`--permission-mode dontAsk` denies Write/Edit regardless of --allowedTools/permissions.allow, with no working scoped-write option for headless agents

Open 💬 2 comments Opened Jul 5, 2026 by Bronek

Summary

Under --permission-mode dontAsk, Write/Edit are unconditionally denied regardless of any --allowedTools/permissions.allow rule scoping them to specific paths. This contradicts dontAsk's documented behavior (auto-approve allowlisted tools, auto-deny the rest) and leaves no discoverable flag combination to grant scoped Write access in a headless (-p) invocation.

Environment

Claude Code CLI v2.1.193, Linux.

Repro

mkdir -p /tmp/repro && cd /tmp/repro
claude -p "Write the exact text 'hello' to a file named test.txt using the Write tool." \
  --permission-mode dontAsk --max-turns 5 --output-format json \
  --allowedTools "Write(test.txt)"

Expected: test.txt created, since Write(test.txt) is explicitly allowlisted.
Actual: denied. Model's own explanation: "Claude Code is running in 'don't ask' mode, which blocks the Write tool." Confirmed via permission_denials in the JSON output.

Also tried — both fail identically

  1. Settings-file permissions.allow instead of CLI --allowedTools:

--permission-mode dontAsk --settings '{"permissions":{"allow":["Write(test.txt)"]}}'

  1. Default mode (no --permission-mode) + --allowedTools "Write(test.txt)"

The only mode that works — but changes the security model

--permission-mode acceptEdits does let Write succeed — but it also auto-runs arbitrary Bash with zero --allowedTools configured (echo pwned > pwned.txt ran with no allowlist at all). --disallowedTools deny rules still work under it. So acceptEdits flips the model from "closed unless allowlisted" to "open unless denylisted" — a much harder security posture to get right for a locked-down unattended agent (enumerate every dangerous op, instead of allowlisting the few safe ones).

Why this matters

There's currently no mode giving "default-deny Bash + scoped Write access" simultaneously for headless agents. Either clarify the docs/denial message (dontAsk never permits Write/Edit regardless of any allow rule — say so directly), or make --allowedTools/permissions.allow actually honor scoped Write/Edit under dontAsk, matching existing Bash behavior.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