Tools & Permissions

Default Behaviour

All Claude Code tools are disabled by default. This is intentional — it prevents potentially harmful operations (like file writes or shell commands) from running automatically the first time you open a session.

You need to explicitly enable the tools you want to use.

Enabling Tools

1. Click the gear icon in the sidebar to open Tools Settings
2. Toggle on the tools you need
3. Your preferences are saved locally and persist across sessions

Recommended approach: Start with read-only tools enabled and add write/execute permissions only when you need them.

Available Tool Categories

Scoped Bash Permissions

Rather than enabling all Bash commands, you can scope permissions to specific commands:

{
  "permissions": {
    "allow": [
      "Bash(npm run lint)",
      "Bash(npm run test *)",
      "Bash(git log:*)"
    ],
    "deny": [
      "Bash(curl *)",
      "Read(./.env)"
    ]
  }
}

This is written to your ~/.claude/settings.json and takes effect immediately in both CloudCLI UI and the Claude Code CLI.

How Settings Sync

Permission changes you make in CloudCLI UI are written directly to your local ~/.claude config. This means:

• Changes appear immediately in your Claude Code CLI sessions
• MCP servers you add via the UI show up when you run claude in your terminal
• There is no separate config to maintain

Project-Scoped vs Global Permissions

Settings can be scoped at two levels:

• Global (~/.claude/settings.json) — applies to all projects
• Project (.claude/settings.json in the project root) — overrides global for that project only

Project-scoped settings can be committed to your repo so teammates share the same tool configuration. If you're working with a team, shared cloud environments for teams let you distribute MCP servers, tool permissions, and context files to every developer automatically.