@codedrifters/configulator 0.0.166 → 0.0.168

package/README.md

@@ -678,7 +678,7 @@ const project = new MonorepoProject({
   name: 'my-monorepo',
   pnpmOptions: {
     pnpmWorkspaceOptions: {
-      minimumReleaseAge: MIMIMUM_RELEASE_AGE.ONE_DAY,
+      minimumReleaseAge: MINIMUM_RELEASE_AGE.ONE_DAY,
       minimumReleaseAgeExclude: ['@codedrifters/*'],
       onlyBuiltDependencies: ['@swc/core', 'esbuild'],
       defaultCatalog: {

package/lib/index.d.mts

@@ -394,6 +394,15 @@ interface AgentRuleBundle {
     readonly skills?: ReadonlyArray<AgentSkill>;
     /** Sub-agents included in this bundle. */
     readonly subAgents?: ReadonlyArray<AgentSubAgent>;
+    /**
+     * Claude Code permission entries contributed by this bundle.
+     * Allow and deny entries are merged with the default and user-supplied
+     * permissions when the bundle is active.
+     */
+    readonly claudePermissions?: {
+        readonly allow?: ReadonlyArray<string>;
+        readonly deny?: ReadonlyArray<string>;
+    };
 }
 /*******************************************************************************
  *
@@ -815,6 +824,13 @@ declare class AgentConfig extends Component {
      * Find the AgentConfig component on a project.
      */
     static of(project: Project$1): AgentConfig | undefined;
+    /**
+     * Merges default Claude permissions with bundle and user-supplied settings.
+     *
+     * Merge order: defaults → bundle permissions → user-supplied entries.
+     * `defaultMode` defaults to `"dontAsk"` unless overridden.
+     */
+    private static mergeClaudeDefaults;
     private readonly options;
     constructor(project: Project$1, options?: AgentConfigOptions);
     preSynthesize(): void;
@@ -835,6 +851,10 @@ declare class AgentConfig extends Component {
      * Resolves template variables in sub-agent prompts using project metadata.
      */
     private resolveSubAgentTemplates;
+    /**
+     * Collects Claude permission entries from all active bundles.
+     */
+    private resolveBundlePermissions;
 }
 
 /**
@@ -1618,7 +1638,7 @@ declare class JsiiFaker extends Component {
 /**
  * Predefined minimum release age values in minutes.
  */
-declare const MIMIMUM_RELEASE_AGE: {
+declare const MINIMUM_RELEASE_AGE: {
     ZERO_DAYS: number;
     ONE_HOUR: number;
     SIX_HOURS: number;
@@ -1651,9 +1671,9 @@ interface PnpmWorkspaceOptions {
      *
      * See: https://pnpm.io/settings#minimumreleaseage
      *
-     * @default MIMIMUM_RELEASE_AGE.ONE_DAY
+     * @default MINIMUM_RELEASE_AGE.ONE_DAY
      */
-    readonly minimumReleaseAge?: ValueOf<typeof MIMIMUM_RELEASE_AGE>;
+    readonly minimumReleaseAge?: ValueOf<typeof MINIMUM_RELEASE_AGE>;
     /**
      * If you set minimumReleaseAge but need certain dependencies to always
      * install the newest version immediately, you can list them under
@@ -1791,7 +1811,7 @@ declare class PnpmWorkspace extends Component {
      *
      * See: https://pnpm.io/settings#minimumreleaseage
      */
-    minimumReleaseAge: ValueOf<typeof MIMIMUM_RELEASE_AGE>;
+    minimumReleaseAge: ValueOf<typeof MINIMUM_RELEASE_AGE>;
     /**
      * If you set minimumReleaseAge but need certain dependencies to always
      * install the newest version immediately, you can list them under
@@ -1857,6 +1877,22 @@ declare class PnpmWorkspace extends Component {
     };
     constructor(project: Project$1, options?: PnpmWorkspaceOptions);
 }
+/**
+ * @deprecated Use `MINIMUM_RELEASE_AGE` instead. This alias will be removed in a future major release.
+ */
+declare const MIMIMUM_RELEASE_AGE: {
+    ZERO_DAYS: number;
+    ONE_HOUR: number;
+    SIX_HOURS: number;
+    TWELVE_HOURS: number;
+    ONE_DAY: number;
+    TWO_DAYS: number;
+    THREE_DAYS: number;
+    FOUR_DAYS: number;
+    FIVE_DAYS: number;
+    SIX_DAYS: number;
+    ONE_WEEK: number;
+};
 
