Allow Claude Code to push feature branches #830

Merged: tooky merged 2 commits into main from allow-claude-push-feature-branches on Apr 25, 2026

tooky (Contributor) commented Apr 25, 2026

Summary

  • Update .claude/settings.json to allow git push on feature branches, including git push --force-with-lease for rebase workflows. Pushes touching main, plain --force, and -f remain denied.
  • Update CLAUDE.md workflow preferences to match the new policy.

Test plan

  • Confirm Claude can git push a feature branch without prompting
  • Confirm git push origin main (and variants) is still denied
  • Confirm git push --force / git push -f is still denied
  • Confirm git push --force-with-lease works on a feature branch

🤖 Generated with Claude Code

Loosens the project policy so Claude can push feature branches itself,
including `--force-with-lease` for rebase workflows. Pushing to `main`
and plain `--force` / `-f` remain denied in `.claude/settings.json`,
and `CLAUDE.md` is updated to match.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
claude Bot (Contributor) commented Apr 25, 2026

Claude finished @tooky's task in 2m 59s

PR Review: Allow Claude Code to push feature branches

  • Gather context and read changed files
  • Run static analysis checks (go build, go vet, go mod tidy — all pass, no Go code changed)
  • Review code changes
  • Post review feedback

Static Analysis

All green — no Go code changed, go build, go vet, and go mod tidy all pass cleanly.

Review

Overall: Well-structured change. The deny-before-allow precedence model in Claude Code means the deny rules act as a hard blocklist, and the broad Bash(git push *) allow rule only applies to commands that survive the deny filter. The two commits are logically separated — first the core policy change, then hardening for --force/-f after positional args.

Security analysis of the deny rules — coverage looks solid:

| Scenario | Matched deny rule | Blocked? |
| --- | --- | --- |
| `git push origin main` | `git push * main` | |
| `git push origin HEAD:main` | `git push * *:main` | |
| `git push origin main:feature` | `git push * main:*` | |
| `git push --force origin feature` | `git push --force *` | |
| `git push -f origin feature` | `git push -f *` | |
| `git push origin feature --force` | `git push * --force` | |
| `git push origin feature -f` | `git push * -f` | |
| `git push origin feature -f other` | `git push * -f *` | |
| `git push --force-with-lease origin main` | `git push * main` | ✅ (deny wins over allow) |
| `git push --force-with-lease origin feature` | (no deny match) | ✅ Allowed — intended |
| `git push origin feature` | (no deny match) | ✅ Allowed — intended |
| bare `git push` (no args) | (no pattern match) | Prompts user — fine |

One minor observation (not blocking): Bash(git push * main:*) also catches git push origin main:feature-backup, which pushes local main to a remote feature branch. This is a false positive — it's a safe operation — but erring on the side of caution here is reasonable, and it's an unusual enough command that it shouldn't come up in normal workflows.

CLAUDE.md update is clear and consistent with the new policy. The guidance about --force-with-lease vs --force is helpful.

What's done well

  • Defense in depth: Deny rules cover --force/-f in multiple positions (before args, between args, after args) — the second commit (bfc3edfa) specifically closes the positional-arg gap.
  • Least surprise: --force-with-lease is allowed (safe rebase workflow) while --force is denied. This matches Git best practices.
  • CLAUDE.md kept in sync with the settings change, so both the hard enforcement and the soft guidance tell the same story.

Looks good to merge. 👍
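
The scenarios in the review table can be kept as a regression check for the deny list. The following is an added example, not code from this PR or from Claude Code. It assumes `*` matches any run of characters with everything else literal, and that deny is evaluated before allow as the review describes; `first_match`, `decide` and `regressions` are hypothetical names.

```python
import re

# Rules named in the review above. Matching semantics are an assumption of
# this sketch: "*" matches any run of characters (spaces included), all other
# characters are literal, and the pattern must cover the whole command.
DENY = [
    "git push * main", "git push * *:main", "git push * main:*",
    "git push --force *", "git push -f *",
    "git push * --force", "git push * -f", "git push * -f *",
]
ALLOW = ["git push *"]

def first_match(command, patterns):
    """Return the first pattern that matches the whole command, else None."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, command, re.DOTALL):
            return pattern
    return None

def decide(command):
    # Deny is checked first, then allow; anything unmatched prompts the user.
    rule = first_match(command, DENY)
    if rule is not None:
        return "deny", rule
    rule = first_match(command, ALLOW)
    return ("allow", rule) if rule is not None else ("ask", None)

# Scenarios from the review table, plus the main:feature-backup case the
# review calls a false positive, with the decision the review gives for each.
EXPECTED = {
    "git push origin main": "deny",
    "git push origin HEAD:main": "deny",
    "git push origin main:feature": "deny",
    "git push origin main:feature-backup": "deny",
    "git push --force origin feature": "deny",
    "git push -f origin feature": "deny",
    "git push origin feature --force": "deny",
    "git push origin feature -f": "deny",
    "git push origin feature -f other": "deny",
    "git push --force-with-lease origin main": "deny",
    "git push --force-with-lease origin feature": "allow",
    "git push origin feature": "allow",
    "git push": "ask",
}

def regressions():
    """Map each scenario whose decision differs from EXPECTED to what it got."""
    got = {cmd: decide(cmd)[0] for cmd in EXPECTED}
    return {cmd: d for cmd, d in got.items() if d != EXPECTED[cmd]}
```

An empty result from `regressions()` means every scenario still gets the decision the review recorded; rerun it whenever a deny or allow pattern changes.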

Closes a gap noted in PR review: `git push origin feature --force`
would have matched the allow rule but not the deny rules, since the
existing deny patterns require the flag immediately after `git push`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
tooky enabled auto-merge (squash) April 25, 2026 10:09
tooky merged commit d4278e2 into main Apr 25, 2026
23 of 24 checks passed
tooky deleted the allow-claude-push-feature-branches branch April 25, 2026 10:14