Claude Code Security — Developer Guide¶
This is a developer guide for working safely with Claude Code in this toolkit. It does not define organizational policy — for that see SPEC-143 (KI-Richtlinie) when it ships. It also does not cover Anthropic Teams-account management (SPEC-144, parked). What this guide does cover: the permission modes you'll meet day-to-day, the hooks the toolkit installs on your behalf, the templates you can copy, the dangerous-flag rules, and what to do when something feels off.
Everything below is an index into mechanisms implemented by SPEC-114 (Security Baseline Hardening). Each subsection ends in a link to the file that does the actual work — drift between this page and the implementation is therefore visible, not hidden.
1. Permission Modes¶
Claude Code runs every tool call through one of three permission modes; the toolkit's baseline deny rules live at configs/security/baseline-settings.json and apply across all three. Per-category threat model: configs/security/SECURITY-CONFIG.md.
auto — the recommended default. An AI classifier approves safe actions (file edits, test runs) and blocks dangerous ones (rm -rf, credential reads). See: Claude Code Auto-mode docs.
normal — every tool call you haven't pre-allowed prompts you. Use this for unfamiliar codebases or when you want a complete audit trail of approvals.
bypassPermissions — interactive override that approves all tools for the session. Different from the --dangerously-skip-permissions flag (see Section 4); use only in disposable environments.
2. Toolkit Hooks (Inventory)¶
The toolkit ships four hooks that run as part of your day-to-day workflow. Each runs at a specific Claude Code or git lifecycle point and is wired up by setup.sh. To see what a hook does internally, follow its link.
| Hook | Lifecycle point | Purpose |
|---|---|---|
secret-scanner.sh |
PreToolUse + pre-commit | Blocks tool calls and commits that would write credential patterns to disk |
security-lint.sh |
PostToolUse | Flags risky patterns after a file edit lands (informational, non-blocking) |
pre-commit |
git pre-commit | Composes secret-scanner with branch-protection (no direct commits to main) |
claudeignore-guard.sh |
PreToolUse | Enforces .claudeignore for Read/Grep/Glob so the agent cannot see hidden files |
Hooks are deployed by setup.sh and pinned via SHA-256 in configs/security/trusted-hooks.yaml. Drift detection: setup.sh --verify.
3. Example Settings¶
Two templates ship with the toolkit. Pick the one that matches your workflow and let setup.sh deploy it — see installation.md for the first-time deploy and verify-setup.md for the post-install integrity check.
- Regular profile — configs/user-global/settings.json. The default. Conservative permission set, hooks enabled, no extra MCP servers pre-approved. Installed by
setup.sh --safe(or--full,--update). - Power-user profile — configs/user-global/settings.power-user.json.patch. An RFC 6902 JSON Patch applied on top of the regular settings; adds 6 always-allow rules for git history workflow and frequently-used MCP servers. Persona notes: settings.power-user.json.patch.README.md. Installed by
setup.sh --profile=power-user.
The choice persists in ~/.claude/settings.local.json (vt_profile key) and is re-applied automatically on setup.sh --update. To switch back to the conservative default, run setup.sh --profile=regular. Project-local additions belong in .claudeignore (template) and .gitignore (template).
4. The --dangerously-skip-permissions Flag¶
Warning.
claude --dangerously-skip-permissionsdisables every permission check for the entire session — no deny rules, no classifier, no prompts. If something goes wrong, the agent can read secrets, write outside the project, or call destructive commands without you noticing. Do not use this on your main workstation. Full policy: CLAUDE.md Rule 10b.
Acceptable scenarios (where the lowered gate is reasonable):
- Disposable VM — a throwaway sandbox you'll destroy after the demo, with no access to credentials or shared infrastructure.
- CI sandbox without secrets — an ephemeral CI runner running on test fixtures only, where no
.env, no production tokens, and no SSH keys are mounted. - Throwaway demo container — a Docker container brought up for a single recorded demo, then thrown away.
Note: the CLI flag is different from the interactive bypassPermissions mode (Section 1). Both lower the gate, but bypassPermissions is per-session and reversible; the CLI flag affects the whole process.
5. What to Do When Something Seems Off¶
If Claude does something unexpected, work through this 5-step playbook in order — and run /vt-c-security-scan for the canonical 11-category audit at step 3. Don't ad-lib; small detours hide evidence.
- Pause. Cancel the running tool call (Ctrl-C if streaming) or close the session. Do not approve further actions.
- Snapshot. Run
git statusandgit diffto see what changed on disk. Save the session transcript if your interface supports it. Don'tgit addorgit commityet. - Investigate. Run
/vt-c-security-scanfor the 11-category audit, then read the changed files and check the diff against your intent. - Escalate. If the change touches secrets, deletes data, or hits an external service in a way you didn't authorize, tell your team lead now. Don't try to "fix it" alone.
- Report. Capture what you saw in an issue or incident note, including the prompt that triggered the behaviour. Future-you (and future-toolkit) will use this.
Longer-form security docs: docs/security/hardening-guide.md.
6. SPEC-114 Cross-Reference Index¶
For auditors and advanced users who want to read the security baseline directly, these are the Tier 2 deliverables of SPEC-114:
- configs/security/config-snapshot.yaml — audit snapshot of deployed rule counts per category
- configs/security/trusted-hooks.yaml — SHA-256 registry of approved hook implementations
- configs/security/drift-waivers.yaml — per-project waiver mechanism for justified deviations from the baseline
- plugins/core-standards/scripts/install-hooks.sh — hook installer (sets
HOOK_HOMEenv in git hooks) - templates/scaffold/coding/.gitleaks.toml — GitLeaks config for coding and mixed projects
For the human-readable per-category threat model see configs/security/SECURITY-CONFIG.md. For the version-1.1.0 baseline see configs/security/baseline-settings.json.