Bug: Pressing '2' overwrites .claude/settings.local.json instead of appending permissions
Bug Report: Pressing "2" Overwrites .claude/settings.local.json Instead of Appending
Summary
When pressing "2" to approve all future requests for a command, Claude Code overwrites the entire .claude/settings.local.json file instead of appending the new permission to the existing permissions array.
Steps to Reproduce
- Have an existing
.claude/settings.local.jsonfile with custom permissions in theallowarray - Execute a command that requires permission approval
- When prompted, press "2" to "Approve this request and all future requests like it"
- Observe the
.claude/settings.local.jsonfile after approval
Expected Behavior
Claude Code should:
- Read the existing
.claude/settings.local.jsonfile - Parse the JSON and locate the
permissions.allowarray - Append the new permission pattern to the existing array
- Write the updated JSON back to the file, preserving all existing permissions
Actual Behavior
Claude Code appears to overwrite the entire file, losing previously configured permissions. This requires users to manually re-add permissions after each approval.
Impact
- High severity: Users lose custom permission configurations
- Forces manual file editing after each "approve all" action
- Defeats the purpose of the "approve all future requests" feature
- Creates security risk as users may be tempted to use overly broad patterns to avoid repeated loss
Environment
- OS: macOS (Darwin 24.3.0)
- Project: Python project with
.claude/settings.local.jsonin project root - File location:
.claude/settings.local.json
Example File Before Approval
{
"includeCoAuthoredBy": false,
"permissions": {
"allow": [
"Bash(git *)",
"Bash(python *)",
"Bash(pytest *)",
"Bash(echo *)",
"Bash(date *)"
],
"deny": [],
"ask": []
},
"outputStyle": "confident-literal"
}
Example File After Approving New Command (e.g., "bd create task")
{
"includeCoAuthoredBy": false,
"permissions": {
"allow": [
"Bash(bd create *)"
],
"deny": [],
"ask": []
},
"outputStyle": "confident-literal"
}
Note: All previous permissions are lost.
Workaround
Users must manually edit .claude/settings.local.json to restore lost permissions after each approval, which is tedious and error-prone.
Suggested Fix
Update the permission approval logic to:
- Load existing
.claude/settings.local.jsonif it exists - Merge new permission into existing
allowarray (avoiding duplicates) - Preserve all other configuration settings
- Write the merged configuration back to the file
---
Report submitted by: User experiencing this issue in production workflow
Date: 2025-10-18
This issue has 10 comments on GitHub. Read the full discussion on GitHub ↗