[BUG] Write and Bash(cp) executed without permission despite restrictive settings.local.json

Resolved 💬 5 comments Opened Mar 15, 2026 by mkduew Closed May 1, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Claude Code executed a Write tool call to /tmp/set_additional_category.md and a subsequent Bash(cp ...) command without prompting for user approval, despite neither being covered by the project's settings.local.json. The permission system was bypassed silently — no prompt, no warning, no error.

What Should Happen?

Both tool calls should have been blocked or should have triggered a user approval prompt, as they are not covered by the configured allow list in settings.local.json.

  • Write to /tmp/... → should require approval (no Write permission configured at all)
  • Bash(cp ...) → should require approval (Bash(cp:*) is not in the allow list)

Error Messages/Logs

No error was shown. Both operations completed silently without any permission warning or prompt.

Steps to Reproduce

  1. Create a settings.local.json with a restrictive allow list — no Write(*) and no Bash(cp:*) entries.
  2. Ask Claude to write a file to a tmp directory (without specifying full path).
  3. Claude interprets tmp as the system /tmp directory and calls Write(/tmp/some_file.md)executes without prompt.
  4. Claude then calls Bash(cp /tmp/some_file.md /project/tmp/some_file.md) to move the file — also executes without prompt.

Relevant settings.local.json (abbreviated):

{
  "permissions": {
    "allow": [
      "Bash(ls:*)",
      "Bash(git:*)",
      "Bash(curl:*)",
      "Bash(php:*)",
      "Read(//Users/userpath/PhpstormProjects/exp2pim_api/**)"
    ]
  }
}

No Write(*), Write(/tmp/*), or Bash(cp:*) is present.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

2.1.76 (Claude Code)

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

IntelliJ IDEA terminal

Additional Information

  • OS: macOS Darwin 25.3.0
  • The Write tool appears to bypass permission checks entirely when writing outside the project directory.
  • The Bash(cp ...) command was not matched against the allow list despite the list containing only explicit Bash(<command>:*) entries.
  • This undermines the security model of settings.local.json, as users rely on it to restrict Claude's write access to the local filesystem.

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