From 6aef98bddf39ca91b9bd8ee9e22e376cd0e3d36e Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Tue, 24 Feb 2026 14:53:10 +1100 Subject: [PATCH 1/2] Add Claude Code deny rules for agent safety Deny destructive and production-impacting commands: gem publishing, tag creation (triggers CI publish), force push, remote branch deletion, hard reset, and the interactive release task. Plain `git push` stays allowed for PR workflows. --- Generated with the help of Claude Code, https://claude.ai/code Co-Authored-By: Claude Code Opus 4.6 --- .claude/settings.json | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .claude/settings.json diff --git a/.claude/settings.json b/.claude/settings.json new file mode 100644 index 000000000..d47b76a2c --- /dev/null +++ b/.claude/settings.json @@ -0,0 +1,23 @@ +{ + "permissions": { + "deny": [ + "Bash(gem push*)", + "Bash(gem signin*)", + "Bash(git tag*)", + "Bash(git push --tags*)", + "Bash(git push origin --tags*)", + "Bash(git push -f*)", + "Bash(git push --force*)", + "Bash(git push origin -f*)", + "Bash(git push origin --force*)", + "Bash(git push origin --delete*)", + "Bash(git push origin :*)", + "Bash(git reset --hard*)", + "Bash(git clean*)", + "Bash(git checkout -- .)", + "Bash(git restore .)", + "Bash(rake new_release*)", + "Bash(bundle exec rake new_release*)" + ] + } +} From 91d4e4594ccf1a6edb419c43a6054a076bc1ed40 Mon Sep 17 00:00:00 2001 From: Gio Lodi Date: Wed, 25 Feb 2026 13:59:40 +1100 Subject: [PATCH 2/2] Allow `git tag list` --- .claude/settings.json | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.claude/settings.json b/.claude/settings.json index d47b76a2c..e720d9cb8 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -1,5 +1,8 @@ { "permissions": { + "allow": [ + "Bash(git tag list)" + ], "deny": [ "Bash(gem push*)", "Bash(gem signin*)",