Allow opting out of .claude/ write protection in bypassPermissions mode

Resolved 💬 4 comments Opened Mar 26, 2026 by grandamenium Closed Apr 30, 2026

Problem

When running persistent autonomous agents (via launchd/tmux with Telegram hooks for permission routing), the hardcoded .claude/ directory write protection creates unnecessary friction. Even with bypassPermissions enabled and PermissionRequest hooks routing approvals to Telegram, agents still can't write to .claude/settings.json without a blocking prompt.

Use Case

Multi-agent orchestration systems where agents need to update their own cron schedules, hook configs, or skill files at runtime. In my setup, I run multiple Claude Code agents 24/7 managed by launchd, with all permission requests routed to Telegram via hooks. The .claude/ protection means every settings change blocks the agent until I manually tap approve on my phone - even though I've already opted into full autonomy via bypassPermissions.

Current Workaround

Route permission prompts to Telegram via PermissionRequest hooks, but this still blocks the agent until the human taps approve. Not ideal for overnight autonomous work.

Proposal

Add a flag or setting to explicitly opt out of .claude/ protection for users who accept the risk. For example:

{
  "dangerouslyAllowSettingsWrites": true
}

Or alternatively, allow specific paths within .claude/ to be whitelisted in the existing permissions system.

Note: .claude/commands, .claude/agents, and .claude/skills are already exempt from the protection - extending this to .claude/settings.json with an explicit opt-in flag would be consistent with that pattern.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