Rule Reference

SEC489lintai-ai-securitygovernancehardeningpreviewclaude_settingswarn

Claude settings: shared pnpm dlx Bash permissions

Claude settings permissions allow `Bash(pnpm dlx ...)` in a shared committed config

Public lane: governance
Category: hardening
Provider: lintai-ai-security
Scope: per-file
Surface: claude_settings
Tier: preview
Severity: warn
Confidence: high
Detection: structural
Remediation: message only

How to read this lane

Shared authority and workflow policy review.

How to read this category

Least-privilege, provenance, or operational hygiene signal.

Activation Model

Preset Activation

These presets explain where this rule appears in the product experience.

governancesidecar lane

claudesurface preset

Lifecycle

Stable Lifecycle Contract

State

stable

Graduation rationale

Checks shared committed Claude settings for exact `Bash(pnpm dlx ...)` mutable package-runner authority.

Deterministic signal basis

ClaudeSettingsSignals exact permission detection for `Bash(pnpm dlx ...)` entries inside permissions.allow.

Malicious corpus

claude-settings-mutable-runner-permissions

Benign corpus

claude-settings-package-runner-specific-safe

structured evidence required remediation reviewed

Canonical note

Structural preview rule; deterministic today, but the preview contract may still evolve.

Nearby Signals

Related Rules

SEC385Claude settings: shared git push permissionsClaude settings permissions allow `Bash(git push)` in a shared committed configgovernancehardeningclaude_settings

SEC386Claude settings: shared git checkout permissionsClaude settings permissions allow `Bash(git checkout:*)` in a shared committed configgovernancehardeningclaude_settings

SEC387Claude settings: shared git commit permissionsClaude settings permissions allow `Bash(git commit:*)` in a shared committed configgovernancehardeningclaude_settings

SEC388Claude settings: shared git stash permissionsClaude settings permissions allow `Bash(git stash:*)` in a shared committed configgovernancehardeningclaude_settings

SEC399Claude settings: shared npx Bash permissionsClaude settings permissions allow `Bash(npx ...)` in a shared committed configgovernancehardeningclaude_settings

SEC406Claude settings: shared git add permissionsClaude settings permissions allow `Bash(git add:*)` in a shared committed configgovernancehardeningclaude_settings

SEC489 / CLAUDE-PNPM-DLX-PERMISSION

SEC489 flags shared Claude settings when permissions.allow grants Bash(pnpm dlx ...).

Why It Matters

pnpm dlx executes packages without requiring a checked-in wrapper or reviewed installation path. In shared Claude settings, that creates a mutable package-runner trust boundary for the whole team.

Trigger Shape

The rule triggers only when all of these are true:

the file is a detected Claude settings surface
the path is not fixture-like
permissions.allow contains a string that starts with Bash(pnpm dlx

Clean Cases

These stay clean:

narrower non-dlx commands such as Bash(pnpm install)
settings without Bash(pnpm dlx ...)
fixture-like examples under test or fixture paths

Example Trigger

json

{
  "permissions": {
    "allow": ["Bash(pnpm dlx cowsay:*)", "Read(*)"]
  }
}

Safer Example

json

{
  "permissions": {
    "allow": ["Bash(pnpm install)", "Read(*)"]
  }
}

How To Fix

Replace shared Bash(pnpm dlx ...) permissions with a pinned wrapper or a narrower reviewed command permission that does not grant mutable package execution by default.

Claude settings: shared pnpm dlx Bash permissions

Preset Activation

Stable Lifecycle Contract

Related Rules

SEC489 / CLAUDE-PNPM-DLX-PERMISSION ​

Why It Matters ​

Trigger Shape ​

Clean Cases ​

Example Trigger ​

Safer Example ​

How To Fix ​