.claude/settings.json: prune server-specific entries; consolidate redundant ones

The previous snapshot of settings.json was a verbatim dump from one
Mastodon-server install — it carried allowlist entries that won't
match anywhere else and a lot of narrow rules already subsumed by
broader wildcards.

Removed (server-specific, dead weight on other hosts):
- /home/mastodon/* paths and Mastodon .env.production sed/chmod/chown
- signers.online and auto.signers.online curl/openssl probes
- mastodon-web / mastodon-streaming / mastodon-sidekiq journalctl
- n8n journalctl, windmill journalctl + binary
- /usr/local/bin/fail2ban-ignoreip and the hardcoded IP 76.95.82.63
- nslookup signers.live, nginx site-availables grep with literal paths
- /var/log/nginx/access.log* zcat probes (path-specific)
- StatusReactions / status_quoted grep over Mastodon's frontend tree

Removed (redundant, covered by broader wildcard already in the list):
- All narrow Bash(systemctl <verb>:*) entries — Bash(systemctl:*) covers
- All narrow Bash(git ...) entries — Bash(git:*) covers
- All narrow Bash(curl ...) probes — Bash(curl:*) covers
- Bash(rkhunter --update), Bash(rkhunter --propupd) — Bash(rkhunter:*) covers
- Bash(sysctl -a) — Bash(sysctl:*) covers

Kept: tmux/git/curl/sudo/find/ls/cat plus generic system-admin verbs
(systemctl, sysctl, crontab, iptables, ufw, firewall-cmd, fail2ban-client,
apt/apt-get/dpkg, mount, netstat, openssl, lsmod, last, nginx, redis-cli,
rkhunter, aideinit, getent, sqlite3, dig, ulimit, getenforce, aa-status)
plus Read(//home/**), Read(//opt/**), Read(//etc/nginx/sites-{enabled,available}/**).

Net: 5004 -> 1434 bytes (57 lines), still valid JSON, behavior on a
fresh host is identical for the kept verbs and tighter for the dropped
ones (host-specific allows just won't match anything anyway).

If you re-run install.sh on this host, the slim version replaces the
fat one; the fat one survives in ~/.drunkendotfiles.bak.<ts>/ for
recovery.

