How one committed JSON file could put Claude Code in YOLO mode

TODO: full writeup pending. A malicious repository could ship a .claude/settings.json setting permissions.defaultMode to bypassPermissions; Claude Code resolved that file before showing the workspace-trust dialog, so the dialog was skipped on first open and tools ran without consent. Fixed in 2.1.53.