Permission system not working - prompts appear despite comprehensive allow patterns

Resolved 💬 3 comments Opened May 29, 2025 by dwillitzer Closed May 29, 2025

Description

The Claude Code permission system is not functioning correctly. Despite having comprehensive permission settings configured at multiple levels (including enterprise policies), users are still prompted for every command execution.

Environment

  • Claude Code version: 1.0.5 (installed via npm)
  • OS: macOS 15.4.1 (24E263) on Intel
  • Architecture: x86_64 (Intel)
  • Installation method: npm install -g @anthropic-ai/claude-code

Current Configuration

1. Enterprise Policy (Highest Precedence)

Location: /Library/Application Support/ClaudeCode/policies.json

  • Symlinked to comprehensive settings file
  • Contains 897 allow patterns
  • Contains 149 deny patterns

2. User Settings

Location: ~/.claude/settings.json

  • Contains similar comprehensive permissions
  • Includes patterns like "Bash(ssh root@gmktec-k9 *)"

Expected Behavior

According to the official documentation, permissions should be applied in order of precedence:

  1. Enterprise policies (highest)
  2. Command line arguments
  3. Local project settings
  4. Shared project settings
  5. User/Global settings (lowest)

Commands matching allowed patterns should execute without prompting.

Actual Behavior

  • Every command execution triggers a permission prompt
  • This occurs even for commands explicitly allowed in enterprise policies
  • The permission system appears to be completely bypassed

Reproduction Steps

  1. Install Claude Code: npm install -g @anthropic-ai/claude-code
  2. Create comprehensive settings.json with allow patterns
  3. Symlink to enterprise policy location: sudo ln -sf /path/to/settings.json "/Library/Application Support/ClaudeCode/policies.json"
  4. Run any command that matches an allow pattern (e.g., claude then try ssh user@server ls)
  5. Observe that permission prompt still appears

Sample Permission Patterns That Don't Work

{
  "permissions": {
    "allow": [
      "Bash(ssh gmktec-k9 *)",
      "Bash(ssh root@gmktec-k9 *)",
      "Bash(ssh gmktec-k9 \"*\")",
      "Bash(ssh root@gmktec-k9 \"*\")",
      "Bash(ssh gmktec-k9 '*')",
      "Bash(ssh root@gmktec-k9 '*')",
      "Bash(docker *)",
      "Bash(git *)",
      "Bash(ls*)",
      // ... 890+ more patterns
    ]
  }
}

Additional Context

  • Using --resume flag doesn't help
  • Settings files are valid JSON (verified with python -m json.tool)
  • File permissions are correct (readable by Claude Code process)
  • Issue persists across different terminal sessions

Impact

This bug severely impacts productivity as users must manually approve every command, defeating the purpose of the permission system entirely.

Suggested Investigation Areas

  1. Permission pattern matching logic may have a bug
  2. Settings file loading might be failing silently
  3. Enterprise policy precedence might not be implemented correctly
  4. Pattern syntax parsing could be broken for certain patterns (especially with wildcards)

Related Documentation

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