canonical lockdown allow-list for git is narrower than what 8/30 repos actually use #125

Closed
opened 2026-05-28 01:11:46 +00:00 by coilysiren · 1 comment
Owner

Symptom

Canonical .claude/settings.json from coily lockdown splits git into per-subcommand allows (git blame:*, git branch:*, git diff:*, git log:*, git ls-files:*, git remote:*, git rev-parse:*, git show:*, git status:*, git config --get:*). 8 of ~30 catalog repos have a .claude/settings.local.json whose entire purpose is adding a single Bash(git:*) allow to widen this — eco-mods, infrastructure, galaxy-gen, luca, backend, eco-mods-public, gauntlet, website.

The locals are session residue from past prompts that hit a git verb outside the allowed list (probably git stash, git checkout, git rebase, git fetch, etc.). The pattern is so common it should either be in canonical or there should be a clear story about which verbs route through coily git ... instead.

Options

  1. Widen canonical to Bash(git:*) and rely on the destructive-git denies (git clean -fd:*, git push --force:*, git push -f:*, git reset --hard:*) for safety. Simplest, removes the 8 stub locals.
  2. Add the common safe verbs (git stash:*, git checkout:*, git fetch:*, git pull:*, git rebase:*, git merge:*, git switch:*, git restore:*, git add:*, git commit:*) to canonical. More surgical but more list-maintenance.
  3. Document that broader git access goes via coily git ... and provide that route.

Context

Surfaced during a sweep to renormalize per-repo settings.json after drift (parent settings.local.json had 20+ ad-hoc allows from past sessions). The per-repo Bash(git:*) stubs were the only remaining denormalization after re-stamping with coily lockdown --apply --replace --recursive.
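To make the trade-off between options 1 and 2 concrete, here is an added model (not code from coily or Claude Code) of how the allow/deny rules above resolve a command. It assumes the semantics the rule syntax suggests: `Bash(<prefix>:*)` is a prefix match on the whitespace-normalized command, a rule without `:*` is an exact match, and a deny match wins over any allow. The sample commands are constructed; the rule lists are copied from the issue text.

```python
"""Model of how Bash(...) permission rules resolve a git command.

Assumed semantics (not verified against the real permission engine):
  - "Tool(prefix:*)" matches any command whose normalized text starts
    with prefix; "Tool(exact)" matches only that exact command.
  - A command matched by any deny rule is denied, regardless of allows.
  - A command matched by neither list falls through to "ask".
"""
import re

# Rule lists copied from the issue.
CANONICAL_ALLOW = [
    "Bash(git blame:*)", "Bash(git branch:*)", "Bash(git diff:*)",
    "Bash(git log:*)", "Bash(git ls-files:*)", "Bash(git remote:*)",
    "Bash(git rev-parse:*)", "Bash(git show:*)", "Bash(git status:*)",
    "Bash(git config --get:*)",
]
DESTRUCTIVE_DENY = [
    "Bash(git clean -fd:*)", "Bash(git push --force:*)",
    "Bash(git push -f:*)", "Bash(git reset --hard:*)",
]
OPTION1_ALLOW = ["Bash(git:*)"]                  # widen to the catch-all
OPTION2_ALLOW = CANONICAL_ALLOW + [              # add the common safe verbs
    "Bash(git stash:*)", "Bash(git checkout:*)", "Bash(git fetch:*)",
    "Bash(git pull:*)", "Bash(git rebase:*)", "Bash(git merge:*)",
    "Bash(git switch:*)", "Bash(git restore:*)", "Bash(git add:*)",
    "Bash(git commit:*)",
]

_RULE = re.compile(r"^(\w+)\((.*)\)$")


def normalize(command: str) -> str:
    """Collapse runs of whitespace so spacing differences cannot dodge a rule."""
    return " ".join(command.split())


def parse_rule(rule: str):
    """Return (tool, pattern, is_prefix) for a rule like 'Bash(git diff:*)'."""
    m = _RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unparseable rule: {rule!r}")
    tool, body = m.groups()
    if body.endswith(":*"):
        return tool, normalize(body[:-2]), True
    return tool, normalize(body), False


def rule_matches(rule: str, command: str, tool: str = "Bash") -> bool:
    rtool, pattern, is_prefix = parse_rule(rule)
    if rtool != tool:
        return False
    cmd = normalize(command)
    return cmd.startswith(pattern) if is_prefix else cmd == pattern


def evaluate(command: str, allow: list, deny: list) -> str:
    """Resolve a command to 'deny', 'allow' or 'ask' (deny takes precedence)."""
    if any(rule_matches(r, command) for r in deny):
        return "deny"
    if any(rule_matches(r, command) for r in allow):
        return "allow"
    return "ask"


def compare(commands: list, allow_sets: dict, deny: list) -> dict:
    """Outcome of each command under each candidate allow-list."""
    return {
        cmd: {name: evaluate(cmd, allow, deny) for name, allow in allow_sets.items()}
        for cmd in commands
    }


# Constructed sample commands: the verbs the issue says the stub locals were
# papering over, plus the destructive ones the deny list is meant to catch.
SAMPLE_COMMANDS = [
    "git status",
    "git stash",
    "git checkout -b feature",
    "git rebase -i HEAD~3",
    "git reset --hard HEAD~1",
    "git push --force origin main",
    "git push origin main --force",   # same intent, flag after the refspec
]

if __name__ == "__main__":
    sets = {"canonical": CANONICAL_ALLOW, "option1": OPTION1_ALLOW,
            "option2": OPTION2_ALLOW}
    for cmd, outcome in compare(SAMPLE_COMMANDS, sets, DESTRUCTIVE_DENY).items():
        print(f"{cmd:34} {outcome}")
```

Running it shows why the two options are not equivalent from a safety standpoint: both stop `git stash` from tripping the prompt, but under option 1 a prefix deny such as `git push --force:*` only fires when the flag sits immediately after `push`, so the last sample command is allowed by the catch-all, whereas under option 2 it still falls through to "ask" because `git push` was never added to the list. If the catch-all is adopted, the deny patterns need to be written with that prefix-only behaviour in mind.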

Author
Owner

Merged into #115 in the 2026-05-29 backlog burn-down. Same lockdown git catch-all / dropped denylist issue. Reopen if it should stand alone.
