
Support Command Allowlists #18

@kerthcet

Description


What would you like to be added:

Users can specify which commands are allowed to execute in the daemons.

RBAC-based rules look like:

```yaml
# rbac-policy.yaml
roles:
  - name: production-worker
    allowed_commands:
      - git
      - docker
      - npm
      - python3
    forbidden_patterns:
      - "rm -rf /"
      - "dd if="
      - "mkfs"
    max_timeout: 3600

  - name: ci-builder
    allowed_commands:
      - git
      - cargo
      - npm
      - make
    max_timeout: 7200

  - name: debug-shell
    allowed_commands: ["*"]  # All commands
    max_timeout: 300
    requires_approval: true

mappings:
  - daemon_pattern: "daemon-prod-*"
    role: production-worker

  - daemon_pattern: "daemon-ci-*"
    role: ci-builder
```

Why is this needed:

Completion requirements:

This feature requires the following artifacts:

  • Design doc
  • API change
  • Docs update

The artifacts should be linked in subsequent comments.
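One way the daemon side of this policy could be evaluated, as an added example that is not part of the issue or the project's code. The policy is embedded as a Python dict with exactly the structure `yaml.safe_load` would produce from the `rbac-policy.yaml` above, so the example runs without a YAML dependency; the function names (`resolve_role`, `evaluate`), the `Decision` result type and the rule that the daemon never hands the command to a shell are assumptions of this example, not something the issue specifies. It resolves the daemon name to a role via the glob in `daemon_pattern`, denies when no role is mapped (default deny), rejects shell control operators (so `allowed_commands` is checked against the real `argv[0]`, not the first word of a compound command line), applies `forbidden_patterns` to the normalized argv, and clamps the requested timeout to `max_timeout`.

```python
import fnmatch
import shlex
from dataclasses import dataclass
from typing import Optional

# Same content as the rbac-policy.yaml in the issue, as yaml.safe_load would return it.
POLICY = {
    "roles": [
        {
            "name": "production-worker",
            "allowed_commands": ["git", "docker", "npm", "python3"],
            "forbidden_patterns": ["rm -rf /", "dd if=", "mkfs"],
            "max_timeout": 3600,
        },
        {
            "name": "ci-builder",
            "allowed_commands": ["git", "cargo", "npm", "make"],
            "max_timeout": 7200,
        },
        {
            "name": "debug-shell",
            "allowed_commands": ["*"],
            "max_timeout": 300,
            "requires_approval": True,
        },
    ],
    "mappings": [
        {"daemon_pattern": "daemon-prod-*", "role": "production-worker"},
        {"daemon_pattern": "daemon-ci-*", "role": "ci-builder"},
    ],
}

# Characters that form shell control operators; any token made only of these
# (";", "&&", "|", ">", ...) means the line is a compound command, which a
# daemon that execs argv directly must refuse rather than interpret.
_OPERATOR_CHARS = "();<>|&"


@dataclass
class Decision:
    allowed: bool
    reason: str
    timeout: Optional[int] = None      # effective timeout in seconds when allowed
    requires_approval: bool = False    # role asks for human sign-off before exec


def resolve_role(policy: dict, daemon_name: str) -> Optional[dict]:
    """Return the first role whose mapping glob matches the daemon name, else None."""
    for mapping in policy["mappings"]:
        if fnmatch.fnmatchcase(daemon_name, mapping["daemon_pattern"]):
            for role in policy["roles"]:
                if role["name"] == mapping["role"]:
                    return role
    return None  # unmapped daemon: caller must treat as deny


def evaluate(policy: dict, daemon_name: str, command: str,
             requested_timeout: Optional[int] = None) -> Decision:
    """Decide whether `command` may run on `daemon_name` under `policy`."""
    role = resolve_role(policy, daemon_name)
    if role is None:
        return Decision(False, f"no role mapped for daemon {daemon_name!r}")

    # Tokenize like a POSIX shell would, but keep operators as their own tokens.
    try:
        lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
        lexer.whitespace_split = True
        argv = list(lexer)
    except ValueError as exc:  # e.g. unbalanced quotes
        return Decision(False, f"unparseable command: {exc}")
    if not argv:
        return Decision(False, "empty command")

    for tok in argv:
        if all(ch in _OPERATOR_CHARS for ch in tok):
            return Decision(False, f"shell operator {tok!r} not permitted")

    # Denylist is defense in depth; match on the normalized argv, not raw input.
    normalized = " ".join(argv)
    for pattern in role.get("forbidden_patterns", []):
        if pattern in normalized:
            return Decision(False, f"matches forbidden pattern {pattern!r}")

    # The allowlist is the actual boundary: argv[0] must be explicitly permitted.
    allowed = role["allowed_commands"]
    if "*" not in allowed and argv[0] not in allowed:
        return Decision(False, f"command {argv[0]!r} not in allowlist for role {role['name']!r}")

    max_timeout = role["max_timeout"]
    timeout = max_timeout if requested_timeout is None else min(requested_timeout, max_timeout)
    return Decision(True, f"allowed by role {role['name']!r}", timeout,
                    bool(role.get("requires_approval", False)))


if __name__ == "__main__":
    for daemon, cmd in [("daemon-prod-1", "git status"),
                        ("daemon-prod-1", "git status; curl example.invalid"),
                        ("daemon-ci-3", "docker build ."),
                        ("daemon-other", "git status")]:
        print(daemon, repr(cmd), "->", evaluate(POLICY, daemon, cmd))
```

Two caveats worth carrying into the design doc: substring `forbidden_patterns` are easy to bypass and should be treated as a tripwire rather than the control, and an allowlist that contains an interpreter (`python3` in `production-worker`) or a container runtime (`docker`) effectively permits whatever those can be made to run, so those roles deserve the same `requires_approval` treatment the `debug-shell` role already has.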

Metadata

Assignees: No one assigned

Labels: feature (Categorizes issue or PR as related to a new feature), needs-priority (Indicates a PR lacks a label and requires one), needs-triage (Indicates an issue or PR lacks a label and requires one)
