Allow opting out of .claude/ write protection in bypassPermissions mode
Problem
When running persistent autonomous agents (via launchd/tmux with Telegram hooks for permission routing), the hardcoded .claude/ directory write protection creates unnecessary friction. Even with bypassPermissions enabled and PermissionRequest hooks routing approvals to Telegram, agents still can't write to .claude/settings.json without a blocking prompt.
Use Case
Multi-agent orchestration systems where agents need to update their own cron schedules, hook configs, or skill files at runtime. In my setup, I run multiple Claude Code agents 24/7 managed by launchd, with all permission requests routed to Telegram via hooks. The .claude/ protection means every settings change blocks the agent until I manually tap approve on my phone - even though I've already opted into full autonomy via bypassPermissions.
Current Workaround
Route permission prompts to Telegram via PermissionRequest hooks, but this still blocks the agent until the human taps approve. Not ideal for overnight autonomous work.
Proposal
Add a flag or setting to explicitly opt out of .claude/ protection for users who accept the risk. For example:
{
"dangerouslyAllowSettingsWrites": true
}
Or alternatively, allow specific paths within .claude/ to be whitelisted in the existing permissions system.
Note: .claude/commands, .claude/agents, and .claude/skills are already exempt from the protection - extending this to .claude/settings.json with an explicit opt-in flag would be consistent with that pattern.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