Desktop app ignores settings.json permissions.allow and defaultMode: bypassPermissions
Bug Description
~/.claude/settings.json permission settings (permissions.allow rules and defaultMode: "bypassPermissions") have no effect in the Claude Code desktop app (macOS). Every tool call still prompts for manual approval.
Steps to Reproduce
- Set
~/.claude/settings.json:
{
"permissions": {
"defaultMode": "bypassPermissions",
"allow": [
"Bash(*)",
"Read(*)",
"Write(*)",
"Edit(*)",
"Glob(*)",
"Grep(*)"
],
"deny": []
}
}
- Also enabled "Allow bypass permissions mode" in Desktop app → Settings → Claude Code
- Start a new session in the Claude Code desktop app
- Any tool call (Bash, Read, Write, Edit) still prompts "Allow Claude to Run/Read/Write...?" with Deny/Allow once/Always allow for session
What Was Tried (All Failed)
| Attempt | Result |
|---------|--------|
| Specific path patterns: Write(//Users/me/path/**) | Still prompted |
| Wildcard patterns: Bash(echo *), Write(*) | Still prompted |
| Blanket wildcards: Bash(*), Read(*), Write(*), Edit(*) | Still prompted |
| defaultMode: "bypassPermissions" | Still prompted |
| Desktop app UI: Settings → Claude Code → "Allow bypass permissions mode" ON | Still prompted |
| All of the above combined | Still prompted |
Expected Behavior
With defaultMode: "bypassPermissions" or matching permissions.allow rules, tool calls should auto-approve without prompting.
Actual Behavior
Every tool call prompts for approval regardless of settings. The "Always allow for session" button sometimes appears but:
- Only approves the exact command, not the pattern (each
echowith different content triggers a new prompt) - Sometimes doesn't appear at all (only "Deny" and "Allow once")
Environment
- Claude Code desktop app (macOS, Sequoia 15.5)
- Claude Opus 4.6
~/.claude/settings.jsonconfirmed correct (validated JSON, correct keys)- No project-level settings.json overriding
- CLI
claude --dangerously-skip-permissionsworks — only desktop app is affected
Impact
Workflows that involve repeated tool calls (batch processing, session documentation protocols) require dozens of manual approvals per session, making automation impractical.
Workaround
None for the desktop app. CLI with --dangerously-skip-permissions is the only working alternative.
21 Comments
Found 3 possible duplicate issues:
This issue will be automatically closed as a duplicate in 3 days.
🤖 Generated with Claude Code
Additional data points from continued use (Feb 25-27):
Read(*)inpermissions.allowdoesn't auto-approve file reads in the desktop appecho '...' >> file.jsonldoes NOT approve the nextechowith different content.python3and Bash commands)permissions.allowrules anddefaultMode: "bypassPermissions"have zero observable effect in the desktop app.This makes any workflow involving repeated tool calls (batch processing, automated documentation) extremely painful — each call requires a manual click.
I’m one of likely many with great frustration on this. I’m not 100% certain, but I think that in my case, it’s even worse. I have some permissive Allow() that mostly worked. Really trivial stuff like ls, find and grep. They used to work at least a lot of the time - definitely not ALL the time - but now that I have put bypassPermissions in, they seem to be ignrored comprehensively. AND since bypassPermissions does not work, it makes me approve pretty much every single action. Yikes.
I routinely use two or three Code windows working on separate parts of a project, which may further complicate this, but having to constantly approve even trivial things in multiple windows is like being a one-armed paper hanger.
Related issue is that the docs are a complete mess, leading to confusion when either I or Claude (or both) try to figure this out. See https://github.com/anthropics/claude-code/issues/30113
Adding a Windows + UNC path data point to this bug.
Environment
\vandelay\SkippyKB— Synology NAS over SMB)Reproduction
Same as OP —
defaultMode: "bypassPermissions"set at all three levels (user, project, project-local settings), comprehensivepermissions.allowlists includingEdit, plusskipDangerousModePermissionPrompt: true. The bypass mode banner shows correctly at the top of the window, but the Edit tool still fires "Allow Claude to Edit?" permission dialogs on every edit.What was tried (all failed)
bypassPermissionsin~/.claude/settings.json(user level)bypassPermissionsin.claude/settings.json(project level)bypassPermissionsin.claude/settings.local.json(project-local level)skipDangerousModePermissionPrompt: truein both user and project-local settingsKey observation
The bypass mode banner displays correctly ("Bypass permissions mode: Claude can take actions without asking"), confirming the setting IS being read. But the Edit tool specifically still prompts. This suggests the Edit tool has its own permission check that doesn't respect the bypass mode flag.
Workaround
"Always allow for session" (Ctrl+Enter) on the first Edit prompt. Holds for the session but resets on restart.
Still experiencing this on the desktop app (macOS, Opus 4.6, March 2026).
bypassPermissionsset at user, project, and worktree levels -- all correctly formatted, all ignored. Every Bash, Edit, Write, and WebSearch call prompts. This has persisted for months across dozens of sessions.I am a non-developer business user who relies on Claude Code via the desktop app for daily email triage and project management (~30+ tool calls per morning routine). The CLI flag workaround is not viable because the desktop app has no way to pass
--dangerously-skip-permissions.This is a significant workflow blocker. Filed a detailed standalone report at #38662.
