    default = deny(),
    fs = {glob("$HOME/**"): allow()} | {
        # one deny entry per sensitive dir directly under $HOME
        glob("$HOME/{}/**".format(d)): deny()
        for d in UNSAFE_IN_HOME
    },
    doc = "Full home directory access, deny sensitive subdirs (.ssh, .gpg, .config, .aws, .gh, .git).",
)

# unrestricted — no `fs` or `net` rules at all; `default = allow()` grants
# every path (SSH keys, cloud credentials, the lot) and the network.
# Only for commands that are trusted as much as the user's own shell.
unrestricted = sandbox(
    name = "unrestricted",
    default = allow(),
    doc = "Fully trusted: all filesystem + network access.",
)