以下为本文档的中文说明

该技能用于分析代码仓库并生成推荐的Claude Code settings.json权限配置。主要功能是自动检测技术栈、构建工具和单体仓库结构,然后推断出安全的只读命令白名单。使用场景包括:为新项目设置Claude Code权限;审计现有设置的安全性;确定哪些只读bash命令应该被允许访问。工作流程分为两个阶段:第一阶段是检测技术栈——运行一系列命令检测仓库结构,查找package.json、Cargo.toml、go.mod等指示文件,识别项目使用的编程语言、框架和构建工具;第二阶段是根据检测结果生成权限建议——为检测到的每种工具和操作生成对应的允许或拒绝规则。该技能还会检查现有的settings.json文件,对比当前配置与推荐配置的差异,提供具体的改进建议。其核心价值在于基于证据而非猜测来构建安全的权限模型,在保障开发效率的同时最小化安全风险。

Claude Settings Audit

Analyze this repository and generate recommended Claude Code settings.json permissions for read-only commands.

When to Use

  • You are setting up or auditing Claude Code settings.json permissions for a repository.
  • You need to infer a safe read-only allow list from the repo’s tech stack, tooling, and monorepo structure.
  • You want to review or replace an existing Claude permissions baseline with something evidence-based.

Phase 1: Detect Tech Stack

Run these commands to detect the repository structure:

ls -la
find . -maxdepth 2 \\( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \\) 2>/dev/null | head -50

Check for these indicator files:

Category Files to Check
Python pyproject.toml, setup.py, requirements.txt, Pipfile, poetry.lock, uv.lock
Node.js package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Go go.mod, go.sum
Rust Cargo.toml, Cargo.lock
Ruby Gemfile, Gemfile.lock
Java pom.xml, build.gradle, build.gradle.kts
Build Makefile, Dockerfile, docker-compose.yml
Infra *.tf files, kubernetes/, helm/
Monorepo lerna.json, nx.json, turbo.json, pnpm-workspace.yaml

Phase 2: Detect Services

Check for service integrations:

Service Detection
Sentry sentry-sdk in deps, @sentry/* packages, .sentryclirc, sentry.properties
Linear Linear config files, .linear/ directory

Read dependency files to identify frameworks:

  • package.json → check dependencies and devDependencies
  • pyproject.toml → check [project.dependencies] or [tool.poetry.dependencies]
  • Gemfile → check gem names
  • Cargo.toml → check [dependencies]

Phase 3: Check Existing Settings

cat .claude/settings.json 2>/dev/null || echo "No existing settings"

Phase 4: Generate Recommendations

Build the allow list by combining:

Baseline Commands (Always Include)

[
  "Bash(ls:*)",
  "Bash(pwd:*)",
  "Bash(find:*)",
  "Bash(file:*)",
  "Bash(stat:*)",
  "Bash(wc:*)",
  "Bash(head:*)",
  "Bash(tail:*)",
  "Bash(cat:*)",
  "Bash(tree:*)",
  "Bash(git status:*)",
  "Bash(git log:*)",
  "Bash(git diff:*)",
  "Bash(git show:*)",
  "Bash(git branch:*)",
  "Bash(git remote:*)",
  "Bash(git tag:*)",
  "Bash(git stash list:*)",
  "Bash(git rev-parse:*)",
  "Bash(gh pr view:*)",
  "Bash(gh pr list:*)",
  "Bash(gh pr checks:*)",
  "Bash(gh pr diff:*)",
  "Bash(gh issue view:*)",
  "Bash(gh issue list:*)",
  "Bash(gh run view:*)",
  "Bash(gh run list:*)",
  "Bash(gh run logs:*)",
  "Bash(gh repo view:*)",
  "Bash(gh api:*)"
]

Stack-Specific Commands

Only include commands for tools actually detected in the project.

Python (if any Python files or config detected)
If Detected Add These Commands
Any Python python --version, python3 --version
poetry.lock poetry show, poetry env info
uv.lock `uv
pip list, uv tree`
Pipfile.lock pipenv graph
requirements.txt (no other lock) pip list, pip show, pip freeze
Node.js (if package.json detected)
If Detected Add These Commands
Any Node.js node --version
pnpm-lock.yaml pnpm list, pnpm why
yarn.lock yarn list, yarn info, yarn why
package-lock.json npm list, npm view, npm outdated
TypeScript (tsconfig.json) tsc --version
Other Languages
If Detected Add These Commands
go.mod go version, go list, go mod graph, go env
Cargo.toml rustc --version, cargo --version, cargo tree, cargo metadata
Gemfile ruby --version, bundle list, bundle show
pom.xml java --version, mvn --version, mvn dependency:tree
build.gradle java --version, gradle --version, gradle dependencies
Build Tools
If Detected Add These Commands
Dockerfile docker --version, docker ps, docker images
docker-compose.yml docker-compose ps, docker-compose config
*.tf files terraform --version, terraform providers, terraform state list
Makefile make --version, make -n

Skills (for Sentry Projects)

If this is a Sentry project (or sentry-skills plugin is installed), include:

