Documentation — Spybara

best-practices.md +15 −10

Details

202### Configure permissions202### Configure permissions

203 203

204<Tip>204<Tip>

205 Use `/permissions` to allowlist safe commands or `/sandbox` for OS-level isolation. This reduces interruptions while keeping you in control.205 Use [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) to let a classifier handle approvals, `/permissions` to allowlist specific commands, or `/sandbox` for OS-level isolation. Each reduces interruptions while keeping you in control.

206</Tip>206</Tip>

207 207

208By default, Claude Code requests permission for actions that might modify your system: file writes, Bash commands, MCP tools, etc. This is safe but tedious. After the tenth approval you're not really reviewing anymore, you're just clicking through. There are two ways to reduce these interruptions:208By default, Claude Code requests permission for actions that might modify your system: file writes, Bash commands, MCP tools, etc. This is safe but tedious. After the tenth approval you're not really reviewing anymore, you're just clicking through. There are three ways to reduce these interruptions:

209 209

210* **Permission allowlists**: permit specific tools you know are safe (like `npm run lint` or `git commit`)210* **Auto mode**: a separate classifier model reviews commands and blocks only what looks risky: scope escalation, unknown infrastructure, or hostile-content-driven actions. Best when you trust the general direction of a task but don't want to click through every step

211* **Permission allowlists**: permit specific tools you know are safe, like `npm run lint` or `git commit`

211* **Sandboxing**: enable OS-level isolation that restricts filesystem and network access, allowing Claude to work more freely within defined boundaries212* **Sandboxing**: enable OS-level isolation that restricts filesystem and network access, allowing Claude to work more freely within defined boundaries

212 213

213Alternatively, use `--dangerously-skip-permissions` to bypass permission prompts for contained workflows like fixing lint errors or generating boilerplate. See [permission modes](/en/permissions#permission-modes) for what is and isn't skipped.214Read more about [permission modes](/en/permission-modes), [permission rules](/en/permissions), and [sandboxing](/en/sandboxing).

~~214~~

215<Warning>

216 Letting Claude run arbitrary commands can result in data loss, system corruption, or data exfiltration via prompt injection. Only use `--dangerously-skip-permissions` in a sandbox without internet access.

217</Warning>

~~218~~

219Read more about [configuring permissions](/en/permissions) and [enabling sandboxing](/en/sandboxing).

220 215

221### Use CLI tools216### Use CLI tools

222 217

540 535

541Use `--verbose` for debugging during development, and turn it off in production.536Use `--verbose` for debugging during development, and turn it off in production.

542 537

538### Run autonomously with auto mode

539

540For uninterrupted execution with background safety checks, use [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode). A classifier model reviews commands before they run, blocking scope escalation, unknown infrastructure, and hostile-content-driven actions while letting routine work proceed without prompts.

541

542```bash theme={null}

543claude --permission-mode auto -p "fix all lint errors"

544```

545

546For non-interactive runs with the `-p` flag, auto mode aborts if the classifier repeatedly blocks actions, since there is no user to fall back to. See [when auto mode falls back](/en/permission-modes#when-auto-mode-falls-back) for thresholds.

547

543***548***

544 549

545## Avoid common failure patterns550## Avoid common failure patterns

channels.md +55 −5

Details

14 14

15Unlike integrations that spawn a fresh cloud session or wait to be polled, the event arrives in the session you already have open: see [how channels compare](#how-channels-compare).15Unlike integrations that spawn a fresh cloud session or wait to be polled, the event arrives in the session you already have open: see [how channels compare](#how-channels-compare).

16 16

~~17You install a channel as a plugin and configure it with your own credentials. Telegram and Discord are included in the research preview.~~17You install a channel as a plugin and configure it with your own credentials. Telegram, Discord, and iMessage are included in the research preview.

18 18

19When Claude replies through a channel, you see the inbound message in your terminal but not the reply text. The terminal shows the tool call and a confirmation (like "sent"), and the actual reply appears on the other platform.19When Claude replies through a channel, you see the inbound message in your terminal but not the reply text. The terminal shows the tool call and a confirmation (like "sent"), and the actual reply appears on the other platform.

20 20

21This page covers:21This page covers:

22 22

~~23* [Supported channels](#supported-channels): Telegram and Discord setup~~23* [Supported channels](#supported-channels): Telegram, Discord, and iMessage setup

24* [Install and run a channel](#quickstart) with fakechat, a localhost demo24* [Install and run a channel](#quickstart) with fakechat, a localhost demo

25* [Who can push messages](#security): sender allowlists and how you pair25* [Who can push messages](#security): sender allowlists and how you pair

26* [Enable channels for your organization](#enterprise-controls) on Team and Enterprise26* [Enable channels for your organization](#enterprise-controls) on Team and Enterprise

165 </Step>165 </Step>

166 </Steps>166 </Steps>

167 </Tab>167 </Tab>

168

169 <Tab title="iMessage">

170 View the full [iMessage plugin source](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/imessage).

171

172 The iMessage channel reads your Messages database directly and sends replies through AppleScript. It requires macOS and needs no bot token or external service.

173

174 <Steps>

175 <Step title="Grant Full Disk Access">

176 The Messages database at `~/Library/Messages/chat.db` is protected by macOS. The first time the server reads it, macOS prompts for access: click **Allow**. The prompt names whichever app launched Bun, such as Terminal, iTerm, or your IDE.

177

178 If the prompt doesn't appear or you clicked Don't Allow, grant access manually under **System Settings > Privacy & Security > Full Disk Access** and add your terminal. Without this, the server exits immediately with `authorization denied`.

179 </Step>

180

181 <Step title="Install the plugin">

182 In Claude Code, run:

183

184 ```

185 /plugin install imessage@claude-plugins-official

186 ```

187

188 If Claude Code reports that the plugin is not found in any marketplace, your marketplace is either missing or outdated. Run `/plugin marketplace update claude-plugins-official` to refresh it, or `/plugin marketplace add anthropics/claude-plugins-official` if you haven't added it before. Then retry the install.

189 </Step>

190

191 <Step title="Restart with channels enabled">

192 Exit Claude Code and restart with the channel flag:

193

194 ```bash theme={null}

195 claude --channels plugin:imessage@claude-plugins-official

196 ```

197 </Step>

198

199 <Step title="Text yourself">

200 Open Messages on any device signed into your Apple ID and send a message to yourself. It reaches Claude immediately: self-chat bypasses access control with no setup.

201

202 <Note>The first reply Claude sends triggers a macOS Automation prompt asking if your terminal can control Messages. Click **OK**.</Note>

203 </Step>

204

205 <Step title="Allow other senders">

206 By default, only your own messages pass through. To let another contact reach Claude, add their handle:

207

208 ```

209 /imessage:access allow +15551234567

210 ```

211

212 Handles are phone numbers in `+country` format or Apple ID emails like `user@example.com`.

213 </Step>

214 </Steps>

215 </Tab>

168</Tabs>216</Tabs>

169 217

170You can also [build your own channel](/en/channels-reference) for systems that don't have a plugin yet.218You can also [build your own channel](/en/channels-reference) for systems that don't have a plugin yet.

173 221

174Fakechat is an officially supported demo channel that runs a chat UI on localhost, with nothing to authenticate and no external service to configure.222Fakechat is an officially supported demo channel that runs a chat UI on localhost, with nothing to authenticate and no external service to configure.

175 223

176Once you install and enable fakechat, you can type in the browser and the message arrives in your Claude Code session. Claude replies, and the reply shows up back in the browser. After you've tested the fakechat interface, try out [Telegram](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/telegram) or [Discord](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/discord).224Once you install and enable fakechat, you can type in the browser and the message arrives in your Claude Code session. Claude replies, and the reply shows up back in the browser. After you've tested the fakechat interface, try out [Telegram](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/telegram), [Discord](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/discord), or [iMessage](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/imessage).

177 225

178To try the fakechat demo, you'll need:226To try the fakechat demo, you'll need:

179 227

217 </Step>265 </Step>

218</Steps>266</Steps>

219 267

220If Claude hits a permission prompt while you're away from the terminal, the session pauses until you respond. Channel servers that declare the [permission relay capability](/en/channels-reference#relay-permission-prompts) can forward these prompts to you so you can approve or deny remotely. For unattended use, [`--dangerously-skip-permissions`](/en/permissions#permission-modes) bypasses prompts entirely, but only use it in environments you trust.268If Claude hits a permission prompt while you're away from the terminal, the session pauses until you respond. Channel servers that declare the [permission relay capability](/en/channels-reference#relay-permission-prompts) can forward these prompts to you so you can approve or deny remotely. For unattended use, [`--dangerously-skip-permissions`](/en/permission-modes#skip-all-checks-with-bypasspermissions-mode) bypasses prompts entirely, but only use it in environments you trust.

221 269

222## Security270## Security

223 271

2303. In your Claude Code session, approve the code when prompted2783. In your Claude Code session, approve the code when prompted

2314. Your sender ID is added to the allowlist2794. Your sender ID is added to the allowlist

232 280

281iMessage works differently: texting yourself bypasses the gate automatically, and you add other contacts by handle with `/imessage:access allow`.

282

233On top of that, you control which servers are enabled each session with `--channels`, and on Team and Enterprise plans your organization controls availability with [`channelsEnabled`](#enterprise-controls).283On top of that, you control which servers are enabled each session with `--channels`, and on Team and Enterprise plans your organization controls availability with [`channelsEnabled`](#enterprise-controls).

234 284

235Being in `.mcp.json` isn't enough to push messages: a server also has to be named in `--channels`.285Being in `.mcp.json` isn't enough to push messages: a server also has to be named in `--channels`.

274 324

275Channels fill the gap in that list by pushing events from non-Claude sources into your already-running local session.325Channels fill the gap in that list by pushing events from non-Claude sources into your already-running local session.

276 326

277* **Chat bridge**: ask Claude something from your phone via Telegram or Discord, and the answer comes back in the same chat while the work runs on your machine against your real files.327* **Chat bridge**: ask Claude something from your phone via Telegram, Discord, or iMessage, and the answer comes back in the same chat while the work runs on your machine against your real files.

278* **[Webhook receiver](/en/channels-reference#example-build-a-webhook-receiver)**: a webhook from CI, your error tracker, a deploy pipeline, or other external service arrives where Claude already has your files open and remembers what you were debugging.328* **[Webhook receiver](/en/channels-reference#example-build-a-webhook-receiver)**: a webhook from CI, your error tracker, a deploy pipeline, or other external service arrives where Claude already has your files open and remembers what you were debugging.

