Summary
When editing certain files, Claude Code prompts the user with a dangerous-file confirmation dialog, blocking the input pipeline and preventing heartbeat delivery (causing a liveness timeout).
Root Cause
~/.claude/settings.json is missing the skipDangerousModePermissionPrompt: true key.
The zylos runtime adapter (claude.js) writes this flag during launch() → _ensureOnboardingComplete(). However, if settings.json is later overwritten by other operations (e.g., hooks updates, update-config skill), this key gets lost.
When a session rotates via /clear (which does not call launch() again), the flag is not re-applied, leaving the user exposed to the confirmation prompt.
Why newer Claude versions are more affected
Newer Claude Code versions added additional confirmation layers for certain scenarios (e.g., the Write tool writing to files that haven't been read). The --dangerously-skip-permissions CLI flag no longer fully bypasses these prompts.
Additional finding: .claude/ directory has hardcoded protection
howard.zhou reports: Even with skipDangerousModePermissionPrompt: true set, modifying files inside ~/.claude/ still triggers a user authorization prompt after Claude Code restart. This suggests Claude Code has a separate, hardcoded write-protection layer for its own config directory that is not controlled by this flag.
This means:
skipDangerousModePermissionPrompt only covers "dangerous mode" prompts for general files.claude/ directory writes (e.g., hooks, settings, skills) require a different bypass mechanism- May need to use
settings.json permissions allowlist or a different authorization approach to pre-authorize .claude/ directory writes
Impact
- The confirmation dialog blocks the input box
- Heartbeat commands cannot be delivered while the dialog is active
- This triggers a false liveness timeout → recovery loop → potential restart
Expected Fix
- Resilient write: When any code path modifies
settings.json, it should preserve existing keys (merge, not overwrite)
- Session-level guard: Check for
skipDangerousModePermissionPrompt not only at launch() but also at session start (e.g., after /clear)
.claude/ directory pre-authorization: Find and apply the correct mechanism to allow writes to ~/.claude/ without prompts (may require permissions allowlist in settings.json)- Defensive read-back: After writing
settings.json, verify the key is still present
Workaround
Manually add "skipDangerousModePermissionPrompt": true to ~/.claude/settings.json. This resolves some but not all prompt scenarios (.claude/ directory writes still prompt).
Summary
When editing certain files, Claude Code prompts the user with a dangerous-file confirmation dialog, blocking the input pipeline and preventing heartbeat delivery (causing a liveness timeout).
Root Cause
~/.claude/settings.jsonis missing theskipDangerousModePermissionPrompt: truekey.The zylos runtime adapter (
claude.js) writes this flag duringlaunch()→_ensureOnboardingComplete(). However, ifsettings.jsonis later overwritten by other operations (e.g., hooks updates,update-configskill), this key gets lost.When a session rotates via
/clear(which does not calllaunch()again), the flag is not re-applied, leaving the user exposed to the confirmation prompt.Why newer Claude versions are more affected
Newer Claude Code versions added additional confirmation layers for certain scenarios (e.g., the
Writetool writing to files that haven't been read). The--dangerously-skip-permissionsCLI flag no longer fully bypasses these prompts.Additional finding:
.claude/directory has hardcoded protectionhoward.zhou reports: Even with
skipDangerousModePermissionPrompt: trueset, modifying files inside~/.claude/still triggers a user authorization prompt after Claude Code restart. This suggests Claude Code has a separate, hardcoded write-protection layer for its own config directory that is not controlled by this flag.This means:
skipDangerousModePermissionPromptonly covers "dangerous mode" prompts for general files.claude/directory writes (e.g., hooks, settings, skills) require a different bypass mechanismsettings.jsonpermissionsallowlist or a different authorization approach to pre-authorize.claude/directory writesImpact
Expected Fix
settings.json, it should preserve existing keys (merge, not overwrite)skipDangerousModePermissionPromptnot only atlaunch()but also at session start (e.g., after/clear).claude/directory pre-authorization: Find and apply the correct mechanism to allow writes to~/.claude/without prompts (may requirepermissionsallowlist in settings.json)settings.json, verify the key is still presentWorkaround
Manually add
"skipDangerousModePermissionPrompt": trueto~/.claude/settings.json. This resolves some but not all prompt scenarios (.claude/directory writes still prompt).