[BUG] ask/deny permissions bypassed when Bash command cd's outside the launch directory
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report
- [x] I am using the latest version of Claude Code
What's Wrong?
When a Bash command uses cd to change to a directory outside the project launch directory, ask/deny rules in ~/.claude/settings.json are not enforced — the command executes without any permission prompt.
Note: I'm aware that allowlists/permission rules are not a security boundary, but this is still a correctness bug worth fixing — the rules are simply ignored in this case.
What Should Happen?
ask and deny rules should apply regardless of what working directory the command ends up running in. A cd prefix should not cause permission rules to be skipped.
Steps to Reproduce
- Add
Bash(testcommand *)to the"ask"section of~/.claude/settings.json:
``json``
{
"permissions": {
"ask": [
"Bash(testcommand *)"
]
}
}
- Launch Claude Code in a project directory
- Ask Claude to run
testcommand abc→ permission prompt appears ✓ - Ask Claude to run
cd .. && testcommand abc→ no prompt, executes directly ✗
Error Messages/Logs
None — the bug is the absence of a prompt.
Claude Model
Sonnet (default)
Is this a regression?
I don't know
Claude Code Version
2.1.81 (Claude Code)
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
The ask rules in ~/.claude/settings.json are intended to be global (user-level). The fact that they only apply when the working directory stays within the launch directory makes them unreliable — any chained command with cd /outside/project && will silently bypass them.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