Read Only Tailored

Restrict Claude Code to read-only operations for safe code review, analysis, and security auditing.

When to Use This Setting

Apply this setting when you need to:

• Explore an unfamiliar codebase without any risk of accidental modifications
• Conduct security audits where the tool must not alter any files or execute commands
• Perform code reviews where Claude Code should analyze but never change source files Consider alternatives when:
• You need Claude Code to make suggested changes directly in the codebase
• Your workflow requires running build commands or test suites as part of the review process

Quick Start

Configuration

Copy
name: read-only-tailored
type: setting
category: permissions

Example Application

Copy
claude setting:apply read-only-tailored

Example Output

Setting applied. Changes:
- permissions.allow: [Read(**/*), Glob, Grep, LS]
- permissions.deny: [Edit, Write, MultiEdit, Bash, WebFetch]

Core Concepts

Read-Only Model Overview

Aspect	Details
Allowed Tools	Read, Glob, Grep, and LS for file reading, searching, and listing
Denied Tools	Edit, Write, MultiEdit, Bash, and WebFetch are completely blocked
Safety Guarantee	No file modifications or command executions can occur under this setting
Use Cases	Code review, security audit, codebase exploration, documentation analysis

Read-Only Boundary Architecture

+---------------------------+
|  ALLOWED (read-only)      |
+---------------------------+
|  Read(**/*) - Any file    |
|  Glob      - Find files   |
|  Grep      - Search code  |
|  LS        - List dirs    |
+---------------------------+
         |
         | (hard boundary)
         v
+---------------------------+
|  DENIED (all writes)      |
+---------------------------+
|  Edit     - File edits    |
|  Write    - File creation |
|  MultiEdit- Batch edits   |
|  Bash     - All commands  |
|  WebFetch - Network calls |
+---------------------------+

Configuration

Parameter	Type	Default	Description
permissions.allow	array	[]	List of read-only tools permitted in this mode
permissions.deny	array	[]	List of write and execution tools blocked in this mode
Read(**/*)	string	N/A	Allow reading any file in any subdirectory of the project
Glob	string	N/A	Allow file pattern matching for navigation and discovery
Bash	string	N/A	Deny all bash command execution without exception

Best Practices

1. Use read-only mode for initial codebase exploration - When joining a new project or reviewing a contribution, start in read-only mode to understand the codebase before enabling write permissions.
2. Apply during security audits - Security reviews require that the auditing tool cannot modify files or execute commands. Read-only mode provides this guarantee at the permission level.
3. Combine with additional directory access - If your review spans multiple repositories, pair read-only mode with additional-directories settings to access related codebases while maintaining the no-write guarantee.
4. Switch to development mode after review - Once you have completed your analysis and are ready to implement changes, switch to development-mode-enhanced or a custom write-enabled profile.
5. Use for training and onboarding - New team members can safely explore the codebase with Claude Code in read-only mode, asking questions and navigating without risk of accidental changes.

Common Issues

1. Cannot run tests or build commands - Read-only mode blocks all Bash execution. If you need to verify behavior, switch to a profile that allows specific test commands while still denying file writes.
2. WebFetch blocked prevents external documentation lookup - The deny rule for WebFetch blocks all network requests. If you need external documentation access during review, create a custom profile that allows WebFetch while denying writes.
3. Cannot view command output for debugging - Since Bash is denied, you cannot run diagnostic commands. Use Grep and Read to find the information you need in configuration files and logs instead.