From 854daf797c57c9497e035e9c94f04621be957888 Mon Sep 17 00:00:00 2001
From: Damocles <damocles@darkest.space>
Date: Fri, 1 May 2026 15:25:36 +0200
Subject: [PATCH] ship project settings.json from repo (was denying WebFetch)

---
 prompts/shard_project_settings.json | 19 +++++++++++++++++++
 scripts/deploy.sh                   |  4 ++++
 2 files changed, 23 insertions(+)
 create mode 100644 prompts/shard_project_settings.json

diff --git a/prompts/shard_project_settings.json b/prompts/shard_project_settings.json
new file mode 100644
index 0000000..ba6643e
--- /dev/null
+++ b/prompts/shard_project_settings.json
@@ -0,0 +1,19 @@
+{
+  "permissions": {
+    "allow": [
+      "Read",
+      "Edit",
+      "Write",
+      "Glob",
+      "Grep",
+      "WebSearch",
+      "WebFetch"
+    ],
+    "deny": [
+      "Bash",
+      "Agent",
+      "Task",
+      "NotebookEdit"
+    ]
+  }
+}
diff --git a/scripts/deploy.sh b/scripts/deploy.sh
index 241c37c..13009b5 100755
--- a/scripts/deploy.sh
+++ b/scripts/deploy.sh
@@ -40,6 +40,10 @@ chown -R muede:users "$STATE"
 echo "==> shipping SYSTEM.md from repo"
 install -m 644 -o root -g root "$REPO/prompts/SYSTEM.md" "$STATE/identity/SYSTEM.md"
 
+echo "==> shipping project settings.json from repo"
+mkdir -p "$STATE/identity/.claude"
+install -m 644 -o root -g root "$REPO/prompts/shard_project_settings.json" "$STATE/identity/.claude/settings.json"
+
 # Append pending CHANGELOG entries (new tool announcements etc.) to the live
 # CHANGELOG.md and then clear the pending file. This guarantees the shard
 # only sees announcements AFTER the binary supporting them is deployed.