chore(claude): tune permissions for safer low-friction defaults#7263
Open
jstirnaman wants to merge 5 commits into
- check-bash-worktree.sh: PreToolUse Bash matcher that blocks commands referencing the main clone instead of the active worktree (parses absolute paths from tool_input.command).
- worktree-context.sh: UserPromptSubmit hook that injects a one-line reminder of the active worktree on every user prompt, so the rule survives compaction and attention decay.
- settings.json: register both hooks.

Reminder + deterministic block give belt-and-suspenders coverage — the reminder shapes behavior, the block catches lapses.

https://claude.ai/code/session_01Wo4ETjsNM4ggHqFSqRTyPN
Move the inline yarn-install SessionStart command into a dedicated .claude/hooks/session-start.sh and add ShellCheck installation.

The pre-commit `shellcheck` Lefthook step requires shellcheck >= 0.10.0 and otherwise falls back to Docker. The Claude Code on the web container ships neither, so shell-script commits previously failed until shellcheck was installed by hand. The hook now installs the pinned binary (matching .ci/shellcheck/shellcheck.sh) so linting works on a cold start.

Remote-only (CLAUDE_CODE_REMOTE), idempotent, and synchronous so deps are guaranteed ready before the session begins.

https://claude.ai/code/session_01Wo4ETjsNM4ggHqFSqRTyPN
- allow: add read-only shellcheck linter, its repo wrapper, and the github pull_request_read MCP tool (observed in recent sessions).
- ask: add high-impact destructive ops so they prompt even under permissive modes — git reset --hard, git clean, git rebase, sudo, dd, shred, mkfs. ask takes precedence over the broad allow wildcards.
- deny: broaden sensitive-file protection beyond root .env to nested env files, private keys, credential stores, and ~/.ssh|.aws|.gnupg.

https://claude.ai/code/session_01Wo4ETjsNM4ggHqFSqRTyPN
Summary

Tunes `.claude/settings.json` permissions to reduce prompts for safe, read-only commands while keeping guardrails on destructive actions and sensitive files. Follow-up to #7261 (worktree hooks + lint toolchain).

- allow: `Bash(shellcheck:*)`, `Bash(.ci/shellcheck/shellcheck.sh:*)` (static analysis, no mutation), and `mcp__github__pull_request_read`.
- ask: `git reset --hard`, `git clean`, `git rebase`, `sudo`, `dd`, `shred`, `mkfs`. `ask` takes precedence over the broad `allow` wildcards, so these still prompt.
- deny: broadened from root `.env` to nested env files, private keys (`*.pem`/`*.key`/`id_*`), credential stores (`.netrc`/`.npmrc`/`.git-credentials`/`**/credentials*`), and home-dir secrets (`~/.ssh`, `~/.aws`, `~/.gnupg`, `gh/hosts.yml`).

Caveats (documented, not bugs)

- `Read()` deny rules govern the Read/Edit/Write tools — they do not stop auto-allowed Bash (`cat`, `head`, `grep`) from reading those paths. The deny list is defense-in-depth; removing secrets from files entirely is the real fix.
- Broad wildcards (`bash`, `python`, `node`, `npx`, `make`, `curl`, `docker`, …) were intentionally left in `allow` to keep friction low. They remain the widest opening under Auto mode.

Test plan

- `jq empty .claude/settings.json` — valid JSON
- `allow`/`ask`/`deny` in `.claude/settings.json`

https://claude.ai/code/session_01Wo4ETjsNM4ggHqFSqRTyPN
Generated by Claude Code
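The first caveat in the description leaves a gap that a PreToolUse hook can cover as an extra defense-in-depth layer: the `Read()` deny rules do not stop an auto-allowed Bash `cat`/`head`/`grep` from touching the same secret paths. The script below is an added example, not code from this PR or from the repository; it follows Claude Code's hook protocol (JSON payload on stdin, `tool_input.command`, exit 2 to block), the sample payload is constructed, and the glob list is assumed to mirror the PR's deny rules.

```shell
#!/bin/sh
# Hypothetical Claude Code PreToolUse hook (added example, not code from PR #7263).
# Second layer for the PR's documented caveat: Read() deny rules do not stop an
# auto-allowed Bash command (cat, head, grep, ...) from reading the same files.
# Claude Code pipes a JSON payload on stdin; exit 2 blocks the tool call and returns
# stderr to the model. Register it under hooks.PreToolUse with matcher "Bash".
extract_command() {  # $1: hook payload JSON -> tool_input.command on stdout
  if command -v jq >/dev/null 2>&1; then
    printf '%s' "$1" | jq -r '.tool_input.command // empty'
  else  # fallback for payloads whose command contains no escaped quotes
    printf '%s' "$1" | grep -oE '"command"[[:space:]]*:[[:space:]]*"([^"\\]|\\.)*"' |
      head -n 1 | sed -E 's/^"command"[[:space:]]*:[[:space:]]*"//; s/"$//'
  fi
}

# Prints the first token matching a sensitive-path glob, or nothing if clean.
# Globs are assumed to mirror the PR's deny list: env files, private keys,
# credential stores, gh/hosts.yml, and ~/.ssh, ~/.aws, ~/.gnupg (literal or $HOME).
sensitive_token() {
  cleaned=$(printf '%s' "$1" | tr -d "'\"")  # quotes are noise for path matching
  set -f                                      # no globbing while splitting tokens
  for tok in $cleaned; do
    tok=${tok#"<"}                            # "< file" redirections count too
    case "$tok" in
      .env|.env.*|*/.env|*/.env.*|*.pem|*.key|id_*|*/id_*|\
      .netrc|.npmrc|.git-credentials|*/.netrc|*/.npmrc|*/.git-credentials|\
      credentials*|*/credentials*|*/gh/hosts.yml|\
      '~/.ssh'*|'~/.aws'*|'~/.gnupg'*|'$HOME'/.ssh*|'$HOME'/.aws*|'$HOME'/.gnupg*|\
      "$HOME"/.ssh*|"$HOME"/.aws*|"$HOME"/.gnupg*)
        set +f; printf '%s\n' "$tok"; return 0 ;;
    esac
  done
  set +f
}

classify_command() {  # "allow" or "block: <token>"; always exits 0
  hit=$(sensitive_token "$1")
  if [ -n "$hit" ]; then printf 'block: %s\n' "$hit"; else printf 'allow\n'; fi
}
hook_main() {  # real entry point: payload on stdin, verdict via exit status
  hit=$(sensitive_token "$(extract_command "$(cat)")")
  [ -z "$hit" ] && exit 0
  printf 'Blocked: %s is a deny-listed secret path; do not read it via Bash.\n' "$hit" >&2
  exit 2
}
# Constructed sample payload (not from a real session) for a stand-alone demo run.
SAMPLE_BLOCK='{"tool_name":"Bash","tool_input":{"command":"cat ~/.ssh/id_ed25519 | head -1"}}'
[ "${1:-}" = "--hook" ] && hook_main
classify_command "$(extract_command "$SAMPLE_BLOCK")"   # prints: block: ~/.ssh/id_ed25519
```

Wired in as another `PreToolUse` entry with matcher `Bash` (next to the `check-bash-worktree.sh` hook from #7261) it is invoked with `--hook`; run without arguments it prints the verdict for the embedded sample.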