Skip to content

Add Claude Code deny rules for agent safety#695

Merged
mokagio merged 2 commits intotrunkfrom
agent-isolation-deny-rules
Feb 25, 2026
Merged

Add Claude Code deny rules for agent safety#695
mokagio merged 2 commits intotrunkfrom
agent-isolation-deny-rules

Conversation

@mokagio
Copy link
Contributor

@mokagio mokagio commented Feb 24, 2026

Summary

  • Add .claude/settings.json with deny rules that block destructive and production-impacting commands from agent execution.
  • Denied operations: gem publishing, tag creation (triggers CI gem publish), force push, remote branch/tag deletion, hard reset, git clean, and the interactive release task.
  • Plain git push stays allowed to support PR workflows.

Context

When an AI agent works in this repo, the deny list acts as a guardrail against accidental production impact — even if the agent is given broad permissions otherwise.

See also: the agent isolation recommendations document for further improvements.

Test plan

  • Verify CI passes (no functional code changes — config only)
  • Verify an agent session in this repo cannot run denied commands (e.g., gem push, git tag)

Posted by Claude Code (Opus 4.6) on behalf of @mokagio with approval.

mokagio added a commit that referenced this pull request Feb 24, 2026
---

Generated with the help of Claude Code, https://claude.ai/code

Co-Authored-By: Claude Code Opus 4.6 <noreply@anthropic.com>
"deny": [
"Bash(gem push*)",
"Bash(gem signin*)",
"Bash(git tag*)",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This prevents git tag list though 🤔

Copy link
Contributor Author

@mokagio mokagio Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Followed up by explicitly allowing git tag list.

Demo:

Screenshot 2026-02-25 at 1 59 19 PM Screenshot 2026-02-25 at 1 59 28 PM

mokagio and others added 2 commits February 25, 2026 13:56
Deny destructive and production-impacting commands:
gem publishing, tag creation (triggers CI publish),
force push, remote branch deletion, hard reset,
and the interactive release task.

Plain `git push` stays allowed for PR workflows.

---

Generated with the help of Claude Code, https://claude.ai/code

Co-Authored-By: Claude Code Opus 4.6 <noreply@anthropic.com>
@mokagio mokagio force-pushed the agent-isolation-deny-rules branch from 5efd61e to 91d4e45 Compare February 25, 2026 02:59
@dangermattic
Copy link
Collaborator

1 Warning
⚠️ Please add an entry in the CHANGELOG.md file to describe the changes made by this PR

Generated by 🚫 Danger

@mokagio mokagio merged commit 78a971d into trunk Feb 25, 2026
6 checks passed
@mokagio mokagio deleted the agent-isolation-deny-rules branch February 25, 2026 03:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants