Permissions Deep Dive

Three tiers of risk — with fine-grained rule syntax.

Read-only (file reads, grep, glob): No Approval
No approval needed. Claude can read any file in your working directory freely.

Bash commands (shell execution): Permanent / Project
Requires approval. Once approved, permission persists for the entire project (permanent per command pattern).

File modifications (create, edit, delete): Session Only
Requires approval. Permission lasts until session end only — must re-approve next session.

Permission Rule Syntax
Bash(npm run *)       allow npm scripts
Read(./.env)          control env file reads
Edit(/src/**/*.ts)    scope to TS files

Precedence Order
deny > ask > allow
A deny rule always wins, regardless of where it appears.

Notes

Deny rules are absolute

A deny rule always wins, regardless of where it's defined. This makes guardrails reliable: a project-level deny cannot be overridden by a more permissive user setting.
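To make the precedence concrete, the sketch below resolves tool calls against rules from two settings scopes. It is an added example, not Claude Code's own matcher: `parse_rule`, `decide`, the sample settings, the `fnmatch`-based pattern matching and the `ask` default for unmatched calls are all assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Precedence stated on this page: deny > ask > allow.
PRECEDENCE = ("deny", "ask", "allow")

def parse_rule(rule):
    """Split 'Tool(pattern)' into (tool, pattern); a bare 'Tool' matches any argument."""
    tool, sep, rest = rule.partition("(")
    if not sep:
        return tool, "*"
    if not rest.endswith(")"):
        raise ValueError(f"malformed rule: {rule!r}")
    return tool, rest[:-1]

def decide(tool, arg, *scopes, default="ask"):
    """Return the effective decision for one tool call across all settings scopes."""
    for decision in PRECEDENCE:           # strictest decision is checked first
        for scope in scopes:              # scope order cannot change the outcome
            for rule in scope.get(decision, []):
                rule_tool, pattern = parse_rule(rule)
                # Simplified glob: fnmatch's '*' also crosses '/' (assumption).
                if rule_tool == tool and fnmatchcase(arg, pattern):
                    return decision
    return default                        # assumption: unmatched calls prompt

# Constructed sample settings: a permissive user scope, a stricter project scope.
USER_SETTINGS = {"allow": ["Read(./.env)", "Bash(npm run *)", "Bash(git *)"]}
PROJECT_SETTINGS = {
    "deny": ["Read(./.env)"],
    "ask": ["Bash(git push *)"],
    "allow": ["Edit(/src/**/*.ts)"],
}

if __name__ == "__main__":
    calls = [
        ("Read", "./.env"),                # user allow vs project deny
        ("Bash", "git push origin main"),  # broad allow vs narrower ask
        ("Bash", "git status"),
        ("Edit", "/src/api/user.ts"),
        ("Bash", "curl example.com"),      # no rule matches
    ]
    for tool, arg in calls:
        result = decide(tool, arg, USER_SETTINGS, PROJECT_SETTINGS)
        print(f"{tool}({arg}) -> {result}")
```

The user-level `Read(./.env)` allow never takes effect because the project-level deny is evaluated first, and swapping the order in which the scopes are passed gives the same result.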


Start strict, relax selectively

Begin with Ask Every Time for unfamiliar repos. As you learn which commands and edits are safe, add allow rules for those specific patterns. Never start permissive and try to lock down later.
