Prune .claude/settings.local.json: drop accumulated one-off allows #2

Closed
opened 2026-05-26 05:04:18 +00:00 by coilysiren · 1 comment
Owner

Symptom

.claude/settings.local.json has 56 allow entries accumulated from one-off "Always allow" clicks. Many are mod.io curl invocations with the literal API key embedded, ilspycmd invocations against specific Eco assembly types, multi-line python -c blobs for json walking, and find+sed pipelines for one-shot bulk edits in eco-mods/Mods/UserCode.

Why now

The PreToolUse hook (.claude/lockdown-deny.shcoily hook pre-tool-use) does authoritative enforcement on every Bash call. The Claude Code permissions.allow list is UX-only - it suppresses the "Allow this?" modal but does not grant capability beyond what the hook permits. Local allowlist can be aggressively pruned without changing what commands actually succeed.

Plan

Rewrite .claude/settings.local.json keeping only repeating-pattern allows:

  • git add/commit:*
  • gh search/api:*
  • dotnet build/list/package:*
  • WebSearch, WebFetch(domain:docs.mod.io), WebFetch(domain:github.com)
  • python3 -m json.tool

Drop ~47 entries: ilspycmd-on-specific-type one-shots, mod.io curl with embedded API key (use coily ops modio instead), find+sed bulk-edit pipelines, multi-line python -c blobs, unzip-this-specific-file one-shots. Most readonly git/ls/find/wc/file/tree entries are also redundant - those live in the canonical lockdown template's allow list already.

Out of scope

  • Per-repo settings.json deny block prune (53 identical entries duplicating coily lockdown). Separate sweep, needs coily template change.
  • Generic git add/commit/push + gh search/api recurring across every coilysiren repo's local file should promote to the canonical lockdown template instead of being re-listed per repo. Separate issue.
  • Migrate mod.io curl flow to coily ops modio so the embedded API key stops landing in allowlists. Separate issue.
## Symptom `.claude/settings.local.json` has 56 allow entries accumulated from one-off "Always allow" clicks. Many are mod.io curl invocations with the literal API key embedded, ilspycmd invocations against specific Eco assembly types, multi-line python -c blobs for json walking, and find+sed pipelines for one-shot bulk edits in `eco-mods/Mods/UserCode`. ## Why now The PreToolUse hook (`.claude/lockdown-deny.sh` → `coily hook pre-tool-use`) does authoritative enforcement on every Bash call. The Claude Code `permissions.allow` list is UX-only - it suppresses the "Allow this?" modal but does not grant capability beyond what the hook permits. Local allowlist can be aggressively pruned without changing what commands actually succeed. ## Plan Rewrite `.claude/settings.local.json` keeping only repeating-pattern allows: - `git add/commit:*` - `gh search/api:*` - `dotnet build/list/package:*` - `WebSearch`, `WebFetch(domain:docs.mod.io)`, `WebFetch(domain:github.com)` - `python3 -m json.tool` Drop ~47 entries: ilspycmd-on-specific-type one-shots, mod.io curl with embedded API key (use `coily ops modio` instead), find+sed bulk-edit pipelines, multi-line python -c blobs, unzip-this-specific-file one-shots. Most readonly git/ls/find/wc/file/tree entries are also redundant - those live in the canonical lockdown template's allow list already. ## Out of scope - Per-repo `settings.json` `deny` block prune (53 identical entries duplicating coily lockdown). Separate sweep, needs coily template change. - Generic `git add/commit/push` + `gh search/api` recurring across every coilysiren repo's local file should promote to the canonical lockdown template instead of being re-listed per repo. Separate issue. - Migrate mod.io curl flow to `coily ops modio` so the embedded API key stops landing in allowlists. Separate issue.
Author
Owner

Done. Rewrote .claude/settings.local.json from 56 entries to 11 (git add/commit, gh search/api, dotnet build/list/package, python3 -m json.tool, WebSearch, WebFetch docs.mod.io + github.com). Dropped 45 hyperspecific one-shots: ilspycmd-on-specific-type, mod.io curl with embedded API key, find+sed bulk pipelines, multi-line python -c blobs. File is gitignored, closing manually.

Done. Rewrote .claude/settings.local.json from 56 entries to 11 (git add/commit, gh search/api, dotnet build/list/package, python3 -m json.tool, WebSearch, WebFetch docs.mod.io + github.com). Dropped 45 hyperspecific one-shots: ilspycmd-on-specific-type, mod.io curl with embedded API key, find+sed bulk pipelines, multi-line python -c blobs. File is gitignored, closing manually.
Commenting is not possible because the repository is archived.
No description provided.