Document and test allowed-tools patterns in CONTRIBUTING.md #22

@krisrowe

Summary

Before adding allowed-tools frontmatter to skills, we need:

  1. Verified syntax — Test that scoped patterns like Bash(git*) actually work in Claude Code vs plain Bash vs no declaration. Use claude -p in /tmp/ to compare behavior with and without.

  2. Documented patterns in CONTRIBUTING.md — Add a section covering:

    • allowed-tools syntax and semantics (additive only, no restriction)
    • Scoped Bash patterns: Bash(git*), Bash(gh*) vs broad Bash
    • When to use scoped vs broad vs no declaration
    • Examples and links to Claude Code docs

  3. Per-skill rationale — Determine whether CONTRIBUTING.md works at subdirectory level in Claude Code / Gemini CLI for per-skill design decisions. If not, define a convention (e.g., DESIGN.md or a section in CONTRIBUTING.md linking to skills by name). Cannot use README.md at skill level — that's published on echoskill.ai.

  4. Testing methodology — Document how to test skill effectiveness:

    • claude -p calls in /tmp/ test directories
    • Compare with and without allowed-tools
    • Verify scoped patterns actually scope (does Bash(git*) block Bash(rm*)?)
    • Document results alongside the pattern docs

Context

Started adding allowed-tools to all skills in PR branch review-skill-tool-approvals. Paused because:

  • Broad Bash is too permissive — need scoped patterns
  • The scoped syntax (Bash(git*)) is underdocumented in develop-skill
  • No evidence yet that scoped patterns work as expected
  • Need CONTRIBUTING.md patterns before applying across 14 skills

Blocked by

  • Testing: need verified results before committing changes
  • setup-agent-context skill should reference this CONTRIBUTING.md guidance

Related

  • Branch review-skill-tool-approvals has 4 skills partially edited + Chris→Bob fix in pre-publish-privacy-review
  • The develop-skill skill mentions allowed-tools: Bash, Read but doesn't cover scoping
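
An added example, not part of the issue or the repository's code: a small audit that classifies each skill's allowed-tools declaration as missing, broad Bash, or scoped Bash(...), so the 14 skills can be inventoried before and after the change. It assumes the declaration is a single comma-separated frontmatter line between `---` fences, as in the `allowed-tools: Bash, Read` form quoted above; the function names and sample skills are hypothetical, and it reports what is declared, not whether Claude Code enforces the scope.

```python
import re

# Constructed sample skill files (not taken from the repository).
SAMPLES = {
    "broad": "---\nname: demo-broad\nallowed-tools: Bash, Read\n---\nBody\n",
    "scoped": "---\nname: demo-scoped\nallowed-tools: Bash(git*), Bash(gh*), Read\n---\nBody\n",
    "none": "---\nname: demo-none\n---\nBody mentions allowed-tools: Bash\n",
}

def frontmatter(text):
    """Return the lines between the leading '---' fences, or [] if absent."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    for i, line in enumerate(lines[1:], start=1):
        if line.strip() == "---":
            return lines[1:i]
    return []  # unterminated frontmatter: treat as no declaration

def split_tools(value):
    """Split on commas outside parentheses, so a scope containing ',' stays whole."""
    items, depth, cur = [], 0, ""
    for ch in value:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    items.append(cur.strip())
    return [item for item in items if item]

def audit(text):
    """Return (verdict, bash_scopes); verdict is none, broad, scoped or no-bash."""
    for line in frontmatter(text):
        key, _, value = line.partition(":")
        if key.strip() != "allowed-tools":
            continue
        tools = split_tools(value)
        scopes = [m.group(1) for t in tools if (m := re.fullmatch(r"Bash\((.+)\)", t))]
        if "Bash" in tools:  # plain Bash anywhere in the list makes the grant broad
            return "broad", scopes
        return ("scoped" if scopes else "no-bash"), scopes
    return "none", []
```
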
