`--permission-mode dontAsk` denies Write/Edit regardless of --allowedTools/permissions.allow, with no working scoped-write option for headless agents
Summary
Under --permission-mode dontAsk, Write/Edit are unconditionally denied regardless of any --allowedTools/permissions.allow rule scoping them to specific paths. This contradicts dontAsk's documented behavior (auto-approve allowlisted tools, auto-deny the rest) and leaves no discoverable flag combination to grant scoped Write access in a headless (-p) invocation.
Environment
Claude Code CLI v2.1.193, Linux.
Repro
mkdir -p /tmp/repro && cd /tmp/repro
claude -p "Write the exact text 'hello' to a file named test.txt using the Write tool." \
--permission-mode dontAsk --max-turns 5 --output-format json \
--allowedTools "Write(test.txt)"
Expected: test.txt created, since Write(test.txt) is explicitly allowlisted.
Actual: denied. Model's own explanation: "Claude Code is running in 'don't ask' mode, which blocks the Write tool." Confirmed via permission_denials in the JSON output.
Also tried — both fail identically
- Settings-file
permissions.allowinstead of CLI--allowedTools:
--permission-mode dontAsk --settings '{"permissions":{"allow":["Write(test.txt)"]}}'
- Default mode (no
--permission-mode) +--allowedTools "Write(test.txt)"
The only mode that works — but changes the security model
--permission-mode acceptEdits does let Write succeed — but it also auto-runs arbitrary Bash with zero --allowedTools configured (echo pwned > pwned.txt ran with no allowlist at all). --disallowedTools deny rules still work under it. So acceptEdits flips the model from "closed unless allowlisted" to "open unless denylisted" — a much harder security posture to get right for a locked-down unattended agent (enumerate every dangerous op, instead of allowlisting the few safe ones).
Why this matters
There's currently no mode giving "default-deny Bash + scoped Write access" simultaneously for headless agents. Either clarify the docs/denial message (dontAsk never permits Write/Edit regardless of any allow rule — say so directly), or make --allowedTools/permissions.allow actually honor scoped Write/Edit under dontAsk, matching existing Bash behavior.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