Conservative permissions with deny rules
A settings.json that pre-approves safe operations and blocks dangerous ones.
{
"model": "claude-sonnet-4-6",
"permissions": {
"allow": [
"Read",
"Edit",
"Glob",
"Grep",
"Bash(npm run test)",
"Bash(npm run build)",
"Bash(git *)"
],
"deny": [
"Bash(npm publish *)",
"Bash(git push --force*)",
"Bash(docker system prune*)"
]
}
}