[BUG] Project-level allow rules cannot override user-level deny rules for path patterns

Resolved 💬 5 comments Opened Dec 17, 2025 by kolkov Closed Feb 14, 2026

Bug Description

Project-level permission settings in .claude/settings.local.json cannot override user-level deny rules from ~/.claude/settings.json. This makes it impossible to work with legitimate source code files that match security patterns.

Reproduction Steps

  1. Create user-level settings (~/.claude/settings.json):
{
  "permissions": {
    "deny": ["Read(**/token)"]
  }
}
  1. Create a Go project with internal/token/token.go (lexer token definitions, NOT secrets)
  1. Create project-level settings (.claude/settings.local.json):
{
  "permissions": {
    "allow": ["Read(internal/**)"]
  }
}
  1. Try to read internal/token/token.go

Expected Behavior

Project-level allow rules should be able to override user-level deny rules for specific paths. The principle of "more specific rules override general rules" should apply.

Actual Behavior

The file is blocked with:

Error: File is in a directory that is denied by your permission settings.

The global deny pattern Read(**/token) blocks the entire internal/token/ directory, and no project-level allow can override it.

Impact

This is a critical usability issue for projects with:

  • internal/token/ directories (common in lexer/parser implementations)
  • Any path containing words that might match security patterns (token, secret, key, etc.)
  • Go projects following standard naming conventions

Workaround

Currently, the only workaround is to remove the deny rule from user settings, which defeats the purpose of having project-specific security configurations.

Suggested Fix

Either:

  1. Priority-based override: Allow project-level settings to explicitly override user-level settings with a special syntax like "allow-override": ["Read(internal/token/**)"]
  1. Scope-based matching: Make deny patterns only match files that look like actual secrets (e.g., *.key, *.pem, token.json, api_token.env) rather than any path containing the word "token"
  1. Documentation: At minimum, clearly document this limitation so users understand they cannot use project-level allow to override user-level deny

Environment

  • Platform: Windows 11 (MINGW64/Git Bash)
  • Claude Code Version: 2.x
  • Settings location: User settings in ~/.claude/settings.json
  • Project settings: .claude/settings.local.json

Related Issues

  • #9924 (Documentation update for security override behavior)
  • #10906 (Plan agent ignores parent settings.json permissions)

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