 /*******************************************************************************
  *
@@ -2798,4 +2834,4 @@ declare const COMPLETE_JOB_ID = "complete";
  */
 declare function addBuildCompleteJob(buildWorkflow: BuildWorkflow): void;
 
-export { AGENT_MODEL, AGENT_PLATFORM, AGENT_RULE_SCOPE, AgentConfig, type AgentConfigOptions, type AgentModel, type AgentPlatform, type AgentPlatformOverrides, type AgentRule, type AgentRuleBundle, type AgentRuleScope, type AgentSkill, type AgentSubAgent, type AgentSubAgentPlatformOverrides, type ApproveMergeUpgradeOptions, type AwsAccount, AwsDeployWorkflow, AwsDeploymentConfig, AwsDeploymentTarget, type AwsDeploymentTargetOptions, type AwsLocalDeploymentConfig, type AwsOrganization, type AwsRegion, BUILT_IN_BUNDLES, CLAUDE_RULE_TARGET, COMPLETE_JOB_ID, type CiDeploymentConfig, type ClassTypeOptions, type ClaudeAutoModeConfig, type ClaudeHookAction, type ClaudeHookEntry, type ClaudeHooksConfig, type ClaudePermissionsConfig, type ClaudeRuleTarget, type ClaudeSandboxConfig, type ClaudeSettingsConfig, type CopilotHandoff, type CursorHookAction, type CursorHooksConfig, type CursorSettingsConfig, type DeployWorkflowOptions, type DeploymentMetadata, type GitBranch, type GitHubBoardMetadata, type GitHubProjectMetadata, type GitHubSprintMetadata, type IDependencyResolver, JsiiFaker, MCP_TRANSPORT, MERGE_METHODS, MIMIMUM_RELEASE_AGE, type McpServerConfig, type McpTransport, type MergeMethod, MonorepoProject, type MonorepoProjectOptions, type OrganizationMetadata, PROD_DEPLOY_NAME, PnpmWorkspace, type PnpmWorkspaceOptions, ProjectMetadata, type ProjectMetadataOptions, ROOT_CI_TASK_NAME, ROOT_TURBO_TASK_NAME, type RemoteCacheOptions, type RepositoryMetadata, ResetTask, type ResetTaskOptions, type ResolvedProjectMetadata, type SlackMetadata, type TemplateResolveResult, TestRunner, TurboRepo, type TurboRepoOptions, TurboRepoTask, type TurboRepoTaskOptions, TypeScriptConfig, TypeScriptProject, type TypeScriptProjectOptions, VERSION, VERSION_KEYS_SKIP, VERSION_NPM_PACKAGES, VSCodeConfig, type VersionKey, Vitest, type VitestConfigOptions, type VitestOptions, addApproveMergeUpgradeWorkflow, addBuildCompleteJob, awsCdkBundle, baseBundle, getLatestEligibleVersion, githubWorkflowBundle, jestBundle, pnpmBundle, projenBundle, resolveTemplateVariables, turborepoBundle, typescriptBundle, vitestBundle };
+export { AGENT_MODEL, AGENT_PLATFORM, AGENT_RULE_SCOPE, AgentConfig, type AgentConfigOptions, type AgentModel, type AgentPlatform, type AgentPlatformOverrides, type AgentRule, type AgentRuleBundle, type AgentRuleScope, type AgentSkill, type AgentSubAgent, type AgentSubAgentPlatformOverrides, type ApproveMergeUpgradeOptions, type AwsAccount, AwsDeployWorkflow, AwsDeploymentConfig, AwsDeploymentTarget, type AwsDeploymentTargetOptions, type AwsLocalDeploymentConfig, type AwsOrganization, type AwsRegion, BUILT_IN_BUNDLES, CLAUDE_RULE_TARGET, COMPLETE_JOB_ID, type CiDeploymentConfig, type ClassTypeOptions, type ClaudeAutoModeConfig, type ClaudeHookAction, type ClaudeHookEntry, type ClaudeHooksConfig, type ClaudePermissionsConfig, type ClaudeRuleTarget, type ClaudeSandboxConfig, type ClaudeSettingsConfig, type CopilotHandoff, type CursorHookAction, type CursorHooksConfig, type CursorSettingsConfig, type DeployWorkflowOptions, type DeploymentMetadata, type GitBranch, type GitHubBoardMetadata, type GitHubProjectMetadata, type GitHubSprintMetadata, type IDependencyResolver, JsiiFaker, MCP_TRANSPORT, MERGE_METHODS, MIMIMUM_RELEASE_AGE, MINIMUM_RELEASE_AGE, type McpServerConfig, type McpTransport, type MergeMethod, MonorepoProject, type MonorepoProjectOptions, type OrganizationMetadata, PROD_DEPLOY_NAME, PnpmWorkspace, type PnpmWorkspaceOptions, ProjectMetadata, type ProjectMetadataOptions, ROOT_CI_TASK_NAME, ROOT_TURBO_TASK_NAME, type RemoteCacheOptions, type RepositoryMetadata, ResetTask, type ResetTaskOptions, type ResolvedProjectMetadata, type SlackMetadata, type TemplateResolveResult, TestRunner, TurboRepo, type TurboRepoOptions, TurboRepoTask, type TurboRepoTaskOptions, TypeScriptConfig, TypeScriptProject, type TypeScriptProjectOptions, VERSION, VERSION_KEYS_SKIP, VERSION_NPM_PACKAGES, VSCodeConfig, type VersionKey, Vitest, type VitestConfigOptions, type VitestOptions, addApproveMergeUpgradeWorkflow, addBuildCompleteJob, awsCdkBundle, baseBundle, getLatestEligibleVersion, githubWorkflowBundle, jestBundle, pnpmBundle, projenBundle, resolveTemplateVariables, turborepoBundle, typescriptBundle, vitestBundle };

