Permissions and sandboxing
We've already seen that Claude Code stops to ask for approval before risky actions. But 'approve' isn't a button you press without thinking — it's a habit: stop, actually read the command, the reason, and the scope, and only then decide. In this lesson we'll learn to recognize three categories that
Before signing a contract, you read every clause carefully instead of trusting just the headline. A chemist testing a risky reaction does it behind a thick glass shield inside a fume hood, not out on an open table.
- least privilege
- Giving the agent only the narrowest permission the current task actually needs — not broad access 'just in case'.
- sandboxed execution
- Running a command inside an isolated, disposable environment — no network access, no writes to real host files — so damage stays contained inside it.
- force-push
- A git push that overwrites remote history; on a shared branch it can silently erase other people's commits.
- network exfiltration
- An outbound network call that sends local — sometimes sensitive — data to an external destination unrelated to the task you asked for.