Pentagon needs access to local directories and gives you control over what tools each Claude Code agent can use. This guide covers both macOS-level permissions and Claude Code tool permissions.
macOS System Permissions
Pentagon accesses specific directories on your Mac. Grant these when prompted — or configure them in System Settings.
Required Directories
| Directory | Purpose | Access Type |
|---|
~/.pentagon/ | Agent data, settings, configurations | Read + Write |
~/.claude/ | Claude transcript files for conversation sync | Read |
| Your project directories | Where agents read and write code | Read + Write |
Granting Full Disk Access (Recommended)
For the smoothest experience, grant Pentagon Full Disk Access:
- Open System Settings > Privacy & Security
- Click Full Disk Access in the sidebar
- Toggle Pentagon on (or click + and add it)
This prevents repeated permission prompts and ensures agents can access any project directory you point them at.
Pentagon shows a helpful dialog if it detects permission issues, with a button to open System Settings directly.
What Happens Without Permissions
If file access is denied:
- Agent configurations won’t save when you quit
- Chat history won’t persist between sessions
- New agents may fail to create
- Transcript syncing won’t work
- The
~/.pentagon/ directory can’t be written to
When spawning an agent, you choose how much autonomy Claude has over its tools.
Full Auto Mode
Sets bypassPermissions — Claude runs all tools without asking for approval.
- Maximum agent autonomy
- No interruptions for tool approvals
- Best for trusted projects and experienced users
Custom Mode
Select exactly which tools the agent can use:
| Tool | What It Does | Risk Level |
|---|
| Read | Read files and directories | Low |
| Grep | Search file contents | Low |
| Glob | Find files by name pattern | Low |
| Edit | Modify existing files | Medium |
| Write | Create new files | Medium |
| Bash | Execute shell commands | High |
Setting Permissions
- Click an empty cell or press Cmd + N to open the spawn dialog
- Select Full Auto or Custom under permission mode
- If Custom, check the tools you want to allow
- Click Create
Security Best Practices
Use Custom Mode for Unfamiliar Code
When working with a codebase you don’t fully trust:
- Disable Bash to prevent arbitrary command execution
- Enable only Read and Grep for code review tasks
- Add Edit and Write only when you’re ready for changes
Review Bash Usage
Bash is the most powerful tool — it can run any shell command. When enabled:
- Watch the terminal output for commands being executed
- Consider whether the agent needs shell access at all
- Use worktree isolation so Bash commands can’t affect your main branch
Leverage Worktree Isolation
Git worktrees act as a natural security boundary:
- Each agent writes to its own branch
- Changes are isolated until you explicitly merge
- A misbehaving agent can’t corrupt your main branch
- You can simply delete the worktree to discard all changes
Gradual Trust
If you’re new to Pentagon:
- Start with Custom mode — enable Read and Grep only
- Watch how the agent works and what it attempts
- Add Edit and Write when comfortable
- Move to Full Auto once you trust the workflow
Privacy
Pentagon keeps all data local to your Mac:
- No cloud sync — agent data, configurations, and history stay in
~/.pentagon/
- No telemetry — Pentagon does not collect usage data or analytics
- No external connections — the only network traffic is between Claude Code and the Anthropic API
- No file exfiltration — Pentagon does not access or transmit files beyond what agents need for their tasks
Your API key is stored locally and used solely for Claude Code sessions.
Next Steps