package/lib/index.d.ts

@@ -443,6 +443,15 @@ interface AgentRuleBundle {
     readonly skills?: ReadonlyArray<AgentSkill>;
     /** Sub-agents included in this bundle. */
     readonly subAgents?: ReadonlyArray<AgentSubAgent>;
+    /**
+     * Claude Code permission entries contributed by this bundle.
+     * Allow and deny entries are merged with the default and user-supplied
+     * permissions when the bundle is active.
+     */
+    readonly claudePermissions?: {
+        readonly allow?: ReadonlyArray<string>;
+        readonly deny?: ReadonlyArray<string>;
+    };
 }
 /*******************************************************************************
  *
@@ -864,6 +873,13 @@ declare class AgentConfig extends Component {
      * Find the AgentConfig component on a project.
      */
     static of(project: Project): AgentConfig | undefined;
+    /**
+     * Merges default Claude permissions with bundle and user-supplied settings.
+     *
+     * Merge order: defaults → bundle permissions → user-supplied entries.
+     * `defaultMode` defaults to `"dontAsk"` unless overridden.
+     */
+    private static mergeClaudeDefaults;
     private readonly options;
     constructor(project: Project, options?: AgentConfigOptions);
     preSynthesize(): void;
@@ -884,6 +900,10 @@ declare class AgentConfig extends Component {
      * Resolves template variables in sub-agent prompts using project metadata.
      */
     private resolveSubAgentTemplates;
+    /**
+     * Collects Claude permission entries from all active bundles.
+     */
+    private resolveBundlePermissions;
 }
 
