The question: How do I let Claude freely run show commands while physically preventing it from ever typing configure terminal without my explicit approval?
Why networking demands a different safety model
In software, a bad code change gets caught by tests or reverted with git. In networking, a bad config change takes down the production network in under a second. There's no unit test for "did I just blackhole the default route." There's no undo button for an ACL that blocks the management plane. The cost of error is fundamentally different, and the permission system must reflect that.
The settings file
Create .claude/settings.json:
{
  "permissions": {
    "allow": [
      "Read",
      "Glob",
      "Grep",
      "Bash(ping:*)",
      "Bash(traceroute:*)",
      "Bash(mtr:*)",
      "Bash(nmap -sn:*)",
      "Bash(dig:*)",
      "Bash(nslookup:*)",
      "Bash(whois:*)",
      "Bash(ssh * show:*)",
      "Bash(ssh * display:*)",
      "Bash(ssh * get:*)",
      "Bash(cat:*)",
      "Bash(jq:*)",
      "Bash(grep:*)",
      "Bash(ansible-inventory:*)",
      "Bash(terraform plan:*)",
      "Bash(terraform validate:*)",
      "Bash(terraform fmt:*)",
      "Bash(git status:*)",
      "Bash(git log:*)",
      "Bash(git diff:*)"
    ],
    "deny": [
      "Bash(ssh * conf:*)",
      "Bash(ssh * configure:*)",
      "Bash(ssh * reload:*)",
      "Bash(ssh * reboot:*)",
      "Bash(ssh * write:*)",
      "Bash(ssh * copy run:*)",
      "Bash(ssh * delete:*)",
      "Bash(rm -rf:*)",
      "Bash(sudo:*)",
      "Bash(terraform apply:*)",
      "Bash(terraform destroy:*)",
      "Bash(ansible-playbook:*)"
    ],
    "ask": [
      "Bash(ansible-playbook --check:*)",
      "Bash(terraform apply -target:*)",
      "Bash(scp:*)",
      "Bash(git push:*)",
      "Bash(git commit:*)"
    ],
    "defaultMode": "askEdits"
  }
}
This permission set encodes the first law of network operations: reads are safe, writes are dangerous.
The allow list runs without prompting. Every command on it is read-only — show commands via SSH, ping, dig, terraform plan, file reads. Claude executes these silently, which makes troubleshooting feel fluid rather than interrupted.
The deny list is absolute. Nothing on this list executes, ever — not even if Claude asks and you accidentally approve. configure terminal, reload, write memory, terraform apply, ansible-playbook — blocked at the system level. This is not guidance. It's a physical lock.
The ask list covers commands that require judgment. An Ansible dry run (--check) is usually safe. A targeted Terraform apply to a single resource might be fine. An SCP file transfer needs you to verify the destination. Claude prompts for each one and waits for your decision.
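The precedence the three lists imply (deny is final, then allow, then ask, then the default mode) can be checked against the ruleset itself before trusting it. The following is an added example, not part of the post or of Claude Code; it assumes that `Bash(pattern:*)` is a prefix match and that a bare `*` stands for one whitespace-free token, and it reuses an excerpt of the rules above as constructed test data. The audit at the end shows which ask entries can never prompt, because a broader deny prefix already catches them under deny-first precedence.

```python
import re
from typing import Optional, Tuple

# Excerpt of the page's rules, reused here as constructed test data.
RULES = {
    "allow": ["Bash(ssh * show:*)", "Bash(terraform plan:*)", "Bash(git diff:*)"],
    "deny": ["Bash(ssh * configure:*)", "Bash(ssh * reload:*)", "Bash(sudo:*)",
             "Bash(terraform apply:*)", "Bash(ansible-playbook:*)"],
    "ask": ["Bash(ansible-playbook --check:*)", "Bash(terraform apply -target:*)",
            "Bash(scp:*)"],
}
_RULE = re.compile(r"Bash\((.*?)(:\*)?\)")


def rule_to_regex(rule: str) -> "re.Pattern":
    """Translate a Bash(...) rule into a regex. Assumed semantics: a bare '*'
    is one whitespace-free token, a trailing ':*' turns the rule into a prefix."""
    m = _RULE.fullmatch(rule)
    if not m:
        raise ValueError(f"unsupported rule syntax: {rule}")
    body = re.escape(m.group(1)).replace(r"\*", r"\S+")
    tail = ".*" if m.group(2) else ""
    return re.compile(rf"^{body}{tail}$")


def evaluate(command: str, rules=RULES, default: str = "askEdits") -> Tuple[str, Optional[str]]:
    """Return (verdict, matching rule). Deny is checked first and is final,
    mirroring the text: a denied command never runs, even if approved."""
    for bucket in ("deny", "allow", "ask"):
        for rule in rules[bucket]:
            if rule_to_regex(rule).match(command):
                return bucket, rule
    return default, None  # nothing matched: the configured defaultMode applies


def shadowed_ask_rules(rules=RULES) -> list:
    """Ask rules that can never prompt: a deny prefix already covers the ask
    rule's own prefix, so deny-first precedence swallows every command they match."""
    shadowed = []
    for ask in rules["ask"]:
        probe = _RULE.fullmatch(ask).group(1).replace("*", "x") + " arg"
        if evaluate(probe, rules)[0] == "deny":
            shadowed.append(ask)
    return shadowed


if __name__ == "__main__":
    for cmd in ("ssh core-sw1 show ip route", "ssh core-sw1 configure terminal",
                "terraform apply -target=module.edge", "scp r1.cfg ops@bastion:/tmp"):
        print(f"{cmd!r:45} -> {evaluate(cmd)}")
    print("ask rules shadowed by deny:", shadowed_ask_rules())
```

Run against the full settings file, the same audit tells you whether an ask entry such as the Ansible dry run actually reaches the prompt or is silently swallowed by the broader deny entry above it.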
The sandbox
For additional isolation — say, analyzing configs from an untrusted vendor or a compromised device:
/sandbox
Sandbox mode restricts Claude to the project directory at the OS level. It cannot access your SSH keys, .env files, credentials, or anything outside the project tree. Use it when the input is suspect.