[headless] .claude/ directory write protection blocks autonomous skill/agent modification even with --dangerously-skip-permissions
Resolved 💬 3 comments Opened Mar 26, 2026 by jayleekr Closed Mar 29, 2026
Summary
When running Claude Code in headless mode (-p / --print), writes to any file inside .claude/ (skills, agents, CLAUDE.md) are silently blocked — even with --dangerously-skip-permissions.
Reproduction
# Setup
mkdir -p .claude/skills/test && echo '# v1' > .claude/skills/test/SKILL.md
# All of these FAIL (permission_denials in JSON output):
claude -p 'Edit .claude/skills/test/SKILL.md — change v1 to v2' \
--allowedTools 'Read,Write,Edit' --dangerously-skip-permissions --output-format json
claude -p 'Run: sed -i "" "s/v1/v2/" .claude/skills/test/SKILL.md' \
--allowedTools 'Bash' --dangerously-skip-permissions --output-format json
# This SUCCEEDS (file outside .claude/):
claude -p 'Write "hello" to /tmp/test.txt' \
--allowedTools 'Write' --dangerously-skip-permissions --output-format json
Environment
- Claude Code v2.1.84
- macOS 14.6 (arm64)
- Auth: OAuth (claude.ai login)
- Global settings include
Write(.claude/**)andEdit(.claude/**)in permissions.allow
Impact
This prevents autonomous issue-solver crons from modifying their own skill definitions or agent configs. The only workaround is maintaining shadow copies outside .claude/ and using cp to sync — fragile and error-prone.
Expected behavior
--dangerously-skip-permissions should bypass ALL permission checks including .claude/ protection, or there should be a documented flag to opt into full .claude/ write access for headless/automation use cases.
Additional context
--baremode doesn't help (same protection applies)- git worktrees don't help (same protection in new worktree)
--barealso skips OAuth/keychain which makes it unusable for OAuth-only setups- Tested with Write, Edit, and Bash(sed) tools — all blocked
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