I Believed Plan Mode Only Read — Replacing That Belief With Machinery
Claude Code 2.1.212 fixed a bug where plan mode ran file-modifying Bash commands without the permission prompt or the SDK canUseTool callback. Here is what could happen while that assumption was broken, how to verify your own setup, and how to stop leaning on a mode name for safety.
The String I Approved Wasn't the String I Read — Testing a Relayed Permission Prompt with Deceptive Characters
I pushed bidi overrides and zero-width characters through my own approval relay. NFKC normalization caught 0%. Here is why, and the implementation that catches 100% with zero false positives.
The Permission Rules You Added for Safety Are Taxing Every Turn — Auditing the Ruleset Without Loosening It
Version 2.1.209 fixed the per-turn slowdown from large deny/ask rulesets, but the design debt in your rules is still yours. Here are the audit scripts, a shadowing detector, a turn-timing harness, and how to fold enumerated rules into prefix rules safely.
Give an Unattended Agent Only the MCP Tools It Needs — Enforcing a Deny-by-Default Policy
An unattended Claude Code agent can't lean on a permission prompt, so whatever a tool can reach becomes the blast radius. Here's how to lock MCP servers and tools down to deny-by-default and hand back only what the job needs, with managed-settings.json examples.
Stopping Claude Code Before It Runs a Destructive Command — a PreToolUse Screening Hook
How I wired a PreToolUse hook that screens every Bash command Claude Code is about to run: the settings.json setup, the Python screening script, what exit code 2 really does, and the false positives I tuned out over several weeks.
react-native-permissions vs Expo Permissions API — Claude Code
Should you use react-native-permissions or the Expo permissions API? This guide clarifies the decision criteria and shows practical iOS/Android implementation patterns using Claude Code, including common pitfalls and Privacy Manifest requirements.