fix claude code global permissions

2025-11-20 19:46:03 +01:00 · 2025-11-20 19:46:03 +01:00 · d94ed74d60
commit d94ed74d60
parent 88abed561e
1 changed files with 94 additions and 97 deletions
--- a/modules/claude-code.nix
+++ b/modules/claude-code.nix
@ -27,54 +27,55 @@ let
      # Git operations (read-only and safe operations)
      "Bash(git status)"
-      "Bash(git log*)"
+      "Bash(git status:*)"
-      "Bash(git diff*)"
+      "Bash(git log:*)"
-      "Bash(git show*)"
+      "Bash(git diff:*)"
-      "Bash(git branch*)"
+      "Bash(git show:*)"
-      "Bash(git remote*)"
+      "Bash(git branch:*)"
-      "Bash(git ls-files*)"
+      "Bash(git remote:*)"
-      
+      "Bash(git ls-files:*)"
      # Development tools - testing and linting
-      "Bash(npm run test*)"
+      "Bash(npm run test:*)"
-      "Bash(npm run lint*)"
+      "Bash(npm run lint:*)"
-      "Bash(npm run format*)"
+      "Bash(npm run format:*)"
-      "Bash(npm run check*)"
+      "Bash(npm run check:*)"
-      
+
      # Package managers (read-only operations)
-      "Bash(npm list*)"
+      "Bash(npm list:*)"
-      "Bash(npm outdated*)"
+      "Bash(npm outdated:*)"
      "Bash(cargo --version)"
-      "Bash(pip list*)"
+      "Bash(pip list:*)"
-      "Bash(pip show*)"
+      "Bash(pip show:*)"
-      
+
      # Nix operations
-      "Bash(nix-shell*)"
+      "Bash(nix-shell:*)"
-      "Bash(nix develop*)"
+      "Bash(nix develop:*)"
-      "Bash(nix build*)"
+      "Bash(nix build:*)"
-      "Bash(nix run*)"
+      "Bash(nix run:*)"
-      "Bash(nix-env -q*)"
+      "Bash(nix-env -q:*)"
-      "Bash(nix search*)"
+      "Bash(nix search:*)"
-      
+
      # File operations (safe read operations)
-      "Bash(ls*)"
+      "Bash(ls:*)"
-      "Bash(find*)"
+      "Bash(find:*)"
-      "Bash(grep*)"
+      "Bash(grep:*)"
-      "Bash(cat*)"
+      "Bash(cat:*)"
-      "Bash(head*)"
+      "Bash(head:*)"
-      "Bash(tail*)"
+      "Bash(tail:*)"
-      "Bash(wc*)"
+      "Bash(wc:*)"
-      "Bash(file*)"
+      "Bash(file:*)"
-      "Bash(du*)"
+      "Bash(du:*)"
-      "Bash(tree*)"
+      "Bash(tree:*)"
-      
+
      # Development environment info
-      "Bash(which*)"
+      "Bash(which:*)"
-      "Bash(whereis*)"
+      "Bash(whereis:*)"
      "Bash(whoami)"
      "Bash(pwd)"
-      "Bash(uname*)"
+      "Bash(uname:*)"
      "Bash(date)"
-      "Bash(echo*)"
+      "Bash(echo:*)"
    ];
    deny = [
@ -94,75 +95,76 @@ let
      "Read(*/node_modules/.cache/**)"
      # Prevent dangerous system operations
-      "Bash(rm -rf*)"
+      "Bash(rm -rf:*)"
-      "Bash(sudo*)"
+      "Bash(sudo:*)"
-      "Bash(su*)"
+      "Bash(su:*)"
-      "Bash(chmod +x*)"
+      "Bash(chmod +x:*)"
-      "Bash(chown*)"
+      "Bash(chown:*)"
-      "Bash(passwd*)"
+      "Bash(passwd:*)"
-      "Bash(userdel*)"
+      "Bash(userdel:*)"
-      "Bash(useradd*)"
+      "Bash(useradd:*)"
-      "Bash(usermod*)"
+      "Bash(usermod:*)"
