Deny rules for Write/Edit on .claude/*.json not enforced

Resolved 💬 3 comments Opened Feb 17, 2026 by Aern28 Closed Feb 17, 2026

Bug

Deny rules in settings.json for Write and Edit on .claude/*.json files are not enforced. Claude Code was able to overwrite settings.local.json without any permission prompt despite explicit deny rules.

Settings

In ~/.claude/settings.json:

"deny": [
  "Bash(rm -rf *)",
  "Bash(git push --force*)",
  "Bash(git reset --hard*)",
  "Bash(git clean -f*)",
  "Edit(C:\Users\matth\.claude\settings*)",
  "Write(C:\Users\matth\.claude\settings*)",
  "Edit(C:\Users\matth\.claude\*.json)",
  "Write(C:\Users\matth\.claude\*.json)"
]

What happened

Claude Code (Opus 4.6) executed a Write tool call targeting C:\Users\matth\.claude\settings.local.json. The write succeeded immediately with no permission prompt. The deny rules were completely bypassed.

Expected behavior

The Write tool call should have been blocked or at minimum prompted the user for confirmation, since the target path matches multiple deny patterns:

  • Write(C:\Users\matth\.claude\settings*)
  • Write(C:\Users\matth\.claude\*.json)

Security concern

If deny rules can be bypassed, a prompt injection or misbehaving agent could modify permission settings (adding allow rules, removing deny rules) to escalate its own privileges without user awareness.

Environment

  • Claude Code version: latest (auto-update channel)
  • Platform: Windows 11 (win32)
  • Shell: bash
  • Model: claude-opus-4-6

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