diff --git a/.claude/settings.json b/.claude/settings.json
new file mode 100644
index 0000000..78da54e
--- /dev/null
+++ b/.claude/settings.json
@@ -0,0 +1,79 @@
+{
+ "permissions": {
+ "allow": [
+ "Read",
+ "Write",
+ "Edit",
+ "NotebookEdit",
+ "Glob",
+ "Grep",
+ "WebSearch",
+ "WebFetch",
+ "Task",
+ "Agent",
+ "Bash(git)",
+ "Bash(git *)",
+ "Bash(gh)",
+ "Bash(gh *)",
+ "Bash(ls *)",
+ "Bash(pwd*)",
+ "Bash(which *)",
+ "Bash(cat *)",
+ "Bash(wc *)",
+ "Bash(head *)",
+ "Bash(tail *)",
+ "Bash(echo *)",
+ "Bash(find *)",
+ "Bash(diff *)",
+ "Bash(sed *)",
+ "Bash(xargs *)",
+ "Bash(tee *)",
+ "Bash(node *)",
+ "Bash(npx *)",
+ "Bash(npm *)",
+ "Bash(pnpm *)",
+ "Bash(yarn *)",
+ "Bash(bun *)",
+ "Bash(python *)",
+ "Bash(python3 *)",
+ "Bash(pip *)",
+ "Bash(pip3 *)",
+ "Bash(uv *)",
+ "Bash(ruff *)",
+ "Bash(pytest*)",
+ "Bash(pyenv *)",
+ "Bash(cargo *)",
+ "Bash(rustc *)",
+ "Bash(go *)",
+ "Bash(make *)",
+ "Bash(cmake *)",
+ "Bash(docker *)",
+ "Bash(docker-compose *)",
+ "Bash(kubectl *)",
+ "Bash(mkdir *)",
+ "Bash(cp *)",
+ "Bash(mv *)",
+ "Bash(touch *)",
+ "Bash(chmod *)",
+ "Bash(curl *)",
+ "Bash(wget *)",
+ "Bash(tar *)",
+ "Bash(unzip *)",
+ "Bash(zip *)",
+ "Bash(jq *)",
+ "Bash(sort *)",
+ "Bash(brew *)",
+ "Bash(agent-browser *)",
+ "Bash(rm /tmp/*)",
+ "Bash(rm -r /tmp/*)",
+ "Bash(rm -rf /tmp/*)"
+ ],
+ "deny": [
+ "Bash(rm -rf /)",
+ "Bash(rm -rf /*)",
+ "Bash(git push --force*)",
+ "Bash(git reset --hard*)",
+ "Bash(git clean -f*)"
+ ]
+ }
+}
diff --git a/README.md b/README.md
index 6d07122..0c94197 100644
--- a/README.md
+++ b/README.md
@@ -376,6 +376,7 @@ Wave 2(有依賴):
 ```
 your-project/
 ├── .claude/
+│ ├── settings.json # 權限設定(auto-accept rules)
 │ ├── agents/
 │ │ ├── spec-writer.md # 產品規格專家
 │ │ ├── tech-lead.md # 技術主管
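Review bot: The `allow` list in `.claude/settings.json` auto-approves arbitrary code execution and network egress (`Bash(python *)`, `Bash(node *)`, `Bash(npx *)`, `Bash(xargs *)`, `Bash(curl *)`, `Bash(wget *)`, `Bash(docker *)`, `Bash(kubectl *)`) alongside `WebFetch`, so instructions embedded in fetched content or in a repository file could be acted on without a prompt. The five `deny` patterns do not bound that, because they match specific spellings only; `git push -f`, for instance, is not listed and is covered by `Bash(git *)`. Since this is the shared project file that users of the template inherit, I would keep only the read-only and build entries here, drop the network, cluster and package-runner entries from `allow` so they prompt again, and leave wider grants to each user's `.claude/settings.local.json`. I would also add `"Bash(git push -f*)"` and a `"Read(./.env)"`-style entry to `deny`, and confirm how the tool's pattern matching treats the `/tmp/*` wildcard in the three `rm` rules before relying on them to confine deletion to `/tmp`.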
@@ -445,6 +446,23 @@ your-project/
 ## 自訂與擴展
+### 權限設定(Auto Accept)
+
+專案內建 `.claude/settings.json`,預設 auto-accept 所有 specflow 工作流所需的工具權限:
+
+- **Agent** — 啟動 sub-agent(spec-writer、tech-lead、engineer、qa-engineer、verifier)
+- **Bash** — git、gh、docker、node、python 等常用指令
+- **檔案操作** — Read、Write、Edit、Glob、Grep
+- **網路** — WebSearch、WebFetch
+
+安全限制(deny list):
+- `rm -rf /` / `rm -rf /*`
+- `git push --force`
+- `git reset --hard`
+- `git clean -f`
+
+如需調整,編輯 `.claude/settings.json` 的 `permissions.allow` / `permissions.deny`。
+
 ### 調整 Agent 行為
 編輯 `.claude/agents/*.md`: