
chore: add project allowlist for read-only gh search and npm view #112

Merged
chitcommit merged 1 commit into main from chore/claude-allowlist-readonly on May 1, 2026

Conversation

@chitcommit (Contributor) commented May 1, 2026

Summary

  • Adds project-level .claude/settings.json with read-only allowlist for gh search * and npm view *
  • Reduces permission prompts surfaced by /fewer-permission-prompts (8x gh search, 3x npm view in transcripts)

Test plan

  • File is project-scoped, additive — does not modify .claude/settings.local.json (per-developer)
  • Allowlist contains only read-only commands; no mutating operations
  • No code changes; permissions config only

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added development tooling configuration to manage command permissions.

Reduces permission prompts for common read-only commands surfaced by
/fewer-permission-prompts (8x gh search, 3x npm view in transcripts).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 1, 2026 07:01
cloudflare-workers-and-pages Bot commented May 1, 2026

Deploying with Cloudflare Workers

The latest updates on your project.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ❌ Deployment failed | chittyfinance | 6f8fe48 | May 01 2026, 07:01 AM |

@chitcommit chitcommit enabled auto-merge (squash) May 1, 2026 07:01
github-actions Bot (Contributor) commented May 1, 2026

@coderabbitai review

Please evaluate:

  • Security implications
  • Credential exposure risk
  • Dependency supply chain concerns
  • Breaking API changes

coderabbitai Bot (Contributor) commented May 1, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

Recent review info

Run configuration: defaults. Review profile: CHILL. Plan: Pro. Run ID: d3763730-08a3-4237-9517-e1f0be7289d6

Commits: reviewing files that changed from the base of the PR and between f4ccefa and 6f8fe48.

Files selected for processing (1):
  • .claude/settings.json

Walkthrough

A new .claude/settings.json configuration file is introduced that sets up Claude tool permissions, specifically allowing Bash commands for gh search and npm view operations.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Configuration: .claude/settings.json | Adds Claude tool permissions configuration allowing Bash commands matching gh search * and npm view *. |

Estimated code review effort: 🎯 1 (Trivial) | ⏱️ ~3 minutes
Poem

🐰 Hop! Settings spring to life,
Permissions clear the tooling strife,
GitHub search and npm's grace,
Claude's powers find their place! 🔑✨

Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped because CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly and clearly describes the main change: adding a project allowlist configuration for read-only gh search and npm view commands. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@chitcommit chitcommit merged commit a7d2271 into main May 1, 2026
11 of 15 checks passed
@chitcommit chitcommit deleted the chore/claude-allowlist-readonly branch May 1, 2026 07:02
claude Bot commented May 1, 2026

Code Review — PR #112

Overview: Adds .claude/settings.json with a project-level allowlist for two read-only commands (gh search *, npm view *) to reduce permission prompts surfaced by /fewer-permission-prompts. 8 lines added, no code touched.


✅ What's Good

  • Correctly scoped: Project-level settings.json (committed) vs. developer-local settings.local.json (gitignored) is the right split — this change will benefit all contributors, not just one machine.
  • Read-only only: Both gh search and npm view are purely read commands. No mutation risk.
  • Well-documented PR: The description clearly explains the motivation (transcript evidence) and what was deliberately excluded.
  • Minimal blast radius: Purely additive, no code changed, no schema touched.

⚠️ Issues / Suggestions

1. Pattern syntax inconsistency with settings.local.json

The existing settings.local.json uses colon-separated patterns:

"Bash(ls:*)", "Bash(curl:*)", "Bash(npm run check:*)"

This PR uses space-separated patterns:

"Bash(gh search *)", "Bash(npm view *)"

Claude Code permission matching treats these differently — the colon form (Bash(cmd:*)) may behave as a substring anchor, while the space form (Bash(gh search *)) is a standard glob prefix match. Both may work in practice, but the inconsistency is worth harmonizing. Recommend confirming which format the Claude Code version in use expects, and aligning settings.local.json to the same convention in a follow-up.

2. gh search code * is implicitly allowed

gh search * covers all search subcommands including gh search code, which performs GitHub code search and can surface snippets from any repository your token has access to (including private org repos). For a team token or shared CI context this is probably fine, but worth a conscious acknowledgement — if this runs in an automated/agentic context with a broad-scoped token, code search could leak sensitive patterns.

Mitigation (optional, not blocking): Enumerate subcommands explicitly if the only observed usage was gh search repos / gh search issues:

"Bash(gh search issues *)",
"Bash(gh search repos *)",
"Bash(gh search prs *)"

3. Consider bundling other frequent read-only commands

Since this PR was generated from transcript analysis, it's a good moment to also add other safe read-only commands that show up frequently in this repo (e.g., gh pr view *, gh pr list, npm ls *, npx tsc --noEmit). Not required, but avoids needing a follow-up PR for each one.


🔒 Security Summary

| Command | Risk | Verdict |
| --- | --- | --- |
| gh search * | Read-only; search code could surface private code | Low — acceptable for dev workflow |
| npm view * | Read-only registry queries | None |

Verdict

Approve with minor notes. The change is correct and well-motivated. The pattern syntax inconsistency (#1) is worth a follow-up cleanup but isn't a blocker. The gh search code surface (#2) is a known trade-off, acceptable here.

🤖 Reviewed with Claude Code
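The over-broad wildcard point in the review above (gh search * also admitting gh search code), worked as an added example that is not code from PR #112 or from Claude Code: a small lint pass over the allow list in a .claude/settings.json. It assumes that a Bash(<prefix> *) rule is applied as a prefix glob over the full command line; that is a modelling assumption for the checker, not Claude Code's documented matcher, and the sensitive-subcommand table is constructed for the example.

```python
import fnmatch
import json
import re

# Constructed sample settings.json carrying the two rules PR #112 adds.
SAMPLE_SETTINGS = json.dumps({
    "permissions": {"allow": ["Bash(gh search *)", "Bash(npm view *)"]}
})

RULE_RE = re.compile(r"^Bash\((.+)\)$")

# Read-only subcommands a team may still want a conscious decision on, with
# the narrower rules to suggest instead (the enumeration from the review).
# Constructed table for this example.
SENSITIVE = {
    "gh search": {"flag": "code", "prefer": ["repos", "issues", "prs"]},
}


def parse_rules(settings_json):
    """Return the command patterns found inside Bash(...) allow rules."""
    data = json.loads(settings_json)
    allow = data.get("permissions", {}).get("allow", [])
    return [m.group(1) for r in allow if (m := RULE_RE.match(r))]


def matches(pattern, command):
    """Prefix-glob match; assumption about how 'gh search *' is applied."""
    return fnmatch.fnmatchcase(command, pattern)


def lint(settings_json):
    """Return (pattern, admitted command, narrower rules) for each rule whose
    wildcard also admits a subcommand listed in SENSITIVE."""
    findings = []
    for pat in parse_rules(settings_json):
        for base, info in SENSITIVE.items():
            probe = f"{base} {info['flag']} example-query"  # constructed probe
            if matches(pat, probe):
                narrower = [f"Bash({base} {s} *)" for s in info["prefer"]]
                findings.append((pat, probe, narrower))
    return findings


if __name__ == "__main__":
    for pat, probe, narrower in lint(SAMPLE_SETTINGS):
        print(f"{pat!r} also admits {probe!r}; consider: {', '.join(narrower)}")
```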

Copilot AI (Contributor) left a comment

Pull request overview

Adds a project-scoped Claude Code permissions allowlist intended to reduce repeated prompts for common read-only CLI queries used during development workflows.

Changes:

  • Introduce .claude/settings.json with an allowlist for gh search * and npm view *


Comment thread .claude/settings.json
Comment on lines +4 to +5
"Bash(gh search *)",
"Bash(npm view *)"
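Review bot: the rule on line +4, "Bash(gh search *)", is a prefix wildcard that also admits gh search code, which the Claude review in this thread notes can return snippets from any repository the token can reach, including private org repos; if the transcripts only showed gh search repos and gh search issues, enumerate those subcommands instead, e.g. "Bash(gh search repos *)", "Bash(gh search issues *)", and leave gh search code out until it is needed. Before adding more entries, also confirm whether this space-separated form and the colon-separated Bash(cmd:*) form used in settings.local.json are matched the same way, so the two files do not drift into different conventions.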