# Claude Code Permissions Audit

**Date:** 2026-03-18

**Purpose:** Document current state before migrating to permission-manager plugin

## Current Approach

Flat allow/deny lists in `~/.claude/settings.json` with ~100+ individual entries. No cmd-gate hook patterns. Bash is fully open.

---

## Allow-list: Tool Permissions

### Fully open (wildcard)

| Permission | Notes |
|---|---|
| `Bash` | No restrictions on any Bash command |
| `Read(*)` | All files |
| `Glob(*)`, `Grep(*)`, `LS(*)` | All search/list |
| `WebFetch(domain:*)` | All web domains |
| `WebSearch` | Unrestricted |
| `TodoWrite(*)`, `Task(*)` | All task operations |
| `Skill(*)`, `SlashCommand(*)` | All skills |
| `NotebookRead(*)`, `NotebookEdit(*)` | All notebooks |
| `MultiEdit(*)`, `ExitPlanMode(*)` | Unrestricted |

### MCP servers (full access)

| Permission | Server |
|---|---|
| `mcp__n8n-mcp__*` | n8n workflow automation |
| `mcp__gitea-mcp__*` | Gitea git hosting |
| `mcp__tui-driver__*` | TUI automation |
| `mcp__cognitive-memory__*` | Cognitive memory (DECOMMISSIONED) |
| `mcp__memorygraph__*` | Memory graph (DECOMMISSIONED) |

### MCP servers (specific tools)

| Permission | Notes |
|---|---|
| `mcp__notion__API-retrieve-a-page` | Read-only Notion |
| `mcp__notion__API-get-block-children` | Read-only Notion |
| `mcp__notion__API-post-database-query` | Read-only Notion |
| `mcp__notediscovery__get_notes_by_tag` | Note discovery |
| `mcp__docker-mcp-gateway__mcp-find` | Docker MCP gateway |
| `mcp__docker-mcp-gateway__mcp-config-set` | Docker MCP gateway |
| `mcp__docker-mcp-gateway__mcp-add` | Docker MCP gateway |
| `mcp__docker-mcp-gateway__mcp-exec` | Docker MCP gateway |

### Specific Bash commands

These were added before `Bash` was opened fully — now redundant:

- `Bash(git add:*)`
- `Bash(sudo systemctl status:*)`, `Bash(sudo journalctl:*)`
- `Bash(ping:*)`, `Bash(mkdir:*)`
- `Bash(podman exec tdarr-node-gpu ls:*)`, `Bash(podman exec tdarr-node-gpu tail:*)`
- `Bash(podman exec tdarr-node-gpu-unmapped ls:*)`, `Bash(podman exec tdarr-node-gpu-unmapped find:*)`
- `Bash(ssh tdarr "docker inspect":*)`
- `Bash(podman logs:*)`, `Bash(sudo podman logs:*)`, `Bash(sudo podman ps:*)`

### Specific WebFetch domains

All redundant given `WebFetch(domain:*)` wildcard:

- github.com, docs.tdarr.io, superuser.com, docs.podman.io
- platform.openai.com, docs.n8n.io, help.ko-fi.com, n8n.io
- custom-system-builder.gitlab.io, foundryvtt.com, 10.10.0.174
- docs.openclaw.ai, pve.proxmox.com, git.manticorum.com
- developers.cloudflare.com, uptime-kuma-api.readthedocs.io
- www.enworld.org, 2minutetabletop.com, www.forgotten-adventures.net
- www.doodlesanddragons.com, www.drivethrurpg.com, forums.rptools.net
- www.fantasygrounds.com, gmkeros.wordpress.com, inkwellideas.com
- itch.io, opengameart.org, store.paizo.com
- forum.gitea.com, docs.gitea.com, gitea.com, about.gitea.com
- docs.anthropic.com, raw.githubusercontent.com, ra-h.app, ollama.com
- community.teamspeak.com, docs.docker.com, forums.docker.com

### Specific Skills

- `Skill(youtube-transcriber)`, `Skill(proxmox)`, `Skill(mcp-manager)`, `Skill(notediscovery)`
- All redundant given `Skill(*)`

### Specific Read paths

- `Read(//home/cal/.claude/**)` — redundant given `Read(*)`
- `Read(//home/cal/.local/share/Steam/userdata/32759396/1144200/**)` — Ready or Not save data

---

## Deny-list

### Destructive disk operations (macOS — NOT APPLICABLE on Linux)

- `diskutil partitionDisk`, `eraseDisk`, `eraseVolume`, `reformat`, `zeroDisk`
- `diskutil appleRAID`, `randomDisk`, `coreStorage`, `cs`
- `diskutil disableJournal`, `resetFusion`, `disableOwnership`
- `diskutil apfs deleteContainer`, `eraseVolume`, `decryptVolume`
- `diskutil apfs changePassphrase`, `deleteVolume`, `deleteVolumeGroup`, `deleteSnapshot`

### Destructive Linux operations (KEEP)

- `rm -rf /`, `rm -rf /*`, `rm -rf ~`, `rm -rf $HOME`
- `rm -rf $PAI_HOME`, `rm -rf $PAI_DIR`
- `sudo rm -rf /`, `sudo rm -rf /*`
- `fork bomb`
- `dd if=/dev/zero of=/dev/sda`
- `mkfs.ext4 /dev/sda`

---

## Hooks

| Event | Matcher | Script | Status |
|---|---|---|---|
| PostToolUse | `Edit\|Write\|MultiEdit` | `~/.claude/hooks/format-code.sh` | Active |
| SubagentStop | (all) | `~/.claude/hooks/notify-subagent-done.sh` | Active |
| SessionEnd | (all) | `/mnt/NV2/Development/cognitive-memory/scripts/session_memory.py` | **REMOVE** (decommissioned) |

---

## Plugins

| Plugin | Source | Status |
|---|---|---|
| `permission-manager@agent-toolkit` | St0nefish/agent-toolkit | Installed, cmd-gate has no custom patterns |
| `session@agent-toolkit` | St0nefish/agent-toolkit | Installed |
| `format-on-save@agent-toolkit` | St0nefish/agent-toolkit | Installed (overlaps PostToolUse hook) |
| `playground@claude-plugins-official` | Official | Active |
| `claude-code-setup@claude-plugins-official` | Official | Active |
| `frontend-design@claude-plugins-official` | Official | Active |
| `rust-analyzer-lsp@claude-plugins-official` | Official | Active |
| `pyright-lsp@claude-plugins-official` | Official | Active |

---

## Additional Directories

- `/home/cal/.config/steamtinkerlaunch/`
- `/mnt/NV2/SteamLibrary/`

---

## Migration Recommendations

### Cleanup (do first)

1. Remove all `diskutil` deny entries — not on macOS
2. Remove all specific `Bash(...)` entries — redundant with `Bash` wildcard
3. Remove all specific `WebFetch(domain:...)` entries — redundant with `domain:*`
4. Remove all specific `Skill(...)` entries — redundant with `Skill(*)`
5. Remove specific `Read(...)` entries — redundant with `Read(*)`
6. Remove `mcp__cognitive-memory__*` and all individual cognitive-memory entries
7. Remove `mcp__memorygraph__*`
8. Remove `mcp__notediscovery__get_notes_by_tag` and `Skill(notediscovery)`
9. Remove `mcp__docker-mcp-gateway__*` if not actively used
10. Remove `SessionEnd` cognitive-memory hook

### Migration to cmd-gate (do second)

1. Remove `Bash` wildcard from allow-list
2. Define cmd-gate custom patterns for common safe operations
3. Replace `WebFetch(domain:*)` with explicit domain groups
4. Test workflow to ensure nothing breaks

### Hook deduplication

- `format-on-save@agent-toolkit` may overlap with existing `PostToolUse(Edit|Write|MultiEdit)` → `format-code.sh` hook — pick one
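The Cleanup steps above are a set of mechanical rules (a specific entry is redundant when a wildcard for the same tool already admits it; `diskutil` deny entries are macOS-only; decommissioned MCP prefixes can go), so they can be checked by a script instead of by hand before editing `settings.json`. The following is an added example, not part of the audit or of any plugin: it assumes the `permissions.allow` / `permissions.deny` string-list layout of Claude Code's settings file and the documented `Tool(prefix:*)` prefix-match semantics, and the sample settings it runs over are constructed to mirror the shapes in the audit, not the real file. It goes slightly beyond the audit by treating `Bash(git:*)` as covering `Bash(git add:*)`, i.e. any prefix wildcard, not only the bare `Bash` and `Tool(*)` forms.

```python
"""Flag redundant, decommissioned and non-applicable Claude Code permission entries.

Assumed settings layout: {"permissions": {"allow": [...], "deny": [...]}} with
entries such as "Bash(git add:*)" or "WebFetch(domain:github.com)".
"""
import json
import re

# Constructed sample in the shape of the audited file (not the real settings.json).
SAMPLE_SETTINGS = json.dumps({
    "permissions": {
        "allow": [
            "Bash",
            "Bash(git add:*)",
            "Bash(sudo journalctl:*)",
            "Read(*)",
            "Read(//home/cal/.claude/**)",
            "WebFetch(domain:*)",
            "WebFetch(domain:github.com)",
            "Skill(*)",
            "Skill(proxmox)",
            "Skill(notediscovery)",
            "mcp__cognitive-memory__*",
            "mcp__notion__API-retrieve-a-page",
            "Edit(src/**)",            # no Edit wildcard present, so this one stays
        ],
        "deny": [
            "Bash(diskutil eraseDisk:*)",   # macOS-only tool, irrelevant on Linux
            "Bash(rm -rf /:*)",
        ],
    }
})

# Prefixes the audit marks as decommissioned; the tool name is the whole entry for MCP wildcards.
DECOMMISSIONED_PREFIXES = ("mcp__cognitive-memory__", "mcp__memorygraph__")
MACOS_ONLY_COMMANDS = ("diskutil",)

_ENTRY_RE = re.compile(r"^(?P<tool>[^(]+?)(?:\((?P<spec>.*)\))?$")


def parse_entry(entry):
    """Split 'Tool(spec)' into (tool, spec); a bare 'Tool' yields spec None."""
    m = _ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unparseable permission entry: {entry!r}")
    return m.group("tool"), m.group("spec")


def covers(covering_spec, spec):
    """True if an allow entry with covering_spec already admits spec (same tool).

    Rules: bare tool admits everything; Tool(*) admits every parenthesised spec;
    Tool(prefix:*) admits specs that equal the prefix or extend it at a word boundary
    ('git' covers 'git add:*' but not 'gitea:*'; 'domain' covers 'domain:github.com').
    """
    if spec == covering_spec:
        return False                 # an entry never makes itself redundant
    if covering_spec is None:
        return True
    if spec is None:
        return False                 # nothing narrower covers the bare tool form
    if covering_spec == "*":
        return True
    if covering_spec.endswith(":*"):
        prefix = covering_spec[:-2]
        if spec == prefix:
            return True
        return spec.startswith(prefix) and not spec[len(prefix)].isalnum()
    return False


def audit(settings_text, platform="linux"):
    """Return the entries the cleanup rules would remove, grouped by reason."""
    perms = json.loads(settings_text).get("permissions", {})
    allow, deny = perms.get("allow", []), perms.get("deny", [])
    parsed = [(e, *parse_entry(e)) for e in allow]

    redundant = []                   # (entry, wildcard entry that already covers it)
    for entry, tool, spec in parsed:
        for other, o_tool, o_spec in parsed:
            if other != entry and o_tool == tool and covers(o_spec, spec):
                redundant.append((entry, other))
                break

    decommissioned = [e for e in allow if e.startswith(DECOMMISSIONED_PREFIXES)]

    not_applicable = []              # deny rules for tools that do not exist on this platform
    if platform != "darwin":
        for entry in deny:
            tool, spec = parse_entry(entry)
            words = spec.split() if spec else []
            if tool == "Bash" and words and words[0] in MACOS_ONLY_COMMANDS:
                not_applicable.append(entry)

    return {"redundant": redundant, "decommissioned": decommissioned,
            "not_applicable": not_applicable}


def prune(settings_text, platform="linux"):
    """Return a copy of the settings with every flagged entry removed, order preserved."""
    report = audit(settings_text, platform)
    drop_allow = {e for e, _ in report["redundant"]} | set(report["decommissioned"])
    drop_deny = set(report["not_applicable"])
    settings = json.loads(settings_text)
    perms = settings.setdefault("permissions", {})
    perms["allow"] = [e for e in perms.get("allow", []) if e not in drop_allow]
    perms["deny"] = [e for e in perms.get("deny", []) if e not in drop_deny]
    return settings


if __name__ == "__main__":
    for reason, items in audit(SAMPLE_SETTINGS).items():
        print(reason, *items, sep="\n  ")
    print(json.dumps(prune(SAMPLE_SETTINGS), indent=2))
```

Run it against the real file with `audit(open(os.path.expanduser("~/.claude/settings.json")).read())` and review the report before writing anything back; `prune` only drops entries the report lists, so an entry with no covering wildcard (like `Edit(src/**)` in the sample) is left alone. Note that once the `Bash` wildcard is removed in the cmd-gate migration, the specific `Bash(...)` entries stop being redundant, which is why the audit orders cleanup before migration.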