Edit/Write guardrail blocks files with .claude/ anywhere in path, not just project-root .claude/

Resolved 💬 1 comment Opened Apr 16, 2026 by verveguy Closed May 24, 2026

Bug

Claude Code's Edit and Write tools are denied on files that contain .claude/ anywhere in their path — not just files under the project-root .claude/ directory. This means application code in subdirectories that happen to be named .claude/ is incorrectly treated as Claude Code configuration and blocked from modification.

Reproduction

  1. Have a project with a directory structure like:

``
project-root/
├── .claude/ ← actual Claude Code config (correct to guard)
└── framework/
└── .claude/ ← application code, NOT Claude Code config
└── skills/
└── scripts/
└── graphiti_service.py ← blocked by guardrail
``

  1. Run Claude Code with --permission-mode dontAsk --allowedTools Edit --allowedTools Write
  1. Attempt to Edit or Write framework/.claude/skills/scripts/graphiti_service.py
  1. Claude Code denies the operation:

``
Permission to use Edit has been denied because Claude Code is running in don't ask mode.
``

Expected behavior

The .claude/ guardrail should only protect:

  • <project-root>/.claude/ — the Claude Code configuration directory for this project
  • ~/.claude/ — the global Claude Code configuration directory

Subdirectories named .claude/ deeper in the tree (e.g. framework/.claude/, packages/foo/.claude/) are application code and should be editable normally when Edit is in the allowed tools list.

Actual behavior

Any file with .claude/ in its path is denied, regardless of depth. The guard appears to pattern-match on the path segment rather than checking whether the .claude/ directory is actually at the project root.

Impact

This affects any project where .claude/ is used as a directory name for non-Claude-Code purposes deeper in the tree. In our case, framework/.claude/skills/ contains Python scripts that are part of the application's plugin system — they happen to use the same directory name as Claude Code's config directory, but they are application runtime code.

The workaround is --dangerously-skip-permissions, which is overly broad — it disables ALL permission checks, not just the .claude/ path guard.

Environment

  • Claude Code version: 2.1.109
  • macOS (Darwin 25.3.0)
  • Invocation: claude --output-format stream-json --verbose --permission-mode dontAsk --allowedTools Edit --allowedTools Write ...

Suggested fix

Check whether the .claude/ path segment is at the project root (first component of the relative path from the working directory), not anywhere in the path. Alternatively, only guard paths that resolve to the actual ~/.claude/ or <git-root>/.claude/ directories.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