npm - claude-dev-env - Versions diffs - 1.41.0 → 1.43.0 - Mend

claude-dev-env 1.41.0 → 1.43.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (214) hide show

package/skills/bugteam/scripts/grant_project_claude_permissions.py CHANGED Viewed

@@ -9,28 +9,28 @@ the changes applied. No-op when the entries already exist.
 import sys
 from pathlib import Path
-for each_cached_module_name in [
-    each_module_key
-    for each_module_key in list(sys.modules)
-    if each_module_key == "config" or each_module_key.startswith("config.")
-]:
-    sys.modules.pop(each_cached_module_name, None)
 parent_directory = str(Path(__file__).resolve().parent)
 if parent_directory not in sys.path:
     sys.path.insert(0, parent_directory)
-from _claude_permissions_common import (  # noqa: E402
+from _bugteam_permissions_common import (  # noqa: E402
     append_if_missing,
+    build_agent_config_deny_rules,
     build_permission_rules,
     ensure_dict_section,
     ensure_list_entry,
     exit_with_error,
     get_current_project_path,
+    is_trust_entry_for_project,
     load_settings,
+    remove_matching_entries_from_list,
     save_settings,
 )
-from config.claude_permissions_common_constants import (  # noqa: E402
+from bugteam_scripts_constants.claude_permissions_common_constants import (  # noqa: E402
+    ALL_AGENT_CONFIG_DENY_TOOLS,
+    ALL_AGENT_CONFIG_PATH_PATTERNS,
     ALL_PERMISSION_ALLOW_TOOLS,
+    AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX,
     AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE,
     CLAUDE_DIRECTORY_MARKER,
     CLAUDE_USER_SETTINGS_FILENAME,
@@ -38,6 +38,7 @@ from config.claude_permissions_common_constants import (  # noqa: E402
     SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
     SETTINGS_ALLOW_KEY,
     SETTINGS_AUTO_MODE_KEY,
+    SETTINGS_DENY_KEY,
     SETTINGS_ENVIRONMENT_KEY,
     SETTINGS_PERMISSIONS_KEY,
 )
@@ -77,6 +78,31 @@ def add_rules_to_allow_list(all_settings: dict[str, object], all_rules_to_add: l
     )
+def add_rules_to_deny_list(
+    all_settings: dict[str, object], all_rules_to_add: list[str]
+) -> int:
+    """Add permission rules to the settings deny list.
+    Deny rules take precedence over allow rules in Claude Code's permission
+    matching, so writing agent-config paths into the deny list forces a
+    per-edit user approval even when a broader allow rule would cover them.
+    Args:
+        all_settings: The parsed settings dictionary.
+        all_rules_to_add: Permission rule strings to append.
+    Returns:
+        Number of rules actually added (new entries).
+    """
+    permissions_section = ensure_dict_section(all_settings, SETTINGS_PERMISSIONS_KEY)
+    existing_deny_list = ensure_list_entry(permissions_section, SETTINGS_DENY_KEY)
+    return sum(
+        1
+        for each_rule in all_rules_to_add
+        if append_if_missing(existing_deny_list, each_rule)
+    )
 def add_directory_to_additional_directories(
     all_settings: dict[str, object], directory_path: str
 ) -> int:
@@ -117,11 +143,63 @@ def add_auto_mode_environment_entry(
     return 0
+def purge_stale_trust_entries(
+    all_settings: dict[str, object],
+    project_path: str,
+    prefix: str,
+    protected_entry: str | None = None,
+) -> int:
+    """Remove every prior trust entry for the project from autoMode.environment.
+    A trust entry is any string in autoMode.environment whose prefix matches
+    the trust-entry marker and that contains the project's .claude/** path.
+    Purging stale entries before adding the current template prevents
+    accumulation across template revisions. The optional protected_entry
+    survives the purge so an entry byte-identical to the one about to be
+    re-added is not removed and re-added on every invocation, preserving the
+    idempotency contract documented on grant_permissions_for_current_directory.
+    Args:
+        all_settings: The parsed settings dictionary.
+        project_path: The POSIX-style project root path.
+        prefix: The literal prefix that marks a trust entry.
+        protected_entry: Optional entry text that, when byte-equal to a
+            candidate, prevents removal. Pass the freshly-formatted current
