claude-dev-env 1.41.0 → 1.42.0

package/skills/bugteam/scripts/_claude_permissions_common.py

@@ -12,6 +12,7 @@ import json
 import os
 import stat
 import sys
+from collections.abc import Callable
 from pathlib import Path
 from typing import NoReturn
 
@@ -26,6 +27,7 @@ for each_cached_module_name in [
     )
 
 from config.claude_permissions_common_constants import (
+    ALL_TRUST_ENTRY_PROJECT_PATH_BOUNDARY_QUOTE_CHARACTERS,
     ATOMIC_WRITE_TEMPORARY_SUFFIX,
     DEFAULT_SETTINGS_FILE_MODE,
     TEXT_FILE_ENCODING,
@@ -105,6 +107,113 @@ def build_permission_rules(
     ]
 
 
+def build_agent_config_deny_rule(
+    tool_name: str, project_path: str, agent_config_path_pattern: str
+) -> str:
+    """Construct a deny rule for a single agent-config path pattern.
+
+    Args:
+        tool_name: The permission tool name (e.g., "Edit", "Write", "Read").
+        project_path: The POSIX-style project root path.
+        agent_config_path_pattern: The agent-config path pattern under .claude/.
+
+    Returns:
+        The deny rule string Claude Code matches against tool invocations.
+    """
+    return f"{tool_name}({project_path}/.claude/{agent_config_path_pattern})"
+
+
+def build_agent_config_deny_rules(
+    project_path: str,
+    all_permission_allow_tools: tuple[str, ...],
+    all_agent_config_path_patterns: tuple[str, ...],
+) -> list[str]:
+    """Construct deny rules covering every tool and pattern pair.
+
+    Args:
+        project_path: The POSIX-style project root path.
+        all_permission_allow_tools: Tool names to build deny rules for.
+        all_agent_config_path_patterns: Agent-config path patterns to deny under .claude/.
+
+    Returns:
+        List of deny rule strings, one per tool/pattern combination.
+    """
+    return [
+        build_agent_config_deny_rule(each_tool, project_path, each_pattern)
+        for each_tool in all_permission_allow_tools
+        for each_pattern in all_agent_config_path_patterns
+    ]
+
+
+def _is_project_path_token_at_word_boundary(
+    body_after_prefix: str, token_position: int
+) -> bool:
+    if token_position == 0:
+        return True
+    preceding_character = body_after_prefix[token_position - 1]
+    if preceding_character.isspace():
+        return True
+    return preceding_character in ALL_TRUST_ENTRY_PROJECT_PATH_BOUNDARY_QUOTE_CHARACTERS
+
+
+def is_trust_entry_for_project(
+    candidate_entry: object, project_path: str, prefix: str
+) -> bool:
+    """Detect whether an autoMode.environment entry is a trust entry for the project.
+
+    The predicate matches any string entry whose prefix matches the trust-entry
+    marker and that contains the project's .claude/** path token anchored on a
+    non-path boundary (the start of the body after the prefix, a whitespace
+    character, or a quote character). The boundary anchor prevents
+    cross-project false positives where the current project's path is a path
+    suffix of an unrelated entry's path. The exact wording after the prefix is
+    allowed to vary between template revisions.
+
+    Args:
+        candidate_entry: The autoMode.environment list value to inspect.
+        project_path: The POSIX-style project root path.
+        prefix: The literal prefix that marks a trust entry.
+
+    Returns:
+        True when the entry is a prior trust entry for this project.
+    """
+    if not isinstance(candidate_entry, str):
+        return False
+    if not candidate_entry.startswith(prefix):
+        return False
+    project_path_token = f"{project_path}/.claude/**"
+    body_after_prefix = candidate_entry[len(prefix):]
+    token_position = body_after_prefix.find(project_path_token)
+    while token_position != -1:
+        if _is_project_path_token_at_word_boundary(body_after_prefix, token_position):
+            return True
+        next_search_start = token_position + 1
+        token_position = body_after_prefix.find(project_path_token, next_search_start)
+    return False
+
+
+def remove_matching_entries_from_list(
+    all_target_list: list[object],
+    match_predicate: Callable[[object], bool],
+) -> int:
+    """Remove every entry from a list that satisfies the predicate.
+
+    Args:
+        all_target_list: The list to filter in place.
+        match_predicate: Function returning True for entries to remove.
+
+    Returns:
+        Number of entries removed.
+    """
+    original_length = len(all_target_list)
+    all_target_list[:] = [
+        each_value
+        for each_value in all_target_list
+        if not match_predicate(each_value)
+    ]
+    return original_length - len(all_target_list)
+
+
 def load_settings(settings_path: Path) -> dict[str, object]:
     """Read and parse a JSON settings file from disk.
 

package/skills/bugteam/scripts/config/claude_permissions_common_constants.py

@@ -4,10 +4,58 @@ from __future__ import annotations
 
 TEXT_FILE_ENCODING: str = "utf-8"
 ALL_PERMISSION_ALLOW_TOOLS: tuple[str, ...] = ("Edit", "Write", "Read")
+ALL_AGENT_CONFIG_DENY_TOOLS: tuple[str, ...] = ("Edit", "Write", "Read", "Glob")
+ALL_AGENT_CONFIG_PATH_PATTERNS: tuple[str, ...] = (
+    "settings*.json",
+    "hooks/**",
+    "commands/**",
+    "agents/**",
+    "skills/**",
+    "mcp.json",
+    "CLAUDE.md",
+)
+AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX: str = "Trusted local workspace:"
+
+
+def _describe_agent_config_pattern_for_humans(agent_config_path_pattern: str) -> str:
+    glob_suffix_under_directory = "/**"
+    file_name_for_special_phrasing = "mcp.json"
+    if agent_config_path_pattern.endswith(glob_suffix_under_directory):
+        directory_name = agent_config_path_pattern[
+            : -len(glob_suffix_under_directory)
+        ]
+        return f"anything under {directory_name}/"
+    if agent_config_path_pattern == file_name_for_special_phrasing:
+        return f"the {file_name_for_special_phrasing} file"
+    return agent_config_path_pattern
+
+
+def _build_agent_config_pattern_phrase(
+    all_agent_config_path_patterns: tuple[str, ...],
+) -> str:
+    all_described_patterns: list[str] = [
+        _describe_agent_config_pattern_for_humans(each_pattern)
+        for each_pattern in all_agent_config_path_patterns
+    ]
+    if len(all_described_patterns) <= 1:
+        return ", ".join(all_described_patterns)
+    leading_phrase_parts = ", ".join(all_described_patterns[:-1])
+    final_phrase_part = all_described_patterns[-1]
+    return f"{leading_phrase_parts}, and {final_phrase_part}"
+
+
+_AGENT_CONFIG_PATTERN_PHRASE: str = _build_agent_config_pattern_phrase(
+    ALL_AGENT_CONFIG_PATH_PATTERNS
+)
+
 AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE: str = (
-    "Trusted local workspace: {project_path}/.claude/** is the user's "
-    "project Claude Code config tree; edits inside are routine"
+    f"Trusted local workspace: Files under {{project_path}}/.claude/** inherit "
+    f"the workspace's trust for Edit, Write, Read, and Glob operations EXCEPT "
+    f"for agent-config files: {_AGENT_CONFIG_PATTERN_PHRASE}. Edits to those "
+    f"agent-config files always require explicit per-edit user approval."
 )
+
+ALL_TRUST_ENTRY_PROJECT_PATH_BOUNDARY_QUOTE_CHARACTERS: tuple[str, ...] = ('"', "'")
 ATOMIC_WRITE_TEMPORARY_SUFFIX: str = ".tmp"
 GIT_DIRECTORY_MARKER: str = ".git"
 CLAUDE_DIRECTORY_MARKER: str = ".claude"
@@ -15,6 +63,7 @@ CLAUDE_USER_SETTINGS_FILENAME: str = "settings.json"
 DEFAULT_SETTINGS_FILE_MODE: int = 0o600
 SETTINGS_PERMISSIONS_KEY: str = "permissions"
 SETTINGS_ALLOW_KEY: str = "allow"
+SETTINGS_DENY_KEY: str = "deny"
 SETTINGS_ADDITIONAL_DIRECTORIES_KEY: str = "additionalDirectories"
 SETTINGS_AUTO_MODE_KEY: str = "autoMode"
 SETTINGS_ENVIRONMENT_KEY: str = "environment"