 /**
@@ -1667,7 +1687,7 @@ declare class JsiiFaker extends Component {
 /**
  * Predefined minimum release age values in minutes.
  */
-declare const MIMIMUM_RELEASE_AGE: {
+declare const MINIMUM_RELEASE_AGE: {
     ZERO_DAYS: number;
     ONE_HOUR: number;
     SIX_HOURS: number;
@@ -1700,9 +1720,9 @@ interface PnpmWorkspaceOptions {
      *
      * See: https://pnpm.io/settings#minimumreleaseage
      *
-     * @default MIMIMUM_RELEASE_AGE.ONE_DAY
+     * @default MINIMUM_RELEASE_AGE.ONE_DAY
      */
-    readonly minimumReleaseAge?: ValueOf<typeof MIMIMUM_RELEASE_AGE>;
+    readonly minimumReleaseAge?: ValueOf<typeof MINIMUM_RELEASE_AGE>;
     /**
      * If you set minimumReleaseAge but need certain dependencies to always
      * install the newest version immediately, you can list them under
@@ -1840,7 +1860,7 @@ declare class PnpmWorkspace extends Component {
      *
      * See: https://pnpm.io/settings#minimumreleaseage
      */
-    minimumReleaseAge: ValueOf<typeof MIMIMUM_RELEASE_AGE>;
+    minimumReleaseAge: ValueOf<typeof MINIMUM_RELEASE_AGE>;
     /**
      * If you set minimumReleaseAge but need certain dependencies to always
      * install the newest version immediately, you can list them under
@@ -1906,6 +1926,22 @@ declare class PnpmWorkspace extends Component {
     };
     constructor(project: Project, options?: PnpmWorkspaceOptions);
 }
+/**
+ * @deprecated Use `MINIMUM_RELEASE_AGE` instead. This alias will be removed in a future major release.
+ */
+declare const MIMIMUM_RELEASE_AGE: {
+    ZERO_DAYS: number;
+    ONE_HOUR: number;
+    SIX_HOURS: number;
+    TWELVE_HOURS: number;
+    ONE_DAY: number;
+    TWO_DAYS: number;
+    THREE_DAYS: number;
+    FOUR_DAYS: number;
+    FIVE_DAYS: number;
+    SIX_DAYS: number;
+    ONE_WEEK: number;
+};
 
 /*******************************************************************************
  *
@@ -2847,5 +2883,5 @@ declare const COMPLETE_JOB_ID = "complete";
  */
 declare function addBuildCompleteJob(buildWorkflow: BuildWorkflow): void;
 
