The latest articles on DEV Community by Tasuku Yamashita (@tasuku43). https://dev.to/tasuku43 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3747667%2Ff7501754-4d81-48fd-98b9-34812201e925.jpeg https://dev.to/tasuku43 en Tasuku Yamashita Wed, 29 Apr 2026 15:27:05 +0000 https://dev.to/tasuku43/managing-claude-code-bash-permissions-with-yaml-and-tests-ff7 https://dev.to/tasuku43/managing-claude-code-bash-permissions-with-yaml-and-tests-ff7 <p>I built <code>cc-bash-guard</code>, a small policy engine for Claude Code Bash permissions.</p> <p>It runs as a Claude Code <code>PreToolUse</code> hook. Before Claude Code executes a Bash command, <code>cc-bash-guard</code> evaluates the command and returns <code>allow</code>, <code>ask</code>, or <code>deny</code>.</p> <p>GitHub:</p> <p><a href="https://github.com/tasuku43/cc-bash-guard" rel="noopener noreferrer">https://github.com/tasuku43/cc-bash-guard</a></p> <h2> TL;DR </h2> <p>If you want to allow only <code>git status</code>, you can write a rule like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git status</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">status</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/usr/bin/git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">bash</span><span class="nv"> </span><span class="s">-c</span><span class="nv"> </span><span class="s">'git</span><span class="nv"> </span><span class="s">status'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">env</span><span class="nv"> </span><span class="s">bash</span><span class="nv"> </span><span class="s">-c</span><span class="nv"> </span><span class="s">'git</span><span class="nv"> </span><span class="s">status'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">command</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">-C</span><span class="nv"> </span><span class="s">repo</span><span class="nv"> </span><span class="s">status"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">--force</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> </code></pre> </div> <p>This rule does not match the raw string <code>git status</code>.</p> <p>It matches a parsed semantic field: the <code>git</code> command whose <code>verb</code> is <code>status</code>. That means equivalent forms such as <code>/usr/bin/git status</code> or <code>bash -c 'git status'</code> can be treated as the same intent, while <code>git push --force origin main</code> does not match this rule.</p> <p>Claude Code's native permissions are still useful. <code>cc-bash-guard</code> is not a replacement for them. It is a semantic and testable policy layer you can add as a Bash hook.</p> <h2> Why string prefixes start to hurt </h2> <p>For simple cases, native permission patterns are enough. If you only care about <code>git status</code>, a prefix like <code>Bash(git status*)</code> can work.</p> <p>The problem is that agents do not always emit commands in the exact shape you expect. The same human intent can show up in several forms:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>/usr/bin/git status bash <span class="nt">-c</span> <span class="s1">'git status'</span> <span class="nb">env </span>bash <span class="nt">-c</span> <span class="s1">'git status'</span> <span class="nb">command </span>git status git <span class="nt">-C</span> repo status </code></pre> </div> <p>To a person, these are all basically "run git status". To a string prefix, they are different.</p> <p>If you broaden the pattern too much, you risk allowing things you did not mean to allow:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git push <span class="nt">--force</span> origin main git reset <span class="nt">--hard</span> git clean <span class="nt">-fdx</span> </code></pre> </div> <p>AWS has a similar problem. You may want to allow a read-only profile, ask for a write profile, and deny especially risky operations:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>aws <span class="nt">--profile</span> <span class="nb">readonly </span>sts get-caller-identity aws <span class="nt">--profile</span> write cloudformation deploy </code></pre> </div> <p>That is not "allow AWS" or "deny AWS". It is "look at the intent inside this command family".</p> <h2> What cc-bash-guard gives you </h2> <p>The main goals are:</p> <ul> <li>write permissions by semantic intent, not only command strings</li> <li>test the permissions you write</li> <li>keep the runtime hook lightweight even as the policy grows</li> </ul> <p>The semantic parser currently supports:</p> <ul> <li><code>git</code></li> <li><code>aws</code></li> <li><code>kubectl</code></li> <li><code>gh</code></li> <li><code>gws</code></li> <li><code>helm</code></li> <li><code>helmfile</code></li> <li><code>argocd</code></li> <li><code>terraform</code></li> <li><code>docker</code></li> </ul> <p>For these commands, rules can match fields such as subcommand, profile, namespace, HTTP method, dry-run, force flags, and similar command-specific fields.