When Claude Code runs in non-interactive/headless mode (-p flag with --output-format text or --output-format json), path-restricted patterns in --allowedTools and .claude/settings.json are silently ignored.
- --allowedTools 'Write' — works (bare tool name)
- --allowedTools 'Write(apps/blog/**)' — does not work (permission denied)
- --allowedTools 'Write(//workspace/repo/apps/**)' — does not work (absolute path)
- .claude/settings.json with Write(apps/**) — does not work

Bash patterns (e.g. Bash(git commit *)) work correctly in headless mode. The bug is specific to file-based tools (Write, Edit).
From inside a K8s pod running kpericak/ai-agent-runtime:0.2:
# This FAILS — path pattern ignored
claude -p 'Write hello to test.md' \
  --output-format json \
  --allowedTools 'Write(apps/**)' \
  --max-turns 3

# This WORKS — bare tool name
claude -p 'Write hello to test.md' \
  --output-format json \
  --allowedTools 'Write' \
  --max-turns 3
Confirmed on Claude Code version 2.1.76 (March 2026).
Use bare tool names in --allowedTools:
allowedTools: >-
  Read,Glob,Grep,Write,
  Bash(git commit *),Bash(date *),
  mcp__discord__send_message
This grants unrestricted Write access to the agent, which is a known trade-off.
Without path-restricted Write, agents can write to any file in the workspace. Mitigations:
- Bash(git add apps/blog/*) limits which files can be staged

Monitor anthropics/claude-code#6194. When the fix ships, update daily-ai-news.yaml to use Write(apps/blog/blog/markdown/wiki/journal/**) instead of bare Write.
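A post-run check that complements the staging restriction above, as an added example that is not part of the original page: it lists every file the headless run changed or created and fails if any lies outside the intended tree. The function names and the `ALLOWED_PREFIX` default are assumptions, and it presumes the workspace is a git checkout and the script runs from the repository root.

```shell
#!/usr/bin/env bash
# Added example: post-run guard for a headless run that was given bare Write.
# ALLOWED_PREFIX is an assumption (the tree the page wants Write limited to).
ALLOWED_PREFIX="${ALLOWED_PREFIX:-apps/blog/}"

# Reads repo-relative paths on stdin, one per line. Prints each path that is
# outside the prefix (or absolute, or contains a ".." component) and returns 1
# if any were printed, 0 otherwise.
paths_outside_allowed() {
  local prefix="$1" path rc=0
  while IFS= read -r path || [ -n "$path" ]; do
    [ -z "$path" ] && continue
    case "$path" in
      /*|../*|*/../*|*/..) printf '%s\n' "$path"; rc=1 ;;  # absolute or traversal
      "$prefix"*) ;;                                       # inside the allowed tree
      *) printf '%s\n' "$path"; rc=1 ;;                    # anywhere else
    esac
  done
  return "$rc"
}

# Lists every file the run modified, deleted, staged or created (untracked).
# quotePath=false keeps non-ASCII file names literal instead of escaped.
changed_paths() {
  {
    git -c core.quotePath=false diff --name-only HEAD
    git -c core.quotePath=false ls-files --others --exclude-standard
  } | sort -u
}

# Call after `claude -p ...` and before any `git add` / `git commit` step.
# Returns 1 and reports the offending paths if the run left the allowed tree.
guard_workspace() {
  local bad
  if ! bad="$(changed_paths | paths_outside_allowed "$ALLOWED_PREFIX")"; then
    printf 'agent touched files outside %s:\n%s\n' "$ALLOWED_PREFIX" "$bad" >&2
    return 1
  fi
}
```

Files matched by .gitignore are not reported because of `--exclude-standard`; drop that flag if ignored paths in the workspace also need to be covered.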