-export { AGENT_MODEL, AGENT_PLATFORM, AGENT_RULE_SCOPE, AgentConfig, AwsDeployWorkflow, AwsDeploymentConfig, AwsDeploymentTarget, BUILT_IN_BUNDLES, CLAUDE_RULE_TARGET, COMPLETE_JOB_ID, JsiiFaker, MCP_TRANSPORT, MERGE_METHODS, MIMIMUM_RELEASE_AGE, MonorepoProject, PROD_DEPLOY_NAME, PnpmWorkspace, ProjectMetadata, ROOT_CI_TASK_NAME, ROOT_TURBO_TASK_NAME, ResetTask, TestRunner, TurboRepo, TurboRepoTask, TypeScriptConfig, TypeScriptProject, VERSION, VERSION_KEYS_SKIP, VERSION_NPM_PACKAGES, VSCodeConfig, Vitest, addApproveMergeUpgradeWorkflow, addBuildCompleteJob, awsCdkBundle, baseBundle, getLatestEligibleVersion, githubWorkflowBundle, jestBundle, pnpmBundle, projenBundle, resolveTemplateVariables, turborepoBundle, typescriptBundle, vitestBundle };
+export { AGENT_MODEL, AGENT_PLATFORM, AGENT_RULE_SCOPE, AgentConfig, AwsDeployWorkflow, AwsDeploymentConfig, AwsDeploymentTarget, BUILT_IN_BUNDLES, CLAUDE_RULE_TARGET, COMPLETE_JOB_ID, JsiiFaker, MCP_TRANSPORT, MERGE_METHODS, MIMIMUM_RELEASE_AGE, MINIMUM_RELEASE_AGE, MonorepoProject, PROD_DEPLOY_NAME, PnpmWorkspace, ProjectMetadata, ROOT_CI_TASK_NAME, ROOT_TURBO_TASK_NAME, ResetTask, TestRunner, TurboRepo, TurboRepoTask, TypeScriptConfig, TypeScriptProject, VERSION, VERSION_KEYS_SKIP, VERSION_NPM_PACKAGES, VSCodeConfig, Vitest, addApproveMergeUpgradeWorkflow, addBuildCompleteJob, awsCdkBundle, baseBundle, getLatestEligibleVersion, githubWorkflowBundle, jestBundle, pnpmBundle, projenBundle, resolveTemplateVariables, turborepoBundle, typescriptBundle, vitestBundle };
 export type { AgentConfigOptions, AgentModel, AgentPlatform, AgentPlatformOverrides, AgentRule, AgentRuleBundle, AgentRuleScope, AgentSkill, AgentSubAgent, AgentSubAgentPlatformOverrides, ApproveMergeUpgradeOptions, AwsAccount, AwsDeploymentTargetOptions, AwsLocalDeploymentConfig, AwsOrganization, AwsRegion, CiDeploymentConfig, ClassTypeOptions, ClaudeAutoModeConfig, ClaudeHookAction, ClaudeHookEntry, ClaudeHooksConfig, ClaudePermissionsConfig, ClaudeRuleTarget, ClaudeSandboxConfig, ClaudeSettingsConfig, CopilotHandoff, CursorHookAction, CursorHooksConfig, CursorSettingsConfig, DeployWorkflowOptions, DeploymentMetadata, GitBranch, GitHubBoardMetadata, GitHubProjectMetadata, GitHubSprintMetadata, IDependencyResolver, McpServerConfig, McpTransport, MergeMethod, MonorepoProjectOptions, OrganizationMetadata, PnpmWorkspaceOptions, ProjectMetadataOptions, RemoteCacheOptions, RepositoryMetadata, ResetTaskOptions, ResolvedProjectMetadata, SlackMetadata, TemplateResolveResult, TurboRepoOptions, TurboRepoTaskOptions, TypeScriptProjectOptions, VersionKey, VitestConfigOptions, VitestOptions };

package/lib/index.js

@@ -189,6 +189,7 @@ __export(index_exports, {
   MCP_TRANSPORT: () => MCP_TRANSPORT,
   MERGE_METHODS: () => MERGE_METHODS,
   MIMIMUM_RELEASE_AGE: () => MIMIMUM_RELEASE_AGE,
+  MINIMUM_RELEASE_AGE: () => MINIMUM_RELEASE_AGE,
   MonorepoProject: () => MonorepoProject,
   PROD_DEPLOY_NAME: () => PROD_DEPLOY_NAME,
   PnpmWorkspace: () => PnpmWorkspace,
@@ -678,6 +679,17 @@ var baseBundle = {
         "| `release:` | Release preparation, version bumps |",
         "| `hotfix:` | Urgent production fixes |",
         "",
+        "## GitHub Issue Type",
+        "",
+        "When creating issues, always assign the appropriate **GitHub issue type** based on the title prefix:",
+        "",
+        "| Prefix | GitHub Issue Type |",
+        "|--------|------------------|",
+        "| `epic:` | Epic |",
+        "| `feat:` | Feature |",
+        "| `fix:` | Bug |",
+        "| `chore:`, `docs:`, `refactor:`, `release:`, `hotfix:` | Task |",
+        "",
         "## Prerequisite Issues",
         "",
         "Include any prerequisite (blocking) issues in the issue body when they exist.",
@@ -706,18 +718,20 @@ var githubWorkflowBundle = {
         "",
         "When the user says **work on issue X** (or similar), follow these steps exactly:",
         "",
-        "1. **Fetch issue details** \u2014 use `gh issue view <number>` to get the title, body, and labels",
-        "2. **Determine branch type** from the issue title prefix:",
+        "1. **Ensure you have the latest code** \u2014 switch to the default branch and pull:",
+        "   - `git checkout {{repository.defaultBranch}} && git pull origin {{repository.defaultBranch}}`",
+        "2. **Fetch issue details** \u2014 use `gh issue view <number>` to get the title, body, and labels",
+        "3. **Determine branch type** from the issue title prefix:",
         "   - `feat:` / `feature:` \u2192 `feat/`",
         "   - `fix:` / `bug:` \u2192 `fix/`",
         "   - `docs:` \u2192 `docs/`",
         "   - `chore:` / `refactor:` \u2192 `chore/`",
         "   - `test:` \u2192 `test/`",
         "   - No prefix \u2192 `feat/`",
-        "3. **Create a branch** following the naming convention: `<type>/<short-slug>-<issue-number>` (e.g., `feat/add-login-42`)",
-        "4. **Checkout the branch** locally",
-        "5. **Link the branch to the issue** by posting a comment: `gh issue comment <number> --body 'Branch: \\`<branch-name>\\`'`",
-        "6. **Stop and wait** for user instructions \u2014 do **NOT** start implementing",
+        "4. **Create a branch** following the naming convention: `<type>/<short-slug>-<issue-number>` (e.g., `feat/add-login-42`)",
+        "5. **Checkout the branch** locally",
+        "6. **Link the branch to the issue** by posting a comment: `gh issue comment <number> --body 'Branch: \\`<branch-name>\\`'`",
+        "7. **Stop and wait** for user instructions \u2014 do **NOT** start implementing",
         "",
         "### Important",
         "",
@@ -834,13 +848,16 @@ var jestBundle = {
       ].join("\n"),
       tags: ["testing"]
     }
-  ]
+  ],
+  claudePermissions: {
+    allow: ["Bash(npx jest:*)"]
+  }
 };
 
