🔸 [claude] allow just shellcheck

[chicks-net]

Done

• 🔸 [claude] allow just shellcheck

Meta

(Automated in .just/gh-process.just.)

[Copilot]

Pull request overview

This PR adds permission for Claude to execute just shellcheck commands by updating the allowed bash commands in the Claude settings configuration. The change also reorganizes the order of some existing permissions.

• Added Bash(just shellcheck:*) to the list of allowed commands
• Reordered existing permissions for better organization

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[claude]

Code Review

Summary

This PR adds Bash(just shellcheck:*) to the allowed permissions in Claude Code settings, enabling Claude to run shellcheck validation on just recipes without prompting for permission. This aligns with the repository's shellcheck integration added in v3.8bis.

✅ Positive Findings

1. Appropriate Permission Scope

• The permission Bash(just shellcheck:*) is properly scoped to only allow the specific just shellcheck command
• Uses wildcard pattern to allow any arguments to the shellcheck recipe
• Consistent with existing permission patterns (e.g., Bash(gh pr view:*))

2. Alphabetical Organization Improvement

• The reordering improves logical grouping:
  • General tools first (WebFetch, WebSearch)
  • Linting tools together (markdownlint-cli2, then later shellcheck)
  • GitHub CLI tools grouped together
• However, note the alphabetical ordering isn't perfectly consistent (see suggestion below)

3. Alignment with Repository Workflow

• Matches the documented development workflow in CLAUDE.md which lists just shellcheck as a standard command
• The shellcheck module was added in v3.8bis (🐚 [just] shellcheck just recipes #37, 🟣 [just] shellcheck has purple headings #39) and errors were fixed in v3.9 (✅ [just] v3.9 fixes shellcheck errors in gh-process #40)
• Makes sense to allow Claude to run this compliance check autonomously

💡 Suggestions for Improvement

Minor: Consider Full Alphabetical Consistency

While the grouping makes logical sense, the WebSearch line was moved up but the overall order could be more consistent. Consider either:

1. Strict alphabetical (current approach is fine)
2. Or group by tool type with comments:

{
  "permissions": {
    "allow": [
      // Web tools
      "WebFetch(domain:www.chicks.net)",
      "WebFetch(domain:developers.facebook.com)",
      "WebFetch(domain:github.com)",
      "WebFetch(domain:raw.githubusercontent.com)",
      "WebFetch(domain:en.wikipedia.org)",
      "WebSearch",
      
      // Linting tools
      "Bash(markdownlint-cli2:*)",
      "Bash(just shellcheck:*)",
      
      // GitHub CLI
      "Bash(gh pr view:*)",
      "Bash(gh pr diff:*)",
      
      // Git
      "Bash(git log:*)",
      
      // Other
      "Bash(identify:*)"
    ],
    "deny": [],
    "ask": []
  }
}

Note: This is purely aesthetic - the current implementation is functionally perfect.

🔒 Security Assessment

✅ No security concerns. The permission is:

• Read-only operation (shellcheck only analyzes code)
• Scoped to a specific command
• Runs on locally checked-out code
• Consistent with the principle of least privilege

📊 Overall Assessment

Verdict: ✅ LGTM (Looks Good To Me)

This is a clean, focused change that:

• Has a clear purpose
• Follows existing patterns
• Improves Claude's ability to autonomously maintain code quality
• Introduces no security risks
• Aligns with repository best practices

The minor reordering is actually an improvement for readability. This PR is ready to merge.

---

Review performed by Claude Code