557 lines
22 KiB
Markdown
557 lines
22 KiB
Markdown
# claude-config
|
||
|
||
Global Claude Code configuration — agents, skills, plugins, and project templates.
|
||
|
||
---
|
||
|
||
## Overview
|
||
|
||
This repo is your personal Claude Code setup, versioned and reproducible across machines.
|
||
|
||
```
|
||
claude-config/
|
||
├── CLAUDE.md # Global coding preferences (style, rules, workflow)
|
||
├── settings.json # Global permissions (77 deny / 16 ask / 57 allow rules)
|
||
├── install-plugins.sh # One-shot installer: prerequisites + all plugins (reads plugins.lock.json)
|
||
├── link.sh # Symlinks this repo into ~/.claude/
|
||
├── doctor.sh # Setup diagnostic — checks symlinks, plugins, permissions, token budget
|
||
├── update-all.sh # One-command update for all components
|
||
├── Makefile # Unified entry point: make install / doctor / update
|
||
├── plugins.lock.json # Version pinning for non-marketplace dependencies (RTK, GSD)
|
||
├── version.txt # Semver version of this config
|
||
├── CHANGELOG.md # Release history
|
||
├── lib/
|
||
│ └── detect-plugins.sh # Shared plugin detection — sourced by all scripts
|
||
├── hooks/
|
||
│ └── session-start.sh # Health check + toggle plugin status at session start
|
||
├── skills-external/
|
||
│ └── gstack/ # Git submodule — garrytan/gstack (symlinked to ~/.claude/skills/gstack)
|
||
├── .gitmodules # Submodule declaration
|
||
├── agents/
|
||
│ ├── analyzer.md # Factual codebase analysis (read-only)
|
||
│ ├── interviewer.md # Project questionnaire → PROJECT BRIEF
|
||
│ ├── plugin-advisor.md # Plugin check: detect mismatches, block if Superpowers missing
|
||
│ ├── readme-updater.md # Update README from git history + codebase
|
||
│ ├── refactorer.md # Surgical refactoring with norm enforcement
|
||
│ └── scaffolder.md # Full project generation (CLAUDE.md, README, code)
|
||
├── skills/
|
||
│ ├── analyze/ # /analyze — deep factual analysis
|
||
│ ├── health/ # /health — run setup diagnostic
|
||
│ ├── init-project/ # /init-project — full project initialization
|
||
│ ├── plugin-check/ # /plugin-check — check plugin config vs project needs
|
||
│ ├── readme/ # /readme — update README from current state
|
||
│ ├── refactor/ # /refactor — improve code without changing behavior
|
||
│ └── ship-feature/ # /ship-feature — ship a feature end-to-end
|
||
└── templates/
|
||
├── project-CLAUDE.md # Template for per-project CLAUDE.md
|
||
└── settings/
|
||
├── settings.json # Template for project .claude/settings.json
|
||
├── settings.local.json # Template for personal .claude/settings.local.json
|
||
├── .claudeignore # Template for project .claudeignore
|
||
└── SETTINGS.md # Full settings reference
|
||
```
|
||
|
||
**Architecture principle:**
|
||
- `skills/` = entry points you invoke via `/skill-name`
|
||
- `agents/` = execution units called by skills (never invoked directly by user)
|
||
- `lib/` = shared shell functions sourced by scripts (plugin detection)
|
||
- Custom skills use **Superpowers** agents for implementation phases (required — auto-detected)
|
||
- **Plugins** (Superpowers, GStack, GSD, etc.) install separately and complement custom skills
|
||
|
||
---
|
||
|
||
## Fresh install (new machine)
|
||
|
||
```bash
|
||
# 1. Clone with submodules — choose any location
|
||
git clone --recurse-submodules git@github.com:youruser/claude-config.git
|
||
cd claude-config
|
||
|
||
# 2. Symlink into ~/.claude/
|
||
bash link.sh
|
||
|
||
# 3. Install prerequisites + all plugins (detects OS, reads pinned versions from plugins.lock.json)
|
||
bash install-plugins.sh
|
||
|
||
# 4. Add Context7 API key (free at context7.com) — manual step
|
||
claude mcp add --scope user context7 -- npx -y @upstash/context7-mcp --api-key YOUR_KEY
|
||
|
||
# 5. Verify setup
|
||
bash doctor.sh
|
||
|
||
# 6. Restart Claude Code then run /reload-plugins
|
||
```
|
||
|
||
All scripts use their own location to find the repo — run them from anywhere or from the repo directory.
