Permissions bypassed and not persisted in VS Code/Cursor extension
Environment
- IDE: Cursor (VS Code fork) — reproduced by multiple users, both local and SSH remote setups
- Host OS: macOS (Darwin 25.3.0)
- Auth: Enterprise login
- Claude Code extension version: 2.1.78
Bug Description
Two related permission issues when using the Claude Code extension in Cursor:
1. Commands execute without permission prompts despite not being in the allow list
Commands like rm are executed without any permission prompt, even though they are not listed in ~/.claude/settings.json permissions.allow. This is a security concern — the permission system appears to be bypassed.
2. "Allow for all projects" does not persist
When clicking "Allow for all projects" on a permission prompt (e.g., for bq ls), the permission is not written to ~/.claude/settings.json. The next time the same command runs, it prompts again (when prompts do appear). No project-level settings files are created either (~/.claude/projects/*/settings.json).
Expected Behavior
- Commands not in the allow list should always trigger a permission prompt before execution.
- Clicking "Allow for all projects" should persist the permission to
~/.claude/settings.json.
Steps to Reproduce
- Open a project in Cursor with the Claude Code extension
- Ensure
rm(or another potentially destructive command) is not in~/.claude/settings.jsonallow list - Ask Claude to run that command
- Observe: command executes without a permission prompt
- For a command that does prompt, click "Allow for all projects"
- Check
~/.claude/settings.json— no new entry is added
Additional Context
- Reproduced by multiple team members on an enterprise plan, not specific to SSH remote setups
~/.claude/policy-limits.jsondoes not contain any permission-related restrictions- Manually editing
~/.claude/settings.jsonto add allow entries works correctly — the file is being read, just not written to - Enterprise auth (not personal API key)
Impact
This is a security-relevant bug. The permission system is a key safety mechanism, and having it silently bypassed undermines user trust and safety guarantees. Users may not realize their allow/deny lists are not being enforced.
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