Session-level permission grants are invisible and non-auditable
Resolved 💬 8 comments Opened Mar 10, 2026 by SavoryBytes Closed May 21, 2026
Problem
When a user approves a tool invocation with "Allow" or "Allow for this session" (as opposed to "Allow always"), the permission grant is stored only in process memory. There is:
- No command to list which transient permissions are currently active
- No log recording that the approval happened
- No way to revoke a session-level permission without restarting the session
This means there is a class of security-relevant state that is completely opaque to the user. You cannot answer the question: "What have I authorized Claude to do in this session?"
Expected Behavior
Users should be able to inspect, audit, and revoke transient permission grants.
Proposed Changes
/session-permissionscommand — List all active session-level approvals (tool name, args/pattern, timestamp, scope)- Permission audit log — Write every allow/deny decision (transient and persistent) to a local file (e.g.
~/.claude/audit.log) with timestamp, tool, input, and project context - Revocation support — A
/revokecommand or UI to selectively withdraw session-level approvals without restarting PermissionDecisionhook event — Emit a hook event when permissions are granted/denied so external tools (SIEM, audit systems) can observe state changes- CLI status indicator — Show count of active session permissions in the status bar
Why This Matters
- Security posture visibility — Users managing sensitive codebases need to understand what's been authorized
- Compliance/audit — No audit trail exists for the most common permission grant type (session-level)
- Least privilege — Without revocation, a mistaken "Allow for session" persists until restart
- Incident response — If a session is compromised, there's no way to determine what was authorized
Reproduction
- Start a Claude Code session
- Run a command that requires approval (e.g. a Bash command)
- Click "Allow" (session-level)
- Try to find where that approval is recorded — it doesn't exist on disk or in any queryable interface
This issue has 8 comments on GitHub. Read the full discussion on GitHub ↗