Session-level permission grants are invisible and non-auditable

[SavoryBytes]

Problem

When a user approves a tool invocation with "Allow" or "Allow for this session" (as opposed to "Allow always"), the permission grant is stored only in process memory. There is:

• No command to list which transient permissions are currently active
• No log recording that the approval happened
• No way to revoke a session-level permission without restarting the session

This means there is a class of security-relevant state that is completely opaque to the user. You cannot answer the question: "What have I authorized Claude to do in this session?"

Expected Behavior

Users should be able to inspect, audit, and revoke transient permission grants.

Proposed Changes

1. /session-permissions command — List all active session-level approvals (tool name, args/pattern, timestamp, scope)
2. Permission audit log — Write every allow/deny decision (transient and persistent) to a local file (e.g. ~/.claude/audit.log) with timestamp, tool, input, and project context
3. Revocation support — A /revoke command or UI to selectively withdraw session-level approvals without restarting
4. PermissionDecision hook event — Emit a hook event when permissions are granted/denied so external tools (SIEM, audit systems) can observe state changes
5. CLI status indicator — Show count of active session permissions in the status bar

Why This Matters

• Security posture visibility — Users managing sensitive codebases need to understand what's been authorized
• Compliance/audit — No audit trail exists for the most common permission grant type (session-level)
• Least privilege — Without revocation, a mistaken "Allow for session" persists until restart
• Incident response — If a session is compromised, there's no way to determine what was authorized

Reproduction

1. Start a Claude Code session
2. Run a command that requires approval (e.g. a Bash command)
3. Click "Allow" (session-level)
4. Try to find where that approval is recorded — it doesn't exist on disk or in any queryable interface

[jeffdarmawan]

Up this.

I agree with /session-permissions, with the addition to locate which those permissions come from.

# Merged permissions
## User-scoped permissions
## Project-scoped permissions
## Session-scoped permissions (after clicking 'Allow all ... at ...')

I often encounter permission prompts even after I allow them in both .claude/settings.local.json and ~/.claude/settings.json. Some issues have also mentioned about some settings file overriding the other settings file which isn't traceable because we don't have that visibility.

/revoke-permission is also useful when you want to be more cautious in current session's conversations or just wanting to be aware of what's being done.

[yurukusa]

Hook-based workaround for the audit gap: a PostToolUse hook that logs every tool invocation to a persistent file:

INPUT=$(cat)
TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty')
TIMESTAMP=$(date -u '+%Y-%m-%dT%H:%M:%SZ')
LOG_DIR="${HOME}/.claude/audit"
mkdir -p "$LOG_DIR"
echo "${TIMESTAMP} ${TOOL}" >> "${LOG_DIR}/tool-calls.log"
exit 0

This won't capture the "Allow" click itself (no hook event for that), but it records every tool that was actually executed — so you can audit what tools ran and when. Combined with git log, this gives a reasonable audit trail.
For richer logging, you can extract the command/file from the input:

CMD=$(echo "$INPUT" | jq -r '.tool_input.command // .tool_input.file_path // "-"')
echo "${TIMESTAMP} ${TOOL} ${CMD}" >> "${LOG_DIR}/tool-calls.log"

Install: npx cc-safe-setup --install-example permission-audit-log

[yurukusa]

You can build a permission audit log with hooks:

INPUT=$(cat)
TOOL=$(echo "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null)
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // .tool_input.command // "N/A"' 2>/dev/null | head -c 200)
TS=$(date -Iseconds)
LOG="$HOME/.claude/permission-audit.log"
echo "[$TS] EXECUTED tool=$TOOL target=$FILE" >> "$LOG"
exit 0

INPUT=$(cat)
TOOL=$(echo "$INPUT" | jq -r '.tool_name // "unknown"' 2>/dev/null)
COMMAND=$(echo "$INPUT" | jq -r '.tool_input.command // "N/A"' 2>/dev/null | head -c 200)
TS=$(date -Iseconds)
LOG="$HOME/.claude/permission-audit.log"
echo "[$TS] PERMISSION_REQUESTED tool=$TOOL command=$COMMAND" >> "$LOG"
exit 0

cat ~/.claude/permission-audit.log | tail -50
grep "git push" ~/.claude/permission-audit.log

{
  "hooks": {
    "PostToolUse": [{"hooks": [{"type": "command", "command": "bash ~/.claude/hooks/permission-audit.sh"}]}],
    "PermissionRequest": [{"hooks": [{"type": "command", "command": "bash ~/.claude/hooks/permission-log.sh"}]}]
  }
}

This creates a complete audit trail at ~/.claude/permission-audit.log — every tool execution is logged with timestamp, tool name, and target. You can answer "what have I authorized?" at any time by reading the log.

[alemarcosa]

The auditability gap you're describing — not being able to answer 'what have I authorized in this session' — is exactly the thing I built for. Daedalab keeps a structured record of every tool call: what was auto-allowed, what required manual approval, what was denied and why, with timestamps and agent context. Exportable as CSV. It works at the proxy level so the audit record exists independently of what Claude Code logs internally. For anyone hitting this gap before a native fix ships: daedalab.app, one base URL change.

[dr5hn]

This is something CCM addresses. ccm permissions audit scans your settings.json and flags:

• Duplicate rules across allow/deny/ask categories
• Contradictions (same rule in both allow AND deny)
• Verbatim Bash rules without wildcards (from "Always Allow" accumulation)
• Rule count bloat (warns at 50+, flags at 100+)

And ccm permissions audit --fix auto-removes duplicates with a backup.

https://github.com/dr5hn/ccm