@jaguilar87/gaia-ops 3.2.2 → 3.2.3

package/CHANGELOG.md

@@ -5,6 +5,35 @@ All notable changes to the CLAUDE.md orchestrator instructions are documented in
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [3.2.3] - 2025-12-09
+
+### Service-Level Permission Wildcards
+
+Simplified permission patterns using service-level wildcards for better Claude Code compatibility.
+
+#### Changed
+- **AWS patterns**: Simplified from `Bash(aws rds describe-:*)` to `Bash(aws rds :*)`
+  - Service-level wildcards: `aws ec2`, `aws rds`, `aws s3`, `aws iam`, etc.
+  - Works around Claude Code pattern matching issues with hyphens
+- **GCP patterns**: Simplified to `Bash(gcloud compute :*)`, `Bash(gcloud container :*)`, etc.
+- **Format standardization**: Removed spaces before `:*` for commands without arguments
+
+#### Fixed
+- Agent README files renamed to `_README.md` to avoid Claude Code parse errors
+- Pattern matching now works for `aws rds describe-db-instances` and similar commands
+
+#### Impact
+- **Read-only commands**: Execute automatically ✓
+- **Modification commands** (start/stop, upload, resize): Now execute automatically (Option A1)
+- **Destructive commands** (delete, terminate): Still blocked ✓
+
+#### Philosophy (Option A1 - Permissive with guardrails)
+- Wide `allow[]` for entire services (e.g., `aws ec2 :*`)
+- Strict `deny[]` for destructive operations
+- Trade-off: Modification commands no longer require confirmation
+
+---
+
 ## [3.2.2] - 2025-12-09
 
 ### Enhanced Permissions System

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jaguilar87/gaia-ops",
-  "version": "3.2.2",
+  "version": "3.2.3",
   "description": "Multi-agent orchestration system for Claude Code - DevOps automation toolkit",
   "main": "index.js",
   "type": "module",

package/templates/settings.template.json

@@ -185,102 +185,46 @@
       "Bash(git tag:*)",
       "Bash(git for-each-ref:*)",
 
-      "Bash(aws sts:*)",
-      "Bash(aws configure list:*)",
-      "Bash(aws configure get:*)",
-      "Bash(aws ec2 describe-:*)",
-      "Bash(aws ec2 get-:*)",
-      "Bash(aws s3 ls:*)",
-      "Bash(aws s3api get-:*)",
-      "Bash(aws s3api head-:*)",
-      "Bash(aws s3api list-:*)",
-      "Bash(aws rds describe-:*)",
-      "Bash(aws iam get-:*)",
-      "Bash(aws iam list-:*)",
-      "Bash(aws lambda get-:*)",
-      "Bash(aws lambda list-:*)",
-      "Bash(aws logs describe-:*)",
-      "Bash(aws logs get-:*)",
-      "Bash(aws logs filter-:*)",
-      "Bash(aws cloudwatch describe-:*)",
-      "Bash(aws cloudwatch get-:*)",
-      "Bash(aws cloudwatch list-:*)",
-      "Bash(aws cloudformation describe-:*)",
-      "Bash(aws cloudformation get-:*)",
-      "Bash(aws cloudformation list-:*)",
-      "Bash(aws elbv2 describe-:*)",
-      "Bash(aws elb describe-:*)",
-      "Bash(aws route53 get-:*)",
-      "Bash(aws route53 list-:*)",
-      "Bash(aws secretsmanager get-:*)",
-      "Bash(aws secretsmanager list-:*)",
-      "Bash(aws secretsmanager describe-:*)",
-      "Bash(aws ssm get-:*)",
-      "Bash(aws ssm list-:*)",
-      "Bash(aws ssm describe-:*)",
-      "Bash(aws sns get-:*)",
-      "Bash(aws sns list-:*)",
-      "Bash(aws sqs get-:*)",
-      "Bash(aws sqs list-:*)",
-      "Bash(aws dynamodb describe-:*)",
-      "Bash(aws dynamodb list-:*)",
-      "Bash(aws dynamodb get-:*)",
-      "Bash(aws dynamodb scan:*)",
-      "Bash(aws dynamodb query:*)",
-      "Bash(aws ecr describe-:*)",
-      "Bash(aws ecr get-:*)",
-      "Bash(aws ecr list-:*)",
-      "Bash(aws eks describe-:*)",
-      "Bash(aws eks list-:*)",
-      "Bash(aws elasticache describe-:*)",
+      "Bash(aws sts :*)",
+      "Bash(aws configure :*)",
+      "Bash(aws ec2 :*)",
+      "Bash(aws s3 :*)",
+      "Bash(aws s3api :*)",
+      "Bash(aws rds :*)",
+      "Bash(aws iam :*)",
+      "Bash(aws lambda :*)",
+      "Bash(aws logs :*)",
+      "Bash(aws cloudwatch :*)",
+      "Bash(aws cloudformation :*)",
+      "Bash(aws elbv2 :*)",
+      "Bash(aws elb :*)",
+      "Bash(aws route53 :*)",
+      "Bash(aws secretsmanager :*)",
+      "Bash(aws ssm :*)",
+      "Bash(aws sns :*)",
+      "Bash(aws sqs :*)",
+      "Bash(aws dynamodb :*)",
+      "Bash(aws ecr :*)",
+      "Bash(aws eks :*)",
+      "Bash(aws elasticache :*)",
 
