From bd48b39b92105e9732a90e30994c0bf1d65fa598 Mon Sep 17 00:00:00 2001
From: Aaron Stainback <aaron_bond@yahoo.com>
Date: Tue, 12 May 2026 12:52:17 -0400
Subject: [PATCH] feat(permissions): allow osascript/kill/pkill/open for
 browser-extraction skill (Aaron 2026-05-12 explicit authorization)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Aaron 2026-05-12 explicit authorization request: "can you put
that in project settings in git and it apply or me instead of
just this pc?"

Adds four Bash permission patterns to .claude/settings.json
allow-list:
- Bash(osascript *) — enables Chrome AppleScript invocation
  for the browser-extraction skill (authenticated session
  extraction via osascript + Chrome JS execution)
- Bash(kill *) — for killing Playwright Chrome (step 1 of
  the skill; Playwright shadows real Chrome for AppleScript)
- Bash(pkill *) — alternative kill pattern for the same
  Playwright-Chrome scenario
- Bash(open -a *) — for opening Chrome if needed
  ("open -a Google Chrome")

These four patterns together complete the browser-extraction
skill's permission requirements per
.claude/skills/browser-extraction/SKILL.md (already exists).

Context: the auto-mode classifier had previously denied
osascript+Chrome calls as "exfiltration of third-party-
service data" — substrate-honest safety doing its job until
Aaron-explicit-authorization provides the discipline context.
This commit makes the authorization persistent + project-
level (committed to git, applies for all repo clones, not
local-only).

Composes with:
- The browser-extraction skill (.claude/skills/browser-
  extraction/SKILL.md)
- WWJD-keeps-grey-honest substrate (PR #2803 cascade) —
  Aaron explicitly notes "classifier from 3rd party is what
  keeps ME honest right now"
- Future Zeta-own-harness substrate (PR #2805) — these
  permissions are current-state; future-harness would
  apply WWJD-calibrated vision-aware classifier instead

This is substrate-honest power expansion. Aaron authorized
specifically; the four patterns are scoped to the substrate-
extraction need; no over-broad grants (e.g., no bare "Bash"
allowlist).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .claude/settings.json | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/.claude/settings.json b/.claude/settings.json
index 0fba1a8814..ee0594f231 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -75,6 +75,10 @@
       "Bash(z3 *)",
       "Bash(node *)",
       "Bash(mkdir *)",
+      "Bash(osascript *)",
+      "Bash(kill *)",
+      "Bash(pkill *)",
+      "Bash(open -a *)",
       "Edit",
       "Write",
       "WebFetch",