--dangerously-skip-permissions has no effect when projects reside under a .vscode directory path

Resolved 💬 3 comments Opened Mar 25, 2026 by RCushmaniii Closed May 1, 2026

Perceived Problem

When launching Claude Code with --dangerously-skip-permissions, the flag appears to do absolutely nothing. Every single tool call — Edit, Write, Bash — still prompts the user for confirmation:

  • "Do you want to make this edit to portfolio.md?"
  • "Do you want to proceed?" (for Bash commands)
  • "Quick safety check: Is this a project you created or one you trust?"

The status bar correctly displays "bypass permissions on", and the settings are correctly configured:

{
  "permissions": {
    "defaultMode": "bypassPermissions"
  }
}

Despite both the CLI flag and the settings being in place, the behavior is identical to running in default permission mode. The user experiences this across every repo, every file, every tool — making it appear as though the feature is completely broken.

Investigation

We initially pursued several theories:

  1. Settings misconfiguration — Verified settings.json had the correct defaultMode value. Confirmed valid.
  2. Workspace trust dialog — Discovered hasTrustDialogAccepted: false in ~/.claude.json for the home directory. Fixed it. The trust prompt stopped, but tool-level prompts persisted.
  3. Invalid settings keys — Removed skipDangerousModePermissionPrompt (not a real setting). No change.
  4. Version-specific bug — Tested on Claude Code v2.1.81. Could not find a documented regression.

None of these resolved the core issue. The flag simply would not work.

Discovery of the Actual Cause

The breakthrough came from examining the project directory structure. All projects were stored at:

C:\Users\<username>\.vscode\Projects\<repo-name>\

We ran a controlled experiment with claude --dangerously-skip-permissions -p (non-interactive mode):

| File Location | Result |
|---|---|
| ~/test-bypass.txt | Edit executed instantly, no prompt. Bypass worked. |
| ~/.vscode/Projects/repo/test-bypass.txt | Edit blocked and prompted, bypass had no effect. |

Same session, same flag, same file content. The only difference was the path.

Root Cause

Claude Code treats .vscode, .git, .claude, and .idea as protected directories where writes always require confirmation — even in bypassPermissions mode. This is a security measure to prevent accidental corruption of IDE and repository configuration.

However, the protection check matches .vscode as a path component anywhere in the full file path, not just as a project-root config folder. This means:

  • C:\Users\me\my-repo\.vscode\settings.jsoncorrectly protected (actual IDE config)
  • C:\Users\me\.vscode\Projects\my-repo\src\App.tsxincorrectly protected (regular source code that happens to have .vscode as an ancestor directory)

Because the entire project tree lived under ~/.vscode/Projects/, every file in every repo was flagged as protected, making bypass mode completely non-functional across the entire workflow.

Workaround

Move projects out of any path containing .vscode as a directory component:

# Before (broken — bypass mode has no effect)
C:\Users\<username>\.vscode\Projects\my-repo\

# After (working — bypass mode functions correctly)
C:\Users\<username>\Projects\my-repo\

Expected Behavior

The protected directory check should distinguish between:

  1. IDE/tooling config directories<project-root>/.vscode/ containing settings.json, launch.json, etc. These should remain protected.
  2. User directories that happen to be named .vscode~/.vscode/Projects/ used as a general project workspace. Files inside these should not be treated as protected when they are clearly regular source code.

A reasonable fix might be to only protect .vscode directories that are direct children of the current working directory or project root, rather than matching the name anywhere in the path hierarchy.

Likely Regression

This behavior was likely introduced or broadened by the security fix for CVE-2025-54794 (path restriction bypass), which tightened path validation from simple prefix matching to canonical path resolution. Before that fix, --dangerously-skip-permissions worked correctly with the same directory structure.

Environment

  • Claude Code: v2.1.81
  • OS: Windows 11 Home 10.0.26200
  • Shell: PowerShell / Git Bash (MINGW64)
  • Model: Claude Opus 4.6 (1M context)

Reproduction Steps

  1. Create a project directory under ~/.vscode/Projects/my-test-repo/
  2. Add a simple file: echo "hello" > ~/.vscode/Projects/my-test-repo/test.txt
  3. Launch claude --dangerously-skip-permissions
  4. Ask Claude to edit test.txt
  5. Observe: Claude prompts for confirmation despite bypass mode being active
  6. Move the repo to ~/Projects/my-test-repo/ and repeat
  7. Observe: Edit goes through without prompting

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