+            template entry from grant to preserve idempotency. Revoke passes
+            None so every matching entry is removed.
+    Returns:
+        Number of stale entries removed.
+    """
+    auto_mode_section = all_settings.get(SETTINGS_AUTO_MODE_KEY)
+    if not isinstance(auto_mode_section, dict):
+        return 0
+    existing_environment = auto_mode_section.get(SETTINGS_ENVIRONMENT_KEY)
+    if not isinstance(existing_environment, list):
+        return 0
+    def _should_purge_candidate(candidate_entry: object) -> bool:
+        if not is_trust_entry_for_project(candidate_entry, project_path, prefix):
+            return False
+        if protected_entry is not None and candidate_entry == protected_entry:
+            return False
+        return True
+    return remove_matching_entries_from_list(
+        existing_environment,
+        _should_purge_candidate,
+    )
 def grant_permissions_for_current_directory() -> None:
     """Grant Edit/Write/Read permissions for the current project directory.
     Reads the current project path, constructs permission rules from config
-    constants, and writes them to ~/.claude/settings.json atomically.
+    constants, and writes them to ~/.claude/settings.json atomically. Adds
+    deny rules for agent-config paths so edits to settings, hooks, commands,
+    agents, skills, mcp.json, and CLAUDE.md still require per-edit user
+    approval. Purges any prior trust entries for this project before writing
+    the current template to prevent accumulation across template revisions.
     Raises:
         SystemExit(1): When the current directory is not a valid project root.
@@ -141,19 +219,37 @@ def grant_permissions_for_current_directory() -> None:
         raise SystemExit(1)
     project_path = get_current_project_path()
     permission_rules = build_permission_rules(project_path, ALL_PERMISSION_ALLOW_TOOLS)
+    all_agent_config_deny_rules = build_agent_config_deny_rules(
+        project_path,
+        ALL_AGENT_CONFIG_DENY_TOOLS,
+        ALL_AGENT_CONFIG_PATH_PATTERNS,
+    )
     environment_entry = AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
         project_path=project_path
     )
     settings = load_settings(claude_user_settings_path)
-    rules_added_count = add_rules_to_allow_list(settings, permission_rules)
+    allow_rules_added_count = add_rules_to_allow_list(settings, permission_rules)
+    deny_rules_added_count = add_rules_to_deny_list(
+        settings, all_agent_config_deny_rules
+    )
     directories_added_count = add_directory_to_additional_directories(
         settings, project_path
     )
+    stale_trust_entries_purged_count = purge_stale_trust_entries(
+        settings,
+        project_path,
+        AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX,
+        protected_entry=environment_entry,
+    )
     environment_entries_added_count = add_auto_mode_environment_entry(
         settings, environment_entry
     )
     total_changes_count = (
-        rules_added_count + directories_added_count + environment_entries_added_count
+        allow_rules_added_count
+        + deny_rules_added_count
+        + directories_added_count
+        + stale_trust_entries_purged_count
+        + environment_entries_added_count
     )
     if total_changes_count == 0:
         print(f"Project path: {project_path}")
@@ -163,8 +259,17 @@ def grant_permissions_for_current_directory() -> None:
     save_settings(claude_user_settings_path, settings)
     print(f"Project path: {project_path}")
     print(f"Settings file: {claude_user_settings_path}")
-    print(f"Allow rules added: {rules_added_count} of {len(permission_rules)}")
+    print(f"Allow rules added: {allow_rules_added_count} of {len(permission_rules)}")
+    print(
+        f"Deny rules added: {deny_rules_added_count} of "
+        f"{len(all_agent_config_deny_rules)}"
+    )
     print(f"Additional directories added: {directories_added_count}")
+    if stale_trust_entries_purged_count > 0:
+        print(
+            f"Stale auto-mode environment entries purged: "
+            f"{stale_trust_entries_purged_count}"
+        )
     print(f"Auto-mode environment entries added: {environment_entries_added_count}")

