Skip to content

feat: ENABLE_<CLI> toggles + default-deny for Gemini, OpenCode, Hermes #30

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dgokeeffe wants to merge 1 commit into
base: main
Choose a base branch
from
Open

feat: ENABLE_<CLI> toggles + default-deny for Gemini, OpenCode, Hermes #30

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions app.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,19 @@ env:
value: databricks-claude-opus-4-6
- name: HERMES_FALLBACK_MODEL
value: databricks-claude-opus-4-6
# Set ENABLE_HERMES=false to skip Hermes Agent install. Other CLIs are unaffected.
- name: ENABLE_HERMES
# Per-CLI install toggle. Defaults reflect a "least-trusted code in the App
# container" stance: Claude Code (Anthropic) and Codex (OpenAI) ship from
# vendors with mature signing/SBOM/advisory pipelines and are enabled by
# default. Gemini, OpenCode, and Hermes are opt-in — set ENABLE_<CLI>=true
# to install them. Claude Code is the primary CLI and isn't toggleable here.
- name: ENABLE_CODEX
value: "true"
- name: ENABLE_OPENCODE
value: "false"
- name: ENABLE_GEMINI
value: "false"
- name: ENABLE_HERMES
value: "false"
- name: CLAUDE_CODE_DISABLE_AUTO_MEMORY
value: 0
- name: MAX_CONCURRENT_SESSIONS
Expand Down
5 changes: 5 additions & 0 deletions setup_codex.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,11 @@

from utils import adapt_instructions_file, ensure_https, get_gateway_host, get_npm_version

# Opt-out: allow operators to disable Codex bundling without removing the file.
if os.environ.get("ENABLE_CODEX", "true").strip().lower() in ("false", "0", "no"):
print("ENABLE_CODEX=false — skipping Codex CLI setup")
raise SystemExit(0)

# Set HOME if not properly set
if not os.environ.get("HOME") or os.environ["HOME"] == "/":
os.environ["HOME"] = "/app/python/source_code"
Expand Down
5 changes: 5 additions & 0 deletions setup_gemini.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,11 @@

from utils import adapt_instructions_file, ensure_https, get_gateway_host, get_npm_version

# Opt-out: allow operators to disable Gemini bundling without removing the file.
if os.environ.get("ENABLE_GEMINI", "true").strip().lower() in ("false", "0", "no"):
print("ENABLE_GEMINI=false — skipping Gemini CLI setup")
raise SystemExit(0)

# Set HOME if not properly set
if not os.environ.get("HOME") or os.environ["HOME"] == "/":
os.environ["HOME"] = "/app/python/source_code"
Expand Down
5 changes: 5 additions & 0 deletions setup_opencode.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,11 @@

from utils import ensure_https, get_gateway_host, get_npm_version

# Opt-out: allow operators to disable OpenCode bundling without removing the file.
if os.environ.get("ENABLE_OPENCODE", "true").strip().lower() in ("false", "0", "no"):
print("ENABLE_OPENCODE=false — skipping OpenCode CLI setup")
raise SystemExit(0)

# content-filter proxy local proxy — sanitizes empty content blocks before reaching Databricks
# (see https://github.com/sst/opencode/issues/5028)
CONTENT_FILTER_PROXY_URL = "http://127.0.0.1:4000"
Expand Down