ash / claude-code
Policy for Claude Code AI assistant
What's Included
- Claude's support files and directories
- macOS seatbelt related files and directories
- Anthropic API and telemetry collection domains
- Claude process execution
- Anthropic API key ENV variable
# yaml-language-server: $schema=https://hub.ashell.dev/schemas/policy/v1.json
#
# ash/claude-code — sandbox policy for the Claude Code AI assistant.
# Per the policy description it covers Claude's support files and
# directories, macOS seatbelt related files and directories, the Anthropic
# API and telemetry collection domains, Claude process execution, and the
# Anthropic API key environment variable.
#
# NOTE(review): a number of file rules below carry no `operations` list.
# The schema presumably treats a missing list as "every operation" (the
# Claude state directories clearly need writes) — confirm against the v1
# schema, because that default decides how broad the unlisted entries are.
schema_version: 1

publish:
  name: 'ash/claude-code'
  version: '0.0.11'
  description: 'Policy for Claude Code AI assistant'
  authors:
    - 'Ash Team <team@ashell.dev>'
  license: MIT

files:
  rules:
    # Working directory: read-only, except the project-local .claude state
    # (no `operations` list, so it gets the schema default).
    - path: './**'
      operations:
        - read
    - path: './.claude/**'
    - path: '/'
      operations:
        - read
    - path: '/Applications/Visual Studio Code.app/Contents/Resources/app/bin/code'
      operations:
        - read
    - path: '/Applications/Xcode.app/Contents/Developer/**'
      operations:
        - read
    - path: '/Library'
      operations:
        - read
    # NOTE(review): System.keychain is the system-wide certificate and
    # credential store. Read access is plausibly for TLS trust evaluation
    # (see the Security.framework and SystemTrustSettings entries) — confirm
    # it is required rather than carried over from a recorded trace.
    - path: '/Library/Keychains'
      operations:
        - read
    - path: '/Library/Keychains/System.keychain'
      operations:
        - read
    - path: '/Library/Preferences/Logging/com.apple.diagnosticd.filter.plist'
      operations:
        - read
    - path: '/Library/Preferences/com.apple.networkd.plist'
      operations:
        - read
    - path: '/System'
      operations:
        - read
    - path: '/System/Library'
      operations:
        - read
    - path: '/System/Library/CoreServices/RawCamera.bundle'
      operations:
        - read
    - path: '/System/Library/CoreServices/SystemVersion.bundle'
      operations:
        - read
    - path: '/System/Library/CoreServices/SystemVersion.bundle/English.lproj'
      operations:
        - read
    - path: '/System/Library/CoreServices/SystemVersion.bundle/English.lproj/SystemVersion.strings'
      operations:
        - read
    - path: '/System/Library/CoreServices/SystemVersion.plist'
      operations:
        - read
    - path: '/System/Library/Frameworks'
      operations:
        - read
    - path: '/System/Library/Frameworks/Security.framework'
      operations:
        - read
    - path: '/System/Library/Frameworks/Security.framework/Versions/**'
      operations:
        - read
    - path: '/System/Library/Keychains/SystemTrustSettings.plist'
      operations:
        - read
    - path: '/System/Volumes/Data'
      operations:
        - read
    - path: '/System/Volumes/Preboot/**'
      operations:
        - read
    - path: '/Users'
      operations:
        - read
    # Shells and basic tools; the matching exec rules are in the `exec`
    # section further down.
    - path: '/bin'
      operations:
        - read
    - path: '/bin/bash'
      operations:
        - read
    - path: '/bin/cat'
      operations:
        - read
    - path: '/bin/ps'
      operations:
        - read
    - path: '/bin/sh'
      operations:
        - read
    - path: '/bin/zsh'
      operations:
        - read
    - path: '/dev'
      operations:
        - read
    - path: '/dev/autofs_nowait'
      operations:
        - read
    - path: '/dev/dtracehelper'
      operations:
        - write
    # NOTE(review): the fd number and the three pty names below look like
    # they were captured from a single machine's session; they are unlikely
    # to match other hosts — verify whether the engine needs them at all.
    - path: '/dev/fd/63'
      operations:
        - read
    - path: '/dev/null'
      operations:
        - read
        - write
    - path: '/dev/tty'
      operations:
        - read
        - write
    - path: '/dev/ttys014'
      operations:
        - read
    - path: '/dev/ttys018'
      operations:
        - read
    - path: '/dev/ttys020'
      operations:
        - read
    # Homebrew: the cask install location and the shell-env bootstrap.
    - path: '/opt'
      operations:
        - read
    - path: '/opt/homebrew'
      operations:
        - read
    - path: '/opt/homebrew/Caskroom'
      operations:
        - read
    - path: '/opt/homebrew/Library/Homebrew/brew.sh'