</p> <p>For commands without semantic support, you can still use <code>command.name</code>, <code>command.name_in</code>, or narrow raw regex <code>patterns</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">basic read-only tools</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name_in</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">pwd</span> <span class="pi">-</span> <span class="s">ls</span> <span class="pi">-</span> <span class="s">wc</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">pwd"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">ls"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">rm</span><span class="nv"> </span><span class="s">-rf</span><span class="nv"> </span><span class="s">tmp"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">narrow fallback pattern</span> <span class="na">patterns</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">^custom-tool</span><span class="se">\\</span><span class="s">s+status(</span><span class="se">\\</span><span class="s">s|$)"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">custom-tool</span><span class="nv"> </span><span class="s">status"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">custom-tool</span><span class="nv"> </span><span class="s">delete</span><span class="nv"> </span><span class="s">all"</span> </code></pre> </div> <p>The important part is to keep <code>allow</code> narrow. Prefer semantic rules when available. For unsupported commands, prefer <code>command.name</code> or <code>command.name_in</code>. Use <code>patterns</code> only when you really need raw string matching.</p> <h2> Verify once, evaluate fast </h2> <p>Policies tend to grow. If tests are part of the policy, an obvious question is:</p> <blockquote> <p>Does the hook run all those tests every time Claude Code executes Bash?</p> </blockquote> <p>No.</p> <p>You edit YAML files, then run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cc-bash-guard verify </code></pre> </div> <p><code>verify</code> checks the policy and tests, then writes verified data for the hook. At runtime, the hook uses that verified data instead of re-reading every YAML include and rerunning every test.</p> <p>Claude Code settings permissions are still part of the final decision. They are not bundled into the artifact, but their contents are part of the artifact fingerprint. If Claude Code settings change, you need to run <code>cc-bash-guard verify</code> again.</p> <p>If the verified data is missing, stale, or incompatible, the hook fails closed.</p> <p>The main commands are:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cc-bash-guard suggest <span class="s2">"git status"</span> <span class="c"># print a pasteable starter rule</span> cc-bash-guard verify <span class="c"># validate policy and write hook data</span> cc-bash-guard explain <span class="s2">"bash -c 'git status'"</span> <span class="c"># inspect why a command is allow/ask/deny</span> cc-bash-guard hook <span class="c"># evaluate Claude Code Bash calls</span> </code></pre> </div> <h2> Splitting read-only and destructive Git operations </h2> <p>The first example allowed only <code>git status</code>. In practice, you may want to allow several read-only Git verbs:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git read-only</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">verb_in</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">status</span> <span class="pi">-</span> <span class="s">diff</span> <span class="pi">-</span> <span class="s">log</span> <span class="pi">-</span> <span class="s">show</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">read-only</span><span class="nv"> </span><span class="s">commands"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">diff</span><span class="nv"> </span><span class="s">--cached"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">log</span><span class="nv"> </span><span class="s">--oneline"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">show</span><span class="nv"> </span><span class="s">HEAD"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> </code></pre> </div> <p><code>verb</code> matches a single semantic value. <code>verb_in</code> matches any value in a list.