From 00ac88b9544d70b8ff97bdeaeeb18fd07304fc14 Mon Sep 17 00:00:00 2001 From: Dan Egan Date: Thu, 18 Jun 2026 15:38:02 -0400 Subject: [PATCH 1/3] chore(perms): allow git push, keep blocking force pushes Replace the blanket git push deny with force-push-only denies so feature branches can be pushed while history rewrites stay blocked. --- .claude/settings.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.claude/settings.json b/.claude/settings.json index 64bb3ee..601b02e 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -33,8 +33,8 @@ ], "deny": [ "Bash(rm -rf:*)", - "Bash(git push:*)", "Bash(git push --force:*)", + "Bash(git push -f:*)", "Bash(npm publish:*)", "Bash(pnpm publish:*)" ], From c7b2fc8984958331634bbdcbd193816014f9b3dd Mon Sep 17 00:00:00 2001 From: Dan Egan Date: Thu, 18 Jun 2026 15:53:04 -0400 Subject: [PATCH 2/3] fix(perms): block force pushes at any argument position The flag-adjacent deny patterns only matched when --force/-f immediately followed 'push', so 'git push origin main --force' and --force-with-lease slipped through. Use space-form wildcard patterns (colons are literal mid-pattern per Claude Code permission matching) to catch the flags anywhere without matching branch names like feature-flags. --- .claude/settings.json | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.claude/settings.json b/.claude/settings.json index 601b02e..42a75ca 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -33,8 +33,11 @@ ], "deny": [ "Bash(rm -rf:*)", - "Bash(git push --force:*)", - "Bash(git push -f:*)", + "Bash(git push *--force*)", + "Bash(git push -f)", + "Bash(git push -f *)", + "Bash(git push * -f)", + "Bash(git push * -f *)", "Bash(npm publish:*)", "Bash(pnpm publish:*)" ], From bc06e03d4e4377c492fc28898ea57cc903b6bf97 Mon Sep 17 00:00:00 2001 From: Dan Egan Date: Thu, 18 Jun 2026 15:57:13 -0400 Subject: [PATCH 3/3] correct --- .claude/settings.json | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.claude/settings.json b/.claude/settings.json index 42a75ca..388c3e9 100644 --- a/.claude/settings.json +++ b/.claude/settings.json @@ -32,7 +32,9 @@ "Bash(pnpm test:coverage)" ], "deny": [ - "Bash(rm -rf:*)", + "Bash(rm -rf:*)" + ], + "ask": [ "Bash(git push *--force*)", "Bash(git push -f)", "Bash(git push -f *)", @@ -40,7 +42,6 @@ "Bash(git push * -f *)", "Bash(npm publish:*)", "Bash(pnpm publish:*)" - ], - "ask": [] + ] } }