cf permission
Manage Claude Code permission rules for Coding Friend skills and hooks.
Overview
Interactive permission manager for Coding Friend. Configures Claude Code permission rules so skills and hooks can run without repeated prompts.
cf permission
For the full list of rules and which skills use them, see Permissions Reference.
💡 You can run it multiple times to add or remove rules.
Usage
# Interactive — browse categories and pick rules
cf permission
# Apply all recommended permissions without prompts
cf permission --all
# Choose scope explicitly
cf permission --project # .claude/settings.local.json (default)
cf permission --user # ~/.claude/settings.json (all projects)
# Combine: apply all to user scope
cf permission --all --user
How It Works
- Asks where to save permissions (project or user scope)
- Shows permission categories with progress indicators (e.g., "3/5 ✓") plus an Auto-approve toggle
- Lets you drill into each category to check/uncheck individual rules — each rule has a colored tag prefix indicating its type (
[read-only],[modify],[write],[remote],[execute],[network]) - The Auto-approve toggle lets you enable/disable auto-approve (auto-approves read-only tools + working-dir file edits, LLM classifier for unknowns) and choose whether to save the setting globally or per-project. When enabling, it audits existing permissions for dangerous rules that would bypass the classifier
- Computes the diff (rules to add, rules to remove)
- Asks for confirmation before writing changes
- Automatically cleans up stale old-format per-script rules
Scope
By default, cf permission asks you to choose between:
- Project (
.claude/settings.local.json) — scoped to this project only, gitignored - User (
~/.claude/settings.json) — applies to all projects
Use --project or --user to skip the prompt.
Permission Tiers
Coding Friend organizes permissions into two tiers:
- Tier 1 (Static) — Path-independent rules like
Bash(git add *),Bash(npm test *), MCP memory tools. These are stable across plugin updates. - Tier 2 (Plugin Scripts) — Four rules that cover all Coding Friend plugin scripts: two Bash rules (quoted and unquoted path invocations) and two Read rules (plugin cache and global config). These patterns are version-independent, so permissions survive plugin updates automatically — no refresh needed.
When adding Plugin Script permissions, cf permission shows a warning explaining the wide pattern and asks for confirmation.
Also Available In
cf init— Step 8 offers to apply all recommended permissions during initial setupcf config→ Permissions — same options accessible from the config menu
See Also
- Permissions Reference — full permission list with descriptions
cf init— initial setup wizard (Step 8 handles permissions)cf config— edit settings including permissions- Security — security model