</p> <p>This rule allows common read-only Git commands. It does not match <code>git push</code>.</p> <p>For operations you explicitly want to block, add <code>deny</code> rules:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git force push</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">push</span> <span class="na">force</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">deny</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">force</span><span class="nv"> </span><span class="s">push"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">--force</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">-f</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git destructive cleanup</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">verb_in</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">reset</span> <span class="pi">-</span> <span class="s">clean</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">deny</span><span class="nv"> </span><span class="s">destructive</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">cleanup"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">reset</span><span class="nv"> </span><span class="s">--hard"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">clean</span><span class="nv"> </span><span class="s">-fdx"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">reset</span><span class="nv"> </span><span class="s">--soft</span><span class="nv"> </span><span class="s">HEAD~1"</span> </code></pre> </div> <p>This is the part that becomes awkward with shell regex alone. You have to think about option order, wrappers, absolute paths, and equivalent command forms.</p> <p>Semantic parsing does not prove safety. It just gives you a more precise way to express what you mean to allow, ask, or deny.</p> <h2> AWS by profile, service, and operation </h2> <p>AWS CLI commands also change meaning depending on profile, service, and operation.</p> <p>For example:</p> <ul> <li>allow a read-only profile</li> <li>ask for a write profile</li> <li>deny explicitly dangerous operations</li> </ul> <p>Profile-based rules can look like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS readonly profile</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">profile</span><span class="pi">:</span> <span class="s">readonly</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow</span><span class="nv"> </span><span class="s">AWS</span><span class="nv"> </span><span class="s">readonly</span><span class="nv"> </span><span class="s">profile"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">--profile</span><span class="nv"> </span><span class="s">readonly</span><span class="nv"> </span><span class="s">sts</span><span class="nv"> </span><span class="s">get-caller-identity"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">--profile</span><span class="nv"> </span><span class="s">readonly</span><span class="nv"> </span><span class="s">s3</span><span class="nv"> </span><span class="s">ls"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">--profile</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">cloudformation</span><span class="nv"> </span><span class="s">deploy"</span> <span class="na">ask</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS write profile</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">profile</span><span class="pi">:</span> <span class="s">write</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">AWS</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">profile</span><span class="nv"> </span><span class="s">requires</span><span class="nv"> </span><span class="s">confirmation"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">ask</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">--profile</span><span class="nv"> </span><span class="s">write</span><span class="nv"> </span><span class="s">cloudformation</span><span class="nv"> </span><span class="s">deploy"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">--profile</span><span class="nv"> </span><span class="s">readonly</span><span class="nv"> </span><span class="s">sts</span><span class="nv"> </span><span class="s">get-caller-identity"</span> </code></pre> </div> <p>If you want something narrower, match service and operation:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">AWS identity</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">aws</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">service</span><span class="pi">:</span> <span class="s">sts</span> <span class="na">operation</span><span class="pi">:</span> <span