leo-claude-mktplace/plugins/claude-config-maintainer/commands/config-optimize-settings.md
lmiranda 3012a7af68 feat(claude-config-maintainer): add settings.local.json audit feature v1.2.0
Add 3 new commands for auditing and optimizing Claude Code permission
configurations, leveraging the marketplace's multi-layer review architecture.

New commands:
- /config-audit-settings - 100-point scoring across redundancy, coverage,
  safety alignment, and profile fit
- /config-optimize-settings - apply optimizations with dry-run, named
  profiles (conservative, reviewed, autonomous), consolidation modes
- /config-permissions-map - Mermaid diagram of review layer coverage

New skill:
- settings-optimization.md - 7 sections covering file formats, syntax
  reference, consolidation rules, review-layer-aware recommendations,
  named profiles, scoring criteria, and hook detection

Updated agent maintainer.md with new "Audit Settings Files" responsibility.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 15:54:15 -05:00

name: config-optimize-settings
description: Optimize settings.local.json permissions based on audit recommendations

/config-optimize-settings

Optimize Claude Code settings.local.json permission patterns and apply named profiles.

Skills to Load

Before executing, load:

  • skills/visual-header.md
  • skills/settings-optimization.md
  • skills/pre-change-protocol.md

Visual Output

+-----------------------------------------------------------------+
|  CONFIG-MAINTAINER - Settings Optimization                       |
+-----------------------------------------------------------------+

Usage

/config-optimize-settings                    # Apply audit recommendations
/config-optimize-settings --dry-run          # Preview only, no changes
/config-optimize-settings --profile=reviewed # Apply named profile
/config-optimize-settings --consolidate-only # Only merge/dedupe, no new rules

Options

Option              Description
--dry-run           Preview changes without applying
--profile=NAME      Apply named profile (conservative, reviewed, autonomous)
--consolidate-only  Only deduplicate and merge patterns, don't add new rules
--no-backup         Skip backup (not recommended)

Workflow

Step 1: Run Audit Analysis

Execute the same analysis as /config-audit-settings:

  1. Locate settings file
  2. Parse permission arrays
  3. Detect issues (duplicates, subsets, merge candidates, etc.)
  4. Verify active review layers
  5. Calculate current score

Step 2: Generate Optimization Plan

Based on audit results, create a change plan:

For --consolidate-only:

  • Remove exact duplicates
  • Remove subset patterns covered by broader patterns
  • Merge similar patterns (4+ threshold)
  • Remove stale patterns for non-existent paths
  • Remove conflicting allow entries that are already denied

For --profile=NAME:

  • Calculate diff between current permissions and target profile
  • Show additions and removals
  • Preserve any custom deny rules not in profile

For default (full optimization):

  • Apply all consolidation changes
  • Add recommended patterns based on verified review layers
  • Suggest profile alignment if appropriate

Step 3: Show Before/After Preview

MANDATORY: Always show preview before applying changes.

Current Settings:
  allow: [12 patterns]
  deny: [4 patterns]

Proposed Changes:

  REMOVE from allow (redundant):
    - Write(plugins/projman/*) [covered by Write(plugins/**)]
    - Write(plugins/git-flow/*) [covered by Write(plugins/**)]
    - Bash(git status) [covered by Bash(git *)]

  ADD to allow (recommended):
    + Bash(npm *) [2 review layers active]
    + Bash(pytest *) [2 review layers active]

  ADD to deny (security):
    + Bash(curl * | bash*) [missing safety rule]

After Optimization:
  allow: [10 patterns]
  deny: [5 patterns]

Score Impact: 67/100 → 85/100 (+18 points)

Step 4: Request User Approval

Ask for confirmation before proceeding:

Apply these changes to .claude/settings.local.json?
  [1] Yes, apply changes
  [2] No, cancel
  [3] Apply partial (select which changes)

Step 5: Create Backup

Before any write operation:

# Backup location
.claude/backups/settings.local.json.{YYYYMMDD-HHMMSS}

Create the .claude/backups/ directory if it doesn't exist.

Step 6: Apply Changes

Write the optimized settings.local.json file.

Step 7: Verify

Re-read the file and re-calculate the score to confirm improvement.

Optimization Complete!

Backup saved: .claude/backups/settings.local.json.20260202-143022

Settings Efficiency Score: 85/100 (+18 from 67)
  Redundancy:       25/25 (+8)
  Coverage:         22/25 (+5)
  Safety Alignment: 23/25 (+3)
  Profile Fit:      15/25 (+2)

Changes applied:
  - Removed 3 redundant patterns
  - Added 2 recommended patterns
  - Added 1 safety deny rule
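
The --consolidate-only rules from Step 2 (exact duplicates, subsets covered by a broader pattern, allow entries already denied) can be sketched as follows. This is an added example, not the plugin's own code: parse, covers and consolidation_plan are hypothetical names, and the matching model is an assumption (for file tools `*` stays within one path segment and `**` crosses `/`; for Bash `*` matches any text).

```python
import re

WILD = "\x00"  # placeholder for "whatever a wildcard in the narrower rule expands to"
def parse(rule):
    """Split 'Tool(specifier)' into (tool, specifier); bare 'Tool' gives (tool, None)."""
    m = re.fullmatch(r"(\w+)\((.*)\)", rule)
    return (m.group(1), m.group(2)) if m else (rule, None)

def covers(broad, narrow):
    """True if everything `narrow` matches is also matched by `broad` (assumed model)."""
    (b_tool, b_spec), (n_tool, n_spec) = parse(broad), parse(narrow)
    if b_tool != n_tool or (b_spec is not None and n_spec is None):
        return False
    if b_spec is None:  # unscoped rule covers every rule for that tool
        return True
    bash = b_tool == "Bash"
    # Make the narrow rule concrete: its '**' may span '/', its '*' may not.
    probe = n_spec.replace("**", WILD + "/" + WILD).replace("*", WILD)
    regex = "".join(
        ".*" if tok == "**" or (tok == "*" and bash)
        else "[^/]*" if tok == "*" else re.escape(tok)
        for tok in re.split(r"(\*\*|\*)", b_spec))
    return re.fullmatch(regex, probe, re.S) is not None

def consolidation_plan(settings):
    """Return (new_permissions, removals); deny rules are never modified."""
    perms = settings.get("permissions", {})
    allow, deny = perms.get("allow", []), list(perms.get("deny", []))
    kept, removals, seen = [], [], set()
    for rule in allow:
        if rule in seen:
            removals.append((rule, "exact duplicate"))
            continue
        seen.add(rule)
        denied = next((d for d in deny if covers(d, rule)), None)
        wider = next((a for a in allow if a != rule
                      and covers(a, rule) and not covers(rule, a)), None)
        if denied:
            removals.append((rule, f"already denied by {denied}"))
        elif wider:
            removals.append((rule, f"covered by {wider}"))
        else:
            kept.append(rule)
    return {"allow": kept, "deny": deny}, removals

SAMPLE_SETTINGS = {"permissions": {  # constructed sample, reusing patterns from the preview
    "allow": ["Write(plugins/**)", "Write(plugins/projman/*)", "Write(plugins/git-flow/*)",
              "Bash(git *)", "Bash(git status)", "Bash(git status)", "Read(.env.local)"],
    "deny": ["Read(.env*)", "Bash(sudo *)"]}}
```

The returned removals list carries the reason for each dropped entry, which is what the Step 3 preview needs; nothing is written to disk, so the same call serves --dry-run.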

Profile Application

When using --profile=NAME:

conservative

Switching to conservative profile...

This profile:
  - Allows: Read, Glob, Grep, LS, basic Bash commands
  - Allows: Write/Edit only for docs/
  - Denies: .env*, secrets/, rm -rf, sudo

All other Write/Edit operations will prompt for approval.

reviewed

Switching to reviewed profile...

Prerequisites verified:
  ✓ code-sentinel hook active (PreToolUse)
  ✓ doc-guardian hook active (PostToolUse)
  ✓ 2+ review layers detected

This profile:
  - Allows: All file operations (Edit, Write, MultiEdit)
  - Allows: Scoped Bash commands (git, npm, python, etc.)
  - Denies: .env*, secrets/, rm -rf, sudo, curl|bash

autonomous

⚠️  WARNING: Autonomous profile requested

This profile allows unscoped Bash execution.
Only use in fully sandboxed environments (CI, containers).

Confirm this is a sandboxed environment?
  [1] Yes, this is sandboxed - apply autonomous profile
  [2] No, cancel

Safety Rules

  1. ALWAYS backup before writing (unless --no-backup)
  2. NEVER remove deny rules without explicit confirmation
  3. NEVER add unscoped Bash to allow — always use scoped patterns
  4. Preview is MANDATORY before applying changes
  5. Verify review layers before recommending broad permissions

Output Format

Dry Run Output

+-----------------------------------------------------------------+
|  CONFIG-MAINTAINER - Settings Optimization                       |
+-----------------------------------------------------------------+

DRY RUN - No changes will be made

[... preview content ...]

To apply these changes, run:
  /config-optimize-settings

Applied Output

+-----------------------------------------------------------------+
|  CONFIG-MAINTAINER - Settings Optimization                       |
+-----------------------------------------------------------------+

Optimization Applied Successfully

Backup: .claude/backups/settings.local.json.20260202-143022

[... summary of changes ...]

Score: 67/100 → 85/100

DO NOT

  • Apply changes without showing preview
  • Remove deny rules silently
  • Add unscoped Bash permission
  • Skip backup without explicit --no-backup flag
  • Apply autonomous profile without sandbox confirmation
  • Recommend broad permissions without verifying review layers