Have you ever wondered: when you ask Claude Code to execute a dangerous command, how does it stop itself?

For example, when you say “clean up temporary files,” will it actually execute rm -rf /tmp/*? Or worse, rm -rf /?

The answer: it has a permission system that works like a car’s anti-lock braking system (ABS). It lets you drive freely under normal conditions, but intervenes automatically when danger arises.

Today we’re taking apart this “safety brake” to see how it works.

[Figure: Permission System Like ABS. The permission system is like a car’s ABS and intervenes automatically in danger.]

Three-Tier Permission Architecture

Claude Code’s permission system has three layers, from coarse to fine:

Tier 1: User Configuration

Rules set by users in CLAUDE.md or config files:

alwaysAllow: ['FileRead', 'Grep']
alwaysDeny: ['Bash', 'FileDelete']
askBefore: ['FileWrite', 'FileEdit']

This is the coarsest control: the user explicitly says “this can be done,” “this cannot be done,” or “ask me before this.”

Tier 2: Tool-level Permissions

Each tool defines its own checkPermissions method:

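checkPermissions(input, context) {
  // Hard deny: rm -rf aimed at the root directory itself ("/" or "/*").
  // A plain includes('rm -rf /') would also match paths such as /tmp/*.
  if (/\brm\s+-rf\s+\/\*?(\s|$)/.test(input.command)) {
    return { behavior: 'deny', reason: 'Prohibited from deleting root directory' };
  }
  // Read-only inputs need no confirmation.
  if (this.isReadOnly(input)) {
    return { behavior: 'allow' };
  }
  // Everything else falls through to a user prompt.
  return { behavior: 'ask' };
}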

This is medium granularity: the decision depends on the tool’s specific input.

Tier 3: Auto Classifier

The YOLO (You Only Look Once) classifier uses AI to judge whether an operation is safe:

Input: Command text
Output: safe / ask / deny

This is the finest granularity: it uses AI to identify potential risks.

[Figure: Three-Tier Permission. The three-tier permission architecture, from coarse to fine.]

Always Allow/Deny: User Has the Final Say

User configuration is the most direct control method.

alwaysAllow: These tools can be used directly without confirmation.

- FileRead: Reading files is safe
- Grep: Searching is safe
- Glob: Listing files is safe

alwaysDeny: These tools cannot be used at all—they’re disabled.

- Bash: Some users prohibit command execution
- FileDelete: Some users prohibit file deletion

askBefore: These tools require user confirmation before use.

- FileWrite: Writing files may be risky
- FileEdit: Editing files may break code

How configuration takes effect: tools that are denied don’t even appear in the tool list sent to the model—the model doesn’t even know they exist.

YOLO Classifier: AI Judges AI

The YOLO classifier is Claude Code’s most interesting permission mechanism: it uses AI to judge whether the AI’s operations are safe.

Why is it called YOLO? Because “You Only Look Once”: one quick look, rapid judgment.

Working principle:

Input: Operation to execute (e.g., Bash command)
Feature Extraction: Extract key features
Classification Model: Judge safety level
Output: safe / ask / deny

What does the classifier judge based on?

Keyword Matching: Dangerous keywords like rm, drop table, DELETE FROM

Pattern Recognition: High-risk patterns like * wildcards, --force flags

Context Analysis: Current directory, user permissions, operation target

Historical Learning: Learning from past judgments (if there’s feedback)

[Figure: YOLO Classifier. The YOLO classifier quickly judges operation safety.]

Practical: Dangerous Command Interception

See how the permission system handles this request: “Delete temporary files”

Model Generates: rm -rf /tmp/*

Tier 1 Check (User Configuration):

  • BashTool is in askBefore list → Needs further check

Tier 2 Check (Tool-level Permissions):

  • BashTool checks command: rm -rf /tmp/*
  • Doesn’t include root directory / → Not absolutely prohibited
  • But contains -f force flag → Marked as high risk

Tier 3 Check (YOLO Classifier):

  • Keywords: rm + -rf + /* = high-risk combination
  • Judgment result: ask (ask user)

Final Result: AI shows confirmation dialog: “I’m going to execute rm -rf /tmp/*, confirm?”

User can choose: Confirm / Cancel / Modify Command

Permission Prompts: Letting AI “Know” Boundaries

Permissions aren’t just technical checks—AI also needs to “know” through prompts what it can and cannot do.

In system prompts, there’s a dedicated permission module:

Permission Rules:
- You can read any file
- Must confirm user intent before writing files
- Prohibited from executing operations that delete root directory
- Prohibited from accessing sensitive files (like .ssh, .env)
- If uncertain whether an operation is safe, ask the user

This lets the model constrain itself when selecting tools: not “do as it wishes,” but “think first about whether it is allowed.”

Fail-Closed: Default to Safest

The permission system follows a “fail-closed” principle:

  • When uncertain, default to asking user
  • When judgment is wrong, default to denial
  • When configuration conflicts, take the strictest rule

This is why AI sometimes seems “overly cautious”—it would rather ask one more time than take risks.
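The three-tier walkthrough and the fail-closed rules above can be combined into a single decision function. The JavaScript below is an added example, not Claude Code’s own code; the tier functions, the sample configuration, the read-only command list and the keyword rule standing in for the classifier are all assumptions made for illustration.

```javascript
// Added example: tier functions, lists and the stub classifier are assumptions.
const RANK = new Map([['allow', 0], ['ask', 1], ['deny', 2]]);
const READ_ONLY = new Set(['ls', 'cat', 'pwd']); // assumed read-only commands

// Constructed sample configuration, shaped like the lists shown earlier.
const sampleConfig = {
  alwaysAllow: ['FileRead', 'Grep'],
  alwaysDeny: ['FileDelete'],
  askBefore: ['Bash', 'FileWrite'],
};

// Tier 1: deny is tested first, so a tool listed twice gets the strictest rule.
function tier1(tool, config = sampleConfig) {
  if (config.alwaysDeny.includes(tool)) return 'deny';
  if (config.askBefore.includes(tool)) return 'ask';
  return config.alwaysAllow.includes(tool) ? 'allow' : 'ask'; // unknown tool: ask
}

// Tier 2: tool-level check. Whitespace tokenising is a simplification; a real
// check needs a proper shell parser.
function tier2(tool, input) {
  if (tool !== 'Bash') return 'allow';
  const [prog, ...args] = input.command.trim().split(/\s+/);
  if (prog === 'rm' && args.some((a) => a === '/' || a === '/*')) return 'deny';
  return READ_ONLY.has(prog) ? 'allow' : 'ask';
}

// Tier 3 stand-in: a keyword rule, not a model. Emits safe / ask / deny.
function stubClassifier(tool, input) {
  if (tool !== 'Bash') return 'safe';
  return /\brm\b/.test(input.command) && /\s-\w*[rf]/.test(input.command) ? 'ask' : 'safe';
}

// Run every tier and keep the strictest verdict.
function decide(tool, input, classifier = stubClassifier) {
  const tiers = [() => tier1(tool), () => tier2(tool, input), () => classifier(tool, input)];
  let result = 'allow';
  for (const check of tiers) {
    let verdict;
    try { verdict = check(); } catch { verdict = 'deny'; } // a failed check denies
    if (verdict === 'safe') verdict = 'allow';
    if (!RANK.has(verdict)) verdict = 'ask'; // unrecognised output: ask the user
    if (RANK.get(verdict) > RANK.get(result)) result = verdict;
  }
  return result;
}

console.log(decide('Bash', { command: 'rm -rf /tmp/*' }));
```

Because every tier runs and only the strictest verdict survives, a permissive result from one tier can never override a stricter one from another.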

Permission UX Design

Permission checking isn’t just a technical issue—it’s also a user experience issue.

Clear Prompts:

I'm going to execute:
rm -rf /tmp/*
This may delete all temporary files.
Confirm execution?

Provide Options:

  • Confirm execution
  • Cancel
  • Modify command
  • Always allow similar operations

Remember Choices: Users can “remember this choice” for automatic handling of same operations next time.

Undo Mechanism: If operations go wrong, provide undo methods.

Production-Grade Safety Considerations

In enterprise environments using AI tools, safety is critical:

Audit Logs: Record all permission decisions and executed operations.

Tiered Permissions: Different users/projects have different permission configurations.

Principle of Least Privilege: Only give AI necessary permissions, no more.

Human Confirmation: Critical operations must have human confirmation, cannot be fully automatic.

Rollback Mechanism: Dangerous operations have rollback plans.

Implications for Using Claude Code

Understanding the permission system helps you:

Configure Appropriate Permissions: Set alwaysAllow/alwaysDeny in CLAUDE.md to reduce unnecessary prompts.

Understand Why AI Always Asks: Permissions may be configured too strictly.

Use AI Safely: Don’t give AI unnecessary dangerous permissions.

Audit AI Behavior: Use logs to understand what operations AI executed.

Summary

The permission system is Claude Code’s “safety brake”—through three-tier architecture (user configuration, tool-level permissions, YOLO classifier), it finds balance between production-grade safety and personal efficiency.

Key designs:

  • User has final say: alwaysAllow/alwaysDeny
  • AI judges AI: YOLO classifier
  • Fail-closed: default to safest
  • Good UX: clear prompts and choices

Understanding this lets you use AI tools safely and efficiently.

In the next article, we’ll talk about CLAUDE.md and Hooks—building your personalized AI butler.