[BUG] VSCode Extension: `.claude/settings.local.json` permissions not respected for Bash/Write/Edit operations (even with `bypassPermissions` mode)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
GitHub Issue Draft for Claude Code Team
Related Work Item: BUGFIX-003
Target Repository: https://github.com/anthropics/claude-code/issues
Created: 2025-12-31
Status: Draft - Ready to submit
---
Issue Title
[Bug] VSCode Extension: .claude/settings.local.json permissions not respected for Bash/Write/Edit operations (even with bypassPermissions mode)
---
Issue Type
Bug Report
---
Environment
Claude Code Version: Latest (VSCode Extension)
VSCode Version: Latest
OS: Windows 11
Extension Environment: VSCode Claude Code Extension
---
Summary
The .claude/settings.local.json permission configuration system appears to only work for Read-type tools (Read, Glob, Grep) but does NOT respect allow/deny rules for Bash commands, Write operations, or Edit operations in the VSCode extension environment.
Critical Finding: Even with bypassPermissions mode enabled (which should bypass ALL permission checks), users still receive approval prompts for Bash, Write, and Edit operations.
---
Expected Behavior
When .claude/settings.local.json contains:
{
"permissions": {
"defaultMode": "dontAsk",
"allow": [
"Read(**)",
"Glob",
"Grep",
"Task",
"Bash(dir:*)"
],
"deny": [
"Read(.env)",
"Read(.env.*)",
"Read(secrets/**)",
"Read(credentials.json)",
"Read(.aws/**)",
"Read(.git/config)",
"Read(../**)"
]
}
}
AND VSCode setting claudeCode.initialPermissionMode is set to "acceptEdits" or "bypassPermissions",
Expected: All allowed operations should execute without approval prompts, including:
- Bash commands matching
Bash(dir:*) - Write operations (creating files)
- Edit operations (modifying files)
---
Actual Behavior
What Works (No Prompts):
- ✅ Read(**) tool
- ✅ Glob tool
- ✅ Grep tool
What Still Prompts (Despite Configuration):
- ❌ Bash commands - ALL types (simple commands, pipelines, git operations)
- ❌ Write tool - Creating new files
- ❌ Edit tool - Modifying existing files
Critical Issue: Even with VSCode initialPermissionMode set to "bypassPermissions" (which should bypass ALL permission checks), the following still prompted:
- Bash command:
cat thoughts/project/work/doing/.limit - Write operation: Creating new file
- Edit operation: Modifying existing file
---
Reproduction Steps
Configuration Setup
- Create
.claude/settings.local.jsonin project root:
{
"permissions": {
"defaultMode": "dontAsk",
"allow": [
"Read(**)",
"Glob",
"Grep",
"Task",
"Bash(dir:*)"
],
"deny": [
"Read(.env)",
"Read(.env.*)",
"Read(secrets/**)",
"Read(credentials.json)",
"Read(.aws/**)",
"Read(.git/config)",
"Read(../**)"
]
}
}
- Open VSCode Settings (Ctrl+,)
- Search for "claude"
- Set
Claude Code: Initial Permission Modeto"acceptEdits" - Restart Claude Code session
Test Case 1: Read Operations (These Work)
- Use Read tool to read any project file
- Result: No prompt ✅
- Use Glob tool to search files
- Result: No prompt ✅
- Use Grep tool to search content
- Result: No prompt ✅
Test Case 2: Bash Commands (These Fail)
- Execute:
cat thoughts/project/work/doing/.limit
- Result: Approval prompt appears ❌
- Execute:
ls -la
- Result: Approval prompt appears ❌
- Execute:
git status
- Result: Approval prompt appears ❌
Test Case 3: Write/Edit Operations (These Fail)
- Use Write tool to create new file
- Result: Approval prompt appears ❌
- Use Edit tool to modify existing file
- Result: Approval prompt appears ❌
Test Case 4: bypassPermissions Mode (Critical Finding)
- Change VSCode setting to
"bypassPermissions" - Repeat Bash/Write/Edit tests
- Result: ALL still prompt ❌
This suggests the permission system is not properly integrated for these operation types.
---
Root Cause Analysis
Based on extensive testing, the VSCode extension appears to have two separate permission pathways:
Pathway 1 (Works): Read-type tools (Read, Glob, Grep, Task)
- These properly respect
.claude/settings.local.jsonallow/deny rules - Correctly work with
defaultMode: "dontAsk"
Pathway 2 (Broken): Bash/Write/Edit operations
- These do NOT respect
.claude/settings.local.jsonallow/deny rules - Do NOT respect VSCode
initialPermissionModesetting - Even
bypassPermissionsmode (which should skip ALL checks) still prompts
Hypothesis: Bash/Write/Edit operations may use a different permission check mechanism that is not connected to the configuration system.
