Issue Station
Sign In
Tools hereToolbox

claude-code - 💡(How to fix) Fix PermissionRequest hook does not override .claude/** sensitive-path prompt on macOS 2.1.119 [2 comments, 2 participants]

Official PRs (…)
ON THIS PAGE

Recommended Tools

×6

Utilities matched from this issue’s tags and category — try them while you read without losing context.

GitHub issue graph ai analysis

Paste a GitHub issue URL. We fetch that issue, discover linked issues from bodies/comments/timeline, collect linked pull requests, and produce a structured English report.

The report is written in English Markdown for sharing and archival.

Helpful · Quick feedback

Loading…
GitHub stats
anthropics/claude-code#52834Fetched 2026-04-25 06:19:39
View on GitHub
Comments
2
Participants
2
Timeline
15
Reactions
2
Author
julish13julish13
Participants
julish13julish13markshustmarkshust
Timeline (top)
labeled ×5mentioned ×4subscribed ×4commented ×2

On macOS with Claude Code CLI 2.1.119, the PermissionRequest hook workaround suggested in #37029 (auto-approve writes to .claude/** to bypass the hardcoded sensitive-path check) does not work. The prompt still fires even when the hook is registered and its script returns a valid permissionDecision: "allow" payload. This matches the Windows report by @keenanwh but confirms the limitation extends to macOS.

Filing as a new issue because #35718 is closed+locked, and #37029 primarily covers ~/.claude/settings.json — this report adds project-level .claude/** scope and macOS empirical data.

Root Cause

Filing as a new issue because #35718 is closed+locked, and #37029 primarily covers ~/.claude/settings.json — this report adds project-level .claude/** scope and macOS empirical data.

Fix Action

Fix / Workaround

On macOS with Claude Code CLI 2.1.119, the PermissionRequest hook workaround suggested in #37029 (auto-approve writes to .claude/** to bypass the hardcoded sensitive-path check) does not work. The prompt still fires even when the hook is registered and its script returns a valid permissionDecision: "allow" payload. This matches the Windows report by @keenanwh but confirms the limitation extends to macOS.

  1. Asked the agent to Write a file at <project>/.claude/.workaround-test.md.

  2. Expected: silent write (hook auto-approves the .claude/** path). Actual: prompt fires:

    Do you want to create .workaround-test.md?

    1. Yes
    2. Yes, and allow Claude to edit its own settings for this session
    3. No

Code Example

#!/usr/bin/env bash
   set -euo pipefail
   INPUT="$(cat)"
   FILE="$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null || true)"
   case "$FILE" in
     */.claude/*)
       printf '%s\n' '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","permissionDecision":"allow","permissionDecisionReason":"Auto-approved .claude/ write"}}'
       ;;
   esac
   exit 0

---

$ echo '{"tool_input":{"file_path":"/path/.claude/skills/foo/SKILL.md"}}' \
       | ~/bin/claude-allow-dotclaude.sh
   {"hookSpecificOutput":{"hookEventName":"PermissionRequest","permissionDecision":"allow","permissionDecisionReason":"Auto-approved .claude/ write"}}

---

{
     "permissions": { "...": "..." },
     "hooks": {
       "PermissionRequest": [{
         "matcher": "Edit|Write",
         "hooks": [{"type": "command", "command": "bash ~/bin/claude-allow-dotclaude.sh"}]
       }]
     }
   }
RAW_BUFFERClick to expand / collapse

Summary

On macOS with Claude Code CLI 2.1.119, the PermissionRequest hook workaround suggested in #37029 (auto-approve writes to .claude/** to bypass the hardcoded sensitive-path check) does not work. The prompt still fires even when the hook is registered and its script returns a valid permissionDecision: "allow" payload. This matches the Windows report by @keenanwh but confirms the limitation extends to macOS.

Filing as a new issue because #35718 is closed+locked, and #37029 primarily covers ~/.claude/settings.json — this report adds project-level .claude/** scope and macOS empirical data.

Environment

  • OS: macOS 26.2 (Darwin 25.2.0)
  • Claude Code CLI: 2.1.119 (native installer, not Desktop app)
  • Launch: claude --dangerously-skip-permissions (with --mcp-config pointing at a user-level MCP config; MCP is unrelated to this bug)
  • User settings: ~/.claude/settings.json has skipDangerousModePermissionPrompt: true
  • Project settings: <project>/.claude/settings.local.json (gitignored) with the hook below

Reproduction

  1. Created ~/bin/claude-allow-dotclaude.sh (chmod +x, tested standalone):

    #!/usr/bin/env bash
set -euo pipefail
INPUT="$(cat)"
FILE="$(printf '%s' "$INPUT" | jq -r '.tool_input.file_path // empty' 2>/dev/null || true)"
case "$FILE" in
  */.claude/*)
    printf '%s\n' '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","permissionDecision":"allow","permissionDecisionReason":"Auto-approved .claude/ write"}}'
    ;;
esac
exit 0

