84d14da611
Session testing revealed 3 issues with remote queries: 1. CLAUDE.md template recommended `cat <<HEREDOC | ssh ...` but claude_settings.json had `cat` in deny list, causing 2-3 failed attempts per query. Replaced with file-based approach: Write tool creates JSON file, then `ssh ... < file` avoids the cat deny. 2. ssh/scp commands were not in the allow list, requiring manual approval for every remote query. Added both to allow list. 3. DuckDB fetch_arrow_table() emitted DeprecationWarning on every parquet export. Replaced with .arrow().read_all(). Also added instruction for proactive hybrid analysis when remote tables are available (agent was only using local data until asked).
135 lines
3.6 KiB
JSON
135 lines
3.6 KiB
JSON
{
|
|
"hooks": {
|
|
"SessionEnd": [
|
|
{
|
|
"hooks": [
|
|
{
|
|
"type": "command",
|
|
"command": "python server/scripts/collect_session.py 2>/dev/null || true"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
},
|
|
"permissions": {
|
|
"allow": [
|
|
"Bash(git rebase:*)",
|
|
"Bash(git add:*)",
|
|
"Bash(git checkout:*)",
|
|
"Bash(git branch:*)",
|
|
"Bash(git cherry-pick:*)",
|
|
"Bash(git log:*)",
|
|
"Bash(git show:*)",
|
|
"Bash(git commit:*)",
|
|
"Bash(git fetch:*)",
|
|
"Bash(git diff:*)",
|
|
"Bash(git status:*)",
|
|
"Bash(git remote:*)",
|
|
"Bash(git tag:*)",
|
|
"Bash(find:*)",
|
|
"Bash(ls:*)",
|
|
"Bash(tree:*)",
|
|
"Bash(head:*)",
|
|
"Bash(tail:*)",
|
|
"Bash(wc:*)",
|
|
"Bash(which:*)",
|
|
"Bash(where:*)",
|
|
"Bash(pwd:*)",
|
|
"Bash(whoami:*)",
|
|
"Bash(echo:*)",
|
|
"Bash(file:*)",
|
|
"Bash(stat:*)",
|
|
"Bash(bash server/scripts/*)",
|
|
"Bash(python server/scripts/*)",
|
|
"Bash(ssh:*)",
|
|
"Bash(scp:*)",
|
|
"WebFetch(domain:github.com)",
|
|
"WebSearch"
|
|
],
|
|
"deny": [
|
|
"Read(**/.env)",
|
|
"Read(**/.env.*)",
|
|
"Read(**/credentials*)",
|
|
"Read(**/*credentials*)",
|
|
"Read(**/.credentials*)",
|
|
"Read(**/secrets*)",
|
|
"Read(**/*secrets*)",
|
|
"Read(**/.secrets*)",
|
|
"Read(**/*.pem)",
|
|
"Read(**/*.key)",
|
|
"Read(**/*.p12)",
|
|
"Read(**/*.pfx)",
|
|
"Read(**/*.keystore)",
|
|
"Read(**/*id_rsa*)",
|
|
"Read(**/*id_dsa*)",
|
|
"Read(**/*id_ecdsa*)",
|
|
"Read(**/*id_ed25519*)",
|
|
"Read(**/.ssh/*)",
|
|
"Read(**/.aws/credentials)",
|
|
"Read(**/.aws/config)",
|
|
"Read(**/.kube/config)",
|
|
"Read(**/.docker/config.json)",
|
|
"Read(**/.npmrc)",
|
|
"Read(**/.pypirc)",
|
|
"Read(**/.netrc)",
|
|
"Read(**/.git-credentials)",
|
|
"Read(**/master.key)",
|
|
"Read(**/config/master.key)",
|
|
"Read(**/*.crt)",
|
|
"Read(**/*.cer)",
|
|
"Read(**/*.jks)",
|
|
"Read(**/password*)",
|
|
"Read(**/*password*)",
|
|
"Read(**/token*)",
|
|
"Read(**/*token*)",
|
|
"Read(**/apikey*)",
|
|
"Read(**/*apikey*)",
|
|
"Read(**/.htpasswd)",
|
|
"Write(**/.env)",
|
|
"Write(**/.env.*)",
|
|
"Write(**/credentials*)",
|
|
"Write(**/*credentials*)",
|
|
"Write(**/secrets*)",
|
|
"Write(**/*secrets*)",
|
|
"Write(**/*.pem)",
|
|
"Write(**/*.key)",
|
|
"Write(**/.ssh/*)",
|
|
"Edit(**/.env)",
|
|
"Edit(**/.env.*)",
|
|
"Edit(**/credentials*)",
|
|
"Edit(**/*credentials*)",
|
|
"Edit(**/secrets*)",
|
|
"Edit(**/*secrets*)",
|
|
"Edit(**/*.pem)",
|
|
"Edit(**/*.key)",
|
|
"Edit(**/.ssh/*)",
|
|
"Bash(cat:*)",
|
|
"Write(server/**)",
|
|
"Edit(server/**)"
|
|
],
|
|
"ask": [
|
|
"Bash(rm:*)",
|
|
"Bash(git reset:--hard:*)",
|
|
"Bash(git clean:*)",
|
|
"Bash(git push:--force:*)",
|
|
"Bash(git push:-f:*)",
|
|
"Bash(npm install:*)",
|
|
"Bash(yarn add:*)",
|
|
"Bash(pip install:*)",
|
|
"Bash(composer install:*)",
|
|
"Bash(docker:*)",
|
|
"Bash(kubectl:*)",
|
|
"Bash(grep:*)",
|
|
"Bash(env:*)",
|
|
"Write(**/package.json)",
|
|
"Edit(**/package.json)",
|
|
"Write(**/composer.json)",
|
|
"Edit(**/composer.json)",
|
|
"Write(**/package-lock.json)",
|
|
"Write(**/composer.lock)",
|
|
"Write(**/yarn.lock)",
|
|
"Write(**/.gitignore)",
|
|
"Edit(**/.gitignore)"
|
|
]
|
|
}
|
|
}
|