[BUG] Plugin System Overwrites User Settings
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Claude Code Bug Report: Plugin System Overwrites User Settings
Summary
Critical Bug: The plugin marketplace initialization/sync process overwrites ~/.claude/settings.json, causing permanent loss of user-configured permissions.
Severity
CRITICAL - Causes data loss of user security configurations without warning or backup.
Environment
- Claude Code Version: 2.0.76
- OS: macOS (Darwin 23.6.0)
- Shell: zsh
- Installation: CLI via
~/.local/bin/claude
Description
User-configured deny permissions in ~/.claude/settings.json are being lost and reset to an older state when the plugin marketplace system initializes or syncs. This has happened multiple times, causing loss of important security configurations.
Steps to Reproduce
- Add custom deny permissions to
~/.claude/settings.json(user scope) - Use Claude Code normally with these permissions for weeks/months
- Claude Code plugin marketplace initialization or sync occurs
- Check
~/.claude/settings.json- custom permissions are gone
Expected Behavior
User-configured permissions in ~/.claude/settings.json should persist permanently and never be modified by the plugin system or any automated process without explicit user consent.
Actual Behavior
The settings.json file is being overwritten during plugin marketplace operations, reverting to an older state and losing all custom permissions configured since that old snapshot.
Evidence
Timeline of Data Loss
October 2-27, 2025
- User actively configured multiple deny permissions:
- MySQL database access controls
- MCP server permissions
- File edit permissions
- Multiple bash command restrictions
December 17, 2025 - 09:38:32 - FIRST DATA LOSS
- settings.json last modified: 09:38:32
- Plugin marketplace cloned: 09:38:38 (6 seconds later)
- ALL October/November permissions lost
- File reverted to older state
December 22, 2025
- User discovered permissions missing
- Manually restored permissions via nvim at 15:32:15 and 15:55:45
- Plugin marketplace updated at 09:21:50
December 25, 2025 - SECOND DATA LOSS
- Plugin marketplace sync: 07:33:23
- Permissions lost AGAIN
- settings.json remains at December 17 state
File Modification Evidence
$ stat -f "%Sm %N" -t "%Y-%m-%d %H:%M:%S" ~/.claude/settings.json
2025-12-17 09:38:32 /Users/username/.claude/settings.json
$ ls -la ~/.claude/plugins/
drwxr-xr-x@ 7 224 Dec 17 09:38 plugins/
Critical: settings.json and plugins directory show SAME modification timestamp.
Plugin Git Log
~/.claude/plugins/marketplaces/claude-plugins-official/.git/logs/HEAD:
1765931918 +0900 clone: from github.com:anthropics/claude-plugins-official.git
→ December 17, 2025 09:38:38
1766362910 +0900 pull origin HEAD: Fast-forward
→ December 22, 2025 09:21:50
User Shell History
User's zsh history shows manual edits to settings.json on these dates:
- October 2: 10:02:22 (user scope)
- October 22: 11:49:29 (user scope)
- December 22: 15:32:15 (attempting to restore)
- December 22: 15:55:45 (attempting to restore)
No shell history entry exists for December 17 at 09:38 - proving the user did NOT manually modify the file.
Conversation History Evidence
From ~/.claude/history.jsonl:
October 22, 2025:
{"display":"mysqlはdenyに戻してください","timestamp":1761101732684}
{"display":"Perfect, and next I want to add the permission for this mcp server. So always ask user when the server is going to post a message.","timestamp":1761193830414}
{"display":"Add to user settings.","timestamp":1761193884707}
December 22, 2025:
{"display":"There are should be permissions for deny. I have created that in a session. but when I /permissions in this session, I cannot find any of them.","timestamp":1766384931519}
{"display":"I created permissions in user scope.","timestamp":1766385004114}
December 25, 2025:
{"display":"The deny permissions I added in the past session.I notice all of it is disappeared.","timestamp":1766648025070}
{"display":"And it's a user scope deny permissions.","timestamp":1766648046195}
Current State
Current settings.json content (only one deny rule remains):
{
"permissions": {
"allow": [],
"deny": [
"Bash(gh repo delete:*)"
],
"ask": []
}
}
Before data loss (October 2025), user had configured:
- MySQL deny rules
- MCP server permission controls
- Edit file permissions
- Multiple bash command restrictions
- Other security-critical deny rules
All lost without backup or warning.
Root Cause Analysis
Based on timestamp correlation:
- Plugin marketplace system initialization/sync modifies
settings.json - No plugins are even installed (
installed_plugins.jsonshows{"version": 2, "plugins": {}}) - The modification happens automatically without user action
- No backup is created before overwriting
- No warning or notification is shown to the user
Hypothesis: The plugin system may be:
- Restoring from a cached/backup version of settings.json
- Merging settings incorrectly
- Resetting to a default template
- Syncing from cloud storage with an old version
Impact
- Security Risk: Users lose security configurations (deny permissions)
- Data Loss: No way to recover lost permissions without manual restoration
- Trust Issue: Users cannot trust that their configurations will persist
- No Warning: Silent data loss with no notification or backup
- Reproducible: Happens repeatedly across plugin sync operations
Affected Components
~/.claude/settings.json(user scope settings)- Plugin marketplace system
- Settings persistence mechanism
Related Files
~/.claude/settings.json- User settings (affected)~/.claude/plugins/known_marketplaces.json- Plugin sync metadata~/.claude/plugins/marketplaces/claude-plugins-official/- Plugin repository~/.claude.json- Main state file (may contain backup/cache logic)
Suggested Fixes
- Never modify user settings automatically - User settings should only be modified by explicit user action
- Create backups before any modification - Timestamp-based backups like
settings.json.backup-YYYYMMDD-HHMMSS - Warn users before settings changes - If a sync/update would modify settings, prompt for confirmation
- Settings migration path - If plugin system needs settings updates, provide safe migration with rollback
- Audit logging - Log all settings.json modifications with timestamps and reasons
Workarounds (for users experiencing this bug)
- Manual backups:
``bash``
cp ~/.claude/settings.json ~/.claude/settings.json.backup-$(date +%Y%m%d-%H%M%S)
- File monitoring (detect unauthorized changes):
``bash``
# Create a monitoring script
watch -n 60 'stat -f "%Sm" -t "%Y-%m-%d %H:%M:%S" ~/.claude/settings.json'
- Version control:
``bash``
cd ~/.claude
git init
git add settings.json
git commit -m "Backup settings"
Additional Context
- This bug has caused data loss at least twice (Dec 17, Dec 25)
- User spent significant time configuring permissions that were lost
- No automated recovery mechanism exists
- Official documentation does not mention plugin system modifying user settings
Request
Please investigate and fix this critical bug. User security configurations should never be silently overwritten by automated processes.
---
Report generated: 2025-12-25
Reported by: User via Claude Code Bug Investigation
Evidence files: Shell history, git logs, conversation history, file timestamps
What Should Happen?
user scope settings.json should not be overwrites.
Error Messages/Logs
Steps to Reproduce
I Don't know.
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
2.0.76
Platform
Other
Operating System
macOS
Terminal/Shell
iTerm2
Additional Information
_No response_
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