D2.5 and D3.4 governed permission inside an interactive session. This chapter takes the same agent out of the terminal and into a pipeline. The mechanics change — there is no one at the keyboard to approve a tool or answer a question — so a headless run has to decide its output shape and its permission surface up front. The payoff is that Claude Code becomes a scriptable, gated CI citizen.

Do I know this already? Diagnostic

Answer these confidently and you can skim ahead to Exam essentials; if any is shaky, read closely — each is developed below.

What does --bare skip, and why does omitting it make a headless run non-reproducible?
Which --output-format gives you total_cost_usd and session_id as parseable fields?
With no human at the keyboard, which permission mode is the documented floor for a locked-down CI run, and what does it deny?
What is a CI step actually gating on when it passes or fails a claude -p run? Name two conditions that make the run exit non-zero.
In GitHub Actions v1.0, how do you pass --bare or --allowedTools through to the underlying claude -p?

Check your answers

--bare skips auto-discovery of hooks, skills, plugins, MCP servers, auto memory, and CLAUDE.md; without it the run loads whatever the host machine has, so the same command behaves differently on different runners.
--output-format json — a single payload with result, session_id, and total_cost_usd (plus a per-model cost breakdown).
--permission-mode dontAsk — it denies anything not in permissions.allow or the read-only command set.
The run’s process exit code (0 passes, non-zero fails); hitting --max-turns and piping stdin over the 10 MB cap both exit non-zero.
Through the claude_args passthrough input — v1.0 keeps prompt for instructions and routes all CLI flags via claude_args.

The headless invocation

The entry point for everything in this chapter is one flag: “claude -p "<query>" is the canonical non-interactive invocation; the CLI exits after responding. All standard CLI options work with -p.” [Official] Run Claude Code programmatically · AnthropicT1-official original That single command runs the full agent loop and returns — no prompt, no session UI.

For CI you almost always pair it with --bare: “Add --bare to reduce startup time by skipping auto-discovery of hooks, skills, plugins, MCP servers, auto memory, and CLAUDE.md. Without it, claude -p loads the same context an interactive session would, including anything configured in the working directory or ~/.claude. Bare mode is useful for CI and scripts where you need the same result on every machine.” [Official] Run Claude Code programmatically · AnthropicT1-official original It is the recommended mode for scripted calls and is slated to become the default for -p in a future release. [Official] Run Claude Code programmatically · AnthropicT1-official original

Output formats

A headless run can emit one of three shapes, selected with --output-format: text (default), json (a single payload with result, session_id, and total_cost_usd), and stream-json (newline-delimited events). [Official] Run Claude Code programmatically · AnthropicT1-official original The json form is what makes a run scriptable: “With --output-format json, the response payload includes total_cost_usd and a per-model cost breakdown, so scripted callers can track spend per invocation without consulting the usage dashboard.” [Official] Run Claude Code programmatically · AnthropicT1-official original

Structured output with `--json-schema`

When a downstream step needs a specific shape rather than prose, constrain the output to a schema: “To get output conforming to a specific schema, use --output-format json with --json-schema and a JSON Schema definition. The response includes metadata about the request (session ID, usage, etc.) with the structured output in the structured_output field.” [Official] Run Claude Code programmatically · AnthropicT1-official original The flag is --json-schema '<schema>'; the CLI reference describes it as producing “validated JSON output matching a JSON Schema after agent completes its workflow (print mode only).” [Official] CLI reference · AnthropicT1-official original

A minimal schema looks like this (illustration only — the shape is yours to define):

claude -p "Classify this PR's risk" \
  --output-format json \
  --json-schema '{"type":"object","properties":{"severity":{"type":"string"}},"required":["severity"]}'

The schema-conforming result then arrives in structured_output, alongside the usual session_id and usage metadata.