279 329

280## Next steps330## Next steps

channels-reference.md +3 −3

Details

25* [Gate inbound messages](#gate-inbound-messages): sender checks to prevent prompt injection25* [Gate inbound messages](#gate-inbound-messages): sender checks to prevent prompt injection

26* [Relay permission prompts](#relay-permission-prompts): forward tool approval prompts to remote channels26* [Relay permission prompts](#relay-permission-prompts): forward tool approval prompts to remote channels

27 27

~~28To use an existing channel instead of building one, see [Channels](/en/channels). Telegram, Discord, and fakechat are included in the research preview.~~28To use an existing channel instead of building one, see [Channels](/en/channels). Telegram, Discord, iMessage, and fakechat are included in the research preview.

29 29

30## Overview30## Overview

31 31

421 421

422Gate on the sender's identity, not the chat or room identity: `message.from.id` in the example, not `message.chat.id`. In group chats, these differ, and gating on the room would let anyone in an allowlisted group inject messages into the session.422Gate on the sender's identity, not the chat or room identity: `message.from.id` in the example, not `message.chat.id`. In group chats, these differ, and gating on the room would let anyone in an allowlisted group inject messages into the session.

423 423

424The [Telegram](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/telegram) and [Discord](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/discord) channels gate on a sender allowlist the same way. They bootstrap the list by pairing: the user DMs the bot, the bot replies with a pairing code, the user approves it in their Claude Code session, and their platform ID is added. See either implementation for the full pairing flow.424The [Telegram](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/telegram) and [Discord](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/discord) channels gate on a sender allowlist the same way. They bootstrap the list by pairing: the user DMs the bot, the bot replies with a pairing code, the user approves it in their Claude Code session, and their platform ID is added. See either implementation for the full pairing flow. The [iMessage](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins/imessage) channel takes a different approach: it detects the user's own addresses from the Messages database at startup and lets them through automatically, with other senders added by handle.

425 425

426## Relay permission prompts426## Relay permission prompts

427 427

743 743

744## See also744## See also

745 745

746* [Channels](/en/channels) to install and use Telegram, Discord, or the fakechat demo, and to enable channels for a Team or Enterprise org746* [Channels](/en/channels) to install and use Telegram, Discord, iMessage, or the fakechat demo, and to enable channels for a Team or Enterprise org

747* [Working channel implementations](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins) for complete server code with pairing flows, reply tools, and file attachments747* [Working channel implementations](https://github.com/anthropics/claude-plugins-official/tree/main/external_plugins) for complete server code with pairing flows, reply tools, and file attachments

748* [MCP](/en/mcp) for the underlying protocol that channel servers implement748* [MCP](/en/mcp) for the underlying protocol that channel servers implement

749* [Plugins](/en/plugins) to package your channel so users can install it with `/plugin install`749* [Plugins](/en/plugins) to package your channel so users can install it with `/plugin install`

cli-reference.md +4 −2

Details

27| `claude auto-mode defaults` | Print the built-in [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) classifier rules as JSON. Use `claude auto-mode config` to see your effective config with settings applied | `claude auto-mode defaults > rules.json` |

28| `claude remote-control` | Start a [Remote Control](/en/remote-control) server to control Claude Code from Claude.ai or the Claude app. Runs in server mode (no local interactive session). See [Server mode flags](/en/remote-control#server-mode) | `claude remote-control --name "My Project"` |29| `claude remote-control` | Start a [Remote Control](/en/remote-control) server to control Claude Code from Claude.ai or the Claude app. Runs in server mode (no local interactive session). See [Server mode flags](/en/remote-control#server-mode) | `claude remote-control --name "My Project"` |

29 30

48| `--dangerously-load-development-channels` | Enable [channels](/en/channels-reference#test-during-the-research-preview) that are not on the approved allowlist, for local development. Accepts `plugin:<name>@<marketplace>` and `server:<name>` entries. Prompts for confirmation | `claude --dangerously-load-development-channels server:webhook` |49| `--dangerously-load-development-channels` | Enable [channels](/en/channels-reference#test-during-the-research-preview) that are not on the approved allowlist, for local development. Accepts `plugin:<name>@<marketplace>` and `server:<name>` entries. Prompts for confirmation | `claude --dangerously-load-development-channels server:webhook` |

49| `--dangerously-skip-permissions` | Skip permission prompts (use with caution). See [permission modes](/en/permissions#permission-modes) for what this does and does not skip | `claude --dangerously-skip-permissions` |50| `--dangerously-skip-permissions` | Skip permission prompts (use with caution). See [permission modes](/en/permission-modes#skip-all-checks-with-bypasspermissions-mode) for what this does and does not skip | `claude --dangerously-skip-permissions` |

70| `--no-session-persistence` | Disable session persistence so sessions are not saved to disk and cannot be resumed (print mode only) | `claude -p --no-session-persistence "query"` |71| `--no-session-persistence` | Disable session persistence so sessions are not saved to disk and cannot be resumed (print mode only) | `claude -p --no-session-persistence "query"` |

72| `--permission-mode` | Begin in a specified [permission mode](/en/permissions#permission-modes) | `claude --permission-mode plan` |73| `--enable-auto-mode` | Unlock [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) in the `Shift+Tab` cycle. Requires a Team plan (Enterprise and API support rolling out shortly) and Claude Sonnet 4.6 or Opus 4.6 | `claude --enable-auto-mode` |

74| `--permission-mode` | Begin in a specified [permission mode](/en/permission-modes) | `claude --permission-mode plan` |

74| `--plugin-dir` | Load plugins from a directory for this session only. Each flag takes one path. Repeat the flag for multiple directories: `--plugin-dir A --plugin-dir B` | `claude --plugin-dir ./my-plugins` |76| `--plugin-dir` | Load plugins from a directory for this session only. Each flag takes one path. Repeat the flag for multiple directories: `--plugin-dir A --plugin-dir B` | `claude --plugin-dir ./my-plugins` |

75| `--print`, `-p` | Print response without interactive mode (see [Agent SDK documentation](https://platform.claude.com/docs/en/agent-sdk/overview) for programmatic usage details) | `claude -p "query"` |77| `--print`, `-p` | Print response without interactive mode (see [Agent SDK documentation](https://platform.claude.com/docs/en/agent-sdk/overview) for programmatic usage details) | `claude -p "query"` |

desktop.md +119 −29

Details

4 4

5# Use Claude Code Desktop5# Use Claude Code Desktop

6 6

~~7> Get more out of Claude Code Desktop: parallel sessions with Git isolation, visual diff review, app previews, PR monitoring, permission modes, connectors, and enterprise configuration.~~7> Get more out of Claude Code Desktop: computer use, Dispatch sessions from your phone, parallel sessions with Git isolation, visual diff review, app previews, PR monitoring, connectors, and enterprise configuration.

8 8

9The Code tab within the Claude Desktop app lets you use Claude Code through a graphical interface instead of the terminal.9The Code tab within the Claude Desktop app lets you use Claude Code through a graphical interface instead of the terminal.

10 10

12 12

13* [Visual diff review](#review-changes-with-diff-view) with inline comments13* [Visual diff review](#review-changes-with-diff-view) with inline comments

14* [Live app preview](#preview-your-app) with dev servers14* [Live app preview](#preview-your-app) with dev servers

15* [Computer use](#let-claude-use-your-computer) to open apps and control your screen on macOS

15* [GitHub PR monitoring](#monitor-pull-request-status) with auto-fix and auto-merge16* [GitHub PR monitoring](#monitor-pull-request-status) with auto-fix and auto-merge

16* [Parallel sessions](#work-in-parallel-with-sessions) with automatic Git worktree isolation17* [Parallel sessions](#work-in-parallel-with-sessions) with automatic Git worktree isolation

18* [Dispatch](#sessions-from-dispatch) integration: send a task from your phone, get a session here

17* [Scheduled tasks](#schedule-recurring-tasks) that run Claude on a recurring schedule19* [Scheduled tasks](#schedule-recurring-tasks) that run Claude on a recurring schedule

18* [Connectors](#connect-external-tools) for GitHub, Slack, Linear, and more20* [Connectors](#connect-external-tools) for GitHub, Slack, Linear, and more

19* Local, [SSH](#ssh-sessions), and [cloud](#run-long-running-tasks-remotely) environments21* Local, [SSH](#ssh-sessions), and [cloud](#run-long-running-tasks-remotely) environments

22 New to Desktop? Start with [Get started](/en/desktop-quickstart) to install the app and make your first edit.24 New to Desktop? Start with [Get started](/en/desktop-quickstart) to install the app and make your first edit.

23</Tip>25</Tip>

24 26

25This page covers [working with code](#work-with-code), [managing sessions](#manage-sessions), [extending Claude Code](#extend-claude-code), [scheduled tasks](#schedule-recurring-tasks), and [configuration](#environment-configuration). It also includes a [CLI comparison](#coming-from-the-cli) and [troubleshooting](#troubleshooting).27This page covers [working with code](#work-with-code), [computer use](#let-claude-use-your-computer), [managing sessions](#manage-sessions), [extending Claude Code](#extend-claude-code), [scheduled tasks](#schedule-recurring-tasks), and [configuration](#environment-configuration). It also includes a [CLI comparison](#coming-from-the-cli) and [troubleshooting](#troubleshooting).

26 28

27## Start a session29## Start a session

28 30

57Permission modes control how much autonomy Claude has during a session: whether it asks before editing files, running commands, or both. You can switch modes at any time using the mode selector next to the send button. Start with Ask permissions to see exactly what Claude does, then move to Auto accept edits or Plan mode as you get comfortable.59Permission modes control how much autonomy Claude has during a session: whether it asks before editing files, running commands, or both. You can switch modes at any time using the mode selector next to the send button. Start with Ask permissions to see exactly what Claude does, then move to Auto accept edits or Plan mode as you get comfortable.

