---
name: claude-settings-audit
description: Analyze a repository to generate recommended Claude Code settings.json permissions. Use when setting up a new project, auditing existing settings, or determining which read-only bash commands to allow. Detects tech stack, build tools, and monorepo structure.
---

# Claude Settings Audit

Analyze this repository and generate recommended Claude Code `settings.json` permissions for read-only commands.

## Phase 1: Detect Tech Stack

Run these commands to detect the repository structure:

```bash
ls -la
find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50
```

Check for these indicator files:

| Category | Files to Check |
|----------|---------------|
| **Python** | `pyproject.toml`, `setup.py`, `requirements.txt`, `Pipfile`, `poetry.lock`, `uv.lock` |
| **Node.js** | `package.json`, `package-lock.json`, `yarn.lock`, `pnpm-lock.yaml` |
| **Go** | `go.mod`, `go.sum` |
| **Rust** | `Cargo.toml`, `Cargo.lock` |
| **Ruby** | `Gemfile`, `Gemfile.lock` |
| **Java** | `pom.xml`, `build.gradle`, `build.gradle.kts` |
| **Build** | `Makefile`, `Dockerfile`, `docker-compose.yml` |
| **Infra** | `*.tf` files, `kubernetes/`, `helm/` |
| **Monorepo** | `lerna.json`, `nx.json`, `turbo.json`, `pnpm-workspace.yaml` |

## Phase 2: Detect Services

Check for service integrations:

| Service | Detection |
|---------|-----------|
| **Sentry** | `sentry-sdk` in deps, `@sentry/*` packages, `.sentryclirc`, `sentry.properties` |
| **Linear** | Linear config files, `.linear/` directory |

Read dependency files to identify frameworks:
- `package.json` → check `dependencies` and `devDependencies`
- `pyproject.toml` → check `[project.dependencies]` or `[tool.poetry.dependencies]`
- `Gemfile` → check gem names
- `Cargo.toml` → check `[dependencies]`

## Phase 3: Check Existing Settings

```bash
cat .claude/settings.json 2>/dev/null || echo "No existing settings"
```

## Phase 4: Generate Recommendations

Build the allow list by combining:

### Baseline Commands (Always Include)

```json
[
  "Bash(ls:*)",
  "Bash(pwd:*)",
  "Bash(find:*)",
  "Bash(file:*)",
  "Bash(stat:*)",
  "Bash(wc:*)",
  "Bash(head:*)",
  "Bash(tail:*)",
  "Bash(cat:*)",
  "Bash(tree:*)",
  "Bash(git status:*)",
  "Bash(git log:*)",
  "Bash(git diff:*)",
  "Bash(git show:*)",
  "Bash(git branch:*)",
  "Bash(git remote:*)",
  "Bash(git tag:*)",
  "Bash(git stash list:*)",
  "Bash(git rev-parse:*)",
  "Bash(gh pr view:*)",
  "Bash(gh pr list:*)",
  "Bash(gh pr checks:*)",
  "Bash(gh pr diff:*)",
  "Bash(gh issue view:*)",
  "Bash(gh issue list:*)",
  "Bash(gh run view:*)",
  "Bash(gh run list:*)",
  "Bash(gh run logs:*)",
  "Bash(gh repo view:*)",
  "Bash(gh api:*)"
]
```

### Stack-Specific Commands

Only include commands for tools actually detected in the project.

#### Python (if any Python files or config detected)

| If Detected | Add These Commands |
|-------------|-------------------|
| Any Python | `python --version`, `python3 --version` |
| `poetry.lock` | `poetry show`, `poetry env info` |
| `uv.lock` | `uv pip list`, `uv tree` |
| `Pipfile.lock` | `pipenv graph` |
| `requirements.txt` (no other lock) | `pip list`, `pip show`, `pip freeze` |

#### Node.js (if package.json detected)

| If Detected | Add These Commands |
|-------------|-------------------|
| Any Node.js | `node --version` |
| `pnpm-lock.yaml` | `pnpm list`, `pnpm why` |
| `yarn.lock` | `yarn list`, `yarn info`, `yarn why` |
| `package-lock.json` | `npm list`, `npm view`, `npm outdated` |
| TypeScript (`tsconfig.json`) | `tsc --version` |

#### Other Languages

| If Detected | Add These Commands |
|-------------|-------------------|
| `go.mod` | `go version`, `go list`, `go mod graph`, `go env` |
| `Cargo.toml` | `rustc --version`, `cargo --version`, `cargo tree`, `cargo metadata` |
| `Gemfile` | `ruby --version`, `bundle list`, `bundle show` |
| `pom.xml` | `java --version`, `mvn --version`, `mvn dependency:tree` |
| `build.gradle` | `java --version`, `gradle --version`, `gradle dependencies` |

