Safer Alternative to Bypass Permissions: Allow + Deny Lists in Claude Code
See more in Claude Code / Skills βExact instruction
- Instead of enabling bypass permissions entirely:
- Go into Claude Code permissions settings.
- Build an allow list: add every command you know is safe (e.g. npm run, git status, reading files). Claude will run these instantly without asking.
- Build a deny list: add anything potentially destructive (e.g. rm -rf, git push --force, sudo). Claude will block these explicitly and cannot be overridden.
- This gives bypass-level speed for safe commands while keeping hard guardrails on dangerous ones.
Suggested prompt
Set up an allow list and deny list in this project's Claude Code permissions. Allow list: npm run, git status, git log, git diff, reading files. Deny list: rm -rf, git push --force, sudo, DROP TABLE. Show me the settings.json changes.
Adopt?
Yes: This allow/deny list pattern is directly applicable to this project right now β we run in bypass mode but should have explicit deny rules for rm -rf and git push --force. General Claude Code update.
Find the resource
Creator @itsmariahbrunner shares her exact allow + deny list when you comment "safety". This can also be configured via Claude Code /permissions or in settings.json under the allowedTools and blockedTools fields.
show original captionhide original caption
comment "safety" and I'll send you my exact allow + deny list :) scared to turn on bypass permissions? build two lists instead: an allow list for safe stuff (npm run, git status, reading files) so it just runs a deny list for the scary stuff (rm -rf, git push βforce, sudo) it can never cross #claude #claudeai #aitips #claudecode #aiworkflow