-      "Bash(gcloud version:*)",
-      "Bash(gcloud info:*)",
-      "Bash(gcloud auth:*)",
-      "Bash(gcloud config:*)",
-      "Bash(gcloud projects list:*)",
-      "Bash(gcloud projects describe:*)",
-      "Bash(gcloud compute instances list:*)",
-      "Bash(gcloud compute instances describe:*)",
-      "Bash(gcloud compute networks list:*)",
-      "Bash(gcloud compute networks describe:*)",
-      "Bash(gcloud compute networks subnets list:*)",
-      "Bash(gcloud compute networks subnets describe:*)",
-      "Bash(gcloud compute firewall-rules list:*)",
-      "Bash(gcloud compute firewall-rules describe:*)",
-      "Bash(gcloud compute addresses list:*)",
-      "Bash(gcloud compute addresses describe:*)",
-      "Bash(gcloud compute disks list:*)",
-      "Bash(gcloud compute disks describe:*)",
-      "Bash(gcloud compute images list:*)",
-      "Bash(gcloud compute images describe:*)",
-      "Bash(gcloud compute zones list:*)",
-      "Bash(gcloud compute regions list:*)",
-      "Bash(gcloud container clusters list:*)",
-      "Bash(gcloud container clusters describe:*)",
-      "Bash(gcloud container clusters get-credentials:*)",
-      "Bash(gcloud container node-pools list:*)",
-      "Bash(gcloud container node-pools describe:*)",
-      "Bash(gcloud sql instances list:*)",
-      "Bash(gcloud sql instances describe:*)",
-      "Bash(gcloud sql databases list:*)",
-      "Bash(gcloud sql users list:*)",
-      "Bash(gcloud redis instances list:*)",
-      "Bash(gcloud redis instances describe:*)",
-      "Bash(gcloud iam service-accounts list:*)",
-      "Bash(gcloud iam service-accounts describe:*)",
-      "Bash(gcloud iam service-accounts get-iam-policy:*)",
-      "Bash(gcloud iam roles list:*)",
-      "Bash(gcloud iam roles describe:*)",
-      "Bash(gcloud logging read:*)",
-      "Bash(gcloud logging logs list:*)",
-      "Bash(gcloud services list:*)",
-      "Bash(gcloud artifacts repositories list:*)",
-      "Bash(gcloud artifacts docker images list:*)",
-      "Bash(gsutil ls:*)",
-      "Bash(gsutil cat:*)",
-      "Bash(gsutil stat:*)",
-      "Bash(gsutil du:*)",
+      "Bash(gcloud version :*)",
+      "Bash(gcloud info :*)",
+      "Bash(gcloud auth :*)",
+      "Bash(gcloud config :*)",
+      "Bash(gcloud projects :*)",
+      "Bash(gcloud compute :*)",
+      "Bash(gcloud container :*)",
+      "Bash(gcloud sql :*)",
+      "Bash(gcloud redis :*)",
+      "Bash(gcloud iam :*)",
+      "Bash(gcloud logging :*)",
+      "Bash(gcloud services :*)",
+      "Bash(gcloud artifacts :*)",
+      "Bash(gsutil ls :*)",
+      "Bash(gsutil cat :*)",
+      "Bash(gsutil stat :*)",
+      "Bash(gsutil du :*)",
 
       "Bash(kubectl get:*)",
       "Bash(kubectl describe:*)",

package/tests/permissions-validation/test_permissions_validation.py

@@ -282,16 +282,16 @@ def get_test_cases() -> List[TestCase]:
         TestCase("mkdir new-directory", PermissionResult.ASK, "Create directory", "file"),
         TestCase("chmod 755 script.sh", PermissionResult.ASK, "Change permissions", "file"),
 
-        # AWS modifying
-        TestCase("aws s3 cp file.txt s3://bucket/", PermissionResult.ASK, "Upload to S3", "aws"),
-        TestCase("aws ec2 start-instances --instance-ids i-123", PermissionResult.ASK, "Start EC2", "aws"),
-        TestCase("aws ec2 stop-instances --instance-ids i-123", PermissionResult.ASK, "Stop EC2", "aws"),
-        TestCase("aws lambda update-function-code --function-name fn", PermissionResult.ASK, "Update Lambda", "aws"),
-
-        # GCP modifying
-        TestCase("gcloud compute instances start my-vm", PermissionResult.ASK, "Start GCE instance", "gcp"),
-        TestCase("gcloud compute instances stop my-vm", PermissionResult.ASK, "Stop GCE instance", "gcp"),
-        TestCase("gcloud container clusters resize my-cluster", PermissionResult.ASK, "Resize GKE", "gcp"),
+        # AWS modifying (ALLOW with service-level wildcards - Option A1)
+        TestCase("aws s3 cp file.txt s3://bucket/", PermissionResult.ALLOW, "Upload to S3", "aws"),
+        TestCase("aws ec2 start-instances --instance-ids i-123", PermissionResult.ALLOW, "Start EC2", "aws"),
+        TestCase("aws ec2 stop-instances --instance-ids i-123", PermissionResult.ALLOW, "Stop EC2", "aws"),
+        TestCase("aws lambda update-function-code --function-name fn", PermissionResult.ALLOW, "Update Lambda", "aws"),
+
+        # GCP modifying (ALLOW with service-level wildcards - Option A1)
+        TestCase("gcloud compute instances start my-vm", PermissionResult.ALLOW, "Start GCE instance", "gcp"),
+        TestCase("gcloud compute instances stop my-vm", PermissionResult.ALLOW, "Stop GCE instance", "gcp"),
+        TestCase("gcloud container clusters resize my-cluster", PermissionResult.ALLOW, "Resize GKE", "gcp"),
 
         # Docker modifying
         TestCase("docker build -t my-image .", PermissionResult.ASK, "Build image", "docker"),