Claude Settings Audit
Analyze this repository and generate recommended Claude Code
permissions for read-only commands.
Phase 1: Detect Tech Stack
Run these commands to detect the repository structure:
bash
ls -la
find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50
Check for these indicator files:
| Category | Files to Check |
|---|
| Python | , , , , , |
| Node.js | , , , |
| Go | , |
| Rust | , |
| Ruby | , |
| Java | , , |
| Build | , , |
| Infra | files, , |
| Monorepo | , , , |
Phase 2: Detect Services
Check for service integrations:
| Service | Detection |
|---|
| Sentry | in deps, packages, , |
| Linear | Linear config files, directory |
Read dependency files to identify frameworks:
- → check and
- → check or
[tool.poetry.dependencies]
- → check gem names
- → check
Phase 3: Check Existing Settings
bash
cat .claude/settings.json 2>/dev/null || echo "No existing settings"
Phase 4: Generate Recommendations
Build the allow list by combining:
Baseline Commands (Always Include)
json
[
"Bash(ls:*)",
"Bash(pwd:*)",
"Bash(find:*)",
"Bash(file:*)",
"Bash(stat:*)",
"Bash(wc:*)",
"Bash(head:*)",
"Bash(tail:*)",
"Bash(cat:*)",
"Bash(tree:*)",
"Bash(git status:*)",
"Bash(git log:*)",
"Bash(git diff:*)",
"Bash(git show:*)",
"Bash(git branch:*)",
"Bash(git remote:*)",
"Bash(git tag:*)",
"Bash(git stash list:*)",
"Bash(git rev-parse:*)",
"Bash(gh pr view:*)",
"Bash(gh pr list:*)",
"Bash(gh pr checks:*)",
"Bash(gh pr diff:*)",
"Bash(gh issue view:*)",
"Bash(gh issue list:*)",
"Bash(gh run view:*)",
"Bash(gh run list:*)",
"Bash(gh run logs:*)",
"Bash(gh repo view:*)",
"Bash(gh api:*)"
]
Stack-Specific Commands
Only include commands for tools actually detected in the project.
Python (if any Python files or config detected)
| If Detected | Add These Commands |
|---|
| Any Python | , |
| , |
| , |
| |
| (no other lock) | , , |
Node.js (if package.json detected)
| If Detected | Add These Commands |
|---|
| Any Node.js | |
| , |
| , , |
| , , |
| TypeScript () | |
Other Languages
| If Detected | Add These Commands |
|---|
| , , , |
| , , , |
| , , |
| , , |
| , , |
Build Tools
| If Detected | Add These Commands |
|---|
| , , |
| , |
| files | , , |
| , |
Skills (for Sentry Projects)
If this is a Sentry project (or sentry-skills plugin is installed), include:
json
[
"Skill(sentry-skills:commit)",
"Skill(sentry-skills:create-pr)",
"Skill(sentry-skills:code-review)",
"Skill(sentry-skills:find-bugs)",
"Skill(sentry-skills:iterate-pr)",
"Skill(sentry-skills:claude-settings-audit)",
"Skill(sentry-skills:agents-md)",
"Skill(sentry-skills:brand-guidelines)",
"Skill(sentry-skills:doc-coauthoring)",
"Skill(sentry-skills:security-review)",
"Skill(sentry-skills:django-perf-review)",
"Skill(sentry-skills:code-simplifier)"
]
WebFetch Domains
Always Include (Sentry Projects)
json
[
"WebFetch(domain:docs.sentry.io)",
"WebFetch(domain:develop.sentry.dev)",
"WebFetch(domain:docs.github.com)",
"WebFetch(domain:cli.github.com)"
]
Framework-Specific
| If Detected | Add Domains |
|---|
| Django | |
| Flask | flask.palletsprojects.com
|
| FastAPI | |
| React | |
| Next.js | |
| Vue | |
| Express | |
| Rails | , |
| Go | |
| Rust | , |
| Docker | |
| Kubernetes | |
| Terraform | |
MCP Server Suggestions
MCP servers are configured in
(not
). Check for existing config:
bash
cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"
Sentry MCP (if Sentry SDK detected)
Add to
(replace
and
with your Sentry organization and project slugs):
json
{
"mcpServers": {
"sentry": {
"type": "http",
"url": "https://mcp.sentry.dev/mcp/{org-slug}/{project-slug}"
}
}
}
Linear MCP (if Linear usage detected)
json
{
"mcpServers": {
"linear": {
"command": "npx",
"args": ["-y", "@linear/mcp-server"],
"env": {
"LINEAR_API_KEY": "${LINEAR_API_KEY}"
}
}
}
}
Note: Never suggest GitHub MCP. Always use
CLI commands for GitHub.
Output Format
Present your findings as:
- Summary Table - What was detected
- Recommended settings.json - Complete JSON ready to copy
- MCP Suggestions - If applicable
- Merge Instructions - If existing settings found
Example output structure:
markdown
## Detected Tech Stack
| --------------- | -------------- |
| Languages | Python 3.x |
| Package Manager | poetry |
| Frameworks | Django, Celery |
| Services | Sentry |
| Build Tools | Docker, Make |
## Recommended .claude/settings.json
\`\`\`json
{
"permissions": {
"allow": [
// ... grouped by category with comments
],
"deny": []
}
}
\`\`\`
## Recommended .mcp.json (if applicable)
If you use Sentry or Linear, add the MCP config to `.mcp.json`...
Important Rules
What to Include
- Only READ-ONLY commands that cannot modify state
- Only tools that are actually used by the project (detected via lock files)
- Standard system commands (ls, cat, find, etc.)
- The suffix allows any arguments to the base command
What to NEVER Include
- Absolute paths - Never include user-specific paths like or
- Custom scripts - Never include project scripts that may have side effects (e.g., )
- Alternative package managers - If the project uses pnpm, do NOT include npm/yarn commands
- Commands that modify state - No install, build, run, write, or delete commands
Package Manager Rules
Only include the package manager actually used by the project:
| If Detected | Include | Do NOT Include |
|---|
| pnpm commands | npm, yarn |
| yarn commands | npm, pnpm |
| npm commands | yarn, pnpm |
| poetry commands | pip (unless also has requirements.txt) |
| uv commands | pip, poetry |
| pipenv commands | pip, poetry |
If multiple lock files exist, include only the commands for each detected manager.