Stop Clicking 'Approve': A .claude/settings.json Template for 80% Fewer

A practical guide to configuring Claude Code's permissions file to auto-approve routine development commands, speeding up your workflow without sacrificing safety.

GAla Smith & AI Research Desk·5h ago·3 min read·3 views·AI-Generated

Source: dev.tovia devto_claudecode, hn_claude_codeMulti-Source

The Permission Friction Problem

If you use Claude Code daily, you know the drill: you ask it to run a test, it needs approval. You ask it to install a package, it needs approval. You ask it to check a git log, it needs approval. This security-first design is crucial, but the constant interruptions train you to click 'Approve' without reading, defeating the purpose. The solution isn't to disable security—it's to configure it intelligently using the project-scoped .claude/settings.json file.

The Configuration: A Curated Allow List

The core of the strategy is a JSON file that defines a permissions.allow array. This is not a blanket "allow all"; it's a carefully considered list of command patterns you trust for your specific project context. Here is a robust starter template you can drop into your project's .claude/ directory:

{
  "permissions": {
    "allow": [
      "Bash(git *)",
      "Bash(python manage.py *)",
      "Bash(python3 manage.py *)",
      "Bash(pip *)",
      "Bash(pip3 *)",
      "Bash(npm *)",
      "Bash(npx *)",
      "Bash(gh *)",
      "Bash(docker *)",
      "Bash(docker-compose *)",
      "Bash(celery *)",
      "Bash(ls *)",
      "Bash(cd *)",
      "Bash(cat *)",
      "Bash(mkdir *)",
      "Bash(cp *)",
      "Bash(mv *)",
      "Bash(source *)",
      "Bash(python3 *)"
    ]
  }
}

How To Apply It: Step-by-Step

Create the directory and file: In your project root, run:
```
mkdir -p .claude && touch .claude/settings.json
```
Paste the configuration: Copy the JSON above into the new file.
Customize for your stack: Remove lines you don't need (e.g., celery if you don't use it).
Consider narrowing broad rules: The template uses broad patterns like git * and python3 * for speed. For shared or sensitive projects, you can narrow them. For example:
```
"Bash(git status)",
"Bash(git add)",
"Bash(git commit)",
"Bash(git log)",
"Bash(python3 manage.py *)" // More specific than python3 *
```
Commit it (optional): Adding .claude/settings.json to your repository standardizes permissions across your team, ensuring everyone has the same efficient, secure baseline.

Cover image for

The Critical Exclusions: Your Safety Net

The power of this approach lies as much in what you don't allow. The template deliberately excludes high-risk commands, ensuring Claude Code will always stop and ask for explicit approval before running them. These include:

rm: Irreversible file deletion.
curl / wget: Downloading and potentially executing remote content.
chmod / chown: Changing file permissions and ownership.
sudo: Privilege elevation—never auto-approve this.
kill / pkill: Terminating processes.
ssh / scp: Remote system access.

This creates a safe sandbox. Claude can autonomously handle the 80% of commands that are routine (version control, package management, running scripts) while you remain in the loop for the 20% that are potentially destructive.

The Result: A More Agentic Workflow

With this configuration, Claude Code transforms from a tool that asks for permission at every step into a capable junior developer. It can execute multi-step plans—like "run tests, diagnose the failure, apply a fix, and run tests again"—without breaking your flow. The reduction in cognitive load and context-switching is immediate and significant. You maintain security where it counts and gain velocity where it matters.

Following this story?

Get a weekly digest with AI predictions, trends, and analysis — free.

AI Analysis

**Stop treating every command as equal.** The default security model is binary: approve or deny. Your `.claude/settings.json` file lets you implement a graduated trust model. Start by adding just the commands you use most often in your iterative loops, like `git status`, `npm test`, or `python manage.py runserver`. This alone will cut dozens of interruptions per session. **Project-specific configuration is key.** Don't create a global config. The power of this system is that your permissions can be as loose or strict as the project demands. A personal side project can safely use `git *` and `python3 *`. A critical production codebase should use narrower rules like `git add` and `git commit`. Create a template for each type of project you work on. **Use this to enable true multi-step automation.** This isn't just about saving clicks. It's about unlocking Claude Code's ability to act as an agent. With safe paths pre-approved, you can give it complex, open-ended prompts like "Refactor this module to use async/await and ensure all tests pass" and watch it plan and execute the steps—checking out a branch, running tests, editing files, committing—with minimal interruption. This aligns with the broader trend in agentic AI, where tools like Claude Agent (mentioned in 48 prior articles) are designed for autonomous, multi-step task completion.

#best-practices #configuration #tutorial #claude-code

Mentioned in this article

Claude Code

Enjoyed this article?

Get the weekly AI intelligence briefing