Self-modification guard ignores bypassPermissions mode

Resolved 💬 5 comments Opened Mar 29, 2026 by rosemarymenard Closed May 11, 2026

Summary

The self-modification guard prompts for permission on ALL write operations to .claude/ directories, ignoring defaultMode: "bypassPermissions" in .claude/settings.json. This creates significant friction for projects that heavily customize their .claude/ directory.

Reproduction Steps

  1. Set defaultMode: "bypassPermissions" in .claude/settings.json
  2. Add Write(.claude/**) and Edit(.claude/**) to the allow list
  3. Ask Claude to edit any file under .claude/hooks/, .claude/guards/, .claude/lib/, or .claude/scripts/
  4. Observe: a 3-option TUI permission prompt appears ("Do you want to make this edit?")

Expected Behavior

When defaultMode: "bypassPermissions" is active AND the path is in the allow list, edits to .claude/ should proceed without prompting.

Actual Behavior

The self-modification guard fires BEFORE any hooks or permission rules are evaluated. It does not respect:

  • defaultMode: "bypassPermissions"
  • Write(.claude/**) / Edit(.claude/**) in the allow list
  • --dangerously-skip-permissions CLI flag
  • Custom permission hooks

Only .claude/commands/ and .claude/agents/ are exempt.

Impact

  • ~50+ occurrences across sessions in our project
  • Affects ~846 Python files under .claude/hooks/, .claude/guards/, .claude/lib/, .claude/scripts/
  • Bash file operations (touch, rm, cp, mv) on .claude/ state directories also trigger the guard
  • Even runtime directories with no security sensitivity prompt

Proposed Fix

When defaultMode: "bypassPermissions" is active, skip the self-modification guard prompt for paths that match entries in the user's allow list.

Environment

  • Claude Code version: 2.1.81+
  • OS: macOS (Darwin 25.3.0)

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