#### Build Tools

| If Detected | Add These Commands |
|-------------|-------------------|
| `Dockerfile` | `docker --version`, `docker ps`, `docker images` |
| `docker-compose.yml` | `docker-compose ps`, `docker-compose config` |
| `*.tf` files | `terraform --version`, `terraform providers`, `terraform state list` |
| `Makefile` | `make --version`, `make -n` |

### Skills (for Sentry Projects)

If this is a Sentry project (or sentry-skills plugin is installed), include:

```json
[
  "Skill(sentry-skills:commit)",
  "Skill(sentry-skills:create-pr)",
  "Skill(sentry-skills:code-review)",
  "Skill(sentry-skills:find-bugs)",
  "Skill(sentry-skills:deslop)",
  "Skill(sentry-skills:iterate-pr)",
  "Skill(sentry-skills:claude-settings-audit)"
]
```

### WebFetch Domains

#### Always Include (Sentry Projects)
```json
[
  "WebFetch(domain:docs.sentry.io)",
  "WebFetch(domain:develop.sentry.dev)",
  "WebFetch(domain:docs.github.com)",
  "WebFetch(domain:cli.github.com)"
]
```

#### Framework-Specific

| If Detected | Add Domains |
|-------------|-------------|
| **Django** | `docs.djangoproject.com` |
| **Flask** | `flask.palletsprojects.com` |
| **FastAPI** | `fastapi.tiangolo.com` |
| **React** | `react.dev` |
| **Next.js** | `nextjs.org` |
| **Vue** | `vuejs.org` |
| **Express** | `expressjs.com` |
| **Rails** | `guides.rubyonrails.org`, `api.rubyonrails.org` |
| **Go** | `pkg.go.dev` |
| **Rust** | `docs.rs`, `doc.rust-lang.org` |
| **Docker** | `docs.docker.com` |
| **Kubernetes** | `kubernetes.io` |
| **Terraform** | `registry.terraform.io` |

### MCP Server Suggestions

MCP servers are configured in `.mcp.json` (not `settings.json`). Check for existing config:

```bash
cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"
```

#### Sentry MCP (if Sentry SDK detected)

Add to `.mcp.json`:
```json
{
  "mcpServers": {
    "sentry": {
      "command": "uvx",
      "args": ["mcp-server-sentry"],
      "env": {
        "SENTRY_AUTH_TOKEN": "${SENTRY_AUTH_TOKEN}"
      }
    }
  }
}
```

#### Linear MCP (if Linear usage detected)

Add to `.mcp.json`:
```json
{
  "mcpServers": {
    "linear": {
      "command": "npx",
      "args": ["-y", "@linear/mcp-server"],
      "env": {
        "LINEAR_API_KEY": "${LINEAR_API_KEY}"
      }
    }
  }
}
```

**Note**: Never suggest GitHub MCP. Always use `gh` CLI commands for GitHub.

## Output Format

Present your findings as:

1. **Summary Table** - What was detected
2. **Recommended settings.json** - Complete JSON ready to copy
3. **MCP Suggestions** - If applicable
4. **Merge Instructions** - If existing settings found

Example output structure:

```markdown
## Detected Tech Stack

| Category | Found |
|----------|-------|
| Languages | Python 3.x |
| Package Manager | poetry |
| Frameworks | Django, Celery |
| Services | Sentry |
| Build Tools | Docker, Make |

## Recommended .claude/settings.json

\`\`\`json
{
  "permissions": {
    "allow": [
      // ... grouped by category with comments
    ],
    "deny": []
  }
}
\`\`\`

## Recommended .mcp.json (if applicable)

If you use Sentry or Linear, add the MCP config to `.mcp.json`...
```

## Important Rules

### What to Include
- Only READ-ONLY commands that cannot modify state
- Only tools that are actually used by the project (detected via lock files)
- Standard system commands (ls, cat, find, etc.)
- The `:*` suffix allows any arguments to the base command

### What to NEVER Include
- **Absolute paths** - Never include user-specific paths like `/home/user/scripts/foo` or `/Users/name/bin/bar`
- **Custom scripts** - Never include project scripts that may have side effects (e.g., `./scripts/deploy.sh`)
- **Alternative package managers** - If the project uses pnpm, do NOT include npm/yarn commands
- **Commands that modify state** - No install, build, run, write, or delete commands

### Package Manager Rules

Only include the package manager actually used by the project:

| If Detected | Include | Do NOT Include |
|-------------|---------|----------------|
| `pnpm-lock.yaml` | pnpm commands | npm, yarn |
| `yarn.lock` | yarn commands | npm, pnpm |
| `package-lock.json` | npm commands | yarn, pnpm |
| `poetry.lock` | poetry commands | pip (unless also has requirements.txt) |
| `uv.lock` | uv commands | pip, poetry |
| `Pipfile.lock` | pipenv commands | pip, poetry |

If multiple lock files exist, include only the commands for each detected manager.