 // src/pnpm/pnpm-workspace.ts
 var import_path = require("path");
 var import_projen = require("projen");
-var MIMIMUM_RELEASE_AGE = {
+var MINIMUM_RELEASE_AGE = {
   ZERO_DAYS: 0,
   ONE_HOUR: 60,
   SIX_HOURS: 360,
@@ -869,7 +886,7 @@ var PnpmWorkspace = class _PnpmWorkspace extends import_projen.Component {
     super(project);
     project.tryFindObjectFile("package.json")?.addDeletionOverride("pnpm");
     this.fileName = options.fileName ?? "pnpm-workspace.yaml";
-    this.minimumReleaseAge = options.minimumReleaseAge ?? MIMIMUM_RELEASE_AGE.ONE_DAY;
+    this.minimumReleaseAge = options.minimumReleaseAge ?? MINIMUM_RELEASE_AGE.ONE_DAY;
     this.minimumReleaseAgeExclude = options.minimumReleaseAgeExclude ? ["@codedrifters/*", ...options.minimumReleaseAgeExclude] : ["@codedrifters/*"];
     this.onlyBuiltDependencies = options.onlyBuiltDependencies ? options.onlyBuiltDependencies : [];
     this.ignoredBuiltDependencies = options.ignoredBuiltDependencies ? options.ignoredBuiltDependencies : [];
@@ -916,6 +933,7 @@ var PnpmWorkspace = class _PnpmWorkspace extends import_projen.Component {
     });
   }
 };
+var MIMIMUM_RELEASE_AGE = MINIMUM_RELEASE_AGE;
 
 // src/agent/bundles/pnpm.ts
 var pnpmBundle = {
@@ -1337,7 +1355,10 @@ var turborepoBundle = {
       ].join("\n"),
       tags: ["workflow"]
     }
-  ]
+  ],
+  claudePermissions: {
+    allow: ["Bash(npx turbo:*)"]
+  }
 };
 
 // src/agent/bundles/typescript.ts
@@ -1412,7 +1433,10 @@ var typescriptBundle = {
       ].join("\n"),
       tags: ["coding"]
     }
-  ]
+  ],
+  claudePermissions: {
+    allow: ["Bash(npx tsc:*)"]
+  }
 };
 
 // src/vitest/vitest-component.ts
@@ -1604,7 +1628,10 @@ var vitestBundle = {
       ].join("\n"),
       tags: ["testing"]
     }
-  ]
+  ],
+  claudePermissions: {
+    allow: ["Bash(npx vitest:*)"]
+  }
 };
 
