Claude Compass

Permissions

Tool permissions granted to Claude Code via ~\.claude\settings.json. These rules tell the harness which operations to approve automatically — no prompt required.

Settings file

Permissions are stored globally in C:\Users\matt_\.claude\settings.json under a permissions.allow array. They apply to every project and every session. Rules use the syntax ToolName(path\pattern) where ** matches any file or subfolder at any depth.

    "permissions": {
      "allow": [
        "Read(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
        "Write(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
        "Edit(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
        "Glob(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
        "Grep(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
        "PowerShell(Get-ChildItem *)",
        "PowerShell(New-Item -ItemType Directory *)",
        "PowerShell(notepad *)"
      ]
    }

â„šī¸ Changes to settings.json take effect on the next Claude Code session. A restart is required after editing this file.

Allowed operations

📖
Read ✓ Auto-approved
Read(C:\Users\matt_\OneDrive\Claude\**)

Allows Claude to open and read any file within the Claude workspace without prompting. This is the most frequently used permission — almost every task starts with reading a file to understand its current state.

What this covers
  • Reading CLAUDE.md files, HTML pages, markdown notes, and skill files
  • Reading settings, config files, and memory files
  • Reading any file you reference with @filename or "can you see"
  • Reading files Claude needs to inspect before editing
What this does NOT cover
  • Files outside C:\Users\matt_\OneDrive\Claude\ — e.g. cloned repos, system files, other drives
  • Read operations on those paths will still prompt
âœī¸
Write ✓ Auto-approved
Write(C:\Users\matt_\OneDrive\Claude\**)

Allows Claude to create new files or completely overwrite existing ones within the Claude workspace. Used when generating a new page, writing a fresh output file, or saving something to _temp\.

What this covers
  • Creating new HTML pages, markdown files, skill files, agent files
  • Writing output files to _output\ folders
  • Writing temporary files to _temp\
  • Full rewrites of existing files (where Edit would be impractical)
Note
  • Write replaces the entire file — for targeted changes to existing files, Claude uses Edit instead
  • Deletion is never auto-approved — Claude always confirms before removing any file
🖊️
Edit ✓ Auto-approved
Edit(C:\Users\matt_\OneDrive\Claude\**)

Allows Claude to make targeted string replacements within existing files — only the changed section is sent, not the whole file. This is the most common edit operation: updating a rule, adding a nav link, tweaking a card description.

What this covers
  • Updating specific lines in CLAUDE.md rules
  • Adding or modifying cards in HTML pages
  • Updating nav links across multiple pages
  • Patching any text block within a file without touching the rest
How Edit differs from Write
  • Edit — finds an exact string in the file and replaces it with a new string. Safer for surgical changes.
  • Write — replaces the entire file contents. Used for new files or full rewrites.
🔍
Glob ✓ Auto-approved
Glob(C:\Users\matt_\OneDrive\Claude\**)

Allows Claude to search for files by name pattern within the Claude workspace. Glob matches against file paths using patterns like *.html or **\commands\*.md, and returns a list of matching file paths sorted by modification time.

What this covers
  • Finding all .html files in a folder to update nav links
  • Locating a skill or agent file by name pattern
  • Checking which files exist before creating something new
  • Used by Claude internally before almost every multi-file task
🔎
Grep ✓ Auto-approved
Grep(C:\Users\matt_\OneDrive\Claude\**)

Allows Claude to search file contents by regex pattern within the Claude workspace. Where Glob finds files by name, Grep finds files by what's inside them — returning matching lines with optional context.

What this covers
  • Finding which HTML page contains a specific rule card or nav element
  • Locating a specific phrase or string across all files in the workspace
  • Checking whether a skill or memory entry already exists before adding a duplicate
  • Searching for a function name, config key, or any text pattern
⚡
PowerShell (specific commands) ✓ Auto-approved
PowerShell(Get-ChildItem *)  |  PowerShell(New-Item -ItemType Directory *)  |  PowerShell(notepad *)

Allows three specific PowerShell commands without prompting. These cover the operations needed to inspect folder structure, create new project/customer/skill directories, and open files in Notepad via the cmd.txt rule.

What this covers
  • Get-ChildItem * — list the contents of any folder (read-only)
  • New-Item -ItemType Directory * — create new empty folders (used by /create-project, /create-customer, /create-repo, etc.)
  • notepad * — open a file in Notepad (used when writing commands to _temp\cmd.txt)
What this does NOT cover
  • Any other PowerShell command — e.g. Remove-Item, Invoke-WebRequest, git, arbitrary scripts — will still prompt

What still requires approval

Operations outside the allow list

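The path-based permissions above (Read, Write, Edit, Glob, Grep) only cover the C:\Users\matt_\OneDrive\Claude\ folder and everything inside it; the three PowerShell rules are matched on the command, not on a path. Anything outside that path — or any operation type not listed — will still trigger a prompt.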

Operation | Status | Reason
--- | --- | ---
Bash commands | Prompts | Not included in the allow list — shell commands can affect any part of the system
PowerShell commands (other) | Prompts | Only Get-ChildItem, New-Item -ItemType Directory, and notepad are auto-approved — all other PowerShell commands still prompt
Read / Write / Edit outside Claude\ | Prompts | Path not matched by the ** glob — e.g. cloned repos, Downloads, system paths
File deletion (any path) | Always confirms | Deletion is irreversible — Claude asks before removing any file regardless of path
WebFetch / WebSearch | Prompts | Network operations are not in the allow list
MCP tool calls | Prompts | Not covered by file-path permission rules
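
A lint for the allow list described on this page, added here as an example (it is not part of Claude Code or of the original page): it parses each ToolName(pattern) rule and flags path rules that reach outside the workspace folder and command rules whose wildcard leaves the arguments open. The function names, verdict labels and inline sample are constructed for illustration, and the check does not reproduce the harness's own matching logic.

```python
import json
import re
from pathlib import PureWindowsPath

# Constructed sample mirroring part of the allow list shown on this page.
SAMPLE_SETTINGS = r'''
{"permissions": {"allow": [
  "Read(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
  "Write(C:\\Users\\matt_\\OneDrive\\Claude\\**)",
  "PowerShell(Get-ChildItem *)",
  "PowerShell(New-Item -ItemType Directory *)",
  "PowerShell(notepad *)"
]}}
'''

WORKSPACE = PureWindowsPath(r"C:\Users\matt_\OneDrive\Claude")
PATH_TOOLS = {"Read", "Write", "Edit", "Glob", "Grep"}  # tools whose rule is a path
RULE_RE = re.compile(r"^(\w+)\((.*)\)$")


def audit_rule(rule, workspace=WORKSPACE):
    """Return (verdict, reason) for one allow rule (hypothetical helper)."""
    m = RULE_RE.match(rule)
    if not m:
        return ("invalid", "not in ToolName(pattern) form")
    tool, pattern = m.groups()
    if tool not in PATH_TOOLS:
        # Command-style rule: the rule text carries no path restriction.
        if "*" in pattern:
            return ("review", "wildcard leaves arguments open; not tied to the workspace")
        return ("literal", "no wildcard in the rule")
    # Path rule: take the fixed directory part that precedes the first wildcard.
    prefix = pattern.split("*", 1)[0]
    base = PureWindowsPath(prefix)
    if not prefix.endswith(("\\", "/")):
        base = base.parent  # wildcard extends a name, e.g. ...\Claude* also hits siblings
    if ".." in base.parts:
        return ("review", "pattern contains a parent-directory step")
    if base == workspace or workspace in base.parents:
        return ("scoped", "fixed prefix is inside the workspace")
    return ("review", "fixed prefix is not inside the workspace")


def audit(settings_text, workspace=WORKSPACE):
    """Audit every rule under permissions.allow in a settings.json text."""
    allow = json.loads(settings_text).get("permissions", {}).get("allow", [])
    return [(rule, *audit_rule(rule, workspace)) for rule in allow]


if __name__ == "__main__":
    for rule, verdict, reason in audit(SAMPLE_SETTINGS):
        print(f"{verdict:8} {rule}  ({reason})")
```
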