Audit, review, and clean up your Claude Code standing permissions.
GrantGuard audits the permission allowlist that Claude Code builds up as you click "always allow."
Hidden away in settings files that are rarely audited, these permissions strings can contain
substantive risks: API keys once pasted into a command, unrestricted git push
, commands that read your OS credential store, common destructive commands, and more.
GrantGuard classifies and groups granted permissions into risk groups, with a UI for easy review and one-click removal of unsafe or unwanted permission grants.
GrantGuard runs as a small local Python app using Python's standard library and browser-native HTML/CSS/JS. GrantGuard does not install or load third-party runtime Python packages, npm packages, web UI frameworks, or CDN-hosted scripts.
Cross-platform. Works on macOS, Linux, and Windows.No third-party runtime packages. Uses Python 3.10+ standard library code and browser-native HTML/CSS/JS. Nopip install
, nonpm install
, no build steps, and no CDN-loaded browser libraries.Runs locally. The web UI binds to127.0.0.1
and makes no network calls. Your settings never leave the machine, and secrets are redacted in outputs.Safe by default. Auditing is read-only. Removals happen only when you confirm them, and they're non-destructive — Claude re-asks for anything removed, so you can re-approve it.
- a Python package and project manager, a modern best-in-class standard for python projects. GrantGuard uses
uv
uv run
as its supported launch path, allowing consistent and convenient execution across MacOS, Linux, and Windows.git
- for cloning this repo- A supported browser for the Web UI
GrantGuard uses browser-native HTML/CSS/JS and is intended for current stable versions of Chrome, Edge, Firefox, and Safari.
If you haven't already,
install.uv
Clone this repo
git clone https://github.com/VantaInc/grantguard.git
Run the web UI
cd grantguard
uv run grantguard.py
By default, GrantGuard reviews user-level Claude settings sources only. It does not infer a project from the directory where you launch it, and it does not walk project directories unless you ask it to.
uv run grantguard.py ui [TARGET ...] [--targets PATH] [--scan | --deep-scan] [--tolerance default|permissive] [--port PORT] [--no-open]
uv run grantguard.py audit [TARGET ...] [--targets PATH] [--scan | --deep-scan] [--tolerance default|permissive] [--show-safe] [--fix]
With no targets and no scan flag, GrantGuard inspects:
~/.claude/settings.json
~/.claude/settings.local.json
~/.claude.json
- the platform managed settings file, if present
An empty selection is a successful empty audit. GrantGuard prints that no Claude
settings sources were found and exits 0
.
uv run grantguard.py audit
Targets may be passed positionally or with repeatable --targets PATH
; both forms behave identically.
uv run grantguard.py audit /path/to/repo
uv run grantguard.py audit --targets /path/to/repo
uv run grantguard.py audit --targets /repo/a --targets /repo/b
Use --scan
to shallowly discover .claude/settings*.json
below one or more target roots:
uv run grantguard.py audit --scan --targets /path/to/workspace
Use --deep-scan
for deeper discovery under target roots, or without targets for broad discovery:
uv run grantguard.py audit --deep-scan --targets /path/to/workspace
uv run grantguard.py audit --deep-scan
uv run grantguard.py audit --tolerance default
uv run grantguard.py audit --tolerance permissive
default
flags high-risk findings and overbroad wildcard rules. permissive
keeps overbroad wildcard rules and flags only higher-risk findings.
audit
is read-only unless --fix
is present.
uv run grantguard.py audit --fix
uv run grantguard.py audit --tolerance permissive --fix
audit --fix
writes to editable Claude settings files in scope and removes all
flagged rules selected by the active tolerance. Managed settings and
~/.claude.json
are reported as read-only and are not modified.
| Code | Meaning |
|---|---|
0 |
|
| No flagged findings, empty audit, or requested fix completed successfully | |
1 |
|
| Findings found in read-only audit, editable findings remain, or a write failed | |
2 |
|
Invalid CLI usage, such as --scan without targets |
| Category | Verdict | Example |
|---|---|---|
| 🔑 Inline credential or API key | remove | curl -H "Authorization: Bearer <token>" … |
| 🗝️ Credential-store read | remove | security find-generic-password * (macOS), secret-tool … (Linux), cmdkey (Windows) |
| 💣 Destructive wildcards | remove | git reset * , rm -rf … , pkill |
| 🚀 Unprompted remote push | remove | git push * |
| 🌫️ Overly broad wildcards | review | npm install * , gh api * |
| ✅ Scoped or read-only | keep | Bash(npm run build) , Read(...) |
Use --tolerance permissive
to treat the "review" category as safe and act only on the "remove" categories.
GrantGuard parses each settings file and classifies every allow
rule with regular
expressions. The first matching pattern wins, and the most severe match decides the
verdict. When you apply removals, it rebuilds the allow
array from the rules you kept and re-serializes the JSON, so the output is always well-formed.
This is pattern matching, so treat the results as guidance. GrantGuard reports risky
permissions; it cannot block an action while an agent is running. For controls that are
enforced at runtime, deploy an organization-managed managed-settings.json
with
permissions.deny
rules and PreToolUse
hooks, which apply regardless of what the agent decides. See docs/enforced-controls.md.
GrantGuard is scoped to local Claude Code permission allowlists. It reads settings to classify
permissions.allow
rules, plus the allowedTools
entries it knows how to surface from
~/.claude.json
.
| Claude Code source | Location or pattern | Read by GrantGuard? | Modified by GrantGuard? |
|---|---|---|---|
| User settings | ~/.claude/settings.json (%USERPROFILE%\.claude\settings.json on Windows) |
||
| Yes, by default and when passed explicitly | Yes, but only selected permissions.allow entries after confirmation or --fix |
||
| Home-local grants | ~/.claude/settings.local.json |
||
| Yes, by default and when passed explicitly | Yes, but only selected permissions.allow entries after confirmation or --fix |
||
| Project shared settings | <repo>/.claude/settings.json |
||
Yes, when a target repo is passed explicitly or discovered with --scan / --deep-scan |
|||
Yes, but only selected permissions.allow entries after confirmation or --fix |
|||
| Project local settings | <repo>/.claude/settings.local.json |
||
Yes, when a target repo is passed explicitly or discovered with --scan / --deep-scan |
|||
Yes, but only selected permissions.allow entries after confirmation or --fix |
|||
| Claude state file | ~/.claude.json |
||
Yes, by default and during broad --deep-scan ; top-level allowedTools and projects[*].allowedTools are surfaced, and other state is ignored |
|||
| No; GrantGuard reports this as read-only because the file also contains unrelated Claude Code state | |||
| File-based managed settings | macOS /Library/Application Support/ClaudeCode/managed-settings.json ; Linux/WSL /etc/claude-code/managed-settings.json ; Windows: GrantGuard currently checks C:\ProgramData\ClaudeCode\managed-settings.json |
||
| Yes, if the platform-specific file GrantGuard knows about exists | No; GrantGuard reports recognized managed settings as read-only | ||
| File-based managed drop-ins | managed-settings.d/*.json beside managed-settings.json |
||
| No | No | ||
| Server-managed settings | Delivered by the Claude.ai admin console, with no local JSON file to inspect | No | No |
| MDM / OS policy settings | macOS com.anthropic.claudecode managed preferences; Windows HKLM / HKCU policy registry |
||
| No | No |
GrantGuard runs entirely on your machine. The UI server binds to 127.0.0.1
, makes no
outbound network calls, and the only files it opens are Claude Code settings files
(.claude/settings*.json
) plus the read-only Claude state file (~/.claude.json
) when
it is in scope. By default it checks only user-level settings sources. Directory traversal
happens only when you pass --scan
or --deep-scan
; broad scans skip generated,
vendored, and tool-managed trees such as dependency caches and editor extensions. On
macOS, scans also skip privacy-sensitive home and ~/Library
folders (Photos, Music,
Documents, Desktop, Downloads, Application Support, Containers, …) to avoid reading
that data or triggering OS privacy prompts. Secrets are redacted in the UI and the CLI. Files
are written only when you confirm a removal or run audit --fix
. The /api
endpoints require a per-session token carried in the launch URL, and the server accepts requests only from loopback, same-origin callers, which protects the local write endpoint from DNS-rebinding and cross-site requests.
Contributions are welcome, especially new risk detectors and broader platform coverage. GrantGuard is standard-library Python with no dependencies, and we want to keep it that way. See CONTRIBUTING.md and the Code of Conduct.
- Bugs and ideas: open an issue.
- Security reports: see SECURITY.md. Please do not file them publicly. - Release history: CHANGELOG.md.
GrantGuard started on the product side of Vanta, not in Engineering. It was built by a PM using agentic tools (Claude Code, and now Codex) to answer a real question: how far can someone who does not ship production code for a living get toward a genuinely useful, trustworthy tool, while holding the bar high enough to put Vanta's name on it.
This is an early-stage project, and we want to be clear about that. Vanta's open source work spans a range: some of it carries the full rigor of Vanta Engineering from day one, and some, like this, begins as a strong prototype and is engineered up from there. GrantGuard already does something real (it audits your Claude Code permission grants and flags the risky ones), and engineers are now involved to steadily raise its quality toward the standard we hold everything else to. What you are looking at is a project in the process of being leveled up, and you will see it improve over the weeks and months ahead.
We are open sourcing it at this stage on purpose. Exploring how people outside Engineering can build real, credible things means doing it in the open. Issues and pull requests are welcome, and they feed directly into that work.
Created by Herman Errico.
MIT © Vanta Inc.