Phase 1 · Foundation · 10 min · 6 steps

settings.json + Permissions — stop the permission popup spam

By default Claude Code asks before running any new shell command. Configure permission scopes once and the right things become auto-allowed forever.


settings.json + Permissions

Claude Code has a permission system that asks before running any shell command, MCP tool, or destructive operation. Out of the box it's safe but noisy. After 50 prompts it gets old.

The fix is a permissions block in ~/.claude/settings.json. You declare patterns to auto-allow and patterns to auto-deny, and Claude stops asking.

Step 1: The four permission categories

| Category | Format | Example |
|---|---|---|
| Bash commands | Bash(<pattern>) | Bash(git status), Bash(npm test:*) |
| File reads | Read(<glob>) | Read(./**), Read(~/.claude/**) |
| File edits | Edit(<glob>) | Edit(./src/**) |
| MCP tools | mcp__<server>__<tool> | mcp__github__list_issues, mcp__memory__nex_search |

Each entry can use * for wildcards: Bash(npm:*) matches any npm subcommand, Bash(git status) matches that exact command.

Step 2: Build a sensible allowlist

Edit ~/.claude/settings.json and add a permissions.allow block. Start with read-only commands you trust:

{
  "permissions": {
    "allow": [
      "Bash(ls)",
      "Bash(ls *)",
      "Bash(pwd)",
      "Bash(cat *)",
      "Bash(git status)",
      "Bash(git diff:*)",
      "Bash(git log:*)",
      "Bash(git branch:*)",
      "Bash(npm test)",
      "Bash(npm run test:*)",
      "Bash(npm run build)",
      "Bash(npx tsc:*)",
      "Bash(node --version)"
    ]
  }
}

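These are all read-only or test-only. Auto-allowing them removes 80% of the popup spam without unlocking anything dangerous, as long as you trust the repository you are working in: npm test and npm run build execute whatever scripts the project's package.json defines, and cat * can read any file your user account can.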

Step 3: Block the dangerous patterns explicitly

Even with the bash safety hook in place (recipe 1.3), defense in depth helps. Add to settings.json:

{
  "permissions": {
    "deny": [
      "Bash(rm -rf:*)",
      "Bash(git push --force:*)",
      "Bash(curl * | bash)",
      "Bash(curl * | sh)",
      "Bash(:(){ :|:& };:)"
    ]
  }
}

Deny rules win over allow rules. Patterns that match a deny entry get blocked even if they'd match an allow entry.

Step 4: MCP tool permissions

After you install MCP servers (next phase), they show up in ~/.claude.json. By default each tool call asks for permission. Add safe ones to the allowlist:

{
  "permissions": {
    "allow": [
      "mcp__memory__nex_search",
      "mcp__memory__nex_recall",
      "mcp__github__list_issues",
      "mcp__github__get_file_contents",
      "mcp__brave-search__brave_web_search"
    ]
  }
}

Read-only tools are safe to auto-allow. Anything that writes (creates issues, sends emails, modifies files) — leave it as a prompt for now.

Step 5: Use the fewer-permission-prompts skill

Claude Code ships with a skill that scans your transcripts for repeated permission prompts on read-only commands and proposes additions to your allowlist. Run it after a few sessions:

Trigger by saying "scan my transcripts for permission patterns to allow" — the skill picks the right candidates and adds them to your project's `.claude/settings.json` (NOT the global one) by default.

Step 6: Verify

Run aiguide_validate_step. The validator parses ~/.claude/settings.json and confirms it's valid JSON. To verify the permissions actually work, try Bash(git status) — it should run without asking. Then try Bash(rm -rf /tmp/test-dir-that-doesnt-exist) — it should be blocked.
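The deny-over-allow precedence from Step 3 and the two checks in Step 6 can be modelled offline. This is an added example, not part of the original recipe and not Claude Code's own matcher: the functions `matches`, `decide` and `lint`, the sample settings, and the simplified matching rules (a trailing `:*` as a prefix match, any other `*` as a wildcard) are assumptions made for illustration.

```python
import json
import re

# Constructed sample that mixes entries from Steps 2-4 with two mistakes.
SAMPLE = json.loads("""{"permissions": {
  "allow": ["Bash(git status)", "Bash(git diff:*)", "Bash(npm run test:*)",
            "Bash(rm -rf:*)", "Read(./**)", "mcp__github__list_issues",
            "bash(ls)"],
  "deny":  ["Bash(rm -rf:*)", "Bash(git push --force:*)"]}}""")

# The four entry shapes from the Step 1 table.
ENTRY = re.compile(r"^(?:(Bash|Read|Edit)\((.+)\)|mcp__[\w-]+__[\w-]+)$")


def bash_patterns(entries):
    """Return the inner pattern of every well-formed Bash(...) entry."""
    found = (ENTRY.match(e) for e in entries)
    return [m.group(2) for m in found if m and m.group(1) == "Bash"]


def matches(pattern, command):
    """Assumed semantics: 'x:*' is a prefix match on x; any other '*' is a wildcard."""
    if pattern.endswith(":*"):
        prefix = pattern[:-2]
        return command == prefix or command.startswith(prefix + " ")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, command) is not None


def decide(settings, command):
    """Deny wins over allow; anything unmatched still prompts."""
    perms = settings.get("permissions", {})
    for verdict in ("deny", "allow"):
        if any(matches(p, command) for p in bash_patterns(perms.get(verdict, []))):
            return verdict
    return "ask"


def lint(settings):
    """Flag entries that fit no Step 1 shape and allow entries repeated verbatim in deny."""
    perms = settings.get("permissions", {})
    allow, deny = perms.get("allow", []), perms.get("deny", [])
    findings = [("malformed", e) for e in allow + deny if not ENTRY.match(e)]
    findings += [("shadowed-by-deny", e) for e in allow if e in deny]
    return findings


if __name__ == "__main__":
    for cmd in ("git status", "rm -rf /tmp/test-dir-that-doesnt-exist", "npm install"):
        print(f"{decide(SAMPLE, cmd):5}  {cmd}")
    for kind, entry in lint(SAMPLE):
        print(f"{kind}: {entry}")
```

To audit your own file, replace SAMPLE with the parsed contents of ~/.claude/settings.json; a "shadowed-by-deny" finding means an allow entry is dead weight because the same pattern is denied.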

A well-tuned permissions block makes the assistant feel responsive instead of cautious. The first time you go five prompts in a row without a popup is the moment Claude Code stops being a tool you tolerate and starts being one you trust.

Client check · run on your machine
python3 -m json.tool ~/.claude/settings.json > /dev/null && echo "valid" || echo "invalid or missing"
Expect: Prints "valid".
If stuck: Fix the JSON syntax — settings.json must parse, even if it is just `{}`.