Back to Skills
antigravityAI & Agents

claude-settings-audit

Analyze a repository to generate recommended Claude Code settings.json permissions. Use when setting up a new project, auditing existing settings, or determining which read-only bash commands to allow. Detects tech stack, build tools, and monorepo structure.

Documentation

Claude Settings Audit

Analyze this repository and generate recommended Claude Code settings.json permissions for read-only commands.

When to Use

  • You are setting up or auditing Claude Code settings.json permissions for a repository.
  • You need to infer a safe read-only allow list from the repo's tech stack, tooling, and monorepo structure.
  • You want to review or replace an existing Claude permissions baseline with something evidence-based.

Phase 1: Detect Tech Stack

Run these commands to detect the repository structure:

ls -la
find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50

Check for these indicator files:

CategoryFiles to Check
Pythonpyproject.toml, setup.py, requirements.txt, Pipfile, poetry.lock, uv.lock
Node.jspackage.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Gogo.mod, go.sum
RustCargo.toml, Cargo.lock
RubyGemfile, Gemfile.lock
Javapom.xml, build.gradle, build.gradle.kts
BuildMakefile, Dockerfile, docker-compose.yml
Infra*.tf files, kubernetes/, helm/
Monorepolerna.json, nx.json, turbo.json, pnpm-workspace.yaml

Phase 2: Detect Services

Check for service integrations:

ServiceDetection
Sentrysentry-sdk in deps, @sentry/* packages, .sentryclirc, sentry.properties
LinearLinear config files, .linear/ directory

Read dependency files to identify frameworks:

  • package.json → check dependencies and devDependencies
  • pyproject.toml → check [project.dependencies] or [tool.poetry.dependencies]
  • Gemfile → check gem names
  • Cargo.toml → check [dependencies]

Phase 3: Check Existing Settings

cat .claude/settings.json 2>/dev/null || echo "No existing settings"

Phase 4: Generate Recommendations

Build the allow list by combining:

Baseline Commands (Always Include)

[
  "Bash(ls:*)",
  "Bash(pwd:*)",
  "Bash(find:*)",
  "Bash(file:*)",
  "Bash(stat:*)",
  "Bash(wc:*)",
  "Bash(head:*)",
  "Bash(tail:*)",
  "Bash(cat:*)",
  "Bash(tree:*)",
  "Bash(git status:*)",
  "Bash(git log:*)",
  "Bash(git diff:*)",
  "Bash(git show:*)",
  "Bash(git branch:*)",
  "Bash(git remote:*)",
  "Bash(git tag:*)",
  "Bash(git stash list:*)",
  "Bash(git rev-parse:*)",
  "Bash(gh pr view:*)",
  "Bash(gh pr list:*)",
  "Bash(gh pr checks:*)",
  "Bash(gh pr diff:*)",
  "Bash(gh issue view:*)",
  "Bash(gh issue list:*)",
  "Bash(gh run view:*)",
  "Bash(gh run list:*)",
  "Bash(gh run logs:*)",
  "Bash(gh repo view:*)",
  "Bash(gh api:*)"
]

Stack-Specific Commands

Only include commands for tools actually detected in the project.

Python (if any Python files or config detected)

If DetectedAdd These Commands
Any Pythonpython --version, python3 --version
poetry.lockpoetry show, poetry env info
uv.lockuv pip list, uv tree
Pipfile.lockpipenv graph
requirements.txt (no other lock)pip list, pip show, pip freeze

Node.js (if package.json detected)

If DetectedAdd These Commands
Any Node.jsnode --version
pnpm-lock.yamlpnpm list, pnpm why
yarn.lockyarn list, yarn info, yarn why
package-lock.jsonnpm list, npm view, npm outdated
TypeScript (tsconfig.json)tsc --version

Other Languages

If DetectedAdd These Commands

Use Cases

  • You are setting up or auditing Claude Code `settings.json` permissions for a repository.
  • You need to infer a safe read-only allow list from the repo's tech stack, tooling, and monorepo structure.
  • You want to review or replace an existing Claude permissions baseline with something evidence-based.