chore: add Claude settings example file #58
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,143 @@ | ||||||
| { | ||||||
| "permissions": { | ||||||
| "allow": [ | ||||||
| "Bash(ls:*)", | ||||||
| "Bash(dir:*)", | ||||||
| "Bash(cd:*)", | ||||||
| "Bash(pwd:*)", | ||||||
| "Bash(cat:*)", | ||||||
| "Bash(head:*)", | ||||||
| "Bash(tail:*)", | ||||||
| "Bash(less:*)", | ||||||
| "Bash(more:*)", | ||||||
| "Bash(echo:*)", | ||||||
| "Bash(printf:*)", | ||||||
| "Bash(which:*)", | ||||||
| "Bash(where:*)", | ||||||
| "Bash(grep:*)", | ||||||
| "Bash(rg:*)", | ||||||
| "Bash(find:*)", | ||||||
| "Bash(findstr:*)", | ||||||
| "Bash(awk:*)", | ||||||
| "Bash(sed:*)", | ||||||
| "Bash(sort:*)", | ||||||
| "Bash(uniq:*)", | ||||||
| "Bash(wc:*)", | ||||||
| "Bash(test:*)", | ||||||
| "Bash([:*)", | ||||||
| "Bash(mkdir:*)", | ||||||
| "Bash(touch:*)", | ||||||
| "Bash(cp:*)", | ||||||
| "Bash(copy:*)", | ||||||
| "Bash(mv:*)", | ||||||
| "Bash(move:*)", | ||||||
| "Bash(git status:*)", | ||||||
| "Bash(git diff:*)", | ||||||
| "Bash(git log:*)", | ||||||
| "Bash(git show:*)", | ||||||
| "Bash(git branch:*)", | ||||||
| "Bash(git ls-files:*)", | ||||||
| "Bash(git ls-tree:*)", | ||||||
| "Bash(git rev-parse:*)", | ||||||
| "Bash(git remote:*)", | ||||||
| "Bash(git fetch:*)", | ||||||
| "Bash(git checkout:*)", | ||||||
| "Bash(git add:*)", | ||||||
| "Bash(git commit:*)", | ||||||
| "Bash(git push:*)", | ||||||
| "Bash(git stash:*)", | ||||||
| "Bash(git stash drop:*)", | ||||||
| "Bash(git stash pop:*)", | ||||||
| "Bash(git rm:*)", | ||||||
| "Bash(git mv:*)", | ||||||
| "Bash(git worktree list:*)", | ||||||
| "Bash(git worktree prune:*)", | ||||||
| "Bash(git describe:*)", | ||||||
| "Bash(git tag:*)", | ||||||
| "Bash(git -C:*)", | ||||||
| "Bash(dotnet:*)", | ||||||
|
There was a problem hiding this comment. The permission 'Bash(dotnet:*)' on line 58 is a catch-all that would allow all dotnet commands, making the more specific dotnet permission entries (lines 59-65) redundant. Additionally, this conflicts with the deny rule for 'dotnet nuget push' on line 100. The catch-all should be removed to ensure that only explicitly allowed dotnet commands can be executed and that the deny rule functions as intended.
Suggested change
|
||||||
| "Bash(dotnet build:*)", | ||||||
| "Bash(dotnet test:*)", | ||||||
| "Bash(dotnet pack:*)", | ||||||
| "Bash(dotnet restore:*)", | ||||||
| "Bash(dotnet clean:*)", | ||||||
|
There was a problem hiding this comment. The 'git clean' command appears in both the allow list (line 63 as 'dotnet clean') and the deny list (line 99). However, these are actually two different commands: 'dotnet clean' (a safe .NET build cleanup command) and 'git clean' (which can delete untracked files). While they don't technically conflict, this could cause confusion. Consider adding a comment to clarify that 'dotnet clean' is allowed but 'git clean' is denied. |
||||||
| "Bash(dotnet run:*)", | ||||||
| "Bash(dotnet sln:*)", | ||||||
| "Bash(sn:*)", | ||||||
| "Bash(powershell:*)", | ||||||
| "Bash(pwsh:*)", | ||||||
|
Comment on lines
+67
to
+68
There was a problem hiding this comment. The PowerShell and pwsh permissions (lines 67-68) are catch-all patterns that would allow execution of any PowerShell scripts or commands. This is overly permissive and could allow potentially dangerous operations. Consider either removing these entries or adding specific PowerShell commands that should be allowed, similar to how git and dotnet commands are handled.
