Hardening Claude Code: permissions, hooks, and custom commands
Claude Code is a powerful local agent. By default it can read most files on your machine. Here is how to lock it down and extend it for your workflow. Block access to credential files Put this in your global Claude settings at ~/.claude/settings.json. Claude will refuse to read any of these paths — even if you accidentally ask it to. { "permissions": { "deny": [ "Read(~/.aws/**)", "Read(~/.config/gcloud/**)", "Read(~/.azure/**)", "Read(~/....