class="s">get-caller-identity</span> <span class="na">message</span><span class="pi">:</span> <span class="s2">"</span><span class="s">allow</span><span class="nv"> </span><span class="s">AWS</span><span class="nv"> </span><span class="s">identity</span><span class="nv"> </span><span class="s">check"</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">sts</span><span class="nv"> </span><span class="s">get-caller-identity"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">--profile</span><span class="nv"> </span><span class="s">readonly</span><span class="nv"> </span><span class="s">sts</span><span class="nv"> </span><span class="s">get-caller-identity"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">aws</span><span class="nv"> </span><span class="s">cloudformation</span><span class="nv"> </span><span class="s">deploy"</span> </code></pre> </div> <p>The point is not that profile names magically prove safety. IAM still matters. The point is that profile-based and operation-based permission rules are straightforward to express in YAML.</p> <h2> Rule-local tests and end-to-end tests </h2> <p>Rules can carry their own tests:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">permission</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git status</span> <span class="na">command</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">git</span> <span class="na">semantic</span><span class="pi">:</span> <span class="na">verb</span><span class="pi">:</span> <span class="s">status</span> <span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">--force</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> </code></pre> </div> <p>This is a rule-local test. It proves what this specific rule matches and does not match.</p> <p>But the final hook decision does not come from one rule alone. It can involve:</p> <ul> <li>multiple cc-bash-guard rules</li> <li>Claude Code settings permissions</li> <li>fallback behavior</li> <li>compound shell commands</li> </ul> <p>That is what top-level tests are for:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">test</span><span class="pi">:</span> <span class="na">allow</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">/usr/bin/git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">bash</span><span class="nv"> </span><span class="s">-c</span><span class="nv"> </span><span class="s">'git</span><span class="nv"> </span><span class="s">status'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">env</span><span class="nv"> </span><span class="s">bash</span><span class="nv"> </span><span class="s">-c</span><span class="nv"> </span><span class="s">'git</span><span class="nv"> </span><span class="s">status'"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">command</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">status"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">-C</span><span class="nv"> </span><span class="s">repo</span><span class="nv"> </span><span class="s">status"</span> <span class="na">ask</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> <span class="na">deny</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">--force</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">git</span><span class="nv"> </span><span class="s">status</span><span class="nv"> </span><span class="s">&amp;&amp;</span><span class="nv"> </span><span class="s">git</span><span class="nv"> </span><span class="s">push</span><span class="nv"> </span><span class="s">--force</span><span class="nv"> </span><span class="s">origin</span><span class="nv"> </span><span class="s">main"</span> <span class="na">abstain</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">unknown-tool</span><span class="nv"> </span><span class="s">status"</span> </code></pre> </div> <p>The compound example is important. If <code>git status</code> is allowed but <code>git push --force origin main</code> is denied, then:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git status <span class="o">&amp;&amp;</span> git push <span class="nt">--force</span> origin main </code></pre> </div> <p>should still deny.</p> <h2> What abstain means </h2> <p><code>abstain</code> means "no matching rule" or "this source has no opinion".</p> <p>It is not a final hook decision. If every source abstains, <code>cc-bash-guard</code> falls back to <code>ask</code>.