[headless] .claude/ directory write protection blocks autonomous skill/agent modification even with --dangerously-skip-permissions

Resolved 💬 3 comments Opened Mar 26, 2026 by jayleekr Closed Mar 29, 2026

Summary

When running Claude Code in headless mode (-p / --print), writes to any file inside .claude/ (skills, agents, CLAUDE.md) are silently blocked — even with --dangerously-skip-permissions.

Reproduction

# Setup
mkdir -p .claude/skills/test && echo '# v1' > .claude/skills/test/SKILL.md

# All of these FAIL (permission_denials in JSON output):
claude -p 'Edit .claude/skills/test/SKILL.md — change v1 to v2' \
  --allowedTools 'Read,Write,Edit' --dangerously-skip-permissions --output-format json

claude -p 'Run: sed -i "" "s/v1/v2/" .claude/skills/test/SKILL.md' \
  --allowedTools 'Bash' --dangerously-skip-permissions --output-format json

# This SUCCEEDS (file outside .claude/):
claude -p 'Write "hello" to /tmp/test.txt' \
  --allowedTools 'Write' --dangerously-skip-permissions --output-format json

Environment

  • Claude Code v2.1.84
  • macOS 14.6 (arm64)
  • Auth: OAuth (claude.ai login)
  • Global settings include Write(.claude/**) and Edit(.claude/**) in permissions.allow

Impact

This prevents autonomous issue-solver crons from modifying their own skill definitions or agent configs. The only workaround is maintaining shadow copies outside .claude/ and using cp to sync — fragile and error-prone.

Expected behavior

--dangerously-skip-permissions should bypass ALL permission checks including .claude/ protection, or there should be a documented flag to opt into full .claude/ write access for headless/automation use cases.

Additional context

  • --bare mode doesn't help (same protection applies)
  • git worktrees don't help (same protection in new worktree)
  • --bare also skips OAuth/keychain which makes it unusable for OAuth-only setups
  • Tested with Write, Edit, and Bash(sed) tools — all blocked

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