package/skills/bugteam/scripts/grant_project_claude_permissions.py

@@ -21,16 +21,22 @@ if parent_directory not in sys.path:
 
 from _claude_permissions_common import (  # noqa: E402
     append_if_missing,
+    build_agent_config_deny_rules,
     build_permission_rules,
     ensure_dict_section,
     ensure_list_entry,
     exit_with_error,
     get_current_project_path,
+    is_trust_entry_for_project,
     load_settings,
+    remove_matching_entries_from_list,
     save_settings,
 )
 from config.claude_permissions_common_constants import (  # noqa: E402
+    ALL_AGENT_CONFIG_DENY_TOOLS,
+    ALL_AGENT_CONFIG_PATH_PATTERNS,
     ALL_PERMISSION_ALLOW_TOOLS,
+    AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX,
     AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE,
     CLAUDE_DIRECTORY_MARKER,
     CLAUDE_USER_SETTINGS_FILENAME,
@@ -38,6 +44,7 @@ from config.claude_permissions_common_constants import (  # noqa: E402
     SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
     SETTINGS_ALLOW_KEY,
     SETTINGS_AUTO_MODE_KEY,
+    SETTINGS_DENY_KEY,
     SETTINGS_ENVIRONMENT_KEY,
     SETTINGS_PERMISSIONS_KEY,
 )
@@ -77,6 +84,31 @@ def add_rules_to_allow_list(all_settings: dict[str, object], all_rules_to_add: l
     )
 
 
+def add_rules_to_deny_list(
+    all_settings: dict[str, object], all_rules_to_add: list[str]
+) -> int:
+    """Add permission rules to the settings deny list.
+
+    Deny rules take precedence over allow rules in Claude Code's permission
+    matching, so writing agent-config paths into the deny list forces a
+    per-edit user approval even when a broader allow rule would cover them.
+
+    Args:
+        all_settings: The parsed settings dictionary.
+        all_rules_to_add: Permission rule strings to append.
+
+    Returns:
+        Number of rules actually added (new entries).
+    """
+    permissions_section = ensure_dict_section(all_settings, SETTINGS_PERMISSIONS_KEY)
+    existing_deny_list = ensure_list_entry(permissions_section, SETTINGS_DENY_KEY)
+    return sum(
+        1
+        for each_rule in all_rules_to_add
+        if append_if_missing(existing_deny_list, each_rule)
+    )
+
+
 def add_directory_to_additional_directories(
     all_settings: dict[str, object], directory_path: str
 ) -> int:
@@ -117,11 +149,63 @@ def add_auto_mode_environment_entry(
     return 0
 