|
||
Symlinks point to the repo's actual path, so renaming or moving the repo requires re-running `bash link.sh`.
|
||
|
||
The install script handles: git, Node.js 22, Rust/Cargo, Python 3, RTK, GStack (submodule), GSD,
|
||
and all marketplace plugins on Linux (apt/dnf/pacman) and macOS (brew).
|
||
|
||
RTK and GSD versions are pinned in `plugins.lock.json`. The install script reads those
|
||
versions automatically. Marketplace plugins install to `~/.claude/plugins/` (user scope).
|
||
|
||
Install output is logged to `install-YYYYMMDD-HHMMSS.log` in the repo directory for post-mortem debugging.
|
||
|
||
---
|
||
|
||
## Available slash commands
|
||
|
||
### Custom skills (this repo)
|
||
|
||
| Command | Description |
|
||
|---|---|
|
||
| `/analyze` | Deep factual analysis of code before any modification |
|
||
| `/refactor` | Improve code quality without changing behavior (strict norms) |
|
||
| `/readme` | Full README audit — diff vs codebase, mandatory stop, surgical updates |
|
||
| `/plugin-check` | Check active plugins vs project needs — recommend enable/disable |
|
||
| `/init-project` | Initialize a complete project from scratch (full orchestrator) |
|
||
| `/ship-feature` | Ship a feature end-to-end with validation gates (full orchestrator) |
|
||
| `/health` | Run setup diagnostic — check symlinks, plugins, permissions, token budget |
|
||
|
||
### Superpowers skills (auto-invoked or explicit)
|
||
|
||
> **Required dependency.** Superpowers must be active for `/init-project` and `/ship-feature`.
|
||
> The plugin-advisor (STEP 0) blocks and shows install instructions if Superpowers is missing.
|
||
|
||
| Command | When it auto-activates |
|
||
|---|---|
|
||
| `/superpowers:brainstorm` | When you describe something to build |
|
||
| `/superpowers:write-plan` | After design is approved |
|
||
| `/superpowers:execute-plan` | With an approved plan |
|
||
| `systematic-debugging` | Auto — when debugging |
|
||
| `test-driven-development` | Auto — when implementing |
|
||
| `requesting-code-review` | Auto — after a feature step |
|
||
|
||
### GStack skills (Garry Tan — full-product projects only)
|
||
|
||
> Installed as a git submodule at `skills-external/gstack/`, symlinked to `~/.claude/skills/gstack/`.
|
||
> **Use when:** project has UI + design + deploy + browser QA. Skip for backend/lib/CLI projects.
|
||
|
||
| Command | Description |
|
||
|---|---|
|
||
| `/office-hours` | Discovery consultant — scope and challenge before code |
|
||
| `/plan-ceo-review` | CEO challenges product scope and feature value |
|
||
| `/plan-eng-review` | Staff engineer locks architecture decisions |
|
||
| `/design-consultation` | Build a design system from scratch |
|
||
| `/design-shotgun` | Generate multiple visual variants for comparison |
|
||
| `/design-html` | Turn approved mockup into production HTML |
|
||
| `/review` | Code review (GStack version) |
|
||
| `/ship` | One-command: test → build → deploy |
|
||
| `/qa` | QA with real Chrome browser automation |
|
||
| `/browse` | Headless Chrome web navigation |
|
||
| `/careful` | Activate safety guardrails |
|
||
| `/freeze` | Lock edits to current directory |
|
||
| `/retro` | Engineering retrospective |
|
||
| `/gstack-upgrade` | Self-update GStack |
|
||
|
||
### GSD skills (glittercowboy — multi-session large features)
|
||
|
||
> Install: `npx get-shit-done-cc --claude --global`
|
||
> **Use when:** feature spans multiple days/sessions. Each session starts fresh with full context from previous phases.
