--- name: claude-config audit-settings description: Audit settings.local.json for permission optimization opportunities --- # /claude-config audit-settings Audit Claude Code `settings.local.json` permissions with 100-point scoring across redundancy, coverage, safety alignment, and profile fit. ## Skills to Load Before executing, load: - `skills/visual-header.md` - `skills/settings-optimization.md` ## Visual Output ``` +-----------------------------------------------------------------+ | CONFIG-MAINTAINER - Settings Audit | +-----------------------------------------------------------------+ ``` ## Usage ``` /claude-config audit-settings # Full audit with recommendations /claude-config audit-settings --diagram # Include Mermaid diagram of review layer coverage ``` ## Workflow ### Step 1: Locate Settings Files Search in order: 1. `.claude/settings.local.json` (primary target) 2. `.claude/settings.json` (shared config) 3. `~/.claude.json` project entry (legacy) Report which format is in use. ### Step 2: Parse Permission Arrays Extract and analyze: - `permissions.allow` array - `permissions.deny` array - `permissions.ask` array (if present) - Legacy `allowedTools` array (if legacy format) ### Step 3: Run Pattern Consolidation Analysis Using `settings-optimization.md` Section 3, detect: | Check | Description | |-------|-------------| | Duplicates | Exact same pattern appearing multiple times | | Subsets | Narrower patterns covered by broader ones | | Merge candidates | 4+ similar patterns that could be consolidated | | Overly broad | Unscoped tool permissions (e.g., `Bash` without pattern) | | Stale entries | Patterns referencing non-existent paths | | Conflicts | Same pattern in both allow and deny | ### Step 4: Detect Active Marketplace Hooks Read `plugins/*/hooks/hooks.json` files (post-Decision #29 — only PreToolUse safety hooks and UserPromptSubmit quality hooks exist): ```bash # Check each plugin's hooks (exhaustive post-v8.1.0 inventory) plugins/code-sentinel/hooks/hooks.json # PreToolUse: Write|Edit|MultiEdit → security-check.sh plugins/git-flow/hooks/hooks.json # PreToolUse: Bash → branch-check.sh, commit-msg-check.sh plugins/cmdb-assistant/hooks/hooks.json # PreToolUse: MCP create/update → validate-input.sh plugins/clarity-assist/hooks/hooks.json # UserPromptSubmit → vagueness-check.sh ``` Parse each to identify: - Hook event type (PreToolUse or UserPromptSubmit only — no other types should exist) - Tool matchers (Write, Edit, MultiEdit, Bash, MCP patterns) - Whether hook is command type (must be — prompt type is forbidden) ### Step 5: Map Review Layers to Directory Scopes For each directory scope in `settings-optimization.md` Section 4: 1. Count how many review layers are verified active 2. Determine if auto-allow is justified (≥2 layers required) 3. Note any scopes that lack coverage ### Step 6: Compare Against Recommended Profile Based on review layer count: - 0-1 layers: Recommend `conservative` profile - 2+ layers: Recommend `reviewed` profile - CI/sandboxed: May recommend `autonomous` profile Calculate profile fit percentage. ### Step 7: Generate Scored Report Calculate scores using `settings-optimization.md` Section 6. ## Output Format ``` Settings Efficiency Score: XX/100 Redundancy: XX/25 Coverage: XX/25 Safety Alignment: XX/25 Profile Fit: XX/25 Current Profile: [closest match or "custom"] Recommended Profile: [target based on review layers] Issues Found: 🔴 CRITICAL: [description] 🟠 HIGH: [description] 🟡 MEDIUM: [description] 🔵 LOW: [description] Active Review Layers Detected: ✓ code-sentinel (PreToolUse: Write|Edit|MultiEdit) ✓ git-flow (PreToolUse: Bash — branch naming + commit format) ✓ cmdb-assistant (PreToolUse: MCP create/update) ✓ clarity-assist (UserPromptSubmit: vagueness detection) Recommendations: 1. [specific action with pattern] 2. [specific action with pattern] ... Follow-Up Actions: 1. Run /claude-config optimize-settings to apply recommendations 2. Run /claude-config optimize-settings --dry-run to preview first 3. Run /claude-config optimize-settings --profile=reviewed to apply profile ``` ## Diagram Output (--diagram flag) When `--diagram` is specified, generate a Mermaid flowchart showing: **Before generating:** Read `/mnt/skills/user/mermaid-diagrams/SKILL.md` for diagram requirements. **Diagram structure:** - Left column: File operation types (Write, Edit, Bash) - Middle: Review layers that intercept each operation - Right column: Current permission status (auto-allowed, prompted, denied) **Color coding:** - PreToolUse hooks: Blue - UserPromptSubmit hooks: Green - Sprint Approval: Amber - PR Review: Purple Example structure: ```mermaid flowchart LR subgraph Operations W[Write] E[Edit] B[Bash] end subgraph Review Layers CS[code-sentinel] GF[git-flow] PR[pr-review] end subgraph Permission A[Auto-allowed] P[Prompted] D[Denied] end W --> CS E --> CS B --> GF CS --> A GF --> A B --> P classDef preHook fill:#e3f2fd classDef userPrompt fill:#e8f5e9 classDef prReview fill:#f3e5f5 class CS preHook class GF preHook class PR prReview ``` ## Issue Severity Levels | Severity | Icon | Examples | |----------|------|----------| | CRITICAL | 🔴 | Unscoped `Bash` in allow, missing deny for secrets | | HIGH | 🟠 | Overly broad patterns, missing MCP coverage | | MEDIUM | 🟡 | Subset redundancy, merge candidates | | LOW | 🔵 | Exact duplicates, minor optimizations | ## DO NOT - Modify any files (this is audit only) - Recommend `autonomous` profile unless explicitly sandboxed environment - Recommend auto-allow for scopes with <2 verified review layers - Skip hook verification before making recommendations