Cookbook/Allow only reading and editing files
getting started
5 min

Allow only reading and editing files

security
configuration
tools

What Are Allowed Tools?

Allowed tools let you restrict which capabilities Claude Code can use during a session. This provides granular control over file system access, command execution, and other operations.

Basic Configuration

# Allow only reading and editing files
claude --allowedTools read,edit

# Allow file operations but no command execution
claude --allowedTools read,edit,write,glob,grep

# Disallow specific tools
claude --disallowedTools delete,bash

Available Tools

  • read - Read file contents
  • edit - Modify existing files
  • write - Create new files
  • delete - Remove files
  • bash - Execute shell commands
  • glob - Search for files by pattern
  • grep - Search file contents
  • web_search - Search the internet
  • web_fetch - Fetch web pages

Use Cases

1. Code Review Mode

Scenario: Reviewing a PR without making changes

claude --allowedTools read,glob,grep

Why it's useful:

  • Prevents accidental modifications
  • Ensures Claude only analyzes and explains code
  • Safe for reviewing untrusted code

Example session:

User: Review the security of our authentication system
Claude: [Can read files and search, but cannot modify anything]

2. Documentation-Only Mode

Scenario: Generating documentation without touching code

claude --allowedTools read,write

Why it's useful:

  • Isolates documentation updates
  • Prevents code changes during doc sprints
  • Ensures compliance with doc-only policies

Example session:

User: Update all API documentation based on the current code
Claude: [Can read code but only write to docs/]

3. Safe Exploration Mode

Scenario: Exploring an unfamiliar codebase

claude --allowedTools read,grep,glob

Why it's useful:

  • No risk of modifying files
  • Can't execute potentially harmful commands
  • Perfect for auditing or learning

4. Build-Only Mode

Scenario: Running builds and tests without code changes

claude --allowedTools bash --disallowedTools write,edit,delete

Why it's useful:

  • Restricts to specific build commands
  • Prevents arbitrary file modifications
  • Ideal for CI/CD contexts

Advanced Configurations

Combining with Other Flags

# Read-only mode with verbose output
claude --allowedTools read --verbose

# Safe refactoring mode with JSON output
claude --allowedTools read,edit --output-format json

Security Benefits

  1. Principle of Least Privilege: Only grant necessary permissions
  2. Audit Trail: Easier to track what Claude can do
  3. Mistake Prevention: Reduce risk of unintended operations
  4. Compliance: Meet security requirements for tool usage

Tips

  • Start restrictive and add tools as needed
  • Use --verbose to see what tools Claude is trying to use
  • Combine with other flags for enhanced control
  • Test configurations before using in production environments

Master Claude Code with Expert Training

These recipes are from our comprehensive 2-day training course. Learn directly from experts and transform your development workflow.