chore: add Claude settings example file #58
- Add settings.local.example.json with standardized permissions
- Move git add/commit/push/checkout/stash to ALLOW
- Include dotnet commands and sn (strong name) tool
- Expand GH CLI read commands, keep mutators in ASK
- Deny dotnet nuget push to prevent accidental NuGet publish
Summary of Changes

Hello @joshsmithxrm, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces a new example configuration file, "settings.local.example.json", designed to standardize and streamline the permissions for the Claude AI assistant. It refines command access by allowing common development operations, including various Git and .NET commands, while requiring explicit confirmation for potentially destructive actions and outright denying sensitive operations like force pushes and accidental NuGet package publishing.
Code Review
This pull request introduces a settings.local.example.json file, which is a great addition to help users get started with standardized permissions for Claude. The permissions are well-structured into allow, deny, and ask categories, providing a good balance between functionality and safety. My review includes one suggestion to enhance safety by moving several file-modifying commands from the allow list to the ask list. This change would help prevent accidental data loss while still providing a powerful set of default capabilities.
| "allow": [ | ||
| "Bash(ls:*)", | ||
| "Bash(dir:*)", | ||
| "Bash(cd:*)", | ||
| "Bash(pwd:*)", | ||
| "Bash(cat:*)", | ||
| "Bash(head:*)", | ||
| "Bash(tail:*)", | ||
| "Bash(less:*)", | ||
| "Bash(more:*)", | ||
| "Bash(echo:*)", | ||
| "Bash(printf:*)", | ||
| "Bash(which:*)", | ||
| "Bash(where:*)", | ||
| "Bash(grep:*)", | ||
| "Bash(rg:*)", | ||
| "Bash(find:*)", | ||
| "Bash(findstr:*)", | ||
| "Bash(awk:*)", | ||
| "Bash(sed:*)", | ||
| "Bash(sort:*)", | ||
| "Bash(uniq:*)", | ||
| "Bash(wc:*)", | ||
| "Bash(test:*)", | ||
| "Bash([:*)", | ||
| "Bash(mkdir:*)", | ||
| "Bash(touch:*)", | ||
| "Bash(cp:*)", | ||
| "Bash(copy:*)", | ||
| "Bash(mv:*)", | ||
| "Bash(move:*)", | ||
| "Bash(git status:*)", | ||
| "Bash(git diff:*)", | ||
| "Bash(git log:*)", | ||
| "Bash(git show:*)", | ||
| "Bash(git branch:*)", | ||
| "Bash(git ls-files:*)", | ||
| "Bash(git ls-tree:*)", | ||
| "Bash(git rev-parse:*)", | ||
| "Bash(git remote:*)", | ||
| "Bash(git fetch:*)", | ||
| "Bash(git checkout:*)", | ||
| "Bash(git add:*)", | ||
| "Bash(git commit:*)", | ||
| "Bash(git push:*)", | ||
| "Bash(git stash:*)", | ||
| "Bash(git stash drop:*)", | ||
| "Bash(git stash pop:*)", | ||
| "Bash(git rm:*)", | ||
| "Bash(git mv:*)", | ||
| "Bash(git worktree list:*)", | ||
| "Bash(git worktree prune:*)", | ||
| "Bash(git describe:*)", | ||
| "Bash(git tag:*)", | ||
| "Bash(git -C:*)", | ||
| "Bash(dotnet:*)", | ||
| "Bash(dotnet build:*)", | ||
| "Bash(dotnet test:*)", | ||
| "Bash(dotnet pack:*)", | ||
| "Bash(dotnet restore:*)", | ||
| "Bash(dotnet clean:*)", | ||
| "Bash(dotnet run:*)", | ||
| "Bash(dotnet sln:*)", | ||
| "Bash(sn:*)", | ||
| "Bash(powershell:*)", | ||
| "Bash(pwsh:*)", | ||
| "Bash(Get-ChildItem:*)", | ||
| "Bash(Test-Path:*)", | ||
| "Bash(Get-Content:*)", | ||
| "Bash(Select-Object:*)", | ||
| "Bash(ForEach-Object:*)", | ||
| "Bash(Where-Object:*)", | ||
| "Bash(Measure-Object:*)", | ||
| "Bash(gh pr list:*)", | ||
| "Bash(gh pr view:*)", | ||
| "Bash(gh pr status:*)", | ||
| "Bash(gh pr checkout:*)", | ||
| "Bash(gh pr diff:*)", | ||
| "Bash(gh api repos/*/pulls/*/comments:*)", | ||
| "Bash(gh api repos/*/pulls/*/comments/*:*)", | ||
| "Bash(gh issue list:*)", | ||
| "Bash(gh issue view:*)", | ||
| "Bash(gh issue status:*)", | ||
| "Bash(gh repo view:*)", | ||
| "Bash(gh repo list:*)", | ||
| "Bash(gh run list:*)", | ||
| "Bash(gh run view:*)", | ||
| "Bash(gh run watch:*)", | ||
| "Bash(gh auth status:*)", | ||
| "Bash(gh release list:*)", | ||
| "Bash(gh release view:*)", | ||
| "WebSearch" | ||
| ], |
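Review bot: "Bash(git -C:*)" in the allow list admits any git subcommand once it is written as git -C <path> <subcommand>, so it sits outside the per-subcommand entries listed above it (git status, git diff, git add, ...) and outside any rule written against a bare "git <subcommand>" prefix. Consider dropping the entry, or moving it to ask, so that the subcommand list remains the actual boundary. A smaller point in the same hunk: "Bash(find:*)" also covers find's -delete and -exec actions, so if only searching is intended it belongs with the confirmation-required entries.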
This is a great set of default permissions. However, several commands in the allow list can perform file modification, overwriting, or deletion. To prevent accidental data loss or corruption if the AI makes a mistake, it would be safer to move these to the ask list to require user confirmation.
The commands I recommend moving are:
- Bash(echo:*) and Bash(printf:*): Can overwrite files using redirection (>).
- Bash(sed:*) and Bash(awk:*): Can modify files in-place (e.g., sed -i) or write to new files.
- Bash(cp:*), Bash(copy:*), Bash(mv:*), and Bash(move:*): Can overwrite or move files, which can be destructive.
- Bash(git rm:*) and Bash(git mv:*): These commands remove files from the working directory. For consistency with rm being in the ask list and for general safety, they should also require confirmation.
Moving these to ask would provide a crucial safety layer for developers using this example configuration.
Pull request overview
This PR adds a Claude settings example file that defines permissions for automated command execution. The configuration organizes bash commands into three categories: allowed (safe read-only and basic operations), denied (dangerous operations), and ask (operations requiring user confirmation).
Key Changes:
- New settings file with comprehensive permission rules for git, dotnet, GitHub CLI, and shell commands
- Git workflow commands (add, commit, push, checkout, stash) moved to allow list for smoother automation
- .NET commands and strong name tool included with deny rule for nuget push
- GitHub CLI read commands in allow list, mutating operations in ask list
| "Bash(dotnet test:*)", | ||
| "Bash(dotnet pack:*)", | ||
| "Bash(dotnet restore:*)", | ||
| "Bash(dotnet clean:*)", |
The 'git clean' command appears in both the allow list (line 63 as 'dotnet clean') and the deny list (line 99). However, these are actually two different commands: 'dotnet clean' (a safe .NET build cleanup command) and 'git clean' (which can delete untracked files). While they don't technically conflict, this could cause confusion. Consider adding a comment to clarify that 'dotnet clean' is allowed but 'git clean' is denied.
| "Bash(git describe:*)", | ||
| "Bash(git tag:*)", | ||
| "Bash(git -C:*)", | ||
| "Bash(dotnet:*)", |
The permission 'Bash(dotnet:*)' on line 58 is a catch-all that would allow all dotnet commands, making the more specific dotnet permission entries (lines 59-65) redundant. Additionally, this conflicts with the deny rule for 'dotnet nuget push' on line 100. The catch-all should be removed to ensure that only explicitly allowed dotnet commands can be executed and that the deny rule functions as intended.
| "Bash(dotnet:*)", |
| "Bash(gh api repos/*/pulls/*/comments:*)", | ||
| "Bash(gh api repos/*/pulls/*/comments/*:*)", |
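Review bot: the trailing :* on both "gh api repos/*/pulls/*/comments" entries accepts any further arguments, so these allow rules are not limited to reading comments. gh api switches from GET to POST when fields are passed with -f or -F, and -X selects any method, which means a command matching these patterns can also create or modify comments without a prompt. If read-only access is the intent, keep these endpoints under ask, or narrow the pattern so that extra arguments are not matched.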
The 'gh api' permission appears twice with different scoping. Line 130 has 'Bash(gh api:*)' in the ask list (requiring user confirmation), while lines 81-82 have specific 'gh api repos/*/pulls/*/comments' patterns in the allow list (permitted without confirmation). The more specific patterns on lines 81-82 would be overridden by the broader 'gh api:*' pattern in the ask list, potentially allowing unintended access to other API endpoints. Consider removing the catch-all from the ask list to ensure only the specific comment-reading endpoints are allowed.
| "Bash(git stash drop:*)", | ||
| "Bash(git stash pop:*)", |
The 'git stash drop' and 'git stash pop' commands are listed separately (lines 49-50) in addition to the general 'git stash' command (line 48). Since 'Bash(git stash:*)' would already match 'git stash drop' and 'git stash pop' due to the wildcard pattern, these specific entries are redundant and can be removed.
| "Bash(git stash drop:*)", | |
| "Bash(git stash pop:*)", |
| "Bash(powershell:*)", | ||
| "Bash(pwsh:*)", |
The PowerShell and pwsh permissions (lines 67-68) are catch-all patterns that would allow execution of any PowerShell scripts or commands. This is overly permissive and could allow potentially dangerous operations. Consider either removing these entries or adding specific PowerShell commands that should be allowed, similar to how git and dotnet commands are handled.
| "Bash(powershell:*)", | |
| "Bash(pwsh:*)", |
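The overlaps raised in the review comments above (a catch-all entry that makes specific ones redundant, an allow catch-all sitting over a deny entry, and shell launchers in allow) can be checked mechanically. This is an added example, not part of the pull request or the repository: it assumes a `Bash(<prefix>:*)` rule matches any command that begins with that prefix, and `LAUNCHERS`, `SAMPLE` and the function names are constructed for illustration.

```python
import re

RULE = re.compile(r"^Bash\((.+):\*\)$")
# Illustrative list (assumption): prefixes that hand control to an arbitrary sub-command.
LAUNCHERS = {"powershell", "pwsh", "git -C"}

# Constructed sample built from entries quoted in this review thread.
SAMPLE = {
    "allow": ["Bash(dotnet:*)", "Bash(dotnet build:*)", "Bash(git stash:*)",
              "Bash(git stash drop:*)", "Bash(pwsh:*)", "Bash(git -C:*)", "WebSearch"],
    "deny": ["Bash(dotnet nuget push:*)", "Bash(git clean:*)"],
    "ask": ["Bash(gh api:*)"],
}


def prefix(rule):
    """Command prefix of a Bash(<prefix>:*) rule, or None for other rule kinds."""
    m = RULE.match(rule)
    return m.group(1) if m else None


def covers(broad, narrow):
    """Assumed model: a rule matches any command starting with its prefix words."""
    return narrow == broad or narrow.startswith(broad + " ")


def audit(perms):
    """Return sorted (kind, rule, broader_allow_rule_or_None) findings."""
    allow = [(r, prefix(r)) for r in perms.get("allow", []) if prefix(r)]
    findings = set()
    for rule, p in allow:
        if p in LAUNCHERS:
            findings.add(("launcher", rule, None))
        for other, q in allow:
            if other != rule and covers(q, p):
                findings.add(("redundant", rule, other))
    # A deny/ask entry under a broader allow entry: the outcome then depends
    # entirely on which tier the tool evaluates first.
    for tier in ("deny", "ask"):
        for rule in perms.get(tier, []):
            p = prefix(rule)
            for other, q in allow:
                if p and covers(q, p):
                    findings.add((f"allow-overlaps-{tier}", rule, other))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for kind, rule, broader in audit(SAMPLE):
        print(f"{kind:22} {rule}" + (f"  <- {broader}" if broader else ""))
```

Run against a real settings file by loading its JSON and passing the object that holds the allow, deny and ask lists to `audit`.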
* chore: migrate project tracking to GitHub Issues
  - Create 37 GitHub issues for planned features and tech debt (#58-94)
  - Create 8 epic labels for organization (epic:alm, epic:data, etc.)
  - Convert accepted tradeoffs to ADRs in docs/adr/ (7 ADRs)
  - Delete ROADMAP.md (GitHub Issues is now source of truth)
  - Delete migrated docs/future/*.md files (kept design docs)
  - Delete docs/technical-debt/ folder (issues + ADRs replace it)
  - Update CLAUDE.md references to point to GitHub Issues and docs/adr/

  Closes #56
* chore: simplify .claude/ structure for UI shell pattern

  Remove agents, skills, examples, and workflow files that were overkill for a UI shell extension. Keep only panel templates and essential commands. Cross-repo commands (handoff, retrospective) moved to workspace level.

  Deleted:
  - .claude/agents/ (design-architect, code-guardian)
  - .claude/skills/ (code-cleanup, code-review-gateway)
  - .claude/examples/
  - .claude/WORKFLOW.md
  - 8 obsolete commands
  - 3 obsolete templates

  Kept:
  - Panel development templates
  - prepare-pr, prepare-release, new-panel commands
  - TROUBLESHOOTING.md
* chore: rewrite CLAUDE.md for UI shell architecture
* docs: prepare changelog for v0.3.4 release
* chore: bump version to 0.3.4
* docs: fix changelog formatting
* chore: clean up documentation for UI shell architecture
  - Remove obsolete Clean Architecture docs (7 files)
  - Delete TROUBLESHOOTING.md (obsolete agent references)
  - Delete extension DOCUMENTATION_STYLE_GUIDE.md (use parent's)
  - Simplify .claude/ commands and templates
  - Fix absolute paths (C:\VS\ppds -> relative)
  - Update docs/README.md to reflect simplified structure
* chore: remove obsolete docs for UI shell architecture

  Delete obsolete documentation:
  - Architecture: Clean Architecture patterns (SDK concern now)
  - ADRs: Value objects, panel coordinators (obsolete patterns)
  - Future: Design docs (use GitHub Issues instead)
  - Testing: Domain/application layer guides (overkill for UI shell)
  - Folders: quality, requirements, retrospective, work, design

  Keep webview patterns and remaining ADRs relevant to extension.
* chore: renumber ADRs and fix broken references
  - Renumber: 0004→0002, 0005→0003, 0006→0004, 0007→0005
  - Remove references to deleted architecture docs
  - Remove deleted .mcp.example.json and test-notebooks
* chore: fix broken references to deleted architecture docs

  Removes references to deleted documentation files:
  - CLEAN_ARCHITECTURE_GUIDE.md
  - PANEL_ARCHITECTURE.md
  - TESTING_GUIDE.md
  - INTEGRATION_TESTING_GUIDE.md
  - CODE_QUALITY_GUIDE.md
  - MAPPER_PATTERNS.md

  Updated files:
  - CONTRIBUTING.md: Simplified testing section, removed broken links
  - SECURITY.md: Removed code quality guide reference
  - docs/architecture/*.md: Removed deleted pattern references
  - Source files: Removed obsolete pattern references in comments
* fix: upgrade engines.vscode and remove broken ADR link
  - Upgrade engines.vscode from ^1.74.0 to ^1.107.0 to match @types/vscode
  - Remove broken reference to deleted ODATA_DOMAIN_PATTERN.md in ADR-0001
Summary
- settings.local.example.json with standardized permissions
- sn (strong name) tool
- dotnet nuget push to prevent accidental NuGet publish

Usage
Copy to settings.local.json to use:

Test Plan