Security by Design
Claude Code operates on a capability-based security model. Unlike traditional CLI tools, Claude must be explicitly granted capabilities to interact with your environment.
Tool-Level Authorization
Every potentially dangerous action requires permission:
- One-time: Approve a single specific call
- Session: Approve all calls for that tool until exit
- Persistent: Save to config for future sessions
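The sketch below is an added example that models the three grant scopes as a default-deny gate. It is not Claude Code's own implementation, and the tool names, the permissions.json file name and its allowed_tools key are assumptions made for illustration.

```python
import json
import os
import tempfile

class PermissionGate:
    """Default-deny gate: a tool call runs only if some grant covers it."""
    def __init__(self, config_path):
        self.config_path = config_path
        self.one_time, self.session = set(), set()  # in memory only
        self.persistent = set()                      # mirrored to config
        if os.path.exists(config_path):
            with open(config_path) as f:
                self.persistent = set(json.load(f)["allowed_tools"])

    @staticmethod
    def _key(tool, args):
        return json.dumps([tool, args], sort_keys=True)  # exact tool + arguments

    def grant(self, scope, tool, args=None):
        if scope == "one-time":
            self.one_time.add(self._key(tool, args))
        elif scope == "session":
            self.session.add(tool)
        elif scope == "persistent":
            self.persistent.add(tool)
            with open(self.config_path, "w") as f:
                json.dump({"allowed_tools": sorted(self.persistent)}, f)
        else:
            raise ValueError(f"unknown scope: {scope}")

    def is_allowed(self, tool, args):
        if tool in self.persistent or tool in self.session:
            return True
        key = self._key(tool, args)
        allowed = key in self.one_time
        self.one_time.discard(key)  # a one-time grant is consumed on use
        return allowed              # False when nothing matched

def demo():
    path = os.path.join(tempfile.mkdtemp(), "permissions.json")  # constructed path
    gate = PermissionGate(path)
    gate.grant("one-time", "shell", {"cmd": "ls"})
    gate.grant("session", "edit")
    gate.grant("persistent", "read")
    calls = [("shell", {"cmd": "cat notes.txt"}), ("shell", {"cmd": "ls"}),
             ("shell", {"cmd": "ls"}), ("edit", {"file": "a.py"})]
    out = [gate.is_allowed(tool, args) for tool, args in calls]
    restarted = PermissionGate(path)  # new process: only saved grants survive
    return out + [restarted.is_allowed("edit", {}), restarted.is_allowed("read", {})]
```

In this model a one-time grant covers neither a call with different arguments nor a repeat of the same call, and a session grant does not outlive the process that received it.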
Security Tip
Use --allow-read when starting Claude to restrict its read access to the current directory, preventing access to sensitive files in your home folder.