package/skills/bugteam/scripts/probe_code_rules_enforcer_check.py CHANGED Viewed

@@ -19,7 +19,7 @@ import sys
 from pathlib import Path
 from types import ModuleType
-from config.probe_code_rules_enforcer_check_constants import (
+from bugteam_scripts_constants.probe_code_rules_enforcer_check_constants import (
     DEFAULT_REPORTED_PATH,
     ENFORCER_MODULE_NAME,
     ENFORCER_RELATIVE_PATH,

package/skills/bugteam/scripts/reflow_skill_md.py CHANGED Viewed

@@ -18,7 +18,7 @@ from __future__ import annotations
 import re
 import textwrap
-from config.reflow_skill_md_constants import (
+from bugteam_scripts_constants.reflow_skill_md_constants import (
     BASH_CONTINUATION_MARKER_WIDTH,
     BULLET_LIST_ITEM_PATTERN as BULLET_RE,
     MAXIMUM_LINE_WIDTH as MAX_WIDTH,

package/skills/bugteam/scripts/revoke_project_claude_permissions.py CHANGED Viewed

@@ -10,33 +10,33 @@ autoMode sections so repeated grant/revoke cycles leave no dead structure.
 import sys
 from pathlib import Path
-for each_cached_module_name in [
-    each_module_key
-    for each_module_key in list(sys.modules)
-    if each_module_key == "config" or each_module_key.startswith("config.")
-]:
-    sys.modules.pop(each_cached_module_name, None)
 parent_directory = str(Path(__file__).resolve().parent)
 if parent_directory not in sys.path:
     sys.path.insert(0, parent_directory)
-from _claude_permissions_common import (  # noqa: E402
+from _bugteam_permissions_common import (  # noqa: E402
+    build_agent_config_deny_rules,
     build_permission_rules,
     exit_with_error,
     get_current_project_path,
+    is_trust_entry_for_project,
     load_settings,
     prune_empty_list_then_empty_section,
+    remove_matching_entries_from_list,
     save_settings,
 )
-from config.claude_permissions_common_constants import (  # noqa: E402
+from bugteam_scripts_constants.claude_permissions_common_constants import (  # noqa: E402
+    ALL_AGENT_CONFIG_DENY_TOOLS,
+    ALL_AGENT_CONFIG_PATH_PATTERNS,
     ALL_PERMISSION_ALLOW_TOOLS,
-    AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE,
+    AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX,
     CLAUDE_DIRECTORY_MARKER,
     CLAUDE_USER_SETTINGS_FILENAME,
     GIT_DIRECTORY_MARKER,
     SETTINGS_ADDITIONAL_DIRECTORIES_KEY,
     SETTINGS_ALLOW_KEY,
     SETTINGS_AUTO_MODE_KEY,
+    SETTINGS_DENY_KEY,
     SETTINGS_ENVIRONMENT_KEY,
     SETTINGS_PERMISSIONS_KEY,
 )
@@ -97,6 +97,27 @@ def remove_rules_from_allow_list(
     return remove_values_from_list(existing_allow_list, set(all_rules_to_remove))
+def remove_rules_from_deny_list(
+    all_settings: dict[str, object], all_rules_to_remove: list[str]
+) -> int:
+    """Remove matching permission rules from the settings deny list.
+    Args:
+        all_settings: The parsed settings dictionary.
+        all_rules_to_remove: Permission rule strings to remove.
+    Returns:
+        Number of rules removed.
+    """
+    permissions_section = all_settings.get(SETTINGS_PERMISSIONS_KEY)
+    if not isinstance(permissions_section, dict):
+        return 0
+    existing_deny_list = permissions_section.get(SETTINGS_DENY_KEY)
+    if not isinstance(existing_deny_list, list):
+        return 0
+    return remove_values_from_list(existing_deny_list, set(all_rules_to_remove))
 def remove_directory_from_additional_directories(
     all_settings: dict[str, object], directory_path: str
 ) -> int:
@@ -118,17 +139,23 @@ def remove_directory_from_additional_directories(
     return remove_values_from_list(existing_directories, {directory_path})
-def remove_auto_mode_environment_entry(
-    all_settings: dict[str, object], entry_text: str
+def remove_trust_entries_for_project(
+    all_settings: dict[str, object], project_path: str, prefix: str
 ) -> int:
-    """Remove an auto-mode environment entry for the project.
+    """Remove every trust entry for the project from autoMode.environment.
+    Matches any string in autoMode.environment whose prefix matches the
+    trust-entry marker and that contains the project's .claude/** path.
+    The match is wording-agnostic so prior template revisions are removed
+    cleanly even when the current template differs.
     Args:
         all_settings: The parsed settings dictionary.
-        entry_text: The environment entry text to remove.
+        project_path: The POSIX-style project root path.
+        prefix: The literal prefix that marks a trust entry.
     Returns:
-        1 when the entry was removed, 0 when not found.
+        Number of entries removed.
     """
     auto_mode_section = all_settings.get(SETTINGS_AUTO_MODE_KEY)
     if not isinstance(auto_mode_section, dict):
@@ -136,7 +163,12 @@ def remove_auto_mode_environment_entry(
     existing_environment = auto_mode_section.get(SETTINGS_ENVIRONMENT_KEY)
     if not isinstance(existing_environment, list):
         return 0
