Yurukusa

6 Claude Code Permission Traps I Found Answering GitHub Issues This Week

I answered 57 GitHub Issues this week about Claude Code permissions not working as expected. Here are the 6 patterns that keep tripping people up — and the hooks that fix them.

Trap 1: allow Cancels ask (17 Upvotes, 18 Comments)

{
  "permissions": {
    "allow": ["Bash(*)"],
    "ask": ["Bash(rm *)"]
  }
}

Expected: safe commands auto-approve, rm asks first.
Actual: everything auto-approves. ask is silently ignored. (#6527)

Fix: A PreToolUse hook catches what ask misses:

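#!/bin/bash
# PreToolUse hook: the tool call arrives as JSON on stdin.
COMMAND=$(cat | jq -r '.tool_input.command // empty')
# Match rm (with any -r/-f flags) aimed at a path starting with /, ~ or ../
if echo "$COMMAND" | grep -qE 'rm\s+(-[rf]+\s+)*(/|~|\.\./)'; then
    echo "BLOCKED: rm on sensitive path" >&2
    exit 2   # exit code 2 blocks the call; stderr is fed back to Claude
fi
exit 0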

Trap 2: Trailing Wildcards Don't Match Zero Arguments

{ "permissions": { "allow": ["Bash(ssh * uptime *)"] } }

ssh host uptime -s → allowed. ssh host uptime prompts. The trailing * requires at least one character. (#36873)

Fix: Use regex (\s|$) in a hook — matches "space or end of string":

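# COMMAND comes from the hook's stdin, as in Trap 1
if echo "$COMMAND" | grep -qE '^\s*ssh\s+\S+\s+uptime(\s|$)'; then
    # auto-approve: return an allow decision from the PreToolUse hook
    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}'
fi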

Trap 3: Edit/Write Rules Ignored on Windows

Edit(.claude/**) in settings.json has no effect on Windows VS Code. Bash rules work fine — Edit/Write don't. (#36884)

Fix: A PermissionRequest hook bypasses the broken matcher:

TOOL=$(cat | jq -r '.tool_name // empty')
if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
    jq -n '{"hookSpecificOutput":{"hookEventName":"PermissionRequest","permissionDecision":"allow"}}'
fi

Trap 4: Protected Directories Ignore bypassPermissions

Since v2.1.78, .git, .claude, .vscode prompt even with --dangerously-skip-permissions. Intentional but undocumented. (#35646)

Fix: Anthropic confirmed a fix is incoming.

Trap 5: /model Doesn't Update /status Immediately

/model changes the model for future API calls, but /status shows the old one. (#36835)

Fix: Send a new message after /model, or set via environment:

export ANTHROPIC_MODEL=claude-opus-4-6

Trap 6: Claude Adds Flags Your Pattern Doesn't Expect

You allow Bash(git status:*). Claude runs git -C /path status. The -C flag breaks your pattern. (#36900)

Fix: Match the optional flag in a hook:

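# COMMAND comes from the hook's stdin, as in Trap 1
if echo "$COMMAND" | grep -qE '^\s*git\s+(-C\s+\S+\s+)?(status|log|diff|branch|show)'; then
    # auto-approve: return an allow decision from the PreToolUse hook
    jq -n '{"hookSpecificOutput":{"hookEventName":"PreToolUse","permissionDecision":"allow"}}'
fi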
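
A hook that auto-approves on a prefix match, as in Traps 2 and 6, also approves whatever follows the matched prefix on the same command line. The sketch below is an added example, not code from the original post or from cc-safe-setup: it anchors both ends of the pattern and defers to the normal prompt when the command contains chaining or redirection characters. The function name, the character sets and the sample commands are assumptions.

```bash
#!/bin/bash
# Added example: pure decision logic for an auto-approve hook.
# Prints "allow" or "defer" (defer = say nothing, let the normal prompt run).

S='[[:space:]]'
W='[A-Za-z0-9_./@:=,+~^-]'   # assumed "harmless argument" character set

# Host must start with an alphanumeric so it cannot be read as an ssh option.
SSH_UPTIME="^${S}*ssh${S}+[A-Za-z0-9_][A-Za-z0-9_.@-]*${S}+uptime(${S}+-[A-Za-z]+)*${S}*\$"
# "branch" is left out on purpose: with arguments it creates or deletes branches.
GIT_READONLY="^${S}*git(${S}+-C${S}+${W}+)?${S}+(status|log|diff|show)(${S}+${W}+)*${S}*\$"

classify_command() {
    cmd=$1
    nl='
'
    # grep tests each line on its own, so multi-line input is never approved.
    case $cmd in *"$nl"*) echo defer; return 0 ;; esac
    # Characters that chain, substitute or redirect end the auto-approve path.
    if printf '%s' "$cmd" | grep -q '[;&|<>`$(){}\\]'; then
        echo defer; return 0
    fi
    # --output makes git log/diff/show write a file.
    case $cmd in *--output*) echo defer; return 0 ;; esac
    if printf '%s' "$cmd" | grep -qE "$SSH_UPTIME" ||
       printf '%s' "$cmd" | grep -qE "$GIT_READONLY"; then
        echo allow
    else
        echo defer
    fi
}

# Constructed sample commands, one per line.
while IFS= read -r sample; do
    printf '%-6s %s\n' "$(classify_command "$sample")" "$sample"
done <<'EOF'
ssh host uptime
ssh host uptime -s
ssh host uptime; echo chained
git -C /path status
git status && echo chained
git branch -D main
EOF
```

In a real hook, pass it `.tool_input.command` read from stdin and print the allow JSON only when the result is `allow`.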

Your hook returns permissionDecision: "deny" with exit code 2. For Bash commands, the tool is blocked. For Edit/Write — the file is modified anyway. (#37210)

Fix: Defense-in-depth — make the file read-only before the deny:

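INPUT=$(cat)
TOOL=$(echo "$INPUT" | jq -r '.tool_name // empty')
FILE=$(echo "$INPUT" | jq -r '.tool_input.file_path // empty')
# Placeholder policy (assumption): deny edits to .env files; replace with your own rule.
should_deny() { [[ "$1" == *.env ]]; }
if [[ "$TOOL" == "Edit" || "$TOOL" == "Write" ]]; then
    if should_deny "$FILE"; then
        # Make the file read-only first, because the deny alone does not stop the write.
        chmod 444 "$FILE" 2>/dev/null
        echo "BLOCKED: Edit denied by policy" >&2
        exit 2
    fi
fi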

The Pattern

6 out of 7 traps have the same fix: PreToolUse hooks. The permission system has edge cases. Hooks operate independently and don't have them.

npx cc-safe-setup

8 hooks. 10 seconds. Covers destructive commands, force push, .env leaks, syntax errors, and context monitoring.

GitHub


Every trap in this list came from a real GitHub Issue I responded to this week. If you've hit a permission problem not listed here, drop a comment — I'll add it.


📖 Claude Code Production Guide (¥800) — lessons from 700+ hours of autonomous operation.

Is your Claude Code setup actually safe? Run npx cc-health-check — a free 20-point diagnostic. Score below 80? The Claude Code Ops Kit fixes everything in one command.
