
Lock Down Claude Code With 5 Permission Patterns
I denied .env file reads in my settings.json. Claude Code read them anyway. Here is how to build permissions that actually hold.

Claude Code ships with a tiered permission system that most developers never configure beyond clicking "Yes, don't ask again." That default workflow creates invisible gaps: every auto-approved command persists permanently in your project settings, and every unconfigured tool runs with maximum access. The result is an AI assistant with more filesystem and network access than any human on your team.

This article covers 5 permission patterns that lock down Claude Code properly, from basic deny rules to OS-level sandboxing.

Pattern 1: Deny-First Rules in settings.json

Claude Code evaluates permission rules in a strict order by category: all deny rules are checked first, then all ask rules, then all allow rules. A deny rule therefore always beats an allow rule, regardless of its position in the JSON array or which settings file it lives in.
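The deny-then-ask-then-allow precedence, modelled as an added example that is not code from the article or from Claude Code itself. It assumes rules of the form "Tool(pattern)" with simple glob matching and a "permissions" block in each settings file; both are simplifications, and the evaluator shows only the precedence the section states, not the gap the author ran into.

```python
import fnmatch

# Precedence the article describes: every deny rule is checked before any ask
# rule, and every ask rule before any allow rule, no matter which settings file
# a rule came from or where it sits inside its array.
PRECEDENCE = ("deny", "ask", "allow")


def parse_rule(rule: str) -> tuple[str, str]:
    """Split 'Tool(pattern)' into (tool, pattern); a bare 'Tool' matches any input.
    Assumed rule syntax, simplified for the example."""
    if "(" in rule and rule.endswith(")"):
        tool, pattern = rule[:-1].split("(", 1)
        return tool, pattern
    return rule, "*"


def rule_matches(rule: str, tool: str, target: str) -> bool:
    r_tool, r_pat = parse_rule(rule)
    return r_tool == tool and fnmatch.fnmatchcase(target, r_pat)


def merge_settings(*settings: dict) -> dict[str, list[str]]:
    """Combine the permissions blocks of several settings files (for instance a
    user-level and a project-level file) into one rule list per category."""
    merged: dict[str, list[str]] = {cat: [] for cat in PRECEDENCE}
    for s in settings:
        for cat in PRECEDENCE:
            merged[cat].extend(s.get("permissions", {}).get(cat, []))
    return merged


def decide(rules: dict[str, list[str]], tool: str, target: str) -> str:
    """Return the first category, in precedence order, with a matching rule."""
    for cat in PRECEDENCE:
        if any(rule_matches(r, tool, target) for r in rules[cat]):
            return cat
    return "default"  # no rule matched; Claude Code falls back to prompting


# Constructed sample files. The project file lists its allow rule first and a
# broad one at that; the user file carries the .env deny. Deny still wins.
PROJECT_SETTINGS = {"permissions": {"allow": ["Read(./**)"], "ask": ["Bash(rm *)"]}}
USER_SETTINGS = {"permissions": {"deny": ["Read(./.env*)"]}}
MERGED = merge_settings(PROJECT_SETTINGS, USER_SETTINGS)

if __name__ == "__main__":
    for tool, target in [("Read", "./.env"), ("Read", "./src/app.py"), ("Bash", "rm -rf build")]:
        print(f"{tool}({target}) -> {decide(MERGED, tool, target)}")
```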
Continue reading on Dev.to


