chore(claude): expand harness allowlist and ignore local state

Add permissions for read-only test/inspection commands (make test-e2e, docker exec/restart, /tmp reads) and gitignore everything under .claude except the shared settings/gitignore. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 09:15:32 +00:00 · 2026-05-11 02:15:04 +02:00
parent 03f17a6e05
commit c9fe7d8583
3 changed files with 18 additions and 6 deletions
--- a/.claude/.gitignore
+++ b/.claude/.gitignore
@@ -0,0 +1,3 @@
+*
+!.gitignore
+!.settings.json
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -57,18 +57,27 @@
      "WebFetch(domain:docs.docker.com)",
      "WebFetch(domain:pypi.org)",
      "WebFetch(domain:docs.cypress.io)",
-      "WebFetch(domain:flask.palletsprojects.com)"
-    ],
-    "ask": [
-      "Bash(git push*)",
-      "Bash(docker run*)",
-      "Bash(curl*)"
+      "WebFetch(domain:flask.palletsprojects.com)",
+      "Bash(netstat -lnt)",
+      "Bash(make test-e2e *)",
+      "Bash(echo \"EXIT=$?\")",
+      "Read(//tmp/**)",
+      "Bash(docker exec *)",
+      "Bash(docker restart *)"
    ],
    "deny": [
      "Bash(git push --force*)",
      "Bash(git reset --hard*)",
      "Bash(rm -rf*)",
      "Bash(sudo*)"
+    ],
+    "ask": [
+      "Bash(git push*)",
+      "Bash(docker run*)",
+      "Bash(curl*)"
+    ],
+    "additionalDirectories": [
+      "/tmp"
    ]
  },
  "sandbox": {
--- a/.codex
+++ b/.codex