Security & Permissions Intermediate
Read-Only Agent
Lock Claude to read-only file access — the correct pattern using BOTH allowedTools and disallowedTools
Command
$ claude -p "Analyze this codebase for security issues" \
    --allowedTools "Read,Grep,Glob" \
    --disallowedTools "Write,Edit,Bash,WebFetch,WebSearch" \
    --permission-mode bypassPermissions \
    --output-format json
Response
{
  "subtype": "success",
  "result": "## Security Analysis\nFound 3 potential issues...",
  "num_turns": 4,
  "permission_denials": []
}
Parsing Code
const { execFileSync } = require('child_process');

// Assumed value; the original leaves opts to the caller.
// encoding makes execFileSync return a string instead of a Buffer.
const opts = { encoding: 'utf8' };

// Run Claude with the read-only tool lists and parse the JSON result.
const data = JSON.parse(execFileSync('claude', [
  '-p', 'Analyze codebase',
  '--allowedTools', 'Read,Grep,Glob',
  '--disallowedTools', 'Write,Edit,Bash,WebFetch,WebSearch',
  '--permission-mode', 'bypassPermissions',
  '--output-format', 'json'
], opts));
Gotchas
! Must use BOTH --allowedTools AND --disallowedTools — with only --allowedTools, Claude falls back to Bash to write files
! This is the correct pattern for a truly read-only agent
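Added example (not part of the original card): a wrapper for the parsing code above that refuses to build the command without both tool lists and inspects permission_denials before the result is trusted. The function names and the tool_name field of a denial entry are assumptions, and the sample outputs are constructed.

```javascript
// Tool lists from the command above.
const ALLOWED = ['Read', 'Grep', 'Glob'];
const DISALLOWED = ['Write', 'Edit', 'Bash', 'WebFetch', 'WebSearch'];

// Build the CLI arguments; refuse a config that drops either list or
// names a tool in both.
function buildReadOnlyArgs(prompt, allowed = ALLOWED, disallowed = DISALLOWED) {
  if (allowed.length === 0 || disallowed.length === 0) {
    throw new Error('both --allowedTools and --disallowedTools are required');
  }
  const overlap = allowed.filter((t) => disallowed.includes(t));
  if (overlap.length > 0) {
    throw new Error(`allowed and disallowed overlap: ${overlap.join(',')}`);
  }
  return ['-p', prompt,
    '--allowedTools', allowed.join(','),
    '--disallowedTools', disallowed.join(','),
    '--permission-mode', 'bypassPermissions',
    '--output-format', 'json'];
}

// Parse the CLI's JSON output and fail closed on anything unexpected.
// Assumption: each permission_denials entry carries a tool_name field.
function auditRun(stdout) {
  let data;
  try {
    data = JSON.parse(stdout);
  } catch (err) {
    return { ok: false, reason: 'output is not valid JSON', attempted: [] };
  }
  if (!data || !Array.isArray(data.permission_denials)) {
    return { ok: false, reason: 'permission_denials missing', attempted: [] };
  }
  // A denial means the deny list held, but the attempt is worth surfacing.
  const names = data.permission_denials.map((d) => (d && d.tool_name) || 'unknown');
  const attempted = [...new Set(names)];
  if (data.subtype !== 'success') {
    return { ok: false, reason: `subtype=${data.subtype}`, attempted };
  }
  if (attempted.length > 0) {
    return { ok: false, reason: 'agent attempted blocked tools', attempted };
  }
  return { ok: true, reason: 'clean', attempted, result: data.result };
}

// Constructed sample outputs (not captured from a real run).
const CLEAN = '{"subtype":"success","result":"## Security Analysis","num_turns":4,"permission_denials":[]}';
const DENIED = '{"subtype":"success","result":"...","num_turns":6,"permission_denials":[{"tool_name":"Bash"},{"tool_name":"Bash"},{"tool_name":"Write"}]}';
```

Pass the string returned by execFileSync to auditRun and use result only when ok is true.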