58 60

60| ---------------------- | ------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |62| ---------------------- | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

62| **Auto accept edits** | `acceptEdits` | Claude auto-accepts file edits but still asks before running terminal commands. Use this when you trust file changes and want faster iteration. |64| **Auto accept edits** | `acceptEdits` | Claude auto-accepts file edits but still asks before running terminal commands. Use this when you trust file changes and want faster iteration. |

63| **Plan mode** | `plan` | Claude analyzes your code and creates a plan without modifying files or running commands. Good for complex tasks where you want to review the approach first. |65| **Plan mode** | `plan` | Claude analyzes your code and creates a plan without modifying files or running commands. Good for complex tasks where you want to review the approach first. |

64| **Bypass permissions** | `bypassPermissions` | Claude runs without permission prompts, equivalent to `--dangerously-skip-permissions` in the CLI. Enable in your Settings → Claude Code under "Allow bypass permissions mode". Only use this in sandboxed containers or VMs. See [permission modes](/en/permissions#permission-modes) for what is and isn't skipped. Enterprise admins can disable this option. |66| **Auto** | `auto` | Claude executes all actions with background safety checks that verify alignment with your request. Reduces permission prompts while maintaining oversight. Currently a research preview. Available on Team plans (Enterprise rolling out shortly). Requires Claude Sonnet 4.6 or Opus 4.6. Enable in your Settings → Claude Code. |

67| **Bypass permissions** | `bypassPermissions` | Claude runs without any permission prompts, equivalent to `--dangerously-skip-permissions` in the CLI. Enable in your Settings → Claude Code under "Allow bypass permissions mode". Only use this in sandboxed containers or VMs. Enterprise admins can disable this option. |

65 68

~~66The `dontAsk` permission mode is available only in the [CLI](/en/permissions#permission-modes).~~69The `dontAsk` permission mode is available only in the [CLI](/en/permission-modes#allow-only-pre-approved-tools-with-dontask-mode).

67 70

68<Tip title="Best practice">71<Tip title="Best practice">

69 Start complex tasks in Plan mode so Claude maps out an approach before making changes. Once you approve the plan, switch to Auto accept edits or Ask permissions to execute it. See [explore first, then plan, then code](/en/best-practices#explore-first-then-plan-then-code) for more on this workflow.72 Start complex tasks in Plan mode so Claude maps out an approach before making changes. Once you approve the plan, switch to Auto accept edits or Ask permissions to execute it. See [explore first, then plan, then code](/en/best-practices#explore-first-then-plan-then-code) for more on this workflow.

121 PR monitoring requires the [GitHub CLI (`gh`)](https://cli.github.com/) to be installed and authenticated on your machine. If `gh` is not installed, Desktop prompts you to install it the first time you try to create a PR.124 PR monitoring requires the [GitHub CLI (`gh`)](https://cli.github.com/) to be installed and authenticated on your machine. If `gh` is not installed, Desktop prompts you to install it the first time you try to create a PR.

122</Note>125</Note>

123 126

127## Let Claude use your computer

128

129Computer use lets Claude open your apps, control your screen, and work directly on your machine the way you would. Ask Claude to test a native app in the iOS simulator, interact with a desktop tool that has no CLI, or automate something that only works through a GUI.

130

131<Note>

132 Computer use is a research preview on macOS that requires a Pro or Max plan. It is not available on Team or Enterprise plans. The Claude Desktop app must be running.

133</Note>

134

135Computer use is off by default. [Enable it in Settings](#enable-computer-use) and grant the required macOS permissions before Claude can control your screen.

136

137<Warning>

138 Unlike the [sandboxed Bash tool](/en/sandboxing), computer use runs on your actual desktop with access to whatever you approve. Claude checks each action and flags potential prompt injection from on-screen content, but the trust boundary is different. See the [computer use safety guide](https://support.claude.com/en/articles/14128542) for best practices.

139</Warning>

140

141### When computer use applies

142

143Claude has several ways to interact with an app or service, and computer use is the broadest and slowest. It tries the most precise tool first:

144

145* If you have a [connector](#connect-external-tools) for a service, Claude uses the connector.

146* If the task is a shell command, Claude uses Bash.

147* If the task is browser work and you have [Claude in Chrome](/en/chrome) set up, Claude uses that.

148* If none of those apply, Claude uses computer use.

149

150The [per-app access tiers](#app-permissions) reinforce this: browsers are capped at view-only, and terminals and IDEs at click-only, steering Claude toward the dedicated tool even when computer use is active. Screen control is reserved for things nothing else can reach, like native apps, hardware control panels, the iOS simulator, or proprietary tools without an API.

151

152### Enable computer use

153

154Computer use is off by default. If you ask Claude to do something that needs it while it's off, Claude tells you it could do the task if you enable computer use in Settings. To enable it, open **Settings > Desktop app > General** and toggle **Computer use** on. Before the toggle takes effect, you need to grant two macOS system permissions:

155

156* **Accessibility**: lets Claude click, type, and scroll

157* **Screen Recording**: lets Claude see what's on your screen

158

159The Settings page shows the current status of each permission. If either is denied, click the badge to open the relevant System Settings pane.

160

161### App permissions

162

163The first time Claude needs to use an app, a prompt appears in your session. Click **Allow for this session** or **Deny**. Approvals last for the current session, or 30 minutes in [Dispatch-spawned sessions](#sessions-from-dispatch).

164

165The prompt also shows what level of control Claude gets for that app. These tiers are fixed by app category and can't be changed:

166

167| Tier | What Claude can do | Applies to |

168| :----------- | :------------------------------------------------------- | :-------------------------- |

169| View only | See the app in screenshots | Browsers, trading platforms |

170| Click only | Click and scroll, but not type or use keyboard shortcuts | Terminals, IDEs |

171| Full control | Click, type, drag, and use keyboard shortcuts | Everything else |

172

173Apps with broad reach like Terminal, Finder, and System Settings show an extra warning in the prompt so you know what approving them grants.

174

175You can configure two settings in **Settings > Desktop app > General**:

176

177* **Denied apps**: add apps here to reject them without prompting. Claude may still affect a denied app indirectly through actions in an allowed app, but it can't interact with the denied app directly.

178* **Unhide apps when Claude finishes**: while Claude is working, your other windows are hidden so it interacts with only the approved app. When Claude finishes, hidden windows are restored unless you turn this setting off.

179

124## Manage sessions180## Manage sessions

125 181

126Each session is an independent conversation with its own context and changes. You can run multiple sessions in parallel or send work to the cloud.182Each session is an independent conversation with its own context and changes. You can run multiple sessions in parallel, send work to the cloud, or let Dispatch start sessions for you from your phone.

127 183

128### Work in parallel with sessions184### Work in parallel with sessions

129 185

152* **Claude Code on the Web**: sends your local session to continue running remotely. Desktop pushes your branch, generates a summary of the conversation, and creates a new remote session with the full context. You can then choose to archive the local session or keep it. This requires a clean working tree, and is not available for SSH sessions.208* **Claude Code on the Web**: sends your local session to continue running remotely. Desktop pushes your branch, generates a summary of the conversation, and creates a new remote session with the full context. You can then choose to archive the local session or keep it. This requires a clean working tree, and is not available for SSH sessions.

153* **Your IDE**: opens your project in a supported IDE at the current working directory.209* **Your IDE**: opens your project in a supported IDE at the current working directory.

154 210

211### Sessions from Dispatch

212

213[Dispatch](https://support.claude.com/en/articles/13947068) is a persistent conversation with Claude that lives in the [Cowork](https://claude.com/product/cowork#dispatch-and-computer-use) tab. You message Dispatch a task, and it decides how to handle it.

214

215A task can end up as a Code session in two ways: you ask for one directly, such as "open a Claude Code session and fix the login bug", or Dispatch decides the task is development work and spawns one on its own. Tasks that typically route to Code include fixing bugs, updating dependencies, running tests, or opening pull requests. Research, document editing, and spreadsheet work stay in Cowork.

216

217Either way, the Code session appears in the Code tab's sidebar with a **Dispatch** badge. You get a push notification on your phone when it finishes or needs your approval.

218

219If you have [computer use](#let-claude-use-your-computer) enabled, Dispatch-spawned Code sessions can use it too. App approvals in those sessions expire after 30 minutes and re-prompt, rather than lasting the full session like regular Code sessions.

220

221For setup, pairing, and Dispatch settings, see the [Dispatch help article](https://support.claude.com/en/articles/13947068). Dispatch requires a Pro or Max plan and is not available on Team or Enterprise plans.

222

223Dispatch is one of several ways to work with Claude when you're away from your terminal. See [Platforms and integrations](/en/platforms#work-when-you-are-away-from-your-terminal) to compare it with Remote Control, Channels, Slack, and scheduled tasks.

224

155## Extend Claude Code225## Extend Claude Code

156 226

157Connect external services, add reusable workflows, customize Claude's behavior, and configure preview servers.227Connect external services, add reusable workflows, customize Claude's behavior, and configure preview servers.

325 395

326### Compare scheduling options396### Compare scheduling options

327 397

328<Snippet file="scheduling-comparison.mdx" />398Claude Code offers three ways to schedule recurring work:

399

401| :------------------------- | :------------------------------- | :---------------------------------------------- | :----------------------------- |

403| Requires machine on | No | Yes | Yes |

404| Requires open session | No | No | Yes |

405| Persistent across restarts | Yes | Yes | No (session-scoped) |

406| Access to local files | No (fresh clone) | Yes | Yes |

409| Customizable schedule | Via `/schedule` in the CLI | Yes | Yes |

411

412<Tip>

413 Use **cloud tasks** for work that should run reliably without your machine. Use **Desktop tasks** when you need access to local files and tools. Use **`/loop`** for quick polling during a session.

414</Tip>

329 415

330The Schedule page supports two kinds of tasks:416The Schedule page supports two kinds of tasks:

331 417

449Managed settings override project and user settings and apply when Desktop spawns CLI sessions. You can set these keys in your organization's [managed settings](/en/settings#settings-precedence) file or push them remotely through the admin console.535Managed settings override project and user settings and apply when Desktop spawns CLI sessions. You can set these keys in your organization's [managed settings](/en/settings#settings-precedence) file or push them remotely through the admin console.