Permission gates for a run with no human

The defining constraint of CI is that no one is there to approve a tool call, so the permission surface must be settled before the run starts. The locked-down mode from D3.4 is built for exactly this: --permission-mode dontAsk “denies anything not in permissions.allow or the read-only command set,” which the docs call out as useful for locked-down CI runs. [Official] Run Claude Code programmatically · AnthropicT1-official original Pair it with an allowlist: --allowedTools "Bash(git diff *),Read" auto-approves specific tools and supports prefix matching. [Official] Run Claude Code programmatically · AnthropicT1-official original

Two more knobs bound a run: --max-turns N “limits agentic turns and exits with error when reached,” and --max-budget-usd <N> caps dollar spend — both print-mode-only. [Official] CLI reference · AnthropicT1-official original At the far end, --permission-mode bypassPermissions (alias --dangerously-skip-permissions) skips prompts entirely [Official] Run Claude Code programmatically · AnthropicT1-official original — appropriate only inside an isolated container, never as a convenience.

Exit codes: what CI actually gates on

Output format decides what a run prints; the exit code decides whether the pipeline step passes. A CI step’s pass/fail is the exit status of the process it ran — so a headless claude -p that runs the full loop and “exits after responding” [Official] Run Claude Code programmatically · AnthropicT1-official original hands its exit code straight to the runner, and 0 means the step succeeds while non-zero fails it. The docs name concrete non-zero triggers you can rely on: --max-turns N “limits agentic turns and exits with error when reached,” [Official] CLI reference · AnthropicT1-official original and an over-cap stdin (10 MB) “returns a clear error and non-zero exit.” [Official] Run Claude Code programmatically · AnthropicT1-official original

The same mechanism gives you a clean pre-flight gate: claude auth status “exits 0 if logged in, 1 if not — useful as a CI gate before the agent step.” [Official] Run Claude Code programmatically · AnthropicT1-official original Run it first and the job fails fast with a clear cause instead of burning a turn on an unauthenticated agent call.

A read-only review gate that fails correctly Worked example

Goal: a CI job that lets Claude read the repo and run tests, blocks on nothing (no human), bounds cost, and fails the pipeline if the run fails. A shell step:

# 1. Pre-flight: fail fast if the runner isn't authenticated.
claude auth status --text || { echo "Claude not authenticated"; exit 1; }

# 2. The gated run. Exit code propagates to the step.
claude -p "Review the staged diff for regressions; run the test suite." \
  --bare \
  --permission-mode dontAsk \
  --allowedTools "Read,Bash(git diff *),Bash(npm test)" \
  --max-turns 12 \
  --output-format json > result.json
# No `|| true` — if claude exits non-zero, the step (and the job) fails here.

Trace each guard: auth status (step 1) turns a missing credential into an immediate, legible failure — exit 1 — rather than a confusing agent error. --bare makes the run a function of its inputs, not the runner’s stray config. dontAsk + the tight --allowedTools fix the permission surface up front, so no tool request can stall waiting for an approval that will never come. --max-turns 12 is the ceiling: if the agent thrashes past twelve turns it exits with error, and because the step does not mask the status, the job goes red. On success the agent exits 0, result.json holds the parseable payload, and a later step can read total_cost_usd to log spend. The job’s green/red is the agent’s exit code — exactly the contract CI needs.

GitHub Actions and the credential model

The managed CI surface wraps all of the above. Claude Code GitHub Actions is “built on top of the Claude Agent SDK” [Official] Claude Code GitHub Actions · AnthropicT1-official original and wraps claude -p in a GitHub Action runner. Beyond the direct Anthropic API it supports two cloud providers — Amazon Bedrock (use_bedrock) and Google Vertex AI (use_vertex) — each authenticated through GitHub OIDC / Workload Identity Federation, so no static cloud keys are stored. [Official] Claude Code GitHub Actions · AnthropicT1-official original The v1.0 interface is deliberately small: “mode is auto-detected; use prompt for all instructions and claude_args for any CLI passthrough” [Official] Claude Code GitHub Actions · AnthropicT1-official original — so everything from earlier sections (--bare, --output-format, --allowedTools) reaches the runner through claude_args.

