"How to Fix Claude Code's Broken Permissions (With Hooks)"

Claude Code's permission system has a problem. If you've ever set up careful allow/deny rules in settings.json and still gotten prompted for commands that should match -you're not alone. Issue #30519 documents the core problems: Wildcards don't match compound commands. Bash(git:*) doesn't match git add file && git commit -m "message" . Claude generates compound commands constantly. "Always Allow" saves dead rules. Click "Always Allow" on git commit -m "fix typo" and it saves that exact string. Never matches again. User-level settings don't apply at project level. Rules in ~/.claude/settings.json show up in /permissions but don't match. Deny rules have the same bugs. Multiline commands bypass deny rules too. There are 30+ open issues about permission matching. The community is building workarounds. Here's the one that works: move enforcement from permissions to hooks. The Core Insight Permissions are a request to the system. Hooks are enforcement. A PreToolUse hook runs before every too