security: per-campaign permission policy template (.claude/settings.json) #135

@sriumcp

TL;DR

Replace --dangerously-skip-permissions with a fine-grained per-campaign permission policy. Allow only what experiment_plan.yaml actually needs; deny writes outside the worktree by default.

Why this matters

cli_dispatch.py:222 uses --dangerously-skip-permissions, which auto-approves every tool call including ones the user might want to gate (writes outside the worktree, network calls). Claude Code has finer-grained mechanisms — dontAsk lists, deny rules, allowOnly paths — that we should be using.

This is also the foundation for #8 (PreToolUse plan enforcer).

What's already shipped

  • The --dangerously-skip-permissions invocation (the thing this replaces).

Proposed approach

  1. Generate a per-campaign .claude/settings.json template at campaign init:
    • allowOnly for the worktree path.
    • Allowlist of expected binaries (go build, ./blis run, python, etc.).
    • Deny network access except to localhost / configured proxies.
    • PreToolUse hook from #8 (Phase 2: Agent prompts + review protocol) attached.
  2. Drop --dangerously-skip-permissions from the default invocation; pass --settings <campaign>/.claude/settings.json instead.
  3. Document a nous-permissions.json library of templates per common target (Go binary, Python pipeline, Node service).

Acceptance criteria

  • No campaign in examples/ runs with --dangerously-skip-permissions after this lands.
  • An attempt to write outside the worktree is denied (and surfaces in retry_log.jsonl as a structured failure).
  • The template story is documented in docs/security.md.

Out of scope

  • Changing the existing --dangerously-skip-permissions flag — keep it for emergency use behind an explicit opt-in.

Part of #120.
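
A sketch of the second acceptance criterion (a write outside the worktree is denied and logged as a structured failure), added here as an example and not taken from the project's code. The function names, the record fields and the demo paths are assumptions; the check assumes a POSIX filesystem.

```python
import json
import os
import tempfile
from pathlib import Path


def is_inside_worktree(worktree: str, target: str) -> bool:
    """True only if target, after resolving symlinks and '..', stays under worktree."""
    root = Path(worktree).resolve()
    # Relative targets are interpreted against the worktree, not the process cwd.
    candidate = (root / target).resolve()
    # Compare path components, not string prefixes: /w/camp must not match /w/camp-old.
    return candidate == root or root in candidate.parents


def check_write(worktree: str, target: str, log_path: str) -> bool:
    """Deny writes outside the worktree and append a structured failure record."""
    if is_inside_worktree(worktree, target):
        return True
    record = {  # field names are assumptions, not the project's retry_log schema
        "kind": "permission_denied",
        "tool": "Write",
        "target": target,
        "worktree": str(Path(worktree).resolve()),
        "reason": "path resolves outside worktree",
    }
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return False


def demo() -> dict:
    """Run the check over constructed paths in a throwaway directory."""
    base = Path(tempfile.mkdtemp())
    worktree = base / "camp"
    sibling = base / "camp-old"  # shares a string prefix with the worktree
    worktree.mkdir()
    sibling.mkdir()
    os.symlink(sibling, worktree / "link")  # symlink that escapes the worktree
    log = base / "retry_log.jsonl"
    cases = ["results/out.json", "../camp-old/x", "link/x", str(sibling / "x"), "/etc/hosts"]
    verdicts = {c: check_write(str(worktree), c, str(log)) for c in cases}
    denied = [json.loads(line) for line in log.read_text().splitlines()]
    return {"verdicts": verdicts, "denied": denied}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check resolves the path at decision time, so it belongs as close to the actual write as possible; a path that is re-pointed between check and write is not covered by it.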
