chore(claude): enable sandbox and consolidate bash allowlist

Activate the harness sandbox (enabled + autoAllowBashIfSandboxed + filesystem write/deny rules) and replace the ~30 specific Bash(...) permission entries with a single Bash(*) wildcard. The existing deny list (git push --force, git reset --hard, rm -rf, sudo) and ask list (git push, docker run, curl) keep their precedence. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 09:15:32 +00:00 · 2026-05-11 02:36:28 +02:00
parent f3c15e3e1c
commit 28a796e24f
1 changed files with 6 additions and 53 deletions
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -4,52 +4,8 @@
      "Read",
      "Edit",
      "Write",
-      "Bash(git status*)",
-      "Bash(git log*)",
-      "Bash(git diff*)",
-      "Bash(git add*)",
-      "Bash(git commit*)",
-      "Bash(git checkout*)",
-      "Bash(git branch*)",
-      "Bash(git fetch*)",
-      "Bash(git stash*)",
-      "Bash(git -C:*)",
-      "Bash(make*)",
-      "Bash(python3*)",
-      "Bash(python*)",
-      "Bash(pip show*)",
-      "Bash(pip list*)",
-      "Bash(pip install*)",
-      "Bash(npm install*)",
-      "Bash(npm run*)",
-      "Bash(npx*)",
-      "Bash(docker pull*)",
-      "Bash(docker build*)",
-      "Bash(docker images*)",
-      "Bash(docker ps*)",
-      "Bash(docker inspect*)",
-      "Bash(docker logs*)",
-      "Bash(docker create*)",
-      "Bash(docker export*)",
-      "Bash(docker rm*)",
-      "Bash(docker rmi*)",
-      "Bash(docker stop*)",
-      "Bash(docker compose*)",
-      "Bash(docker-compose*)",
-      "Bash(docker container prune*)",
-      "Bash(grep*)",
-      "Bash(find*)",
-      "Bash(ls*)",
-      "Bash(cat*)",
-      "Bash(head*)",
-      "Bash(tail*)",
-      "Bash(wc*)",
-      "Bash(sort*)",
-      "Bash(tar*)",
-      "Bash(mkdir*)",
-      "Bash(cp*)",
-      "Bash(mv*)",
-      "Bash(jq*)",
+      "Bash(*)",
+      "Read(//tmp/**)",
      "WebSearch",
      "WebFetch(domain:github.com)",
      "WebFetch(domain:raw.githubusercontent.com)",
@@ -58,13 +14,8 @@
      "WebFetch(domain:pypi.org)",
      "WebFetch(domain:docs.cypress.io)",
      "WebFetch(domain:flask.palletsprojects.com)",
-      "Bash(netstat -lnt)",
-      "Bash(make test-e2e *)",
-      "Bash(echo \"EXIT=$?\")",
-      "Read(//tmp/**)",
-      "Bash(docker exec *)",
-      "Bash(docker restart *)",
-      "Bash(jobs)"
+      "Skill(update-config)",
+      "Skill(update-config:*)"
    ],
    "deny": [
      "Bash(git push --force*)",
@@ -82,6 +33,8 @@
    ]
  },
  "sandbox": {
+    "enabled": true,
+    "autoAllowBashIfSandboxed": true,
    "filesystem": {
      "allowWrite": [
        ".",