.claude/settings.json

@@ -2,105 +2,52 @@
   "permissions": {
     "allow": [
       "Bash(tmux source-file:*)",
-      "Bash(git config:*)",
+      "Bash(git:*)",
-      "Read(//home/mastodon/live/**)",
+      "Bash(curl:*)",
-      "Bash(sed -i '/^$/N;/^\\\\n# Facebook Webhook/,/^MASTODON_BOT_ACCESS_TOKEN=.*/{ /# Facebook Webhook/d; /FACEBOOK_VERIFY_TOKEN/d; /FACEBOOK_APP_SECRET/d; /FACEBOOK_PAGE_ACCESS_TOKEN/d; /MASTODON_BOT_ACCESS_TOKEN/d }' .env.production)",
+      "Bash(sudo:*)",
-      "Bash(head -10 grep -rn \"StatusReactions\\\\|status_reactions\" /home/mastodon/live/app/javascript/mastodon/features/)",
+      "Bash(find:*)",
-      "Bash(ls -lt /home/mastodon/live/public/packs/status_quoted-*.js)",
+      "Bash(ls:*)",
+      "Bash(cat:*)",
+      "Bash(systemctl:*)",
+      "Bash(sysctl:*)",
+      "Bash(crontab:*)",
+      "Bash(dig:*)",
+      "Bash(ulimit:*)",
       "Bash(python3:*)",
       "Bash(iptables:*)",
       "Bash(ip6tables:*)",
       "Bash(ufw status:*)",
       "Bash(firewall-cmd:*)",
-      "Bash(systemctl status:*)",
-      "Bash(sysctl -a)",
-      "Bash(sysctl:*)",
       "Bash(apt list:*)",
+      "Bash(apt-get install:*)",
+      "Bash(apt-get upgrade:*)",
       "Bash(dpkg:*)",
-      "Bash(systemctl list-units:*)",
       "Bash(fail2ban-client status:*)",
+      "Bash(fail2ban-client set:*)",
       "Bash(aa-status)",
       "Bash(getenforce)",
-      "Bash(crontab:*)",
       "Bash(mount)",
       "Bash(netstat -tuln)",
-      "Bash(systemctl is-enabled:*)",
+      "Bash(netstat -tlnp)",
-      "Bash(usermod -s /usr/sbin/nologin mastodon)",
-      "Bash(usermod -s /usr/sbin/nologin postgres)",
-      "Bash(systemctl daemon-reload:*)",
-      "Bash(systemctl restart:*)",
-      "Bash(apt-get upgrade:*)",
-      "Bash(curl -sI https://auto.signers.online/webhook/ -o /dev/null -w \"%{http_code}\")",
-      "Bash(curl -sI https://auto.signers.online/ -o /dev/null -w \"%{http_code}\")",
       "Bash(openssl x509:*)",
-      "Bash(systemctl list-timers:*)",
+      "Bash(openssl rand:*)",
-      "Bash(find:*)",
       "Bash(grep -v \"^$\")",
       "Bash(du -sh /var/log/*)",
       "Bash(lsmod)",
       "Bash(xargs ls:*)",
       "Bash(last:*)",
-      "Bash(netstat -tlnp)",
-      "Bash(systemctl cat:*)",
-      "Bash(ls:*)",
-      "Bash(chmod 600 /home/mastodon/live/.env.development /home/mastodon/live/.env.test /home/mastodon/live/.env.vagrant /home/mastodon/live/.env.production)",
-      "Bash(openssl rand:*)",
       "Bash(nginx:*)",
       "Bash(redis-cli:*)",
-      "Bash(curl -sI https://signers.online/ -o /dev/null -w \"%{http_code}\")",
-      "Bash(systemctl is-active:*)",
-      "Bash(curl -sI https://auto.signers.online/)",
-      "Bash(apt-get install:*)",
-      "Bash(rkhunter --update)",
-      "Bash(rkhunter --propupd)",
       "Bash(rkhunter:*)",
-      "Bash(journalctl -u mastodon-web --since \"5 min ago\" --no-pager)",
-      "Bash(journalctl -u mastodon-web --since \"1 min ago\" --no-pager -l)",
-      "Bash(chown mastodon:mastodon /home/mastodon/live/.env.production /home/mastodon/live/.env.development /home/mastodon/live/.env.test /home/mastodon/live/.env.vagrant)",
       "Bash(aideinit)",
-      "Bash(curl -kI https://signers.online/nonexistent-path)",
-      "Bash(dig:*)",
-      "Bash(openssl s_client -connect signers.online:443 -servername signers.online)",
-      "Bash(ulimit:*)",
-      "Bash(systemctl:*)",
-      "Bash(cat:*)",
-      "Bash(curl -sI https://signers.online/assets/test-nonexistent.js)",
       "Bash(npm --version)",
       "Bash(ruby --version)",
       "Bash(getent passwd:*)",
       "Bash(sqlite3:*)",
-      "Bash(curl -sI https://signers.online/ --connect-timeout 5 -o /dev/null -w \"http_code:%{http_code} time:%{time_total}\")",
-      "Bash(fail2ban-client set:*)",
-      "Bash(chmod 755 /usr/local/bin/fail2ban-ignoreip)",
-      "Bash(/usr/local/bin/fail2ban-ignoreip 76.95.82.63)",
-      "Bash(git -C /home/mastodon/live status -s)",
-      "Bash(git -C /home/mastodon/live diff --stat)",
-      "Bash(git:*)",
-      "Bash(curl:*)",
-      "Bash(nslookup signers.live)",
-      "Bash(journalctl -u n8n --since \"1 min ago\" --no-pager)",
-      "Bash(journalctl -u n8n --since \"10 sec ago\" --no-pager)",
-      "Bash(journalctl -u n8n --since \"30 sec ago\" --no-pager)",
-      "Bash(sudo:*)",
-      "Bash(journalctl -u mastodon-web --since \"1 hour ago\" --no-pager)",
-      "Bash(journalctl -u mastodon-streaming --since \"1 hour ago\" --no-pager)",
-      "Bash(chown mastodon:mastodon *)",
-      "Bash(journalctl -u mastodon-web -u mastodon-sidekiq --since \"10 minutes ago\")",
-      "Bash(journalctl -u mastodon-web --since \"10 minutes ago\")",
-      "Bash(journalctl -u nginx --since \"1 hour ago\")",
-      "Bash(zcat -f /var/log/nginx/access.log.1 /var/log/nginx/access.log)",
-      "Bash(zcat -f /var/log/nginx/access.log*)",
       "Read(//home/**)",
       "Read(//opt/**)",
-      "Bash(journalctl -u windmill --since \"2 hours ago\")",
       "Read(//etc/nginx/sites-enabled/**)",
-      "Read(//etc/nginx/sites-available/**)",
+      "Read(//etc/nginx/sites-available/**)"
-      "Bash(journalctl -u windmill --since \"1 day ago\")",
-      "Bash(journalctl -u windmill --since \"2026-04-10\" --until \"2026-04-14\")",
-      "Bash(journalctl -u windmill -n 100000)",
-      "Bash(/usr/local/bin/windmill --version)",
-      "Bash(journalctl -u windmill -n 500)",
-      "Bash(grep -l 'root ' /etc/nginx/sites-available/*)"
     ],
     "defaultMode": "auto"
   },