---
Impact
Severity: Medium-High
User Impact:
- Users cannot configure non-destructive read-only operations (like checking WIP limits) without approval prompts
- Workflow friction persists despite correct configuration
bypassPermissionsmode not working as expected is particularly concerning
Workaround:
- None available for Bash/Write/Edit operations
- Users must manually approve each operation
---
Additional Context
Testing Environment Details
- Tested with fresh VSCode restart after each configuration change
- Verified only one
.claude/settings.local.jsonfile exists (no conflicts) - Tested all four
initialPermissionModevalues:default,acceptEdits,plan,bypassPermissions - Bash patterns tested:
Bash(cat:*),Bash(ls:*),Bash(pwd),Bash(git status),Bash(dir:*)
Configuration Files Verified
.claude/settings.local.json:
{
"permissions": {
"defaultMode": "dontAsk",
"allow": [
"Read(**)",
"Glob",
"Grep",
"Task",
"Bash(dir:*)"
],
"deny": [
"Read(.env)",
"Read(.env.*)",
"Read(secrets/**)",
"Read(credentials.json)",
"Read(.aws/**)",
"Read(.git/config)",
"Read(../**)"
]
}
}
VSCode settings.json:
{
"claudeCode.initialPermissionMode": "acceptEdits"
}
Expected vs Actual Permission Matrix
| Tool/Operation | .claude/settings.local.json | acceptEdits Mode | bypassPermissions Mode | Expected | Actual |
|----------------|-------------------------------|--------------------|--------------------------| ---------|--------|
| Read(**) | ✅ Configured | N/A | N/A | No prompt | ✅ No prompt |
| Glob | ✅ Configured | N/A | N/A | No prompt | ✅ No prompt |
| Grep | ✅ Configured | N/A | N/A | No prompt | ✅ No prompt |
| Bash(dir:*) | ✅ Configured | ✅ Enabled | ✅ Bypass ALL | No prompt | ❌ Still prompts |
| Write | N/A | ✅ Enabled | ✅ Bypass ALL | No prompt | ❌ Still prompts |
| Edit | N/A | ✅ Enabled | ✅ Bypass ALL | No prompt | ❌ Still prompts |
---
Suggested Fix
- Verify Bash/Write/Edit operations use the same permission check pathway as Read/Glob/Grep tools
- Ensure
bypassPermissionsmode actually bypasses all permission checks (currently not working) - Document permission system architecture so users understand which settings control which operations
---
Related Issues
(Search for similar issues - #15772 ]
---
Questions for Claude Code Team
- Is
.claude/settings.local.jsonsupposed to work for Bash/Write/Edit operations in VSCode extension? - Should
bypassPermissionsmode eliminate ALL prompts? (Currently it doesn't for Bash/Write/Edit) - Is there separate configuration needed for Bash/Write/Edit permissions in VSCode?
- Is this behavior expected, or is it a bug?
---
Reported By: SpearIT Project Framework Team
Date: 2025-12-31
Contact: (Add your GitHub username when submitting)
What Should Happen?
Expected: All allowed operations should execute without approval prompts, including:
- Bash commands matching
Bash(dir:*) - Bash commands like (cat, ls, grep)
Error Messages/Logs
Steps to Reproduce
See description above.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
Model: Claude Sonnet 4.5 (model ID: claude-sonnet-4-5-20250929) - VSCode ext 2.0.75
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
PowerShell
Additional Information
_No response_
29 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
No, don't close this is a terrible issue and none of the duplicates have been assigned.
Related to #15772
+1 - Experiencing the same issue. Edit/Write permissions in .claude/settings.local.json are not respected, still prompts for every edit operation. Read permissions work fine.
+1 #15772 was closed remarkably quickly so weighing in to say this issue is real. Claude CLI works as expected
Just ran into this issue, and took me a really long time to get here (Claude flailed for a LONG time adding patterns, suggesting different settings files to edit)
Same here. Having this issue and Claude ran circles around itself trying to fix until it found this.
This is not just a VSCode extension issue. I have the same issue on the command line with Claude Code on windows.
Can this be fixed please, it's hard to create a fully autonomus SDLC pipeline if the permissions are not respected
OH MY GOD ITS STILL NOT FIXED FOR MONTHS, ITS SUCH AN EASY FIX WHY ARE THEY IGNORING THIS?
