# Safe AI Development with Claude Code Permission Controls

## Introduction

You've seen how generative AI can automate boilerplate setup and accelerate project work to 80-90% completion, leaving you to focus on the complex, high-value tasks. The potential productivity gains are significant, and the use case is clear.

Yet many organizations have legitimate concerns about using AI tools along with proprietary code. Security teams need assurance that sensitive information won't be exposed, and that's entirely reasonable. The good news is that modern AI coding assistants, such as Claude Code, are built with these concerns in mind.

This is a hands-on guide to addressing security requirements when using Claude Code with proprietary code. As generative AI becomes more sophisticated, the question isn't whether to use these tools; it's how to use them responsibly. I'll walk you through practical solutions that protect sensitive information while still enabling the productivity benefits of AI-assisted development.

## Understanding Claude Code's Security Architecture

**Permission-Based System**

Claude Code operates on a **strict permission model** as documented in [the official IAM guide](https://docs.claude.com/en/docs/claude-code/iam). Each action the agent takes will be reviewed and allowed or blocked based on your configuration. If you haven't configured anything, the defaults are displayed in the following table.

**Tool Permission Tiers:**

| ToolType | Example | Approval Required |
| --- | --- | --- |
| Read-only | File reads, LS, Grep | No |
| Bash Commands | Shell execution | Yes |
| File Modification | Edit/write files | Yes |

**What Gets Sent to Anthropic's API?**

**Sent to Claude API:**  
\- Code you explicitly include in prompts  
\- Files Claude Code reads (with your permission)  
\- Command outputs you approve  
\- Conversation history

**NOT sent:**  
\- Files blocked by permission rules  
\- Environment variables (unless explicitly referenced)  
\- Files outside your working directory  
\- Other projects on your machine

**Note** - **According to Anthropic's commercial terms, your code is not used to train models**. See the [Trust Center](https://trust.anthropic.com) for more info and [FAQ](https://trust.anthropic.com/faq).

![image.png](https://codahosted.io/docs/Bc7BhIXsXA/blobs/bl-syU0eHcWY1/a9f553c574d693bc189a96aa1619109e3dee49710b85905e72d3ddfafddcccce74c0d972196860e36333ca03613ad801a8683b69c44dea4d25cc86f0884ed521933fee06cbb4347ea5c74c943a43f261d2f7a37cf149d3c341a1e21333e7dad05cae9230 align="left")

The following sections outline several strategies you can use to maintain safety while working.

## Use Permission Settings to Protect Sensitive Files

The **official way** to exclude sensitive files is to use **permissions.deny** in `settings.json`.

**Create Project Security Settings**

```bash
# Create .claude directory example
mkdir -p .claude

# Create settings.json with deny rules
cat > .claude/settings.json << 'EOF'
{
  "permissions": {
    "deny":[
      "Read(config/production.yml)"
    ],
    "ask": [
      "Bash(git push *)",
      "Bash(npm install *)"
    ],
    "allow": [
      "Read(src/public/**)",
      "Read(tests/**)",
      "Edit(src/public/**)"
    ]
  }
}
EOF

# Commit to share with the team
git add .claude/settings.json
git commit -m "Add Claude Code security settings"
```

![Screenshot 2025-11-13 at 15.00.26.png](https://codahosted.io/docs/Bc7BhIXsXA/blobs/bl-GOaDP95zvr/b4e9a880c4b61170ea7867e2dcc05cc619d6cae72e2eea034b408173a725f178c4a02ec321e81aea84a682482322554011f699491e441516ee916de98d4b7979236f37a8fb6b2a24b6d05630b7ff47685e9b2515634b971eb164af88ef5d2e21c89dbd56 align="left")

### **Path Pattern Types**

Claude Code uses the gitignore specification, as explained in the IAM guide:

| //path | Absolute from filesystem root | Read(//Users/alice/secrets/\*\*) | /Users/alice/secrets/\*\* |
| --- | --- | --- | --- |
| ~/path | From home directory | Read(~/Documents/\*.pdf) | /Users/alice/Documents/\*.pdf |
| /path | Relative to the settings file | Edit(/src/\*\*/\*.ts) | &lt;settings-file-path&gt;/src/\*\*/\*.ts |
| path | Relative to the current directory | Read(\*.env) | &lt;cwd&gt;/\*.env |

**Important**: A pattern like /Users/alice/file is NOT absolute - use //Users/alice/file for absolute paths!

**Test Your Permissions**

Create your settings files and the permission boundaries you want, then run clode and review them.

```bash
# View current permissions
claude
/permissions
# Try to access blocked file
claude "Show me the .env file"
# Should be denied

# Try to access allowed file
claude "Show me src/api.py"
# Should work
```

![image.png](https://codahosted.io/docs/Bc7BhIXsXA/blobs/bl-hdF7LG6aae/e2ec86fda09ca9a260e5c347e28e8df1613d9e00b4352f9e1adcbe3e01f5102cc6ef544f20f883d4a0ed2e9047c2fd33471d1557ad32de1fc700dd66d640b95f376b3b53e5ffb8cc82af0693f1baabc5803efb455f44b29383582764d064cf5ca4898ca5 align="left")

## Segment Your Workflow by Project Structure

With this approach, you can split your project into public and proprietary sections. This keeps sensitive files out of reach for Claude while allowing the model to access more generic parts. You can protect your unique business code and still use AI to help with routine tasks, like exposing data from a database through a web API.

```plaintext
my-project/
├── public/                # ✅ Safe for Claude
│   ├── api/               # Public API interfaces
│   └── utils/             # Generic utilities
│
├── proprietary/           # ⚠️ Sensitive
│   ├── algorithms/        # Proprietary business logic
│   └── integrations/      # Third-party secrets
│
└── .claude/
    └── settings.json      # Protection rules
```

Following the earlier pattern, edit .claude/settings.json:

```json
{
  "permissions": {
    "deny": [
      "Read(proprietary/**)",
      "Read(**/proprietary/**)"
    ],
    "allow": [
      "Read(public/**)",
      "Edit(public/**)"
    ]
  }
}
```

## Settings Precedence

Good to know: as documented in [IAM settings precedence](https://code.claude.com/docs/en/iam#settings-precedence)

1\. **Enterprise policies** (highest - cannot be overridden)  
2\. Command line arguments  
3\. Local project settings (\`.claude/settings.local.json\`)  
4\. Shared project settings (\`.claude/settings.json\`)  
5\. User settings (\`~/.claude/settings.json\`)

**Summary**

If your company or administration doesn’t allow you to use generative AI in your workflow, the company will fall behind. It’s your job to make them understand that there are solutions to work with these tools and still protect your edge.

The permissions are `settings.json` provided:

1\. **Granular Control**: You can do more than hide files. You can control reads, writes, commands, and network access.  
2\. **Team Sharing**: Commit `.claude/settings.json` to share security rules  
3\. **Enterprise Enforcement**: IT can enforce policies that can't be bypassed  
4\. **Flexibility**: Different rules for different projects and team members  
5\. **Auditability**: All permissions are explicit and version-controlled

**Next Steps:**

1. Tell the person blocking you from using generative AI that it’s possible to set permission boundaries for the models.
    
2. Focus on the essential tasks and let the AI handle the routine work.