 // src/agent/bundles/index.ts
@@ -2229,6 +2256,110 @@ function resolveTemplateVariables(template, metadata) {
 }
 
 // src/agent/agent-config.ts
+var DEFAULT_CLAUDE_ALLOW = [
+  // ── Git ──────────────────────────────────────────────────────────────
+  "Bash(git add *)",
+  "Bash(git branch *)",
+  "Bash(git checkout *)",
+  "Bash(git commit *)",
+  "Bash(git diff *)",
+  "Bash(git fetch *)",
+  "Bash(git log *)",
+  "Bash(git merge *)",
+  "Bash(git mv *)",
+  "Bash(git pull *)",
+  "Bash(git push *)",
+  "Bash(git rebase *)",
+  "Bash(git rm *)",
+  "Bash(git stash *)",
+  "Bash(git status *)",
+  "Bash(git show *)",
+  "Bash(git rev-parse *)",
+  // ── GitHub CLI ───────────────────────────────────────────────────────
+  "Bash(gh issue *)",
+  "Bash(gh pr *)",
+  "Bash(gh repo *)",
+  "Bash(gh api *)",
+  "Bash(gh label *)",
+  "Bash(gh run *)",
+  "Bash(gh search *)",
+  "Bash(gh browse *)",
+  "Bash(gh status *)",
+  // ── Package manager ──────────────────────────────────────────────────
+  "Bash(pnpm *)",
+  // ── Read-only shell utilities ────────────────────────────────────────
+  "Bash(ls *)",
+  "Bash(find *)",
+  "Bash(cat *)",
+  "Bash(head *)",
+  "Bash(tail *)",
+  "Bash(wc *)",
+  "Bash(grep *)",
+  "Bash(sort *)",
+  "Bash(uniq *)",
+  "Bash(dirname *)",
+  "Bash(basename *)",
+  "Bash(which *)",
+  "Bash(diff *)",
+  "Bash(jq *)",
+  "Bash(date *)",
+  // ── Safe output / test utilities ─────────────────────────────────────
+  "Bash(echo *)",
+  "Bash(printf *)",
+  "Bash(test *)",
+  "Bash([ *)",
+  "Bash(true *)",
+  "Bash(false *)",
+  // ── Safe directory operations ────────────────────────────────────────
+  "Bash(mkdir *)",
+  "Bash(rmdir *)",
+  // ── Built-in tools ───────────────────────────────────────────────────
+  "Read(/**)",
+  "Edit(/**)",
+  "Write(/**)",
+  "WebFetch",
+  "WebSearch"
+];
+var DEFAULT_CLAUDE_DENY = [
+  // ── Destructive git ──────────────────────────────────────────────────
+  "Bash(git push --force *)",
+  "Bash(git push -f *)",
+  "Bash(git push origin --force *)",
+  "Bash(git push origin -f *)",
+  "Bash(git reset --hard *)",
+  "Bash(git clean -f *)",
+  "Bash(git remote *)",
+  // ── Destructive file operations ──────────────────────────────────────
+  "Bash(rm -rf *)",
+  "Bash(rm -r *)",
+  "Bash(rm *)",
+  // ── Network / remote access ──────────────────────────────────────────
+  "Bash(curl *)",
+  "Bash(wget *)",
+  "Bash(ssh *)",
+  "Bash(scp *)",
+  // ── System administration ────────────────────────────────────────────
+  "Bash(sudo *)",
+  "Bash(chmod *)",
+  "Bash(chown *)",
+  "Bash(kill *)",
+  "Bash(killall *)",
+  "Bash(pkill *)",
+  // ── Code execution / shell spawning ──────────────────────────────────
+  "Bash(eval *)",
+  "Bash(exec *)",
+  "Bash(source *)",
+  "Bash(. *)",
+  "Bash(bash *)",
+  "Bash(sh *)",
+  "Bash(zsh *)",
+  // ── App launching ────────────────────────────────────────────────────
+  "Bash(open *)",
+  "Bash(xdg-open *)",
+  // ── Environment manipulation ─────────────────────────────────────────
+  "Bash(export *)",
+  "Bash(env *)"
+];
 var AgentConfig = class _AgentConfig extends import_projen8.Component {
   /**
    * Find the AgentConfig component on a project.
@@ -2237,6 +2368,27 @@ var AgentConfig = class _AgentConfig extends import_projen8.Component {
