bypassPermissions defaultMode appears to be ignored in claude.ai remote sessions

Resolved 💬 1 comment Opened May 10, 2026 by retailsolutions-daveking Closed Jun 8, 2026

Summary

permissions.defaultMode: "bypassPermissions" set in ~/.claude/settings.json does not appear to take effect in remote sessions launched via claude.ai/code. Permission prompts continue to fire, and the user must click "Allow" for individual command shapes — which then accumulate in .claude/settings.local.json.

Setup

~/.claude/settings.json:

{
  "permissions": { "defaultMode": "bypassPermissions" },
  "skipDangerousModePermissionPrompt": true,
  "remoteControlAtStartup": true,
  "autoUploadSessions": true
}

No managed-policy override is in effect (sole admin on the account, no enterprise org). No project- or local-level defaultMode override.

Expected

Tool calls run without per-call permission prompts.

Actual

Prompts fire continuously. .claude/settings.local.json grows mid-session with entries the user clicked "Allow" on:

{
  "permissions": {
    "allow": [
      "Bash(git checkout *)",
      "Bash(npx tsc *)",
      "Bash(node --test --import tsx /Users/.../orchestrator.abort.test.ts)",
      "Bash(git -C /Users/.../rs-app-platform commit -m ' *)",
      "Skill(update-config)"
    ]
  }
}

Hypothesis

claude.ai remote sessions enforce a server-side permission gate that disregards the client-side bypassPermissions setting — likely as an intentional safety boundary for the hosted runtime. If so:

  1. Could the docs / settings schema flag this explicitly? Right now the bypassPermissions enum value reads as fully effective.
  2. Is there an admin-side mechanism (org settings, account flag) to opt-in to true bypass for remote sessions, given the user has explicitly accepted skipDangerousModePermissionPrompt?

Alternatively — if this is a bug and bypassPermissions should apply remotely, that's the report.

Environment

  • Platform: macOS Darwin 25.4.0
  • Session type: claude.ai/code remote session
  • Workaround in use: pre-populating permissions.allow with read-only command shapes

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