Hi, I'm ThadeusB.

If you're using Claude Code you've probably toggled between "approve every single file read" and --dangerously-skip-permissions. There's a middle ground and it's embarrassingly simple: just ask Claude to configure its own permissions.

Paste this prompt into Claude Code and it'll inspect your current settings, discover your local tooling, and apply a sane policy:

Configure Claude Code global permissions for a non-destructive auto-approve workflow.

Policy:
1) Auto-allow:
   - Read-only file/system inspection
   - Search, diff, and codebase analysis
   - Read-only git operations
   - Non-destructive tooling checks and dry-runs

2) Ask first:
   - File/content modifications and deletions
   - State-changing git actions (staging, commit, push, history rewrite)
   - Process control and privilege escalation
   - Package install/upgrade/remove operations
   - Any action that changes external systems/services

3) Hard-deny:
   - Writes under ~/.ssh/**
   - Writes under ~/.aws/**
   - Writes under ~/.gnupg/**

Requirements:
- Preserve all existing non-permission settings.
- Discover local tooling and include safe read-only usage patterns.
- Unknown actions default to ask-first.
- Output the final merged settings plus a short summary of allow/prompt/deny groups.

That's it. Claude reads your existing config, figures out what tools you have installed, and writes a permission set that auto-allows anything read-only while keeping a human in the loop for writes, pushes, and installs.

Worth noting

• Keep hard-deny small. Only credential paths. If your deny list is growing you're overcomplicating it.
• Review the first run per repo. Let it discover repo-specific tooling, adjust once, then forget about it.
• Classify by effect, not command name. git log is not git push. The prompt handles this already.

Save the prompt as a skill if you bootstrap environments often. One prompt, runs in 30 seconds, and you stop clicking "Allow" on cat.