Thoughtful permission configs for Claude Code without the container overhead.
Claude Code users face a frustrating choice: run in a Docker sandbox with --dangerously-skip-permissions for convenience, or run natively and deal with constant permission prompts.
This tool offers a middle ground. Generate permission configurations tailored to your workflow, reducing prompt fatigue while maintaining control over what Claude Code can do.
⚠️ Warning: This approach is inherently less safe than a fully isolated environment. You're trading sandbox protection for convenience.⚠️
The fastest way to get going:

```bash
npx cc-permissions apply
```

This analyzes your project, detects relevant templates, and applies permissions to .claude/settings.json.

Want to see what would be applied first?

```bash
npx cc-permissions
```

Or install globally to use without npx:

```bash
npm install -g cc-permissions
```

Then run: cc-permissions apply
Or use as slash command via a Claude Code plugin:

```bash
# Add the marketplace
claude plugin marketplace add DanielCarmingham/cc-permissions
# Install the plugin
claude plugin install cc-permissions@DanielCarmingham-cc-permissions
# Update to latest version
claude plugin update cc-permissions@DanielCarmingham-cc-permissions
# Uninstall
claude plugin uninstall cc-permissions@DanielCarmingham-cc-permissions
```

Then use /cc-permissions:analyze, /cc-permissions:apply, and other slash commands directly in Claude Code.
Note: Third-party plugins don't auto-update by default. Run claude plugin update from your terminal to get new versions, or enable auto-update via /plugin → Marketplaces → select marketplace → Enable auto-update.
Permissions are organized into templates and levels.
Templates group commands by technology. Use nodejs for npm/yarn/pnpm commands, python for pip and pytest, docker for container operations, and so on. Combine them freely:

```bash
cc-permissions apply nodejs,python,docker
```

Levels control how permissive each template is:

| Level | What it allows |
|---|---|
| restrictive | Read-only operations (list, status, info) |
| standard | Development workflow (run, build, test) |
| permissive | Broader access (install, publish, remove) |

Levels are cumulative. standard includes everything from restrictive, and permissive includes everything from standard.

```bash
# Safe exploration mode
cc-permissions apply nodejs --level restrictive
# Normal development (default)
cc-permissions apply nodejs
# Trusted project, full access
cc-permissions apply nodejs --level permissive
```

| Template | Description |
|---|---|
| shell | Basic shell and filesystem commands |
| Template | Description |
|---|---|
| vscode-mcp | VS Code IDE MCP tools for Claude Code integration |
| Template | Description |
|---|---|
| git | Git version control |
| gitea | Gitea CLI (tea) for repository and workflow management |
| gitea-mcp | Gitea MCP Server tools for repository and workflow management |
| github | GitHub CLI (gh) for repository and workflow management |
| github-mcp | GitHub MCP Server tools for repository and workflow management |
| gitlab | GitLab CLI (glab) for repository and workflow management |
| gitlab-mcp | GitLab MCP Server tools for repository and workflow management |
| Template | Description |
|---|---|
| bun | Bun runtime and package manager |
| dotnet | dotnet CLI, NuGet, MSBuild |
| go | Go development and golangci-lint |
| java | Java and JVM runtime |
| nodejs | Node.js, npm, and npx |
| php | PHP, Composer, and Laravel Artisan |
| pnpm | pnpm package manager |
| python | pip, python, venv, pytest, and common data tools |
| ruby | Ruby, Bundler, Rails, and Rake |
| rust | Cargo, rustc, and rustup |
| typescript | TypeScript compiler (tsc) |
| yarn | Yarn package manager |
| Template | Description |
|---|---|
| gradle | Gradle build tool and wrapper |
| maven | Apache Maven build tool |
| Template | Description |
|---|---|
| aws | AWS CLI, SAM, CDK, Amplify, and Elastic Beanstalk |
| aws-mcp | AWS MCP Server tools for cloud infrastructure and serverless development |
| azure | Azure CLI, Functions, Bicep, and Azure Developer CLI |
| bicep | Azure Bicep infrastructure-as-code CLI |
| gcp | Google Cloud CLI, gsutil, Firebase, and BigQuery |
| Template | Description |
|---|---|
| docker | Docker, Docker Compose, and Buildx |
| docker-mcp | Docker MCP Server tools for container management |
| kubernetes | kubectl, Helm, k9s, and Minikube |
| podman | Podman, Podman Compose, and Podman Machine |
| podman-mcp | Podman MCP Server tools for container management |
| terraform | Terraform, Terragrunt, and tflint |
| Template | Description |
|---|---|
| azure-sql | Azure SQL Database CLI tools (az sql) |
| azure-storage | Azure Storage CLI tools (az storage) for blobs, tables, queues, and file shares |
| excel-mcp | Excel MCP Server tools for spreadsheet operations |
| mariadb | MariaDB CLI tools (mariadb, mariadb-dump, mariadb-admin) |
| mariadb-mcp | MariaDB MCP Server tools for database queries |
| mongodb | MongoDB CLI tools (mongosh, mongodump, mongorestore) |
| mysql | MySQL CLI tools (mysql, mysqldump, mysqladmin) |
| postgres | PostgreSQL CLI tools (psql, pg_dump, pg_restore) |
| postgres-mcp | PostgreSQL MCP Server tools for database queries |
| redis | Redis CLI tools (redis-cli) |
| sqlite | SQLite CLI tools (sqlite3) |
| sqlite-mcp | SQLite MCP Server tools for database operations |
| Template | Description |
|---|---|
| chrome-devtools-mcp | Chrome DevTools MCP Server tools for browser inspection and debugging |
| firefox-devtools-mcp | Firefox DevTools MCP Server tools for browser inspection and debugging |
| playwright | Playwright testing framework |
| playwright-mcp | Playwright MCP Server tools for browser automation |
| selenium | Selenium testing framework CLI tools |
| selenium-mcp | Selenium MCP Server tools for browser automation |
| Template | Description |
|---|---|
| android | Android SDK, ADB, and emulator |
| flutter | Flutter SDK and Dart development |
| ios | Xcode, Swift, CocoaPods, and iOS development |
All MCP server templates in one place. These are also listed alongside their CLI counterparts above.
| Template | Description |
|---|---|
| aws-mcp | AWS MCP Server tools for cloud infrastructure and serverless development |
| azure-sql-mcp | Azure SQL Database MCP Server tools (azmcp) |
| azure-storage-mcp | Azure Storage MCP Server tools (azmcp) |
| chrome-devtools-mcp | Chrome DevTools MCP Server tools for browser inspection and debugging |
| docker-mcp | Docker MCP Server tools for container management |
| excel-mcp | Excel MCP Server tools for spreadsheet operations |
| firefox-devtools-mcp | Firefox DevTools MCP Server tools for browser inspection and debugging |
| gitea-mcp | Gitea MCP Server tools for repository and workflow management |
| github-mcp | GitHub MCP Server tools for repository and workflow management |
| gitlab-mcp | GitLab MCP Server tools for repository and workflow management |
| mariadb-mcp | MariaDB MCP Server tools for database queries |
| playwright-mcp | Playwright MCP Server tools for browser automation |
| podman-mcp | Podman MCP Server tools for container management |
| selenium-mcp | Selenium MCP Server tools for browser automation |
| postgres-mcp | PostgreSQL MCP Server tools for database queries |
| sqlite-mcp | SQLite MCP Server tools for database operations |
| typescript-mcp | TypeScript MCP Server tools for type checking and compilation |
| vscode-mcp | VS Code IDE MCP tools for Claude Code integration |
Click any template to see the full list of commands at each level.
By default, permissions go to .claude/settings.json (project scope). You can change this:

```bash
# Personal defaults across all projects
cc-permissions apply --scope user
# Project-specific overrides (gitignored)
cc-permissions apply --scope local
# Custom file
cc-permissions apply --output ./my-permissions.json
```

| Scope | File | Use case |
|---|---|---|
| project | .claude/settings.json | Team settings, commit to repo |
| user | ~/.claude/settings.json | Personal defaults |
| local | .claude/settings.local.json | Personal overrides, gitignored |

All generated configs include a deny list blocking dangerous patterns like rm -rf /, sudo, and piped remote execution (curl | bash). You can still shoot yourself in the foot, but the obvious hazards are blocked.
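
A reviewer-side check for the deny list described above, as an added example that is not part of cc-permissions: it flags a settings object whose deny rules miss one of the three hazard classes or whose allow list contains an unrestricted `Bash` rule. It assumes Claude Code's `permissions.allow` / `permissions.deny` arrays of `Bash(...)` rules; the function names, the simplified matcher and the sample rules are constructed for illustration.

```javascript
// Added example: audit a Claude Code settings object before committing it.
// matchesBash is a simplified approximation (exact match or ":*" prefix),
// not Claude Code's own rule evaluation. All names here are hypothetical.
const PROBES = { // one probe command per hazard class named above
  "rm -rf /": "rm -rf /",
  "sudo": "sudo apt-get install example",
  "curl | bash": "curl https://example.invalid/install.sh | bash",
};

// "Bash(git status:*)" -> { tool: "Bash", spec: "git status:*" }
function parseRule(rule) {
  const m = /^([A-Za-z_][\w-]*)(?:\((.*)\))?$/.exec(String(rule).trim());
  return m ? { tool: m[1], spec: m[2] ?? null } : null;
}

// True when the rule places no limit on which shell command may run.
function isBlanketBash(rule) {
  const r = parseRule(rule);
  return !!r && r.tool === "Bash" && [null, "", "*", ":*"].includes(r.spec);
}

function matchesBash(rule, command) {
  const r = parseRule(rule);
  if (!r || r.tool !== "Bash") return false;
  if (isBlanketBash(rule)) return true;
  if (r.spec.endsWith(":*")) return command.startsWith(r.spec.slice(0, -2));
  return command === r.spec;
}

function auditSettings(settings) {
  const allow = settings?.permissions?.allow ?? [];
  const deny = settings?.permissions?.deny ?? [];
  const findings = allow.filter(isBlanketBash)
    .map((rule) => `allow rule "${rule}" permits every shell command`);
  for (const [label, cmd] of Object.entries(PROBES)) {
    if (deny.some((rule) => matchesBash(rule, cmd))) continue; // deny wins
    const allowed = allow.some((rule) => matchesBash(rule, cmd));
    findings.push(`no deny rule covers ${label}` +
      (allowed ? " and an allow rule matches it" : ""));
  }
  return findings;
}

// Constructed sample, not real cc-permissions output.
const sample = { permissions: {
  allow: ["Bash(npm run test:*)", "Bash(git status)", "Bash(curl:*)"],
  deny: ["Bash(rm -rf /:*)", "Bash(sudo:*)"],
} };
console.log(auditSettings(sample));
```

To audit a real file, pass `JSON.parse(fs.readFileSync(".claude/settings.json", "utf8"))` to `auditSettings` and fail the review step when the returned array is non-empty.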

```bash
# See what would be applied (same as cc-permissions analyze)
cc-permissions
# List available templates
cc-permissions list
# View template permissions without applying
cc-permissions template nodejs
# Output as JSON (for piping/scripting)
cc-permissions template nodejs --format json
```

See CONTRIBUTING.md for instructions on adding new templates and development setup.
0BSD - Use freely, no attribution required.