add deny rules for curl pipe-to-shell and Write tool

akshithg · claude · akshithg · commit 7819e34ed18f · 2026-03-11T22:38:32.000-07:00
Add curl pipe-to-shell deny rules to match existing wget coverage.
curl is more common than wget and was missing from the deny list.

Add Write() deny rules for shell configs to match existing Edit()
rules. Edit and Write are separate tools with separate permission
checks — denying Edit(~/.bashrc) does not block Write(~/.bashrc).

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/settings.json b/settings.json
@@ -18,13 +18,20 @@
       "Bash(dd *)",
       "Bash(wget *|bash*)",
       "Bash(wget *| bash*)",
+      "Bash(curl *|bash*)",
+      "Bash(curl *| bash*)",
+      "Bash(curl *|sh*)",
+      "Bash(curl *| sh*)",
       "Bash(git push --force*)",
       "Bash(git push *--force*)",
       "Bash(git reset --hard*)",
 
       "Edit(~/.bashrc)",
       "Edit(~/.zshrc)",
       "Edit(~/.ssh/**)",
+      "Write(~/.bashrc)",
+      "Write(~/.zshrc)",
+      "Write(~/.ssh/**)",
 
       "Read(~/.ssh/**)",
       "Read(~/.gnupg/**)",
