Permission cache bypass: In-memory cache persists after file-based allow rule cleanup

Resolved 💬 3 comments Opened Jan 31, 2026 by jeffrey-l-turner Closed Feb 4, 2026

Summary

Claude Code caches permission decisions in memory for the duration of a session. Once a user approves a hook prompt, subsequent calls to the same command bypass the hook entirely - even if the file-based allow rule in settings.local.json is cleaned up.

Reproduction Steps

  1. Configure a hook in ~/.claude/settings.json that prompts for approval:

``json
{
"permissions": {
"allow": [],
"deny": [],
"ask": [
{
"bash": "~/scripts/commit-script.sh*",
"permissionDecision": "ask"
}
]
}
}
``

  1. User invokes a skill/command that runs the script
  2. Hook prompts for approval (e.g., "ONLY ALLOW if YOU typed /commit")
  3. User approves
  4. Script executes successfully
  5. External cleanup script removes the allow rule from settings.local.json
  6. AI proactively runs the same script again (without user invoking the skill)
  7. Expected: Hook prompts again
  8. Actual: Hook is bypassed due to in-memory cache, command proceeds without prompting

Root Cause

Claude Code's permission system appears to have two layers:

  1. File-based: settings.local.json with permissions.allow array
  2. In-memory: Session cache of approved permissions

Cleaning up layer 1 (file) does not clear layer 2 (in-memory cache).

Impact

This defeats safety architectures that rely on per-invocation approval workflows. For example:

  • A "quick-commit" hook designed to prompt users to confirm they intentionally requested a commit
  • The prompt instructs users to DENY if the AI is acting proactively
  • After one legitimate approval, the AI can commit proactively for the rest of the session

Suggested Solutions

  1. Single-use permissions: Add a flag for permissions that should be cleared after one use
  2. Cache invalidation API: Allow hooks/scripts to signal that the cache should be cleared
  3. Auto-expire permissions: Permissions from hooks could automatically expire after execution
  4. Sync with file: When settings.local.json is modified, re-read and update the in-memory cache

Environment

  • Claude Code CLI
  • macOS/Linux
  • Issue discovered while implementing a hook-based safety workflow

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