Permission deny rules not enforced for Bash commands

Resolved 💬 5 comments Opened Feb 13, 2026 by jharshman Closed Feb 17, 2026

Bug Description

Claude Code is not respecting the deny rules configured in .claude/settings.json for Bash commands.

Steps to Reproduce

  1. Configure .claude/settings.json with a deny rule for gcloud:
{
  "permissions": {
    "deny": [
      "Bash(*gcloud*)"
    ]
  }
}
  1. Ask Claude to run a gcloud command (e.g., run gcloud -h or gcloud)
  2. Claude executes the command despite it being in the deny list

Expected Behavior

Commands matching patterns in the deny list should be blocked and never execute, regardless of other settings like dangerouslyDisableSandbox.

Actual Behavior

Claude successfully executed gcloud -h and gcloud commands even though Bash(*gcloud*) is explicitly denied in settings.json.

Configuration

{
  "defaultMode": "dontAsk",
  "permissions": {
    "allow": [...],
    "deny": [
      "Bash(*kubectl*)",
      "Bash(*terraform*)",
      "Bash(*aws*)",
      "Bash(*gcloud*)",
      "Bash(*sudo*)",
      "Bash(*rm*)",
      ...
    ],
    "ask": [...]
  },
  "sandbox": {
    "enabled": false,
    "autoAllowBashIfSandboxed": false,
    "allowUnsandboxedCommands": false
  },
  "disableBypassPermissionsMode": "enforce"
}

Impact

This is a security issue as it allows bypassing user-configured safety restrictions for dangerous commands like kubectl, terraform, aws, gcloud, sudo, rm, etc.

Environment

  • Claude Code version: [unknown from session]
  • Platform: macOS (Darwin 25.1.0)
  • Model: claude-sonnet-4-5-20250929

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