Deny rules for Write/Edit on .claude/*.json not enforced
Bug
Deny rules in settings.json for Write and Edit on .claude/*.json files are not enforced. Claude Code was able to overwrite settings.local.json without any permission prompt despite explicit deny rules.
Settings
In ~/.claude/settings.json:
"deny": [
"Bash(rm -rf *)",
"Bash(git push --force*)",
"Bash(git reset --hard*)",
"Bash(git clean -f*)",
"Edit(C:\Users\matth\.claude\settings*)",
"Write(C:\Users\matth\.claude\settings*)",
"Edit(C:\Users\matth\.claude\*.json)",
"Write(C:\Users\matth\.claude\*.json)"
]
What happened
Claude Code (Opus 4.6) executed a Write tool call targeting C:\Users\matth\.claude\settings.local.json. The write succeeded immediately with no permission prompt. The deny rules were completely bypassed.
Expected behavior
The Write tool call should have been blocked or at minimum prompted the user for confirmation, since the target path matches multiple deny patterns:
Write(C:\Users\matth\.claude\settings*)Write(C:\Users\matth\.claude\*.json)
Security concern
If deny rules can be bypassed, a prompt injection or misbehaving agent could modify permission settings (adding allow rules, removing deny rules) to escalate its own privileges without user awareness.
Environment
- Claude Code version: latest (auto-update channel)
- Platform: Windows 11 (win32)
- Shell: bash
- Model: claude-opus-4-6
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