{
"permissions": {
"allow": [
"Bash(git status*)", "Bash(git diff*)", "Bash(git log*)", "Bash(git pull*)",
"Bash(git grep*)", "Bash(grep *)", "Bash(ls *)", "Bash(cat scripts/*)",
"Bash(cat runbooks/*)", "Bash(cat docs/*)", "Bash(jq *)",
"Bash(juju status*)", "Bash(juju models*)", "Bash(juju machines*)",
"Bash(juju spaces*)", "Bash(juju show-*)", "Bash(juju info *)",
"Bash(maas admin * read*)",
"Bash(openstack * list*)", "Bash(openstack * show*)",
"Bash(bash scripts/repo-lint.sh*)",
"Bash(bash scripts/run-tests-all.sh*)",
"Bash(bash scripts/cloud-assert.sh)",
"Bash(bash scripts/preflight.sh*)",
"Bash(python3 scripts/repo_lint.py*)",
"Bash(python3 scripts/provider-bundle-check.py*)",
"Bash(bash tests/*)"
],
"ask": [
"Bash(juju destroy-model *)", "Bash(juju remove-machine *)",
"Bash(juju remove-application *)", "Bash(juju remove-unit *)",
"Bash(juju run *)", "Bash(juju ssh *)", "Bash(juju exec *)",
"Bash(juju config * *=*)", "Bash(juju attach-resource *)",
"Bash(juju deploy *)", "Bash(juju add-model *)",
"Bash(maas admin machine delete *)", "Bash(maas admin * update*)",
"Bash(maas admin * create*)", "Bash(maas admin * release*)",
"Bash(openstack * create*)", "Bash(openstack * delete*)",
"Bash(openstack * set*)", "Bash(openstack * unset*)",
"Bash(* --apply*)",
"Bash(git commit*)", "Bash(git push*)",
"Bash(sudo *)", "Bash(virsh *)", "Bash(rm *)"
],
"deny": [
"Bash(vault operator init*)", "Bash(vault operator rekey*)",
"Bash(vault operator generate-root*)",
"Bash(juju destroy-controller *)",
"Bash(maas list*)",
"Bash(git push --force*)", "Bash(git push -f*)",
"Read(~/vault-init/**)", "Read(~/as-executed/**)",
"Read(~/tenant-*/**)", "Read(**/*-cred.txt)", "Read(**/*appcred*)",
"Edit(~/vault-init/**)"
]
},
"hooks": {
"PreToolUse": [
{
"matcher": "Bash",
"hooks": [
{ "type": "command", "command": "python3 \"$CLAUDE_PROJECT_DIR\"/.claude/hooks/guard-destructive.py" }
]
}
]
}
}