|
||
|
||
| Command | Description |
|
||
|---|---|
|
||
| `/gsd:discuss-phase` | Refine spec for a phase through conversation |
|
||
| `/gsd:plan-phase` | Generate hierarchical phase plan |
|
||
| `/gsd:execute-phase` | Execute phase in an isolated context window |
|
||
| `/gsd:ship` | Create PR from verified work |
|
||
| `/gsd:next` | Auto-advance to the next phase |
|
||
|
||
### Other plugin commands
|
||
|
||
| Command | Plugin | Description |
|
||
|---|---|---|
|
||
| `/pr-review-toolkit:review-pr` | pr-review-toolkit | Multi-agent PR review (6 specialized agents) |
|
||
| `/context7:docs <lib>` | context7 | Manual doc lookup for a specific library |
|
||
|
||
---
|
||
|
||
## Orchestrators in detail
|
||
|
||
### `/init-project`
|
||
|
||
Same rigor as `/ship-feature`. Two validation gates. Full TDD subagent pipeline for v1 features.
|
||
The Scaffolder only creates the skeleton (no features, no README).
|
||
readme-updater handles the README in two passes: CREATE then SYNC.
|
||
|
||
STEP 0 blocks if Superpowers is not installed (required for steps 3, 6, 8, 10, 11).
|
||
|
||
```
|
||
/init-project <project idea>
|
||
│
|
||
├── STEP 0: PLUGIN CHECK (plugin-advisor) ← blocks if Superpowers missing or wrong plugins
|
||
├── STEP 1: INTERVIEWER (custom) → PROJECT BRIEF
|
||
├── STEP 2: ANALYZER (custom) → ANALYSIS REPORT
|
||
├── STEP 3: superpowers:brainstorming → VALIDATED DESIGN
|
||
├── STEP 4: VALIDATION GATE #1 → approve architecture
|
||
├── STEP 5: SCAFFOLDER (custom) → skeleton only (CLAUDE.md +
|
||
│ settings + structure +
|
||
│ empty entry points, NO features,
|
||
│ NO README)
|
||
├── STEP 5b: README-UPDATER create mode (custom) → CREATE README from CLAUDE.md
|
||
├── STEP 6: superpowers:writing-plans → decompose v1 features into tasks
|
||
├── STEP 7: VALIDATION GATE #2 → approve task plan
|
||
├── STEP 8: superpowers:subagent-driven (TDD) → implement each feature (isolated)
|
||
├── STEP 9: ANALYZER (custom) → regression + deviation check
|
||
├── STEP 10: superpowers:requesting-review → full code review
|
||
├── STEP 11: superpowers:finishing-branch → cleanup + build + tests
|
||
└── STEP 12: README-UPDATER sync mode (custom) → sync README with implementation
|
||
```
|
||
|
||
### `/ship-feature`
|
||
|
||
STEP 0 blocks if Superpowers is not installed (required for steps 1, 2, 4, 6, 7).
|
||
|
||
```
|
||
/ship-feature <feature description>
|
||
│
|
||
├── STEP 0: PLUGIN CHECK (plugin-advisor) ← blocks if Superpowers missing or wrong plugins
|
||
├── STEP 1: superpowers:brainstorming → VALIDATED DESIGN
|
||
├── STEP 2: superpowers:writing-plans → task plan
|
||
├── STEP 3: VALIDATION GATE → user approval required
|
||
├── STEP 4: superpowers:subagent-driven → implementation (TDD)
|
||
├── STEP 5: ANALYZER (custom) → regression / deviation check
|
||
├── STEP 6: superpowers:requesting-review → code review
|
||
├── STEP 7: superpowers:finishing-branch → cleanup
|
||
└── STEP 8: README-UPDATER sync mode → sync README with new feature
|
||
```
|
||
|
||
### `/plugin-check`
|
||
|
||
Standalone command you can run at any time to audit your plugin config
|
||
against what you're about to do. Also embedded as STEP 0 in both orchestrators.
|
||
|
||
Blocks if Superpowers is not active (required by orchestrators).
|
||
Blocks if critical project-specific plugins are missing (frontend tools, Context7, GStack).
|
||
|
||
```
|
||
/plugin-check "I want to build a React + FastAPI SaaS"
|
||
|
||
→ Detects active plugins
|
||
→ Analyzes signals: frontend? design? QA? multi-session? fast-evolving libs?
|
||
→ Produces recommendation table
|
||
→ Blocks with OPTIONS if critical plugins are missing (including Superpowers)
|
||
→ Or confirms "proceed" if config is optimal
|
||
```
|
||
|
||
---
|
||
|
||
## Plugins reference
|
||
|
||
All plugins below are installed by `install-plugins.sh`.
|
||
|
||
### Quick reference
|
||
|
||
The mechanism: Claude Code loads every active skill's **description** into a shared context budget
|
||
at session start (default 8000 chars). Even if you never invoke the skill, its description
|
||
is already consuming tokens. **Disabling a plugin prevents its descriptions from loading entirely.**
|
||
|
||
A `hooks/session-start.sh` hook shows the current toggle status at the start of every session.
|
||
Run `/plugin-check` anytime to get a full recommendation for the current project type.
|
||
|
||
| Plugin | Status | Passive cost | When to toggle ON | Installed by |
|
||
|---|---|---|---|---|
|
||
| **security-guidance** | ✅ ALWAYS ON | 0 tokens (hook only) | — | marketplace |
|
||
| **RTK** | ✅ ALWAYS ON | 0 tokens (hook only) | — | cargo (pinned in plugins.lock.json) |
|
||
| **Superpowers** | ✅ REQUIRED | ~600–1000 tokens | — required by orchestrators, auto-detected | marketplace |
|
||
| **skill-creator** | ✅ ALWAYS ON | ~100 tokens | — | marketplace |
|
||
| **pr-review-toolkit** | ✅ ALWAYS ON | ~300 tokens | — use `/pr-review-toolkit:review-pr` | marketplace |
|
||
| **GStack** | 🔄 TOGGLE | ~2500–3000 tokens | Full-product: UI + design + deploy + browser QA | git submodule |
|
||
| **GSD** | 🔄 TOGGLE | ~500–800 tokens | Feature spanning multiple days/sessions | npx (pinned in plugins.lock.json) |
|
||
| **frontend-design** | 🔄 TOGGLE | ~200 tokens | Any project with a UI | marketplace |
|
||
| **ui-ux-pro-max** | 🔄 TOGGLE | ~400 tokens | Design system, color/typography choices | marketplace |
|
||
| **Context7 MCP** | 🔄 TOGGLE | ~200 tokens | Fast-evolving libs (Next.js, React, Prisma…) | MCP manual |
|
||
|
||
**Rule:** toggle plugins are OFF by default. `/plugin-check` signals when to enable them.
|
||
If you use `/init-project` or `/ship-feature`, plugin-check runs automatically as STEP 0
|
||
and **blocks if Superpowers is not active**.
|
||
|
||
### Version pinning
|
||
|
||
RTK and GSD versions are pinned in `plugins.lock.json`:
|
||
|
||
```json
|
||
{
|
||
"rtk": { "version": "v0.34.3" },
|
||
"gsd": { "version": "1.30.0" }
|
||
}
|
||
```
|
||
|
||
`install-plugins.sh` reads these versions automatically.
|
||
To update a pinned version: edit `plugins.lock.json`, then re-run `install-plugins.sh`.
|
||
GStack is pinned via its git submodule pointer.
|
||
|
||
### Disabling a plugin for a specific project
|
||
|
||
```bash
|
||
# In Claude Code
|
||
/plugin
|
||
# → Find the plugin → toggle off for this scope
|
||
```
|
||
|
||
Or in the project's `.claude/settings.json`:
|
||
```json
|
||
{
|
||
"enabledPlugins": {
|
||
"gstack@gstack": false,
|
||
"gsd@gsd": false
|
||
}
|
||
}
|
||
```
|
||
|
||
### Enabling a plugin for a specific project (so teammates can install it)
|
||
|
||
```json
|
||
{
|
||
"enabledPlugins": {
|
||
"ui-ux-pro-max@ui-ux-pro-max-skill": true
|
||
},
|
||
"extraKnownMarketplaces": {
|
||
"ui-ux-pro-max-skill": {
|
||
"source": {
|
||
"source": "github",
|
||
"repo": "nextlevelbuilder/ui-ux-pro-max-skill"
|
||
}
|
||
}
|
||
}
|
||
}
|
||
```
|
||
|
||
---
|
||
|
||
## Settings and permissions
|
||
|
||
### File hierarchy
|
||
|
||
```
|
||
Highest
|
||
managed-settings.json — enterprise, cannot be overridden
|
||
CLI flags — --allowedTools / --disallowedTools (session only)
|
||
.claude/settings.local.json — personal machine overrides (gitignored)
|
||
.claude/settings.json — project rules (committed to project repo)
|
||
~/.claude/settings.json — global user rules (this repo's settings.json)
|
||
Lowest
|
||
|
||
DENY always wins over ALLOW at any level.
|
||
.claudeignore applies independently of all permission rules.
|
||
```
|
||
|
||
### Global settings (this repo's `settings.json`)
|
||
|
||
77 deny rules, 16 ask rules, 57 allow rules.
|
||
|
||
| Section | Purpose |
|
||
|---|---|
|
||
| `deny` — secrets (Read) | Blocks `Read` on `.env`, `.pem`, `.key`, SSH keys, cloud credentials |
|
||
| `deny` — secrets (Bash) | Blocks `cat`, `head`, `tail`, `grep`, `less`, `more` on `.env` and secret files |
|
||
| `deny` — destructive | Blocks `rm -rf`, `git push --force`, `chmod 777` |
|
||
| `deny` — system | Blocks `sudo`, `ssh`, `scp`, `crontab`, `systemctl` |
|
||
| `deny` — injection | Blocks `curl \| bash`, `wget \| sh` |
|
||
| `deny` — escalation | Blocks `bash -c`, `eval`, `exec`, `find -delete`, `perl -e`, `ruby -e` |
|
||
| `ask` — risky | Prompts before `git push`, `docker run`, package managers |
|
||
| `ask` — write tools | Prompts before `xargs`, `sed -i` (in-place file editing) |
|
||
| `allow` — safe reads | Auto-approves git read-only, `ls`, `cat`, `grep`, `find`, `sed` (stdout only) |
|
||
| `disableBypassPermissionsMode` | Prevents YOLO mode globally |
|
||
|
||
### Per-project setup
|
||
|
||
```bash
|
||
cd your-project
|
||
mkdir -p .claude
|
||
|
||
# Find the repo from any existing symlink
|
||
CONF="$(dirname "$(readlink ~/.claude/CLAUDE.md)")"
|
||
|
||
# Project settings (commit to project git)
|
||
cp "$CONF/templates/settings/settings.json" .claude/settings.json
|
||
|
||
# Personal overrides (never commit — gitignore it)
|
||
cp "$CONF/templates/settings/settings.local.json" .claude/settings.local.json
|
||
echo ".claude/settings.local.json" >> .gitignore
|
||
|
||
# Hard file exclusions (commit to project git)
|
||
cp "$CONF/templates/settings/.claudeignore" .claudeignore
|
||
|
||
# Project CLAUDE.md (commit to project git)
|
||
cp "$CONF/templates/project-CLAUDE.md" .claude/CLAUDE.md
|
||
```
|
||
|
||
---
|
||
|
||
## Updating
|
||
|
||
### One-command update (recommended)
|
||
|
||
```bash
|
||
# From the repo directory
|
||
bash update-all.sh
|
||
# Pulls config, updates GStack submodule, updates RTK (pinned version), refreshes symlinks, runs doctor
|
||
```
|
||
|
||
### Manual updates
|
||
|
||
#### This repo
|
||
```bash
|
||
# cd into the repo (wherever you cloned it)
|
||
git pull
|
||
# Symlinks → changes active immediately
|
||
```
|
||
|
||
#### GStack (submodule)
|
||
```bash
|
||
# Option A — inside Claude Code (recommended)
|
||
/gstack-upgrade
|
||
|
||
# Option B — via submodule (from the repo directory)
|
||
git submodule update --remote skills-external/gstack
|
||
cd skills-external/gstack && ./setup
|
||
git add skills-external/gstack
|
||
git commit -m "chore: update gstack to latest"
|
||
```
|
||
|
||
GStack is a git submodule. Its version is pinned in your config repo — reproducible on every machine.
|
||
|
||
#### RTK
|
||
```bash
|
||
# Uses the version pinned in plugins.lock.json (from the repo directory)
|
||
bash update-all.sh
|
||
|
||
# Or manually (check latest at https://github.com/rtk-ai/rtk/releases)
|
||
cargo install --git https://github.com/rtk-ai/rtk --tag v0.34.3 --force
|
||
```
|
||
|
||
#### Marketplace plugins
|
||
```bash
|
||
/plugin marketplace update # inside Claude Code
|
||
```
|
||
|
||
---
|
||
|
||
## Adding a new custom skill
|
||
|
||
1. Create `agents/myagent.md` — role, tasks, rules, output format
|
||
2. Create `skills/myskill/SKILL.md`:
|
||
|
||
```markdown
|
||
---
|
||
name: myskill
|
||
description: What this skill does — front-load the key use case (max 250 chars)
|
||
argument-hint: <what to pass>
|
||
disable-model-invocation: true
|
||
allowed-tools: Read, Write, Edit, Bash, Grep, Glob
|
||
---
|
||
|
||
Load and follow strictly:
|
||
- .claude/agents/myagent.md
|
||
|
||
Execute MYAGENT on:
|
||
|
||
$ARGUMENTS
|
||
```
|
||
|
||
3. Or use `/skill-creator` to generate a skill from conversation.
|
||
|
||
---
|
||
|
||
## Per-project agent overrides
|
||
|
||
Override any global agent for a specific project:
|
||
|
||
```bash
|
||
CONF="$(dirname "$(readlink ~/.claude/CLAUDE.md)")"
|
||
cp "$CONF/agents/refactorer.md" .claude/agents/refactorer.md
|
||
# Edit .claude/agents/refactorer.md — the local version takes precedence
|
||
```
|
||
|
||
---
|
||
|
||
## Maintenance
|
||
|
||
### Diagnostic
|
||
|
||
```bash
|
||
# Quick check from terminal (from the repo directory)
|
||
bash doctor.sh
|
||
|
||
# Or from within Claude Code
|
||
/health
|
||
|
||
# Unified commands via Makefile (from the repo directory)
|
||
make doctor # diagnostic
|
||
make update # pull + submodules + symlinks + doctor
|
||
make install # link.sh + install-plugins.sh
|
||
```
|
||
|
||
`doctor.sh` checks 7 axes: symlinks, GStack submodule, prerequisites (git, Node, Cargo, Python, Claude Code),
|
||
plugins (RTK, Superpowers, Context7), permissions, token budget estimate, and config consistency
|
||
(frontmatter coherence, CRLF detection).
|
||
|
||
`session-start.sh` runs a quick health check at every session start (filesystem only, no subprocesses)
|
||
and displays toggle plugin status with `/plugin-check` and `/health` hints.
|
||
|
||
Both scripts source `lib/detect-plugins.sh` for consistent plugin detection logic.
|
||
|
||
### Updating
|
||
|
||
```bash
|
||
# One-command update (from the repo directory)
|
||
bash update-all.sh
|
||
|
||
# Or step by step
|
||
git pull # this repo
|
||
git submodule update --remote skills-external/gstack # GStack
|
||
bash link.sh # refresh symlinks
|
||
bash doctor.sh # verify
|
||
```
|
||
|
||
---
|
||
|
||
## Troubleshooting
|
||
|
||
### "command not found" after install
|
||
Restart your shell or run `source ~/.bashrc` / `source ~/.zshrc`.
|
||
|
||
### Orchestrator blocks at STEP 0 — Superpowers missing
|
||
The plugin-advisor blocks `/init-project` and `/ship-feature` if Superpowers is not active.
|
||
Install: `claude plugin marketplace add obra/superpowers-marketplace && claude plugin install --scope user superpowers@superpowers-marketplace`
|
||
Then re-run the orchestrator.
|
||
|
||
### "agent not found" or hallucinated agent content
|
||
Symlinks are broken. `cd` into your config repo and run `bash link.sh`, then verify with `bash doctor.sh`.
|
||
|
||
### GStack skills not showing up
|
||
Run `bash link.sh` and verify: `ls -la ~/.claude/skills/gstack`.
|
||
If missing: `cd` into your config repo and run `git submodule update --init`.
|
||
|
||
### link.sh warns "is a real directory"
|
||
If `~/.claude/agents/`, `~/.claude/skills/`, or `~/.claude/lib/` exist as real directories (not symlinks
|
||
from a previous `link.sh` run), the script skips them to avoid data loss. Rename or remove the directory, then re-run `link.sh`.
|
||
|
||
### Token budget exceeded / skills truncated at session start
|
||
Too many plugins active. Run `/plugin-check` to optimize.
|
||
Run `bash doctor.sh` for a token budget estimate.
|
||
|
||
### settings.json not applying
|
||
Check precedence: deny always wins over allow at any level. `.claudeignore` overrides all permission rules.
|
||
Verify deny count: `cat ~/.claude/settings.json | python3 -c "import json,sys; print(len(json.load(sys.stdin)['permissions']['deny']))"`
|
||
Expected: 77 deny rules.
|
||
|
||
### Claude reads .env despite deny rules
|
||
The `Read(**/.env)` deny rule blocks the Read tool. `Bash(cat .env)` and similar commands have separate
|
||
deny rules (included in this config). For hard exclusion regardless of tool, use `.claudeignore` in the project root.
|
||
|
||
### install-plugins.sh failed — where are the logs?
|
||
Check `install-YYYYMMDD-HHMMSS.log` in your config repo directory — the script logs all output to a timestamped file.
|
||
|
||
---
|
||
|
||
## Known limitations
|
||
|
||
- **Deny rules are pattern-based, not sandboxed.** Common bypass vectors (`bash -c`, `eval`, `xargs`, `cat .env`) are blocked, but novel indirect patterns are still possible. `.claudeignore` is the only hard file exclusion mechanism.
|
||
- **Superpowers is a hard dependency** for `/init-project` and `/ship-feature`. The plugin-advisor (STEP 0) auto-detects and blocks if Superpowers is missing, with install instructions. There is no manual fallback mode.
|
||
- **Marketplace plugin versions are not pinned.** They install latest. Non-marketplace tools (RTK, GSD) are pinned in `plugins.lock.json` and read by `install-plugins.sh`.
|
||
- **Token budget is finite and not directly observable.** With all toggle plugins active, the description budget can exceed 60%. Run `/health` or `bash doctor.sh` for an estimate.
|
||
- **Agent frontmatter fields** like `model` and `memory` are declared but their enforcement by Claude Code is not guaranteed. They serve as documentation more than strict runtime controls.
|
||
- **`Bash(cat *)` in allow vs `Bash(cat .env)` in deny** depends on Claude Code resolving deny-wins. This is the expected behavior but cannot be tested outside the runtime.
|