[BUG] Claude will respect setting config to deny Read but not Write when file does not already exist
Environment
- Platform (select one):
- [x] Anthropic API
- [ ] AWS Bedrock
- [ ] Google Vertex AI
- [ ] Other: <!-- specify -->
- Claude CLI version: 1.0.102 <!-- output of
claude --version--> - Operating System: macOS 15.6.1 (<!-- e.g. macOS 14.3, Windows 11, Ubuntu 22.04 -->
- Terminal: ghostty<!-- e.g. iTerm2, Terminal App -->
Bug Description
I have a settings configuration in the root of a project folder (/.claude/settings.json). I have included a version of it below.
When I ask Claude to read from "token.json" it will correctly note that it is not allowed to do so. However, when I ask it to write dummy content to that file, it will do so despite the Write rule in the deny section of the config.
Note: this is only in scenarios when the file does not already exist. if the file already exists Claude will not overwrite or append the file, as expected.
When I point this out to Claude it behaves correctly from that point onward in the conversation, but that's obviously not ideal :)
Here is the settings.json file:
{
"permissions": {
"deny": [
"Read(token.json)",
"Write(token.json)"
]
}
}
Note:
<!-- A clear and concise description of the bug -->
Steps to Reproduce
- Provide the settings.json file above at
.claude/settings.jsonin the root folder of a project - Ask it to write dummy content to
token.json(make sure there is no existing file by that name) - (It will write the contents to the file)
- Ask it to read from that file. It will correctly tell you it's denied.
Expected Behavior
<!-- What you expected to happen -->
I would expect Claude to be able to create the file in the first place, per the documentation.
<img width="685" height="661" alt="Image" src="https://github.com/user-attachments/assets/e31185a4-6cdf-4106-a35f-569c82d493e7" />
Actual Behavior
<!-- What actually happened -->
It will create the file if it does not exist.
Additional Context
<!-- Add any other context about the problem here, such as screenshots, logs, etc. -->
For our needs, we're basically identifying sensitive artifacts for our project that might land in the local working directory. We would like specify to Claude to be completely hands-off. Claude being able to inject content into these "hands-off" artifacts if they don't already exist is a vector we'd love to see closed.
I feel like a .claudeignore approach (which has been discussed elsewhere) would be a nicer solution to this problem, but that's neither here nor there.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