# Claude Settings Audit

Analyze this repository and generate recommended Claude Code `settings.json` permissions for read-only commands.

## Phase 1: Detect Tech Stack

Run these commands to detect the repository structure:
```bash
ls -la
find . -maxdepth 2 \( -name "*.toml" -o -name "*.json" -o -name "*.lock" -o -name "*.yaml" -o -name "*.yml" -o -name "Makefile" -o -name "Dockerfile" -o -name "*.tf" \) 2>/dev/null | head -50
```

Check for these indicator files:
| Category | Files to Check |
|---|---|
| Python | |
| Node.js | |
| Go | |
| Rust | |
| Ruby | |
| Java | |
| Build | |
| Infra | |
| Monorepo | |
## Phase 2: Detect Services

Check for service integrations:

| Service | Detection |
|---|---|
| Sentry | Sentry SDK in dependencies |
| Linear | Linear config files |

Read dependency files to identify frameworks:

- `package.json` → check `dependencies` and `devDependencies`
- `pyproject.toml` → check `[project.dependencies]` or `[tool.poetry.dependencies]`
- `Gemfile` → check gem names
- `Cargo.toml` → check `[dependencies]`
## Phase 3: Check Existing Settings

```bash
cat .claude/settings.json 2>/dev/null || echo "No existing settings"
```

## Phase 4: Generate Recommendations

Build the allow list by combining:

### Baseline Commands (Always Include)

```json
[
"Bash(ls:*)",
"Bash(pwd:*)",
"Bash(find:*)",
"Bash(file:*)",
"Bash(stat:*)",
"Bash(wc:*)",
"Bash(head:*)",
"Bash(tail:*)",
"Bash(cat:*)",
"Bash(tree:*)",
"Bash(git status:*)",
"Bash(git log:*)",
"Bash(git diff:*)",
"Bash(git show:*)",
"Bash(git branch:*)",
"Bash(git remote:*)",
"Bash(git tag:*)",
"Bash(git stash list:*)",
"Bash(git rev-parse:*)",
"Bash(gh pr view:*)",
"Bash(gh pr list:*)",
"Bash(gh pr checks:*)",
"Bash(gh pr diff:*)",
"Bash(gh issue view:*)",
"Bash(gh issue list:*)",
"Bash(gh run view:*)",
"Bash(gh run list:*)",
"Bash(gh run logs:*)",
"Bash(gh repo view:*)",
"Bash(gh api:*)"
]
```

### Stack-Specific Commands
Only include commands for tools actually detected in the project.

#### Python (if any Python files or config detected)

| If Detected | Add These Commands |
|---|---|
| Any Python | |

#### Node.js (if `package.json` detected)

| If Detected | Add These Commands |
|---|---|
| Any Node.js | |
| TypeScript | |

#### Other Languages

| If Detected | Add These Commands |
|---|---|

#### Build Tools

| If Detected | Add These Commands |
|---|---|

### Skills (for Sentry Projects)

If this is a Sentry project (or the sentry-skills plugin is installed), include:

```json
[
"Skill(sentry-skills:commit)",
"Skill(sentry-skills:create-pr)",
"Skill(sentry-skills:code-review)",
"Skill(sentry-skills:find-bugs)",
"Skill(sentry-skills:iterate-pr)",
"Skill(sentry-skills:claude-settings-audit)",
"Skill(sentry-skills:agents-md)",
"Skill(sentry-skills:brand-guidelines)",
"Skill(sentry-skills:doc-coauthoring)",
"Skill(sentry-skills:security-review)",
"Skill(sentry-skills:django-perf-review)",
"Skill(sentry-skills:code-simplifier)"
]
```

### WebFetch Domains

#### Always Include (Sentry Projects)

```json
[
"WebFetch(domain:docs.sentry.io)",
"WebFetch(domain:develop.sentry.dev)",
"WebFetch(domain:docs.github.com)",
"WebFetch(domain:cli.github.com)"
]
```

#### Framework-Specific

| If Detected | Add Domains |
|---|---|
| Django | |
| Flask | |
| FastAPI | |
| React | |
| Next.js | |
| Vue | |
| Express | |
| Rails | |
| Go | |
| Rust | |
| Docker | |
| Kubernetes | |
| Terraform | |

### MCP Server Suggestions

MCP servers are configured in `.mcp.json` (not `settings.json`). Check for existing config:

```bash
cat .mcp.json 2>/dev/null || echo "No existing .mcp.json"
```

#### Sentry MCP (if Sentry SDK detected)

Add to `.mcp.json` (replace `{org-slug}` and `{project-slug}` with your Sentry organization and project slugs):

```json
{
"mcpServers": {
"sentry": {
"type": "http",
"url": "https://mcp.sentry.dev/mcp/{org-slug}/{project-slug}"
}
}
}
```

#### Linear MCP (if Linear usage detected)

Add to `.mcp.json`:

```json
{
"mcpServers": {
"linear": {
"command": "npx",
"args": ["-y", "@linear/mcp-server"],
"env": {
"LINEAR_API_KEY": "${LINEAR_API_KEY}"
}
}
}
}
```

Note: Never suggest GitHub MCP. Always use `gh` CLI commands for GitHub.

## Output Format

Present your findings as:

- Summary Table - What was detected
- Recommended `settings.json` - Complete JSON ready to copy
- MCP Suggestions - If applicable
- Merge Instructions - If existing settings found

Example output structure:

````markdown
## Detected Tech Stack

| Category | Found |
|---|---|
| Languages | Python 3.x |
| Package Manager | poetry |
| Frameworks | Django, Celery |
| Services | Sentry |
| Build Tools | Docker, Make |

## Recommended .claude/settings.json

```json
{
  "permissions": {
    "allow": [
      // ... grouped by category with comments
    ],
    "deny": []
  }
}
```

## Recommended .mcp.json (if applicable)

If you use Sentry or Linear, add the MCP config to `.mcp.json`...
````

## Important Rules
### What to Include

- Only READ-ONLY commands that cannot modify state
- Only tools that are actually used by the project (detected via lock files)
- Standard system commands (ls, cat, find, etc.)
- The `:*` suffix allows any arguments to the base command
### What to NEVER Include

- Absolute paths - Never include user-specific paths like `/home/user/scripts/foo` or `/Users/name/bin/bar`
- Custom scripts - Never include project scripts that may have side effects (e.g., `./scripts/deploy.sh`)
- Alternative package managers - If the project uses pnpm, do NOT include npm/yarn commands
- Commands that modify state - No install, build, run, write, or delete commands
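The "never include" list above can be checked mechanically before a generated allow list is committed. The following Python is an added example and not code from the sentry-skills project: it audits `Bash(...)` rules for the three lexical patterns the list names (absolute or home-directory paths, project-local scripts, state-changing subcommands). It assumes the rule grammar `Bash(<command>:<args>)` used throughout this page, and the verb list is my own expansion of the page's "install, build, run, write, or delete" categories.

```python
"""Audit Claude Code Bash(...) allow rules against the 'never include' list.

Added illustration, not code from the sentry-skills project. Assumes the
rule shape Bash(<command>:<args>) used in this document.
"""
import re

# Subcommands that imply a state change. ASSUMPTION: this word list is my
# own expansion of the page's categories (install, build, run, write, delete).
STATE_CHANGING = {
    "install", "add", "remove", "uninstall", "update", "build", "run", "exec",
    "push", "commit", "reset", "rebase", "checkout", "merge", "deploy",
    "rm", "mv", "cp", "tee", "chmod", "chown", "write", "delete",
}

# Bash(<command>[:<args>]) -- the command may contain spaces ("git status").
RULE_RE = re.compile(r"^Bash\((?P<cmd>[^:()]+?)(?::(?P<args>.*))?\)$")


def audit_rule(rule):
    """Return the findings for one rule; an empty list means it passes.

    Non-Bash rules (Skill, WebFetch, ...) are out of scope and pass.
    The operative verb is the last word of the command, i.e. the subcommand:
    "gh run view" is a read, "poetry run" is not, and a bare "rm" is its own verb.
    """
    if not rule.startswith("Bash("):
        return []
    m = RULE_RE.match(rule)
    if not m:
        return ["malformed Bash rule"]
    words = m.group("cmd").strip().split()
    if not words:
        return ["empty command"]
    findings = []
    first = words[0]
    if first.startswith(("/", "~")):
        findings.append("absolute or home path")
    elif "/" in first:
        findings.append("project script (may have side effects)")
    if words[-1] in STATE_CHANGING:
        findings.append(f"state-changing verb '{words[-1]}'")
    return findings


def audit_allow_list(rules):
    """Map each failing rule to its findings; passing rules are omitted."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule] = findings
    return report


if __name__ == "__main__":
    # Constructed sample: baseline-style entries plus the kinds the page forbids.
    SAMPLE = [
        "Bash(git status:*)",
        "Bash(gh run view:*)",
        "Bash(/home/user/scripts/foo:*)",
        "Bash(./scripts/deploy.sh:*)",
        "Bash(npm install:*)",
        "Skill(sentry-skills:commit)",
    ]
    for rule, findings in audit_allow_list(SAMPLE).items():
        print(f"{rule}: {'; '.join(findings)}")
```

The check is purely lexical, so it cannot see that a read-looking entry such as `gh api` in the baseline can still send mutating requests when given a method flag; entries like that have to be reviewed by hand.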
### Package Manager Rules

Only include the package manager actually used by the project:

| If Detected | Include | Do NOT Include |
|---|---|---|
| `pnpm-lock.yaml` | pnpm commands | npm, yarn |
| `yarn.lock` | yarn commands | npm, pnpm |
| `package-lock.json` | npm commands | yarn, pnpm |
| `poetry.lock` | poetry commands | pip (unless also has requirements.txt) |
| `uv.lock` | uv commands | pip, poetry |
| `Pipfile.lock` | pipenv commands | pip, poetry |

If multiple lock files exist, include only the commands for each detected manager.
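Phases 1 to 4 together with the package-manager rules describe one procedure: find lock files within two directory levels, map them to managers, and emit an allow list containing the baseline plus only the detected managers' commands, merged with whatever `.claude/settings.json` already grants. The following Python carries that procedure through end to end. It is an added example, not code from the sentry-skills project: the lock-file-to-manager mapping follows the table above, the baseline is abbreviated to a few entries from the page's list, and the per-manager read-only commands are my own picks (the page's stack-specific tables are not reproduced here).

```python
"""Generate a read-only Claude Code allow list from detected lock files.

Added illustration, not code from the sentry-skills project.
"""
import json
from pathlib import Path

# Abbreviated from the page's baseline list (same rule syntax).
BASELINE = [
    "Bash(ls:*)", "Bash(pwd:*)", "Bash(find:*)", "Bash(cat:*)",
    "Bash(git status:*)", "Bash(git log:*)", "Bash(git diff:*)",
    "Bash(gh pr view:*)", "Bash(gh pr list:*)",
]

# Lock file -> package manager, following the Package Manager Rules table.
LOCKFILE_TO_MANAGER = {
    "pnpm-lock.yaml": "pnpm",
    "yarn.lock": "yarn",
    "package-lock.json": "npm",
    "poetry.lock": "poetry",
    "uv.lock": "uv",
    "Pipfile.lock": "pipenv",
}

# Read-only subcommands per manager. ASSUMPTION: my own picks, not the
# page's stack-specific tables.
MANAGER_READONLY = {
    "pnpm": ["pnpm list", "pnpm why"],
    "yarn": ["yarn list", "yarn why"],
    "npm": ["npm ls", "npm view"],
    "poetry": ["poetry show", "poetry check"],
    "uv": ["uv tree", "uv pip list"],
    "pipenv": ["pipenv graph"],
}


def detect_managers(relative_paths, max_depth=2):
    """Map lock files within `max_depth` directory levels (like `find -maxdepth 2`)
    to the managers they belong to."""
    managers = set()
    for rel in relative_paths:
        parts = Path(rel).parts
        if parts and len(parts) <= max_depth and parts[-1] in LOCKFILE_TO_MANAGER:
            managers.add(LOCKFILE_TO_MANAGER[parts[-1]])
    return managers


def scan_repo(root, max_depth=2):
    """Phase 1 against a real checkout: list files under root, then detect managers."""
    root = Path(root)
    rel = [str(p.relative_to(root)) for p in root.rglob("*") if p.is_file()]
    return detect_managers(rel, max_depth)


def excluded_managers(managers):
    """Managers whose commands must NOT appear: every known one that was not detected."""
    return sorted(set(MANAGER_READONLY) - set(managers))


def build_allow_list(managers, existing_allow=()):
    """Phase 4: existing grants first, then the baseline, then only the detected
    managers' read-only commands. Duplicates are dropped and order is kept."""
    rules = []

    def add(rule):
        if rule not in rules:
            rules.append(rule)

    for rule in existing_allow:  # merge: never silently drop what is already granted
        add(rule)
    for rule in BASELINE:
        add(rule)
    for manager in sorted(managers):
        for cmd in MANAGER_READONLY[manager]:
            add(f"Bash({cmd}:*)")
    return rules


def recommend_settings(root, existing=None, max_depth=2):
    """Full run: detect managers, build the list, and merge into the settings shape."""
    permissions = (existing or {}).get("permissions", {})
    managers = scan_repo(root, max_depth)
    return {
        "permissions": {
            "allow": build_allow_list(managers, permissions.get("allow", [])),
            "deny": list(permissions.get("deny", [])),
        }
    }


if __name__ == "__main__":
    # Run against the current directory, merging an existing settings file if present.
    existing_path = Path(".claude/settings.json")
    existing = json.loads(existing_path.read_text()) if existing_path.exists() else None
    print(json.dumps(recommend_settings(".", existing), indent=2))
```

Because only detected managers contribute rules, a repository with `pnpm-lock.yaml` never receives `npm` or `yarn` entries, and a repository with several lock files receives one group per manager, which is exactly the exclusivity the table above asks for.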