</p> <p>Decision precedence is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>deny &gt; ask &gt; allow &gt; abstain </code></pre> </div> <p>Some examples:</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>cc-bash-guard policy</th> <th>Claude Code settings</th> <th>final decision</th> <th>Why</th> </tr> </thead> <tbody> <tr> <td><code>allow</code></td> <td><code>abstain</code></td> <td><code>allow</code></td> <td>policy allows and Claude settings have no matching rule</td> </tr> <tr> <td><code>allow</code></td> <td><code>ask</code></td> <td><code>ask</code></td> <td>explicit confirmation wins over allow</td> </tr> <tr> <td><code>allow</code></td> <td><code>deny</code></td> <td><code>deny</code></td> <td>deny wins</td> </tr> <tr> <td><code>ask</code></td> <td><code>allow</code></td> <td><code>ask</code></td> <td>ask is not overridden by allow</td> </tr> <tr> <td><code>deny</code></td> <td><code>allow</code></td> <td><code>deny</code></td> <td>deny wins</td> </tr> <tr> <td><code>abstain</code></td> <td><code>allow</code></td> <td><code>allow</code></td> <td>Claude settings allow when policy has no match</td> </tr> <tr> <td><code>abstain</code></td> <td><code>ask</code></td> <td><code>ask</code></td> <td>Claude settings ask when policy has no match</td> </tr> <tr> <td><code>abstain</code></td> <td><code>deny</code></td> <td><code>deny</code></td> <td>Claude settings deny when policy has no match</td> </tr> <tr> <td><code>abstain</code></td> <td><code>abstain</code></td> <td><code>ask</code></td> <td>no source matched, so ask</td> </tr> </tbody> </table></div> <p>This is one of the main reasons I wanted top-level tests. They let you test the final merged decision, not only a single rule.</p> <h2> Let Claude Code help maintain the policy </h2> <p>I do not expect people to hand-write a perfect policy on day one.</p> <p>The workflow I want is more like:</p> <ol> <li>write or ask Claude Code to draft rules</li> <li>add rule-local and top-level tests</li> <li>run <code>cc-bash-guard verify</code> </li> <li>inspect surprises with <code>cc-bash-guard explain</code> </li> <li>adjust rules and tests</li> </ol> <p>For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cc-bash-guard explain <span class="s2">"git push --force origin main"</span> cc-bash-guard explain <span class="nt">--why-not</span> allow <span class="s2">"git status &gt; /tmp/out"</span> </code></pre> </div> <p>The explain output is useful for humans, but it is also useful when asking Claude Code to improve the policy.</p> <p>You can say things like:</p> <blockquote> <p>Migrate my current Claude Code Bash permissions into cc-bash-guard policy.</p> </blockquote> <p>or:</p> <blockquote> <p>Explain why this command was denied, then update the rule and tests if needed.</p> </blockquote> <p>The important part is that the agent has a verification loop. It can edit YAML, run <code>verify</code>, inspect failures with <code>explain</code>, and iterate.</p> <p><code>suggest</code> is available too, but I treat it as a helper. It prints a pasteable starter rule. It does not automatically edit your config.</p> <h2> Hook setup </h2> <p>Claude Code calls <code>cc-bash-guard</code> as a <code>PreToolUse</code> hook.</p> <p><code>cc-bash-guard init</code> prints a hook configuration snippet you can add to Claude Code settings. It looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"matcher"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bash"</span><span class="p">,</span><span class="w"> </span><span class="nl">"hooks"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"command"</span><span class="p">,</span><span class="w"> </span><span class="nl">"command"</span><span class="p">:</span><span class="w"> </span><span class="s2">"cc-bash-guard hook"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>The hook receives the Bash command Claude Code is about to run. It evaluates the command using the verified policy artifact and current Claude Code settings, then returns:</p> <ul> <li> <code>allow</code>: skip the Claude Code permission prompt</li> <li> <code>ask</code>: ask the user to confirm</li> <li> <code>deny</code>: block the Bash tool call</li> </ul> <p>After editing policy files, included files, Claude Code settings, or upgrading the binary, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>cc-bash-guard verify </code></pre> </div> <p>The hook does not regenerate artifacts at runtime.</p> <h2> Closing </h2> <p>Claude Code Bash permissions are useful, but string patterns can become too coarse when you only want to slightly widen what is allowed.</p> <p><code>cc-bash-guard</code> fills that gap with semantic rules and tests.</p> <p>The goal is not only to lock everything down. It is to make common read-only operations smooth, keep risky or ambiguous commands visible, and leave a reviewed YAML trail of the decisions you want.