 
+def purge_stale_trust_entries(
+    all_settings: dict[str, object],
+    project_path: str,
+    prefix: str,
+    protected_entry: str | None = None,
+) -> int:
+    """Remove every prior trust entry for the project from autoMode.environment.
+
+    A trust entry is any string in autoMode.environment whose prefix matches
+    the trust-entry marker and that contains the project's .claude/** path.
+    Purging stale entries before adding the current template prevents
+    accumulation across template revisions. The optional protected_entry
+    survives the purge so an entry byte-identical to the one about to be
+    re-added is not removed and re-added on every invocation, preserving the
+    idempotency contract documented on grant_permissions_for_current_directory.
+
+    Args:
+        all_settings: The parsed settings dictionary.
+        project_path: The POSIX-style project root path.
+        prefix: The literal prefix that marks a trust entry.
+        protected_entry: Optional entry text that, when byte-equal to a
+            candidate, prevents removal. Pass the freshly-formatted current
+            template entry from grant to preserve idempotency. Revoke passes
+            None so every matching entry is removed.
+
+    Returns:
+        Number of stale entries removed.
+    """
+    auto_mode_section = all_settings.get(SETTINGS_AUTO_MODE_KEY)
+    if not isinstance(auto_mode_section, dict):
+        return 0
+    existing_environment = auto_mode_section.get(SETTINGS_ENVIRONMENT_KEY)
+    if not isinstance(existing_environment, list):
+        return 0
+
+    def _should_purge_candidate(candidate_entry: object) -> bool:
+        if not is_trust_entry_for_project(candidate_entry, project_path, prefix):
+            return False
+        if protected_entry is not None and candidate_entry == protected_entry:
+            return False
+        return True
+
+    return remove_matching_entries_from_list(
+        existing_environment,
+        _should_purge_candidate,
+    )
+
+
 def grant_permissions_for_current_directory() -> None:
     """Grant Edit/Write/Read permissions for the current project directory.
 
     Reads the current project path, constructs permission rules from config
-    constants, and writes them to ~/.claude/settings.json atomically.
+    constants, and writes them to ~/.claude/settings.json atomically. Adds
+    deny rules for agent-config paths so edits to settings, hooks, commands,
+    agents, skills, mcp.json, and CLAUDE.md still require per-edit user
+    approval. Purges any prior trust entries for this project before writing
+    the current template to prevent accumulation across template revisions.
 
     Raises:
         SystemExit(1): When the current directory is not a valid project root.
@@ -141,19 +225,37 @@ def grant_permissions_for_current_directory() -> None:
         raise SystemExit(1)
     project_path = get_current_project_path()
     permission_rules = build_permission_rules(project_path, ALL_PERMISSION_ALLOW_TOOLS)
+    all_agent_config_deny_rules = build_agent_config_deny_rules(
+        project_path,
+        ALL_AGENT_CONFIG_DENY_TOOLS,
+        ALL_AGENT_CONFIG_PATH_PATTERNS,
+    )
     environment_entry = AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
         project_path=project_path
     )
     settings = load_settings(claude_user_settings_path)
-    rules_added_count = add_rules_to_allow_list(settings, permission_rules)
+    allow_rules_added_count = add_rules_to_allow_list(settings, permission_rules)
+    deny_rules_added_count = add_rules_to_deny_list(
+        settings, all_agent_config_deny_rules
+    )
     directories_added_count = add_directory_to_additional_directories(
         settings, project_path
     )
+    stale_trust_entries_purged_count = purge_stale_trust_entries(
+        settings,
+        project_path,
+        AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX,
+        protected_entry=environment_entry,
+    )
     environment_entries_added_count = add_auto_mode_environment_entry(
         settings, environment_entry
     )
     total_changes_count = (
-        rules_added_count + directories_added_count + environment_entries_added_count
+        allow_rules_added_count
+        + deny_rules_added_count
+        + directories_added_count
+        + stale_trust_entries_purged_count
+        + environment_entries_added_count
     )
     if total_changes_count == 0:
         print(f"Project path: {project_path}")
@@ -163,8 +265,17 @@ def grant_permissions_for_current_directory() -> None:
     save_settings(claude_user_settings_path, settings)
     print(f"Project path: {project_path}")
     print(f"Settings file: {claude_user_settings_path}")
-    print(f"Allow rules added: {rules_added_count} of {len(permission_rules)}")
+    print(f"Allow rules added: {allow_rules_added_count} of {len(permission_rules)}")
+    print(
+        f"Deny rules added: {deny_rules_added_count} of "
+        f"{len(all_agent_config_deny_rules)}"
+    )
     print(f"Additional directories added: {directories_added_count}")
+    if stale_trust_entries_purged_count > 0:
+        print(
+            f"Stale auto-mode environment entries purged: "
+            f"{stale_trust_entries_purged_count}"
+        )
     print(f"Auto-mode environment entries added: {environment_entries_added_count}")
 
