EPISODE · Jun 1, 2026
Permissions, settings.json, and plan mode: making one Claude Code session safe
from OCDevel Claude Code Podcast
You can't automate a tool you don't trust. This episode is the control surface: where settings live and which file wins, how to write tight allow/ask/deny permission rules (the real fence, not CLAUDE.md), the permission modes and the Shift+Tab plan-to-act toggle, and the slash commands a power user reaches for first, including the /rewind safety net. Plus the one pitfall everyone hits: the overly broad Bash(*) allow rule.

Episode 1 got a session running. This one makes it safe to leave running. We cover the control surfaces that turn Claude Code from a sharp tool you babysit into one you actually trust.

Settings files and precedence. The four scopes you touch (~/.claude/settings.json, .claude/settings.json, .claude/settings.local.json, and enterprise-managed settings), which file wins when they collide, and the catch that permission rules merge across layers instead of overriding, with deny always winning. See the settings reference.

The permission grammar. Why rules are enforced by Claude Code, not the model, so CLAUDE.md is advice and permission rules are the fence. The allow/ask/deny lists and their deny-first evaluation order. Bash glob patterns and the space-before-star word boundary, compound-command parsing, wrapper stripping (and the devbox run footgun), and gitignore-style path anchors for Read/Edit/Write. From the permissions reference.

Modes and the plan-to-act toggle. default, acceptEdits, plan, plus auto, dontAsk, and the genuinely dangerous bypassPermissions (--dangerously-skip-permissions). The Shift+Tab cycle, the plan-mode workflow, and editing a proposed plan with Ctrl+G. See the permission modes reference.

Slash commands a power user hits early. /clear vs /compact, /context, /config (where the removed /vim moved), /model, /permissions, /cost (now an alias for /usage), /review and /code-review, and the safety net of the episode: /rewind and double-Esc, plus the checkpointing gotcha that bash-modified files aren't tracked.

The pitfall: the overly broad Bash(*) allow rule, why argument-constraining Bash patterns are fragile, and the deny-curl-use-WebFetch pattern instead.

If you've stopped seeing prompts but never wrote specific allow rules, that's your cue to open /permissions and find what's too wide.
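The merge and deny-first behaviour described in these notes, as an added example that is not from the episode or from Claude Code itself: a simplified Python model that unions rules across settings layers, evaluates deny before ask before allow, and flags allow rules that are too wide. The function names and sample layers are constructed; matching uses `fnmatch` as a stand-in and ignores compound-command parsing and wrapper stripping.

```python
import fnmatch
import json

# Constructed sample layers (not from the episode): user, project, local.
LAYERS = {
    "~/.claude/settings.json": '{"permissions": {"deny": ["Bash(curl *)"], "allow": ["WebFetch"]}}',
    ".claude/settings.json": '{"permissions": {"allow": ["Bash(npm run test *)", "Bash(ls*)"]}}',
    ".claude/settings.local.json": '{"permissions": {"allow": ["Bash(*)", "Bash(curl *)"]}}',
}

def merge(layers):
    """Union each list across layers: rules merge, they do not override."""
    merged = {"deny": [], "ask": [], "allow": []}
    for text in layers.values():
        perms = json.loads(text).get("permissions", {})
        for kind in merged:
            merged[kind] += perms.get(kind, [])
    return merged

def bash_match(rule, command):
    """Simplified Bash(...) matcher; an assumption, not Claude Code's parser."""
    if rule == "Bash":  # bare tool name: every command
        return True
    if not (rule.startswith("Bash(") and rule.endswith(")")):
        return False
    return fnmatch.fnmatchcase(command, rule[5:-1])

def decide(merged, command):
    """Deny-first: deny, then ask, then allow; no match is assumed to prompt."""
    for kind in ("deny", "ask", "allow"):
        if any(bash_match(r, command) for r in merged[kind]):
            return kind
    return "ask"

def too_wide(merged):
    """Flag allow rules that match everything or lack the space-before-star boundary."""
    findings = []
    for rule in merged["allow"]:
        if rule in ("Bash", "Bash(*)"):
            findings.append((rule, "allows every shell command"))
        elif rule.startswith("Bash(") and rule.endswith("*)") and not rule.endswith(" *)"):
            findings.append((rule, "no word boundary before *"))
    return findings

if __name__ == "__main__":
    merged = merge(LAYERS)
    print(decide(merged, "curl https://example.com"))  # deny beats the local allow
    print(too_wide(merged))
```

In this model the local layer's `Bash(curl *)` allow cannot undo the user-level deny, while `Bash(*)` silently allows everything that no deny rule names.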