From 5c649a58a0813efd4852a75e46996b7b1dbf72ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Sat, 4 Apr 2026 15:44:58 -0700
Subject: [PATCH] feat(home): expand claude-code read permissions for nix store and systemd
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Allow Read(/nix/store/*) for inspecting derivations and build outputs
- Replace narrow systemctl entries with full read-only coverage (cat, is-active, is-enabled, is-failed, list-jobs, list-sockets, list-timers, list-unit-files, list-units, show, status)
- Fix journalctl permission syntax (colon → space)

Co-Authored-By: Claude Sonnet 4.6
---
 modules/home/development.nix | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/modules/home/development.nix b/modules/home/development.nix
index ee14b85..18fad8f 100644
--- a/modules/home/development.nix
+++ b/modules/home/development.nix
@@ -42,6 +42,8 @@ in {
 autoMemoryEnabled = false;
 permissions = {
 allow = [
+ # Nix store (read-only access for inspecting derivations and build outputs)
+ "Read(/nix/store/*)"
 # File exploration
 "Bash(cat *)"
 "Bash(cut *)"
@@ -155,10 +157,19 @@ in {
 "Bash(gt restack*)"
 "Bash(gt sync*)"
 # System
- "Bash(journalctl:*)"
+ "Bash(journalctl *)"
 "Bash(mkdir *)"
- "Bash(systemctl list-jobs:*)"
- "Bash(systemctl status:*)"
+ "Bash(systemctl cat *)"
+ "Bash(systemctl is-active *)"
+ "Bash(systemctl is-enabled *)"
+ "Bash(systemctl is-failed *)"
+ "Bash(systemctl list-jobs*)"
+ "Bash(systemctl list-sockets*)"
+ "Bash(systemctl list-timers*)"
+ "Bash(systemctl list-unit-files*)"
+ "Bash(systemctl list-units*)"
+ "Bash(systemctl show *)"
+ "Bash(systemctl status *)"
 "WebFetch(domain:raw.githubusercontent.com)"
 "WebFetch(domain:github.com)"
 "WebSearch"
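Review bot: The new `"Read(/nix/store/*)"` entry in the first hunk may not grant what its comment describes. If Claude Code's Read patterns follow the gitignore-style matching its documentation describes, a single `*` does not cross `/`, so the rule covers the store entries themselves but not the files inside an output directory (a derivation's `bin/` or `lib/`), which is what "inspecting build outputs" needs — `"Read(/nix/store/**)"` would be the recursive form. I also recall a leading `/` in those rules being interpreted relative to the settings file rather than the filesystem root (absolute paths written as `//nix/store/**`); worth confirming against the installed version before relying on the rule. Either way the exposure does not actually widen, since the pre-existing `"Bash(cat *)"` entry visible in the same hunk already lets the agent read any path through cat; the `allow` list itself continues past the hunk.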
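Review bot: `"Bash(journalctl *)"` in the second hunk is broader than the "read-only coverage" the commit describes: unlike the systemctl entries, which are enumerated per read-only verb, it is a blanket prefix that also covers journalctl's maintenance flags (`--vacuum-size`/`--vacuum-time`/`--vacuum-files`, `--rotate`, `--flush`), which modify or delete journal data wherever the invoking user has write access to it. Either narrow the rule to the invocations actually used (for example `"Bash(journalctl -u *)"`, `"Bash(journalctl -b*)"`, `"Bash(journalctl --since *)"`) or keep the blanket rule and add matching `deny` entries so the list's intent matches its `# System` comment. Whether a deny rule catches the flag when it is not the first argument depends on how the installed version matches patterns, so verify with a combined invocation such as `journalctl -u foo --vacuum-time=1d` after the change. The `list-*` entries are written without a space before `*` while the rest have one; a short comment such as `# no space before * so the bare, argument-less form also matches` would save the next reader a guess. The `allow` list closes outside the hunk.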