From 4baaead642247ba65c3fda8ed1d087e9a3992d01 Mon Sep 17 00:00:00 2001
From: MechaCat02
Date: Sat, 23 May 2026 16:25:53 +0200
Subject: [PATCH] chore(claude): permissive project settings + gitignore local file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Team-wide Claude Code permissions for the dev workflows actually used in this repo (cargo, npm, docker, psql, curl, git, gh, jq, exploration commands, common env-var prefixes), plus a targeted denylist for the destructive operations that warrant explicit confirmation (force-push, push to main, branch -D, docker prune variants, rm -rf outside the project tree, sudo / passwd / dd).

* .claude/settings.json — checked-in team-wide config (125 allow rules, 55 deny rules)
* .claude/settings.local.json — gitignored, kept as the holding pen for personal in-session grants
* .gitignore — adds the .local.json exclusion

The permissive shape is "allow everything common, deny the specifically destructive." Mid-pattern wildcards in Bash rules aren't actually supported by the matcher; the deny list only uses prefix patterns that the engine respects.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .claude/settings.json | 209 ++++++++++++++++++++++++++++++++++++++++++
 .gitignore | 4 +
 2 files changed, 213 insertions(+)
 create mode 100644 .claude/settings.json

diff --git a/.claude/settings.json b/.claude/settings.json
new file mode 100644
index 0000000..4f22429
--- /dev/null
+++ b/.claude/settings.json
@@ -0,0 +1,209 @@
+{
+ "$schema": "https://json.schemastore.org/claude-code-settings.json",
+ "permissions": {
+ "allow": [
+ "Read",
+ "Edit",
+ "Write",
+
+ "Bash(cargo *)",
+ "Bash(rustc *)",
+ "Bash(rustup *)",
+ "Bash(rustfmt *)",
+
+ "Bash(npm *)",
+ "Bash(npx *)",
+ "Bash(node *)",
+
+ "Bash(git *)",
+ "Bash(gh *)",
+
+ "Bash(docker *)",
+ "Bash(docker compose *)",
+
+ "Bash(psql *)",
+ "Bash(pg_isready *)",
+ "Bash(pg_dump *)",
+ "Bash(pg_restore *)",
+ "Bash(createdb *)",
+ "Bash(dropdb *)",
+
+ "Bash(curl *)",
+ "Bash(wget *)",
+ "Bash(nc *)",
+ "Bash(ss *)",
+ "Bash(lsof *)",
+ "Bash(ping *)",
+ "Bash(dig *)",
+ "Bash(host *)",
+
+ "Bash(ls)",
+ "Bash(ls *)",
+ "Bash(pwd)",
+ "Bash(cd *)",
+ "Bash(find *)",
+ "Bash(grep *)",
+ "Bash(rg *)",
+ "Bash(fd *)",
+ "Bash(head *)",
+ "Bash(tail *)",
+ "Bash(wc *)",
+ "Bash(file *)",
+ "Bash(stat *)",
+ "Bash(du *)",
+ "Bash(df *)",
+ "Bash(tree *)",
+ "Bash(realpath *)",
+ "Bash(readlink *)",
+ "Bash(basename *)",
+ "Bash(dirname *)",
+
+ "Bash(mkdir *)",
+ "Bash(touch *)",
+ "Bash(cp *)",
+ "Bash(mv *)",
+ "Bash(ln *)",
+ "Bash(chmod *)",
+ "Bash(diff *)",
+
+ "Bash(echo *)",
+ "Bash(printf *)",
+ "Bash(jq *)",
+ "Bash(sed *)",
+ "Bash(awk *)",
+ "Bash(tr *)",
+ "Bash(cut *)",
+ "Bash(sort *)",
+ "Bash(uniq *)",
+ "Bash(xargs *)",
+ "Bash(tee *)",
+
+ "Bash(ps *)",
+ "Bash(pgrep *)",
+ "Bash(pkill *)",
+ "Bash(kill *)",
+ "Bash(sleep *)",
+ "Bash(timeout *)",
+ "Bash(time *)",
+
+ "Bash(env)",
+ "Bash(env *)",
+ "Bash(which *)",
+ "Bash(whoami)",
+ "Bash(hostname)",
+ "Bash(uname *)",
+ "Bash(date *)",
+ "Bash(true)",
+ "Bash(false)",
+ "Bash(set *)",
+ "Bash(export *)",
+
+ "Bash(python *)",
+ "Bash(python3 *)",
+ "Bash(pip *)",
+ "Bash(pip3 *)",
+
+ "Bash(tar *)",
+ "Bash(gzip *)",
+ "Bash(gunzip *)",
+ "Bash(zip *)",
+ "Bash(unzip *)",
+ "Bash(md5sum *)",
+ "Bash(sha256sum *)",
+ "Bash(openssl *)",
+ "Bash(base64 *)",
+
+ "Bash(PICLOUD_*)",
+ "Bash(POSTGRES_*)",
+ "Bash(DATABASE_URL=*)",
+ "Bash(RUST_LOG=*)",
+ "Bash(RUST_BACKTRACE=*)",
+ "Bash(PGPASSWORD=*)",
+ "Bash(PGHOST=*)",
+ "Bash(PGPORT=*)",
+ "Bash(PGUSER=*)",
+ "Bash(PGDATABASE=*)",
+ "Bash(NODE_ENV=*)",
+ "Bash(CI=*)",
+ "Bash(CARGO_*)",
+
+ "Bash(rm -rf target*)",
+ "Bash(rm -rf node_modules*)",
+ "Bash(rm -rf build*)",
+ "Bash(rm -rf .svelte-kit*)",
+ "Bash(rm -rf /tmp/picloud*)",
+ "Bash(rm /tmp/*)",
+ "Bash(rm -f /tmp/*)",
+
+ "Skill(simplify)",
+ "Skill(review)",
+ "Skill(security-review)",
+ "Skill(init)",
+ "Skill(update-config)",
+ "Skill(update-config:*)",
+ "Skill(fewer-permission-prompts)",
+ "Skill(claude-api)"
+ ],
+
+ "deny": [
+ "Bash(git push --force *)",
+ "Bash(git push -f *)",
+ "Bash(git push --force-with-lease *)",
+ "Bash(git push origin main)",
+ "Bash(git push origin main *)",
+ "Bash(git push origin master)",
+ "Bash(git push origin master *)",
+ "Bash(git push origin :main)",
+ "Bash(git push origin :master)",
+ "Bash(git push --delete *)",
+ "Bash(git push --mirror *)",
+ "Bash(git branch -D *)",
+ "Bash(git branch --force *)",
+ "Bash(git reset --hard *)",
+ "Bash(git clean -fd*)",
+ "Bash(git clean -fx*)",
+ "Bash(git filter-branch *)",
+ "Bash(git update-ref -d *)",
+ "Bash(git remote remove *)",
+
+ "Bash(docker system prune *)",
+ "Bash(docker volume rm *)",
+ "Bash(docker volume prune *)",
+ "Bash(docker image prune -a*)",
+ "Bash(docker network prune *)",
+ "Bash(docker builder prune *)",
+
+ "Bash(rm -rf /)",
+ "Bash(rm -rf /bin*)",
+ "Bash(rm -rf /boot*)",
+ "Bash(rm -rf /dev*)",
+ "Bash(rm -rf /etc*)",
+ "Bash(rm -rf /lib*)",
+ "Bash(rm -rf /opt*)",
+ "Bash(rm -rf /proc*)",
+ "Bash(rm -rf /root*)",
+ "Bash(rm -rf /sbin*)",
+ "Bash(rm -rf /srv*)",
+ "Bash(rm -rf /sys*)",
+ "Bash(rm -rf /usr*)",
+ "Bash(rm -rf /var*)",
+ "Bash(rm -rf /home/fabi)",
+ "Bash(rm -rf /home/fabi/.*)",
+ "Bash(rm -rf ~)",
+ "Bash(rm -rf ~/.*)",
+ "Bash(rm -rf $HOME*)",
+ "Bash(rm -rf ${HOME}*)",
+
+ "Bash(chmod -R 777 *)",
+ "Bash(chown -R *)",
+ "Bash(dd if=*)",
+ "Bash(mkfs *)",
+ "Bash(mkfs.*)",
+ "Bash(sudo *)",
+ "Bash(su *)",
+ "Bash(su)",
+ "Bash(passwd *)",
+ "Bash(passwd)"
+ ]
+ }
+}
diff --git a/.gitignore b/.gitignore
index 7a3e394..6c00c9a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,10 @@ Cargo.lock.bak
 *.swo
 .DS_Store
+# Claude Code — team-wide settings go in .claude/settings.json (tracked);
+# personal grants from in-session prompts live in settings.local.json.
+.claude/settings.local.json
+
 # Env / secrets
 .env
 .env.*
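Review bot: The `deny` rules at the end of the hunk are prefix matches (the commit message says so), yet the `allow` list earlier in the same hunk grants generic wrappers — `Bash(env *)`, `Bash(timeout *)`, `Bash(xargs *)`, `Bash(find *)`, `Bash(python *)`, `Bash(node *)` — and bare assignment prefixes such as `Bash(CI=*)` and `Bash(PGPASSWORD=*)`, so a command line like `CI=1 git push --force …` or `env sudo …` matches an allow rule while no deny prefix applies to it. Deny does win over allow when both match, so the exact spellings listed are stopped, but the `VAR=*` and wrapper entries make the deny section a guard against accidental invocation rather than an enforcement boundary; I would drop the `VAR=*` allows (or keep them in settings.local.json, as the .gitignore hunk intends for personal grants) and say in the commit message or README that the denylist is best-effort. `Bash(dropdb *)` is allowed with no deny counterpart although it is at least as destructive as the denied `Bash(docker volume rm *)`, so either add `"Bash(dropdb *)"` to `deny` or state why it is trusted. `Bash(rm -rf /home/fabi)` and `Bash(rm -rf /home/fabi/.*)` bake one developer's home path into the team-wide file; the `~`, `$HOME` and `${HOME}` entries already cover that case, so the two hard-coded lines can go. `Bash(docker compose *)` is also redundant under `Bash(docker *)`.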