claude-security-settings

# Claude Code Security Settings

Expert knowledge for configuring Claude Code security and permissions.

## Core Concepts

Claude Code provides multiple layers of security:
1. **Permission wildcards** - Granular tool access control
2. **Shell operator protections** - Prevents command injection
3. **Project-level settings** - Scoped configurations

## Permission Configuration

### Settings File Locations

| File | Scope | Priority |
|------|-------|----------|
| `~/.claude/settings.json` | User-level (all projects) | Lowest |
| `.claude/settings.json` | Project-level (committed) | Medium |
| `.claude/settings.local.json` | Local project (gitignored) | Highest |

### Permission Structure

```json
{
  "permissions": {
    "allow": [
      "Bash(git status:*)",
      "Bash(npm run:*)"
    ],
    "deny": [
      "Bash(rm -rf:*)",
      "Bash(sudo:*)"
    ]
  }
}
```

## Wildcard Permission Patterns

### Syntax

```
Bash(command:*)
```

- `Bash()` - Tool identifier
- `command` - Command prefix to match
- `:*` - Wildcard suffix matching any arguments

### Pattern Examples

| Pattern | Matches | Does NOT Match |
|---------|---------|----------------|
| `Bash(git:*)` | `git status`, `git diff HEAD` | `git-lfs pull` |
| `Bash(npm run:*)` | `npm run test`, `npm run build` | `npm install` |
| `Bash(gh pr:*)` | `gh pr view 123`, `gh pr create` | `gh issue list` |
| `Bash(./scripts/:*)` | `./scripts/test.sh`, `./scripts/build.sh` | `/scripts/other.sh` |

### Pattern Best Practices

**Granular permissions:**
```json
{
  "permissions": {
    "allow": [
      "Bash(git status:*)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git add:*)",
      "Bash(git commit:*)"
    ]
  }
}
```

**Tool-specific patterns:**
```json
{
  "permissions": {
    "allow": [
      "Bash(bun test:*)",
      "Bash(bun run:*)",
      "Bash(biome check:*)",
      "Bash(prettier:*)"
    ]
  }
}
```

## Shell Operator Protections

Claude Code 2.1.7+ includes built-in protections against dangero