bypassPermissions prompts on Edit/Write to .claude/commands/ and *.md files in normal project paths despite universal allow rules

Resolved 💬 3 comments Opened Apr 27, 2026 by ksinding Closed May 1, 2026

Summary

Running Claude Code on Windows 11 with defaultMode: bypassPermissions and universal Edit(*) / Write(*) allow rules at both user and project scope. Permission prompts still fire on:

  1. Edit/Write to paths inside .claude/commands/ — directly contradicting the permissions docs which list .claude/commands, .claude/agents, and .claude/skills as exempt from the .claude/ carve-out.
  2. Edit/Write to ordinary *.md files inside the project working directory (e.g. D:\fmt\docs\foo.md) — outside any .claude/ path and fully covered by Edit(*) / Write(*) allow rules.

A single /session-close slash command produces ~12 such prompts, severely disrupting workflow.

Environment

  • OS: Windows 11 Home (10.0.26200)
  • Shell: Git Bash (MSYS2)
  • Running inside Claude Code (Opus 4.7)

Settings (sanitized)

~/.claude/settings.json:

{
  "permissions": {
    "defaultMode": "bypassPermissions",
    "allow": ["Bash(*)", "Read(*)", "Edit(*)", "Write(*)", "Glob(*)", "Grep(*)", "..."],
    "additionalDirectories": ["C:\Users\<user>\.claude"]
  },
  "skipDangerousModePermissionPrompt": true
}

Project <repo>/.claude/settings.local.json mirrors the same defaultMode and allow list. Project <repo>/.claude/settings.json adds path-scoped Edit/Write allows for the project root and user's project memory dir.

Repro 1 — .claude/commands/ prompts despite documented exemption (directly verified)

Use the Edit tool against <repo>/.claude/commands/session-close.md.

  • Expected: silent edit per docs ("Writes to .claude/commands, .claude/agents, and .claude/skills are exempt and do not prompt").
  • Actual: permission prompt fires.

Repro 2 — *.md writes in normal project paths prompt (observed across multiple sessions)

Use the Edit/Write tool against <repo>/docs/<anything>.md — a path with no .claude/ segment.

  • Expected: silent edit. Path is inside the project working directory; covered by Edit(*) / Write(*); covered by bypassPermissions.
  • Actual: permission prompt fires.

Workaround

Bash(*) is allowed and is NOT subject to either prompt source. We've rewritten our /session-close skill to write memory files via cat > file <<'EOF' ... EOF heredoc instead of the Write tool. Eliminates the .claude/ prompts. We may need the same workaround for ordinary docs/*.md writes — at which point Edit/Write are effectively unusable for files we own, which is clearly not the intended UX.

Ask

Some combination of:

  • Fix the docs to accurately describe what triggers prompts in bypassPermissions mode, including the *.md-in-project-path behavior if it's intentional.
  • Fix the implementation to honor the documented .claude/commands / .claude/agents / .claude/skills exemption.
  • Provide a documented escape hatch (e.g. permissions.disableProtectedPathPrompts: true) so power users can opt in to full bypass.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