建立使用acceptEdits的权限模式,配合沙箱做好权限管理。
json
{
"permissions": {
"allow": [
"Read(/home/ruize/code/simulator/**)",
"Read(/home/ruize/code/github/**)",
"Write(/home/ruize/code/simulator/**)",
"Bash(ls:*)",
"Bash(cat:*)",
"Bash(grep:*)",
"Bash(find:*)",
"Bash(pwd)",
"Bash(npm install)",
"Bash(npm test)",
"Bash(npm run *)",
"Bash(git status)",
"Bash(git diff)",
"Bash(git log:*)"
],
"deny": [
"Write(/home/ruize/code/utils/**)",
"Read(~/.ssh/**)",
"Read(~/.aws/**)",
"Read(~/.kube/**)",
"Read(~/.config/gcloud/**)",
"Read(~/.npmrc)",
"Read(**/.env)",
"Write(**/.env)",
"Write(.claude/settings.json)",
"Bash(rm:*)",
"Bash(sudo:*)",
"Bash(curl:*)",
"Bash(wget:*)",
"Bash(ssh:*)",
"Bash(scpm:*)"
],
"additionalDirectories": [
"/home/ruize/code/github"
],
"defaultMode": "acceptEdits"
},
"sandbox": {
"enabled": true,
"allowUnsandboxedCommands": false,
"network": {
"allowedDomains": [
"registry.npmjs.org",
"*.npmjs.org",
"github.com",
"*.github.com"
]
},
"filesystem": {
"allowWrite": [
"/home/ruize/code/simulator",
"/tmp"
],
"denyWrite": [
".env",
"**/.env",
".claude/settings.json"
],
"denyRead": [
"~/.ssh",
"~/.aws",
"~/.kube",
"~/.config/gcloud",
"~/.npmrc",
".env",
"**/.env"
],
"allowRead": [
"/home/ruize/code/simulator",
"/home/ruize/code/github"
]
},
"autoAllowBashIfSandboxed": true
}
}