450 536

451| Key | Description |537| Key | Description |

452| ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------- |538| ------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

453| `disableBypassPermissionsMode` | set to `"disable"` to prevent users from enabling Bypass permissions mode. See [managed settings](/en/permissions#managed-only-settings). |539| `permissions.disableBypassPermissionsMode` | set to `"disable"` to prevent users from enabling Bypass permissions mode. |

540| `disableAutoMode` | set to `"disable"` to prevent users from enabling [Auto](/en/permission-modes#eliminate-prompts-with-auto-mode) mode. Removes Auto from the mode selector. Also accepted under `permissions`. |

541| `autoMode` | customize what the auto mode classifier trusts and blocks across your organization. See [Configure the auto mode classifier](/en/permissions#configure-the-auto-mode-classifier). |

454 542

455For the complete list of managed-only settings including `allowManagedPermissionRulesOnly` and `allowManagedHooksOnly`, see [managed-only settings](/en/permissions#managed-only-settings).543`permissions.disableBypassPermissionsMode` and `disableAutoMode` also work in user and project settings, but placing them in managed settings prevents users from overriding them. `autoMode` is read from user settings, `.claude/settings.local.json`, and managed settings, but not from the checked-in `.claude/settings.json`: a cloned repo cannot inject its own classifier rules. For the complete list of managed-only settings including `allowManagedPermissionRulesOnly` and `allowManagedHooksOnly`, see [managed-only settings](/en/permissions#managed-only-settings).

456 544

457Remote managed settings uploaded through the admin console currently apply to CLI and IDE sessions only. For Desktop-specific restrictions, use the admin console controls above.545Remote managed settings uploaded through the admin console currently apply to CLI and IDE sessions only. For Desktop-specific restrictions, use the admin console controls above.

458 546

498 586

499| CLI | Desktop equivalent |587| CLI | Desktop equivalent |

500| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |588| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- |

504| `--dangerously-skip-permissions` | Bypass permissions mode. Enable in Settings → Claude Code → "Allow bypass permissions mode". Enterprise admins can disable this setting. |592| `--dangerously-skip-permissions` | Bypass permissions mode. Enable in Settings → Claude Code → "Allow bypass permissions mode". Enterprise admins can disable this setting. |

507| `--verbose` | not available. Check system logs: Console.app on macOS, Event Viewer → Windows Logs → Application on Windows |595| `--verbose` | Not available. Check system logs: Console.app on macOS, Event Viewer → Windows Logs → Application on Windows |

510| `MAX_THINKING_TOKENS` env var | set in shell profile; applies to local sessions. See [environment configuration](#environment-configuration). |598| `MAX_THINKING_TOKENS` env var | Set in shell profile; applies to local sessions. See [environment configuration](#environment-configuration). |

511 599

512### Shared configuration600### Shared configuration

513 601

529 617

530| Feature | CLI | Desktop |618| Feature | CLI | Desktop |

531| ----------------------------------------------------- | --------------------------------------------------------- | ------------------------------------------------------------------------------------------- |619| ----------------------------------------------------- | --------------------------------------------------------- | ------------------------------------------------------------------------------------------- |

631| Dispatch integration | Not available | [Dispatch sessions](#sessions-from-dispatch) in the sidebar |

632| Scripting and automation | [`--print`](/en/cli-reference), [Agent SDK](/en/headless) | Not available |

543 633

544### What's not available in Desktop634### What's not available in Desktop

545 635

hooks.md +2 −2

Details

448Hook events receive these fields as JSON, in addition to event-specific fields documented in each [hook event](#hook-events) section. For command hooks, this JSON arrives via stdin. For HTTP hooks, it arrives as the POST request body.448Hook events receive these fields as JSON, in addition to event-specific fields documented in each [hook event](#hook-events) section. For command hooks, this JSON arrives via stdin. For HTTP hooks, it arrives as the POST request body.

449 449

450| Field | Description |450| Field | Description |

451| :---------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |451| :---------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |

454| `cwd` | Current working directory when the hook is invoked |454| `cwd` | Current working directory when the hook is invoked |

455| `permission_mode` | Current [permission mode](/en/permissions#permission-modes): `"default"`, `"plan"`, `"acceptEdits"`, `"dontAsk"`, or `"bypassPermissions"`. Not all events receive this field: see each event's JSON example below to check |455| `permission_mode` | Current [permission mode](/en/permissions#permission-modes): `"default"`, `"plan"`, `"acceptEdits"`, `"auto"`, `"dontAsk"`, or `"bypassPermissions"`. Not all events receive this field: see each event's JSON example below to check |

457 457

458When running with `--agent` or inside a subagent, two additional fields are included:458When running with `--agent` or inside a subagent, two additional fields are included:

how-claude-code-works.md +1 −0

Details

161* **Default**: Claude asks before file edits and shell commands161* **Default**: Claude asks before file edits and shell commands

162* **Auto-accept edits**: Claude edits files without asking, still asks for commands162* **Auto-accept edits**: Claude edits files without asking, still asks for commands

163* **Plan mode**: Claude uses read-only tools only, creating a plan you can approve before execution163* **Plan mode**: Claude uses read-only tools only, creating a plan you can approve before execution

164* **Auto mode**: Claude evaluates all actions with background safety checks. Currently a research preview

164 165

165You can also allow specific commands in `.claude/settings.json` so Claude doesn't ask each time. This is useful for trusted commands like `npm test` or `git status`. Settings can be scoped from organization-wide policies down to personal preferences. See [Permissions](/en/permissions) for details.166You can also allow specific commands in `.claude/settings.json` so Claude doesn't ask each time. This is useful for trusted commands like `npm test` or `git status`. Settings can be scoped from organization-wide policies down to personal preferences. See [Permissions](/en/permissions) for details.

166 167

interactive-mode.md +2 −2

Details

23### General controls23### General controls

24 24

26| :------------------------------------------------ | :------------------------------------------------------------------ | :----------------------------------------------------------------------------------------------------------------------------------------------- |26| :------------------------------------------------ | :------------------------------------------------------------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

40| `Shift+Tab` or `Alt+M` (some configurations) | Toggle permission modes | Switch between Auto-Accept Mode, Plan Mode, and normal mode. |40| `Shift+Tab` or `Alt+M` (some configurations) | Cycle permission modes | Cycle through `default`, `acceptEdits`, `plan`, and any modes you have enabled, such as `auto` or `bypassPermissions`. See [permission modes](/en/permission-modes). |

42| `Option+T` (macOS) or `Alt+T` (Windows/Linux) | Toggle extended thinking | Enable or disable extended thinking mode. Run `/terminal-setup` first to enable this shortcut |42| `Option+T` (macOS) or `Alt+T` (Windows/Linux) | Toggle extended thinking | Enable or disable extended thinking mode. Run `/terminal-setup` first to enable this shortcut |

43 43

llm-gateway.md +8 −2

Details

47 47

48## LiteLLM configuration48## LiteLLM configuration

49 49

~~50<Note>~~50<Warning>

51 LiteLLM PyPI versions 1.82.7 and 1.82.8 were compromised with credential-stealing malware. Do not install these versions. If you have already installed them:

53 * Remove the package

54 * Rotate all credentials on affected systems

55 * Follow the remediation steps in [BerriAI/litellm#24518](https://github.com/BerriAI/litellm/issues/24518)

51 LiteLLM is a third-party proxy service. Anthropic doesn't endorse, maintain, or audit LiteLLM's security or functionality. This guide is provided for informational purposes and may become outdated. Use at your own discretion.57 LiteLLM is a third-party proxy service. Anthropic doesn't endorse, maintain, or audit LiteLLM's security or functionality. This guide is provided for informational purposes and may become outdated. Use at your own discretion.

~~52</Note>~~58</Warning>

53 59

54### Prerequisites60### Prerequisites

55 61

overview.md +3 −2

Details

198 Sessions aren't tied to a single surface. Move work between environments as your context changes:198 Sessions aren't tied to a single surface. Move work between environments as your context changes:

199 199

200 * Step away from your desk and keep working from your phone or any browser with [Remote Control](/en/remote-control)200 * Step away from your desk and keep working from your phone or any browser with [Remote Control](/en/remote-control)

201 * Message [Dispatch](/en/desktop#sessions-from-dispatch) a task from your phone and open the Desktop session it creates

201 * Kick off a long-running task on the [web](/en/claude-code-on-the-web) or [iOS app](https://apps.apple.com/app/claude-by-anthropic/id6473753684), then pull it into your terminal with `/teleport`202 * Kick off a long-running task on the [web](/en/claude-code-on-the-web) or [iOS app](https://apps.apple.com/app/claude-by-anthropic/id6473753684), then pull it into your terminal with `/teleport`

202 * Hand off a terminal session to the [Desktop app](/en/desktop) with `/desktop` for visual diff review203 * Hand off a terminal session to the [Desktop app](/en/desktop) with `/desktop` for visual diff review

203 * Route tasks from team chat: mention `@Claude` in [Slack](/en/slack) with a bug report and get a pull request back204 * Route tasks from team chat: mention `@Claude` in [Slack](/en/slack) with a bug report and get a pull request back

211Beyond the [Terminal](/en/quickstart), [VS Code](/en/vs-code), [JetBrains](/en/jetbrains), [Desktop](/en/desktop), and [Web](/en/claude-code-on-the-web) environments above, Claude Code integrates with CI/CD, chat, and browser workflows:212Beyond the [Terminal](/en/quickstart), [VS Code](/en/vs-code), [JetBrains](/en/jetbrains), [Desktop](/en/desktop), and [Web](/en/claude-code-on-the-web) environments above, Claude Code integrates with CI/CD, chat, and browser workflows:

212 213

213| I want to... | Best option |214| I want to... | Best option |

214| --------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |215| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------- |

215| Continue a local session from my phone or another device | [Remote Control](/en/remote-control) |216| Continue a local session from my phone or another device | [Remote Control](/en/remote-control) |

216| Push events from Telegram, Discord, or my own webhooks into a session | [Channels](/en/channels) |217| Push events from Telegram, Discord, iMessage, or my own webhooks into a session | [Channels](/en/channels) |

217| Start a task locally, continue on mobile | [Web](/en/claude-code-on-the-web) or [Claude iOS app](https://apps.apple.com/app/claude-by-anthropic/id6473753684) |218| Start a task locally, continue on mobile | [Web](/en/claude-code-on-the-web) or [Claude iOS app](https://apps.apple.com/app/claude-by-anthropic/id6473753684) |

218| Run Claude on a recurring schedule | [Cloud scheduled tasks](/en/web-scheduled-tasks) or [Desktop scheduled tasks](/en/desktop#schedule-recurring-tasks) |219| Run Claude on a recurring schedule | [Cloud scheduled tasks](/en/web-scheduled-tasks) or [Desktop scheduled tasks](/en/desktop#schedule-recurring-tasks) |

219| Automate PR reviews and issue triage | [GitHub Actions](/en/github-actions) or [GitLab CI/CD](/en/gitlab-ci-cd) |220| Automate PR reviews and issue triage | [GitHub Actions](/en/github-actions) or [GitLab CI/CD](/en/gitlab-ci-cd) |

permission-modes.md +290 −0 created

Details

1> ## Documentation Index

2> Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt

3> Use this file to discover all available pages before exploring further.

