Refines the file-exclusion (permissions.deny) recommendations so they reliably save tokens:
- Security vs. noise excludes are now separated. Security-critical paths (.env, secrets/, credentials) stay top-priority because Claude never reads them, so they are a pure win. Convenience excludes (node_modules, build output) are now suggestions, recommended only as narrow, specific paths.
- New token-cost guidance. Deny rules save tokens only when Claude never tries the path. A broad rule on a path Claude actively wants causes repeated permission-denied feedback that accumulates in context. The playbook, checklist, template, and audit now prefer narrow paths (Read(./logs/**)) over broad globs (Read(./**/*.log)).
- Audit no longer over-prioritizes missing convenience excludes.
Doc-only change. No code or behavior changes. Thanks to a community user for surfacing the tradeoff.
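
An added example, not part of the playbook or its audit: a small Python check that applies the security/convenience split and the narrow-versus-broad preference described above to a permissions.deny list. The keyword list, the breadth heuristic, the settings layout, and the sample rules are assumptions made for illustration.

```python
import json
import re

# Assumption: substrings that mark a rule as security-critical,
# taken from the paths named in the note (.env, secrets/, credentials).
SECURITY_HINTS = (".env", "secrets", "credentials")
RULE_RE = re.compile(r"^(?P<tool>\w+)\((?P<path>.+)\)$")


def classify(rule):
    """Return (kind, breadth) for one deny rule such as 'Read(./logs/**)'."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ("unparsed", "unknown")
    path = m.group("path")
    kind = "security" if any(h in path for h in SECURITY_HINTS) else "convenience"
    # Heuristic (assumption): '**' before the last segment matches at any depth
    # (./**/*.log), while a trailing '**' covers one named subtree (./logs/**).
    segments = [s for s in path.split("/") if s not in (".", "")]
    breadth = "broad" if "**" in segments[:-1] else "narrow"
    return (kind, breadth)


def audit(settings_json):
    """List findings: broad convenience globs and missing security excludes."""
    deny = json.loads(settings_json).get("permissions", {}).get("deny", [])
    findings = []
    for rule in deny:
        if classify(rule) == ("convenience", "broad"):
            findings.append((rule, "narrow to a specific path"))
    covered = " ".join(deny)
    for hint in SECURITY_HINTS:
        if hint not in covered:
            findings.append((hint, "missing security-critical exclude"))
    # Missing convenience excludes are deliberately not reported.
    return findings


# Constructed sample settings (assumed layout: permissions.deny as a list).
SAMPLE = json.dumps({"permissions": {"deny": [
    "Read(./.env)", "Read(./secrets/**)",
    "Read(./logs/**)", "Read(./**/*.log)",
]}})

if __name__ == "__main__":
    for subject, message in audit(SAMPLE):
        print(f"{subject}: {message}")
```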