🔐 Safe and Hardened Version of ~/.claude/settings.json

gistfile1.txt

{
  "permissions": {
    "allow": [
      "Read(**)",
      "Edit(**)",
      "Write(**)",
      "LS(**)",
      "Glob(**)",
      "Grep(**)",
      "TodoRead()",
      "TodoWrite(**)",
      "Task(**)",

      // Git diagnostics (read-only)
      "Bash(git status*)",
      "Bash(git log*)",
      "Bash(git diff*)",
      "Bash(git show*)",
      "Bash(git blame*)",
      "Bash(git branch*)",
      "Bash(git remote -v*)",
      "Bash(git config --get*)",

      // File viewers (safe read-only)
      "Bash(ls -l*)",
      "Bash(ls -a*)",
      "Bash(cat *.md)",
      "Bash(head -n 20*)",
      "Bash(tail -n 20*)",
      "Bash(tree -L 2*)",
      "Bash(pwd)",

      // Grep tools (read-only)
      "Bash(grep -r *)",
      "Bash(grep --color=auto*)",

      // Safe CLI documentation
      "Bash(man *)",
      "Bash(which *)",
      "Bash(type *)",
      "Bash(pydoc*)",

      // Code formatting and linting (non-mutating)
      "Bash(black --check*)",
      "Bash(black --diff*)",
      "Bash(pylint*)",
      "Bash(flake8*)",
      "Bash(mypy*)",
      "Bash(eslint*)",

      // Testing (shouldn't modify system, but caution)
      "Bash(pytest*)",
      "Bash(make test*)",
      "Bash(npm test*)"
    ],
    "deny": [
      "Bash(rm*)",
      "Bash(mv*)",
      "Bash(cp*)",
      "Bash(sudo*)",
      "Bash(chmod*)",
      "Bash(chown*)",
      "Bash(dd*)",
      "Bash(python*)",
      "Bash(python3*)",
      "Bash(node*)",
      "Bash(npm run*)",
      "Bash(npx*)",
      "Bash(curl*)",
      "Bash(wget*)",
      "Bash(echo *)",
      "Bash(printf *)",
      "Bash(* | *)"
    ]
  }
}