5# Choose a permission mode

7> Switch between supervised editing, read-only planning, and auto mode where a background classifier replaces manual permission prompts. Cycle modes with Shift+Tab in the CLI or use the mode selector in VS Code, Desktop, and claude.ai.

9Permission modes control whether Claude asks before acting. Different tasks call for different levels of autonomy: you might want full oversight for sensitive work, minimal interruptions for a long refactor, or read-only access while exploring a codebase.

11This page covers how to:

13* [Switch modes](#switch-permission-modes) during a session, at startup, or as a default

14* [Choose a mode](#available-modes) based on what Claude should be able to do without asking

15* [Run auto mode](#eliminate-prompts-with-auto-mode) with background safety checks, and see what it [blocks by default](#what-the-classifier-blocks-by-default)

16* [Plan changes read-only](#analyze-before-you-edit-with-plan-mode) before approving edits

17* [Restrict Claude to pre-approved tools](#allow-only-pre-approved-tools-with-dontask-mode) for locked-down environments

18* [Skip checks entirely](#skip-all-checks-with-bypasspermissions-mode) in isolated environments

20## Switch permission modes

22You can switch modes at any time during a session, at startup, or as a persistent default. The mechanism depends on where you're running Claude Code.

24<Tabs>

25 <Tab title="CLI">

26 **During a session**: press `Shift+Tab` to cycle through `default` → `acceptEdits` → `plan` → `auto`. The current mode appears in the status bar. `auto` does not appear in the cycle until you pass `--enable-auto-mode` at startup. Auto also requires a Team (or Enterprise/API once available) plan and Claude Sonnet 4.6 or Opus 4.6, so the option may remain unavailable even with the flag. If `bypassPermissions` is also enabled, it appears in the cycle between `plan` and `auto`.

28 **At startup**: pass the mode as a CLI flag:

30 ```bash theme={null}

31 claude --permission-mode plan

32 ```

34 **As a default**: set `defaultMode` in your [settings file](/en/settings#settings-files):

36 ```json theme={null}

37 {

38 "permissions": {

39 "defaultMode": "acceptEdits"

40 }

41 }

42 ```

44 **Non-interactively**: the same flag works with `-p` for scripted runs:

46 ```bash theme={null}

47 claude -p "refactor auth" --permission-mode acceptEdits

48 ```

50 `dontAsk` is never in the `Shift+Tab` cycle. `bypassPermissions` appears in the cycle only if you started the session with `--permission-mode bypassPermissions`, `--dangerously-skip-permissions`, or `--allow-dangerously-skip-permissions`. The third flag adds the mode to the cycle without activating it, so you can compose it with a different starting mode like `--permission-mode plan`. Set any of these at startup or in your settings file.

51 </Tab>

53 <Tab title="JetBrains">

54 The JetBrains plugin launches Claude Code in the IDE terminal, so switching modes works the same as in the CLI: press `Shift+Tab` to cycle, or pass `--permission-mode` when launching.

55 </Tab>

57 <Tab title="VS Code">

58 **During a session**: click the mode indicator at the bottom of the prompt box to switch modes.

60 **As a default**: set `claudeCode.initialPermissionMode` in VS Code settings, or use the Claude Code extension settings panel.

62 The VS Code UI uses friendly labels that map to the settings keys below:

64 | UI label | Settings key |

65 | :----------------- | :------------------ |

66 | Ask permissions | `default` |

67 | Auto accept edits | `acceptEdits` |

68 | Plan mode | `plan` |

69 | Auto | `auto` |

70 | Bypass permissions | `bypassPermissions` |

72 Auto and Bypass permissions appear only after you enable **Allow dangerously skip permissions** in the extension settings. Auto also requires a Team plan and Claude Sonnet 4.6 or Opus 4.6, so the option may remain unavailable even with the toggle on.

74 See the [VS Code guide](/en/vs-code) for extension-specific details.

75 </Tab>

77 <Tab title="Desktop">

78 **During a session**: use the mode selector next to the send button. You can change it before or during a session.

80 The Desktop UI uses friendly labels that map to the settings keys below:

82 | UI label | Settings key |

83 | :----------------- | :------------------ |

84 | Ask permissions | `default` |

85 | Auto accept edits | `acceptEdits` |

86 | Plan mode | `plan` |

87 | Auto | `auto` |

88 | Bypass permissions | `bypassPermissions` |

90 Auto and Bypass permissions appear in the selector only after you enable them in Desktop settings. See the [Desktop guide](/en/desktop#choose-a-permission-mode) for details.

91 </Tab>

93 <Tab title="Web and mobile">

94 **During a session**: use the mode dropdown next to the prompt box on [claude.ai/code](https://claude.ai/code) or in the Claude mobile app.

96 For [Claude Code on the web](/en/claude-code-on-the-web) sessions running on Anthropic's cloud VMs, the dropdown offers Auto accept edits and Plan mode. Ask permissions and Auto are not available for cloud sessions.

98 For [Remote Control](/en/remote-control) sessions running on your local machine, the dropdown offers Ask permissions, Auto accept edits, and Plan mode. You can also set the starting mode when you launch the local host:

100 ```bash theme={null}

101 claude remote-control --permission-mode acceptEdits

102 ```

103

104 Permission prompts appear in claude.ai for approval.

105 </Tab>

106</Tabs>

107

108Permission modes are set through the UI, CLI flags, or settings files. Telling Claude "stop asking for permission" in the chat does not change the mode. See [Permissions](/en/permissions) for how modes interact with allow, ask, and deny rules.

109

110## Available modes

111

112Each mode makes a different tradeoff between convenience and oversight. Pick the one that matches your task.

113

114| Mode | What Claude can do without asking | Best for |

115| :------------------------------------------------------------------ | :----------------------------------------- | :------------------------------------------ |

116| `default` | Read files | Getting started, sensitive work |

117| `acceptEdits` | Read and edit files | Iterating on code you're reviewing |

118| [`plan`](#analyze-before-you-edit-with-plan-mode) | Read files | Exploring a codebase, planning a refactor |

119| [`auto`](#eliminate-prompts-with-auto-mode) | All actions, with background safety checks | Long-running tasks, reducing prompt fatigue |

120| [`bypassPermissions`](#skip-all-checks-with-bypasspermissions-mode) | All actions, no checks | Isolated containers and VMs only |

121| [`dontAsk`](#allow-only-pre-approved-tools-with-dontask-mode) | Only pre-approved tools | Locked-down environments |

122

123## Analyze before you edit with plan mode

124

125Plan mode tells Claude to research and propose changes without making them. Claude reads files, runs shell commands to explore, asks clarifying questions, and writes a plan file, but does not edit your source code. Permission prompts work the same as default mode: you still approve Bash commands, network requests, and other actions that would normally prompt.

126

127### When to use plan mode

128

129Plan mode is useful when you want Claude to research and propose an approach before making changes:

130

131* **Multi-step implementation**: when a feature requires edits across many files

132* **Code exploration**: when you want to research the codebase before changing anything

133* **Interactive development**: when you want to iterate on the direction with Claude

134

135### Start and use plan mode

136

137Enter plan mode for a single request by prefixing your prompt with `/plan`, or switch the whole session into plan mode by pressing `Shift+Tab` to [cycle through permission modes](#switch-permission-modes). You can also start in plan mode from the CLI:

138

139```bash theme={null}

140claude --permission-mode plan

141```

142

143This example starts a planning session for a complex refactor:

144

145```text theme={null}

146I need to refactor our authentication system to use OAuth2. Create a detailed migration plan.

147```

148

149Claude analyzes the current implementation and creates a plan. Refine with follow-ups:

150

151```text theme={null}

152What about backward compatibility?

153How should we handle database migration?

154```

155

156When the plan is ready, Claude presents it and asks how to proceed. From that prompt you can:

157

158* Approve and start in auto mode

159* Approve and accept edits

160* Approve and manually review each edit

161* Keep planning, which sends your feedback back to Claude for another round

162

163Each approve option also offers to clear the planning context first.

164

165## Eliminate prompts with auto mode

166

167Auto mode is available on Team plans, with Enterprise and API support rolling out shortly. On Team and Enterprise, an admin must enable it in [Claude Code admin settings](https://claude.ai/admin-settings/claude-code) before users can turn it on. It requires Claude Sonnet 4.6 or Claude Opus 4.6, and is not available on Haiku, claude-3 models, or third-party providers (Bedrock, Vertex, Foundry).

168

169Auto mode lets Claude execute actions without showing permission prompts. Before each action runs, a separate classifier model reviews the conversation and decides whether the action matches what you asked for: it blocks actions that escalate beyond the task scope, target infrastructure the classifier doesn't recognize as trusted, or appear to be driven by hostile content encountered in a file or web page. For a deeper look at how the classifier is designed, see the [auto mode announcement](https://claude.com/blog/auto-mode).

170

171<Warning>

172 Auto mode is a research preview. It reduces prompts but does not guarantee safety. It provides more protection than `bypassPermissions` but is not as thorough as manually reviewing each action. Use it for tasks where you trust the general direction, not as a replacement for review on sensitive operations.

173</Warning>

174

175**Model**: the classifier runs on Claude Sonnet 4.6, even if your main session uses a different model.

176

177**Cost**: classifier calls count toward your token usage the same as main-session calls. Each checked action sends a portion of the conversation transcript plus the pending action to the classifier. The extra cost comes mainly from shell commands and network operations, since read-only actions and file edits in your working directory don't trigger a classifier call.

178

179**Latency**: each classifier check adds a round-trip before the action executes.

180

181### How actions are evaluated

182

183Each action goes through a fixed decision order. The first matching step wins:

184

1851. Actions matching your [allow or deny rules](/en/permissions#manage-permissions) resolve immediately

1862. Read-only actions and file edits in your working directory are auto-approved

1873. Everything else goes to the classifier

1884. If the classifier blocks, Claude receives the reason and attempts an alternative approach

189

190On entering auto mode, Claude Code drops any allow rule that is known to grant arbitrary code execution: blanket shell access like `Bash(*)`, wildcarded script interpreters like `Bash(python*)` or `Bash(node*)`, package-manager run commands, and any `Agent` allow rule. These rules would auto-approve the commands and subagent delegations most capable of causing damage before the classifier ever sees them. Narrow rules like `Bash(npm test)` carry over. The dropped rules are restored when you leave auto mode.