[
  "Skill(sentry-skills:agents-md)",
  "Skill(sentry-skills:blog-writing-guide)",
  "Skill(sentry-skills:brand-guidelines)",
  "Skill(sentry-skills:claude-settings-audit)",
  "Skill(sentry-skills:code-review)",
  "Skill(sentry-skills:code-simplifier)",
  "Skill(sentry-skills:commit)",
  "Skill(sentry-skills:create-branch)",
  "Skill(sentry-skills:create-pr)",
  "Skill(sentry-skills:django-access-review)",
  "Skill(sentry-skills:django-perf-review)",
  "Skill(sentry-skills:doc-coauthoring)",
  "Skill(sentry-skills:find-bugs)",
  "Skill(sentry-skills:gh-review-requests)",
  "Skill(sentry-skills:gha-security-review)",
  "Skill(sentry-skills:iterate-pr)",
  "Skill(sentry-skills:pr-writer)",
  "Skill(sentry-skills:security-review)",
  "Skill(sentry-skills:skill-creator)",
  "Skill(sentry-skills:skill-scanner)",
  "Skill(sentry-skills:skill-writer)",
  "Skill(sentry-skills:sred-project-organizer)",
  "Skill(sentry-skills:sred-work-summary)"
]

WebFetch Domains

Always Include (Sentry Projects)
[
  "WebFetch(domain:docs.sentry.io)",
  "WebFetch(domain:develop.sentry.dev)",
  "WebFetch(domain:docs.github.com)",
  "WebFetch(domain:cli.github.com)"
]
Framework-Specific
If Detected Add Domains
Django docs.djangoproject.com
Flask flask.palletsprojects.com
FastAPI fastapi.tiangolo.com
React react.dev
Next.js nextjs.org
Vue vuejs.org
Express expressjs.com
Rails guides.rubyonrails.org, api.rubyonrails.org
Go pkg.go.dev
Rust docs.rs, doc.rust-lang.org
Docker docs.docker.com
Kubernetes kubernetes.io
Terraform registry.terraform.io

MCP Server Suggestions

MCP servers are configured in .mcp.json (not settings.json). Check for existing config:

cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"
Sentry MCP (if Sentry SDK detected)

Add to .mcp.json (replace {org-slug} and {project-slug} with your Sentry organization and project slugs):

{
  "mcpServers": {
    "sentry": {
      "type": "http",
      "url": "https://mcp.sentry.dev/mcp/{org-slug}/{project-slug}"
    }
  }
}
Linear MCP (if Linear usage detected)

Add to .mcp.json:

{
  "mcpServers": {
    "linear": {
      "command": "npx",
      "args": ["-y", "@linear/mcp-server"],
      "env": {
        "LINEAR_API_KEY": "${LINEAR_API_KEY}"
      }
    }
  }
}

Note: Never suggest GitHub MCP. Always use gh CLI commands for GitHub.

Output Format

Present your findings as:

  1. Summary Table - What was detected
  2. Recommended settings.json - Complete JSON ready to copy
  3. MCP Suggestions - If applicable
  4. Merge Instructions - If existing settings found

Example output structure:

## Detected Tech Stack

| Category        | Found          |
| --------------- | -------------- |
| Languages       | Python 3.x     |
| Package Manager | poetry         |
| Frameworks      | Django, Celery |
| Services        | Sentry         |
| Build Tools     | Docker, Make   |

## Recommended .claude/settings.json

\\`\\`\\`json
{
"permissions": {
"allow": [
// ... grouped by category with comments
],
"deny": []
}
}
\\`\\`\\`

## Recommended .mcp.json (if applicable)

If you use Sentry or Linear, add the MCP config to `.mcp.json`...

Important Rules

What to Include

  • Only READ-ONLY commands that cannot modify state
  • Only tools that are actually used by the project (detected via lock files)
  • Standard system commands (ls, cat, find, etc.)
  • The :* suffix allows any arguments to the base command

What to NEVER Include

  • Absolute paths - Never include user-specific paths like /home/user/scripts/foo or /Users/name/bin/bar
  • Custom scripts - Never include project scripts that may have side effects (e.g., ./scripts/deploy.sh)
  • Alternative package managers - If the project uses pnpm, do NOT include npm/yarn commands
  • Commands that modify state - No install, build, run, write, or delete commands

Package Manager Rules

Only include the package manager actually used by the project:

If Detected Include Do NOT Include
pnpm-lock.yaml pnpm commands npm, yarn
yarn.lock yarn commands npm, pnpm
package-lock.json npm commands yarn, pnpm
poetry.lock poetry commands pip (unless also has requirements.txt)
uv.lock uv commands pip, poetry
Pipfile.lock pipenv commands pip, poetry

If multiple lock files exist, include only the commands for each detected manager.

Limitations

  • Use this skill only when the task clearly matches the scope described above.
  • Do not treat the output as a substitute for environment-specific validation, testing, or expert review.
  • Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.
# windows
Logo
https://edu.csdn.net/learn/39067/627173?utm_source=2019755004

汇聚全球AI编程工具,助力开发者即刻编程。

更多推荐

cover

# Codex CLI 配置笔记:自定义 Base URL、API Key 和默认模型

avatar AI编程社区
cover

AI推荐榜单变了,你的品牌还在原来的位置吗?——2026年GEO监测工具实战指南

avatar AI编程社区

大模型核心概念梳理

这篇文章系统性地解析了大模型应用开发中的核心概念体系。文章从模型底座(如GPT、Claude等预训练模型)作为无状态推理引擎出发,逐步拆解了上下文(工作记忆)、Harness(运行框架)、Loop(多步迭代)、ToolUse(工具调用)、MCP(标准化工具协议)、Agent(自主执行体)和Skill(领域专长)等关键组件的功能边界与协作关系。重点阐明了"模型本身无状态"的本质特

avatar AI编程社区