Suggested change
|
||||||
| "Bash(Get-ChildItem:*)", | ||||||
| "Bash(Test-Path:*)", | ||||||
| "Bash(Get-Content:*)", | ||||||
| "Bash(Select-Object:*)", | ||||||
| "Bash(ForEach-Object:*)", | ||||||
| "Bash(Where-Object:*)", | ||||||
| "Bash(Measure-Object:*)", | ||||||
| "Bash(gh pr list:*)", | ||||||
| "Bash(gh pr view:*)", | ||||||
| "Bash(gh pr status:*)", | ||||||
| "Bash(gh pr checkout:*)", | ||||||
| "Bash(gh pr diff:*)", | ||||||
| "Bash(gh api repos/*/pulls/*/comments:*)", | ||||||
| "Bash(gh api repos/*/pulls/*/comments/*:*)", | ||||||
|
Comment on lines
+81
to
+82
There was a problem hiding this comment. The 'gh api' permission appears twice with different scoping. Line 130 has 'Bash(gh api:)' in the ask list (requiring user confirmation), while lines 81-82 have specific 'gh api repos//pulls//comments' patterns in the allow list (permitted without confirmation). The more specific patterns on lines 81-82 would be overridden by the broader 'gh api:' pattern in the ask list, potentially allowing unintended access to other API endpoints. Consider removing the catch-all from the ask list to ensure only the specific comment-reading endpoints are allowed. |
||||||
| "Bash(gh issue list:*)", | ||||||
| "Bash(gh issue view:*)", | ||||||
| "Bash(gh issue status:*)", | ||||||
| "Bash(gh repo view:*)", | ||||||
| "Bash(gh repo list:*)", | ||||||
| "Bash(gh run list:*)", | ||||||
| "Bash(gh run view:*)", | ||||||
| "Bash(gh run watch:*)", | ||||||
| "Bash(gh auth status:*)", | ||||||
| "Bash(gh release list:*)", | ||||||
| "Bash(gh release view:*)", | ||||||
| "WebSearch" | ||||||
| ], | ||||||
|
Comment on lines
+3
to
+95
There was a problem hiding this comment. This is a great set of default permissions. However, several commands in the The commands I recommend moving are:
Moving these to |
||||||
| "deny": [ | ||||||
| "Bash(git push --force:*)", | ||||||
| "Bash(git reset --hard:*)", | ||||||
| "Bash(git clean:*)", | ||||||
| "Bash(dotnet nuget push:*)", | ||||||
| "Bash(curl:*)", | ||||||
| "Bash(wget:*)", | ||||||
| "Bash(Invoke-WebRequest:*)", | ||||||
| "Bash(chmod 777:*)", | ||||||
| "Bash(sudo:*)", | ||||||
| "Bash(su:*)" | ||||||
| ], | ||||||
| "ask": [ | ||||||
| "Bash(rm -rf:*)", | ||||||
| "Bash(rm -fr:*)", | ||||||
| "Bash(rm:*)", | ||||||
| "Bash(del:*)", | ||||||
| "Bash(rmdir:*)", | ||||||
| "Bash(Remove-Item:*)", | ||||||
| "Bash(git pull:*)", | ||||||
| "Bash(git merge:*)", | ||||||
| "Bash(git rebase:*)", | ||||||
| "Bash(git reset:*)", | ||||||
| "Bash(git restore:*)", | ||||||
| "Bash(git cherry-pick:*)", | ||||||
| "Bash(git revert:*)", | ||||||
| "Bash(git apply:*)", | ||||||
| "Bash(git am:*)", | ||||||
| "Bash(git worktree add:*)", | ||||||
| "Bash(git worktree remove:*)", | ||||||
| "Bash(git branch -D:*)", | ||||||
| "Bash(git branch -d:*)", | ||||||
| "Bash(git tag -d:*)", | ||||||
| "Bash(git tag -fa:*)", | ||||||
| "Bash(gh api:*)", | ||||||
| "Bash(gh pr create:*)", | ||||||
| "Bash(gh pr merge:*)", | ||||||
| "Bash(gh pr close:*)", | ||||||
| "Bash(gh pr edit:*)", | ||||||
| "Bash(gh issue create:*)", | ||||||
| "Bash(gh issue close:*)", | ||||||
| "Bash(gh issue edit:*)", | ||||||
| "Bash(gh release create:*)", | ||||||
| "Bash(gh repo create:*)", | ||||||
| "Bash(gh repo delete:*)" | ||||||
| ] | ||||||
| } | ||||||
| } | ||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The 'git stash drop' and 'git stash pop' commands are listed separately (lines 49-50) in addition to the general 'git stash' command (line 48). Since 'Bash(git stash:*)' would already match 'git stash drop' and 'git stash pop' due to the wildcard pattern, these specific entries are redundant and can be removed.