191

192The classifier receives user messages and tool calls as input, with Claude's own text and tool results stripped out. It also receives your CLAUDE.md content, so actions described in your project instructions are factored into allow and block decisions. Because tool results never reach the classifier, hostile content in a file or web page cannot manipulate it directly. The classifier evaluates the pending action against a customizable set of block and allow rules, checking whether the action is an overeager escalation beyond what you asked for, a mistake about what's safe to touch, or a sudden departure from your stated intent that suggests Claude may have been steered by something it read.

193

194Unlike your permission rules, which match tool names and argument patterns, the classifier reads prose descriptions of what to block and allow: it reasons about the action in context rather than matching syntax.

195

196### How auto mode handles subagents

197

198When Claude spawns a [subagent](/en/sub-agents), the classifier evaluates the delegated task before the subagent starts. A task description that looks dangerous on its own, like "delete all remote branches matching this pattern", is blocked at spawn time.

199

200Inside the subagent, auto mode runs with the same block and allow rules as the parent session. Any `permissionMode` the subagent defines in its own frontmatter is ignored. The subagent's own tool calls go through the classifier independently.

201

202When the subagent finishes, the classifier reviews its full action history. A subagent that was benign at spawn could have been compromised mid-run by content it read. If the return check flags a concern, a security warning is prepended to the subagent's results so the main agent can decide how to proceed.

203

204### What the classifier blocks by default

205

206Out of the box, the classifier trusts your working directory and, if you're in a git repo, that repo's configured remotes. Everything else is treated as external: your company's source control orgs, cloud buckets, and internal services are unknown until you tell the classifier about them.

207

208**Blocked by default**:

209

210* Downloading and executing code, like `curl | bash` or scripts from cloned repos

211* Sending sensitive data to external endpoints

212* Production deploys and migrations

213* Mass deletion on cloud storage

214* Granting IAM or repo permissions

215* Modifying shared infrastructure

216* Irreversibly destroying files that existed before the session started

217* Destructive source control operations like force push or pushing directly to `main`

218

219**Allowed by default**:

220

221* Local file operations in your working directory

222* Installing dependencies already declared in your lock files or manifests

223* Reading `.env` and sending credentials to their matching API

224* Read-only HTTP requests

225* Pushing to the branch you started on or one Claude created

226

227To see the full default rule lists as the classifier receives them, run `claude auto-mode defaults`.

228

229If auto mode blocks something routine for your team, like pushing to your own org's repo or writing to a company bucket, it's because the classifier doesn't know those are trusted. Administrators can add trusted repos, buckets, and internal services via the `autoMode.environment` setting: see [Configure the auto mode classifier](/en/permissions#configure-the-auto-mode-classifier) for the full configuration guide.

230

231### When auto mode falls back

232

233The fallback design keeps false positives from derailing a session: a mistaken block costs Claude a retry, not your progress. If the classifier blocks an action 3 times in a row or 20 times total in one session, auto mode pauses and Claude Code resumes prompting for each action. These thresholds are not configurable.

234

235* **CLI**: you see a notification in the status area. Approving the prompted action resets the denial counters, so you can continue in auto mode

236* **Non-interactive mode** with the `-p` flag: aborts the session, since there is no user to prompt

237

238Repeated blocks usually mean one of two things: the task genuinely requires actions the classifier is built to stop, or the classifier is missing context about your trusted infrastructure and treating safe actions as risky. If the blocks look like false positives, or if the classifier misses something it should have caught, use `/feedback` to report it. If blocks are happening because the classifier doesn't recognize your repos or services as trusted, have an administrator [configure trusted infrastructure](/en/permissions#configure-the-auto-mode-classifier) in managed settings.

239

240## Allow only pre-approved tools with dontAsk mode

241

242`dontAsk` mode auto-denies every tool that is not explicitly allowed. Only actions matching your `/permissions` allow rules or `permissions.allow` settings can execute. If a tool has an explicit `ask` rule, the action is also denied rather than prompting. This makes the mode fully non-interactive, suitable for CI pipelines or restricted environments where you pre-define exactly what Claude is permitted to do.

243

244```bash theme={null}

245claude --permission-mode dontAsk

246```

247

248## Skip all checks with bypassPermissions mode

249

250`bypassPermissions` mode disables all permission prompts and safety checks. Every tool call executes immediately without any verification. Only use this in isolated environments like containers, VMs, or devcontainers without internet access, where Claude Code cannot cause damage to your host system.

251

252```bash theme={null}

253claude --permission-mode bypassPermissions

254```

255

256The `--dangerously-skip-permissions` flag is equivalent to `--permission-mode bypassPermissions`:

257

258```bash theme={null}

259claude -p "refactor the auth module" --dangerously-skip-permissions

260```

261

262<Warning>

263 `bypassPermissions` mode offers no protection against prompt injection or unintended actions. For a safer alternative that still maintains background safety checks, use [auto mode](#eliminate-prompts-with-auto-mode). Administrators can block this mode by setting `permissions.disableBypassPermissionsMode` to `"disable"` in [managed settings](/en/permissions#managed-settings).

264</Warning>

265

266## Compare permission approaches

267

268The table below summarizes the key differences in how each mode handles approvals. `plan` is omitted since it restricts what Claude can do rather than how approvals work.

269

271| :----------------- | :---------------------- | :------------------ | :---------------------------- | :------------------------------- | :------------------ |

275

276## Customize permissions further

277

278Permission modes set the baseline approval behavior. For control over individual tools or commands, layer additional configuration on top of the active mode.

279

280**Permission rules** are the first stop. Add `allow`, `ask`, or `deny` entries to your settings file to pre-approve safe commands, force a prompt for risky ones, or block specific tools entirely. Rules apply in every mode except `bypassPermissions`, which skips the permission layer entirely, and are matched by tool name and argument pattern. See [Manage permissions](/en/permissions#manage-permissions) for syntax and examples.

281

282**Hooks** cover logic that pattern-matching rules can't express. A [`PreToolUse` hook](/en/hooks#pretooluse-decision-control) runs before every tool call and can allow, deny, or escalate based on command content, file paths, time of day, or a response from an external policy service. A [`PermissionRequest` hook](/en/hooks#permissionrequest) intercepts the permission dialog itself and answers on your behalf. See [Hooks](/en/hooks) for configuration.

283

284## See also

285

286* [Permissions](/en/permissions): permission rules, syntax, managed policies

287* [Hooks](/en/hooks): custom permission logic, lifecycle scripting

288* [Security](/en/security): security safeguards and best practices

289* [Sandboxing](/en/sandboxing): filesystem and network isolation for Bash commands

290* [Non-interactive mode](/en/headless): run Claude Code programmatically with the `-p` flag

permissions.md +112 −3

Details

30 30

31## Permission modes31## Permission modes

32 32

~~33Claude Code supports several permission modes that control how tools are approved. Set the `defaultMode` in your [settings files](/en/settings#settings-files):~~33Claude Code supports several permission modes that control how tools are approved. See [Permission modes](/en/permission-modes) for when to use each one. Set the `defaultMode` in your [settings files](/en/settings#settings-files):

34 34

35| Mode | Description |35| Mode | Description |

~~36| :------------------ | :-------------------------------------------------------------------------------------- |~~36| :------------------ | :------------------------------------------------------------------------------------------------------------------------------- |

37| `default` | Standard behavior: prompts for permission on first use of each tool |37| `default` | Standard behavior: prompts for permission on first use of each tool |

38| `acceptEdits` | Automatically accepts file edit permissions for the session |38| `acceptEdits` | Automatically accepts file edit permissions for the session |

39| `plan` | Plan Mode: Claude can analyze but not modify files or execute commands |39| `plan` | Plan Mode: Claude can analyze but not modify files or execute commands |

40| `auto` | Auto-approves tool calls with background safety checks that verify actions align with your request. Currently a research preview |

40| `dontAsk` | Auto-denies tools unless pre-approved via `/permissions` or `permissions.allow` rules |41| `dontAsk` | Auto-denies tools unless pre-approved via `/permissions` or `permissions.allow` rules |

41| `bypassPermissions` | Skips permission prompts except for writes to protected directories (see warning below) |42| `bypassPermissions` | Skips permission prompts except for writes to protected directories (see warning below) |

42 43

44 `bypassPermissions` mode skips permission prompts. Writes to `.git`, `.claude`, `.vscode`, and `.idea` directories still prompt for confirmation to prevent accidental corruption of repository state and local configuration. Writes to `.claude/commands`, `.claude/agents`, and `.claude/skills` are exempt and do not prompt, because Claude routinely writes there when creating skills, subagents, and commands. Only use this mode in isolated environments like containers or VMs where Claude Code cannot cause damage. Administrators can prevent this mode by setting `disableBypassPermissionsMode` to `"disable"` in [managed settings](#managed-settings).45 `bypassPermissions` mode skips permission prompts. Writes to `.git`, `.claude`, `.vscode`, and `.idea` directories still prompt for confirmation to prevent accidental corruption of repository state and local configuration. Writes to `.claude/commands`, `.claude/agents`, and `.claude/skills` are exempt and do not prompt, because Claude routinely writes there when creating skills, subagents, and commands. Only use this mode in isolated environments like containers or VMs where Claude Code cannot cause damage. Administrators can prevent this mode by setting `disableBypassPermissionsMode` to `"disable"` in [managed settings](#managed-settings).

45</Warning>46</Warning>

46 47

48To prevent `bypassPermissions` or `auto` mode from being used, set `permissions.disableBypassPermissionsMode` or `disableAutoMode` to `"disable"` in any [settings file](/en/settings#settings-files). These are most useful in [managed settings](#managed-settings) where they cannot be overridden.

47## Permission rule syntax50## Permission rule syntax

48 51

49Permission rules follow the format `Tool` or `Tool(specifier)`.52Permission rules follow the format `Tool` or `Tool(specifier)`.

