fabi/PiCloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(claude): permissive project settings + gitignore local file

Browse Source 
Team-wide Claude Code permissions for the dev workflows actually
used in this repo (cargo, npm, docker, psql, curl, git, gh, jq,
exploration commands, common env-var prefixes), plus a targeted
denylist for the destructive operations that warrant explicit
confirmation (force-push, push to main, branch -D, docker prune
variants, rm -rf outside the project tree, sudo / passwd / dd).

  * .claude/settings.json — checked-in team-wide config
    (125 allow rules, 55 deny rules)
  * .claude/settings.local.json — gitignored, kept as the
    holding pen for personal in-session grants
  * .gitignore — adds the .local.json exclusion

The permissive shape is "allow everything common, deny the
specifically destructive." Mid-pattern wildcards in Bash rules
aren't actually supported by the matcher; the deny list only
uses prefix patterns that the engine respects.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
MechaCat02
2026-05-23 16:25:53 +02:00
parent 0473d295af
commit 4baaead642
2 changed files with 213 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

209
.claude/settings.json Normal file
View File

@@ -0,0 +1,209 @@
{
"$schema": "https://json.schemastore.org/claude-code-settings.json",
"permissions": {
"allow": [
"Read",
"Edit",
"Write",
"Bash(cargo *)",
"Bash(rustc *)",
"Bash(rustup *)",
"Bash(rustfmt *)",
"Bash(npm *)",
"Bash(npx *)",
"Bash(node *)",
"Bash(git *)",
"Bash(gh *)",
"Bash(docker *)",
"Bash(docker compose *)",
"Bash(psql *)",
"Bash(pg_isready *)",
"Bash(pg_dump *)",
"Bash(pg_restore *)",
"Bash(createdb *)",
"Bash(dropdb *)",
"Bash(curl *)",
"Bash(wget *)",
"Bash(nc *)",
"Bash(ss *)",
"Bash(lsof *)",
"Bash(ping *)",
"Bash(dig *)",
"Bash(host *)",
"Bash(ls)",
"Bash(ls *)",
"Bash(pwd)",
"Bash(cd *)",
"Bash(find *)",
"Bash(grep *)",
"Bash(rg *)",
"Bash(fd *)",
"Bash(head *)",
"Bash(tail *)",
"Bash(wc *)",
"Bash(file *)",
"Bash(stat *)",
"Bash(du *)",
"Bash(df *)",
"Bash(tree *)",
"Bash(realpath *)",
"Bash(readlink *)",
"Bash(basename *)",
"Bash(dirname *)",
"Bash(mkdir *)",
"Bash(touch *)",
"Bash(cp *)",
"Bash(mv *)",
"Bash(ln *)",
"Bash(chmod *)",
"Bash(diff *)",
"Bash(echo *)",
"Bash(printf *)",
"Bash(jq *)",
"Bash(sed *)",
"Bash(awk *)",
"Bash(tr *)",
"Bash(cut *)",
"Bash(sort *)",
"Bash(uniq *)",
"Bash(xargs *)",
"Bash(tee *)",
"Bash(ps *)",
"Bash(pgrep *)",
"Bash(pkill *)",
"Bash(kill *)",
"Bash(sleep *)",
"Bash(timeout *)",
"Bash(time *)",
"Bash(env)",
"Bash(env *)",
"Bash(which *)",
"Bash(whoami)",
"Bash(hostname)",
"Bash(uname *)",
"Bash(date *)",
"Bash(true)",
"Bash(false)",
"Bash(set *)",
"Bash(export *)",
"Bash(python *)",
"Bash(python3 *)",
"Bash(pip *)",
"Bash(pip3 *)",
"Bash(tar *)",
"Bash(gzip *)",
"Bash(gunzip *)",
"Bash(zip *)",
"Bash(unzip *)",
"Bash(md5sum *)",
"Bash(sha256sum *)",
"Bash(openssl *)",
"Bash(base64 *)",
"Bash(PICLOUD_*)",
"Bash(POSTGRES_*)",
"Bash(DATABASE_URL=*)",
"Bash(RUST_LOG=*)",
"Bash(RUST_BACKTRACE=*)",
"Bash(PGPASSWORD=*)",
"Bash(PGHOST=*)",
"Bash(PGPORT=*)",
"Bash(PGUSER=*)",
"Bash(PGDATABASE=*)",
"Bash(NODE_ENV=*)",
"Bash(CI=*)",
"Bash(CARGO_*)",
"Bash(rm -rf target*)",
"Bash(rm -rf node_modules*)",
"Bash(rm -rf build*)",
"Bash(rm -rf .svelte-kit*)",
"Bash(rm -rf /tmp/picloud*)",
"Bash(rm /tmp/*)",
"Bash(rm -f /tmp/*)",
"Skill(simplify)",
"Skill(review)",
"Skill(security-review)",
"Skill(init)",
"Skill(update-config)",
"Skill(update-config:*)",
"Skill(fewer-permission-prompts)",
"Skill(claude-api)"
],
"deny": [
"Bash(git push --force *)",
"Bash(git push -f *)",
"Bash(git push --force-with-lease *)",
"Bash(git push origin main)",
"Bash(git push origin main *)",
"Bash(git push origin master)",
"Bash(git push origin master *)",
"Bash(git push origin :main)",
"Bash(git push origin :master)",
"Bash(git push --delete *)",
"Bash(git push --mirror *)",
"Bash(git branch -D *)",
"Bash(git branch --force *)",
"Bash(git reset --hard *)",
"Bash(git clean -fd*)",
"Bash(git clean -fx*)",
"Bash(git filter-branch *)",
"Bash(git update-ref -d *)",
"Bash(git remote remove *)",
"Bash(docker system prune *)",
"Bash(docker volume rm *)",
"Bash(docker volume prune *)",
"Bash(docker image prune -a*)",
"Bash(docker network prune *)",
"Bash(docker builder prune *)",
"Bash(rm -rf /)",
"Bash(rm -rf /bin*)",
"Bash(rm -rf /boot*)",
"Bash(rm -rf /dev*)",
"Bash(rm -rf /etc*)",
"Bash(rm -rf /lib*)",
"Bash(rm -rf /opt*)",
"Bash(rm -rf /proc*)",
"Bash(rm -rf /root*)",
"Bash(rm -rf /sbin*)",
"Bash(rm -rf /srv*)",
"Bash(rm -rf /sys*)",
"Bash(rm -rf /usr*)",
"Bash(rm -rf /var*)",
"Bash(rm -rf /home/fabi)",
"Bash(rm -rf /home/fabi/.*)",
"Bash(rm -rf ~)",
"Bash(rm -rf ~/.*)",
"Bash(rm -rf $HOME*)",
"Bash(rm -rf ${HOME}*)",
"Bash(chmod -R 777 *)",
"Bash(chown -R *)",
"Bash(dd if=*)",
"Bash(mkfs *)",
"Bash(mkfs.*)",
"Bash(sudo *)",
"Bash(su *)",
"Bash(su)",
"Bash(passwd *)",
"Bash(passwd)"
]
}
}

4
.gitignore vendored
View File

@@ -10,6 +10,10 @@ Cargo.lock.bak
*.swo *.swo
.DS_Store .DS_Store
# Claude Code — team-wide settings go in .claude/settings.json (tracked);
# personal grants from in-session prompts live in settings.local.json.
.claude/settings.local.json
# Env / secrets # Env / secrets
.env .env
.env.* .env.*