permissions.allow and PreToolUse hooks cannot override .claude/ sensitive-file prompt (blocks automation)

Resolved 💬 6 comments Opened Mar 31, 2026 by HengWoo Closed Jun 24, 2026

Summary

When running Claude Code sessions unattended (via tmux scheduled tasks, cron, bots), any Write/Edit/Bash operation targeting ~/.claude/ paths triggers an interactive permission prompt that blocks execution indefinitely. Neither permissions.allow entries nor PreToolUse hooks returning permissionDecision: "allow" can override this.

This is related to #37765, #37516, #36396, but the impact is different: those issues affect interactive users who can click through. This completely breaks automated/unattended workflows.

Environment

  • Claude Code v2.1.87
  • macOS (Darwin 25.2.0)
  • Permission mode: bypass (⏵⏵ bypass permissions on)
  • skipDangerousModePermissionPrompt: true in settings.json

Reproduction

  1. Configure permissions.allow in ~/.claude/settings.json:
"permissions": {
  "allow": [
    "Edit(/Users/heng/.claude/users/**)",
    "Write(/Users/heng/.claude/users/**)",
    "Edit(~/.claude/users/**)",
    "Write(~/.claude/users/**)"
  ]
}
  1. Configure a PreToolUse hook returning explicit allow:
{
  "matcher": "Write|Edit|Bash",
  "hooks": [{
    "type": "command",
    "command": "~/.claude/hooks/auto-allow-user-writes.sh"
  }]
}

Where the hook returns:

{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow","permissionDecisionReason":"Auto-allow writes to user state directory"}}
  1. Start a fresh Claude Code session in ~/.claude/users/{userId}/
  2. Ask it to Edit a file under ~/.claude/users/
  3. Result: Interactive prompt appears asking "Do you want to make this edit? ... allow Claude to edit its own settings for this session"
  4. Expected: The operation should proceed silently per the permissions.allow entry and hook response

What we tested (all fail)

| Approach | Write/Edit | Bash |
|----------|-----------|------|
| permissions.allow with path patterns | ❌ Still prompts | ❌ Still prompts |
| PreToolUse hook permissionDecision: "allow" | ❌ Hook fires but prompt still shows | ❌ Same |
| Bypass mode on | ❌ | ❌ |
| skipDangerousModePermissionPrompt: true | ❌ | ❌ |

Impact

We run an AI assistant platform with 9 users, each with a Claude Code session managed via tmux. Scheduled tasks (nightly memory maintenance, morning briefings) need to write to ~/.claude/users/{userId}/daily/ and ~/.claude/users/{userId}/MEMORY.md. Every fresh session blocks on the first write until a human manually accepts the prompt.

Current workaround: Terminal automation — after sending a scheduled prompt, a watcher polls the pane output for the permission dialog and sends Down Enter via tmux to select "allow for this session." This is fragile and shouldn't be necessary.

Suggested fix

The permissions.allow entries should be authoritative. If a user explicitly adds Write(~/.claude/users/**) to their allow list, the sensitive-file check should respect it. The PreToolUse hook permissionDecision: "allow" should also be sufficient — it's the documented mechanism for programmatic permission control.

At minimum, --dangerously-skip-permissions / bypass mode should skip ALL prompts including this one.

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