Policy
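Approvals + Sandbox: A Practical Policy Baseline
Use the policy layer to control high-risk commands and establish a predictable, auditable security baseline for local execution.
Step 1: View the current policy state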
mosaic --project-state approvals get
mosaic --project-state sandbox get
mosaic --project-state safety get
Step 2: Set the approvals mode
mosaic --project-state approvals set confirm
mosaic --project-state approvals get
# Stricter
mosaic --project-state approvals set deny
# Allowlist mode for automation
mosaic --project-state approvals set allowlist
Step 3: Manage allowlist prefixes
mosaic --project-state approvals allowlist add "git status"
mosaic --project-state approvals allowlist add "git diff"
mosaic --project-state approvals allowlist list
mosaic --project-state approvals allowlist remove "git diff"
Step 4: Check the approvals decision for a specific command
mosaic --project-state approvals check --command "git status"
mosaic --project-state approvals check --command "rm -rf /tmp/x"
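The allowlist in step 3 is a list of command prefixes, so it matters what "starts with" means when an entry is reviewed. The following is an added example, not mosaic's own code, and this page does not describe mosaic's matching rules: `naive_allows` and `decide` are hypothetical helpers that contrast a plain string-prefix test with token-wise matching that denies shell operators, command substitution and unbalanced quotes.

```python
import shlex

PUNCT = set("();<>|&")              # shell operators that shlex splits out
SUBSTITUTION = ("$(", "`", "\n")    # command substitution, or a second command line
ALLOWLIST = ["git status", "git diff"]   # the prefixes from step 3

def naive_allows(command, allowlist):
    """Plain string-prefix test, shown only for contrast."""
    return any(command.startswith(p) for p in allowlist)

def decide(command, allowlist):
    """Return "allow" only when the leading tokens equal an allowlisted prefix
    and the command holds no operator, substitution or unbalanced quote."""
    if any(marker in command for marker in SUBSTITUTION):
        return "deny"
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True   # split on whitespace, keep operators separate
    lexer.commenters = ""           # treat "#" literally
    try:
        tokens = list(lexer)
    except ValueError:              # unbalanced quotes
        return "deny"
    if not tokens or any(t and set(t) <= PUNCT for t in tokens):
        return "deny"               # conservative: a quoted ";" is denied too
    for prefix in allowlist:
        want = prefix.split()
        if tokens[:len(want)] == want:
            return "allow"
    return "deny"

# Constructed sample commands for reviewing allowlist entries (not mosaic output).
SAMPLES = [
    "git status",
    "git status --short",
    "git status-all",
    "git status; rm -rf /tmp/x",
    "git status && curl https://example.com",
    "git status\nrm -rf /tmp/x",
    'git diff "a b',
    "rm -rf /tmp/x",
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:45} naive={naive_allows(cmd, ALLOWLIST)!s:5} tokens={decide(cmd, ALLOWLIST)}")
```

Running the same inputs through `approvals check --command` shows how the tool itself rules on them.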
Step 5: Set and explain the sandbox profile
mosaic --project-state sandbox list
mosaic --project-state sandbox set standard
mosaic --project-state sandbox explain --profile restricted
mosaic --project-state sandbox explain --profile elevated
Step 6: Check the sandbox decision for a specific command
mosaic --project-state sandbox check --command "git status"
mosaic --project-state sandbox check --command "curl https://example.com"
Step 7: Verify the combined safety decision
mosaic --project-state safety check --command "git status"
mosaic --project-state safety check --command "curl https://example.com"
mosaic --project-state safety report --audit-tail 50 --compare-window 24h
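Step 8: Recommended team defaults
- Default policy: approvals=confirm + sandbox=standard.
- Use allowlist only for explicitly controlled CI prefix commands.
- Before every release, always run doctor and safety report.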