[BUG] Deny permissions for Edit/Write tools not enforced in v2.0.56

Resolved 💬 3 comments Opened Dec 2, 2025 by chris-hud Closed Dec 6, 2025

Description

Deny permissions for Edit and Write tools in .claude/settings.json are completely non-functional. All tested deny rules are ignored regardless of path format.

Version

2.0.56 (Claude Code)

Configuration Tested

{
  "permissions": {
    "deny": [
      "Edit(./CLAUDE.md)",
      "Write(./CLAUDE.md)",
      "Edit(./.claude/settings.json)",
      "Write(./.claude/settings.json)",
      "Edit(./apps/api/appsettings.json)",
      "Write(./apps/api/appsettings.json)"
    ]
  }
}

Path Formats Tested

All of these were bypassed:

  • Bare paths: Edit(CLAUDE.md)
  • Relative with ./: Edit(./CLAUDE.md)
  • Glob patterns: Edit(**/CLAUDE.md)
  • Both cases: claude.md and CLAUDE.md

Steps to Reproduce

  1. Add Edit(./CLAUDE.md) to deny list in .claude/settings.json
  2. Ask Claude to edit CLAUDE.md
  3. Claude successfully edits the file despite the deny rule

Expected Behavior

Claude should refuse to edit files matching deny patterns.

Actual Behavior

Claude edits files freely, completely ignoring deny rules for Edit/Write tools.

Related Issues

This appears to be a continuation of previously "fixed" issues:

  • #6699 - Critical Security Bug: deny permissions not enforced (closed as completed)
  • #6631 - Permission Deny Configuration Not Enforced for Read/Write Tools
  • #4467 - Permission deny patterns not working for Read/Write tools

The fix from those issues either didn't fully work or regressed in v2.0.56.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