Importing from Claude Code
If you already have permissions configured in Claude Code's settings.json, you can import them directly into Bulwark as policies. This lets you migrate your existing rules without recreating them by hand.
Finding Your Claude Code Permissions
Claude Code stores permissions in its settings.json file. The permissions block looks like this:
{
  "permissions": {
    "allow": [
      "Bash(npm run lint)",
      "Bash(npm run test *)",
      "Read(~/.zshrc)"
    ],
    "deny": [
      "Bash(curl *)",
      "Read(./.env)"
    ],
    "ask": [
      "Write(/etc/*)"
    ]
  }
}
You can paste either the full settings.json or just the permissions block.
How to Import
- Go to Settings → Policies
- Click Import from Claude Code
- Choose an input mode:
Paste JSON
Paste your Claude Code settings.json (or its permissions block) into the text area and click Parse Rules. Bulwark will extract all allow, deny, and ask entries and convert them into policies.
Write Rules
Enter rules one per line using Claude Code's rule syntax, then select the action (Allow, Deny, or Ask) from the dropdown. This is useful when you want to quickly add a few rules without constructing JSON.
Bash(npm run lint)
Bash(npm run test *)
Read(~/.zshrc)
WebFetch(domain:docs.example.com)
Lines starting with # are treated as comments and ignored.
- Review the parsed policies in the preview
- Click Import to create them
Supported Rule Formats
Built-in Tools
| Claude Code Rule | Bulwark Field | Example |
|---|---|---|
| Bash(...) | tool_input.command | Bash(npm run *) |
| Read(...) | tool_input.file_path | Read(./.env) |
| Edit(...) | tool_input.file_path | Edit(src/*.ts) |
| Write(...) | tool_input.file_path | Write(/etc/hosts) |
| WebFetch(...) | tool_input.url | WebFetch(domain:example.com) |
| Task(...) | tool_input.agent_name | Task(Bash) |
MCP Server Rules
MCP server rules use the mcp__ prefix:
| Rule | What it Matches |
|---|---|
| mcp__myserver | All tools from myserver |
| mcp__myserver__* | All tools from myserver (explicit wildcard) |
| mcp__myserver__search | Only the search tool from myserver |
Wildcards and Patterns
| Pattern | Operator | Example |
|---|---|---|
| Tool(exact) | equals | Bash(npm run lint) matches exactly |
| Tool(prefix*) | starts with | Bash(npm run *) matches any npm run command |
| Tool(*suffix) | ends with | Read(*.env) matches files ending in .env |
| Tool() or Tool(*) | any | Bash() matches all Bash calls |
| Tool(a*b*c) | regex | Complex globs are converted to regex |
WebFetch Domain Syntax
WebFetch(domain:example.com) is converted into a tool_input.url contains "example.com" rule, matching any URL on that domain.
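The mapping from the Built-in Tools, Wildcards and Patterns, and WebFetch Domain Syntax sections, written out as an added example (not Bulwark's own code). The tuple layout, the `convert` and `matches` names, and the operator semantics in `matches` are assumptions; MCP rules are left out.

```python
import re

# Field each built-in tool's specifier is compared against (table on this page).
FIELDS = {
    "Bash": "tool_input.command", "Read": "tool_input.file_path",
    "Edit": "tool_input.file_path", "Write": "tool_input.file_path",
    "WebFetch": "tool_input.url", "Task": "tool_input.agent_name",
}
RULE_RE = re.compile(r"^(\w+)\((.*)\)$", re.S)

def convert(rule):
    """Return (tool, field, operator, value) for one rule, or None if unparseable."""
    m = RULE_RE.match(rule.strip())
    if not m or m.group(1) not in FIELDS:
        return None
    tool, spec = m.groups()
    field = FIELDS[tool]
    if tool == "WebFetch" and spec.startswith("domain:"):
        return (tool, field, "contains", spec[len("domain:"):])
    stars = spec.count("*")
    if spec in ("", "*"):
        return (tool, field, "any", None)
    if stars == 0:
        return (tool, field, "equals", spec)
    if stars == 1 and spec.endswith("*"):
        return (tool, field, "starts with", spec[:-1])
    if stars == 1 and spec.startswith("*"):
        return (tool, field, "ends with", spec[1:])
    # Anything else is a complex glob: escape the literals, turn each * into .*
    pattern = "^" + ".*".join(re.escape(p) for p in spec.split("*")) + "$"
    return (tool, field, "regex", pattern)

def matches(cond, value):
    """Evaluate a converted condition against a field value (assumed semantics)."""
    _, _, op, want = cond
    return {
        "any": lambda: True,
        "equals": lambda: value == want,
        "starts with": lambda: value.startswith(want),
        "ends with": lambda: value.endswith(want),
        "contains": lambda: want in value,  # assumed: plain substring test
        "regex": lambda: re.search(want, value, re.S) is not None,
    }[op]()

if __name__ == "__main__":
    # Constructed URLs: a substring test also matches a longer look-alike host.
    cond = convert("WebFetch(domain:docs.example.com)")
    for url in ("https://docs.example.com/api", "https://docs.example.com.other.test/"):
        print(url, matches(cond, url))
```

If `contains` is a plain substring test as assumed here, both constructed URLs match, so imported `WebFetch(domain:...)` allow policies are worth checking in the preview before clicking Import.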
What Gets Created
Each imported rule becomes a separate Bulwark policy with:
- Name: Auto-generated from the action and rule (e.g., "Allow Bash: npm run lint")
- Description: Notes that it was imported from Claude Code
- Action: Matches the original allow/deny/ask section
- Status: Active
- Rules: An AND group matching the tool name and input specifier
Warnings and Errors
During parsing, Bulwark will surface warnings for:
- Invalid JSON syntax
- Non-array values in allow/deny/ask
- Rules that couldn't be parsed
Successfully parsed rules are still imported even if some rules produce warnings.
Tip
After importing, review your new policies in the policy list. You can edit any imported policy to adjust its name, priority, or rules.
Next Steps
- How Policies Work - Understand policy evaluation
- Rule Conditions - All available fields and operators
- Creating Policies - Build policies from scratch