fs_guard

Filesystem topology constraints. Limits access to safe paths and blocks sensitive locations.


What it mitigates


| Profile | Allowed roots | Blocked paths |
|---|---|---|
| local | ${workspace}, /tmp | strict |
| standard | ${workspace}, /tmp | strict |
| unbounded | workspace-centric | monitor mode |

Minimal config

moduleConfig:
  fs_guard:
    allowedPaths:
      - "${workspace}"
      - "/tmp"
    blockedPaths:
      - "~/.ssh"
      - "~/.aws"
      - "/etc"
    blockedBasenames:
      - ".env"
      - ".env.local"
      - ".envrc"
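
An added example, not fs_guard's own code: a lexical evaluator for the three lists in the config above, for reasoning about which requests such a configuration admits. The `check` helper, the evaluation order (blocked paths, then blocked basenames, then allowed roots), exact basename matching, and the sample workspace and home paths are assumptions; the page does not state how the module evaluates them.

```python
import posixpath
from pathlib import PurePosixPath

# Lists copied from the minimal config above.
ALLOWED_PATHS = ["${workspace}", "/tmp"]
BLOCKED_PATHS = ["~/.ssh", "~/.aws", "/etc"]
BLOCKED_BASENAMES = {".env", ".env.local", ".envrc"}


def _expand(entry, workspace, home):
    """Expand ${workspace} and a leading ~, then collapse '.' and '..'."""
    entry = entry.replace("${workspace}", workspace)
    if entry == "~" or entry.startswith("~/"):
        entry = home + entry[1:]
    return PurePosixPath(posixpath.normpath(entry))


def _within(path, root):
    """True if path is root or beneath it, compared per component."""
    return path == root or root in path.parents


def check(path, workspace, home):
    """Hypothetical helper: return (allowed, reason) for a requested path.

    Assumed order: blockedPaths, blockedBasenames (exact match), allowedPaths.
    Lexical only; an enforcement point must also resolve symlinks.
    """
    if not path.startswith(("/", "~")):
        path = workspace + "/" + path  # assumption: relative to workspace
    p = _expand(path, workspace, home)
    for entry in BLOCKED_PATHS:
        if _within(p, _expand(entry, workspace, home)):
            return False, "blockedPaths: " + entry
    if p.name in BLOCKED_BASENAMES:
        return False, "blockedBasenames: " + p.name
    for entry in ALLOWED_PATHS:
        if _within(p, _expand(entry, workspace, home)):
            return True, "allowedPaths: " + entry
    return False, "outside allowedPaths"


if __name__ == "__main__":
    ws, home = "/home/dev/proj", "/home/dev"  # constructed sample values
    for req in ["src/main.py", "../.ssh/id_ed25519", "/tmp/../etc/passwd",
                "config/.env", "/tmpfoo/x"]:
        print(req, "->", check(req, ws, home))
```

Comparing by path component rather than by string prefix is what keeps `/tmpfoo` from matching the `/tmp` root and `/etcetera` from matching the `/etc` block.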

Hardening tips