We have all heard the horror stories.
You blink and your database/data is gone. So you are glued to the screen.
Instead, there is a failsafe you can use for the absolutely non-negotiable stuff. This method locks the deny rules at the OS level; even --dangerously-skip-permissions can't override them. Outlined below, using deletion of files/folders as the example:
Precedence: Managed > CLI flags > local > project > user.
Deny rules in managed settings cannot be overridden by anything.
File paths:
On Windows: C:\Program Files\ClaudeCode\managed-settings.json
On WSL/Linux: /etc/claude-code/managed-settings.json
What it gives you beyond regular settings:
disableBypassPermissionsMode: "disable"
This blocks --dangerously-skip-permissions from bypassing deny rules.
allowManagedPermissionRulesOnly: true
This ignores all allow/deny rules from user/project settings; only managed rules apply.
allowManagedHooksOnly: true
This blocks user/project hooks; only managed hooks run.
Deployment: Just create the file with valid JSON. Claude Code reads it on startup and never writes to it. Set filesystem permissions so only admin can modify it.
A minimal managed-settings.json that makes deletion truly non-bypassable:
{
  "disableBypassPermissionsMode": "disable",
  "permissions": {
    "deny": [
      "Bash(rm *)", "Bash(rm)", "Bash(rmdir *)", "Bash(rmdir)",
      "Bash(del /*)", "Bash(rd *)", "Bash(erase *)",
      "Bash(*Remove-Item)", "Bash(shutil.rmtree)",
      "Bash(unlink *)", "Bash(git clean)", "Bash(git rm)",
      "Bash(*-delete*)", "Bash(xargs rm)"
    ]
  }
}
submitted by /u/Aggravating_Pinch
Originally posted by u/Aggravating_Pinch on r/ClaudeCode
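
An added example, not part of the original post: a Python check for the Linux/WSL file described above that confirms it parses as JSON (typographic quotes pasted from a web page break parsing), carries the settings the post relies on, and can be modified only by its owner. The function name, the owner_uid parameter and the finding messages are this example's own, and accepting disableBypassPermissionsMode inside "permissions" as well as at the top level is an assumption.

```python
import json
import os
import stat

CURLY_QUOTES = "\u201c\u201d\u2018\u2019"  # typographic quotes are not valid JSON
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_managed_settings(path="/etc/claude-code/managed-settings.json", owner_uid=0):
    """Return a list of findings; an empty list means every check passed."""
    if not os.path.isfile(path):
        return [f"{path} not found"]
    findings = []
    # Only the admin account (owner_uid, root by default) should be able to
    # modify the file or swap it out through its directory.
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append(f"file owner uid is {st.st_uid}, expected {owner_uid}")
    if st.st_mode & OTHERS_WRITE:
        findings.append("file is group- or world-writable")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & OTHERS_WRITE:
        findings.append("parent directory is group- or world-writable")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    if any(ch in text for ch in CURLY_QUOTES):
        findings.append("typographic quotes found; retype as plain double quotes")
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        findings.append(f"invalid JSON at line {exc.lineno}: {exc.msg}")
        return findings
    if not isinstance(cfg, dict):
        return findings + ["top-level JSON value is not an object"]
    perms = cfg.get("permissions") if isinstance(cfg.get("permissions"), dict) else {}
    # The post shows this key at the top level; also accepting it inside
    # "permissions" is an assumption of this example.
    key = "disableBypassPermissionsMode"
    if cfg.get(key, perms.get(key)) != "disable":
        findings.append(f'{key} is not set to "disable"')
    deny = perms.get("deny")
    if not isinstance(deny, list) or not deny:
        findings.append("permissions.deny is missing or empty")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_managed_settings()) or "no findings")
```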
