This is an automated email from the ASF dual-hosted git repository.
potiuk pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/airflow-steward.git
The following commit(s) were added to refs/heads/main by this push:
new d65cd69 chore(settings): allowlist read-only Gmail / Ponymail MCP + zizmor (#365)
d65cd69 is described below
commit d65cd69d99d0c32fa11a2ca0a4193898695dd559
Author: Jarek Potiuk <[email protected]>
AuthorDate: Thu May 28 22:28:33 2026 +0200
chore(settings): allowlist read-only Gmail / Ponymail MCP + zizmor (#365)
Add eight read-only patterns to `.claude/settings.json`
`permissions.allow` (and mirror in `tools/sandbox-lint/expected.json`
to keep the baseline in lockstep) so the most common prompts during
security-mailbox sweeps and CI lint passes go away.
== Added ==
- `mcp__claude_ai_Gmail__get_thread` — read Gmail thread by ID
- `mcp__claude_ai_Gmail__search_threads` — search Gmail by query
- `mcp__ponymail__search_list` — search public ASF mailing-list archive
- `mcp__ponymail__auth_status` — ponymail auth probe
- `mcp__ponymail__get_thread` — read ponymail thread
- `mcp__ponymail__get_email` — read individual ponymail message
- `mcp__ponymail__list_restrictions` — read access restriction list
- `Bash(zizmor *)` — GitHub Actions security linter (read-only scan)
== Frequency basis ==
Picked from a 50-transcript scan (4786 Bash calls, 353 MCP calls):
107 mcp__claude_ai_Gmail__get_thread
48 mcp__claude_ai_Gmail__search_threads
47 mcp__ponymail__search_list
15 mcp__ponymail__auth_status
8 mcp__ponymail__get_thread
4 mcp__ponymail__get_email
3 mcp__ponymail__list_restrictions
4 Bash(zizmor *)
== Deliberately NOT added ==
- `Bash(prek run *)` — runs hooks that include formatters (ruff format, doctoc) that mutate files.
- `Bash(breeze run *)` / `Bash(breeze release-management *)` — Airflow CI/build tooling, mutates.
- `Bash(for *)` / `Bash(until *)` family — shell loops are arbitrary-code-execution wildcards; never safe to allowlist.
- `Bash(mkdir *)` / `Bash(chmod *)` / `Bash(ln *)` — filesystem writes.
- `Bash(awk *)` / `Bash(open *)` / `Bash(magick *)` — pattern doesn't distinguish reads from writes.
- All git / gh / cat / ls / grep / rg / find / etc. — already auto-allowed by Claude Code with no rule needed.
== Verification ==
sandbox-lint pytest passes (50/50) — the baseline and live `.claude/settings.json` agree.
Generated-by: Claude Code (Opus 4.7)
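As an added illustration (this is not the repository's sandbox-lint, whose contents this page does not show), the following Python lint applies the reasoning of the commit message to a `permissions.allow` list: the "Deliberately NOT added" entries become a rejected-prefix table, shell control words are flagged as arbitrary-execution wildcards, a bare `Bash(*)` is rejected outright, and drift between the live settings and the baseline is reported. The function names, the control-word set beyond `for`/`until`, and the embedded sample JSON are constructed for the example.

```python
"""Lint a Claude Code `permissions.allow` list before it is merged.

Illustrative example; NOT the repository's sandbox-lint. The rejected-prefix
table and the sample settings below are constructed from the commit message.
"""
import json
import re
from typing import Optional

# Prefixes the commit message declines to allowlist, and why.
# Constructed from the "Deliberately NOT added" list; extend as needed.
REJECTED_PREFIXES = {
    "prek run": "runs formatters that mutate files",
    "breeze run": "CI/build tooling, mutates",
    "breeze release-management": "CI/build tooling, mutates",
    "mkdir": "filesystem write",
    "chmod": "filesystem write",
    "ln": "filesystem write",
    "awk": "pattern does not distinguish reads from writes",
    "open": "pattern does not distinguish reads from writes",
    "magick": "pattern does not distinguish reads from writes",
}

# Shell control words: `Bash(for *)` is arbitrary code execution, never safe.
# `for` and `until` come from the commit; the rest are added here by assumption.
SHELL_CONTROL_WORDS = {"for", "until", "while", "if", "eval", "exec"}

BASH_RULE = re.compile(r"^Bash\((?P<cmd>.*)\)$")


def lint_rule(rule: str) -> Optional[str]:
    """Return a problem description for one allow rule, or None if it passes."""
    if rule.startswith("mcp__"):
        # MCP tool rules carry no argument scoping; only the tool name is checked.
        return None
    m = BASH_RULE.match(rule)
    if m is None:
        return f"{rule}: unrecognised rule kind"
    cmd = m.group("cmd").strip()
    if cmd in ("", "*"):
        return f"{rule}: bare wildcard allows any shell command"
    if cmd.split()[0] in SHELL_CONTROL_WORDS:
        return f"{rule}: shell control word, arbitrary-code-execution wildcard"
    for prefix, why in REJECTED_PREFIXES.items():
        # Word-bounded prefix match: `awk *` is rejected, `awkward *` is not.
        if cmd == prefix or cmd.startswith(prefix + " "):
            return f"{rule}: {why}"
    return None


def lint_allow(settings: dict) -> list:
    """Problems for every rule in settings['permissions']['allow']."""
    allow = settings.get("permissions", {}).get("allow", [])
    return [p for p in (lint_rule(r) for r in allow) if p is not None]


def baseline_drift(live: dict, expected: dict) -> list:
    """Rules on which the live settings and the baseline disagree (order-insensitive)."""
    drift = []
    for key in ("allow", "deny"):
        a = set(live.get("permissions", {}).get(key, []))
        b = set(expected.get("permissions", {}).get(key, []))
        drift += [f"{key}: only in live: {r}" for r in sorted(a - b)]
        drift += [f"{key}: only in baseline: {r}" for r in sorted(b - a)]
    return drift


def lint_files(live_text: str, expected_text: str) -> list:
    """Parse both JSON documents and return all problems found."""
    live, expected = json.loads(live_text), json.loads(expected_text)
    return lint_allow(live) + baseline_drift(live, expected)


# Constructed sample: part of the allow list from the commit, plus two rules
# the commit message rejects, so that the lint has something to flag.
LIVE_JSON = """
{
  "permissions": {
    "allow": [
      "Bash(gh api graphql *)",
      "mcp__claude_ai_Gmail__get_thread",
      "mcp__claude_ai_Gmail__search_threads",
      "mcp__ponymail__search_list",
      "Bash(zizmor *)",
      "Bash(for *)",
      "Bash(prek run *)"
    ],
    "deny": ["Read(~/.aws/**)"]
  }
}
"""
# Baseline that was not kept in lockstep: one allow entry differs.
BASELINE_JSON = LIVE_JSON.replace('      "Bash(prek run *)"\n', '      "Bash(mkdir *)"\n')

if __name__ == "__main__":
    for problem in lint_files(LIVE_JSON, BASELINE_JSON):
        print(problem)
```

Run against the sample, the lint reports the shell-loop rule, the formatter rule, and the one-entry drift in each direction; `Bash(zizmor *)` and the `mcp__` entries pass because neither the rejected-prefix table nor the control-word set says anything about them, which is exactly the limit of a prefix-based lint.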
---
.claude/settings.json | 10 +++++++++-
tools/sandbox-lint/expected.json | 10 +++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/.claude/settings.json b/.claude/settings.json
index 592b7b9..fdd3930 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -45,7 +45,15 @@
},
"permissions": {
"allow": [
- "Bash(gh api graphql *)"
+ "Bash(gh api graphql *)",
+ "mcp__claude_ai_Gmail__get_thread",
+ "mcp__claude_ai_Gmail__search_threads",
+ "mcp__ponymail__search_list",
+ "mcp__ponymail__auth_status",
+ "mcp__ponymail__get_thread",
+ "mcp__ponymail__get_email",
+ "mcp__ponymail__list_restrictions",
+ "Bash(zizmor *)"
],
"deny": [
"Read(~/.aws/**)",
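Review bot: `Bash(zizmor *)` in this hunk is wider than the "read-only scan" the commit message describes: the trailing `*` accepts every argument, so the rule also admits any in-place fix mode the installed zizmor release provides, and scanning of paths outside the repository. This is the same shape as `Bash(awk *)` and `Bash(open *)`, which the message rejects because the pattern "doesn't distinguish reads from writes". If the permission syntax cannot pin the flags, at least record that caveat alongside the rule rather than calling it read-only. A smaller point: the seven `mcp__` entries are appended in scan-frequency order after `"Bash(gh api graphql *)"`; keeping the array sorted would make each future addition a one-line diff.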
diff --git a/tools/sandbox-lint/expected.json b/tools/sandbox-lint/expected.json
index 592b7b9..fdd3930 100644
--- a/tools/sandbox-lint/expected.json
+++ b/tools/sandbox-lint/expected.json
@@ -45,7 +45,15 @@
},
"permissions": {
"allow": [
- "Bash(gh api graphql *)"
+ "Bash(gh api graphql *)",
+ "mcp__claude_ai_Gmail__get_thread",
+ "mcp__claude_ai_Gmail__search_threads",
+ "mcp__ponymail__search_list",
+ "mcp__ponymail__auth_status",
+ "mcp__ponymail__get_thread",
+ "mcp__ponymail__get_email",
+ "mcp__ponymail__list_restrictions",
+ "Bash(zizmor *)"
],
"deny": [
"Read(~/.aws/**)",
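Review bot: `tools/sandbox-lint/expected.json` is a byte-for-byte copy of `.claude/settings.json` (both diffs show the same blob hashes, `index 592b7b9..fdd3930`), so the baseline only catches the two files drifting apart; it cannot object to an unsafe entry that is added to both files in the same commit, which is exactly how this PR lands its eight new rules. Consider having sandbox-lint also assert properties of the allow list directly, for example rejecting any `Bash(...)` rule whose first word is one of the patterns the commit message declines (`for`, `until`, `mkdir`, `chmod`, `ln`, `prek`, `breeze`), so the "Deliberately NOT added" list becomes an enforced test instead of prose that a later commit can silently contradict.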