chore(perms): allow brew install + nix CLI + darwin-rebuild#4904
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 942546248a
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| @@ -1,10 +1,4 @@ | |||
| { | |||
There was a problem hiding this comment.
_ip_risk_acceptance attribution block
This change drops the only _*_acceptance metadata from .claude/settings.json, so edits to docs/research/ip-questionable/** can still proceed (via the existing broad Bash(gh api *) allow rule) without the named-human risk attribution required by .claude/rules/human-audit-and-legal-risk-acceptance-pattern-in-settings.md (“MUST attach a named human” with operator/scope/policy/see_also). That creates an auditability regression: the risk-acceptance trail documented for this scope is no longer present at the command-permission surface where it was previously anchored.
Useful? React with 👍 / 👎.
1 participant
Summary
Adds 12 Bash permission patterns to `.claude/settings.json` so the agent can run `brew install` (Nix), the full nix CLI surface, and `darwin-rebuild` for nix-darwin's `linux-builder` activation.
These are needed to build the installer ISO from the flake locally on Apple Silicon Macs via the nix-darwin `linux-builder` path — uses Apple's Virtualization.framework + Rosetta 2 for Rosetta-accelerated x86_64 Linux builds, no third-party VM software required.
Permissions added
Test plan
Co-Authored-By: Claude Opus 4.7 (1M context) noreply@anthropic.com