Practice

Exercise solutions

Solution ↑ Exercise

B. The job has no human to approve anything, so the permission surface must be fixed up front: dontAsk denies anything not pre-approved, --allowedTools "Read,Bash(npm test)" grants exactly the read and test-run capability (prefix matching scopes Bash to the test command), and --bare makes the run reproducible across machines. A does the opposite of locking down — --dangerously-skip-permissions approves everything, including edits and pushes. C auto-approves file edits, but the job is supposed to be read-only. D is the classic headless trap: in CI there is no one to answer the approval prompt, so a tool that falls through to default mode stalls or is denied rather than helpfully pausing. The locked-down combination is dontAsk + a tight allowlist + --bare.

Solution ↑ Exercise

Use --output-format json and read the session_id and total_cost_usd fields. The json form returns a single payload with result, session_id, and total_cost_usd (plus a per-model cost breakdown), so the later step can resume with the captured session_id and log spend from total_cost_usd — no usage-dashboard round-trip. The default text format returns only the final response (nothing parseable), and stream-json would make you reassemble the fields from an event stream.

Solution ↑ Exercise

The flag is --bare, and the cause it addresses is non-reproducible context discovery. Without --bare, claude -p auto-discovers and loads whatever the machine has — the repo’s CLAUDE.md, a developer’s personal ~/.claude config, locally-configured MCP servers, hooks, skills, plugins, auto memory — so the same command becomes a function of the host rather than of its inputs, and two runners diverge. --bare skips that discovery, making the run reproducible across machines (and it is slated to become the -p default).

Solution ↑ Exercise

(a) The job gates on the run’s process exit code: claude -p exits after responding and hands its exit status to the runner — 0 passes the step, non-zero fails it. (b) Two documented non-zero conditions: hitting --max-turns (“exits with error when reached”) and an over-cap stdin (piped input above the 10 MB limit “returns a clear error and non-zero exit”); claude auth status exiting 1 when not logged in is a third, useful as a pre-flight gate. (c) Swallowing the status — e.g. ending the command with || true or masking it behind a pipe — so the shell reports success even though the agent run failed; let the exit code propagate.

Exam essentials

Headless entry — claude -p "<query>" runs non-interactively and exits; add --bare to skip discovery (hooks/skills/MCP/CLAUDE.md) for reproducible CI. --bare is slated to become the -p default.
Output formats — text (default), json (result, session_id, total_cost_usd, per-model cost), stream-json (newline-delimited events; system/init carries plugin_errors to fail CI).
Structured output — --output-format json with --json-schema adds a validated structured_output field; --json-schema is print-mode only (as are --max-turns, --max-budget-usd).
Permission gates — CI has no human to prompt, so decide the surface up front: dontAsk (deny anything not pre-approved) + --allowedTools (prefix matching, e.g. Bash(git diff *)); --max-turns / --max-budget-usd cap a run; bypassPermissions / --dangerously-skip-permissions skips all checks — containers only.
Exit codes are the CI contract — a step passes/fails on the run’s exit status (0 success, non-zero failure). --max-turns reached and over-cap stdin (10 MB) exit non-zero; claude auth status exits 0/1 as a pre-flight gate. Don’t mask the status (|| true) — a failed run would report green.
GitHub Actions — wraps claude -p; v1.0 auto-detects mode (prompt + claude_args); the Anthropic API plus Bedrock + Vertex (the two cloud providers via OIDC, no static keys); supply credentials as secrets, never hardcoded.

