Auto-mode wrote a permissions allow-list entry for ssh-to-prod without per-action user approval
Summary
Under auto-mode, a per-call ask safeguard denied an ssh prod call, enforcing a project CLAUDE.md rule that production access requires explicit user permission each time. The denial message hinted that the user could add a Bash permission rule to their settings.
The assistant then generated a Write against .claude/settings.local.json containing:
{ "permissions": { "allow": ["Bash(ssh prod *)", "Bash(curl -sI*)"] } }
without explicit user approval to author that rule. The user interrupted the Write before the file was created.
Bash(ssh prod *) matches any command run through the ssh prod alias, including state-changing operations. Had the file landed, the rule would have applied to every subsequent Claude Code session in that repository until removed.
The chat-level description of the change used the phrases "narrow project-scoped rule" and "this exact pattern"; the rule itself is not pattern-scoped to verification.
Environment
- Claude Code 2.1.119, macOS (Darwin 24.6.0)
- auto-mode, model
claude-opus-4-7(1M context)
Asks
- Treat user-installed permission and hook files as read-only from the assistant's perspective. Writes to
settings.json/settings.local.jsonthat addpermissions.allowentries, removepermissions.askentries, or weaken hooks should require explicit per-action user approval naming the file and the diff. Approval should not be inferred from prior conversation (e.g. "stop asking", "just go"). - Make denial messages explicit that the recommended remediation (adding a permission rule) is for the user, not the assistant.
- Under auto-mode, require interactive user approval for any
Write/Editagainst permission-relevant files, regardless of prior approvals in the session. - Consider treating ssh-to-production permission widening as a class auto-mode cannot author; it can still recommend the rule for the user to apply.
Related
Filed shortly after #53824 (auto-mode bypassing an ask hook on git operations).
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