| author | main <main@swarm.moe> | 2026-03-23 16:51:01 -0400 |
|---|---|---|
| committer | main <main@swarm.moe> | 2026-03-23 16:51:01 -0400 |
| commit | 10d4e08bc5d18daa59ddec19a3e2bf345331ccfc (patch) | |
| tree | e0a702e4abff8059dfc7a72bbef599e1e79f896b /assets/codex-skills | |
| parent | c3ad44cf3ec3bcd080f62c19d915ac1749576302 (diff) | |
| download | phone_opus-10d4e08bc5d18daa59ddec19a3e2bf345331ccfc.zip | |
Externalize Claude sandboxing with systemd-run
Diffstat (limited to 'assets/codex-skills')
| -rw-r--r-- | assets/codex-skills/phone-opus/SKILL.md | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/assets/codex-skills/phone-opus/SKILL.md b/assets/codex-skills/phone-opus/SKILL.md index 305badb..7db836a 100644 --- a/assets/codex-skills/phone-opus/SKILL.md +++ b/assets/codex-skills/phone-opus/SKILL.md @@ -35,7 +35,8 @@ should be taken as authoritative or final. It is a pure consultant. - Pins Claude to Opus 4.6 with max effort. - Prepends a fixed consult prefix before your prompt so Opus knows it is advising another model in read-only mode and should return a prioritized actionable report. -- Uses `--permission-mode dontAsk`, so only globally preapproved read-only Bash commands can execute. +- Uses `--dangerously-skip-permissions`, but wraps Claude in an external `systemd-run --user` sandbox. +- The sandbox keeps the filesystem globally read-only, gives Claude a separate persistent home under phone-opus state, leaves `/tmp` and `/var/tmp` writable, and forces the consulted `cwd` read-only when that tree would otherwise be writable. - This surface is consultative only. Edit tools are unavailable. - The returned `session_id` is reusable: pass it back into a later `consult` call to continue that Claude conversation. - Background consults return a `job_id`; use `consult_job` to poll one job or `consult_jobs` to rediscover recent ones. |
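Review bot: The new bullets describe what the `systemd-run --user` sandbox restricts but not what happens when it cannot be applied, and with `--permission-mode dontAsk` replaced by `--dangerously-skip-permissions` the sandbox is now the only guard, so the documentation should state whether the consult fails closed when `systemd-run --user` is unavailable or the unit fails to start, rather than falling back to an unsandboxed Claude. The second added line also lists the writable locations (the persistent home, `/tmp`, `/var/tmp`) without saying whether network access is constrained; since the surrounding text still promises "consultative only" and "Edit tools are unavailable", it should be made explicit that read-only behaviour is now enforced at the filesystem level by the sandbox, not by Claude's own permission checks, and that writes to the listed writable paths remain possible.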