Bug: Pressing '2' overwrites .claude/settings.local.json instead of appending permissions

Resolved 💬 10 comments Opened Oct 18, 2025 by BucklerCTO Closed Jan 15, 2026

Bug Report: Pressing "2" Overwrites .claude/settings.local.json Instead of Appending

Summary

When pressing "2" to approve all future requests for a command, Claude Code overwrites the entire .claude/settings.local.json file instead of appending the new permission to the existing permissions array.

Steps to Reproduce

  1. Have an existing .claude/settings.local.json file with custom permissions in the allow array
  2. Execute a command that requires permission approval
  3. When prompted, press "2" to "Approve this request and all future requests like it"
  4. Observe the .claude/settings.local.json file after approval

Expected Behavior

Claude Code should:

  1. Read the existing .claude/settings.local.json file
  2. Parse the JSON and locate the permissions.allow array
  3. Append the new permission pattern to the existing array
  4. Write the updated JSON back to the file, preserving all existing permissions

Actual Behavior

Claude Code appears to overwrite the entire file, losing previously configured permissions. This requires users to manually re-add permissions after each approval.

Impact

  • High severity: Users lose custom permission configurations
  • Forces manual file editing after each "approve all" action
  • Defeats the purpose of the "approve all future requests" feature
  • Creates security risk as users may be tempted to use overly broad patterns to avoid repeated loss

Environment

  • OS: macOS (Darwin 24.3.0)
  • Project: Python project with .claude/settings.local.json in project root
  • File location: .claude/settings.local.json

Example File Before Approval

{
  "includeCoAuthoredBy": false,
  "permissions": {
    "allow": [
      "Bash(git *)",
      "Bash(python *)",
      "Bash(pytest *)",
      "Bash(echo *)",
      "Bash(date *)"
    ],
    "deny": [],
    "ask": []
  },
  "outputStyle": "confident-literal"
}

Example File After Approving New Command (e.g., "bd create task")

{
  "includeCoAuthoredBy": false,
  "permissions": {
    "allow": [
      "Bash(bd create *)"
    ],
    "deny": [],
    "ask": []
  },
  "outputStyle": "confident-literal"
}

Note: All previous permissions are lost.

Workaround

Users must manually edit .claude/settings.local.json to restore lost permissions after each approval, which is tedious and error-prone.

Suggested Fix

Update the permission approval logic to:

  1. Load existing .claude/settings.local.json if it exists
  2. Merge new permission into existing allow array (avoiding duplicates)
  3. Preserve all other configuration settings
  4. Write the merged configuration back to the file

---

Report submitted by: User experiencing this issue in production workflow
Date: 2025-10-18

View original on GitHub ↗

This issue has 10 comments on GitHub. Read the full discussion on GitHub ↗