```json
{
  "permissions": {
    "allow": [
      "Read(**)",
      "Edit(**)",
      "MultiEdit(**)",
      "Write(**)",
      "Glob(**)",
      "Grep(**)",
      "LS(**)",
      "WebSearch(**)",
      "TodoRead()",
      "TodoWrite(**)",
      "Task(**)",
      "Bash(git status*)",
      "Bash(git log*)",
      "Bash(git diff*)",
      "Bash(git show*)",
      "Bash(git blame*)",
      "Bash(git branch*)",
      "Bash(git remote -v*)",
      "Bash(git config --get*)",
      "Bash(ls*)",
      "Bash(cat *)",
      "Bash(less *)",
      "Bash(head*)",
      "Bash(tail*)",
      "Bash(grep*)",
      "Bash(find*)",
      "Bash(tree*)",
      "Bash(pwd*)",
      "Bash(wc*)",
      "Bash(diff *)",
      "Bash(sed -n*)",
      "Bash(awk*)",
      "Bash(cut*)",
      "Bash(sort*)",
      "Bash(uniq*)",
      "Bash(basename *)",
      "Bash(dirname *)",
      "Bash(realpath *)",
      "Bash(readlink *)",
      "Bash(curl*)",
      "Bash(jq*)",
      "Bash(yq eval*)",
      "Bash(python*)",
      "Bash(python3*)",
      "Bash(node*)",
      "Bash(npm list*)",
      "Bash(npm run*)",
      "Bash(npx*)",
      "Bash(black --check*)",
      "Bash(black --diff*)",
      "Bash(pylint*)",
      "Bash(flake8*)",
      "Bash(mypy*)",
      "Bash(eslint*)",
      "Bash(pytest*)",
      "Bash(make test*)",
      "Bash(npm test*)",
      "Bash(make -n*)",
      "Bash(man *)",
      "Bash(pydoc*)",
      "Bash(which *)",
      "Bash(type *)",
      "Bash(echo *)",
      "Bash(printf *)",
      "Bash(test *)",
      "Bash(true*)",
      "Bash(false*)",
      "Bash(* | grep*)",
      "Bash(* | jq*)",
      "Bash(* | head*)",
      "Bash(* | tail*)",
      "Bash(* | wc*)",
      "Bash(* | sort*)",
      "Bash(* | uniq*)"
    ],
    "deny": []
  }
}
```
Here's my Safe and Hardened ~/.claude/settings.json
Explanation of Key Changes
Still allowed:
Safe inspection tools: git, ls, cat, tree, head, tail
Static checks: black --check, flake8, mypy, etc.
Testing commands (pytest, make test) are kept but can be moved to deny if you want zero mutation.
Now blocked:
rm, mv, cp, chmod, chown, dd: classic dangerous commands
curl, wget, python*, node*, npm run*, npx*: may pull or execute code
echo, printf: harmless alone but could be part of chaining to do damage
Bash(* | *): blocks all generic pipelines like Bash(* | jq*), which are too permissive
Tips to Keep It Safe
Only allow commands with known, non-destructive flags (e.g., --check, -n, --dry-run)
Prefer exact matches over globs where possible
Avoid Bash(*) and Bash(* | something) patterns unless scoped
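The following is an added example, not part of the gist or of the comment above: a small Python audit that applies the comment's categories to the allow list of a settings.json. The category sets, function names and sample input are assumptions of this example; it only string-matches the patterns and does not model how Claude Code evaluates them.

```python
import json
import re

# Categories follow the comment above; they are this example's assumption
# about what to flag, not Claude Code's own permission semantics.
CATEGORIES = {
    "destructive": {"rm", "mv", "cp", "chmod", "chown", "dd"},
    "fetch-or-exec": {"curl", "wget", "python", "python3", "node", "npm run", "npx"},
    "chainable": {"echo", "printf"},
}
BASH_RULE = re.compile(r"^Bash\((.*)\)$")


def classify(rule):
    """Return the findings for a single allow entry (empty list if none)."""
    match = BASH_RULE.match(rule)
    if not match:
        return []  # non-Bash tools (Read, Edit, ...) are out of scope here
    pattern = match.group(1).strip()
    if pattern in ("", "*", "**"):
        return ["unscoped-bash"]
    if re.match(r"^\*+\s*\|", pattern):
        return ["generic-pipeline"]  # e.g. "* | jq*": any command may precede the pipe
    words = pattern.rstrip("*").split()
    # Compare one- and two-word command prefixes so "npm run" is flagged
    # while "npm list" is not, and "diff" is never confused with "dd".
    prefixes = {words[0], " ".join(words[:2])} if words else set()
    return sorted(name for name, cmds in CATEGORIES.items() if prefixes & cmds)


def audit(settings):
    """Map each flagged allow entry to its findings."""
    allow = settings.get("permissions", {}).get("allow", [])
    return {rule: found for rule in allow if (found := classify(rule))}


# Constructed sample: a subset of the allow entries from the gist above.
SAMPLE = json.loads("""
{"permissions": {"allow": [
  "Read(**)", "Bash(git status*)", "Bash(diff *)", "Bash(npm list*)",
  "Bash(curl*)", "Bash(python3*)", "Bash(npm run*)", "Bash(echo *)",
  "Bash(* | jq*)", "Bash(black --check*)"
], "deny": []}}
""")

if __name__ == "__main__":
    for rule, found in audit(SAMPLE).items():
        print(f"{rule}: {', '.join(found)}")
```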