bypassPermissions defaultMode appears to be ignored in claude.ai remote sessions
Summary
permissions.defaultMode: "bypassPermissions" set in ~/.claude/settings.json does not appear to take effect in remote sessions launched via claude.ai/code. Permission prompts continue to fire, and the user must click "Allow" for individual command shapes — which then accumulate in .claude/settings.local.json.
Setup
~/.claude/settings.json:
{
"permissions": { "defaultMode": "bypassPermissions" },
"skipDangerousModePermissionPrompt": true,
"remoteControlAtStartup": true,
"autoUploadSessions": true
}
No managed-policy override is in effect (sole admin on the account, no enterprise org). No project- or local-level defaultMode override.
Expected
Tool calls run without per-call permission prompts.
Actual
Prompts fire continuously. .claude/settings.local.json grows mid-session with entries the user clicked "Allow" on:
{
"permissions": {
"allow": [
"Bash(git checkout *)",
"Bash(npx tsc *)",
"Bash(node --test --import tsx /Users/.../orchestrator.abort.test.ts)",
"Bash(git -C /Users/.../rs-app-platform commit -m ' *)",
"Skill(update-config)"
]
}
}
Hypothesis
claude.ai remote sessions enforce a server-side permission gate that disregards the client-side bypassPermissions setting — likely as an intentional safety boundary for the hosted runtime. If so:
- Could the docs / settings schema flag this explicitly? Right now the
bypassPermissionsenum value reads as fully effective. - Is there an admin-side mechanism (org settings, account flag) to opt-in to true bypass for remote sessions, given the user has explicitly accepted
skipDangerousModePermissionPrompt?
Alternatively — if this is a bug and bypassPermissions should apply remotely, that's the report.
Environment
- Platform: macOS Darwin 25.4.0
- Session type: claude.ai/code remote session
- Workaround in use: pre-populating
permissions.allowwith read-only command shapes
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