PreToolUse hook's permissionDecision ignored for .claude/ directory in bypassPermissions mode

Resolved 💬 3 comments Opened Apr 22, 2026 by sanokazuya0306 Closed Apr 25, 2026

Problem

In bypassPermissions mode, write operations to .claude/ directory always trigger user confirmation prompts, even when:

  • User has defaultMode: "bypassPermissions" set
  • skipDangerousModePermissionPrompt: true is enabled
  • Write(*) / Edit(*) are in the allow list
  • A PreToolUse hook returns {"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}

The hook fires and logs its decision, but the built-in .claude/ protection overrides it, making the hook ineffective.

Why this matters

.claude/agents/, .claude/skills/, and .claude/channels/ contain user-authored content (agent definitions, skill manuals, access configs), not security-sensitive settings like settings.json. Users who opt into bypassPermissions should be able to allow writes to these subdirectories via hook logic, especially for automation (e.g., agent orchestration system updates, channel access sync).

Current behavior

[Hook] ALLOW .claude/ path: /Users/sanokazuya/.claude/channels/discord/access.json
[Claude Code] Permission required: Write to /Users/sanokazuya/.claude/channels/discord/access.json
→ User prompted for approval

Desired behavior

Option B (recommended): Allow PreToolUse hook's permissionDecision: "allow" to take precedence over built-in .claude/ protection.

Alternative options:

  • (A) Exempt .claude/agents/, .claude/skills/, .claude/commands/, .claude/channels/ from built-in protection in bypassPermissions mode
  • (C) Add a protectedDirectories setting for customizable protection

Environment

  • Claude Code v2.1.117
  • macOS
  • bypassPermissions mode with Write(*) and PreToolUse hook

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