# Claude Code Settings - Permission Groups

This document explains the permissions configured in `.claude/settings.local.json`.

**Last Updated:** 2026-01-17
**Total Permissions:** 33 (reduced from 49 by removing duplicates)

---

## Permission Categories

### System Commands (Lines 4-7)
Basic Windows/system operations needed for development tasks.

- `Bash(cd:*)` - Change directory navigation
- `Bash(del:*)` - Delete files/folders
- `Bash(echo:*)` - Output text to console
- `Bash(tree:*)` - Display directory structure

### Network & Infrastructure (Lines 8-10)
Network diagnostics and infrastructure management.

- `Bash(route print:*)` - Display routing table
- `Bash(tailscale status:*)` - Check Tailscale VPN status
- `Bash(Test-NetConnection -ComputerName 172.16.3.20 -Port 3306)` - Test database connectivity

### Database (Line 11)
Database operations and queries.

- `Bash(mysql:*)` - MySQL/MariaDB command-line client

### Python & Package Management (Lines 12-15)
Python interpreter and package installation/management.

- `Bash(api/venv/Scripts/python.exe:*)` - Project virtual environment Python
- `Bash(api/venv/Scripts/pip:*)` - Virtual environment pip commands
- `Bash(pip install:*)` - System-wide package installation
- `Bash(pip uninstall:*)` - System-wide package removal

**Note:** Consolidated from multiple duplicate paths:
- Removed: `./venv/Scripts/python.exe:*` (relative path variant)
- Removed: `D:\\ClaudeTools\\api\\venv\\Scripts\\python.exe:*` (absolute path variant)
- Removed: `api\\venv\\Scripts\\python.exe:*` (backslash variant)
- Removed: Specific pip.exe install patterns (covered by wildcard)

### Database Migrations - Alembic (Line 16)
Database schema migrations using Alembic.

- `Bash(api/venv/Scripts/alembic.exe:*)` - All Alembic commands

**Note:** Consolidated specific revision commands into general wildcard pattern.

### Testing & Development (Lines 17-18)
Test execution and development workflows.

- `Bash(api/venv/Scripts/python.exe -m pytest:*)` - Pytest test runner (all variants)
- `Bash(test:*)` - General test commands

**Note:** Removed specific test file patterns (consolidated into wildcard):
- Removed: `test_context_recall_system.py` specific commands
- Removed: `test_credential_scanner.py` specific commands
- Removed: `test_conversation_parser.py` specific commands
- Removed: `test_import_preview.py` specific commands

### Process Management (Lines 19-22)
Windows process monitoring and task management.

- `Bash(schtasks /query:*)` - Query scheduled tasks
- `Bash(tasklist:*)` - List running processes
- `Bash(wmic OS get:*)` - Get OS information
- `Bash(wmic process where:*)` - Query process details

**Note:** Consolidated WMIC process queries with multiple filters into single pattern.

### Project-Specific Commands (Lines 23-29)
Custom ClaudeTools project management commands.

- `Bash(firewall:*)` - Firewall rule management
- `Bash(infrastructure)` - Infrastructure asset tracking
- `Bash(m365:*)` - Microsoft 365 tenant management (fixed from `m365 \"`)
- `Bash(network)` - Network configuration
- `Bash(session_tag)` - Session tagging
- `Bash(site)` - Site/location management
- `Bash(task)` - Task management

**Note:** Fixed `m365` pattern from `"Bash(m365 \")"` to `"Bash(m365:*)"` for consistency.

### Scripts & Utilities (Lines 30-36)
Miscellaneous utilities and helper scripts.

- `Bash(bash scripts:*)` - Execute project scripts
- `Bash(cmd /c:*)` - Windows command processor execution
- `Bash(findstr:*)` - Windows text search utility
- `Bash(openssl rand:*)` - OpenSSL random generation
- `Bash(reg query:*)` - Windows registry queries
- `Bash(source:*)` - Source shell scripts
- `Bash(tee:*)` - Tee command for output splitting

**Note:** Generalized script patterns:
- `bash scripts:*` covers all scripts including `upgrade-to-offline-mode.sh`
- `cmd /c:*` covers batch files like `check_old_database.bat`
- `reg query:*` covers all registry queries including PuTTY sessions

---

## Optimization Summary

**Improvements Made:**
1. Reduced permissions from 49 to 33 (33% reduction)
2. Removed duplicate Python/pip paths with different formats
3. Consolidated overly specific commands into wildcard patterns
4. Alphabetically sorted within each category
5. Standardized path format (forward slashes preferred)
6. Fixed semantic issues (m365 pattern)

**Duplicates Removed:**
- 4 duplicate Python executable paths (different path formats)
- 2 duplicate pip installation patterns
- 8 specific test command patterns (consolidated into pytest wildcard)
- 2 specific alembic revision commands (consolidated into wildcard)
- 2 duplicate WMIC process queries
- 1 specific bash script (covered by general pattern)
- 1 specific batch file (covered by cmd /c pattern)

**Patterns Generalized:**
- All pytest commands: `*-m pytest:*` covers all test files
- All alembic commands: `alembic.exe:*` covers all operations
- All bash scripts: `bash scripts:*` covers all project scripts
- All registry queries: `reg query:*` covers all HKEY paths

---

## Maintenance Tips

**Adding New Permissions:**
1. Check if existing wildcard patterns already cover the command
2. Place new permission in appropriate category
3. Keep alphabetical order within category
4. Prefer wildcards over specific commands
5. Use forward slashes for paths (Windows accepts both)

**Pattern Syntax:**
- `:*` = wildcard for any arguments
- Use exact match when security requires specificity
- Avoid overly broad patterns that could be security risks

**Security Considerations:**
- Keep database connection test specific (line 10) - don't generalize
- Review wildcard patterns periodically
- Remove unused permissions
- Test after changes to ensure functionality

---

## Related Files

- **Settings File:** `.claude/settings.local.json`
- **Project Docs:** `.claude/CLAUDE.md`
- **Coding Guidelines:** `.claude/CODING_GUIDELINES.md`