 

package/skills/bugteam/scripts/revoke_project_claude_permissions.py

@@ -21,22 +21,28 @@ if parent_directory not in sys.path:
     sys.path.insert(0, parent_directory)
 
 from _claude_permissions_common import (  # noqa: E402
+    build_agent_config_deny_rules,
     build_permission_rules,
     exit_with_error,
     get_current_project_path,
+    is_trust_entry_for_project,
     load_settings,
     prune_empty_list_then_empty_section,
+    remove_matching_entries_from_list,
     save_settings,
 )
 from config.claude_permissions_common_constants import (  # noqa: E402
+    ALL_AGENT_CONFIG_DENY_TOOLS,
+    ALL_AGENT_CONFIG_PATH_PATTERNS,
     ALL_PERMISSION_ALLOW_TOOLS,
-    AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE,
+    AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX,
     CLAUDE_DIRECTORY_MARKER,
     CLAUDE_USER_SETTINGS_FILENAME,
     GIT_DIRECTORY_MARKER,
     SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
     SETTINGS_ALLOW_KEY,
     SETTINGS_AUTO_MODE_KEY,
+    SETTINGS_DENY_KEY,
     SETTINGS_ENVIRONMENT_KEY,
     SETTINGS_PERMISSIONS_KEY,
 )
@@ -97,6 +103,27 @@ def remove_rules_from_allow_list(
     return remove_values_from_list(existing_allow_list, set(all_rules_to_remove))
 
 
+def remove_rules_from_deny_list(
+    all_settings: dict[str, object], all_rules_to_remove: list[str]
+) -> int:
+    """Remove matching permission rules from the settings deny list.
+
+    Args:
+        all_settings: The parsed settings dictionary.
+        all_rules_to_remove: Permission rule strings to remove.
+
+    Returns:
+        Number of rules removed.
+    """
+    permissions_section = all_settings.get(SETTINGS_PERMISSIONS_KEY)
+    if not isinstance(permissions_section, dict):
+        return 0
+    existing_deny_list = permissions_section.get(SETTINGS_DENY_KEY)
+    if not isinstance(existing_deny_list, list):
+        return 0
+    return remove_values_from_list(existing_deny_list, set(all_rules_to_remove))
+
+
 def remove_directory_from_additional_directories(
     all_settings: dict[str, object], directory_path: str
 ) -> int:
@@ -118,17 +145,23 @@ def remove_directory_from_additional_directories(
     return remove_values_from_list(existing_directories, {directory_path})
 
 
-def remove_auto_mode_environment_entry(
-    all_settings: dict[str, object], entry_text: str
+def remove_trust_entries_for_project(
+    all_settings: dict[str, object], project_path: str, prefix: str
 ) -> int:
-    """Remove an auto-mode environment entry for the project.
+    """Remove every trust entry for the project from autoMode.environment.
+
+    Matches any string in autoMode.environment whose prefix matches the
+    trust-entry marker and that contains the project's .claude/** path.
+    The match is wording-agnostic so prior template revisions are removed
+    cleanly even when the current template differs.
 
     Args:
         all_settings: The parsed settings dictionary.
-        entry_text: The environment entry text to remove.
+        project_path: The POSIX-style project root path.
+        prefix: The literal prefix that marks a trust entry.
 
