Agent Code Academy
Appendix G

Permissions, Sandbox & Security

Permission Modes

Mode               Description
default            Standard behavior — prompts for permission on first use of each tool
plan               Plan Mode — Claude can analyze but not modify files or execute commands
acceptEdits        Auto-accepts file edit permissions for the session
dontAsk            Auto-denies tools unless pre-approved via /permissions or permissions.allow rules
delegate           Coordination-only mode for agent team leads. Restricts to team management tools
bypassPermissions  Skips ALL permission prompts. Only use in isolated environments (containers/VMs)

Set the mode via defaultMode in settings or the --permission-mode flag, or toggle it with /permissions.

Permission Rule Syntax

Rules follow the format Tool or Tool(specifier). Evaluated in order: deny → ask → allow (first match wins).

Bash rules — glob patterns with *:

  • Bash(npm run *) — any npm run command
  • Bash(git commit *) — any git commit
  • Bash(* --version) — any version check

Read/Edit rules — gitignore-style paths:

  • Read(./.env) — deny reading .env (relative to cwd)
  • Edit(/src/**/*.ts) — relative to settings file
  • Read(~/.zshrc) — home directory
  • Edit(//tmp/scratch.txt) — absolute path (// prefix)

MCP rules: mcp__server__tool or mcp__server__*

Subagent rules: Task(Explore), Task(my-custom-agent)

Sandbox

The sandbox provides OS-level enforcement that restricts the Bash tool's filesystem and network access:

  • sandbox.enabled: true — enable sandbox
  • sandbox.autoAllowBashIfSandboxed: true — auto-approve Bash when sandboxed
  • sandbox.excludedCommands: ["docker"] — commands that bypass sandbox
  • sandbox.network.allowedDomains: ["github.com", "*.npmjs.org"] — network allowlist
  • Filesystem restrictions use Read/Edit deny rules (not separate config)
  • Permissions + sandbox = defense-in-depth (two complementary layers)
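
An added example (not part of the original appendix, and not Claude Code's own tooling): a small Python audit that flags settings which weaken the permission or sandbox layer described above. The sample settings are constructed, and placing defaultMode and deny under "permissions" is an assumption of this example.

```python
import json

# Constructed sample settings, not taken from the page. Key names follow the page;
# placing defaultMode and deny under "permissions" is an assumption of this example.
SAMPLE = json.loads("""{
  "permissions": {
    "defaultMode": "bypassPermissions",
    "allow": ["Bash(*)", "Bash(npm run *)"],
    "deny": ["Read(~/.zshrc)"]
  },
  "sandbox": {
    "enabled": true,
    "autoAllowBashIfSandboxed": true,
    "excludedCommands": ["docker"],
    "network": {"allowedDomains": ["github.com", "*"]}
  }
}""")

def audit_settings(settings):
    """Return (check_id, detail) findings for settings that weaken either layer."""
    findings = []
    perms = settings.get("permissions", {})
    sandbox = settings.get("sandbox", {})
    if perms.get("defaultMode") == "bypassPermissions":
        findings.append(("mode-bypass", "all permission prompts are skipped"))
    for rule in perms.get("allow", []):
        # A bare tool name or a lone * specifier matches every Bash command.
        if rule in ("Bash", "Bash(*)"):
            findings.append(("allow-any-bash", rule))
    # Heuristic: expect at least one Read deny rule that mentions .env.
    if not any(r.startswith("Read(") and ".env" in r for r in perms.get("deny", [])):
        findings.append(("env-not-denied", "no Read deny rule covers .env"))
    if not sandbox.get("enabled", False):
        findings.append(("sandbox-off", "Bash has no OS-level enforcement"))
        return findings
    excluded = sandbox.get("excludedCommands", [])
    if excluded:
        # Excluded commands bypass the sandbox, so list them for separate review.
        findings.append(("unsandboxed-commands", ", ".join(excluded)))
    if "*" in sandbox.get("network", {}).get("allowedDomains", []):
        # Constructed case: a bare wildcard would make the allowlist meaningless.
        findings.append(("network-wildcard", "allowedDomains contains *"))
    return findings

if __name__ == "__main__":
    for check_id, detail in audit_settings(SAMPLE):
        print(f"{check_id}: {detail}")
```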

Managed Settings (Enterprise)

Managed settings are deployed to system directories by IT administrators and cannot be overridden by user or project settings.

  • macOS: /Library/Application Support/ClaudeCode/managed-settings.json
  • Linux/WSL: /etc/claude-code/managed-settings.json

Managed-only settings:

  • disableBypassPermissionsMode — prevent bypassPermissions mode
  • allowManagedPermissionRulesOnly — only managed permission rules apply
  • allowManagedHooksOnly — block user/project/plugin hooks
  • strictKnownMarketplaces — control plugin marketplace access

Exercise: Configure a project settings file with permission rules that allow Bash(npm *) and Bash(git *) while denying Read(./.env*) and Read(./secrets/**). Test that Claude respects the rules.