feat(claude): 更新Claude安全权限配置

mudssky · mudssky · commit 45e08596e997 · 2026-05-14T10:01:06.000+08:00
将权限设置从允许所有操作改为默认拒绝敏感操作，并添加安全检查机制。
具体包括：禁止读取环境变量和密钥文件、限制危险bash命令执行、对高风险操作
进行询问确认，提升AI编码助手的安全性。
diff --git a/ai/coding/claude/.claude/settings.json b/ai/coding/claude/.claude/settings.json
@@ -18,29 +18,23 @@
   },
   "includeCoAuthoredBy": false,
   "permissions": {
-    "allow": [
-      "Bash",
-      "Edit",
-      "Glob",
-      "Grep",
-      "KillShell",
-      "NotebookEdit",
-      "Read",
-      "TodoWrite",
-      "WebFetch",
-      "WebSearch",
-      "Write",
-      "mcp__ide",
-      "mcp__exa",
-      "mcp__context7",
-      "mcp__mcp-deepwiki",
-      "mcp__Playwright",
-      "mcp__spec-workflow",
-      "mcp__open-websearch",
-      "mcp__serena"
+    "deny": [
+      "Read(.env)",
+      "Read(.env.*)",
+      "Read(**/secrets/**)",
+      "Read(~/.ssh/**)",
+      "Read(~/.aws/**)",
+      "Read(~/.gnupg/**)",
+      "Bash(sudo:*)",
+      "Bash(curl:*|*sh*)",
+      "Bash(wget:*|*sh*)"
     ],
-    "deny": [],
-    "defaultMode": "bypassPermissions"
+    "ask": [
+      "Bash(git:push*)",
+      "Bash(rm:-rf*)",
+      "Bash(git:reset:--hard*)",
+      "WebFetch"
+    ]
   },
   "hooks": {},
   "statusLine": {
diff --git a/ai/coding/claude/config/settings.json b/ai/coding/claude/config/settings.json
@@ -10,29 +10,23 @@
   },
   "includeCoAuthoredBy": false,
   "permissions": {
-    "allow": [
-      "Bash",
-      "Edit",
-      "Glob",
-      "Grep",
-      "KillShell",
-      "NotebookEdit",
-      "Read",
-      "TodoWrite",
-      "WebFetch",
-      "WebSearch",
-      "Write",
-      "mcp__ide",
-      "mcp__exa",
-      "mcp__context7",
-      "mcp__mcp-deepwiki",
-      "mcp__Playwright",
-      "mcp__spec-workflow",
-      "mcp__open-websearch",
-      "mcp__serena"
+    "deny": [
+      "Read(.env)",
+      "Read(.env.*)",
+      "Read(**/secrets/**)",
+      "Read(~/.ssh/**)",
+      "Read(~/.aws/**)",
+      "Read(~/.gnupg/**)",
+      "Bash(sudo:*)",
+      "Bash(curl:*|*sh*)",
+      "Bash(wget:*|*sh*)"
     ],
-    "deny": [],
-    "defaultMode": "acceptEdits"
+    "ask": [
+      "Bash(git:push*)",
+      "Bash(rm:-rf*)",
+      "Bash(git:reset:--hard*)",
+      "WebFetch"
+    ]
   },
   "model": "opus[1m]",
   "hooks": {},
@@ -50,4 +44,4 @@
   "outputStyle": "engineer-professional",
   "language": "chinese",
   "plansDirectory": ".claude/plans"
-}
+}
