From 520ca2970e886ba00448a6c66187feeecfd085ac Mon Sep 17 00:00:00 2001
From: Terada Kousuke
Date: Mon, 6 Apr 2026 18:02:15 +0900
Subject: [PATCH] fix(guardrails): harden infrastructure agent permissions (review follow-up #113)

- Add *.pem, *.key, *secret* deny to terraform-engineer, cloud-architect, deployment-engineer
- Split kubectl rollout into read-only (allow) vs mutating (ask) subcommands
- Add explicit docker push/docker compose push deny to deployment-engineer

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../guardrails/profile/agents/cloud-architect.md | 6 ++++++
 .../profile/agents/deployment-engineer.md | 13 ++++++++++++-
 .../guardrails/profile/agents/terraform-engineer.md | 6 ++++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/packages/guardrails/profile/agents/cloud-architect.md b/packages/guardrails/profile/agents/cloud-architect.md
index 5186d4c5fbe9..170b9f0e0594 100644
--- a/packages/guardrails/profile/agents/cloud-architect.md
+++ b/packages/guardrails/profile/agents/cloud-architect.md
@@ -6,9 +6,15 @@ permission:
 "*": allow
 "*.env*": deny
 "*credentials*": deny
+ "*.pem": deny
+ "*.key": deny
+ "*secret*": deny
 grep:
 "*": allow
 "*.env*": deny
+ "*.pem": deny
+ "*.key": deny
+ "*secret*": deny
 glob: allow
 edit:
 "*": deny
diff --git a/packages/guardrails/profile/agents/deployment-engineer.md b/packages/guardrails/profile/agents/deployment-engineer.md
index 5251fedaa2ec..e817e80156b7 100644
--- a/packages/guardrails/profile/agents/deployment-engineer.md
+++ b/packages/guardrails/profile/agents/deployment-engineer.md
@@ -6,9 +6,15 @@ permission:
 "*": allow
 "*.env*": deny
 "*credentials*": deny
+ "*.pem": deny
+ "*.key": deny
+ "*secret*": deny
 grep:
 "*": allow
 "*.env*": deny
+ "*.pem": deny
+ "*.key": deny
+ "*secret*": deny
 glob: allow
 edit:
 "*": allow
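Review bot: The new `read`/`grep` deny entries in this hunk (and the identical ones in the deployment-engineer.md and terraform-engineer.md hunks) match key material only by file extension, so extensionless private keys such as `id_rsa` / `id_ed25519` and bundled keystores (`*.p12`, `*.pfx`, `*.jks`) still fall under the `"*": allow` default; adding `"*id_rsa*": deny`, `"*id_ed25519*": deny` and `"*.p12": deny` (and the other keystore extensions) alongside `"*.key": deny` would close the most common cases. Whether `*secret*` also matches `Secret`/`SECRET` depends on the matcher's case handling, which nothing in this file documents, so either the upper-case variants need their own entries or the case-folding behaviour should be stated in a comment above the `read:` block. The same six-entry deny list is now hand-copied into two sections of three profiles and is already diverging (terraform-engineer carries `*.tfvars`, this profile does not), so a one-line comment such as `# shared sensitive-file deny list — keep in sync with the other agent profiles` would help maintainers. These entries only constrain the `read` and `grep` tools; whether the same files remain reachable through shell commands is decided by this profile's `bash` section, which lies outside the hunk and should be checked for the same coverage.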
@@ -18,13 +24,18 @@ permission:
 "*": deny
 "docker build*": allow
 "docker compose*": allow
+ "docker compose push*": deny
+ "docker push*": deny
 "docker ps*": allow
 "docker images*": allow
 "docker logs*": allow
 "kubectl get*": allow
 "kubectl describe*": allow
 "kubectl logs*": allow
- "kubectl rollout*": allow
+ "kubectl rollout status*": allow
+ "kubectl rollout history*": allow
+ "kubectl rollout restart*": ask
+ "kubectl rollout undo*": ask
 "git diff*": allow
 "git status*": allow
 "git log*": allow
diff --git a/packages/guardrails/profile/agents/terraform-engineer.md b/packages/guardrails/profile/agents/terraform-engineer.md
index 3e98639ea557..fdb47fc3eb3c 100644
--- a/packages/guardrails/profile/agents/terraform-engineer.md
+++ b/packages/guardrails/profile/agents/terraform-engineer.md
@@ -7,10 +7,16 @@ permission:
 "*.env*": deny
 "*credentials*": deny
 "*.tfvars": deny
+ "*.pem": deny
+ "*.key": deny
+ "*secret*": deny
 grep:
 "*": allow
 "*.env*": deny
 "*.tfvars": deny
+ "*.pem": deny
+ "*.key": deny
+ "*secret*": deny
 glob: allow
 edit:
 "*": allow
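Review bot: Whether `"docker compose push*": deny` has any effect depends on how the evaluator resolves it against the broader `"docker compose*": allow` two lines above it — if rules are applied first-match in listed order the allow wins and the new deny is dead, and if the most specific pattern or deny-over-allow wins it works; the file does not say which, so a comment above the `bash:` block stating the rule, e.g. `# more specific patterns override broader ones; deny takes precedence over allow`, is needed for anyone maintaining this list. Even with the right precedence, the two deny patterns do not cover every spelling of a registry push: `docker image push` is the same command as `docker push`, and the already-allowed `docker build*` prefix also matches `docker buildx build --push`, which pushes the image as part of the build, so `"docker image push*": deny` and a note about `--push` on builds belong here. On the kubectl side, `kubectl get*` remains allowed and includes `kubectl get secret`, which returns Secret contents, so the `*secret*` file-read deny added in the earlier hunk does not extend to cluster secrets; a `"kubectl get secret*": deny` entry (subject to the same precedence question) would align the two. The split also drops `kubectl rollout pause`/`resume` to the `"*": deny` default, which is fail-closed but should be confirmed as intended in the commit message.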
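Review bot: The terraform-engineer read and grep deny lists still do not mention Terraform state: `*.tfstate` and `*.tfstate.backup` store resource attributes, including provider-generated passwords and tokens, in plaintext, which is the same class of data that `*.tfvars`, `*.pem` and `*.key` are being denied for, so `"*.tfstate*": deny` belongs in both the `read:` and `grep:` sections of this hunk. The diff only shows lines 7–22 of the file, so confirm that no such entry already exists above or below the hunk before adding it. A short comment above the `read:` block naming what each pattern is meant to protect (`# tfvars/tfstate: variable values and state may hold plaintext secrets`) would also make the intent of the list clear to the next person extending it.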