⚠ The “YOLO Mode” Problem
Too many developers are running Claude Code with --dangerously-skip-permissions or tapping “approve all” on every prompt. That flag exists for a reason — the word “dangerously” is right there in the name. We’ve seen Claude accidentally delete project files, overwrite .env secrets, run rm -rf in the wrong directory, and execute sudo commands that modified system files. A proper settings.json file lets you work at full speed without any of that risk.
What This Guide Covers
- ☐ Where your settings.json file lives (Mac, Windows, & Linux)
- ☐ The difference between user, project, and local settings
- ☐ A copy-and-paste safe settings.json you can use today
- ☐ What every rule does and why it’s there
- ☐ How to customize it for your specific stack
- ☐ The commands you should never auto-approve
- ☐ How to disable bypass permissions mode entirely
Just want the file? Grab it and go.
101 deny rules • 162 allow rules • bypass mode disabled
Unzip → drop into ~/.claude/ → restart Claude Code
Find Your Settings File
Claude Code reads settings from a hierarchy of files. For your global defaults (what we’re configuring here), you want the user settings file:
Mac/Linux: ~/.claude/settings.json
Open in Terminal: nano ~/.claude/settings.json or code ~/.claude/settings.json
Windows: %USERPROFILE%\.claude\settings.json
Open in PowerShell: code "$env:USERPROFILE\.claude\settings.json"
WSL: ~/.claude/settings.json
Same as Linux — it’s your WSL home directory.
Don’t have a ~/.claude/ directory yet? Create it: mkdir -p ~/.claude (Mac/Linux) or mkdir "$env:USERPROFILE\.claude" (Windows PowerShell). Claude Code creates this directory automatically on first run, but you can set it up ahead of time.
Understand the Hierarchy
Claude Code merges settings from multiple files. Higher-priority files override lower ones. Here’s the order (highest priority first):
| Priority | File | Purpose |
|---|---|---|
| 1 (highest) | managed-settings.json | Enterprise/admin policies. Can’t be overridden. |
| 2 | CLI flags | Temporary per-session overrides. |
| 3 | .claude/settings.local.json | Your personal project overrides (gitignored). |
| 4 | .claude/settings.json | Shared project settings (committed to git). |
| 5 (lowest) | ~/.claude/settings.json | Your global user defaults. This is what we’re editing. |
💡 Key Insight
Rules merge across files — they don’t replace. If your user settings allow Bash(git:*) and your project settings add Bash(npm run test:*), both rules apply. But within a single file, evaluation order is always: deny → ask → allow. Deny rules always win.
The Safe Settings File
Copy and paste this into your ~/.claude/settings.json. It auto-approves common safe development commands while blocking anything that could damage your system, leak secrets, or modify files outside your project.
🚫 DENY Rules — Always Blocked
These are evaluated first and override everything else, even allow rules. 101 rules across 5 categories:
Destructive System Commands
rm -rf • rm -r / • sudo • su • chmod 777 • chown • shutdown • reboot • halt • poweroff • init • mkfs • fdisk • dd • mount/umount • eval • exec
Network & Remote Access
ssh • scp • rsync • sftp • ftp • nc/ncat/netcat • nmap • telnet • iptables • ufw • curl|bash • wget|bash
System-Level Package Installs
brew install • apt install • apt-get install • yum install • dnf install • pacman -S • snap install • npm install -g • pip install • gem install • cargo install
Destructive Git Operations
git push • git push --force • git reset --hard • git clean -fd
Secrets & Credentials (Read, Write, & Edit blocked)
.env / .env.* • *.pem / *.key / *.p12 / *.pfx / *.jks • *secret* / *credential* / *password* • .aws/ • .ssh/ • .gnupg/ • .config/gcloud/ • .azure/ • .kube/config • .docker/config.json • .npmrc / .pypirc / .netrc • .git-credentials • .htpasswd • id_rsa* / id_ed25519* / id_ecdsa*
✅ ALLOW Rules — Auto-Approved
162 granular rules that let you work at full speed. Organized by category:
File Operations
Read • Edit • MultiEdit • Write • Glob • Grep • LS • Task
Safe Git (granular — push/reset/clean stay in deny)
git status • git log • git diff • git show • git branch • git checkout • git switch • git add • git commit • git stash • git merge • git rebase • git fetch • git pull • git tag • git remote -v • git blame
Shell Utilities (read-only & safe ops)
ls • cat • head • tail • less • echo • mkdir • touch • cp • mv • find • grep • rg • ag • fd • wc • sort • sed • awk • diff • tee • xargs • which • file • stat • du • df • pwd • date • jq • yq • tree • tar • unzip • base64 • md5sum • sha256sum
JavaScript / Node Ecosystem
npm run/test/build/dev/lint/ci/install • npx • yarn run/test/build/dev/lint/install • pnpm run/test/build/dev/install • bun run/test/install • node • tsx • ts-node • tsc • eslint • prettier • jest • vitest • mocha • playwright
Python Ecosystem
python / python3 • pip list/show/freeze/check • poetry run/show/check • pytest • mypy • ruff • black • isort • flake8 • pylint
Rust, Go, & Build Tools
make • cmake • cargo build/test/run/check/clippy/fmt • go build/test/run/vet/fmt/mod
Safe File Permissions & Cleanup
chmod +x • chmod 755 • chmod 644 • ln -s • rm (without -rf)
🔒 CRITICAL: Bypass Mode Disabled
The file includes "disableBypassPermissionsMode": "disable" — this prevents --dangerously-skip-permissions from working, even if someone tries to use it. The nuclear option is off the table.
Understanding the Patterns
Here’s the pattern syntax so you can customize the file for your own stack:
| Pattern | What It Means |
|---|---|
| Bash(git status:*) | Allow bash commands starting with git status. The :* is a wildcard for all arguments. |
| Read(**/.env) | Block reading any file named .env at any directory depth. **/ = any path. |
| Read(**/*.pem) | Block reading any .pem file at any depth. |
| Read | Allow reading files generally. Deny rules override for specific sensitive patterns. |
| Write / Edit | Allow writing/editing files. Deny rules block .env, keys, and certs. |
| Task | Allow Claude to spawn sub-agent tasks for parallel work. |
⚠ Why We Don’t Allow Bash(*)
Some guides tell you to allow Bash with no pattern, which auto-approves every bash command. That’s essentially the same as bypass mode. Our approach explicitly lists safe commands so anything unexpected still prompts you for approval.
Customize for Your Stack
The settings.json file already covers JS, Python, Rust, and Go. Here are additional lines you can add to the allow array:
| Stack | Add to “allow” array |
|---|---|
| Docker | "Bash(docker:*)", "Bash(docker-compose:*)" |
| Ruby / Rails | "Bash(bundle:*)", "Bash(rails:*)", "Bash(rake:*)" |
| PHP / Laravel | "Bash(composer:*)", "Bash(php:*)", "Bash(artisan:*)" |
| Java / Kotlin | "Bash(gradle:*)", "Bash(mvn:*)", "Bash(java:*)" |
| Terraform | "Bash(terraform plan:*)" — plan only, not apply |
| Web tools | "WebFetch", "WebSearch" |
💡 Pro Tip: Use Project-Level Settings Too
Keep your global ~/.claude/settings.json lean with universally safe commands. Then add project-specific tools to .claude/settings.local.json inside each project.
Install It (60 Seconds)
Open your terminal
Mac: Terminal or iTerm. Windows: PowerShell. Linux: any terminal emulator.
Create the directory (if needed)
Mac/Linux: mkdir -p ~/.claude
Windows: New-Item -Path "$env:USERPROFILE\.claude" -ItemType Directory -Force
Download the settings.json file
Grab our pre-built, battle-tested settings file — 101 deny rules, 162 allow rules, bypass mode disabled:
Unzip and place the file at:
Mac/Linux: ~/.claude/settings.json
Windows: %USERPROFILE%\.claude\settings.json
Or create the file manually: nano ~/.claude/settings.json (Mac/Linux) or notepad "$env:USERPROFILE\.claude\settings.json" (Windows) and paste the contents.
Restart Claude Code
Close and reopen your session. New settings take effect immediately on the next start.
Verify with /permissions
Inside Claude Code, type /permissions to see all active rules and which file they came from. Confirm your deny and allow rules loaded.
Never Auto-Approve These
If you’re building your own settings from scratch, these should always be in your deny list:
| Command | Why It’s Dangerous |
|---|---|
| rm -rf | Recursive force delete. Wipes entire directories instantly with no undo. |
| sudo / su | Elevated privileges. Could modify system files, install anything, or break your OS. |
| ssh / scp | Remote access. Could connect to production servers or exfiltrate data. |
| eval / exec | Arbitrary code execution. Runs anything Claude constructs dynamically. |
| dd | Raw disk writes. Can overwrite your boot drive or destroy partitions. |
| git push / reset --hard | Pushes to remotes or destroys local history. Should always be a deliberate human action. |
| pip/npm/brew install | Global/system package installs. Can introduce supply chain vulnerabilities. |
| .env / .pem / .key | Contain secrets, API keys, passwords, and certificates. Reading leaks them into context. |
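To check a settings.json against the table above and the Bash(*) warning, here is an added example (not part of the original guide or its downloadable file) that audits the permissions block. The audit helper, its finding strings, and the sample config are constructed for illustration, and the word-boundary prefix match is a simplification of how Claude Code matches rules.

```python
import json

# Command prefixes taken from the "Never Auto-Approve These" table.
MUST_DENY = ["rm -rf", "sudo", "su", "ssh", "scp", "eval", "exec", "dd",
             "git push", "git reset --hard"]
# File patterns shown in the "Understanding the Patterns" table.
MUST_DENY_FILES = ["Read(**/.env)", "Read(**/*.pem)"]

def bash_prefix(rule):
    """'' for blanket Bash / Bash(*), the command prefix for Bash(cmd:*), else None."""
    if rule == "Bash":
        return ""
    if not (rule.startswith("Bash(") and rule.endswith(")")):
        return None
    inner = rule[5:-1]
    inner = inner[:-2] if inner.endswith(":*") else inner
    return "" if inner in ("", "*") else inner

def covers(prefix, command):
    """True when a rule prefix matches the command on a word boundary (simplified)."""
    return prefix == "" or command == prefix or command.startswith(prefix + " ")

def audit(settings):
    """Return findings for a parsed settings.json dict (empty list = passes)."""
    perms = settings.get("permissions", {})
    allow, deny = perms.get("allow", []), perms.get("deny", [])
    deny_prefixes = [p for p in map(bash_prefix, deny) if p is not None]
    findings = []
    if any(bash_prefix(r) == "" for r in allow):
        findings.append("blanket Bash allow")
    if perms.get("disableBypassPermissionsMode") != "disable":
        findings.append("bypass mode not disabled")
    for cmd in MUST_DENY:
        if not any(covers(p, cmd) for p in deny_prefixes):
            findings.append(f"no deny rule covers: {cmd}")
    findings += [f"missing deny: {r}" for r in MUST_DENY_FILES if r not in deny]
    return findings

# Constructed sample config, not the guide's downloadable file.
SAMPLE = json.loads("""{
  "permissions": {
    "allow": ["Read", "Bash(git status:*)", "Bash(*)"],
    "deny": ["Bash(rm -rf:*)", "Bash(sudo:*)", "Bash(git push:*)", "Read(**/.env)"]
  }
}""")

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To audit your own file, pass `json.load(open(path))` to `audit` and treat any non-empty result as a reason to edit the deny list before relying on auto-approval.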
Disclaimer: This guide is provided for educational and informational purposes only. Aprendio LLC and its employees, agents, and affiliates make no warranties, express or implied, regarding the completeness, accuracy, or reliability of this information. Use of the provided settings.json configuration is entirely at your own risk. Aprendio LLC shall not be held liable for any damages, data loss, system corruption, security breaches, or other losses arising from the use or misuse of any information, configuration files, or recommendations contained in this guide. Always test configuration changes in a safe, non-production environment before deploying to your primary development setup. Claude Code and its settings system are products of Anthropic, PBC — Aprendio is not affiliated with Anthropic.
© 2026 Aprendio LLC. All rights reserved. Free to share with attribution.

