Claude Code Workspace Restriction via settings.json

Prevent Claude Code from reading or modifying files outside the current workspace using permission deny rules and optional OS-level sandboxing.

Why / When to Use

Use this when running Claude Code on a machine with sensitive files outside the project directory, or in a team/CI context where you want hard boundaries on what Claude can touch.

Core Concept / Commands

Workspace-only permission rules

Place in .claude/settings.json at the project root:

{
  "permissions": {
    "deny": [
      "Read(/**)",
      "Edit(/**)",
      "Write(/**)",
      "Bash(cd /*)",
      "Bash(cat /*)",
      "Bash(cp /* *)",
      "Bash(mv /* *)",
      "Bash(rm /*)"
    ],
    "allow": [
      "Read(./**)",
      "Edit(./**)",
      "Write(./**)"
    ]
  }
}

Rules are evaluated in order: deny → ask → allow. The first matching rule wins, so deny rules always take precedence. The ./ prefix patterns match relative to the workspace; / patterns cover absolute paths.

Add OS-level sandboxing (strongest)

Combine deny rules with the sandbox for defense-in-depth:

{
  "permissions": {
    "deny": [
      "Read(/**)",
      "Edit(/**)",
      "Write(/**)"
    ]
  },
  "sandbox": {
    "enabled": true
  }
}

The sandbox applies OS-level restrictions to Bash commands and their child processes. Enable it interactively with /sandbox inside a Claude Code session.

Key Options / Variants

Managed settings — unoverridable team policy

For team enforcement that cannot be overridden by user or project settings:

OS          Path
Mac         /Library/Application Support/ClaudeCode/managed-settings.json
Linux/WSL   /etc/claude-code/managed-settings.json
Windows     C:\ProgramData\ClaudeCode\managed-settings.json

Gotchas

  • Bash inherits the running user’s full OS permissions — Claude Code does not inherently restrict Bash to the workspace. Deny rules alone are not enough; add sandboxing for full enforcement.
  • Permission deny rules stop Claude from attempting restricted access; sandbox prevents Bash from reaching those resources even if a prompt injection bypasses Claude’s decision-making.
  • Use both together for the strongest security posture.
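
An added example, not part of the original note or of Claude Code: a small Python audit that checks the text of a settings.json for the three file-tool deny rules shown above and for sandbox.enabled, following the gotchas in this list. The function names, finding strings and sample documents are constructed for illustration.

```python
import json

# Baseline from this page's examples: the three file tools denied on "/**".
REQUIRED_DENY = {"Read(/**)", "Edit(/**)", "Write(/**)"}

def _rules(perms, key):
    """Return the string rules under permissions[key], or [] if absent or malformed."""
    value = perms.get(key)
    return [r for r in value if isinstance(r, str)] if isinstance(value, list) else []

def audit_settings(text):
    """Return a list of findings for the text of one settings.json file."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top-level value is not a JSON object"]
    perms = cfg.get("permissions")
    perms = perms if isinstance(perms, dict) else {}
    deny, allow = set(_rules(perms, "deny")), _rules(perms, "allow")
    findings = [f"missing deny rule: {r}" for r in sorted(REQUIRED_DENY - deny)]
    sandbox = cfg.get("sandbox")
    if not (isinstance(sandbox, dict) and sandbox.get("enabled") is True):
        findings.append("sandbox not enabled: Bash keeps the user's full OS permissions")
        # Without the sandbox, every allowed Bash rule is an unconfined command path.
        findings += [f"Bash allowed without sandbox: {r}" for r in allow if r.startswith("Bash")]
    # deny is evaluated before allow, so an identical allow rule can never match.
    findings += [f"allow rule shadowed by deny: {r}" for r in allow if r in deny]
    return findings

# Constructed samples: the page's two configurations plus a deliberately weak one.
DENY_ONLY = '{"permissions": {"deny": ["Read(/**)", "Edit(/**)", "Write(/**)"], "allow": ["Read(./**)"]}}'
WITH_SANDBOX = '{"permissions": {"deny": ["Read(/**)", "Edit(/**)", "Write(/**)"]}, "sandbox": {"enabled": true}}'
WEAK = '{"permissions": {"deny": ["Read(/**)"], "allow": ["Bash(cat /*)", "Read(/**)"]}}'

if __name__ == "__main__":
    for name, text in [("deny-only", DENY_ONLY), ("with-sandbox", WITH_SANDBOX), ("weak", WEAK)]:
        print(name, audit_settings(text) or "ok")
```

In CI, pass the contents of .claude/settings.json to audit_settings and fail the job when the returned list is non-empty.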

Source

Conversation “Configuring settings.json within workspace” — 2026-05-14