
Restructure claude config into roles/ + stacks/#5

Merged
technicalpickles merged 10 commits into main from claudeconfig-stacks-refactor
Mar 26, 2026

Conversation

@technicalpickles
Owner

Summary

  • Restructures Claude Code config from flat permissions.*.json files into roles/ + stacks/ directories with co-located permissions and sandbox config
  • Rewrites claudeconfig.sh merge logic to load roles (base + active role) then stacks, concatenating permissions and sandbox arrays separately (not deep-merging, which would replace arrays)
  • Captures all sandbox config (network hosts, filesystem write paths) from live settings into version-controlled source files for the first time
  • New stacks: buildkite.jsonc (CI host + bktide write path), docs.jsonc (karafka.io, lima-vm.io)
  • New permission: Read(~/.claude/plugins/cache/**) for plugin progressive disclosure
  • Local keys changed from awsAuthRefresh, env to model, enabledPlugins, extraKnownMarketplaces (awsAuthRefresh and env now managed in roles/work.jsonc)

Verification

Verified output matches pre-refactor snapshot:

  • allow: 434 (was 433, +1 for new Read permission)
  • ask: 25 (unchanged)
  • deny: 25 (unchanged)
  • network hosts: 15 (was 0, newly explicit in user settings)
  • filesystem write paths: 64 (unchanged, just sorted)

Test plan

  • Run DOTPICKLES_ROLE=work ./claudeconfig.sh and verify no errors
  • Start a new Claude Code session and confirm sandbox config is active
  • Verify jq '.sandbox.network.allowedHosts | length' ~/.claude/settings.json returns 15
  • Verify jq '.permissions.allow | length' ~/.claude/settings.json returns 434

🤖 Generated with Claude Code
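The merge rule the description relies on (load roles/base then the active role, then the stacks, and concatenate each permissions and sandbox array instead of deep-merging) is easy to get subtly wrong, and the failure is silent: a replacing deep-merge keeps whichever file listed an array last and drops every earlier allow, deny or host entry. The Python below is an added illustration written for this page, not the repository's claudeconfig.sh, and it assumes a minimal JSONC reader, the key name `allowWrite` for the sandbox filesystem write list (the PR only says "filesystem write paths"), and constructed sample files using `.invalid` hostnames and placeholder paths; `karafka.io` and `lima-vm.io` are the hosts the PR names for docs.jsonc. Scalars (`enableWeakerNetworkIsolation`, `allowAllUnixSockets`, `env`) are taken from roles only, as the description says, and `dropped_by_naive_merge` shows what a replacing merge would have lost.

```python
import json
from copy import deepcopy
from functools import reduce

# Array-valued paths that are concatenated across every source file. "allowWrite"
# is an assumed key name: the PR only says "filesystem write paths".
ARRAY_PATHS = (("permissions", "allow"), ("permissions", "ask"), ("permissions", "deny"),
               ("sandbox", "network", "allowedHosts"), ("sandbox", "filesystem", "allowWrite"))

def strip_jsonc(text):
    """Remove // and /* */ comments that sit outside JSON string literals."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):           # line comment: skip to the newline
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1
        elif text.startswith("/*", i):           # block comment: skip past "*/"
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        else:
            out.append(c)
        i += 1
    return "".join(out)

def load_jsonc(text):
    return json.loads(strip_jsonc(text))

def get_path(d, path):
    """Return the value at a nested key path, or None if any step is missing."""
    for k in path:
        if not isinstance(d, dict) or k not in d:
            return None
        d = d[k]
    return d

def set_path(d, path, value):
    for k in path[:-1]:
        d = d.setdefault(k, {})
    d[path[-1]] = value

def deep_merge_replacing(a, b):
    """Naive deep merge: objects recurse, but arrays and scalars are overwritten."""
    out = deepcopy(a)
    for k, v in b.items():
        nested = isinstance(v, dict) and isinstance(out.get(k), dict)
        out[k] = deep_merge_replacing(out[k], v) if nested else deepcopy(v)
    return out

def merge_config(roles, stacks):
    """Roles (base, then the active role) supply scalars; every file contributes arrays."""
    merged = reduce(deep_merge_replacing, roles, {})   # role arrays are rebuilt below
    for path in ARRAY_PATHS:
        items = {x for src in [*roles, *stacks] for x in (get_path(src, path) or [])}
        if items:
            set_path(merged, path, sorted(items))       # concatenate, dedupe, sort
    return merged

# Constructed sample inputs, not the repository's real roles/ or stacks/ files.
BASE = """{ // stand-in for roles/base.jsonc
  "permissions": { "allow": ["Read(~/.claude/plugins/cache/**)", "Bash(git status:*)"],
                   "deny": ["Bash(rm -rf:*)"] },
  "sandbox": { "enableWeakerNetworkIsolation": true, /* scalar: roles only */
               "network": { "allowedHosts": ["base.example.invalid"] } } }"""
WORK = """{ "permissions": { "allow": ["Bash(git status:*)", "Bash(aws sts get-caller-identity:*)"],
                     "ask": ["Bash(git push:*)"] },
  "env": { "ANTHROPIC_MODEL": "constructed-model-name" },
  "sandbox": { "allowAllUnixSockets": true, "network": { "allowedHosts": ["sso.example.invalid"] } } }"""
BUILDKITE = """{ "permissions": { "allow": ["WebFetch(domain:ci.example.invalid)"] },
  "sandbox": { "network": { "allowedHosts": ["ci.example.invalid"] },
               "filesystem": { "allowWrite": ["~/path/to/bktide"] } } }"""
DOCS = """{ "sandbox": { "network": { "allowedHosts": ["karafka.io", "lima-vm.io"] } } }"""
ROLES = [load_jsonc(BASE), load_jsonc(WORK)]
STACKS = [load_jsonc(BUILDKITE), load_jsonc(DOCS)]

def dropped_by_naive_merge(path):
    """Entries at `path` that concatenation keeps but a replacing deep-merge silently loses."""
    kept = set(get_path(merge_config(ROLES, STACKS), path) or [])
    naive = set(get_path(reduce(deep_merge_replacing, ROLES + STACKS, {}), path) or [])
    return sorted(kept - naive)

if __name__ == "__main__":
    print(json.dumps(merge_config(ROLES, STACKS), indent=2))
    for path in ARRAY_PATHS:
        print(".".join(path), "lost by deep-merge:", dropped_by_naive_merge(path))
```

With these inputs the replacing merge keeps only the last file's `permissions.allow` and `allowedHosts`, losing the base role's plugin-cache read and the work role's entries; the deny list happens to survive only because no later file mentions it, which is exactly the kind of order-dependent behaviour the concatenating merge avoids. The same count checks the PR lists in its test plan (`jq '.permissions.allow | length'`, `jq '.sandbox.network.allowedHosts | length'`) are the right way to catch a regression here.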

technicalpickles and others added 10 commits March 26, 2026 10:07

Merges settings.*.json + permissions.{json,personal,work}.json into
roles/base.jsonc, roles/personal.jsonc, roles/work.jsonc.

Adds sandbox scalars and base network hosts (source: agent-safehouse).
Adds Read(~/.claude/plugins/cache/**) to base allow list.
Captures allowAllUnixSockets from live settings (drift from spec).
Uses live env values for work role (model names updated since source).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migrates permissions.beans.json, permissions.mcp.json, and
permissions.skills.json into stacks/*.jsonc with nested permissions
schema. No sandbox config for these stacks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Migrates permissions.*.json into stacks/*.jsonc with new schema.
Adds sandbox config (network hosts, filesystem write paths) from
agent-safehouse. Creates new stacks: buildkite.jsonc, docs.jsonc.
Distributes web.json WebFetch permissions to their topic stacks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replaces flat permissions.*.json merging with roles/ + stacks/ system.
Merges permissions arrays AND sandbox arrays (network hosts, filesystem
write paths) from all source files. Sandbox scalars come from roles only.

Local keys: model, enabledPlugins, extraKnownMarketplaces (was:
awsAuthRefresh, env). awsAuthRefresh and env are now managed in
roles/work.jsonc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These are replaced by claude/roles/ and claude/stacks/ directories.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewrites documentation to cover the new roles/ + stacks/ architecture,
schema, merge logic, and updated common tasks.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Spec redesigns claude/ config from flat permissions.*.json files into
roles/ + stacks/ directories with co-located permissions and sandbox
config. Implementation plan covers file creation, claudeconfig.sh
rewrite, verification, and cleanup.

Also preserves model and sandbox in claudeconfig.sh local_keys as a
stopgap until the refactor lands.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Plugin cache read access is skill/plugin-related, not a base safety
rule. Better home in stacks/skills.jsonc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Document why enableWeakerNetworkIsolation and allowAllUnixSockets
are enabled, so future readers understand the tradeoffs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@technicalpickles technicalpickles merged commit 4bbf288 into main Mar 26, 2026
1 check failed