Clean up the allow list in .claude/settings.local.json by removing redundant permission entries.
Rules
A permission entry is redundant if a broader wildcard pattern already covers it. Apply these rules:
- •
Wildcard subsumes specific: If
Bash(gh pr create:*)exists, remove any entry that is a specificgh pr createinvocation (e.g., a fullgh pr create --title "..." --body "..."command). - •
Broader wildcard subsumes narrower: If
Bash(git push:*)exists, removeBash(git push)(no args variant). IfBash(Rscript:*)exists, remove entries likeBash(SCRATCHPAD="..." Rscript:*)that are session-specific wrappers around the same command. - •
git
-Cworktree consolidation: Path-specificgit -C <path> <subcommand>entries (e.g.,Bash(git -C /some/worktree status)) are subsumed by the wildcard variantBash(git -C * <subcommand> *). Remove any path-specific-Centries. Everygitsubcommand should have two permission lines — the naked form and the-Cworktree form:code"Bash(git <subcommand>:*)", "Bash(git -C * <subcommand> *)",
- •
Garbled entries: Remove entries that appear to be fragments of commit messages, PR bodies, or other text that was accidentally saved as a permission (e.g., entries starting mid-sentence or containing prose paragraphs).
- •
Exact duplicates: Remove duplicate entries, keeping only one copy.
Steps
- •Read
.claude/settings.local.json. - •Identify all wildcard patterns (entries ending in
:*)). - •For each non-wildcard entry, check if any wildcard pattern already covers it.
- •Flag garbled/broken entries that don't look like valid permission patterns.
- •Remove all redundant and garbled entries.
- •Group the remaining entries logically:
- •General shell utilities (
wc,ls, etc.) - •
Rscript - •
gitcommands (alphabetical) - •
ghcommands grouped by subcommand:issue,pr,run,workflow,api,search,repo(alphabetical within groups) - •Web tools (
WebSearch,WebFetch)
- •General shell utilities (
- •Apply the edit and report what was removed.