Claude Code
Sane defaults for Claude Code itself: allows the built-in tools so routine work doesn't prompt, and redirects /tmp paths to a per-session sandbox (/tmp/claude) so scratch files stay isolated.
.claude/fencepost.yaml
import:
  - claude
Full preset
presets/claude.yaml
# Fencepost preset: claude
meta:
  title: Claude Code
  description: >-
    Sane defaults for Claude Code itself: allows the built-in tools so routine
    work doesn't prompt, and redirects /tmp paths to a per-session sandbox
    (/tmp/claude) so scratch files stay isolated.

# Rewrite /tmp -> /tmp/claude in tool inputs (Bash commands and file paths).
redirect:
  tmp: true
  tmpTarget: /tmp/claude

tools:
  # WebFetch and WebSearch are intentionally NOT allow-listed; they reach
  # external services, so they fall through to your `default` decision (see
  # the claude-web preset). `Bash` is also intentionally absent: fencepost
  # always routes Bash through the bash command pipeline, so listing it here
  # would have no effect.
  allow:
    - Read
    - Glob
    - Grep
    - Edit
    - Write
    - NotebookEdit
    - TodoWrite
    - Task
    - ExitPlanMode
    - BashOutput
    - KillShell

bash:
  # Structured rules (feature 20) over the parsed command.
  arguments:
    # Allow scratch file ops when EVERY path argument is inside the sandbox.
    # This is multi-target safe: "rm -rf /tmp/claude/x /etc" is NOT allowed,
    # because /etc is outside the sandbox.
    - command: "rm|rmdir|mkdir|touch|cp|mv|cat|ls|head|tail|stat|wc|file"
      allArgsInside: ["/tmp/claude"]
      decision: allow
  redirects:
    # Block writing/appending to an absolute path outside the sandbox or the
    # project. (With redirect.tmp on, /tmp writes are already steered inward.)
    - mode: write
      outside: ["/tmp/claude", "."]
      decision: deny
      description: "Redirecting output outside the sandbox can clobber files."
      alternative: "Write under /tmp/claude/ or a path inside the project."
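As an added illustration, not fencepost's own code (its real parser, matching and rule order are not documented on this page), here is a Python model of how the three settings above compose on a single Bash command: the /tmp rewrite, the write-redirect deny rule, and the allArgsInside allow rule. PROJECT is an assumed working directory standing in for the preset's "." root; the command set and roots are copied from the preset.

```python
import os
import shlex

SANDBOX = "/tmp/claude"
PROJECT = "/home/dev/project"  # assumed working directory; the preset's "." root
SCRATCH_CMDS = {"rm", "rmdir", "mkdir", "touch", "cp", "mv", "cat", "ls",
                "head", "tail", "stat", "wc", "file"}
CONTROL = {"|", ";", "&", "&&", "||"}


def inside(path, roots):
    """Containment test on normalized paths: '/tmp/claude-evil' and
    '/tmp/claude/../../etc' both resolve OUTSIDE /tmp/claude."""
    full = os.path.normpath(os.path.join(PROJECT, path))
    for root in roots:
        root = os.path.normpath(os.path.join(PROJECT, root))
        if os.path.commonpath([full, root]) == root:
            return True
    return False


def redirect_tmp(tok):
    """redirect.tmp: steer a /tmp path that is not already in the sandbox
    into /tmp/claude (normalized first so '..' cannot escape the rewrite)."""
    norm = os.path.normpath(tok)
    if (norm == "/tmp" or norm.startswith("/tmp/")) and not inside(norm, [SANDBOX]):
        return SANDBOX + norm[len("/tmp"):]
    return tok


def decide(command):
    """Apply the preset's bash rules to one command line: tmp redirect first,
    then the write-redirect deny rule, then the allArgsInside allow rule.
    Returns 'allow', 'deny' or 'default' (no rule matched, so the global
    default decision applies). Assumed semantics, not fencepost's code."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # '>' and '>>' become their own tokens
    toks = [redirect_tmp(t) for t in lex]
    # redirects / mode: write -- a '>' or '>>' target outside sandbox and project
    for i, t in enumerate(toks):
        if t in (">", ">>") and i + 1 < len(toks):
            if not inside(toks[i + 1], [SANDBOX, "."]):
                return "deny"
    if any(t in CONTROL for t in toks):
        return "default"  # pipelines and lists are not matched by this simplified rule
    # arguments / allArgsInside -- EVERY non-option argument must be in-sandbox
    if toks and toks[0] in SCRATCH_CMDS:
        args = [t for t in toks[1:] if not t.startswith("-") and t not in (">", ">>")]
        if args and all(inside(a, [SANDBOX]) for a in args):
            return "allow"
    return "default"
```

Note that a multi-target command with one out-of-sandbox path falls through to the default decision rather than being allowed, which is the property the preset's comment describes.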