[BUG] SessionStart hook Bash command runs without permission prompt in CLI, but prompts in VS Code extension
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
A SessionStart hook configured in ~/.claude/settings.json runs a bash <script> command that is not present in any permissions.allow list, with permissions.defaultMode set to "default".
Per the Permissions docs ("Extend permissions with hooks"), hook-invoked commands are expected to go through the same permission system as any other Bash command — hook decisions don't bypass permission rules.
Observed behavior
- VS Code extension: On the user's first message, a permission prompt appears asking to approve the hook's Bash command. This matches documented behavior.
- Terminal CLI: The same hook, same
settings.json, same repo — the command runs silently with no permission prompt at all.
Environment
- Claude Code CLI version:
2.1.195 - Also tested with VS Code extension (Claude Code plugin)
permissions.defaultMode:"default"- Hook command:
bash $HOME/.claude/my-session-hook.sh(not present inpermissions.allow)
Hook config (~/.claude/settings.json)
"hooks": {
"SessionStart": [
{
"hooks": [
{ "type": "command", "command": "bash $HOME/.claude/my-session-hook.sh" }
]
}
]
}
What Should Happen?
Consistent permission handling across both surfaces — either both prompt, or there's a documented reason (and ideally a settings.json field) explaining why the CLI treats SessionStart hooks as pre-approved while the extension doesn't.
Error Messages/Logs
Steps to Reproduce
- Add the above
SessionStarthook to~/.claude/settings.json, withpermissions.defaultMode: "default"and no matchingallowrule. - Start a new session via the CLI (
claude) in a repo — no permission prompt appears; the hook runs. - Start a new session via the VS Code extension in the same repo — sending the first message triggers a permission prompt for the hook's Bash command.
Claude Model
None
Is this a regression?
No, this never worked
Last Working Version
_No response_
Claude Code Version
2.1.195
Platform
macOS native app, CLI
Operating System
macOS
Terminal/Shell
Terminal.app/iTerm
Additional Information
Possibly related: #65056 describes a similar pattern — Bash commands (python3 script.py) executing without a permission prompt when no matching allow rule exists, in sandboxed mode. The trigger is different (that one is a direct model-invoked tool call; this one is a hook-invoked command), but both point at permission checks being silently skipped for certain Bash invocation paths on the CLI.