      operations:
        - read
    - path: '/opt/homebrew/Library/Homebrew/cmd/shellenv.sh'
      operations:
        - read
    - path: '/opt/homebrew/bin'
      operations:
        - read
    - path: '/opt/homebrew/bin/brew'
      operations:
        - read
    - path: '/opt/homebrew/etc/paths'
      operations:
        - read
    - path: '/private/etc'
      operations:
        - read
    - path: '/private/etc/paths'
      operations:
        - read
    - path: '/private/etc/paths.d'
      operations:
        - read
    # NOTE(review): the paths.d fragments are host-specific (XQuartz, rvictl
    # and the ICU data file below are installed on some machines only);
    # presumably harmless when absent, but confirm the engine tolerates
    # missing paths.
    - path: '/private/etc/paths.d/10-cryptex'
      operations:
        - read
    - path: '/private/etc/paths.d/10-pmk-global'
      operations:
        - read
    - path: '/private/etc/paths.d/100-rvictl'
      operations:
        - read
    - path: '/private/etc/paths.d/40-XQuartz'
      operations:
        - read
    - path: '/private/etc/ssl/cert.pem'
      operations:
        - read
    - path: '/private/etc/zprofile'
      operations:
        - read
    # Scratch space: read, create and delete but (as written) no `write`.
    - path: '/private/tmp/**'
      operations:
        - read
        - create
        - delete
    - path: '/private/var/db/mds/messages/501/se_SecurityMessages'
      operations:
        - read
    - path: '/private/var/db/timezone/**'
      operations:
        - read
    - path: '/private/var/folders/**'
      operations:
        - read
    - path: '/usr/bin'
      operations:
        - read
    - path: '/usr/bin/caffeinate'
      operations:
        - read
    - path: '/usr/bin/clang'
      operations:
        - read
    - path: '/usr/bin/env'
      operations:
        - read
    - path: '/usr/bin/git'
      operations:
        - read
    - path: '/usr/bin/grep'
      operations:
        - read
    - path: '/usr/bin/security'
      operations:
        - read
    - path: '/usr/bin/sw_vers'
      operations:
        - read
    - path: '/usr/lib/dyld'
      operations:
        - read
    - path: '/usr/libexec'
      operations:
        - read
    - path: '/usr/libexec/path_helper'
      operations:
        - read
    - path: '/usr/share/i18n/**'
      operations:
        - read
    - path: '/usr/share/icu/icudt78l.dat'
      operations:
        - read
    - path: '/usr/share/locale/C.UTF-8/LC_CTYPE'
      operations:
        - read
    # Home directory. Bare `~` must stay quoted: unquoted it is YAML null.
    - path: '~'
      operations:
        - read
    - path: '~/.CFUserTextEncoding'
      operations:
        - read
    # Claude Code configuration, locks and state: no `operations` list, so
    # these presumably receive the schema default (the tool writes here).
    - path: '~/.cache/claude/staging'
    # NOTE(review): `~/.cargo/**` is granted the same unrestricted default as
    # the Claude-owned paths around it; confirm it needs more than `read`.
    - path: '~/.cargo/**'
    - path: '~/.claude.json'
    - path: '~/.claude.json.backup'
    - path: '~/.claude.json.backup.*'
    - path: '~/.claude.json.lock'
    - path: '~/.claude.json.tmp.*'
    - path: '~/.claude.lock'
    - path: '~/.claude/**'
    - path: '~/.config/git/ignore'
      operations:
        - read
    - path: '~/.gitconfig'
      operations:
        - read
    - path: '~/.local/share/claude/**'
    - path: '~/.local/state/claude/**'
    - path: '~/.zprofile'
      operations:
        - read
    - path: '~/Applications/Claude Code URL Handler.app/**'
    - path: '~/Library'
      operations:
        - read
    # NOTE(review): browser profile roots hold cookies and saved credentials.
    # These entries name the directory without `**`; confirm whether the
    # engine matches them recursively before treating this as a
    # listing-only grant.
    - path: '~/Library/Application Support/Arc/User Data'
      operations:
        - read
    - path: '~/Library/Application Support/BraveSoftware/Brave-Browser'
      operations:
        - read
    - path: '~/Library/Application Support/Chromium'
      operations:
        - read
    - path: '~/Library/Application Support/Google/Chrome'
      operations:
        - read
    - path: '~/Library/Application Support/Microsoft Edge'
      operations:
        - read
    - path: '~/Library/Application Support/Vivaldi'
      operations:
        - read
    - path: '~/Library/Application Support/com.operasoftware.Opera'
      operations:
        - read
    # NOTE(review): no `operations` list here, so the user keychains receive
    # the schema default (presumably every operation). The rest of this
    # policy only reads trust material; narrowing this to `read` is the
    # safer choice unless the tool demonstrably needs keychain writes.
    - path: '~/Library/Keychains/**'
    - path: '~/Projects'
      operations:
        - read
    - path: '~/Projects/.gitignore'
      operations:
        - read