Update: Root cause identified + working fix
After weeks of fighting this, we traced the root cause and have a permanent fix. Sharing in case it helps others here.
Root Cause: macOS SMB File Handling (Not Claude Code)
The permissions bypass does work — but not on network/SMB/UNC paths. The issue is how macOS (and Windows to a lesser extent) handles files accessed over SMB shares:
\\server\share) with NTFS ACLs differently than local pathsbypassPermissions(the banner shows), but the underlying filesystem permission checks from the OS layer still fire for Edit/Write operations on network-mounted pathsThis is why some users see it work sometimes and not others — if your repo is local, bypass works. If it's on a NAS, network share, or mounted volume, the OS intercedes.
Our Setup (Before — Broken)
Both machines accessed the same repo over SMB. Claude Code's
bypassPermissionswas ignored on both because the OS treated the files as network resources.The Fix: Local Repo + SSH
We moved the repo to a local filesystem on a dedicated Ubuntu server and access it via SSH:
bypassPermissionsworks perfectly on local pathsTL;DR
If you're running Claude Code against a repo on a network share (SMB, NFS-mounted, UNC path, mounted NAS volume),
bypassPermissionswill be ignored because the OS doesn't trust network-mounted files the same way it trusts local files.Fix: Move your repo to a local filesystem. If you need multi-machine access, use SSH to a central server rather than a shared network filesystem.
This isn't a Claude Code bug per se — it's a filesystem trust boundary that Claude Code can't override. But it might be worth documenting this caveat in the permissions docs, since "network paths are treated differently" isn't obvious and multiple users here have been bitten by it.
Still happening as of 26 March 2026 on Desktop app (macOS Sequoia 15.3.2, Team plan). We have now also discovered that the Auto mode and Bypass permissions options are greyed out in the UI dropdown even after enabling both account-level toggles on claude.ai and setting defaultMode in settings.json. The app tooltip says to enable them in settings — but they are enabled. Restart does not help. Filed separately as #39311. Background agents also completely blocked — filed as #38859.
Root cause and workaround
After debugging this on macOS, I found the root cause: Claude Desktop does not read
permissions.defaultModefrom~/.claude/settings.json. Thesettings.jsonpermission config only applies to the CLI.Here's what actually happens when Desktop spawns a Claude Code session:
~/Library/Application Support/Claude/Local Storage/leveldb/), under the keyLSS-cc-landing-draft-permission-mode.--permission-mode <value>to the Claude Code subprocess.settings.json'sdefaultMode, so the settings file is effectively ignored.You can verify this yourself by inspecting the running Claude Code process:
You'll see
--permission-mode acceptEdits(or whatever your current UI selection is) alongside--allow-dangerously-skip-permissions— the bypass capability is already enabled, but the selected mode is what Desktop stored in Local Storage, not what's insettings.json.Fix
The workaround is to modify the Electron Local Storage value directly. Requires
classic-levelfrom npm and Claude Desktop must be fully quit first (it holds an exclusive lock on the DB).Save this as
fix-desktop-permission-mode.mjs:Then run:
Notes
settings.json'sdefaultMode, or at minimum expose a persistent config key inclaude_desktop_config.jsonfor the initial permission mode.Tested on Claude Desktop 1.1.9493, Claude Code 2.1.87, macOS 15.4 (Darwin 25.2.0).
Same issue on CLI (not Desktop/VS Code).
Version: 2.1.101
Platform: Debian Trixie (13) / WSL2, CLI only
~/.claude/settings.json:
json{
"defaultMode": "bypassPermissions",
"skipDangerousModePermissionPrompt": true
}
claude — still prompts for every tool call.
claude --dangerously-skip-permissions — works as expected.
No project-level settings overriding. This confirms the issue is not IDE-specific — defaultMode in settings.json is ignored across CLI as well.
pls fix this!!!
+1 this makes the desktop app unusable for any serious development
fix it pls!! I'm very like desktop app, but cannot use it!
Fix please, this makes Claude Desktop unusable in daily practice
We need fix.. we need desktop app to work same way cli .. We need it badly..
+1, Rippling HRIS team affected on macOS Desktop. The discrepancy with Claude Code CLI (which honors
~/.claude/settings.jsonpermissions.allow) vs Desktop (which appears to ignore it) is the most disorienting part — same config file, opposite behavior, no docs flagging the gap. Even just documented parity would help. Willing to test fixes.— Posted via AI agent on Nikita's behalf; may contain errors. Tag or DM Nikita if feedback.
The problem seems to have gotten worse with the new update.
