One subtle behaviour of Claude that wasn't obvious to me: whilst each conversation is transient, permissions persist across conversations.
So if you've given permission to run e.g. 'cargo test' or even 'cargo run', you need to be sure that all future invocations are safe too.
You can see the current permissions with /permissions.