Skip to content

llm: remove redundant repo-root Claude permission deny list#155

Merged
withinfocus merged 1 commit into
mainfrom
remove-repo-root-permission-denials
Jun 29, 2026
Merged

llm: remove redundant repo-root Claude permission deny list#155
withinfocus merged 1 commit into
mainfrom
remove-repo-root-permission-denials

Conversation

@withinfocus

Copy link
Copy Markdown
Contributor

🎟️ Tracking

No Jira ticket. This removes the repo-root duplicate of the permissions.deny block added in #14; see that PR for the original intent. cc @theMickster as the author of the original change.

📔 Objective

Removes the permissions.deny list from the repo-root .claude/settings.json. The identical block in plugins/bitwarden-code-review/.claude/settings.json — the copy that ships with the plugin — is kept.

Why this is safe. #14 added the deny list in two places out of stated uncertainty about which layer enforces. The repo-root copy only applies to interactive Claude Code sessions whose working directory is this repo (plugin maintainers) — the code-review agent runs in product repos, so the repo-root copy never constrained the agent. The agent's actual hardening is unchanged:

  • its tools: allowlist (read-only gh pr view/diff/checks, git, MCP comment tools — no gh pr merge/destructive verbs), and
  • the plugin-level deny list, which travels with the plugin to every repo.

The repo-root copy's only real effect was friction on maintainers doing legitimate gh work in this repo (e.g. gh pr edit). It had also drifted from the plugin copy (#22 refined the plugin list to -X/--method forms; the repo-root list still carried the older gh api:*DELETE:*/graphql-mutation patterns), which is the tell of an unmaintained orphan.

Where this control belongs instead. A backstop for interactive sessions against destructive gh is a user-level (~/.claude/settings.json) or enterprise-managed concern, applied uniformly — not checked into one repo when our other repos don't have it.

Follow-up (out of scope). The agent allowlist permits Bash(gh api graphql -f query=:*), which could carry a GraphQL mutation; the remaining plugin deny list only blocks REST verbs. Worth tightening the plugin settings or the agent's tool pattern in a separate change. This removal does not create that gap — the repo-root copy never applied where the agent runs.

Validation. pnpm run lint passes.

Removes the permissions.deny list from the repo-root .claude/settings.json.
The identical block in plugins/bitwarden-code-review/.claude/settings.json —
the copy that ships with the plugin — is kept.

The repo-root copy (added in #14 alongside the plugin copy, out of stated
uncertainty about which layer enforces) only applies to interactive sessions
whose CWD is this repo. The code-review agent runs in product repos, so this
copy never constrained the agent; its actual hardening comes from the agent
tools: allowlist and the plugin-level deny list, both unchanged. The repo-root
copy's only effect was maintainer friction (e.g. gh pr edit), and it had drifted
from the plugin copy refined in #22.

A backstop for interactive sessions belongs at user-level or enterprise-managed
settings, applied uniformly — not checked into one repo.
@withinfocus withinfocus added the ai-review Request a Claude code review label Jun 29, 2026
@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown

🤖 Bitwarden Claude Code Review

Overall Assessment: APPROVE

This PR removes the permissions.deny block from the repo-root .claude/settings.json, leaving only the attribution config. The identical block that ships with the plugin (plugins/bitwarden-code-review/.claude/settings.json) is kept intact. I verified the plugin-level deny list is unchanged and that the code-review agent's tools: allowlist contains no destructive gh verbs, so the agent's hardening is unaffected by this removal. The resulting JSON is valid.

Code Review Details

No blocking findings.

Notes considered and intentionally not flagged:

  • The removed deny block only constrained interactive Claude Code sessions whose working directory is this repo; it never applied to the code-review agent running in product repos. The agent boundary (read-only tool allowlist plus the unchanged plugin-level deny list) is preserved.
  • The agent allowlist still permits Bash(gh api graphql -f query=:*), which could carry a GraphQL mutation. This is pre-existing, not introduced by this PR, and the author has explicitly documented it as an out-of-scope follow-up.
  • No plugin version bump or changelog entry is required: this change touches only the repo-root .claude/settings.json, not any file under plugins/.

@withinfocus withinfocus marked this pull request as ready for review June 29, 2026 19:01
@withinfocus withinfocus requested a review from a team as a code owner June 29, 2026 19:01
@withinfocus withinfocus requested a review from theMickster June 29, 2026 20:22
@withinfocus withinfocus merged commit f0360c8 into main Jun 29, 2026
15 of 19 checks passed
@withinfocus withinfocus deleted the remove-repo-root-permission-denials branch June 29, 2026 20:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ai-review Request a Claude code review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants