Add Claude Code tool permissions and feedback loop instructions#25237
--- Generated with the help of Claude Code, https://code.claude.com Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| App Name | Jetpack |
| --- | --- |
| Configuration | Release-Alpha |
| Build Number | 30872 |
| Version | PR #25237 |
| Bundle ID | com.jetpack.alpha |
| Commit | 69cefa8 |
| Installation URL | 4jh2ra0mg42fg |

| App Name | WordPress |
| --- | --- |
| Configuration | Release-Alpha |
| Build Number | 30872 |
| Version | PR #25237 |
| Bundle ID | org.wordpress.alpha |
| Commit | 69cefa8 |
| Installation URL | 5gvapgh1fm8b8 |
🤖 Build Failure Analysis: This build has failures. Claude has analyzed them; check the build annotations for details.
| "Bash(rake *)", | ||
| "Bash(xcodebuild *)", | ||
| "Bash(xcrun simctl *)", | ||
| "Bash(bundle exec *)", |
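Review bot: `Bash(rake *)` and `Bash(bundle exec *)` in this allow list permit any rake task and any executable shipped by any gem in the bundle to run without a prompt, which is far wider than the lint, build, test and package-resolution commands the PR summary describes. Consider listing the specific invocations instead (for example `"Bash(bundle exec fastlane test)"` and `"Bash(bundle exec rake lint)"`), or keeping the Ruby-related entries out of the team-level file so each machine or agent environment decides its own allow list.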
This essentially grants permission to run any Ruby script, which we probably don't want.
See my thoughts in https://github.com/Automattic/pocket-casts-ios/pull/3934/changes#r2791005452.
I see your point though, maybe there's a middle ground between this and being prompted constantly?
What about bundle exec fastlane *?
> What about bundle exec fastlane *?
Note that even bundle exec fastlane allows running arbitrary fastlane actions—including the ones not exposed as a lane in our Fastfile—via bundle exec fastlane run …
(For example, there may even be a way for the agent to run bundle exec fastlane run sh … to run arbitrary shell commands.)
So even that might be too permissive?
> maybe there's a middle ground between this and being prompted constantly?
I don't see any issue in being prompted constantly, actually. You get many choices locally: allow it once, allow it within the session, allow it on your computer (if you want to live dangerously 😄).
Is fastlane needed for the feedback loop?
If it's for background agents, can they have a separate set of permissions appropriate for the machine they are running on? For my personal machine, I'd like it to err on the safer side.
Just a followup to thank you all for the input.
It's clear to me that I went too wide with the permissions...
In thinking about it, I began considering adding a fine-grained list of permissions (bundle exec fastlane test, bundle exec rake lint, etc.); however, maintaining such a list could quickly become tedious.
You might have noticed I closed the PR already. My current thinking (for what it's worth, given I'm just learning as I go) is along the lines of @kean: it might be simpler to manage permissions on the background agent end.
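To make the difference between the wildcard entries in the diff and the per-task list floated in the follow-up concrete, here is a small added audit script (not part of this PR or of Claude Code). It models the allow-list rules as simple word-prefix matches: the matching rule is an assumption made for this example, not Claude Code's own matcher, so check real behaviour against the tool's documentation. The sample commands are constructed for the comparison.

```python
"""Compare a broad Claude Code-style Bash allow list with a narrower one.

Assumed matching rule (an assumption for this example, not Claude Code's code):
  "Bash(x y *)"  allows any command whose leading words are exactly "x y"
  "Bash(x y)"    allows exactly the command "x y"
Compound shell commands (&&, ;, pipes) are not modelled here.
"""
import re
import shlex

# Allow list as proposed in the PR diff (broad wildcard entries).
BROAD_ALLOW = [
    "Bash(rake *)",
    "Bash(xcodebuild *)",
    "Bash(xcrun simctl *)",
    "Bash(bundle exec *)",
]

# Narrower per-task list along the lines suggested in the follow-up comment.
NARROW_ALLOW = [
    "Bash(bundle exec fastlane test)",
    "Bash(bundle exec rake lint)",
    "Bash(xcodebuild *)",
    "Bash(xcrun simctl *)",
]

# Bash(<words>) with an optional trailing " *" wildcard.
_RULE = re.compile(r"^Bash\((.+?)( \*)?\)$")


def rule_matches(rule: str, command: str) -> bool:
    """Return True if a single allow-list rule permits `command`."""
    m = _RULE.match(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    prefix_words = m.group(1).split()
    wildcard = m.group(2) is not None
    words = shlex.split(command)
    if wildcard:
        return words[: len(prefix_words)] == prefix_words
    return words == prefix_words


def allowed(allow_list, command: str) -> bool:
    """True if any rule in the list lets `command` run without a prompt."""
    return any(rule_matches(rule, command) for rule in allow_list)


def audit(allow_list, commands):
    """Map each command to whether the allow list waves it through."""
    return {c: allowed(allow_list, c) for c in commands}


# Constructed sample commands: the everyday ones the PR wants unprompted,
# plus two that only the broad list permits (the fastlane `run` action
# dispatcher discussed in the thread, and a plain Ruby invocation).
SAMPLE_COMMANDS = [
    "bundle exec fastlane test",
    "bundle exec rake lint",
    "xcrun simctl list devices",
    "bundle exec fastlane run sh",
    "bundle exec ruby -e 'puts 1'",
]


def compare(commands=SAMPLE_COMMANDS):
    """Commands the broad list allows but the narrow list would prompt on."""
    broad = audit(BROAD_ALLOW, commands)
    narrow = audit(NARROW_ALLOW, commands)
    return [c for c in commands if broad[c] and not narrow[c]]


if __name__ == "__main__":
    for c in SAMPLE_COMMANDS:
        print(f"{c!r}: broad={allowed(BROAD_ALLOW, c)} "
              f"narrow={allowed(NARROW_ALLOW, c)}")
    print("only the broad list allows:", compare())
```

Running it lists the two constructed commands that the wildcard entries admit but the per-task list does not, which is the gap the review comments describe; the same function can be pointed at a project's real settings file to see what a proposed allow list actually covers.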
Closing in favor of a smaller PR that only adds
Summary
Adds `rake`, `xcodebuild`, `xcrun simctl`, `bundle exec`, and `swift package` to the Claude Code team-level allow list so agents can lint, build, test, and resolve packages without manual approval.
Context: https://linear.app/a8c/issue/AINFRA-1965/add-first-round-of-permissions-allow-lists-to-apple-projects
Test Plan