claude-code-permissionslisted

# Claude Code Permissions ## When to Use - Configuring Claude Code permissions to reduce or eliminate prompts - Debugging why a tool call is being blocked or prompted - Setting up managed / worker agents (e.g. a supervisor that spawns Claude Code children) with correct permissions - Understanding how `--settings`, `--allowedTools`, `--disallowedTools` interact - Designing safe-by-default permission configs for autonomous agents ## Permission Modes | Mode | `defaultMode` value | Auto-approves | Notes | |---|---|---|---| | Ask Permissions | `default` | Read only | Most restrictive | | Auto Accept Edits | `acceptEdits` | Read + Edit | **Recommended baseline** | | Plan Mode | `plan` | Read only, blocks all writes/execution | Exploration only | | Don't Ask | `dontAsk` | Only tools in `allow` list | Fully non-interactive; unlisted tools silently skipped | | Bypass Permissions | `bypassPermissions` | Everything | No safety net, not recommended | ## Rule Evaluation Order **First match wins, checked in this order:** ``` 1. deny → BLOCKED unconditionally 2. ask → user PROMPTED for confirmation 3. allow → APPROVED without prompting 4. mode → fallback to defaultMode behavior ``` `deny` always beats `allow`. Safe to broadly allow + specifically deny. ## Pattern Syntax ### Tool matching ```json "Bash" // ALL bash commands (bare tool name) "Write" // ALL file writes "Read" // ALL file reads "Agent" // ALL agent spawns "Web