v2.1.78+ regression: defaultMode dontAsk and allow-list wildcards ignored for protected directories

Resolved 💬 6 comments Opened Mar 22, 2026 by RajeevRKC Closed Mar 22, 2026

Bug Description

Since v2.1.78, the defaultMode: "dontAsk" setting and broad allow-list wildcards (Bash(*), Edit(*), Write(*), etc.) are being overridden by hardcoded protected-directory logic. Permission prompts appear for routine operations despite comprehensive bypass configuration at all settings levels.

Environment

  • Claude Code version: 2.1.81
  • OS: Windows 11 Pro (10.0.26200)
  • Shell: Git Bash
  • Last known good version: 2.1.77

Configuration (all 4 layers aligned)

User settings (~/.claude/settings.json)

{
  "permissions": {
    "allow": [
      "Bash(*)", "Read(*)", "Edit(*)", "Write(*)",
      "Glob(*)", "Grep(*)", "WebSearch", "WebFetch(*)",
      "Agent(*)", "Skill(*)", "mcp__firebase__*",
      "mcp__claude-in-chrome__*"
    ],
    "defaultMode": "dontAsk"
  },
  "skipDangerousModePermissionPrompt": true
}

User local settings (~/.claude/settings.local.json)

Same permissions block with defaultMode: "dontAsk".

Project local settings (.claude/settings.local.json)

Same permissions block with defaultMode: "dontAsk" and skipDangerousModePermissionPrompt: true.

Every layer has dontAsk and broad wildcards. No deny lists anywhere.

Observed Behavior

  • Permission prompts appear for Edit/Write operations on files within .claude/ (including .claude/skills/)
  • Bash(*) wildcard does not suppress prompts for all bash commands
  • Subagents do not inherit the bypass mode from the parent session
  • PreToolUse hooks returning {"hookSpecificOutput": {"permissionDecision": "allow"}} are overridden

Expected Behavior

  • defaultMode: "dontAsk" should suppress all permission prompts except those explicitly denied
  • Bash(*), Edit(*), Write(*) wildcards should match all invocations of those tools
  • Protected-directory logic should respect user-configured bypass settings
  • .claude/skills/ should be exempt from protected-directory restrictions (as .claude/commands/ and .claude/agents/ are)

Related Issues

This is part of a regression cluster introduced in v2.1.78's protected-directory hardening:

  • #36168 -- Bypass permissions broken in all versions newer than v2.1.77
  • #37157 -- .claude/skills/ not exempt despite documentation (decompiled source confirms)
  • #35895 -- Edits in .claude dir rejected in dontAsk mode
  • #36193 -- Bypass permission not working (Windows)
  • #36282 -- skipDangerousModePermissionPrompt described as "seemingly worthless"
  • #37181 -- Mode silently downgrades to acceptEdits mid-session
  • #37442 -- Subagents don't inherit bypass mode
  • #36286 -- PreToolUse hook permission decisions ignored since v2.1.78

Suggested Fix

  1. defaultMode: "dontAsk" and bypassPermissions should take precedence over the protected-directory hardening introduced in v2.1.78
  2. Add .claude/skills/ to the protected-directory exemption list alongside .claude/commands/ and .claude/agents/
  3. Ensure subagents inherit the parent session's permission mode

Reproduction Steps

  1. Configure defaultMode: "dontAsk" at user level with broad wildcards
  2. Start a session in a workspace with .claude/skills/ directory
  3. Attempt to edit any file inside .claude/skills/
  4. Observe: permission prompt appears despite dontAsk mode

Works correctly on v2.1.77. Regresses on v2.1.78+.

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