bug(agent-claude-code): workspace trust dialog blocks worker sessions in fresh worktrees (Claude Code 2.1.x) #2119

@rjsoux

Environment

  • AO: 0.9.5 (latest stable on npm)
  • Agent plugin: claude-code
  • Claude Code CLI: 2.1.173
  • Runtime: tmux 3.6b
  • OS: macOS (arm64)

Problem

When AO spawns a claude-code session in a fresh git worktree, Claude Code 2.1.x shows the interactive workspace trust dialog ("Quick safety check: Is this a project you created or one you trust? → 1. Yes, I trust this folder / 2. No, exit") and the session blocks indefinitely waiting for keyboard input. Because AO creates a new worktree per session, every orchestrator and worker session hits this on first launch and never starts working.

agentConfig.permissions: permissionless (which makes AO pass --dangerously-skip-permissions) does not bypass this dialog. In Claude Code 2.1.x the workspace trust dialog is a separate gate from permission checks — --dangerously-skip-permissions only skips permission prompts, not the trust dialog.

There is also a related second gate: the one-time global "Bypass Permissions mode" disclaimer ("WARNING: Claude Code running in Bypass Permissions mode … 1. No, exit / 2. Yes, I accept"), which blocks the same way until it has been accepted once interactively.

Reproduction

  1. AO 0.9.5, agent claude-code, Claude Code 2.1.173, runtime tmux, on a host where the workspace was never trusted before.
  2. ao start <project> (or ao spawn <issue>).
  3. Capture the session's tmux pane → it is stuck on the trust dialog and the agent makes no progress.

Root cause

Trust is persisted per-directory in ~/.claude.json under projects["<abs-path>"].hasTrustDialogAccepted. Fresh worktree paths are never pre-trusted, and --dangerously-skip-permissions does not cover the trust gate in 2.1.x. I confirmed against the installed 2.1.173 binary that there is no global env var or settings key to disable the workspace trust dialog — only the per-directory hasTrustDialogAccepted flag.

Current workaround

A postCreate hook that pre-seeds the worktree path as trusted in ~/.claude.json before Claude launches (atomic write + lock, so it is safe across parallel spawns):

postCreate:
  - node /path/to/pre-trust.mjs   # sets projects["$PWD"].hasTrustDialogAccepted = true

Plus a one-time interactive claude --dangerously-skip-permissions (accept "Yes") to clear the global Bypass Permissions disclaimer.

With both in place, worker sessions start unattended and the normal flow (worktree → commit → PR → CI) works.

Suggested fix

When AO launches a claude-code session in a worktree with permissions: permissionless (or auto-edit), AO could pre-seed hasTrustDialogAccepted: true for that worktree path in ~/.claude.json (atomic, lock-guarded for parallel spawns), and similarly handle the one-time bypass-mode disclaimer. That would let unattended worker sessions start on Claude Code 2.1.x without manual intervention.

Happy to share the workaround script if useful.