235 238

236| Setting | Description |239| Setting | Description |

237| :--------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |240| :--------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

238| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode and the `--dangerously-skip-permissions` flag |

239| `allowManagedPermissionRulesOnly` | When `true`, prevents user and project settings from defining `allow`, `ask`, or `deny` permission rules. Only rules in managed settings apply |241| `allowManagedPermissionRulesOnly` | When `true`, prevents user and project settings from defining `allow`, `ask`, or `deny` permission rules. Only rules in managed settings apply |

240| `allowManagedHooksOnly` | When `true`, prevents loading of user, project, and plugin hooks. Only managed hooks and SDK hooks are allowed |242| `allowManagedHooksOnly` | When `true`, prevents loading of user, project, and plugin hooks. Only managed hooks and SDK hooks are allowed |

241| `allowManagedMcpServersOnly` | When `true`, only `allowedMcpServers` from managed settings are respected. `deniedMcpServers` still merges from all sources. See [Managed MCP configuration](/en/mcp#managed-mcp-configuration) |243| `allowManagedMcpServersOnly` | When `true`, only `allowedMcpServers` from managed settings are respected. `deniedMcpServers` still merges from all sources. See [Managed MCP configuration](/en/mcp#managed-mcp-configuration) |

248 Access to [Remote Control](/en/remote-control) and [web sessions](/en/claude-code-on-the-web) is not controlled by a managed settings key. On Team and Enterprise plans, an admin enables or disables these features in [Claude Code admin settings](https://claude.ai/admin-settings/claude-code).250 Access to [Remote Control](/en/remote-control) and [web sessions](/en/claude-code-on-the-web) is not controlled by a managed settings key. On Team and Enterprise plans, an admin enables or disables these features in [Claude Code admin settings](https://claude.ai/admin-settings/claude-code).

249</Note>251</Note>

250 252

253## Configure the auto mode classifier

254

255[Auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) uses a classifier model to decide whether each action is safe to run without prompting. Out of the box it trusts only the working directory and, if present, the current repo's remotes. Actions like pushing to your company's source control org or writing to a team cloud bucket will be blocked as potential data exfiltration. The `autoMode` settings block lets you tell the classifier which infrastructure your organization trusts.

256

257The classifier reads `autoMode` from user settings, `.claude/settings.local.json`, and managed settings. It does not read from shared project settings in `.claude/settings.json`, because a checked-in repo could otherwise inject its own allow rules.

258

259| Scope | File | Use for |

260| :------------------------- | :---------------------------- | :-------------------------------------------------- |

261| One developer | `~/.claude/settings.json` | Personal trusted infrastructure |

262| One project, one developer | `.claude/settings.local.json` | Per-project trusted buckets or services, gitignored |

263| Organization-wide | Managed settings | Trusted infrastructure enforced for all developers |

264

265Entries from each scope are combined. A developer can extend `environment`, `allow`, and `soft_deny` with personal entries but cannot remove entries that managed settings provide. Because allow rules act as exceptions to block rules inside the classifier, a developer-added `allow` entry can override an organization `soft_deny` entry: the combination is additive, not a hard policy boundary. If you need a rule that developers cannot work around, use `permissions.deny` in managed settings instead, which blocks actions before the classifier is consulted.

266

267### Define trusted infrastructure

268

269For most organizations, `autoMode.environment` is the only field you need to set. It tells the classifier which repos, buckets, and domains are trusted, without touching the built-in block and allow rules. The classifier uses `environment` to decide what "external" means: any destination not listed is a potential exfiltration target.

270

271```json theme={null}

272{

273 "autoMode": {

274 "environment": [

275 "Source control: github.example.com/acme-corp and all repos under it",

276 "Trusted cloud buckets: s3://acme-build-artifacts, gs://acme-ml-datasets",

277 "Trusted internal domains: *.corp.example.com, api.internal.example.com",

278 "Key internal services: Jenkins at ci.example.com, Artifactory at artifacts.example.com"

279 ]

280 }

281}

282```

283

284Entries are prose, not regex or tool patterns. The classifier reads them as natural-language rules. Write them the way you would describe your infrastructure to a new engineer. A thorough environment section covers:

285

286* **Organization**: your company name and what Claude Code is primarily used for, like software development, infrastructure automation, or data engineering

287* **Source control**: every GitHub, GitLab, or Bitbucket org your developers push to

288* **Cloud providers and trusted buckets**: bucket names or prefixes that Claude should be able to read from and write to

289* **Trusted internal domains**: hostnames for APIs, dashboards, and services inside your network, like `*.internal.example.com`

290* **Key internal services**: CI, artifact registries, internal package indexes, incident tooling

291* **Additional context**: regulated-industry constraints, multi-tenant infrastructure, or compliance requirements that affect what the classifier should treat as risky

292

293A useful starting template: fill in the bracketed fields and remove any lines that don't apply:

294

295```json theme={null}

296{

297 "autoMode": {

298 "environment": [

299 "Organization: {COMPANY_NAME}. Primary use: {PRIMARY_USE_CASE, e.g. software development, infrastructure automation}",

300 "Source control: {SOURCE_CONTROL, e.g. GitHub org github.example.com/acme-corp}",

301 "Cloud provider(s): {CLOUD_PROVIDERS, e.g. AWS, GCP, Azure}",

302 "Trusted cloud buckets: {TRUSTED_BUCKETS, e.g. s3://acme-builds, gs://acme-datasets}",

303 "Trusted internal domains: {TRUSTED_DOMAINS, e.g. *.internal.example.com, api.example.com}",

304 "Key internal services: {SERVICES, e.g. Jenkins at ci.example.com, Artifactory at artifacts.example.com}",

305 "Additional context: {EXTRA, e.g. regulated industry, multi-tenant infrastructure, compliance requirements}"

306 ]

307 }

308}

309```

310

311The more specific context you give, the better the classifier can distinguish routine internal operations from exfiltration attempts.

312

313You don't need to fill everything in at once. A reasonable rollout: start with the defaults and add your source control org and key internal services, which resolves the most common false positives like pushing to your own repos. Add trusted domains and cloud buckets next. Fill the rest as blocks come up.

314

315### Override the block and allow rules

316

317Two additional fields let you replace the classifier's built-in rule lists: `autoMode.soft_deny` controls what gets blocked, and `autoMode.allow` controls which exceptions apply. Each is an array of prose descriptions, read as natural-language rules.

318

319Inside the classifier, the precedence is: `soft_deny` rules block first, then `allow` rules override as exceptions, then explicit user intent overrides both. If the user's message directly and specifically describes the exact action Claude is about to take, the classifier allows it even if a `soft_deny` rule matches. General requests don't count: asking Claude to "clean up the repo" does not authorize force-pushing, but asking Claude to "force-push this branch" does.

320

321To loosen: remove rules from `soft_deny` when the defaults block something your pipeline already guards against with PR review, CI, or staging environments, or add to `allow` when the classifier repeatedly flags a routine pattern the default exceptions don't cover. To tighten: add to `soft_deny` for risks specific to your environment that the defaults miss, or remove from `allow` to hold a default exception to the block rules. In all cases, run `claude auto-mode defaults` to get the full default lists, then copy and edit: never start from an empty list.

322

323```json theme={null}

324{

325 "autoMode": {

326 "environment": [

327 "Source control: github.example.com/acme-corp and all repos under it"

328 ],

329 "allow": [

330 "Deploying to the staging namespace is allowed: staging is isolated from production and resets nightly",

331 "Writing to s3://acme-scratch/ is allowed: ephemeral bucket with a 7-day lifecycle policy"

332 ],

333 "soft_deny": [

334 "Never run database migrations outside the migrations CLI, even against dev databases",

335 "Never modify files under infra/terraform/prod/: production infrastructure changes go through the review workflow",

336 "...copy full default soft_deny list here first, then add your rules..."

337 ]

338 }

339}

340```

341

342<Danger>

343 Setting `allow` or `soft_deny` replaces the entire default list for that section. If you set `soft_deny` with a single entry, every built-in block rule is discarded: force push, data exfiltration, `curl | bash`, production deploys, and all other default block rules become allowed. To customize safely, run `claude auto-mode defaults` to print the built-in rules, copy them into your settings file, then review each rule against your own pipeline and risk tolerance. Only remove rules for risks your infrastructure already mitigates.

344</Danger>

345

346The three sections are evaluated independently, so setting `environment` alone leaves the default `allow` and `soft_deny` lists intact.

347

348### Inspect the defaults and your effective config

349

350Because setting `allow` or `soft_deny` replaces the defaults, start any customization by copying the full default lists. Three CLI subcommands help you inspect and validate:

351

352```bash theme={null}

353claude auto-mode defaults # the built-in environment, allow, and soft_deny rules

354claude auto-mode config # what the classifier actually uses: your settings where set, defaults otherwise

355claude auto-mode critique # get AI feedback on your custom allow and soft_deny rules

356```

357

358Save the output of `claude auto-mode defaults` to a file, edit the lists to match your policy, and paste the result into your settings file. After saving, run `claude auto-mode config` to confirm the effective rules are what you expect. If you've written custom rules, `claude auto-mode critique` reviews them and flags entries that are ambiguous, redundant, or likely to cause false positives.

359

251## Settings precedence360## Settings precedence

252 361

253Permission rules follow the same [settings precedence](/en/settings#settings-precedence) as all other Claude Code settings:362Permission rules follow the same [settings precedence](/en/settings#settings-precedence) as all other Claude Code settings:

platforms.md +78 −0 created

Details

1> ## Documentation Index

2> Fetch the complete documentation index at: https://code.claude.com/docs/llms.txt

3> Use this file to discover all available pages before exploring further.

5# Platforms and integrations

7> Choose where to run Claude Code and what to connect it to. Compare the CLI, Desktop, VS Code, JetBrains, web, and integrations like Chrome, Slack, and CI/CD.

9Claude Code runs the same underlying engine everywhere, but each surface is tuned for a different way of working. This page helps you pick the right platform for your workflow and connect the tools you already use.

11## Where to run Claude Code

13Choose a platform based on how you like to work and where your project lives.

15| Platform | Best for | What you get |

16| :-------------------------------- | :------------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------- |

17| [CLI](/en/quickstart) | Terminal workflows, scripting, remote servers | Full feature set, [Agent SDK](/en/headless), third-party providers |

18| [Desktop](/en/desktop) | Visual review, parallel sessions, managed setup | Diff viewer, app preview, [computer use](/en/desktop#let-claude-use-your-computer) and [Dispatch](/en/desktop#sessions-from-dispatch) on Pro and Max |

19| [VS Code](/en/vs-code) | Working inside VS Code without switching to a terminal | Inline diffs, integrated terminal, file context |

20| [JetBrains](/en/jetbrains) | Working inside IntelliJ, PyCharm, WebStorm, or other JetBrains IDEs | Diff viewer, selection sharing, terminal session |

21| [Web](/en/claude-code-on-the-web) | Long-running tasks that don't need much steering, or work that should continue when you're offline | Anthropic-managed cloud, continues after you disconnect |

23The CLI is the most complete surface for terminal-native work: scripting, third-party providers, and the Agent SDK are CLI-only. Desktop and the IDE extensions trade some CLI-only features for visual review and tighter editor integration. The web runs in Anthropic's cloud, so tasks keep going after you disconnect.

