Issue 03 | Understanding the Underlying Trust Model of Claude Code
🎯 Learning Objectives
By the end of this issue, you will understand:
- Claude Code's permission layering mechanism (Plan / Default / Auto / BypassPermissions)
- Which operations require user confirmation and which are automatically approved
- How to configure custom permission rules to protect sensitive files
📖 Core Concepts Explained
3.1 Four Permission Modes
Claude Code controls the AI's behavioral boundaries through Permission Modes:
╭─ Permission Mode Comparison ────────────────────────╮
│ │
│ 🔒 Plan Mode Read-only analysis, no file modification │
│ ├── Available Tools: Read, Glob, Grep, WebFetch │
│ └── Unavailable: Write, Edit, Bash, Git │
│ │
│ 🔐 Default Mode Read, write, execute; sensitive operations require confirmation │
│ ├── Auto-approved: Read, Glob, Grep │
│ └── Requires confirmation: Write, Edit, Bash │
│ │
│ ⚡ Auto Mode Automatically approved based on preset rules │
│ ├── User-defined allowlist │
│ └── Operations not on the list still require confirmation │
│ │
│ ⚠️ BypassPermissions Skips all permission checks │
│ ├── All operations execute automatically │
│ └── Only for trusted environments like CI/CD │
│ │
╰──────────────────────────────────────────────────────╯
📚 Official Documentation Reference: Permission Modes
3.2 Tool Permission Categories
Each Tool has clear permission requirements:
| Permission Level | Tool | Description |
|---|---|---|
| No Confirmation Needed | Read, Glob, Grep, LS, WebFetch |
Read-only operations, safe |
| Requires User Confirmation | Write, Edit, Bash, NotebookEdit |
Modifies files or executes commands |
| Special Permissions | EnterWorktree, CronCreate |
Creates worktrees or scheduled tasks |
3.3 Custom Permission Rules
Configured via .claude/settings.json or user global ~/.claude/settings.json:
{
"permissions": {
"allow": [
"Bash(npm test)",
"Bash(npm run lint)",
"Bash(git status)",
"Bash(git diff *)",
"Bash(git log *)"
],
"deny": [
"Bash(rm -rf *)",
"Bash(sudo *)",
"Bash(curl * | bash)"
]
}
}
Rule Syntax:
Bash(npm test)— Exact matchBash(git *)— Wildcard matches all git subcommandsWrite(src/**)— Only allows writing to the src directoryEdit(*.config.*)— Prohibits editing configuration files
💻 Simulating Claude TUI Interaction
Scenario 1: Permission Confirmation in Default Mode
> Delete all deprecated files in the src/legacy/ directory
╭─ Claude ────────────────────────────────────────────╮
│ │
│ I'll help you clean up deprecated files. First, let me see which files exist: │
│ │
│ 🔍 Using tool: Glob (src/legacy/**) │
│ → Found 12 files │
│ │
│ Here is the list of files under src/legacy/: │
│ • src/legacy/old-router.ts (replaced by app-router) │
│ • src/legacy/utils-v1.ts (migrated to utils-v2.ts) │
│ • ... 12 files in total │
│ │
│ ⚠️ Tool request: Bash │
│ Command: rm -rf src/legacy/ │
│ │
│ ╭─────────────────────────────────────────────╮ │
│ │ [Y] Allow [n] Deny [e] Edit command │ │
│ │ [a] Always allow this tool │ │
│ ╰─────────────────────────────────────────────╯ │
│ │
╰──────────────────────────────────────────────────────╯
Note that Glob (read-only) executed automatically, but Bash (delete command) requires your confirmation.
Scenario 2: Switching to Plan Mode
> (Press Shift+Tab)
╭─ Mode Switched ─────────────────────────────────────╮
│ │
│ 🔒 Plan Mode activated │
│ │
│ Claude can only: │
│ ✅ Read files ✅ Search code │
│ ✅ Analyze structure ✅ Ask questions │
│ │
│ Claude cannot: │
│ ❌ Write/edit files ❌ Run commands │
│ ❌ Create commits ❌ Modify anything │
│ │
╰──────────────────────────────────────────────────────╯
> Analyze the security vulnerabilities in this project's authentication module
╭─ Claude (Plan Mode) ────────────────────────────────╮
│ │
│ 🔍 Using tool: Read (src/auth/jwt.ts) │
│ 🔍 Using tool: Read (src/middleware/auth.ts) │
│ 🔍 Using tool: Grep ("secret" across src/**) │
│ │
│ ## Security Analysis Report │
│ │
│ ⚠️ Found 3 potential issues: │
│ │
│ 1. JWT Secret hardcoded on line 12 of jwt.ts │
│ → Should be moved to environment variables │
│ │
│ 2. Token expiration set to 30 days, recommended ≤ 24 hours │
│ │
│ 3. Missing refresh token mechanism │
│ → Old tokens remain valid after user logout │
│ │
│ 📝 These are purely analytical results; I have not modified any files. │
│ Switch to Default Mode to allow me to help you fix them. │
│ │
╰──────────────────────────────────────────────────────╯
💻 Code Demo: Configuring Auto Mode
# View current Auto Mode default rules
claude auto-mode defaults
# Export default rules to a JSON file
claude auto-mode defaults > auto-rules.json
# Load custom rules after editing
claude auto-mode config
# Specify Auto Mode at startup
claude --permission-mode auto
Auto Mode Rule Configuration Example
{
"auto_approve": [
"Read",
"Glob",
"Grep",
"Bash(npm test *)",
"Bash(npm run *)",
"Bash(git status)",
"Bash(git diff *)",
"Bash(git add *)",
"Write(src/**)",
"Edit(src/**)"
],
"always_deny": [
"Bash(rm -rf *)",
"Bash(sudo *)",
"Write(.env*)",
"Edit(.env*)"
]
}
🔧 Involved Tools / CLI
| Tool/Command | Purpose |
|---|---|
Shift+Tab |
Switch permission mode within the terminal |
claude --permission-mode plan |
Specify Plan Mode at startup |
claude --permission-mode auto |
Specify Auto Mode at startup |
/permissions |
View current permission rules in session |
claude auto-mode defaults |
View/export Auto Mode rules |
.claude/settings.json |
Project-level permission configuration |
~/.claude/settings.json |
Global permission configuration |
📝 Key Takeaways from this Issue
- Claude Code has four permission modes: Plan, Default, Auto, BypassPermissions
- Read-type tools (Read, Glob, Grep) are automatically approved by default
- Write/execute-type tools (Write, Edit, Bash) require user confirmation
- Use
.claude/settings.jsonto fine-tune permission rules for each tool - Plan Mode is the safe starting point for unfamiliar codebases — analyze first, then act