From 4731c606fc22d87d9b445bbbc0ed82346ebaf1b6 Mon Sep 17 00:00:00 2001
From: Kato Hiroki
Date: Mon, 30 Mar 2026 10:07:49 +0000
Subject: [PATCH 1/2] chore: add sandbox and permission restrictions to Claude Code settings
Co-Authored-By: Claude Sonnet 4.6
---
 .claude/settings.json | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/.claude/settings.json b/.claude/settings.json
index de4225dd6..d5eb3ff22 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -1,4 +1,26 @@
 {
+ "sandbox": {
+ "enabled": true,
+ "allowUnsandboxedCommands": false,
+ "filesystem": {
+ "denyRead": ["~/.ssh"]
+ }
+ },
+ "permissions": {
+ "deny": [
+ "Bash(rm -rf *)",
+ "Bash(curl *)",
+ "Bash(wget *)",
+ "Bash(git push *)",
+ "Bash(chmod 777 *)",
+ "Read(./.env)",
+ "Read(./.env.*)",
+ "Read(./secrets/**)",
+ "Read(./config/credentials.json)",
+ "Read(**/*.pem)",
+ "Read(**/*.key)"
+ ]
+ },
 "enabledPlugins": {
 "superpowers@superpowers-dev": true
 },
From c5532e7dcada434589116a61ba0e895a876c99fe Mon Sep 17 00:00:00 2001
From: Kato Hiroki
Date: Mon, 30 Mar 2026 11:12:40 +0000
Subject: [PATCH 2/2] chore: fix glob patterns for Read permission deny rules
Co-Authored-By: Claude Sonnet 4.6
---
 .claude/settings.json | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.claude/settings.json b/.claude/settings.json
index d5eb3ff22..bc49141de 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -13,10 +13,10 @@
 "Bash(wget *)",
 "Bash(git push *)",
 "Bash(chmod 777 *)",
- "Read(./.env)",
- "Read(./.env.*)",
- "Read(./secrets/**)",
- "Read(./config/credentials.json)",
+ "Read(**/.env)",
+ "Read(**/.env.*)",
+ "Read(**/secrets/**)",
+ "Read(**/config/credentials.json)",
 "Read(**/*.pem)",
 "Read(**/*.key)"
 ]
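Review bot: `denyRead` in the new `sandbox.filesystem` block lists only `~/.ssh`, so other credential stores under the home directory stay readable to sandboxed commands. Consider widening it, for example `"denyRead": ["~/.ssh", "~/.aws", "~/.gnupg", "~/.netrc"]`, adjusted to what actually exists on developer machines. The `Bash(curl *)`, `Bash(wget *)` and `Bash(rm -rf *)` entries match the command text, so an equivalent command spelled differently is not covered. Treat them as guard rails and rely on the sandbox's own network and filesystem limits for the real boundary. The top-level object continues past this hunk.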
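Review bot: The widened `Read(**/.env)`, `Read(**/.env.*)`, `Read(**/secrets/**)` and `Read(**/config/credentials.json)` rules are written for the Read tool, and the patch does not show whether a sandboxed Bash command is held to the same paths. The `sandbox.filesystem.denyRead` list from the first patch, which lies outside this hunk, still names only `~/.ssh`. Please verify on the deployed version that a shell read of a dummy `.env` in a subdirectory is refused. If it is not, mirror these paths in `denyRead`, provided that key accepts them. The commit message says the globs are fixed but not what was wrong with the `./` forms; one sentence on that would help the next person who edits this list.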