-----------------------------------------
Edittool prompts for permission inacceptEditsandbypassPermissions/auto modes — affects both CLI and desktop app (v2.1.126)Summary
In Claude Code 2.1.126, the
Edittool fires a permission prompt even when the session is inacceptEditsor auto /bypassPermissionsmode. The bug:~/.claude/settings.jsonremoved entirely).Writetool in auto mode, despiteWritebeing in the same tool category and same modes — which scopes the bug narrowly toEdit's permission resolution path.This blocks normal day-to-day use because every file edit interrupts the workflow with a prompt that no documented mechanism (mode toggle, allowlist,
skipAutoPermissionPrompt) can suppress.Environment
/Users/<user>/.local/share/claude/versions/2.1.126)/doctoroutput: all green — auto-updates enabled, latest channel, no version-lock conflicts.The fact that the same bug reproduces in both the CLI and the desktop app rules out terminal/TTY handling, shell integration, and CLI-specific Shift-Tab parsing as causes. The bug must live in the shared permission-resolver layer that both clients use.
Steps to reproduce (clean-room — settings file removed)
mv ~/.claude/settings.json ~/.claude/settings.json.bak(no project-level settings, emptysettings.local.json).acceptEditsmode. The system reminder confirms the mode change is registered.please add a line to note.txt).Edit(...).bypassPermissionsmode. System reminder confirms "Auto Mode Active".Edit(...).Writein the same auto-mode session.Writeis correctly auto-approved.Expected behavior
acceptEditsmode is documented to auto-approveEdit,Write, andNotebookEdit.Editshould not prompt.bypassPermissions/ auto mode is documented to auto-approve all non-destructive tools.Editshould not prompt.Actual behavior
Editprompts inacceptEditsmode.Editprompts in auto /bypassPermissionsmode.Writedoes not prompt in auto mode (working as expected).Readprompts inacceptEditsmode (this is expected —acceptEditsis for edit tools only — but mentioning for completeness).Readdoes not prompt in auto mode (working as expected).Earlier (non-clean-room) findings
Before stripping the config, the user's
~/.claude/settings.jsoncontained:"Read"to the allowlist correctly silencedReadprompts in all modes."Write"and"Edit"to the allowlist (tested previously) did not silenceEditprompts.skipAutoPermissionPrompt: truehad no effect onEditprompts.So three independent suppression mechanisms (allowlist, mode,
skipAutoPermissionPrompt) all fail forEditspecifically.Plugin / hook audit
Confirmed no installed plugin registers a
PreToolUsehook. The two plugins withhooks/hooks.jsonfiles (vercel,explanatory-output-style) only registerSessionStart/SessionEndhooks. So plugin interception is ruled out.The clean-room reproduction further rules out plugins entirely, since the test session ran with no
enabledPluginsconfig.Hypothesis for maintainers
Because
EditandWritediffer in behavior despite being in the same tool category and the same modes:Edit("you're about to modify existing content") that is not properly gated onacceptEdits/bypassPermissionsmode.Editpattern even when literally"Edit"is configured, while it does match"Read"and"Write".Both hypotheses predict the observed asymmetry between
EditandWrite.Impact
Daily use is significantly degraded. Every routine file edit interrupts the workflow with a prompt that no documented in-product mechanism can suppress. The user has confirmed that all four of the following bypass mechanisms fail to suppress
Editprompts in v2.1.126:"Edit"explicitly in~/.claude/settings.json— no effect.acceptEditsmode (Shift-Tab toggle) — no effect.bypassPermissionsmode (Shift-Tab toggle) — no effect."skipAutoPermissionPrompt": truesetting — no effect.The only mechanism that does currently suppress
Editprompts is launching with the--dangerously-skip-permissionsCLI flag. This is not a viable day-to-day workaround because it disables all permission resolution globally and is documented as unsafe.Cross-version progression (potentially useful for maintainers)
The
--dangerously-skip-permissionsbehavior changed across versions:--dangerously-skip-permissionsdid not suppressEditprompts.--dangerously-skip-permissionsdoes suppressEditprompts.So progress was made between these two releases on at least one bypass path. However, the four documented (non-
--dangerously-) mechanisms above still don't work forEdit. This suggests the fix between 2.1.123 → 2.1.126 patched the--dangerously-skip-permissionsflag's path specifically, but the corresponding fix foracceptEdits,bypassPermissions, allowlist matching, andskipAutoPermissionPromptwas not made. A grep for whatever change unblocked the--dangerously-path may point directly at where the analogous fix needs to go for the other paths.Repro environment available
Happy to provide:
~/.claude/settings.json/doctoroutputWhy is this closed. This bug isn't fixed by the mentioned PR. There is no reason given for this being closed.
@amorriscode can you elaborate why you closed this ticket, although plenty of users still see that issue to this day? it only ever got worse.
Claude code desktop is completely unusable because of this. Other tickets refer to this one as duplicate, yet this was closed with no resolution.
There _is_ a workaround, which is successful. Use a PreToolUse hook, and set up your hook so that it only checks truly dangerous things like formatting drives, removing databases, etc. I’ve been using it instead of the recommended but inoperative fixes with bypassPermissions etc. I can’t explain why this one is closed, I do still have to use the hook.
This issue has been automatically locked since it was closed and has not had any activity for 7 days. If you're experiencing a similar issue, please file a new issue and reference this one if it's relevant.