llm: remove redundant repo-root Claude permission deny list#155
Merged
Conversation
Removes the permissions.deny list from the repo-root .claude/settings.json. The identical block in plugins/bitwarden-code-review/.claude/settings.json — the copy that ships with the plugin — is kept. The repo-root copy (added in #14 alongside the plugin copy, out of stated uncertainty about which layer enforces) only applies to interactive sessions whose CWD is this repo. The code-review agent runs in product repos, so this copy never constrained the agent; its actual hardening comes from the agent tools: allowlist and the plugin-level deny list, both unchanged. The repo-root copy's only effect was maintainer friction (e.g. gh pr edit), and it had drifted from the plugin copy refined in #22. A backstop for interactive sessions belongs at user-level or enterprise-managed settings, applied uniformly — not checked into one repo.
🤖 Bitwarden Claude Code ReviewOverall Assessment: APPROVE This PR removes the Code Review DetailsNo blocking findings. Notes considered and intentionally not flagged:
|
theMickster
approved these changes
Jun 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
No Jira ticket. This removes the repo-root duplicate of the
permissions.denyblock added in #14; see that PR for the original intent. cc @theMickster as the author of the original change.📔 Objective
Removes the
permissions.denylist from the repo-root.claude/settings.json. The identical block inplugins/bitwarden-code-review/.claude/settings.json— the copy that ships with the plugin — is kept.Why this is safe. #14 added the deny list in two places out of stated uncertainty about which layer enforces. The repo-root copy only applies to interactive Claude Code sessions whose working directory is this repo (plugin maintainers) — the code-review agent runs in product repos, so the repo-root copy never constrained the agent. The agent's actual hardening is unchanged:
tools:allowlist (read-onlygh pr view/diff/checks,git, MCP comment tools — nogh pr merge/destructive verbs), andThe repo-root copy's only real effect was friction on maintainers doing legitimate
ghwork in this repo (e.g.gh pr edit). It had also drifted from the plugin copy (#22 refined the plugin list to-X/--methodforms; the repo-root list still carried the oldergh api:*DELETE:*/graphql-mutation patterns), which is the tell of an unmaintained orphan.Where this control belongs instead. A backstop for interactive sessions against destructive
ghis a user-level (~/.claude/settings.json) or enterprise-managed concern, applied uniformly — not checked into one repo when our other repos don't have it.Follow-up (out of scope). The agent allowlist permits
Bash(gh api graphql -f query=:*), which could carry a GraphQL mutation; the remaining plugin deny list only blocks REST verbs. Worth tightening the plugin settings or the agent's tool pattern in a separate change. This removal does not create that gap — the repo-root copy never applied where the agent runs.Validation.
pnpm run lintpasses.