Permissions Configuration Bypass in Local Settings Enforcement
The user has configured their local .claude/settings.local.json to deny file listing operations:
{
"permissions": {
"allow": [],
"deny": [
"Bash(ls:*)",
"LS",
"Search(pattern: \"*\")"
]
}
}
However, they can still list files even after running the /clear command, indicating the permission settings aren't being properly enforced.
Environment:
- Platform: darwin
- Terminal: tmux
- Version: 1.0.35
- Feedback ID: c769e31a-6137-429a-be4c-491d436abe23
Errors:
The error logs show Invalid settings errors with Expected object, received null validation failures in the Claude Code CLI, suggesting there's an issue with how the local settings are being parsed or
applied.
This appears to be a security/configuration bug where local permission restrictions are being bypassed, specifically for file listing operations.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