Permission system prompts for safe operations but silently runs destructive ones (migrate, ALTER TABLE)

Resolved 💬 2 comments Opened Feb 22, 2026 by hriks Closed Mar 23, 2026

Bug Description

Claude Code regularly asks for permission to perform non-destructive operations (reading files, writing files), but executes destructive commands like python3 manage.py migrate and raw SQL ALTER TABLE / DROP COLUMN without any permission prompt.

This is backwards — it prompts for safe operations but silently runs dangerous ones.

Root Cause

When a user has a broad allow rule like Bash(python3:*) in their settings.local.json, it allows all python3 commands — including destructive ones like migrate, raw SQL via manage.py shell, etc.

The permission system treats all commands matching a broad pattern equally, with no distinction between read-only and destructive operations.

Expected Behavior

Destructive/irreversible commands (e.g., database migrations, schema changes, DROP, ALTER) should require explicit user approval regardless of broad allow rules. At minimum, Claude should proactively ask the user before running such commands — the same way it is instructed to confirm before destructive git operations.

If Claude asks permission to read a file, it should absolutely ask permission before modifying a database schema.

Steps to Reproduce

  1. Add Bash(python3:*) to settings.local.json allow list
  2. Ask Claude to work on a Django migration task
  3. Claude regularly prompts for permission to read/write files during the task
  4. But Claude runs python3 manage.py migrate without prompting — modifying the database schema
  5. Claude also runs raw SQL via manage.py shell (ALTER TABLE, DROP COLUMN) without prompting

Impact

In our case, this resulted in irreversible database schema changes (ArrayField columns converted to JSONField) that required multiple manual SQL fixes to restore.

Suggested Fix

  • Add a built-in deny/warn list for known destructive command patterns (e.g., migrate, DROP, ALTER, DELETE, rm -rf)
  • Or: require Claude to always confirm before running commands that modify database schema, regardless of allow rules
  • At minimum: if Claude prompts for non-destructive operations, it must also prompt for destructive ones

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