</p> <p>Instead of trying to write the perfect policy upfront, you can grow it over time:</p> <ul> <li>this should pass</li> <li>this should be denied</li> <li>this should ask</li> <li>this near miss should stay outside the rule</li> </ul> <p>That is the workflow I wanted for Claude Code Bash permissions.</p> <p>GitHub:</p> <p><a href="https://github.com/tasuku43/cc-bash-guard" rel="noopener noreferrer">https://github.com/tasuku43/cc-bash-guard</a></p> claude bash security ai Tasuku Yamashita Mon, 02 Feb 2026 14:46:44 +0000 https://dev.to/tasuku43/manage-git-worktrees-declaratively-with-yaml-planapply-guardrails-gion-378n https://dev.to/tasuku43/manage-git-worktrees-declaratively-with-yaml-planapply-guardrails-gion-378n <p><strong>TL;DR:</strong> I built <strong>gion</strong>, a CLI to manage <strong>Git worktrees</strong> declaratively.<br><br> Write your desired state in <code>gion.yaml</code>, then <strong>plan/apply</strong> to create/update/cleanup in bulk <strong>with guardrails</strong>.<br><br> It also supports <strong>task-scoped workspaces</strong> (grouping multiple repos for a <strong>monorepo-like workflow</strong>) and fast navigation via <strong>giongo</strong>.</p> <p>Repo / docs:<br> <a href="https://github.com/tasuku43/gion" rel="noopener noreferrer">https://github.com/tasuku43/gion</a></p> <h2> Why I built this </h2> <p>After I started using AI coding agents more often, I ended up doing more parallel work. That naturally led me to <code>git worktree</code>.</p> <p>But the more parallel tasks I had, the more I kept asking myself:</p> <ul> <li>Where should I create the next worktree?</li> <li>Navigating across many worktrees is annoying.</li> <li>Can I delete this safely? (Or will I accidentally lose local changes?)</li> </ul> <p>There are already tools around worktrees, but I wanted two things in particular:</p> <p>1) <strong>Guardrails during cleanup</strong><br><br> I wanted to prevent “I didn’t mean to delete it, but it was deletable anyway.”</p> <p>2) <strong>Task-scoped workspaces</strong><br><br> I wanted a “box per task” that can contain <strong>one or more worktrees</strong>, possibly across <strong>multiple repositories</strong>, so I can run my coding agent from the workspace root — and then delete the whole box when done.</p> <p>That’s what <strong>gion</strong> is.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdqcs7okhzr8ui9o7ln8.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fgdqcs7okhzr8ui9o7ln8.gif" alt="Demo: gion reconciles workspaces via plan/apply (create/update/delete)" width="760" height="456"></a></p> <h2> Overview </h2> <p>The core workflow is <strong>Create / Move / Cleanup</strong>:</p> <ul> <li> <strong>Create</strong>: edit <code>gion.yaml</code> manually, or use <code>gion manifest add</code> (interactive) → <code>gion apply</code> (Plan → confirm → Apply)</li> <li> <strong>Move</strong>: use <code>giongo</code> to search and jump (no state changes)</li> <li> <strong>Cleanup</strong>: edit <code>gion.yaml</code> manually, or use <code>gion manifest gc</code> (automatic) / <code>gion manifest rm</code> (interactive) → <code>gion apply</code> (Plan → confirm → Apply)</li> </ul> <p>Tip: <code>gion manifest</code> can be shortened to <code>gion m</code> or <code>gion man</code>.</p> <h2> How it works: <code>gion.yaml</code> and the <code>manifest</code> subcommands </h2> <p>The center of gion is <strong><code>gion.yaml</code></strong>.</p> <ul> <li> <code>gion.yaml</code> is the <strong>source of truth</strong> (“desired state” / inventory).</li> <li> <code>gion manifest ...</code> is an <strong>entry point</strong> to update that YAML (you can also edit it directly).</li> <li>After any update (via command or direct editing), you run <strong><code>gion apply</code></strong> to reconcile the filesystem with the desired state.</li> <li> <code>gion apply</code> computes a <strong>plan</strong>, shows the diff, and then applies it when you confirm.</li> <li>By default, <code>gion manifest ...</code> will run <code>gion apply</code> after rewriting <code>gion.yaml</code>. Use <code>--no-apply</code> if you want to update <code>gion.yaml</code> only and apply later.</li> </ul> <h3> Terminology: worktree vs workspace </h3> <ul> <li>A <strong>Git worktree</strong> is a working directory that checks out a branch (or a specific commit).</li> <li>A <strong>workspace</strong> (in gion’s terms) is a <strong>task-scoped directory</strong> that can contain <strong>one or more worktrees</strong> — potentially from multiple repos.