Permissions Configuration Bypass in Local Settings Enforcement

Resolved 💬 3 comments Opened Jun 29, 2025 by ccdatatraits Closed Aug 20, 2025

The user has configured their local .claude/settings.local.json to deny file listing operations:

{
"permissions": {
"allow": [],
"deny": [
"Bash(ls:*)",
"LS",
"Search(pattern: \"*\")"
]
}
}

However, they can still list files even after running the /clear command, indicating the permission settings aren't being properly enforced.

Environment:

  • Platform: darwin
  • Terminal: tmux
  • Version: 1.0.35
  • Feedback ID: c769e31a-6137-429a-be4c-491d436abe23

Errors:
The error logs show Invalid settings errors with Expected object, received null validation failures in the Claude Code CLI, suggesting there's an issue with how the local settings are being parsed or
applied.

This appears to be a security/configuration bug where local permission restrictions are being bypassed, specifically for file listing operations.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