gog Safety Profiles
Build and deploy gog binaries with compile-time command removal. Commands that are disabled don't exist in the binary — no runtime bypass possible.
Quick Start
1. Choose a safety level
| Level | Use case | Can send email/chat? |
|---|---|---|
| L1 | Email triage, drafting, inbox organization | No |
| L2 | L1 + commenting, RSVP, collaborative work | No |
| L3 | Full write access, no dangerous admin ops | Yes |
For full details: `references/levels.md`
2. Build
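```bash
# Build for the current platform
./scripts/build-gog-safe.sh L1
# Cross-compile for Linux ARM64 (e.g. AWS Graviton)
./scripts/build-gog-safe.sh L1 --arch arm64 --os linux
# Custom output path
./scripts/build-gog-safe.sh L2 --output /tmp/gog-l2
```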
Requires: Go 1.22+, git. First run clones the PR #366 branch (~30s).
3. Deploy
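```bash
# Deploy to a remote host over SSH
./scripts/deploy-gog-safe.sh spock /tmp/gogcli-safety-build/bin/gog-l1-safe
# Deploy and verify (tests blocked and allowed commands)
./scripts/deploy-gog-safe.sh spock /tmp/gogcli-safety-build/bin/gog-l1-safe --verify
```
The deploy script:
- Backs up the existing `gog` as `gog-backup`
- Installs the new binary
- Verifies version output
- Optionally tests that blocked commands are gone and allowed commands work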
4. Rollback
```bash
ssh <host> sudo mv /usr/local/bin/gog-backup /usr/local/bin/gog
```
How It Works
Uses gogcli's compile-time safety profiles feature (PR #366 on steipete/gogcli). A YAML file specifies which commands are enabled (true) or removed (false). The build system generates Go source files with only the enabled commands, then compiles. The resulting binary's version is tagged with -safe.
YAML Profiles
In `references/`:
- `l1-draft.yaml` — Draft & Organize
- `l2-collaborate.yaml` — Draft & Collaborate
- `l3-standard.yaml` — Full Write (No Admin)
Custom profiles: copy any YAML, edit the true/false flags, pass to build-gog-safe.sh.
Verification
After deployment, verify with:
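```bash
ssh <host> gog --version                    # Should show the -safe suffix
ssh <host> gog gmail send --help 2>&1       # Should fail (L1/L2)
ssh <host> gog gmail drafts create --help   # Should succeed (all levels)
```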
Known Edge Cases
- Filter forwarding: `gmail settings filters create` is allowed at L1+ for inbox organization. A filter with a forward action could auto-forward email. Accepted risk for v1.
- Drive sharing: `drive share` is allowed at L1+ because sharing grants access without sending a message notification. The shared user sees it in "Shared with me" but doesn't get an email.
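Skill name: gog-safety
Detailed description:
gog Safety Profiles
Build and deploy gog binaries with compile-time command removal. Commands that are disabled don't exist in the binary; no runtime bypass is possible.
Quick Start
1. Choose a safety level
| Level | Use case | Can send email/chat? |
|---|---|---|
| L1 | Email triage, drafting, inbox organization | No |
| L2 | L1 + commenting, RSVP, collaborative work | No |
| L3 | Full write access, no dangerous admin ops | Yes |

For full details: `references/levels.md`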
2. Build
```bash
# Build for the current platform
./scripts/build-gog-safe.sh L1
# Cross-compile for Linux ARM64 (e.g. AWS Graviton)
./scripts/build-gog-safe.sh L1 --arch arm64 --os linux
# Custom output path
./scripts/build-gog-safe.sh L2 --output /tmp/gog-l2
```
Requires: Go 1.22+, git. First run clones the PR #366 branch (~30s).
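3. Deploy
```bash
# Deploy to a remote host over SSH
./scripts/deploy-gog-safe.sh spock /tmp/gogcli-safety-build/bin/gog-l1-safe
# Deploy and verify (tests blocked and allowed commands)
./scripts/deploy-gog-safe.sh spock /tmp/gogcli-safety-build/bin/gog-l1-safe --verify
```
The deploy script:
- Backs up the existing `gog` as `gog-backup`
- Installs the new binary
- Verifies version output
- Optionally tests that blocked commands are gone and allowed commands work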
4. Rollback
```bash
ssh <host> sudo mv /usr/local/bin/gog-backup /usr/local/bin/gog
```
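How It Works
Uses gogcli's compile-time safety profiles feature (PR #366 on steipete/gogcli). A YAML file specifies which commands are enabled (true) or removed (false). The build system generates Go source files with only the enabled commands, then compiles. The resulting binary's version is tagged with -safe.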
YAML Profiles
In `references/`:
- `l1-draft.yaml` — Draft & Organize
- `l2-collaborate.yaml` — Draft & Collaborate
- `l3-standard.yaml` — Full Write (No Admin)

Custom profiles: copy any YAML, edit the true/false flags, pass to `build-gog-safe.sh`.
Verification
After deployment, verify with:
```bash
ssh <host> gog --version                    # Should show the -safe suffix
ssh <host> gog gmail send --help 2>&1       # Should fail (L1/L2)
ssh <host> gog gmail drafts create --help   # Should succeed (all levels)
```
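Known Edge Cases
- Filter forwarding: `gmail settings filters create` is allowed at L1+ for inbox organization. A filter with a forward action could auto-forward email. Accepted risk for v1.
- Drive sharing: `drive share` is allowed at L1+ because sharing grants access without sending a message notification. The shared user sees it in "Shared with me" but doesn't get an email.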
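
A compensating check for the filter-forwarding edge case above, as an added example that is not part of gogcli or this skill: it scans a filter list for `forward` actions whose destination falls outside an allowed set of domains. It assumes the filters are available as JSON in the shape of the Gmail API `users.settings.filters.list` response; `AuditForwarding`, the allowed domain and the sample data are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// filterList mirrors a Gmail API users.settings.filters.list response (used fields only).
type filterList struct {
	Filter []struct {
		ID     string `json:"id"`
		Action struct{ Forward string `json:"forward"` } `json:"action"`
	} `json:"filter"`
}

// Finding is one filter that forwards mail to a destination outside the allow-list.
type Finding struct{ ID, Forward string }

// AuditForwarding (hypothetical helper) flags filters forwarding outside allowedDomains.
func AuditForwarding(raw []byte, allowedDomains []string) ([]Finding, error) {
	var fl filterList
	if err := json.Unmarshal(raw, &fl); err != nil {
		return nil, fmt.Errorf("parse filter list: %w", err)
	}
	var out []Finding
	for _, f := range fl.Filter {
		if f.Action.Forward == "" {
			continue // label/archive only: the intended inbox-organization use
		}
		at, allowed := strings.LastIndex(f.Action.Forward, "@"), false
		for _, d := range allowedDomains {
			allowed = allowed || (at >= 0 && strings.EqualFold(f.Action.Forward[at+1:], d))
		}
		if !allowed {
			out = append(out, Finding{f.ID, f.Action.Forward})
		}
	}
	return out, nil
}

// Constructed sample data, not taken from a real account.
const sample = `{"filter":[
 {"id":"f1","action":{"addLabelIds":["Label_1"],"removeLabelIds":["INBOX"]}},
 {"id":"f2","action":{"forward":"ops@example.com"}},
 {"id":"f3","action":{"forward":"drop@external.example"}}]}`

func main() {
	fmt.Println(AuditForwarding([]byte(sample), []string{"example.com"}))
}
```

Run on a schedule against each account an L1+ binary can reach, a non-empty result is the signal that a filter created for inbox organization is also forwarding mail.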