-    return remove_values_from_list(existing_environment, {entry_text})
+    return remove_matching_entries_from_list(
+        existing_environment,
+        lambda candidate_entry: is_trust_entry_for_project(
+            candidate_entry, project_path, prefix
+        ),
+    )
 def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
@@ -148,6 +180,9 @@ def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
     prune_empty_list_then_empty_section(
         all_settings, SETTINGS_PERMISSIONS_KEY, SETTINGS_ALLOW_KEY
     )
+    prune_empty_list_then_empty_section(
+        all_settings, SETTINGS_PERMISSIONS_KEY, SETTINGS_DENY_KEY
+    )
     prune_empty_list_then_empty_section(
         all_settings, SETTINGS_PERMISSIONS_KEY, SETTINGS_ADDITIONAL_DIRECTORIES_KEY
     )
@@ -159,9 +194,10 @@ def prune_settings_after_revoke(all_settings: dict[str, object]) -> None:
 def revoke_permissions_for_current_directory() -> None:
     """Revoke Edit/Write/Read permissions for the current project directory.
-    Reads the current project path, constructs permission rules from config
-    constants, removes them from ~/.claude/settings.json, and prunes any
-    newly empty sections.
+    Reads the current project path, constructs the matching allow and deny
+    permission rules, removes them from ~/.claude/settings.json, removes
+    every trust entry for the project from autoMode.environment, and prunes
+    any newly empty sections.
     Raises:
         SystemExit(1): When the current directory is not a valid project root.
@@ -181,19 +217,25 @@ def revoke_permissions_for_current_directory() -> None:
         raise SystemExit(1)
     project_path = get_current_project_path()
     permission_rules = build_permission_rules(project_path, ALL_PERMISSION_ALLOW_TOOLS)
-    environment_entry = AUTO_MODE_ENVIRONMENT_ENTRY_TEMPLATE.format(
-        project_path=project_path
+    all_agent_config_deny_rules = build_agent_config_deny_rules(
+        project_path,
+        ALL_AGENT_CONFIG_DENY_TOOLS,
+        ALL_AGENT_CONFIG_PATH_PATTERNS,
     )
     settings = load_settings(claude_user_settings_path)
-    rules_removed_count = remove_rules_from_allow_list(settings, permission_rules)
+    allow_rules_removed_count = remove_rules_from_allow_list(settings, permission_rules)
+    deny_rules_removed_count = remove_rules_from_deny_list(
+        settings, all_agent_config_deny_rules
+    )
     directories_removed_count = remove_directory_from_additional_directories(
         settings, project_path
     )
-    environment_entries_removed_count = remove_auto_mode_environment_entry(
-        settings, environment_entry
+    environment_entries_removed_count = remove_trust_entries_for_project(
+        settings, project_path, AUTO_MODE_ENVIRONMENT_ENTRY_PREFIX
     )
     total_changes_count = (
-        rules_removed_count
+        allow_rules_removed_count
+        + deny_rules_removed_count
         + directories_removed_count
         + environment_entries_removed_count
     )
@@ -206,7 +248,11 @@ def revoke_permissions_for_current_directory() -> None:
     save_settings(claude_user_settings_path, settings)
     print(f"Project path: {project_path}")
     print(f"Settings file: {claude_user_settings_path}")
-    print(f"Allow rules removed: {rules_removed_count} of {len(permission_rules)}")
+    print(f"Allow rules removed: {allow_rules_removed_count} of {len(permission_rules)}")
+    print(
+        f"Deny rules removed: {deny_rules_removed_count} of "
+        f"{len(all_agent_config_deny_rules)}"
+    )
     print(f"Additional directories removed: {directories_removed_count}")
     print(
         f"Auto-mode environment entries removed: {environment_entries_removed_count}"

package/skills/bugteam/scripts/{test__claude_permissions_common.py → test__bugteam_permissions_common.py} RENAMED Viewed

@@ -1,10 +1,10 @@
-"""TDD-pair tests for the underscore-prefixed _claude_permissions_common module.
+"""TDD-pair tests for the underscore-prefixed _bugteam_permissions_common module.
 The TDD enforcer matches a production filename ``X.py`` to ``test_X.py``;
-``_claude_permissions_common.py`` carries a leading underscore that the
+``_bugteam_permissions_common.py`` carries a leading underscore that the
 enforcer treats as part of the name. This file's tests are the canonical
 match. The broader behavioral suite continues to live alongside, in
-``test_claude_permissions_common.py``.
+``test_bugteam_permissions_common.py``.
 """
 from __future__ import annotations
@@ -18,7 +18,7 @@ _script_directory = str(Path(__file__).resolve().parent)
 if _script_directory not in sys.path:
     sys.path.insert(0, _script_directory)
-import _claude_permissions_common as common_module
+import _bugteam_permissions_common as common_module
 import grant_project_claude_permissions as grant_module
 import revoke_project_claude_permissions as revoke_module