Self-modification guard ignores bypassPermissions mode
Summary
The self-modification guard prompts for permission on ALL write operations to .claude/ directories, ignoring defaultMode: "bypassPermissions" in .claude/settings.json. This creates significant friction for projects that heavily customize their .claude/ directory.
Reproduction Steps
- Set
defaultMode: "bypassPermissions"in.claude/settings.json - Add
Write(.claude/**)andEdit(.claude/**)to theallowlist - Ask Claude to edit any file under
.claude/hooks/,.claude/guards/,.claude/lib/, or.claude/scripts/ - Observe: a 3-option TUI permission prompt appears ("Do you want to make this edit?")
Expected Behavior
When defaultMode: "bypassPermissions" is active AND the path is in the allow list, edits to .claude/ should proceed without prompting.
Actual Behavior
The self-modification guard fires BEFORE any hooks or permission rules are evaluated. It does not respect:
defaultMode: "bypassPermissions"Write(.claude/**)/Edit(.claude/**)in the allow list--dangerously-skip-permissionsCLI flag- Custom permission hooks
Only .claude/commands/ and .claude/agents/ are exempt.
Impact
- ~50+ occurrences across sessions in our project
- Affects ~846 Python files under
.claude/hooks/,.claude/guards/,.claude/lib/,.claude/scripts/ - Bash file operations (
touch,rm,cp,mv) on.claude/state directories also trigger the guard - Even runtime directories with no security sensitivity prompt
Proposed Fix
When defaultMode: "bypassPermissions" is active, skip the self-modification guard prompt for paths that match entries in the user's allow list.
Environment
- Claude Code version: 2.1.81+
- OS: macOS (Darwin 25.3.0)
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