Manifest reference

[permissions] — Claude allow/deny

Declare the Claude Code permission rules the rig needs. rig install merges them into .claude/settings.json (deny wins).

[permissions]
allow = [
  "Bash(uvx *)",
  "Read(data/templates/**)",
  "Read(data/reference/**)"
]
deny = [
  "Bash(rm -rf *)",
  "Read(.env)"
]

Fields

allow (list of strings)

Claude Code permission patterns to grant. Same syntax as .claude/settings.json: <Tool>(<pattern>). The rig author asserts these patterns are necessary for the rig to function.

deny (list of strings)

Permission patterns to forbid. Stronger than allow — see merge rules.

Why declare them

If the rig needs to run uvx yfinance-mcp-server, Claude Code will ask the user for permission the first time. That's friction. By declaring Bash(uvx *) in [permissions].allow, the rig pre-authorises the pattern, so the user doesn't face a permission dialog they don't understand.

Merge rules

During rig install, the rig's allow and deny lists are merged into the user's existing .claude/settings.json:

  • Union of allow — user's allow ∪ rig's allow.
  • Union of deny — user's deny ∪ rig's deny.
  • Deny always wins — if a pattern appears in either party's deny, it's denied even if the other party allowed it.

The result: a rig cannot weaken user-imposed restrictions. A rig can ask for broad allow rules, but the user (or admin) can block anything they don't trust with a deny pattern, and that deny survives the merge.
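The merge rules above, worked through in Python as an added example (this is not rig's own implementation; the user settings and rig table are constructed samples, and exact-string comparison in decide() stands in for Claude Code's real pattern matching):

```python
import json

# Constructed sample: what the user's .claude/settings.json already holds.
USER_SETTINGS = {
    "permissions": {
        "allow": ["Read(docs/**)", "Bash(git status)"],
        "deny": ["Read(.env)", "Bash(uvx *)"],
    }
}

# Constructed sample: the rig manifest's [permissions] table, as parsed TOML.
RIG_PERMISSIONS = {
    "allow": ["Bash(uvx *)", "Read(data/templates/**)", "Read(data/reference/**)"],
    "deny": ["Bash(rm -rf *)", "Read(.env)"],
}


def _union(first, second):
    """Order-preserving union: the user's entries first, then new rig entries."""
    seen, merged = set(), []
    for pattern in list(first) + list(second):
        if pattern not in seen:
            seen.add(pattern)
            merged.append(pattern)
    return merged


def merge_permissions(user_settings, rig_perms):
    """Return a new settings dict with the rig's allow/deny unioned in.

    Nothing is ever removed from the user's lists, so a user-imposed deny
    always survives the merge. Other keys in settings.json are preserved.
    """
    merged = json.loads(json.dumps(user_settings))  # deep copy, input untouched
    user_perms = merged.get("permissions", {})
    user_perms["allow"] = _union(user_perms.get("allow", []), rig_perms.get("allow", []))
    user_perms["deny"] = _union(user_perms.get("deny", []), rig_perms.get("deny", []))
    merged["permissions"] = user_perms
    return merged


def decide(pattern, settings):
    """Deny wins, then allow; anything else makes Claude Code prompt ("ask").

    Assumption: exact-string membership, not Claude Code's glob matching.
    """
    perms = settings.get("permissions", {})
    if pattern in perms.get("deny", []):
        return "deny"
    if pattern in perms.get("allow", []):
        return "allow"
    return "ask"
```

Note that the rig's Bash(uvx *) allow ends up in the merged allow list yet is still denied, because the user had already placed it under deny.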

Authoring guidance

Least privilege. Declare the narrowest patterns that work. Bash(uvx yfinance-mcp-server) is better than Bash(uvx *), which is better than Bash(*).

Read patterns for shipped data only. If the rig reads from data/reference/, allow Read(data/reference/**) but not Read(*). The user's other files should not be readable just because they installed a rig.

Avoid Write on user folders. A rig that needs to write should write inside its install directory; allow Write(outputs/**) rather than Write(*).

Don't grant network/exec broadly. Bash(curl *), Bash(npm install *), etc., are red flags in a published rig. Use narrower commands or split work into install hooks that the user explicitly opts into.

Examples

A safe research rig:

[permissions]
allow = [
  "Read(data/reference/**)",
  "Read(data/templates/**)",
  "Write(outputs/**)",
  "Bash(uvx yfinance-mcp-server)",
  "Bash(uvx macro-mcp-server)"
]

A rig that calls a specific script:

[permissions]
allow = [
  "Bash(./scripts/refresh-data.sh)",
  "Bash(./scripts/render-report.sh)"
]
deny = [
  "Bash(./scripts/admin-*)"
]

What rig doesn't do

  • Doesn't grant permissions outside the workspace.
  • Doesn't bypass the user's deny rules.
  • Doesn't persist the merged settings anywhere except .claude/settings.json.

See also