bypassPermissions prompts on Edit/Write to .claude/commands/ and *.md files in normal project paths despite universal allow rules
Summary
Running Claude Code on Windows 11 with defaultMode: bypassPermissions and universal Edit(*) / Write(*) allow rules at both user and project scope. Permission prompts still fire on:
- Edit/Write to paths inside
.claude/commands/— directly contradicting the permissions docs which list.claude/commands,.claude/agents, and.claude/skillsas exempt from the.claude/carve-out. - Edit/Write to ordinary
*.mdfiles inside the project working directory (e.g.D:\fmt\docs\foo.md) — outside any.claude/path and fully covered byEdit(*)/Write(*)allow rules.
A single /session-close slash command produces ~12 such prompts, severely disrupting workflow.
Environment
- OS: Windows 11 Home (10.0.26200)
- Shell: Git Bash (MSYS2)
- Running inside Claude Code (Opus 4.7)
Settings (sanitized)
~/.claude/settings.json:
{
"permissions": {
"defaultMode": "bypassPermissions",
"allow": ["Bash(*)", "Read(*)", "Edit(*)", "Write(*)", "Glob(*)", "Grep(*)", "..."],
"additionalDirectories": ["C:\Users\<user>\.claude"]
},
"skipDangerousModePermissionPrompt": true
}
Project <repo>/.claude/settings.local.json mirrors the same defaultMode and allow list. Project <repo>/.claude/settings.json adds path-scoped Edit/Write allows for the project root and user's project memory dir.
Repro 1 — .claude/commands/ prompts despite documented exemption (directly verified)
Use the Edit tool against <repo>/.claude/commands/session-close.md.
- Expected: silent edit per docs ("Writes to
.claude/commands,.claude/agents, and.claude/skillsare exempt and do not prompt"). - Actual: permission prompt fires.
Repro 2 — *.md writes in normal project paths prompt (observed across multiple sessions)
Use the Edit/Write tool against <repo>/docs/<anything>.md — a path with no .claude/ segment.
- Expected: silent edit. Path is inside the project working directory; covered by
Edit(*)/Write(*); covered bybypassPermissions. - Actual: permission prompt fires.
Workaround
Bash(*) is allowed and is NOT subject to either prompt source. We've rewritten our /session-close skill to write memory files via cat > file <<'EOF' ... EOF heredoc instead of the Write tool. Eliminates the .claude/ prompts. We may need the same workaround for ordinary docs/*.md writes — at which point Edit/Write are effectively unusable for files we own, which is clearly not the intended UX.
Ask
Some combination of:
- Fix the docs to accurately describe what triggers prompts in
bypassPermissionsmode, including the*.md-in-project-path behavior if it's intentional. - Fix the implementation to honor the documented
.claude/commands/.claude/agents/.claude/skillsexemption. - Provide a documented escape hatch (e.g.
permissions.disableProtectedPathPrompts: true) so power users can opt in to full bypass.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