claude-chillbro

Auto-approves obviously-safe Bash commands so Claude Code stops asking permission for every grep, cat, and ls. Static allowlist (read-only ops), static asklist (destructive ops), self-learning (commands you've approved twice get auto-approved next time), and a headless 'claude -p' classifier as a last-resort fallback for unknown commands.

claude-chillbro

A Claude Code plugin that stops the model from asking permission for every grep, cat, ls, and new file you ask it to create.

"Allow Bash(ls -la)?" "Allow Write to src/foo.ts?" "Allow Bash(grep -r foo .)?"

You know the feeling. chillbro fixes it.

What it does

Six layers, in order:

Static asklist (~75 patterns). Destructive operations like rm -rf, sudo, git push --force, git reset --hard, prisma migrate reset, curl -X POST, kill -9, anything touching .env* or ~/.ssh/id_* always prompt you. Never auto-allowed.
Context-aware probes. git push to main/master asks, push to feature branch allows. gh pr|issue|release create|merge asks on public repos, allows on private.
Inline interpreter scanner. python -c, node -e, perl -e, ruby -e, deno, bun invocations have their inline code statically scanned for dangerous tokens. Clean code (pure data inspection, arithmetic, JSON parsing) auto-allows with no LLM call. Suspect code defers to the next layer.
Learned auto-allow. Commands you've manually approved twice (in their normalized form) get appended to ~/.claude-chillbro/learned-allow.txt and auto-allowed thereafter. See Self-learning below.
Static allowlist (~110 patterns). Read-only operations like ls, cat, grep, rg, git status, git log, git diff, pnpm test, pnpm install, tsc --noEmit, cargo check, pytest get auto-approved. No prompt, no delay.
LLM waterfall for anything still unknown:
- Layer A: direct Anthropic API call to Haiku 4.5 (~400-900ms). Active when ANTHROPIC_API_KEY is set.
- Layer B: headless claude -p --model haiku (slow cold start, no key needed). Reuses your existing Claude Code authentication.
- Layer C: defaults to ask. Always reachable.

The LLM also receives the model's description field as intent. A destructive command can classify SAFE if the intent describes an equivalent scope (e.g. rm -rf <dir> + intent "remove the now-empty old branch dir after move"). A command that exceeds the stated scope still classifies RISKY.

For file writes: in-project paths auto-allow (creating new files is the whole point of asking the model to create new files). Out-of-cwd writes, .env*, .aws/credentials, .ssh/id_*, secrets/, and credentials.{json,yml,toml,env} always prompt.

Self-learning

After two successful executions of the same command (in its normalized form) that wasn't already on the static allow list, chillbro promotes it to ~/.claude-chillbro/learned-allow.txt and auto-allows it on every future invocation. Promotion is based on PostToolUse hook firings with exit code 0 — typically that means you approved the command at the permission prompt, and then it ran clean. Static-allow commands never get counted (they're already auto-allowed; no need to track).

Every promotion is recorded in ~/.claude-chillbro/learned-allow.log (timestamp + source + normalized command) so you can audit what was added and when. Inspect / curate from the CLI:

chillbro learn list                # alphabetical dump of learned patterns
chillbro learn audit               # recent promotions, newest first
chillbro learn add "<cmd>"         # manually promote a command (source=manual in audit)
chillbro learn forget "<cmd>"      # remove a learned pattern (use exact normalized form)
``` Normalization replaces variable bits (paths, hashes, URLs, branch names) with placeholders so different invocations of the "same" command map to the same key:

git checkout feature/foo -> git checkout pnpm test src/foo.test.ts -> pnpm test curl https://api.x.io/y -> curl


Edit `~/.claude-chillbro/learned-allow.txt` directly to prune mistakes.

## Context-aware probes

A handful of patterns need runtime context to classify correctly. chillbro inspects the environment and decides:

- **`git push`**: targets `main` or `master`, ask. Targets a feature branch, allow.
- **`gh pr|issue|release create|merge`**: public repo (per `gh repo view`), ask. Private or internal repo, allow.

Probe results are cached in memory for the lifetime of the hook process.

## Install

Source repo:

```bash
git clone https://github.com/HthSolid/claude-chillbro ~/Documents/projects/claude-chillbro

Symlink into Claude Code's plugin directory so edits to source apply live:

mkdir -p ~/.claude/plugins
ln -s ~/Documents/projects/claude-chillbro ~/.claude/plugins/claude-chillbro

Restart Claude Code. The hooks fire automatically. No ~/.claude/settings.json changes needed.

You can also install via the hte-claude-tools marketplace:

claude plugin add-marketplace github:HthSolid/hte-claude-tools
claude plugin install claude-chillbro

claude-chillbro

Popularity

What's Inside

README

claude-chillbro

What it does

Self-learning

Requirements

Confidence

Similar Plugins

ecc

feature-dev

ralph-loop

anthropic-essentials

chrome-devtools-mcp

agent-skills

More by HthSolid

claude-dejavu

Popularity

Health & Quality

More by HthSolid

claude-dejavu

Similar Plugins

ecc

feature-dev

ralph-loop

anthropic-essentials

chrome-devtools-mcp

agent-skills