https://ice-ice-bear.github.io/tags/javascript/Recent content in Javascript on ICE-ICE-BEAR-BLOGHugo -- gohugo.ioenFri, 10 Apr 2026 00:00:00 +0900https://ice-ice-bear.github.io/posts/2026-04-10-claude-auto-permission/Fri, 10 Apr 2026 00:00:00 +0900https://ice-ice-bear.github.io/posts/2026-04-10-claude-auto-permission/<img src="https://ice-ice-bear.github.io/" alt="Featured image of post Claude Auto-Permission Dev Log #1 — Hook-Based Auto-Permission System" /><h2 id="overview">Overview </h2><p>If you use Claude Code heavily, you know the pain: hundreds of &ldquo;Allow&rdquo; clicks per session. Reading a file? Allow. Running <code>git status</code>? Allow. Running tests? Allow. The built-in <code>settings.local.json</code> accumulates one-off approvals that quickly become unmanageable. To solve this, I built <strong>claude-auto-permission</strong> — a hook-based auto-permission system with preset-driven configs and a learning mechanism.</p> <h2 id="the-problem--hundreds-of-allow-clicks">The Problem — Hundreds of &ldquo;Allow&rdquo; Clicks </h2><p>Claude Code requires user approval for every tool use. This is the right default for security, but in practice it creates significant friction during development:</p> <ul> <li><code>Read</code> tool to open a file — approve</li> <li><code>Bash</code> to run <code>git status</code> — approve</li> <li><code>Bash</code> to run <code>npm test</code> — approve</li> <li><code>Grep</code> to search code — approve</li> </ul> <p>A one-hour coding session easily generates 100-200 approval prompts. And as you approve them one by one, <code>settings.local.json</code> accumulates entries like this:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;permissions&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;allow&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(git status)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(git diff)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(git log --oneline -20)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(git log --oneline -10)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(npm test)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(npm run test)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;Bash(npx jest)&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="err">...</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>Since it records exact command strings, <code>git log --oneline -20</code> and <code>git log --oneline -10</code> are separate entries. No pattern generalization means the list grows endlessly.</p> <h2 id="design--hook-architecture">Design — Hook Architecture </h2><p>Claude Code&rsquo;s hook system lets you attach external scripts to events like <code>PreToolUse</code> and <code>PostToolUse</code>. By hooking into <code>PreToolUse</code>, we can intercept every tool invocation and decide whether to auto-approve, block, or pass through to the user.</p> <p>Here is the overall architecture:</p> <pre class="mermaid" style="visibility:hidden">flowchart TD A["Claude Code&lt;br/&gt;Tool Use Request"] --> B["PreToolUse Hook&lt;br/&gt;selective-auto-permission.mjs"] B --> C{"auto-permission.json&lt;br/&gt;Check Rules"} C -->|deny match| D["Block&lt;br/&gt;Return reason"] C -->|allow match| E["Auto-approve&lt;br/&gt;Return approve"] C -->|no match| F["Pass to User&lt;br/&gt;Manual Approval"] F -->|approved| G["Recorded in&lt;br/&gt;settings.local.json"] G --> H["/learn-permissions&lt;br/&gt;Skill Invoked"] H --> I["Generalize Pattern&lt;br/&gt;Merge into auto-permission.json"] I --> C style D fill:#ff6b6b,color:#fff style E fill:#51cf66,color:#fff style I fill:#339af0,color:#fff</pre><p>Three core components make this work:</p> <ol> <li><strong><code>selective-auto-permission.mjs</code></strong> — The PreToolUse hook. On every tool use, it checks the allow/deny lists in <code>auto-permission.json</code> and returns a verdict.</li> <li><strong><code>permission-learner.mjs</code></strong> — Analyzes manual approval history and extracts patterns.</li> <li><strong><code>/learn-permissions</code> skill</strong> — An interactive workflow that merges learned patterns into <code>auto-permission.json</code>.</li> </ol> <h2 id="preset-system">Preset System </h2><p>Writing rules from scratch for every project is impractical. So the system ships with five presets for common development environments:</p> <table> <thead> <tr> <th>Preset</th> <th>Use Case</th> <th>Auto-Approve Scope</th> </tr> </thead> <tbody> <tr> <td><code>safe-read</code></td> <td>Read-only</td> <td>Read, Grep, Glob, git status/log/diff</td> </tr> <tr> <td><code>node-dev</code></td> <td>Node.js development</td> <td>+ npm/npx, jest, eslint, tsc</td> </tr> <tr> <td><code>python-dev</code></td> <td>Python development</td> <td>+ uv, pytest, ruff, mypy, pip</td> </tr> <tr> <td><code>fullstack-dev</code></td> <td>Full-stack</td> <td>node-dev + python-dev combined</td> </tr> <tr> <td><code>full-trust</code></td> <td>Full trust</td> <td>Nearly all tools (except deny list)</td> </tr> </tbody> </table> <p>Every preset shares a <strong>universal deny list</strong> that is never auto-approved:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-javascript" data-lang="javascript"><span class="line"><span class="cl"><span class="kr">const</span> <span class="nx">UNIVERSAL_DENY</span> <span class="o">=</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;rm -rf&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;git push --force&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;git reset --hard&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;git clean -f&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">];</span> </span></span></code></pre></div><p>Even with the <code>full-trust</code> preset, these four commands always require manual approval. An accidental <code>rm -rf /</code> should never be auto-approved.