@massu/core 1.6.3 → 1.8.0

package/README.md

@@ -31,6 +31,78 @@ npx massu doctor
 npx massu validate-config
 ```
 
+### Permission Seeding
+
+To skip the per-tool MCP permission dialog on a fresh install, `npx massu install-commands` automatically seeds the canonical glob `mcp__massu__*` into `.claude/settings.local.json`'s `permissions.allow` array. It also propagates the user-global `defaultMode` (from `~/.claude/settings.json`) into the project-local file (see "Permissions trap" below).
+
+Three lifecycle subcommands for managing the allowlist:
+
+```bash
+# Seed the canonical entry + propagate global defaultMode (idempotent)
+npx massu permissions install
+
+# Read-only check — exit 0 if all canonical entries present
+npx massu permissions verify
+
+# Extended diagnostic — surfaces 4 drift kinds with severity-mapped exit codes
+npx massu permissions check-drift
+```
+
+To opt out of automatic permission seeding during `install-commands` (e.g., when permissions are managed centrally by enterprise policy):
+
+```bash
+npx massu install-commands --skip-permissions
+```
+
+`defaultMode` validity reference (per [Claude Code docs](https://code.claude.com/docs/en/permission-modes)):
+
+| Mode | Activatable from settings file alone | Requires launch flag |
+|---|---|---|
+| `default` | ✓ | — |
+| `acceptEdits` | ✓ | — |
+| `plan` | ✓ | — |
+| `bypassPermissions` | — | `--permission-mode bypassPermissions` or `--dangerously-skip-permissions` |
+| `auto` | — | `--permission-mode auto` (plus plan/admin/model preconditions) |
+| `dontAsk` | — | `--permission-mode dontAsk` |
+
+`permissions check-drift` warns when a launch-flag-required value is set in settings without the corresponding flag (these settings are silently inert without the launch flag).
+
+### Permissions trap (settings merge)
+
+Empirically observed in Claude Code 2.1.x: a project-local `.claude/settings.local.json` that has a `permissions` object **without** a `defaultMode` key silently STRIPS the user-global `defaultMode` from `~/.claude/settings.json` during settings merge. The merge unit appears to be the entire `permissions` object's top-level keys, not individual keys within it — undocumented at `code.claude.com/docs/en/permissions`.
+
+**Before** (trap state):
+```jsonc
+// ~/.claude/settings.json (global)
+{ "permissions": { "defaultMode": "auto" } }
+
+// .claude/settings.local.json (project)
+{ "permissions": { "allow": ["mcp__massu__*"] } }
+// Effective defaultMode in this project: NONE (global "auto" silently stripped)
+```
+
+**After** (correct state, what `massu permissions install` writes):
+```jsonc
+// .claude/settings.local.json (project)
+{ "permissions": {
+    "allow": ["mcp__massu__*"],
+    "defaultMode": "auto"
+} }
+```
+
+The install writer:
+1. Reads global `~/.claude/settings.json`
+2. Reads project-local `.claude/settings.local.json`
+3. Computes merged state: `allow` = union with canonical entries; `defaultMode` = local override OR global value OR omit; `deny`/`ask` preserved from local
+4. Atomic-writes the complete merged block
+5. Post-write fail-loud assertion: re-reads disk and confirms the merge survived
+
+To audit any project for the trap (or any other permission drift):
+```bash
+npx massu permissions check-drift
+# Exit 4 + stderr "drift[strips-global-defaultmode]: ..." if the trap is present
+```
+
 ## Documentation
 
 Full documentation at [massu.ai](https://massu.ai).