Claude Code Auto Mode - DeveloPassion

# Claude Code Auto Mode Auto mode is a permission mode in [[Claude Code]] where Claude makes permission decisions on behalf of the user, with a background classifier reviewing each action before it runs. It sits between the default mode (approve everything) and `bypassPermissions` / `--dangerously-skip-permissions` (approve nothing). Announced 2026-03-24. Available as a research preview. ## How it works Before each tool call executes, a separate classifier model (Sonnet 4.6, regardless of the session model) evaluates the pending action against the conversation context and decides whether to allow or block it. Claude's own text and tool results are stripped from classifier input, so hostile content in files or web pages cannot manipulate the classifier directly. The classifier also receives CLAUDE.md content, so project instructions factor into decisions. Decision order for each action: 1. Actions matching explicit allow/deny rules resolve immediately 2. Read-only actions and file edits within the working directory are auto-approved 3. Everything else goes to the classifier 4. If the classifier blocks, Claude receives the reason and tries an alternative On entering auto mode, Claude Code drops broad allow rules that would bypass the classifier: blanket `Bash(*)`, wildcarded interpreters like `Bash(python*)`, package-manager run commands, and any `Agent` allow rule. Narrow rules like `Bash(npm test)` carry over. Dropped rules are restored when leaving auto mode. ## What the classifier blocks by default The classifier trusts the working directory and configured git remotes. Everything else is treated as external until configured otherwise. **Blocked by default:** - Downloading and executing code (`curl | bash`, scripts from cloned repos) - Sending sensitive data to external endpoints - Production deploys and migrations - Mass deletion on cloud storage - Granting IAM or repo permissions - Modifying shared infrastructure - Irreversibly destroying pre-session files - Destructive source control operations (force push, pushing to `main`) **Allowed by default:** - Local file operations in the working directory - Installing dependencies from lock files/manifests - Reading `.env` and sending credentials to their matching API - Read-only HTTP requests - Pushing to the current branch or one Claude created View the full default rule lists with `claude auto-mode defaults`. ## Subagent handling The classifier evaluates subagent tasks at spawn time. Dangerous task descriptions are blocked before the subagent starts. Inside a subagent, auto mode runs with the same block/allow rules; any `permissionMode` in the subagent's frontmatter is ignored. When the subagent finishes, the classifier reviews its full action history and prepends a security warning if anything looks off. ## Fallback behavior If the classifier blocks an action 3 times consecutively or 20 times total in a session, auto mode pauses and Claude Code resumes prompting for each action. Approving a prompted action resets the denial counters. In non-interactive mode (`-p` flag), repeated blocks abort the session. ## Cost and latency Classifier calls count toward token usage. Each checked action sends a portion of the conversation transcript plus the pending action to the classifier. Read-only actions and working-directory file edits skip the classifier, so the overhead mainly applies to shell commands and network operations. ## Availability and setup Requires Team plan (Enterprise and API rolling out). Works with Sonnet 4.6 and Opus 4.6 only. Not available on Haiku, claude-3 models, or third-party providers (Bedrock, Vertex, Foundry). With the release of [[Claude Opus 4.7]], Auto mode was also extended to Max users. **For admins:** enable in Claude Code admin settings. Disable with `"disableAutoMode": "disable"` in managed settings. Disabled by default on Desktop; toggle via Organization Settings. **For developers:** - CLI: `claude --enable-auto-mode`, then cycle to it with `Shift+Tab` - VS Code / Desktop: enable in Settings, then select from the permission mode dropdown - As a default: set `"defaultMode": "auto"` in `permissions` settings - Non-interactive: `claude -p "task" --permission-mode auto` ## Configuring trusted infrastructure If auto mode blocks routine actions (pushing to your org's repo, writing to a company bucket), the classifier doesn't recognize those as trusted. Admins can configure trusted repos, buckets, and services via the `autoMode.environment` setting in managed settings. See [[Claude Code Permissions]] for details. ## References - Announcement: https://claude.com/blog/auto-mode - Permission modes docs: https://code.claude.com/docs/en/permission-modes - Classifier configuration: https://code.claude.com/docs/en/permissions#configure-the-auto-mode-classifier ## Related - [[Claude Code]] - [[Claude Code Permissions]] - [[Claude Code Interactive Mode]] - [[Claude Code Hooks]] - [[Claude Code Configuration]] - [[Claude Opus 4.7]]