-      "Bash(groupadd*)"
+      "Bash(groupadd:*)"
-      "Bash(groupdel*)"
+      "Bash(groupdel:*)"
-      "Bash(mount*)"
+      "Bash(mount:*)"
-      "Bash(umount*)"
+      "Bash(umount:*)"
-      "Bash(fdisk*)"
+      "Bash(fdisk:*)"
-      "Bash(mkfs*)"
+      "Bash(mkfs:*)"
-      "Bash(dd*)"
+      "Bash(dd:*)"
-      "Bash(curl*http*)"
+      "Bash(curl:*)"
-      "Bash(wget*http*)"
+      "Bash(wget:*)"
-      
+
      # Prevent network/security risks
-      "Bash(nc*)"
+      "Bash(nc:*)"
-      "Bash(netcat*)"
+      "Bash(netcat:*)"
-      "Bash(telnet*)"
+      "Bash(telnet:*)"
-      "Bash(ssh*)"
+      "Bash(ssh:*)"
-      "Bash(scp*)"
+      "Bash(scp:*)"
-      "Bash(rsync*)"
+      "Bash(rsync:*)"
-      "Bash(nmap*)"
+      "Bash(nmap:*)"
-      
+
      # Prevent package installations without confirmation
-      "Bash(npm install*)"
+      "Bash(npm install:*)"
-      "Bash(npm uninstall*)"
+      "Bash(npm uninstall:*)"
-      "Bash(pip install*)"
+      "Bash(pip install:*)"
-      "Bash(pip uninstall*)"
+      "Bash(pip uninstall:*)"
-      "Bash(cargo install*)"
+      "Bash(cargo install:*)"
-      "Bash(brew install*)"
+      "Bash(brew install:*)"
-      "Bash(apt install*)"
+      "Bash(apt install:*)"
-      "Bash(yum install*)"
+      "Bash(yum install:*)"
-      "Bash(pacman -S*)"
+      "Bash(pacman -S:*)"
-      
+
      # Prevent system service manipulation
-      "Bash(systemctl*)"
+      "Bash(systemctl:*)"
-      "Bash(service*)"
+      "Bash(service:*)"
-      "Bash(launchctl*)"
+      "Bash(launchctl:*)"
    ];
    ask = [
      # File system modifications
      "Write(*)"
      "Edit(*)"
-      "Bash(mkdir*)"
+      "Bash(mkdir:*)"
-      "Bash(rmdir*)"
+      "Bash(rmdir:*)"
-      "Bash(mv*)"
+      "Bash(mv:*)"
-      "Bash(cp*)"
+      "Bash(cp:*)"
-      "Bash(touch*)"
+      "Bash(touch:*)"
-      
+
      # Nix system operations
-      "Bash(nixos-rebuild*)"
+      "Bash(nixos-rebuild:*)"
-      "Bash(nix-collect-garbage*)"
+      "Bash(nix-collect-garbage:*)"
-      "Bash(nix-channel*)"
+      "Bash(nix-channel:*)"
-      "Bash(oss*)"
+      "Bash(oss:*)"
-      "Bash(hms*)"
+      "Bash(hms:*)"
    ];
  };
-  # Global settings configuration
+  # Global settings configuration (merged with permissions)
  globalSettings = {
    spinnerTipsEnabled = false;
    todoEnabled = true;
    autoCompactEnabled = true;
    permissions = defaultPermissions;
  };
 in
@ -172,16 +174,11 @@ in
    # Install Claude Code package
    home.packages = [ claudePackage ];
-    # Create global settings file
+    # Create global settings file (with permissions included)
    home.file.".claude/settings.json" = {
      text = builtins.toJSON globalSettings;
    };
    # Create global permissions file
    home.file.".claude/permissions.json" = {
      text = builtins.toJSON { permissions = defaultPermissions; };
    };
    # Create global memory file
    home.file.".claude/CLAUDE.md" = {
      text = "";