claude-settings-optimizer

verified

Optimizes Claude Code settings by analyzing permission whitelists, detecting dangerous patterns, identifying redundancies, and migrating WebFetch domains to sandbox network allowlists. Use when asked to "optimize settings", "clean permissions", "review sandbox config", or "migrate to sandbox".

Marketplace

claude-skills

tsilva/claude-skills

Plugin

claude-settings-optimizer

Repository

tsilva/claude-skills

plugins/claude-settings-optimizer/skills/claude-settings-optimizer/SKILL.md

Last Verified

January 22, 2026

Install Skill

npx add-skill https://github.com/tsilva/claude-skills/blob/main/plugins/claude-settings-optimizer/skills/claude-settings-optimizer/SKILL.md -a claude-code --skill claude-settings-optimizer

Installation paths:

Claude
.claude/skills/claude-settings-optimizer/

Instructions

# Claude Settings Optimizer

Analyzes and optimizes Claude Code permission settings with sandbox-aware WebFetch migration.

## Commands

| Command | Description |
|---------|-------------|
| `analyze` | Show report without changes |
| `clean` | Interactive cleanup with prompts |
| `auto-fix` | Auto-remove redundant permissions and migrate WebFetch to sandbox |

## Usage

```bash
UV_CACHE_DIR=/tmp/claude/uv-cache uv run SKILL_DIR/scripts/settings_optimizer.py {analyze|clean|auto-fix}
```

Optional arguments:
- `--global-settings PATH` - Custom global settings path (default: `~/.claude/settings.json`)
- `--project-settings PATH` - Custom project settings path (default: `./.claude/settings.local.json`)

## Issue Categories

### DANGEROUS
Overly broad permissions that grant unrestricted access.

Examples:
- `Bash(*:*)` - Allows any shell command
- `Read(/*)` - Allows reading any file
- `Skill(*)` - Allows any skill

**Action**: Review and remove or scope down.

### SPECIFIC
Hardcoded command arguments that should be generalized.

Example:
- `Bash(python test.py)` -> Suggest: `Bash(python:*)`

**Action**: Generalize to wildcard pattern.

### REDUNDANT
Project permission already covered by global permission.

Example:
- Global: `WebFetch`
- Project: `WebFetch(domain:api.example.com)` (redundant)

**Action**: Remove from project settings.

### MIGRATE_TO_SANDBOX
WebFetch domain permission that is redundant at tool level but needed for Bash network access.

**Scenario**:
1. Global: `WebFetch` (covers all WebFetch calls)
2. Project: `WebFetch(domain:api.example.com)` (redundant for WebFetch)
3. BUT: `curl api.example.com` needs the domain in `sandbox.permissions.network.allow`

**Detection**:
- Project-level `WebFetch(domain:X)` covered by global WebFetch
- Domain X is NOT in `sandbox.permissions.network.allow`

**Action**:
- Remove from `permissions.allow`
- Add domain to `sandbox.permissions.network.allow`
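
The detection and action rules above, together with the DANGEROUS and REDUNDANT categories, as an added sketch (not the skill's own `settings_optimizer.py`). The function name `optimize`, the sample settings, the choice to keep DANGEROUS rules for manual review, and the assumption that the sandbox allowlist lives in the project settings file are all illustrative.

```python
import copy
import re

DANGEROUS = {"Bash(*:*)", "Read(/*)", "Skill(*)"}  # the examples listed on this page
DOMAIN_RULE = re.compile(r"^WebFetch\(domain:([^)]+)\)$")

def optimize(global_settings, project_settings):
    """Classify project allow rules; return (findings, proposed project settings)."""
    global_allow = set(global_settings.get("permissions", {}).get("allow", []))
    proposed = copy.deepcopy(project_settings)  # never mutate the caller's settings
    perms = proposed.setdefault("permissions", {})
    # Assumption: the sandbox allowlist lives in the same project file.
    net = (proposed.setdefault("sandbox", {}).setdefault("permissions", {})
           .setdefault("network", {}))
    sandbox_allow = net.setdefault("allow", [])
    findings, kept = [], []
    for rule in perms.get("allow", []):
        match = DOMAIN_RULE.match(rule)
        if rule in DANGEROUS:
            findings.append(("DANGEROUS", rule))
            kept.append(rule)  # left in place here: a person reviews and scopes it down
        elif match and "WebFetch" in global_allow:
            domain = match.group(1)
            if domain in sandbox_allow:
                findings.append(("REDUNDANT", rule))
            else:
                findings.append(("MIGRATE_TO_SANDBOX", rule))
                sandbox_allow.append(domain)  # keeps curl to this host working
        elif rule in global_allow:
            findings.append(("REDUNDANT", rule))
        else:
            kept.append(rule)
    perms["allow"] = kept
    return findings, proposed

# Constructed sample settings (not taken from a real configuration).
GLOBAL = {"permissions": {"allow": ["WebFetch", "Bash(git:*)"]}}
PROJECT = {
    "permissions": {"allow": [
        "WebFetch(domain:api.example.com)",
        "WebFetch(domain:docs.example.com)",
        "Bash(git:*)",
        "Bash(*:*)",
        "Bash(npm:*)",
    ]},
    "sandbox": {"permissions": {"network": {"allow": ["docs.example.com"]}}},
}

if __name__ == "__main__":
    for category, rule in optimize(GLOBAL, PROJECT)[0]:
        print(f"{category:20} {rule}")
```
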

**Example migration**:

Before:
```json
{
  "permissions": {
    "allow": ["WebF
