{
  "enabled": true,
  "network": {
    "allowNetwork": false,
    "allowLocalBinding": false,
    "allowAllUnixSockets": false,
    "allowUnixSockets": [],
    "allowedDomains": [],
    "deniedDomains": []
  },
  "filesystem": {
    "denyRead": ["/Users", "/home"],
    "allowRead": [".", "~/.gitconfig", "~/.config/git/config", "/dev/null"],
    "allowWrite": [".", "/dev/null"],
    "denyWrite": [
      "**/.env",
      "**/.env.*",
      "**/*.pem",
      "**/*.key",
      ".pi/sandbox.json",
      "~/.pi/agent/sandbox.json"
    ]
  }
}
