{
  "permissions": {
    "allow": [
      "Bash(git status*)", "Bash(git diff*)", "Bash(git log*)", "Bash(git pull*)",
      "Bash(git grep*)", "Bash(grep *)", "Bash(ls *)", "Bash(cat scripts/*)",
      "Bash(cat runbooks/*)", "Bash(cat docs/*)", "Bash(jq *)",
      "Bash(juju status*)", "Bash(juju models*)", "Bash(juju machines*)",
      "Bash(juju spaces*)", "Bash(juju show-*)", "Bash(juju info *)",
      "Bash(maas admin * read*)",
      "Bash(openstack * list*)", "Bash(openstack * show*)",
      "Bash(bash scripts/repo-lint.sh*)",
      "Bash(bash scripts/run-tests-all.sh*)",
      "Bash(bash scripts/cloud-assert.sh)",
      "Bash(bash scripts/preflight.sh*)",
      "Bash(python3 scripts/repo_lint.py*)",
      "Bash(python3 scripts/provider-bundle-check.py*)",
      "Bash(bash tests/*)"
    ],
    "ask": [
      "Bash(juju destroy-model *)", "Bash(juju remove-machine *)",
      "Bash(juju remove-application *)", "Bash(juju remove-unit *)",
      "Bash(juju run *)", "Bash(juju ssh *)", "Bash(juju exec *)",
      "Bash(juju config * *=*)", "Bash(juju attach-resource *)",
      "Bash(juju deploy *)", "Bash(juju add-model *)",
      "Bash(maas admin machine delete *)", "Bash(maas admin * update*)",
      "Bash(maas admin * create*)", "Bash(maas admin * release*)",
      "Bash(openstack * create*)", "Bash(openstack * delete*)",
      "Bash(openstack * set*)", "Bash(openstack * unset*)",
      "Bash(* --apply*)",
      "Bash(git commit*)", "Bash(git push*)",
      "Bash(sudo *)", "Bash(virsh *)", "Bash(rm *)"
    ],
    "deny": [
      "Bash(vault operator init*)", "Bash(vault operator rekey*)",
      "Bash(vault operator generate-root*)",
      "Bash(juju destroy-controller *)",
      "Bash(maas list*)",
      "Bash(git push --force*)", "Bash(git push -f*)",
      "Read(~/vault-init/**)", "Read(~/as-executed/**)",
      "Read(~/tenant-*/**)", "Read(**/*-cred.txt)", "Read(**/*appcred*)",
      "Edit(~/vault-init/**)"
    ]
  },
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "hooks": [
          { "type": "command", "command": "python3 \"$CLAUDE_PROJECT_DIR\"/.claude/hooks/guard-destructive.py" }
        ]
      }
    ]
  }
}
