[BUG] Empty server-managed settings (304 cached) zero out local managed-settings.json — deny/allow rules never enforced
Platform: Linux (RHEL 9)
Claude Code version: current (tested 2026-06-22)
Problem
When a facility deploys /etc/claude-code/managed-settings.json with permissions.allow and permissions.deny rules, those rules are silently discarded at startup. All policySettings destinations end up with 0 rules regardless of what the file contains.
Root cause (from debug log)
The documented precedence is server-managed > managed-settings.json. When the deployment has no server-managed policy configured with Anthropic, the server returns an empty/cached 304 response. Claude Code treats this as "server-managed policy = zero rules" and replaces policySettings with empty arrays, overwriting the local file.
\\\\
[DEBUG] MDM settings load completed in 2ms # local file read
[DEBUG] Remote managed settings loaded # empty 304 from Anthropic
[DEBUG] Replacing all allow rules for destination 'policySettings' with 0 rule(s): []
[DEBUG] Replacing all deny rules for destination 'policySettings' with 0 rule(s): []
\\
The local file is valid and readable (managed-settings.json is world-readable, no symlink issues).
Expected behavior
An empty/absent server-managed response should be treated as "not configured" and fall through to managed-settings.json. It should not be treated as a configured policy of zero rules that overrides the local file.
Actual behavior
All policySettings allow/deny rules are zeroed out. Any rules in managed-settings.json — including deny rules meant to restrict tool access — are never enforced.
Impact
Facility-wide deny rules (e.g., Bash(condor_*)) are never enforced on shared systems. Users can run any command without restriction, defeating the purpose of managed settings for shared multi-user environments.
Reproduction
- Deploy
/etc/claude-code/managed-settings.jsonwith deny rules on a Linux system with no Anthropic enterprise/server-managed policy configured - Run
claude --debug-file /tmp/debug.log -p hello - Grep for
policySettingsin the debug log — all rules show0 rule(s): []despite the valid local file
Example managed-settings.json
{
"permissions": {
"allow": ["Bash(pixi*)", "Bash(du*)", "Bash(df*)"],
"deny": ["Bash(condor_*)"]
}
}
Notes
- The same behavior occurs with
managed-settings.d/drop-in files (tested prior to switching tomanaged-settings.json) - The debug log confirms the file is being watched:
Watching for changes in setting files ... /etc/claude-code/managed-settings.json... and drop-in directory /etc/claude-code/managed-settings.d - The remote settings fetch returns 304 (cached), suggesting this affects any deployment without a paid Anthropic enterprise MDM policy
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