Same here.. almost makes the extension unusable
Hey guys FYI I was able to work around this by using a pretooluse hook. I created a script with safe commands and pass that to the agent whenever it uses a tool (which includes Bash).
I did the same 1h after posting my first message here because I was so
frustrated with it. I created hooks with python rules. Added allowed
instructions, hundreds of them, created also another one with banned
harmful disallowed commands like command chaining and heredocs and any
commands leading to configuration or removal outside of specified and
allowed folders and I also banned any acces to certain folders on my hdd.
Claude configured them for itself. Now I have fully autonomous pipeline
with no questions asked! Worked like a charm. Claude can follow SDLC
pipeline and implement any feature end to end automatically. Different
specialised agents are invoked one by one or in parallel to do the job
done. Crazy if you ask me, it's like coding in star trek holodeck now. Lol.
On Mon, 16 Feb 2026, 20:47 nikhilsitaram, @.***> wrote:
Hooks really are the secret sauce to get Claude to do anything reliably!
Same here, Claude is set to "ask before edit" mode, yet reliably does the modifications directly. When asked, it tells me it'll ask next time and then proceeds to completely ignore that with the next prompt.
Same issue:
Same here on Linux CLI (Claude Code 2.x, Opus 4.6) —
bypassPermissionsmode in~/.claude/settings.jsondoes not suppress Edit/Write prompts.Workaround that actually works: a
PermissionRequesthook that unconditionally approves. Added tosettings.json:allow_all.sh:Confirms this isn't VSCode-specific — the permission-mode plumbing is broken across platforms. The fact that users need a hook to make
bypassPermissionsbehave as documented suggests the mode flag isn't reaching the Edit/Write/Bash gate.Works @Kieldro https://github.com/anthropics/claude-code/issues/15921#issuecomment-4255032042 but kind of risky.
The PermissionRequest hook in VS Code is fundamentally broken — deny doesn't deny, ask doesn't prompt, it just auto-allows everything regardless. That's another data point for the bug report: the workaround from that GitHub comment doesn't work safely for selective approval.
Still having this issue and this was opened in December.
VS Code Studio extension running on Arch Linux. Latest versions.
The VS Code interface is basically unusable with it asking to grep all the time. The docs clearly state that read-only commands should not prompt, but they do. Is that covered by this issue? Why don't Anthropic just have Claude Code fix this (recommend using CLI so it can actually work without stopping all the time).
This is frustrating to the extend. Each command is asking for the permission. Even after enabling skip permission.
This thread has accumulated multiple distinct failure modes under one umbrella. I can root-cause two of them from a disassembly of
claude.exe2.1.143.a06: the Edit/Write path-globbed-rules-ignored half (per @losjoe Feb 9 and @Kieldro Apr 15) and thebypassPermissions-mode-silently-rejected half (per several commenters). The third — Bash rules being ignored specifically in the VSCode extension while working on the CLI (OP's primary symptom) — is a different layer that I haven't traced.Root cause for the Edit/Write/CLI half
I disassembled
claude.exe2.1.143.a06 (Bun-compiled native binary) to chase a closely-related Windows reproducer. In the permission matcher, both the allow matcherv$_(ctx, tool)and the deny matcherxX8(ctx, tool)dispatch throughXIq(), whose first line is:Any rule with parens content (
Edit(...),Write(...),Read(...),Glob(...),Skill(...),mcp__name(...)) is unconditionally rejected by the matcher. Only bare tool-name rules (Edit,Write,Read) ever match. The per-toolcheckPermissionsforfilePatternTools(Read / Edit / Write / Glob / NotebookRead / NotebookEdit) doesn't compensate — it does only a working-directory scope check.Bash(...)andPowerShell(...)rules with content do work because Bash has its own content matcher (dz8) that picomatches the command string againstruleContentdirectly. That's why patterns likeBash(dir:*)work on the CLI butEdit(C:/Data/**)doesn't.Cross-platform: same matcher code in the shared JS bundle, so Linux/macOS/Windows all hit it identically. See #36884 for the full disassembly notes, four-row reproducer matrix, and
--print --debugrecipe.Root cause for the
bypassPermissions-mode-silently-rejected halfSame methodology, different code path. The binary contains this exact log string:
The mode is gated by an
isBypassPermissionsModeAvailableflag on the permission context. The default factoryh0()initializes that flag tofalse:The flag only flips to
truewhen the session is launched with--dangerously-skip-permissionsor--permission-mode bypassPermissionson the CLI. So when someone puts"defaultMode": "bypassPermissions"insettings.jsonand starts a session the normal way:setMode("bypassPermissions").isBypassPermissionsModeAvailable === falseand rejects the change.defaultmode and continues to prompt.Workaround for this one: launch with
