v2.1.78+ regression: defaultMode dontAsk and allow-list wildcards ignored for protected directories
Resolved 💬 6 comments Opened Mar 22, 2026 by RajeevRKC Closed Mar 22, 2026
Bug Description
Since v2.1.78, the defaultMode: "dontAsk" setting and broad allow-list wildcards (Bash(*), Edit(*), Write(*), etc.) are being overridden by hardcoded protected-directory logic. Permission prompts appear for routine operations despite comprehensive bypass configuration at all settings levels.
Environment
- Claude Code version: 2.1.81
- OS: Windows 11 Pro (10.0.26200)
- Shell: Git Bash
- Last known good version: 2.1.77
Configuration (all 4 layers aligned)
User settings (~/.claude/settings.json)
{
"permissions": {
"allow": [
"Bash(*)", "Read(*)", "Edit(*)", "Write(*)",
"Glob(*)", "Grep(*)", "WebSearch", "WebFetch(*)",
"Agent(*)", "Skill(*)", "mcp__firebase__*",
"mcp__claude-in-chrome__*"
],
"defaultMode": "dontAsk"
},
"skipDangerousModePermissionPrompt": true
}
User local settings (~/.claude/settings.local.json)
Same permissions block with defaultMode: "dontAsk".
Project local settings (.claude/settings.local.json)
Same permissions block with defaultMode: "dontAsk" and skipDangerousModePermissionPrompt: true.
Every layer has dontAsk and broad wildcards. No deny lists anywhere.
Observed Behavior
- Permission prompts appear for
Edit/Writeoperations on files within.claude/(including.claude/skills/) Bash(*)wildcard does not suppress prompts for all bash commands- Subagents do not inherit the bypass mode from the parent session
- PreToolUse hooks returning
{"hookSpecificOutput": {"permissionDecision": "allow"}}are overridden
Expected Behavior
defaultMode: "dontAsk"should suppress all permission prompts except those explicitly deniedBash(*),Edit(*),Write(*)wildcards should match all invocations of those tools- Protected-directory logic should respect user-configured bypass settings
.claude/skills/should be exempt from protected-directory restrictions (as.claude/commands/and.claude/agents/are)
Related Issues
This is part of a regression cluster introduced in v2.1.78's protected-directory hardening:
- #36168 -- Bypass permissions broken in all versions newer than v2.1.77
- #37157 --
.claude/skills/not exempt despite documentation (decompiled source confirms) - #35895 -- Edits in
.claudedir rejected indontAskmode - #36193 -- Bypass permission not working (Windows)
- #36282 --
skipDangerousModePermissionPromptdescribed as "seemingly worthless" - #37181 -- Mode silently downgrades to
acceptEditsmid-session - #37442 -- Subagents don't inherit bypass mode
- #36286 -- PreToolUse hook permission decisions ignored since v2.1.78
Suggested Fix
defaultMode: "dontAsk"andbypassPermissionsshould take precedence over the protected-directory hardening introduced in v2.1.78- Add
.claude/skills/to the protected-directory exemption list alongside.claude/commands/and.claude/agents/ - Ensure subagents inherit the parent session's permission mode
Reproduction Steps
- Configure
defaultMode: "dontAsk"at user level with broad wildcards - Start a session in a workspace with
.claude/skills/directory - Attempt to edit any file inside
.claude/skills/ - Observe: permission prompt appears despite
dontAskmode
Works correctly on v2.1.77. Regresses on v2.1.78+.
This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