</li> </ul> <p>A typical layout looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>GION_ROOT/ ├─ gion.yaml # desired state (inventory) ├─ bare/ # shared bare repo store └─ workspaces/ # task-scoped workspaces ├─ PROJ-123/ # workspace_id (task) │ ├─ backend/ # worktree (repo: backend) │ ├─ frontend/ │ └─ docs/ └─ PROJ-456/ └─ backend/ </code></pre> </div> <h2> Create: review a plan, then create in bulk </h2> <p>There are two ways to declare “create this workspace”:</p> <ul> <li>Use <code>gion manifest add</code>, or</li> <li>Edit <code>gion.yaml</code> directly</li> </ul> <p>In both cases, you’re declaring a desired state first, and then reconciling with <strong><code>gion apply</code></strong>:<br> 1) compute the plan<br> 2) show the diff<br> 3) apply when you confirm</p> <h3> Four creation modes </h3> <p><code>gion manifest add</code> supports four entry paths:</p> <ul> <li><code>repo</code></li> <li><code>issue</code></li> <li><code>review</code></li> <li><code>preset</code></li> </ul> <p>The entry point differs, but the destination is the same: everything ends up in <code>gion.yaml</code> as desired state.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqeedcq6ufp7q11726t1c.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqeedcq6ufp7q11726t1c.png" alt="Screenshot: gion manifest add modes (repo/issue/review/preset)" width="800" height="211"></a></p> <h4> <code>issue</code> / <code>review</code>: queue up many, then apply once </h4> <p>If you use <code>issue</code> / <code>review</code>, you’ll need the <code>gh</code> CLI (GitHub-only).<br> These correspond to <code>--issue</code> / <code>--review</code>.</p> <p>The intended flow is:</p> <ul> <li>select multiple Issues / PRs</li> <li>add them to <code>gion.yaml</code> </li> <li>run <code>gion apply</code> once</li> <li>review the plan, then apply</li> </ul> <p>This is great when you want to spin up many review/issue worktrees quickly.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftfe4u3a1iz9uppv1kw4u.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ftfe4u3a1iz9uppv1kw4u.gif" alt="Demo: select multiple Issues/PRs and create worktrees in one apply" width="800" height="600"></a></p> <h4> <code>repo</code>: create a single workspace quickly </h4> <p>If you just want the fastest “create one workspace”, <code>repo</code> is the simplest:</p> <ul> <li>choose a repo</li> <li>set a workspace id</li> <li>confirm the plan</li> <li>apply</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmokwx7dosfgl3rtj7im7.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmokwx7dosfgl3rtj7im7.png" alt="Screenshot: repo mode (create one workspace quickly)" width="800" height="467"></a></p> <h4> <code>preset</code>: group multiple repos under one task workspace (monorepo-like workflow) </h4> <p>A workspace is a “task box”, so it’s common to want something like:</p> <ul> <li>backend + frontend + docs</li> <li>backend + infra</li> <li>or any other multi-repo set</li> </ul> <p>With <strong>presets</strong>, you define the set once, and then reuse it to create workspaces repeatedly.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57acy19xsjfgt4do8179.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F57acy19xsjfgt4do8179.png" alt="Screenshot: create a preset (define a reusable repo set)" width="800" height="555"></a></p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7aqcmz5e0etprx10d46m.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7aqcmz5e0etprx10d46m.png" alt="Screenshot: create a workspace from a preset (multi-repo)" width="800" height="555"></a></p> <h4> Direct YAML editing </h4> <p>Direct editing is useful when you want to:</p> <ul> <li>adjust branch names in bulk</li> <li>create/remove multiple workspaces at once</li> <li>refactor/reorganize existing definitions</li> </ul> <p>After editing, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>gion apply </code></pre> </div> <p>You’ll get a plan showing <strong>creates / deletes / updates</strong> together, so you can calmly review what will happen before applying.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpsperyjrfddicopxrbba.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fpsperyjrfddicopxrbba.png" alt="Screenshot: plan shows create/delete/update changes together" width="800" height="339"></a></p> <h2> Move: search and jump to a workspace/worktree </h2> <p>Once worktrees start to accumulate, you waste time thinking:</p> <blockquote> <p>“Where was I working on that?”</p> </blockquote> <p>For navigation, use <strong><code>giongo</code></strong> (installed alongside <code>gion</code> via Homebrew/mise).