From 9d5b227408cf35e0a81beccf9c3aa477b6d0266b Mon Sep 17 00:00:00 2001 From: Re-bin Date: Fri, 6 Feb 2026 09:34:11 +0000 Subject: [PATCH] docs: add security config section and remove redundant full config example --- README.md | 58 ++++++++----------------------------------------------- 1 file changed, 8 insertions(+), 50 deletions(-) diff --git a/README.md b/README.md index e2019fe..3408003 100644 --- a/README.md +++ b/README.md @@ -361,58 +361,16 @@ Config file: `~/.nanobot/config.json` | `gemini` | LLM (Gemini direct) | [aistudio.google.com](https://aistudio.google.com) | -
-Full config example +### Security -```json -{ - "agents": { - "defaults": { - "model": "anthropic/claude-opus-4-5" - } - }, - "providers": { - "openrouter": { - "apiKey": "sk-or-v1-xxx" - }, - "groq": { - "apiKey": "gsk_xxx" - } - }, - "channels": { - "telegram": { - "enabled": true, - "token": "123456:ABC...", - "allowFrom": ["123456789"] - }, - "discord": { - "enabled": false, - "token": "YOUR_DISCORD_BOT_TOKEN", - "allowFrom": ["YOUR_USER_ID"] - }, - "whatsapp": { - "enabled": false - }, - "feishu": { - "enabled": false, - "appId": "cli_xxx", - "appSecret": "xxx", - "encryptKey": "", - "verificationToken": "", - "allowFrom": [] - } - }, - "tools": { - "web": { - "search": { - "apiKey": "BSA..." - } - } - } -} -``` +> [!TIP] +> For production deployments, set `"restrictToWorkspace": true` in your config to sandbox the agent. + +| Option | Default | Description | +|--------|---------|-------------| +| `tools.restrictToWorkspace` | `false` | When `true`, restricts **all** agent tools (shell, file read/write/edit, list) to the workspace directory. Prevents path traversal and out-of-scope access. | +| `channels.*.allowFrom` | `[]` (allow all) | Whitelist of user IDs. Empty = allow everyone; non-empty = only listed users can interact. | -
## CLI Reference