--dangerously-skip-permissionson the CLI;defaultModein settings.json can't bootstrap into bypass mode by design. The same opt-in-per-session gate also exists fordontAskmode and thedisableBypassPermissionsMode/disableAutoModepolicy flags follow the same pattern.This is independent of the
XIqmatcher bug above — it's a separate "opt-in-only gate that fails silently" issue. The fix is small in both cases but different: either letdefaultMode: bypassPermissionsin settings flipisBypassPermissionsModeAvailable = trueautomatically, or surface the rejection at warn level so users see why their setting didn't apply.Note on the OP's Read/Glob/Grep observation
@elliottgaryusa noted Read/Glob/Grep worked while Edit/Write didn't. Worth being precise: Read/Glob/Grep on files inside the current working directory don't need a permission rule at all — the working-directory scope check grants them. The
Read(**)rule isn't what's allowing those; it's the scope. Try a Read of a file outside cwd (e.g., from~/something-else/file.mdwhen cwd is a different project) and Read fails too, for the sameXIqreason.Workaround — same one @nikhilsitaram and @RoboLagoon already arrived at
A
PreToolUsehook that inspectstool_input.file_path(ortool_input.commandfor Bash if you need the same for that bug) and emits a deny decision when patterns match. Independently confirms what others in this thread built — the hook layer is below the brokenXIqfilter, so it actually fires. The minimal Python reference is inline in the #36884 comment.Gotcha worth flagging for Windows users: the hook command string in
settings.jsonneeds forward slashes in the script path (python C:/path/to/guard.pynotpython C:\\path\\to\\guard.py) — backslashes get stripped by the hook runner's shell parsing, which makes every Read/Edit/Write fail-closed with a confusingcan't open file 'mangledpath'error.What this comment does NOT explain
dz8content matcher works on the CLI (verified —Bash(dir:*)honored,Bash(rm -rf:*)denies fire), so this is a different layer — likely the VSCode extension loading settings from a different scope or handling permissions in a separate IPC path. Possibly related to #43787 (project-level settings ignored by VSCode extension). I haven't traced the extension's code paths.Worth maintainers splitting this thread into separate issues for distinct triage. The two bugs I've root-caused (
XIqmatcher reject andbypassPermissionsopt-in gate) are both small, isolated fixes touching different functions; they can ship independently.Please fix this. It is irritating and hurts productivity to be unable to shut off permission requests. Using the Claude Code VS Code plugin on Mac.
This should get platform:mac label too. Another request to fix this. I stopped using Cursor for reasons so back to VS Code. This is a productivity killer.
The amount of tickets on the same issue closed as "not planned" despite this being an obvious bug and a productivity killer is ridiculous.
Bumping to bring attention to this.
How is it possible that this ticket only gets 25 upvotes. Anthropic has 1000s of Windows users. Suggestion: build a feedback system into the vscode extension / cli. Oh now I am writing this, I recognize that there is already a feedback system. Somehow always when it presents itself I am positively satisfied 😅
Update on the two matcher bugs I reported here earlier: both are fixed in the current
native CLI (
claude.exe2.1.207, Windows), verified with a reproducer in an isolated configsandbox.
Read/Edit/Write(and related) allow and deny rules now match (theywere previously silent no-ops).
"defaultMode": "bypassPermissions"insettings.jsonnow activates the mode instead ofbeing silently rejected. (One caveat: my sandbox had already accepted the bypass-mode
warning dialog once, so first-time activation may still require that acknowledgment — I
couldn't isolate that variable.)
The fix landed silently somewhere between 2.1.145 and 2.1.207, so upgrading is the remedy if
you're on an older build.
Scope: I verified the native CLI only. This thread's original report is about
Bash/Write/Editrules being ignored specifically in the VS Code extension — I didnot root-cause or test that surface, and I'm not claiming it's fixed. Anyone still seeing
the extension-specific behavior should treat that as open and worth a fresh reproduction on
the current extension build.
Can someone verify if this fix has landed in the macOS VS Code extension or not? I really want to stop using Cursor before the SpaceX deal goes through yet VS Code with Claude Code is unusable until this is fixed.
@joshuaiz In case it's still not fixed, this workaround works for me:
https://github.com/anthropics/claude-code/issues/18846
I just gave claude this link and said "use this workaround" and it applied it where needed.