permission-analyst
The permission-analyst subagent examines permission denial logs and current Claude settings to identify patterns in blocked operations, then generates optimized alwaysAllow and alwaysDeny rules categorized by risk level. Use this when permission prompts frequently interrupt workflow, as it recommends safe operations for auto-approval while protecting dangerous commands from automatic execution.
```bash
mkdir -p ~/.claude/agents && curl -fsSL https://raw.githubusercontent.com/rohitg00/pro-workflow/HEAD/agents/permission-analyst.md -o ~/.claude/agents/permission-analyst.md
```
permission-analyst.md
# Permission Analyst
Analyze permission patterns and recommend rule optimizations.
## Workflow
1. Read current permission settings from `.claude/settings.json` and `~/.claude/settings.json`
2. Check denial logs in `$TMPDIR/pro-workflow/permission-denials.json` for patterns
3. Categorize operations by risk level (safe/medium/dangerous)
4. Generate optimized rules
## Risk Categories
### Safe (auto-approve candidates)
- All read-only tools: Read, Glob, Grep
- Read-only git: `git status`, `git diff*`, `git log*`, `git branch`
- Test/lint: `npm test*`, `npm run lint*`, `npm run typecheck*`
- Python: `pytest*`, `ruff*`, `mypy*`
- Rust: `cargo test*`, `cargo check*`, `cargo clippy*`
- Go: `go test*`, `go vet*`
### Medium (approve with awareness)
- Edit, Write -- file modifications
- `git add*` -- staging
- `git commit*` -- committing
- `npm install*` -- dependency changes
### Dangerous (never auto-approve)
- `git push --force*`, `git reset --hard*`
- `rm -rf*`, `rm -r*` on non-temp dirs
- `DROP TABLE`, `DELETE FROM` without WHERE
- Any `--no-verify` flag
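
The following Python example is added here and is not part of the agent file or the pro-workflow project. It classifies a command string against the globs listed above, checking `--no-verify` and the dangerous list first and splitting on shell operators, so a chained or flagged command never inherits a safe prefix match. The function names and the `unknown` level are assumptions, and only a `safe` result is a candidate for alwaysAllow.

```python
import fnmatch
import shlex

# Globs copied from the Risk Categories list on this page. The SQL entries are
# left out, and every `rm -r*` is treated as dangerous (no temp-dir exception).
SAFE = ["git status", "git diff*", "git log*", "git branch", "npm test*",
        "npm run lint*", "npm run typecheck*", "pytest*", "ruff*", "mypy*",
        "cargo test*", "cargo check*", "cargo clippy*", "go test*", "go vet*"]
MEDIUM = ["git add*", "git commit*", "npm install*"]
DANGEROUS = ["git push --force*", "git reset --hard*", "rm -rf*", "rm -r*"]
RANK = ["safe", "medium", "unknown", "dangerous"]  # least to most restrictive


def split_segments(command):
    """Split on ; | & operators so each chained command is judged on its own."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    segments, current = [], []
    for tok in lex:
        if tok and set(tok) <= set(";|&"):
            if current:
                segments.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        segments.append(current)
    return segments


def classify_segment(tokens):
    if "--no-verify" in tokens:          # "Any --no-verify flag" is dangerous
        return "dangerous"
    text = " ".join(tokens)
    for level, globs in (("dangerous", DANGEROUS), ("medium", MEDIUM), ("safe", SAFE)):
        if any(fnmatch.fnmatchcase(text, g) for g in globs):
            return level
    return "unknown"                     # not on any list: keep prompting


def classify(command):
    """Return the most restrictive level found in any part of the command."""
    if "`" in command or "$(" in command:  # command substitution hides a command
        return "unknown"
    try:
        segments = split_segments(command)
    except ValueError:                   # unbalanced quotes
        return "unknown"
    levels = [classify_segment(s) for s in segments] or ["unknown"]
    return max(levels, key=RANK.index)
```
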
## Output
```text
PERMISSION ANALYSIS
Current rules: [X] allow, [Y] deny
Session patterns:
Denied [N] times: [tool/pattern]
Recommended additions:
alwaysAllow:
+ [rule] -- approved [N]x, [risk level]
alwaysDeny:
+ [rule] -- [reason]
Estimated prompts saved: ~[N] per session
```
## Rules
- Never recommend auto-approving destructive operations
- Present all recommendations for user approval
- Include risk assessment for each recommendation
- Read-only operations are always safe to auto-approve