Permission deny rules not enforced for Bash commands

Resolved 💬 5 comments Opened Feb 17, 2026 by jharshman Closed Feb 18, 2026

Bug Description

Claude Code is not respecting the deny rules configured in .claude/settings.json for Bash commands.

Steps to Reproduce

  1. Configure .claude/settings.json with a deny rule for gcloud:
{
  "permissions": {
    "deny": [
      "Bash(*gcloud*)"
    ]
  }
}
  1. Ask Claude to run a gcloud command (e.g., run gcloud -h or gcloud)
  2. Claude executes the command despite it being in the deny list

Expected Behavior

Commands matching patterns in the deny list should be blocked and never execute.

Actual Behavior

Claude successfully executed gcloud -h and gcloud commands even though Bash(*gcloud*) is explicitly denied in settings.json. The deny rules simply don't deny anything.

Configuration

{
  "defaultMode": "dontAsk",
  "permissions": {
    "allow": [...],
    "deny": [
      "Bash(*kubectl*)",
      "Bash(*terraform*)",
      "Bash(*aws*)",
      "Bash(*gcloud*)",
      "Bash(*sudo*)",
      "Bash(*rm*)",
      ...
    ],
    "ask": [...]
  },
  "sandbox": {
    "enabled": false,
    "autoAllowBashIfSandboxed": false,
    "allowUnsandboxedCommands": false
  },
  "disableBypassPermissionsMode": "enforce"
}

Impact

This is a security issue as it allows bypassing user-configured safety restrictions for dangerous commands like kubectl, terraform, aws, gcloud, sudo, rm, etc.

Environment

  • Claude Code version: [unknown from session]
  • Platform: macOS (Darwin 25.1.0)
  • Model: claude-sonnet-4-5-20250929

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