</p> <ul> <li> <code>giongo</code> does <strong>not</strong> change any state.</li> <li>It lists both <strong>workspaces</strong> and <strong>worktrees</strong>, and lets you filter and select.</li> <li>Select a <strong>workspace</strong> → jump to the workspace directory</li> <li>Select a <strong>worktree</strong> → jump to that repo’s working directory</li> </ul> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffi7w0edfr2ktvxpkvono.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Ffi7w0edfr2ktvxpkvono.gif" alt="Demo: giongo lists and jumps to workspaces/worktrees" width="800" height="430"></a></p> <h3> Shell integration: make <code>giongo</code> change directories </h3> <p>If you want selection → <code>cd</code>, you need a small shell integration. The README includes options, but the simplest is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">eval</span> <span class="s2">"</span><span class="si">$(</span>giongo init<span class="si">)</span><span class="s2">"</span> </code></pre> </div> <p>(That prints a function you can paste into <code>~/.zshrc</code> or <code>~/.bashrc</code> for permanent setup.)</p> <h2> Cleanup: conservative <code>gc</code>, and guarded <code>rm</code> </h2> <p>As worktrees pile up, you eventually pause and ask:</p> <blockquote> <p>“Is it safe to delete this?”</p> </blockquote> <p>gion splits cleanup into two commands:</p> <ul> <li> <code>gion manifest gc</code>: <strong>automatic, conservative cleanup</strong> </li> <li> <code>gion manifest rm</code>: <strong>manual selection with guardrails</strong> </li> </ul> <h3> <code>gion manifest gc</code>: conservative auto-cleanup </h3> <p><code>gion manifest gc</code> proposes candidates that are <strong>highly likely safe</strong> to delete.</p> <p>For example:</p> <ul> <li>workspaces whose checked-out branches are already merged into the default branch can be reclaimed</li> <li>anything ambiguous (uncommitted / unpushed / unreadable state, etc.) is excluded by default</li> <li>even “created but no commits” workspaces are excluded so you don’t delete something by accident</li> </ul> <p>In short: <code>gc</code> aims to keep false-positives very low.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F90lzkd6aubtu9p87o4z5.png" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F90lzkd6aubtu9p87o4z5.png" alt="Screenshot: gc classifies safe-to-delete candidates conservatively" width="800" height="416"></a></p> <h3> <code>gion manifest rm</code>: manual removal, with guardrails </h3> <p><code>gion manifest rm</code> is for cases where <strong>a human decides</strong> what to delete.</p> <p>It supports interactive selection and then a final confirmation. During selection, each workspace gets lightweight tags like:</p> <ul> <li><code>[dirty]</code></li> <li><code>[unpushed]</code></li> <li><code>[diverged]</code></li> <li><code>[unknown]</code></li> </ul> <p>What those mean:</p> <ul> <li> <strong>dirty</strong>: working tree has uncommitted changes (including untracked files or conflicts)</li> <li> <strong>unpushed</strong>: your local branch is ahead of upstream (has commits not pushed)</li> <li> <strong>diverged</strong>: local and upstream have both advanced (ahead and behind)</li> <li> <strong>unknown</strong>: cannot be determined (no upstream, detached HEAD, git error, etc.)</li> </ul> <p>When you delete something risky (e.g., <code>dirty</code>), the <strong>plan</strong> will show a risk summary (e.g., <code>risk: dirty (unstaged=2)</code>) and (for dirty cases) the changed files, so you can sanity-check quickly before you confirm.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jdlxkz8lggmv0l5kk8n.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F2jdlxkz8lggmv0l5kk8n.gif" alt="Demo: rm shows risk and changed files in the plan before deletion" width="800" height="600"></a></p> <h3> Cleanup via direct YAML editing </h3> <p>You can also remove workspaces by editing <code>gion.yaml</code> directly.</p> <p>Even then, <code>gion apply</code> will:</p> <ul> <li>clearly show what will be removed in the plan</li> <li>ask for a confirmation before destructive changes</li> </ul> <p>So if you get nervous, you can just answer <code>n</code> and stop.</p> <h2> Closing </h2> <p>Installation (Homebrew / mise) and full usage examples are in the GitHub README. If you’ve ever felt the pain of worktree sprawl — especially in multi-repo tasks — I’d love for you to try <strong>gion</strong> and share feedback.</p> <p><a href="https://github.com/tasuku43/gion" rel="noopener noreferrer">https://github.com/tasuku43/gion</a></p> git github productivity cli