Skip to content
Agentic Control Plane
Topic hub

Claude Code: permissions, cost, control

A real Claude Code session declares 76 tools in every API request — the coding loop, plus tools that send messages, publish public web pages, schedule their own future runs, and drive your logged-in browser. Most of what's written about Claude Code permissions covers three of them. These posts cover the rest, from live captured traffic: which tools to deny out of the box, how the deny list gets bypassed, what a full working day costs at API rates ($148.16, in one real session), and how to see all of it on your own machine.

Start with the Tool Surface Index — the live capture this cluster is built on — or the one-command setup on ACP for coding agents.

Posts on Claude Code

  1. Which Claude Code Tools Should You Deny (or Gate Behind Approval) Out of the Box?
    One Claude Code session declares 76 tools. The core coding loop isn't the risk — the never-invoked tail is: tools that send, schedule, publish, and spawn. A default posture, argued from blast radius, not asserted.
  2. AI Agent Tool Allowlists: Deny by Default, Scope per Task, Audit Everything
    One Claude Code session declares 76 tools; 64 of them never fire. A tool allowlist is the list of calls your agent may make — everything else denied. How to set one in Claude Code, Codex CLI, and MCP, and where client-side lists stop holding.
  3. Claude Code's Deny List Can Be Bypassed. Here's What a Real Enforcement Boundary Looks Like.
    Deny rules match command strings inside the client — compound commands, substitution, and one documented flag all route around them. Where client-side permissions honestly stop, and what enforcement outside the agent process looks like.
  4. Claude Code's --dangerously-skip-permissions disables every governance hook
    Claude Code's --dangerously-skip-permissions silently disables every PreToolUse and PostToolUse hook, including ACP's. How to detect it server-side.
  5. Claude Code Cost Tracking: Token Counters Tell You What You Spent, Not Where It Went
    A real working day of Claude Code: 276 model calls, 1,697 tool calls, $148.16 at API rates — 100% of it loop tax. Why /cost, ccusage, and proxy totals can't show you that, and what per-action attribution looks like.
  6. Log and Control Every Claude Code Tool Call in 60 Seconds
    One command puts a hook on every Claude Code tool call. Bash, Read, Write, Edit, WebFetch — logged, checked against your allow/deny rules, visible in a dashboard.
  7. Codex CLI Hooks: PreToolUse & PostToolUse Reference
    How Codex CLI hooks work: enable the codex_hooks flag, what PreToolUse covers (Bash only, by design), why only deny is operational, and how to govern apply_patch and MCP calls.
  8. Stop your AI agent from running `rm -rf` on your filesystem — in three steps
    Cursor and Claude Code agents have wiped home directories mid-session. The fix isn't smarter prompting — it's a control plane between the agent's tool call and your filesystem. Here's the exact configuration.
  9. Stop your AI agent from rewriting your git history — in three steps
    Claude Code, Cline, and Cursor agents have force-pushed over teammates' work, reset uncommitted changes, and stripped commits from production branches. The model can't see what you'd lose. A control plane between the agent and your git remote can.
  10. Stop your AI agent from leaking secrets in your `.env` file — in three steps
    AI coding agents read your .env files by default. They quote secrets back into commits, paste them into chat logs, and surface them in tool outputs. Here's how to gate that without breaking your agent's actual job.

Related: tool permissions & policy · agent costs · the Stop Your Agent From… series · all posts