</p> <h2 id="auto-permissionjson-structure">auto-permission.json Structure </h2><p>Rules are defined in <code>.claude/auto-permission.json</code> at each project root:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;preset&#34;</span><span class="p">:</span> <span class="s2">&#34;python-dev&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;custom_allow&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;tool&#34;</span><span class="p">:</span> <span class="s2">&#34;Bash&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;pattern&#34;</span><span class="p">:</span> <span class="s2">&#34;docker compose *&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;tool&#34;</span><span class="p">:</span> <span class="s2">&#34;Bash&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;pattern&#34;</span><span class="p">:</span> <span class="s2">&#34;hugo server *&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;custom_deny&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;tool&#34;</span><span class="p">:</span> <span class="s2">&#34;Bash&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;pattern&#34;</span><span class="p">:</span> <span class="s2">&#34;docker system prune *&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">}</span> </span></span><span class="line"><span class="cl"> <span class="p">]</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><p>The <code>preset</code> provides baseline rules, while <code>custom_allow</code> and <code>custom_deny</code> add project-specific overrides. Patterns support glob-style matching, so <code>docker compose *</code> covers <code>docker compose up</code>, <code>docker compose down</code>, <code>docker compose logs -f</code>, and so on.</p> <p><strong>Rule priority</strong>: deny always takes precedence over allow. If a command matches both lists, it is blocked. When in doubt, err on the side of safety.</p> <h2 id="permission-learner--extracting-patterns-from-approval-history">Permission Learner — Extracting Patterns from Approval History </h2><p>As you manually approve commands, <code>settings.local.json</code> accumulates similar entries:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">Bash(pytest tests/test_auth.py) </span></span><span class="line"><span class="cl">Bash(pytest tests/test_api.py) </span></span><span class="line"><span class="cl">Bash(pytest tests/test_models.py -v) </span></span><span class="line"><span class="cl">Bash(pytest --tb=short) </span></span></code></pre></div><p><code>permission-learner.mjs</code> analyzes these entries by:</p> <ol> <li>Extracting common prefixes (<code>pytest</code>)</li> <li>Classifying safety (read-only vs. filesystem-modifying)</li> <li>Generalizing into patterns (<code>pytest *</code>)</li> </ol> <p>When you run the <code>/learn-permissions</code> skill, it presents the learned patterns for review and, upon confirmation, adds them to <code>custom_allow</code> in <code>auto-permission.json</code>. Once learned, the entire family of similar commands is auto-approved going forward.</p> <h2 id="design-decisions">Design Decisions </h2><h3 id="hook-response-time">Hook Response Time </h3><p>The PreToolUse hook runs on every single tool use. Spawning a new Node.js process each time could be a concern, but in practice, reading one JSON file and running pattern matching takes only tens of milliseconds — well below any perceptible delay.</p> <h3 id="balancing-security-and-convenience">Balancing Security and Convenience </h3><p>The most important question in an auto-permission system is &ldquo;how much should be auto-approved?&rdquo; Too permissive is dangerous; too restrictive is useless.</p> <p>This project follows three principles:</p> <ol> <li><strong>Deny always wins</strong> — no matter how broad the allow list, a deny match blocks the action</li> <li><strong>Universal deny is preset-independent</strong> — destructive commands are blocked regardless of which preset is active</li> <li><strong>Learning only suggests</strong> — the permission learner proposes patterns, but the user must confirm before they take effect</li> </ol> <h3 id="per-repo-configuration">Per-Repo Configuration </h3><p><code>auto-permission.json</code> lives in the <code>.claude/</code> directory at the project root. Different projects need different permissions even for the same developer. A blog repo needs <code>hugo server *</code>, while an API server repo needs <code>docker compose *</code>. This has to be per-project, not global.</p> <h2 id="current-state-and-next-steps">Current State and Next Steps </h2><p>What the first release includes:</p> <ul> <li>Five presets with custom rule support</li> <li>PreToolUse hook-based auto-approve and block</li> <li>Permission learner and <code>/learn-permissions</code> skill</li> <li>Universal deny list</li> </ul> <p>What comes next:</p> <ul> <li>Edge cases discovered while applying to real projects</li> <li>Guide for customizing and creating new presets</li> <li>Potential integration with other hook events (<code>PostToolUse</code>, <code>Notification</code>)</li> </ul> <p>GitHub repository: <a class="link" href="https://github.com/ice-ice-bear/claude-auto-permission" target="_blank" rel="noopener" >ice-ice-bear/claude-auto-permission</a></p>