Claude Code v2.1.178 Nested Skills and Permission Settings for Team Operations

Even if you've heard that nested skills and permission settings have been added, many teams may not be sure what actually changes in their workflow. This article summarizes the 3 new features in v2.1.178 and provides concrete steps for team adoption.

Conclusion

Claude Code v2.1.178 simultaneously added three features: skill management via nested .claude directories, fine-grained permission syntax using the Tool(param:value) format, and classifier evaluation before subagent launches in auto mode. You can start using these the same day by running npm update @anthropic-ai/claude-code (releasebot.io).

For team permission management, you can now shift from tool-level control to parameter-level fine-grained control. Writing policies in .claude/settings.json and blocking dangerous commands by parameter matching becomes the standard pattern for advancing automation while ensuring governance.

In monorepo environments, a nested design where each subdirectory has its own skills is the practical approach. Name conflicts can be resolved using the <dir>:<name> format, allowing frontend, backend, and infra teams to maintain independent skill sets while managing common skills at the root (kajikent design notes).


What Changed in v2.1.178 — Overview of 3 Major Updates

Claude Code v2.1.178, released on June 16, 2026, is an update that directly addresses operational challenges in large-scale teams and monorepo environments. The added features can be organized into three major categories. Release information is available on releasebot.io and npmjs.com.

Addition of Nested .claude Skills

The .claude/ directory that was previously placed only at the project root is now supported throughout subdirectory hierarchies. This allows monorepos to have each subproject maintain its own skill set, such as apps/frontend/.claude/, apps/backend/.claude/, and infra/.claude/. Since skill resolution prioritizes subdirectories and traverses up to the project root, you can now centralize common skills at the root while letting subprojects override them with project-specific procedures. The larger the team, the greater the benefit of maintaining accuracy while preventing context pollution across projects.

Addition of Tool(param:value) Permission Syntax

The allowedTools configuration has been extended from tool names alone to combinations of "tool name + parameter value." For example, you can write Bash(command:git status) to explicitly allow only specific commands. By sharing .claude/settings.json as a team policy, you can now express and version-control the scope of operations that can be executed without approval. Previously, the choice was binary — "allow all or deny all" — but fine-grained parameter-level control now makes it realistic to reduce risk without sacrificing development efficiency.

Classifier Evaluation in Auto Mode

Before a subagent launches in auto mode, a classifier now evaluates the risk of the target action. Evaluation targets are limited to high-risk actions such as changes to production environments, access to external services, and large-scale filesystem operations. Normal code generation, reading, and test execution are unaffected. For enterprise adoption reviews, the fact that the AI tool itself evaluates risky actions can serve as a basis for security explanations.

How to Update

npm update @anthropic-ai/claude-code

Or to install the latest version explicitly:

npm install -g @anthropic-ai/claude-code@latest

After installation, confirm the version number with claude --version and verify it is 2.1.178 or later. Preparation is complete with just this version check, and the new features are available immediately without any additional configuration.

How Nested .claude Skills Work and When to Use Them

Directory Hierarchy and Skill Resolution Priority

When Claude Code searches for skills, it traverses from the current directory upward to the root. When claude is launched from within a subdirectory, it first checks .claude/skills/ in that directory, then the parent directory, and then the project root if none is found. This mechanism allows common skills (code review procedures, pre-deploy checklists, commit conventions, etc.) to be centralized at the root, while service-specific procedures can be managed independently in subprojects.

Skill overriding is also controlled hierarchically. If a subproject has a skill with the same name, the subproject version is automatically prioritized. If you want to explicitly call the root skill, you use an explicit path. This architecture provides a fundamental answer to the question of "how to give each service its own specific context" — and that answer only becomes more valuable as teams grow.

@kajikent noted in design notes shared on June 16, 2026 (x.com/kajikent) that placing general-purpose skills at the root and domain-specific skills in subprojects is effective in actual production use. This folder design approach is also a general pattern that can be applied to AI-assisted editor extensions.

Resolving Conflicts with the <dir>:<name> Format

When the root and multiple subprojects have skills with the same name, you can explicitly call the desired one using the <dir>:<name> format. For example, if there is a deploy skill at the root and also a deploy skill in infra/.claude/skills/, typing /infra:deploy will prioritize the infra skill.

my-repo/
├── .claude/
│   └── skills/
│       ├── deploy.md     # Common deploy procedure
│       └── review.md     # Common review guidelines
├── apps/
│   ├── frontend/
│   │   └── .claude/
│   │       └── skills/
│   │           ├── deploy.md    # Frontend-specific deploy procedure
│   │           └── test.md      # Frontend-specific test procedure
│   └── backend/
│       └── .claude/
│           └── skills/
│               ├── deploy.md    # Backend-specific deploy procedure
│               └── db.md        # DB operation procedure
└── infra/
    └── .claude/
        └── skills/
            └── deploy.md        # Infrastructure deploy procedure

With this kind of structure, when working in the frontend directory, simply typing /deploy will prioritize the frontend-specific procedure, while the common /review skill is inherited from the root. The <dir>:<name> format is only needed when you explicitly want to call a skill from a different directory. This allows you to manage optimized procedures for each subproject without worrying about skill conflicts.
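The lookup order described above, as an added example that is not part of Claude Code or of the original article: it rebuilds the sample tree in a temporary directory, resolves a call the way the text describes, and lists skill names that one directory shadows for another. The function names are hypothetical, and reading `<dir>` as a path relative to the repository root is an assumption.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed copy of the article's example tree (repo-relative paths).
SAMPLE_SKILLS = [
    ".claude/skills/deploy.md", ".claude/skills/review.md",
    "apps/frontend/.claude/skills/deploy.md", "apps/frontend/.claude/skills/test.md",
    "apps/backend/.claude/skills/deploy.md", "apps/backend/.claude/skills/db.md",
    "infra/.claude/skills/deploy.md",
]

def build_sample() -> Path:
    """Create the sample tree in a temporary directory and return its root."""
    root = Path(tempfile.mkdtemp()).resolve()
    for rel in SAMPLE_SKILLS:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("# constructed skill\n")
    return root

def resolve(root: Path, cwd: Path, call: str):
    """Return the repo-relative skill file that wins for `call`, or None."""
    name = call.lstrip("/")
    if ":" in name:
        # Assumption: "<dir>:<name>" means <root>/<dir>/.claude/skills/<name>.md
        directory, name = name.split(":", 1)
        bases = [root / directory]
    else:
        # Nearest wins: cwd first, then each parent, stopping at the repo root.
        chain = [cwd, *cwd.parents]
        bases = chain[: chain.index(root) + 1]
    for base in bases:
        skill = base / ".claude" / "skills" / f"{name}.md"
        if skill.is_file():
            return skill.relative_to(root).as_posix()
    return None

def shadowed(root: Path) -> dict:
    """Skill names defined in more than one directory, with every definer."""
    owners = defaultdict(list)
    for skill in sorted(root.rglob(".claude/skills/*.md")):
        owners[skill.stem].append(skill.parents[2].relative_to(root).as_posix())
    return {name: dirs for name, dirs in owners.items() if len(dirs) > 1}

if __name__ == "__main__":
    repo = build_sample()
    for call in ("/deploy", "/review", "/infra:deploy"):
        print(call, "->", resolve(repo, repo / "apps" / "frontend", call))
    print("defined more than once:", shadowed(repo))
```

Running `shadowed()` in code review shows at a glance when a subproject has started overriding a root skill such as `deploy` or `review`.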

Practical Placement Example in a Monorepo — Separating frontend / backend / infra

A typical scenario for leveraging nested skills in a monorepo is a microservices architecture. When each service has a different framework, deployment method, and test procedure, the previous choices were either to cram all service procedures into the root CLAUDE.md or to omit them entirely. Nested skills now allow each service directory to have its own skills, maintaining accuracy while preventing context bloat.

@masahirochaen praised this update in a June 16, 2026 post (x.com/masahirochaen). The ability for each service team to independently manage .claude/skills/ is also an important point for balancing organizational autonomy with governance.

Tool(param:value) Permission Syntax — Fine-Grained Control in Practice

Differences from Previous Permission Settings

Before v2.1.178, allowedTools only supported allow/deny at the tool name level. Allowing Bash would permit all shell commands, while denying it would block everything — a binary choice. This made it impossible to express team policies like "allow git and make commands but not rm -rf or external communication via curl."

Starting with v2.1.178, you can specify parameter values using the Tool(param:value) format, and wildcard patterns are also supported.

Configuration Format           | Example                                 | Behavior
Tool name only (old)           | Bash                                    | Allows all shell commands
Parameter-specified (new)      | Bash(command:git *)                     | Allows only git commands
Compound specification (new)   | Bash(command:npm test)                  | Allows only npm test
Block specification (new)      | blockedTools: ["Bash(command:rm *)"]    | Blocks rm commands

Example Design for Safe Auto-Approval via Parameter Matching

Here is an example .claude/settings.json configuration for safely advancing automation within a team. It auto-approves code reading, searching, git references, and test execution, while explicitly blocking file deletion and external communication.

{
  "allowedTools": [
    "Read",
    "Grep",
    "Glob",
    "Bash(command:git status)",
    "Bash(command:git diff *)",
    "Bash(command:git log *)",
    "Bash(command:npm test)",
    "Bash(command:npm run lint)"
  ],
  "blockedTools": [
    "Bash(command:rm *)",
    "Bash(command:curl *)",
    "Bash(command:wget *)"
  ]
}

When both blockedTools and allowedTools are specified, blockedTools takes priority. Even if a developer mistakenly adds something to allowedTools, the blockedTools entries will protect against it.
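A small model of that precedence rule, added here as an example and not taken from Claude Code: it evaluates a tool call against the settings.json above, checking blockedTools first. Treating `*` as a shell-style glob over the whole parameter value and returning "ask" for unlisted calls are assumptions, as are the function names.

```python
import fnmatch
import re

# The team policy from this article's settings.json example.
POLICY = {
    "allowedTools": ["Read", "Grep", "Glob",
                     "Bash(command:git status)", "Bash(command:git diff *)",
                     "Bash(command:git log *)", "Bash(command:npm test)",
                     "Bash(command:npm run lint)"],
    "blockedTools": ["Bash(command:rm *)", "Bash(command:curl *)",
                     "Bash(command:wget *)"],
}

# Tool            -> bare tool name
# Tool(param:val) -> tool name plus one parameter pattern
ENTRY = re.compile(r"^(?P<tool>\w+)(?:\((?P<param>\w+):(?P<value>.*)\))?$")

def matches(entry: str, tool: str, params: dict) -> bool:
    """True if a Tool or Tool(param:value) entry covers this tool call."""
    m = ENTRY.match(entry)
    if not m or m["tool"] != tool:
        return False
    if m["param"] is None:
        return True  # a bare tool name covers every call to that tool
    actual = params.get(m["param"])
    # Assumption: '*' is a shell-style glob over the whole parameter value.
    return actual is not None and fnmatch.fnmatchcase(actual, m["value"])

def decide(policy: dict, tool: str, params: dict = None) -> str:
    """Blocked entries win over allowed ones; unlisted calls need approval."""
    params = params or {}
    if any(matches(e, tool, params) for e in policy.get("blockedTools", [])):
        return "block"
    if any(matches(e, tool, params) for e in policy.get("allowedTools", [])):
        return "allow"
    return "ask"

if __name__ == "__main__":
    for cmd in ("git status", "git diff HEAD~1", "rm -rf build", "npm install"):
        print(f"{cmd!r:20} -> {decide(POLICY, 'Bash', {'command': cmd})}")
```

Under this glob model, `git diff` with no arguments does not match `git diff *` and falls through to a prompt, so test patterns against the exact command strings your team runs.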

How to Incorporate This as a Team Policy in .claude/settings.json

By committing .claude/settings.json to the repository, all team members can use Claude Code with the same permission settings. Previously, settings were scattered per individual, easily leading to a situation where "Member A allows dangerous commands while Member B denies them." A shared settings file allows Claude Code usage policies to be managed as part of the codebase.

my-repo/
└── .claude/
    ├── settings.json         # Shared team permission settings (committed to repository)
    └── settings.local.json   # Personal settings (recommended to exclude via .gitignore)

Since settings.local.json overrides settings.json, individuals can customize for their own productivity while the team policy stays in the shared file. However, blockedTools can also be overridden in settings.local.json, so the shared block list relies on a team rule as well as on the file. Put every item that must be enforced as team policy under blockedTools, and explicitly document that "overriding blocked tools in personal settings is prohibited."

Auto Mode × Classifier Evaluation — Risk Reduction Before Subagent Launch

How Classifier Evaluation Works and What Actions It Covers

When a subagent launches in auto mode (e.g., when using the --no-interactive flag), the target action is now evaluated for risk by an internal classifier. The main categories subject to evaluation are:

  1. Change operations to production environments or infrastructure configuration
  2. Access to external services or network resources
  3. Large-scale filesystem changes (directory deletion, bulk overwrites, etc.)
  4. Operation patterns suspected of reading sensitive information

When actions matching these categories are detected, the system either inserts an approval confirmation or pauses and logs the operation, even in auto mode. Normal operations such as code generation, reading, unit test execution, and file searching are unaffected.

A blog post by @ClaudeDevs (x.com/ClaudeDevs) reports that in a production deployment case of Claude Managed Agents, classifier evaluation significantly reduced the risk of infrastructure operations being executed unintentionally.

Impact on Team Operations — Sorting Out the Speed vs. Safety Trade-Off

It is important to understand that the addition of classifier evaluation affects latency. The evaluation process depends on the characteristics of the target action, but for high-risk actions, approval confirmation may be inserted, potentially increasing manual intervention in fully automated pipelines.

The recommended approach for team operations is as follows:

  1. First, observe evaluation logs for 1–2 weeks to confirm that intended operations are not being blocked
  2. For operations with frequent false positives, explicitly allow them using the Tool(param:value) syntax in allowedTools
  3. For operations where blocking is appropriate, document them in a policy document and review periodically as a team

The balance between speed and safety should be adjusted according to the team's risk tolerance and automation maturity. Starting with full approval or full blocking is not optimal. Particularly for teams growing from startup to mid-scale, a cycle of observe → narrow the allowed scope via parameters → review periodically tends to work well.

Justification for Saying "We're Automating Safely" During Enterprise Adoption

With the introduction of classifier evaluation, it has become easier to build a system that can audit and explain AI tool usage. For companies facing the challenge of "security reviews blocking company-wide Claude Code adoption," a tool-side feature that evaluates and records risky actions gives them material for that explanation. Specifically, the following points can serve as justification:

  1. High-risk actions are pre-evaluated by the classifier and cannot be executed without approval
  2. Permission settings via allowedTools / blockedTools can be managed and audited as code
  3. Evaluation logs allow tracing of what was actually executed

These function as explanations addressing the "principle of least privilege" and "retention of operation logs" requirements in SOC 2 and internal security policies. Having a setup where you can present configuration files and logs when explaining to IT departments or security teams will help smooth the adoption review process.

Team Adoption Roadmap — Steps by Team Size and Common Pitfalls

Getting Started for Small Teams (up to 5 people)

For small teams, the recommendation is to first use nested skills to build a collection of procedures that all members can share. Start conservatively with permission settings and prioritize establishing a skill management practice.

  1. Create a .claude/skills/ directory at the project root
  2. Write code review procedures, test execution procedures, and commit message conventions as skills
  3. Set basic allowedTools in settings.json and commit to the repository
  4. After one week of use, have the team reflect on "which skills were useful" and improve the content

Once comfortable with the settings, gradually add blockedTools. Imposing strict restrictions from the start worsens the developer experience and tends to reduce Claude Code usage. Starting loosely and tightening gradually is more sustainable for small teams.

Permission Setup for Mid-Size Teams (5–20 people)

At mid-size, situations arise more frequently where different roles need different permission settings. It is effective to allow frontend engineers to freely make UI component changes while restricting infrastructure configuration changes.

  1. Separate nested skills and settings.json per subproject
  2. Apply stricter blockedTools to infrastructure and database directories
  3. Establish a rule in code review that changes to .claude/settings.json always require approval from at least 2 people
  4. Conduct monthly policy reviews, and consider adding frequently-blocked operations to allowedTools or revisiting the workflow

At this scale, also document how settings.local.json should be used. It is important to allow personal productivity customization while maintaining the rule that the block list defined in the shared settings.json must not be overridden in personal settings.

Governance Management for Large Teams (20+ people)

For teams exceeding 20 people, it becomes important to centrally manage the .claude/ directory configuration in the repository and validate changes via CI.

  1. Have a dedicated maintainer manage the .claude/ directory, with changes made via pull requests
  2. When changing settings, simulate and document in advance whether the changes will impact existing members' work
  3. Regularly audit the change history of settings.json to detect unintended permission expansions
  4. Include an explanation of Claude Code permission settings in the onboarding documentation for new members

In the production deployment case of Managed Agents reported by @ClaudeDevs (x.com/ClaudeDevs), version control of settings and a change approval process were cited as key points for large-scale adoption. Organizations without a change control mechanism tend to end up in a situation where settings diverge per person and "whose settings are correct" becomes unclear.
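One way to automate the audit of settings.json changes, and the check on settings.local.json described earlier, as an added example that is not part of Claude Code or the original article. The JSON inputs are constructed, the function names are hypothetical, and it assumes that a key present in settings.local.json replaces the same key in the shared file.

```python
import json

# Constructed inputs: the shared policy before and after a pull request,
# and one developer's settings.local.json.
OLD_SHARED = '''{"allowedTools": ["Read", "Bash(command:git status)"],
                 "blockedTools": ["Bash(command:rm *)", "Bash(command:curl *)"]}'''
NEW_SHARED = '''{"allowedTools": ["Read", "Bash(command:git status)", "Bash",
                                  "Bash(command:npm test)"],
                 "blockedTools": ["Bash(command:rm *)"]}'''
LOCAL = '''{"blockedTools": []}'''

def _entries(settings: dict, key: str) -> set:
    return set(settings.get(key, []))

def audit(old_shared: str, new_shared: str, local: str = None) -> list:
    """Return (severity, file, message) findings for permission expansions."""
    old, new = json.loads(old_shared), json.loads(new_shared)
    findings = []
    for entry in sorted(_entries(new, "allowedTools") - _entries(old, "allowedTools")):
        if "(" not in entry:
            # A bare tool name auto-approves every call to that tool.
            findings.append(("high", "settings.json", f"bare tool name allowed: {entry}"))
        else:
            findings.append(("review", "settings.json", f"new auto-approval: {entry}"))
    for entry in sorted(_entries(old, "blockedTools") - _entries(new, "blockedTools")):
        findings.append(("high", "settings.json", f"block removed: {entry}"))
    if local is not None:
        personal = json.loads(local)
        # Assumption: a key present in settings.local.json replaces the shared key.
        if "blockedTools" in personal:
            lost = _entries(new, "blockedTools") - _entries(personal, "blockedTools")
            for entry in sorted(lost):
                findings.append(("high", "settings.local.json",
                                 f"shared block not kept: {entry}"))
    return findings

def gate(findings: list) -> int:
    """Exit status for CI: non-zero when any high-severity finding exists."""
    return 1 if any(sev == "high" for sev, _, _ in findings) else 0

if __name__ == "__main__":
    results = audit(OLD_SHARED, NEW_SHARED, LOCAL)
    for sev, where, msg in results:
        print(f"[{sev}] {where}: {msg}")
    raise SystemExit(gate(results))
```

The shared-file comparison fits a pull-request check; the settings.local.json part has to run on each developer's machine, since that file is excluded from the repository.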

Common Pitfalls and How to Handle Them

Identifying skill conflicts: If the intended skill is not being executed, launch with the claude --debug flag to check the path of the resolved skill. Due to subdirectory-priority behavior, explicitly calling a root skill may require an explicit invocation format. In most cases, specifying the namespace with the <dir>:<name> format will resolve the issue.

Debugging permission configuration mistakes: If a command set in blockedTools is still being executed, check whether settings.local.json is overriding it. Since personal settings take priority over shared settings, a team member's personal settings may be inadvertently bypassing the policy. A practical approach is to add settings.local.json to .gitignore while establishing a team rule that overriding specific items via personal settings is prohibited.

The version pinning trap: If your team has pinned to a specific version, new features will not be available if the @anthropic-ai/claude-code version in package.json is not updated. Full pinning (e.g., 2.1.177) also carries the risk of not receiving security patches, so it is recommended to pin only the major version (e.g., ^2.0.0) and allow minor and patch versions to auto-update. Before updating, it is good practice to check the release notes and changelog on npmjs.com to verify there are no significant behavioral changes.

Clauder Navi Editorial Team
@clauder_navi