     const isAgentConfig = (c) => c instanceof _AgentConfig;
     return project.components.find(isAgentConfig);
   }
+  /**
+   * Merges default Claude permissions with bundle and user-supplied settings.
+   *
+   * Merge order: defaults → bundle permissions → user-supplied entries.
+   * `defaultMode` defaults to `"dontAsk"` unless overridden.
+   */
+  static mergeClaudeDefaults(userSettings, bundlePermissions) {
+    const bundleAllow = bundlePermissions?.allow ?? [];
+    const bundleDeny = bundlePermissions?.deny ?? [];
+    const userAllow = userSettings?.permissions?.allow ?? [];
+    const userDeny = userSettings?.permissions?.deny ?? [];
+    return {
+      ...userSettings,
+      defaultMode: userSettings?.defaultMode ?? "dontAsk",
+      permissions: {
+        ...userSettings?.permissions,
+        allow: [...DEFAULT_CLAUDE_ALLOW, ...bundleAllow, ...userAllow],
+        deny: [...DEFAULT_CLAUDE_DENY, ...bundleDeny, ...userDeny]
+      }
+    };
+  }
   constructor(project, options = {}) {
     super(project);
     this.options = options;
@@ -2267,13 +2419,17 @@ var AgentConfig = class _AgentConfig extends import_projen8.Component {
       );
     }
     if (platforms.includes(AGENT_PLATFORM.CLAUDE)) {
+      const bundlePermissions = this.resolveBundlePermissions();
       ClaudeRenderer.render(
         this,
         resolvedRules,
         resolvedSkills,
         resolvedSubAgents,
         mcpServers,
-        this.options.claudeSettings
+        _AgentConfig.mergeClaudeDefaults(
+          this.options.claudeSettings,
+          bundlePermissions
+        )
       );
     }
     if (platforms.includes(AGENT_PLATFORM.CODEX)) {
@@ -2445,6 +2601,40 @@ ${extra}`
       return resolved !== agent.prompt ? { ...agent, prompt: resolved } : agent;
     });
   }
+  /**
+   * Collects Claude permission entries from all active bundles.
+   */
+  resolveBundlePermissions() {
+    const allow = [];
+    const deny = [];
+    if (this.options.autoDetectBundles !== false) {
+      for (const bundle of BUILT_IN_BUNDLES) {
+        if (this.options.excludeBundles?.includes(bundle.name)) continue;
+        if (bundle.appliesWhen(this.project) && bundle.claudePermissions) {
+          if (bundle.claudePermissions.allow) {
+            allow.push(...bundle.claudePermissions.allow);
+          }
+          if (bundle.claudePermissions.deny) {
+            deny.push(...bundle.claudePermissions.deny);
+          }
+        }
+      }
+    }
+    if (this.options.includeBundles) {
+      for (const bundleName of this.options.includeBundles) {
+        const bundle = BUILT_IN_BUNDLES.find((b) => b.name === bundleName);
+        if (bundle?.claudePermissions) {
+          if (bundle.claudePermissions.allow) {
+            allow.push(...bundle.claudePermissions.allow);
+          }
+          if (bundle.claudePermissions.deny) {
+            deny.push(...bundle.claudePermissions.deny);
+          }
+        }
+      }
+    }
+    return { allow, deny };
+  }
 };
 
 // src/aws/aws-deployment-config.ts
@@ -3858,6 +4048,7 @@ var AwsDeployWorkflow = class _AwsDeployWorkflow extends import_projen16.Compone
   MCP_TRANSPORT,
   MERGE_METHODS,
   MIMIMUM_RELEASE_AGE,
+  MINIMUM_RELEASE_AGE,
   MonorepoProject,
   PROD_DEPLOY_NAME,
   PnpmWorkspace,