{
  "//": "Capa 3 (barrera determinista). Va en .claude/settings.json de tu repo.",
  "permissions": {
    "deny": [
      "Read(.env)",
      "Read(.env.*)",
      "Read(**/.env)",
      "Read(**/.env.*)",
      "Edit(.env)",
      "Edit(**/.env)",
      "Bash(cat .env*)",
      "Bash(printenv:*)",
      "Bash(env:*)",
      "Edit(producto/constitucion.md)",
      "Write(producto/constitucion.md)",
      "Edit(fabrica/constitucion-fabrica.md)",
      "Write(fabrica/constitucion-fabrica.md)"
    ]
  },
  "hooks": {
    "PostToolUse": [
      {
        "matcher": "Write|Edit",
        "hooks": [
          {
            "type": "command",
            "command": "cd \"$CLAUDE_PROJECT_DIR\" && uv run ruff check --fix src/ tests/ 2>/dev/null; uv run ruff format src/ tests/ 2>/dev/null; true"
          }
        ]
      }
    ],
    "Stop": [
      {
        "hooks": [
          {
            "type": "command",
            "command": "cd \"$CLAUDE_PROJECT_DIR\" && git add -A && git diff-index --quiet HEAD || git commit -m \"checkpoint: $(date +%H:%M)\" 2>/dev/null || true"
          }
        ]
      }
    ]
  }
}