network:
  rules:
    # NOTE(review): if the engine treats `0.0.0.0` / `::` as any-address
    # wildcards, these two rules allow every IPv4/IPv6 host on 443 and make
    # the named hosts below redundant; if they only match the literal
    # unspecified address they are harmless. Confirm the matcher semantics.
    - host: '0.0.0.0'
      ports: [443]
    - host: '::'
      ports: [443]
    # Anthropic API and telemetry collection domains (per the description).
    - host: 'api.anthropic.com'
      ports: [443]
    - host: 'mcp-proxy.anthropic.com'
      ports: [443]
    - host: 'statsig.anthropic.com'
      ports: [443]
    - host: 'formulae.brew.sh'
      ports: [443]
    - host: 'downloads.claude.ai'
      ports: [443]
    - host: 'platform.claude.com'
      ports: [443]
    - host: 'http-intake.logs.us5.datadoghq.com'
      ports: [443]
    - host: 'storage.googleapis.com'
      ports: [443]
    - host: 'registry.npmjs.org'
      ports: [443]
    - host: 'api.segment.io'
      ports: [443]

exec:
  rules:
    - path: '/Applications/Xcode.app/Contents/Developer/usr/bin/git'
    - path: '/bin/bash'
    - path: '/bin/cat'
    - path: '/bin/ps'
    - path: '/bin/sh'
    - path: '/bin/zsh'
    # The Claude Code binary as installed by the Homebrew cask.
    - path: '/opt/homebrew/Caskroom/claude-code/**/claude'
    # NOTE(review): these two are normally Unix-domain sockets on macOS, not
    # executables; they may belong to a socket/connect category rather than
    # `exec` — confirm with the engine's rule semantics.
    - path: '/private/var/run/mDNSResponder'
    - path: '/private/var/run/syslog'
    - path: '/usr/bin/caffeinate'
    - path: '/usr/bin/clang'
    - path: '/usr/bin/env'
    - path: '/usr/bin/git'
    - path: '/usr/bin/grep'
    - path: '/usr/bin/security'
    - path: '/usr/bin/sw_vers'
    - path: '/usr/libexec/path_helper'

environment:
  rules:
    # The API key is the only variable passed through. Keep this list
    # minimal: anything allowed here is presumably visible to the sandboxed
    # process and everything it executes.
    allow:
      - ANTHROPIC_API_KEY

# This policy has no dependencies.