docs(claude-code): add unattended-mode example for template admins

The most common template-admin use case is 'make Claude just work for
an agent or headless workspace without human interaction.' The existing
README shows envs, MCP, and a one-liner pre_install_script, but never
walks through how to skip the first-run wizard and the bypass-mode
consent banner.

Add a dedicated section documenting:

- settings.json with permissions.defaultMode = bypassPermissions,
  permissions.deny allowlist, and skipDangerousModePermissionPrompt
  (verified live against Claude Code CLI v2.1.117 on a workspace).
- ~/.claude.json hasCompletedOnboarding merged via jq so installer
  keys (userID, firstStartTime, installMethod, autoUpdates,
  migrationVersion) are preserved.
- A runtime-flag alternative for one-off 'claude -p' runs.

Verified the complete example end-to-end on dev.coder.com: fresh
workspace lands with the expected settings.json keys, onboarding
skipped, and installer-managed state intact.

Author: matifali

registry/coder/modules/claude-code/README.md

@@ -225,6 +225,71 @@ module "claude-code" {
 }
 ```
 
+## Unattended mode (skip setup wizard and permission prompts)
+
+For template-admin setups where Claude Code should just work — CI agents, headless workspaces, AI coding agents that do not have a human to click through the first-run wizard or confirm bypass-permissions mode — pre-write `settings.json` and `~/.claude.json` via `pre_install_script`.
+
+```tf
+module "claude-code" {
+  source   = "registry.coder.com/coder/claude-code/coder"
+  version  = "5.0.0"
+  agent_id = coder_agent.main.id
+
+  env = {
+    ANTHROPIC_API_KEY = var.anthropic_api_key
+  }
+
+  pre_install_script = <<-EOT
+    #!/bin/bash
+    set -euo pipefail
+
+    # Settings: default to bypassPermissions so tool calls do not prompt,
+    # silence the "dangerous mode" consent banner, and keep a deny list for
+    # anything the agent must never read.
+    mkdir -p "$HOME/.claude"
+    cat > "$HOME/.claude/settings.json" <<'JSON'
+    {
+      "permissions": {
+        "defaultMode": "bypassPermissions",
+        "deny": ["Read(./.env)", "Read(./secrets/**)", "Read(**/*.pem)"]
+      },
+      "skipDangerousModePermissionPrompt": true
+    }
+    JSON
+
+    # User config: skip the theme and first-run onboarding flow. The official
+    # installer creates ~/.claude.json before this pre_install_script runs,
+    # so merge rather than overwrite to preserve installer-managed keys
+    # (userID, autoUpdates, migrationVersion, firstStartTime).
+    if [ -f "$HOME/.claude.json" ]; then
+      tmp=$(mktemp)
+      jq '. + {hasCompletedOnboarding: true}' "$HOME/.claude.json" > "$tmp" \
+        && mv "$tmp" "$HOME/.claude.json"
+    else
+      printf '%s\n' '{"hasCompletedOnboarding": true}' > "$HOME/.claude.json"
+    fi
+  EOT
+}
+```
+
+Keys verified live against Claude Code CLI v2.1.117:
+
+| File                      | Key                                 | Effect                                                                                |
+| ------------------------- | ----------------------------------- | ------------------------------------------------------------------------------------- |
+| `~/.claude/settings.json` | `permissions.defaultMode`           | `"bypassPermissions"`, `"acceptEdits"`, `"plan"`, `"auto"`, `"default"`, `"dontAsk"`. |
+| `~/.claude/settings.json` | `permissions.allow` / `deny`        | Per-tool allowlist / denylist (e.g. `"Bash(git *)"`, `"Read(./secrets/**)"`).         |
+| `~/.claude/settings.json` | `skipDangerousModePermissionPrompt` | Silences the one-time "enable bypassPermissions mode" consent banner.                 |
+| `~/.claude.json`          | `hasCompletedOnboarding`            | Skips the first-run theme picker and welcome screens.                                 |
+
+> [!NOTE]
+> Pre-writing these files makes sense for automation and agents. Human users who expect the usual onboarding and per-project trust dialog should not use this pattern.
+
+For one-off non-interactive runs, prefer the runtime flag instead of pre-writing config:
+
+```bash
+claude -p "$PROMPT" --dangerously-skip-permissions --permission-mode bypassPermissions
+```
+
 ## Outputs
 
 | Output    | Type           | Description                                                                                                                                                                                     |