     Returns:
-        1 when the entry was removed, 0 when not found.
+        Number of entries removed.
     """
     auto_mode_section = all_settings.get(SETTINGS_AUTO_MODE_KEY)
     if not isinstance(auto_mode_section, dict):
@@ -136,7 +169,12 @@ def remove_auto_mode_environment_entry(
     existing_environment = auto_mode_section.get(SETTINGS_ENVIRONMENT_KEY)
     if not isinstance(existing_environment, list):
         return 0
-    return remove_values_from_list(existing_environment, {entry_text})
+    return remove_matching_entries_from_list(
+        existing_environment,
+        lambda candidate_entry: is_trust_entry_for_project(
+            candidate_entry, project_path, prefix
+        ),
+    )
 
 
 def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
@@ -148,6 +186,9 @@ def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
     prune_empty_list_then_empty_section(
         all_settings, SETTINGS_PERMISSIONS_KEY, SETTINGS_ALLOW_KEY
     )
+    prune_empty_list_then_empty_section(
+        all_settings, SETTINGS_PERMISSIONS_KEY, SETTINGS_DENY_KEY
+    )
     prune_empty_list_then_empty_section(
         all_settings, SETTINGS_PERMISSIONS_KEY, SETTINGS_ADDITIONAL_DIRECTORIES_KEY
     )
@@ -159,9 +200,10 @@ def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
 def revoke_permissions_for_current_directory() -> None:
     """Revoke Edit/Write/Read permissions for the current project directory.
 
-    Reads the current project path, constructs permission rules from config
-    constants, removes them from ~/.claude/settings.json, and prunes any
-    newly empty sections.
+    Reads the current project path, constructs the matching allow and deny
+    permission rules, removes them from ~/.claude/settings.json, removes
+    every trust entry for the project from autoMode.environment, and prunes
+    any newly empty sections.
 
     Raises:
         SystemExit(1): When the current directory is not a valid project root.
@@ -181,19 +223,25 @@ def revoke_permissions_for_current_directory() -> None:
         raise SystemExit(1)
     project_path = get_current_project_path()
     permission_rules = build_permission_rules(project_path, ALL_PERMISSION_ALLOW_TOOLS)
-    environment_entry = AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
-        project_path=project_path
+    all_agent_config_deny_rules = build_agent_config_deny_rules(
+        project_path,
+        ALL_AGENT_CONFIG_DENY_TOOLS,
+        ALL_AGENT_CONFIG_PATH_PATTERNS,
     )
     settings = load_settings(claude_user_settings_path)
-    rules_removed_count = remove_rules_from_allow_list(settings, permission_rules)
+    allow_rules_removed_count = remove_rules_from_allow_list(settings, permission_rules)
+    deny_rules_removed_count = remove_rules_from_deny_list(
+        settings, all_agent_config_deny_rules
+    )
     directories_removed_count = remove_directory_from_additional_directories(
         settings, project_path
     )
-    environment_entries_removed_count = remove_auto_mode_environment_entry(
-        settings, environment_entry
+    environment_entries_removed_count = remove_trust_entries_for_project(
+        settings, project_path, AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX
     )
     total_changes_count = (
-        rules_removed_count
+        allow_rules_removed_count
+        + deny_rules_removed_count
         + directories_removed_count
         + environment_entries_removed_count
     )
@@ -206,7 +254,11 @@ def revoke_permissions_for_current_directory() -> None:
     save_settings(claude_user_settings_path, settings)
     print(f"Project path: {project_path}")
     print(f"Settings file: {claude_user_settings_path}")
-    print(f"Allow rules removed: {rules_removed_count} of {len(permission_rules)}")
+    print(f"Allow rules removed: {allow_rules_removed_count} of {len(permission_rules)}")
+    print(
+        f"Deny rules removed: {deny_rules_removed_count} of "
+        f"{len(all_agent_config_deny_rules)}"
+    )
     print(f"Additional directories removed: {directories_removed_count}")
     print(
         f"Auto-mode environment entries removed: {environment_entries_removed_count}"