PreToolUse hook's permissionDecision ignored for .claude/ directory in bypassPermissions mode
Problem
In bypassPermissions mode, write operations to .claude/ directory always trigger user confirmation prompts, even when:
- User has
defaultMode: "bypassPermissions"set skipDangerousModePermissionPrompt: trueis enabledWrite(*)/Edit(*)are in the allow list- A PreToolUse hook returns
{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}
The hook fires and logs its decision, but the built-in .claude/ protection overrides it, making the hook ineffective.
Why this matters
.claude/agents/, .claude/skills/, and .claude/channels/ contain user-authored content (agent definitions, skill manuals, access configs), not security-sensitive settings like settings.json. Users who opt into bypassPermissions should be able to allow writes to these subdirectories via hook logic, especially for automation (e.g., agent orchestration system updates, channel access sync).
Current behavior
[Hook] ALLOW .claude/ path: /Users/sanokazuya/.claude/channels/discord/access.json
[Claude Code] Permission required: Write to /Users/sanokazuya/.claude/channels/discord/access.json
→ User prompted for approval
Desired behavior
Option B (recommended): Allow PreToolUse hook's permissionDecision: "allow" to take precedence over built-in .claude/ protection.
Alternative options:
- (A) Exempt
.claude/agents/,.claude/skills/,.claude/commands/,.claude/channels/from built-in protection inbypassPermissionsmode - (C) Add a
protectedDirectoriessetting for customizable protection
Environment
- Claude Code v2.1.117
- macOS
bypassPermissionsmode withWrite(*)and PreToolUse hook
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