  2. Dry-run of the script confirms it emits the expected payload on matching paths:

    $ echo '{"tool_input":{"file_path":"/path/.claude/skills/foo/SKILL.md"}}' \
    | ~/bin/claude-allow-dotclaude.sh
{"hookSpecificOutput":{"hookEventName":"PermissionRequest","permissionDecision":"allow","permissionDecisionReason":"Auto-approved .claude/ write"}}

  3. Registered in <project>/.claude/settings.local.json:

    {
  "permissions": { "...": "..." },
  "hooks": {
    "PermissionRequest": [{
      "matcher": "Edit|Write",
      "hooks": [{"type": "command", "command": "bash ~/bin/claude-allow-dotclaude.sh"}]
    }]
  }
}

  4. Fully restarted the Claude Code session (not /resume — fresh launch).

  5. Asked the agent to Write a file at <project>/.claude/.workaround-test.md.

  6. Expected: silent write (hook auto-approves the .claude/** path). Actual: prompt fires:

    Do you want to create .workaround-test.md?

    1. Yes
    2. Yes, and allow Claude to edit its own settings for this session
    3. No

Impact

Bulk .claude/skills/*/SKILL.md refactors (our concrete case: touching 25+ skill files in one task via an automated skill-improvement flow) require ~15–20 manual approvals even with --dangerously-skip-permissions active. Option 2 ("allow all edits in <dir>/ during this session") does NOT persist across sibling skill dirs — each new .claude/skills/<name>/ re-prompts. This makes autonomous agent workflows on .claude/** impractical.

Additional context

  • Same class of issue as #37029 (open, ~/.claude/settings.json scope) and #35718 (closed+locked, 2026-04-02).
  • @yurukusa's workaround in #37029 comment suggests PermissionRequest hooks override the check "because they fire after the built-in protection check." This empirically does not hold on macOS 2.1.119.
  • @keenanwh reported the same failure on Windows in #37029 comment. Combined, this strongly suggests the hook-based workaround is broken on all platforms for current CLI versions.
  • Downgrade to 2.1.77 is reported working (per @markshust, @ahnbu in #35718), but loses 40+ versions of improvements and requires disabling the auto-updater.

Requested fix (any of the following would unblock)

  • --trust-project-config CLI flag — scoped to the current worktree, lets the user opt into .claude/** self-edit for a specific session.
  • Project settings opt-in"allowSelfEdits": true in project .claude/settings.local.json (requires one manual edit to turn on, then persists).
  • Make PermissionRequest hooks actually override the sensitive-path check — matching the behavior implied by the hook docs and the workaround threads on #37029.

extent analysis

TL;DR

The PermissionRequest hook workaround does not work on macOS with Claude Code CLI 2.1.119, and a fix or alternative solution is needed to bypass the sensitive-path check for .claude/** writes.

Guidance

  • Verify that the hook script is correctly registered and configured in the project's .claude/settings.local.json file.
  • Test the hook script independently to ensure it produces the expected payload for .claude/** paths.
  • Consider downgrading to version 2.1.77 as a temporary workaround, although this will mean losing 40+ versions of improvements.
  • Explore alternative solutions, such as requesting a new CLI flag (--trust-project-config) or a project settings opt-in ("allowSelfEdits": true) to enable .claude/** self-edits.

Example

No code snippet is provided as the issue is more related to configuration and workflow rather than a specific code problem.

Notes

The current workaround using PermissionRequest hooks does not work on macOS (or Windows) with the current CLI version, and the suggested fixes or alternatives are needed to resolve the issue.

Recommendation

Apply a workaround, such as downgrading to version 2.1.77, until a proper fix is available, as the current PermissionRequest hook workaround is not functional on macOS with Claude Code CLI 2.1.119.

Vote matrix · Quick signals

Works
Did the solution work? Tap to confirm.
Easy Fix
Was it a quick fix?
Time Saver
Did it save you time?
Blocking
Was it severely blocking?
Common Issue
Are others likely hitting this too?
Flaky / Intermittent
Is it intermittent?
Verified / Reproducible
Can you reproduce it reliably?
Loading…
#mixed precision#training loop#device allocation#model download#tokenizer error

Still need to ship something?

×6

Another batch ranked right after the header list — different links, same matching logic.

Back to top recommendations

TRENDING

claude-code - 💡(How to fix) Fix PermissionRequest hook does not override .claude/** sensitive-path prompt on macOS 2.1.119 [2 comments, 2 participants]