Part 3 · D3 Review

6 exercises across 6 chapters — interleaved review.

d3-01-claude-md-hierarchy

d3-01-ex-scope-concat A monorepo has `/repo/CLAUDE.md` ("use tabs") and `/repo/services/api/CLAUDE.md` ("use 2-space indent"). A developer runs Claude Code from `/repo/services/api/`, and both files are discovered. Which statement describes what Claude Code actually loads, and why? - **A.** Only the `services/api/CLAUDE.md` loads — the closest file overrides its ancestors. - **B.** Only the root `/repo/CLAUDE.md` loads — the project-root file takes precedence. - **C.** Both load and concatenate (root first, then `api`); with no precedence, both instructions sit in context at once. - **D.** Both load, but `api`'s lines override the root's, the way `settings.local.json` overrides user settings.

d3-02-slash-commands-skills

d3-02-ex-command-vs-skill Your team has a 2,000-token deployment runbook you want Claude to follow whenever it deploys — ideally without anyone having to remember to paste it. Where should it live, and why? - **A.** In `CLAUDE.md`, so the runbook is always available to every session. - **B.** As a skill at `.claude/skills/deploy/SKILL.md`, so only its ~100-token description costs context until it is invoked. - **C.** As a slash command at `.claude/commands/deploy.md`, since that is the only way to get a `/deploy` command. - **D.** Pasted inline into each prompt at deploy time, so it is always fresh.

d3-03-rules-path-scoping

d3-03-ex-scoped-vs-unconditional You have a one-line standard — "all API endpoints must validate their input" — that is only relevant when someone edits files under `src/api/`. You want it in front of Claude during that work but not cluttering context the rest of the time. How should you author it? - **A.** As a line in `CLAUDE.md`, so it is always loaded and never missed. - **B.** As an unconditional rule `.claude/rules/api.md` with no `paths`, so it loads every session. - **C.** As a path-scoped rule `.claude/rules/api.md` with `paths: ["src/api/**/*.ts"]`, so it loads only when Claude reads an API file. - **D.** As a skill at `.claude/skills/api/SKILL.md`, so Claude can invoke it when needed.

d3-04-plan-mode

d3-04-ex-plan-or-direct You are asked to rename a widely-used helper function across an unfamiliar ~40-file service, and you want Claude to carry it out. Which approach best contains the risk, and why? - **A.** Start in `acceptEdits` and let Claude rename call sites as it finds them — the fastest path to a green tree. - **B.** Start in plan mode so Claude maps every call site and proposes the complete change set before editing; approve once it is complete. - **C.** Use `bypassPermissions` so nothing interrupts the multi-file edit. - **D.** Work in `default` mode and approve each edit as it appears, catching mistakes one prompt at a time.

d3-05-iterative-refinement

d3-05-ex-interview-vs-direct You are kicking off a sizeable new feature — a billing system — whose design space you have not fully thought through (proration rules, failure modes, and edge cases are still fuzzy). What is the most effective way to start Claude on it? - **A.** Write one detailed prompt with every requirement and verification criterion you can think of, for maximum autonomy. - **B.** Use the interview pattern: a minimal prompt asking Claude to interview you with `AskUserQuestion`, ending in a written `SPEC.md`, then a fresh session implements from it. - **C.** Give a vague one-liner and course-correct turn by turn as the design reveals itself. - **D.** Use plan mode alone — let Claude explore the codebase and propose an approach without interviewing you.

d3-06-cicd-integration

d3-06-ex-locked-down-ci A CI job should let Claude read the repository and run the test suite — and nothing else: no edits, no pushes, and no hanging on a prompt, because there is no human to answer one. Which invocation best fits? - **A.** `claude -p "..." --dangerously-skip-permissions`, so the run never blocks on a permission check. - **B.** `claude -p "..." --permission-mode dontAsk --allowedTools "Read,Bash(npm test)" --bare`. - **C.** `claude -p "..." --permission-mode acceptEdits`, so it can write any test artifacts it needs. - **D.** `claude -p "..."` in the default mode, letting it prompt for approval if it needs more access.

The headless invocation

Output formats

Structured output with --json-schema

Permission gates for a run with no human

Exit codes: what CI actually gates on

GitHub Actions and the credential model

Practice

Exercise solutions

Exam essentials

Structured output with `--json-schema`