25You can mix surfaces on the same project. Configuration, project memory, and MCP servers are shared across the local surfaces.

27## Connect your tools

29Integrations let Claude work with services outside your codebase.

31| Integration | What it does | Use it for |

32| :----------------------------------- | :------------------------------------------------- | :--------------------------------------------------------------- |

33| [Chrome](/en/chrome) | Controls your browser with your logged-in sessions | Testing web apps, filling forms, automating sites without an API |

34| [GitHub Actions](/en/github-actions) | Runs Claude in your CI pipeline | Automated PR reviews, issue triage, scheduled maintenance |

35| [GitLab CI/CD](/en/gitlab-ci-cd) | Same as GitHub Actions for GitLab | CI-driven automation on GitLab |

36| [Code Review](/en/code-review) | Reviews every PR automatically | Catching bugs before human review |

37| [Slack](/en/slack) | Responds to `@Claude` mentions in your channels | Turning bug reports into pull requests from team chat |

39For integrations not listed here, [MCP servers](/en/mcp) and [connectors](/en/desktop#connect-external-tools) let you connect almost anything: Linear, Notion, Google Drive, or your own internal APIs.

41## Work when you are away from your terminal

43Claude Code offers several ways to work when you're not at your terminal. They differ in what triggers the work, where Claude runs, and how much you need to set up.

46| :--------------------------------------------- | :--------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------ |

53If you're not sure where to start, [install the CLI](/en/quickstart) and run it in a project directory. If you'd rather not use a terminal, [Desktop](/en/desktop-quickstart) gives you the same engine with a graphical interface.

55## Related resources

57### Platforms

59* [CLI quickstart](/en/quickstart): install and run your first command in the terminal

60* [Desktop](/en/desktop): visual diff review, parallel sessions, computer use, and Dispatch

61* [VS Code](/en/vs-code): the Claude Code extension inside your editor

62* [JetBrains](/en/jetbrains): the extension for IntelliJ, PyCharm, and other JetBrains IDEs

63* [Claude Code on the web](/en/claude-code-on-the-web): cloud sessions that keep running when you disconnect

65### Integrations

67* [Chrome](/en/chrome): automate browser tasks with your logged-in sessions

68* [GitHub Actions](/en/github-actions): run Claude in your CI pipeline

69* [GitLab CI/CD](/en/gitlab-ci-cd): the same for GitLab

70* [Code Review](/en/code-review): automatic review on every pull request

71* [Slack](/en/slack): send tasks from team chat, get PRs back

73### Remote access

75* [Dispatch](/en/desktop#sessions-from-dispatch): message a task from your phone and it can spawn a Desktop session

76* [Remote Control](/en/remote-control): drive a running session from your phone or browser

77* [Channels](/en/channels): push events from chat apps or your own servers into a session

78* [Scheduled tasks](/en/scheduled-tasks): run prompts on a recurring schedule

remote-control.md +14 −1

Details

168* Network or proxy issue: a firewall or proxy may be blocking the outbound HTTPS request. Remote Control requires access to the Anthropic API on port 443.168* Network or proxy issue: a firewall or proxy may be blocking the outbound HTTPS request. Remote Control requires access to the Anthropic API on port 443.

169* Session creation failed: if you also see `Session creation failed — see debug log`, the failure happened earlier in setup. Check that your subscription is active.169* Session creation failed: if you also see `Session creation failed — see debug log`, the failure happened earlier in setup. Check that your subscription is active.

170 170

171## Choose the right approach

172

173Claude Code offers several ways to work when you're not at your terminal. They differ in what triggers the work, where Claude runs, and how much you need to set up.

174

176| :--------------------------------------------- | :--------------------------------------------------------------------------------------------- | :--------------------------------------------------------------------------------------------------------------- | :----------------------------------------------------------------------------------------------------------------------------------- | :------------------------------------------------------------ |

182

171## Related resources183## Related resources

172 184

173* [Claude Code on the web](/en/claude-code-on-the-web): run sessions in Anthropic-managed cloud environments instead of on your machine185* [Claude Code on the web](/en/claude-code-on-the-web): run sessions in Anthropic-managed cloud environments instead of on your machine

174* [Channels](/en/channels): forward Telegram or Discord into a session so Claude reacts to messages while you're away186* [Channels](/en/channels): forward Telegram, Discord, or iMessage into a session so Claude reacts to messages while you're away

187* [Dispatch](/en/desktop#sessions-from-dispatch): message a task from your phone and it can spawn a Desktop session to handle it

175* [Authentication](/en/authentication): set up `/login` and manage credentials for claude.ai188* [Authentication](/en/authentication): set up `/login` and manage credentials for claude.ai

176* [CLI reference](/en/cli-reference): full list of flags and commands including `claude remote-control`189* [CLI reference](/en/cli-reference): full list of flags and commands including `claude remote-control`

177* [Security](/en/security): how Remote Control sessions fit into the Claude Code security model190* [Security](/en/security): how Remote Control sessions fit into the Claude Code security model

sandboxing.md +7 −0

Details

307* **Compatibility**: Some tools that require specific system access patterns may need configuration adjustments, or may even need to be run outside of the sandbox307* **Compatibility**: Some tools that require specific system access patterns may need configuration adjustments, or may even need to be run outside of the sandbox

308* **Platform support**: Supports macOS, Linux, and WSL2. WSL1 is not supported. Native Windows support is planned.308* **Platform support**: Supports macOS, Linux, and WSL2. WSL1 is not supported. Native Windows support is planned.

309 309

310## What sandboxing does not cover

311

312The sandbox isolates Bash subprocesses. Other tools operate under different boundaries:

313

314* **Built-in file tools**: Read, Edit, and Write use the permission system directly rather than running through the sandbox. See [permissions](/en/permissions).

315* **Computer use on Desktop**: when Claude opens apps and controls your screen on macOS, it runs on your actual desktop rather than in an isolated environment. Per-app permission prompts gate each application. See [computer use](/en/desktop#let-claude-use-your-computer).

316

310## See also317## See also

311 318

312* [Security](/en/security) - Comprehensive security features and best practices319* [Security](/en/security) - Comprehensive security features and best practices

scheduled-tasks.md +17 −1

Details

16 16

17## Compare scheduling options17## Compare scheduling options

18 18

~~19<Snippet file="scheduling-comparison.mdx" />~~19Claude Code offers three ways to schedule recurring work:

22| :------------------------- | :------------------------------- | :---------------------------------------------- | :----------------------------- |

24| Requires machine on | No | Yes | Yes |

25| Requires open session | No | No | Yes |

26| Persistent across restarts | Yes | Yes | No (session-scoped) |

27| Access to local files | No (fresh clone) | Yes | Yes |

30| Customizable schedule | Via `/schedule` in the CLI | Yes | Yes |

33<Tip>

34 Use **cloud tasks** for work that should run reliably without your machine. Use **Desktop tasks** when you need access to local files and tools. Use **`/loop`** for quick polling during a session.

35</Tip>

20 36

21## Schedule a recurring prompt with /loop37## Schedule a recurring prompt with /loop

22 38

server-managed-settings.md +16 −2

Details

41 </Step>41 </Step>

42 42

43 <Step title="Define your settings">43 <Step title="Define your settings">

44 Add your configuration as JSON. All [settings available in `settings.json`](/en/settings#available-settings) are supported, including [hooks](/en/hooks), [environment variables](/en/env-vars), and [managed-only settings](/en/permissions#managed-only-settings) like `disableBypassPermissionsMode`.44 Add your configuration as JSON. All [settings available in `settings.json`](/en/settings#available-settings) are supported, including [hooks](/en/hooks), [environment variables](/en/env-vars), and [managed-only settings](/en/permissions#managed-only-settings) like `allowManagedPermissionRulesOnly`.

45 45

46 This example enforces a permission deny list and prevents users from bypassing permissions:46 This example enforces a permission deny list and prevents users from bypassing permissions:

47 47

78 }78 }

79 ```79 ```

80 80

~~81 Because hooks execute shell commands, users see a [security approval dialog](#security-approval-dialogs) before they're applied.~~81 To configure the [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) classifier so it knows which repos, buckets, and domains your organization trusts:

83 ```json theme={null}

84 {

85 "autoMode": {

86 "environment": [

87 "Source control: github.example.com/acme-corp and all repos under it",

88 "Trusted cloud buckets: s3://acme-build-artifacts, gs://acme-ml-datasets",

89 "Trusted internal domains: *.corp.example.com"

90 ]

91 }

92 }

93 ```

95 Because hooks execute shell commands, users see a [security approval dialog](#security-approval-dialogs) before they're applied. See [Configure the auto mode classifier](/en/permissions#configure-the-auto-mode-classifier) for how the `autoMode` entries affect what the classifier blocks and important warnings about the `allow` and `soft_deny` fields.

82 </Step>96 </Step>

83 97

84 <Step title="Save and deploy">98 <Step title="Save and deploy">

settings.md +5 −3

Details

147`settings.json` supports a number of options:147`settings.json` supports a number of options:

148 148

149| Key | Description | Example |149| Key | Description | Example |

150| :-------------------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | :---------------------------------------------------------------------- |150| :-------------------------------- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | :---------------------------------------------------------------------- |

151| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |151| `apiKeyHelper` | Custom script, to be executed in `/bin/sh`, to generate an auth value. This value will be sent as `X-Api-Key` and `Authorization: Bearer` headers for model requests | `/bin/generate_temp_api_key.sh` |

152| `autoMemoryDirectory` | Custom directory for [auto memory](/en/memory#storage-location) storage. Accepts `~/`-expanded paths. Not accepted in project settings (`.claude/settings.json`) to prevent shared repos from redirecting memory writes to sensitive locations. Accepted from policy, local, and user settings | `"~/my-memory-dir"` |152| `autoMemoryDirectory` | Custom directory for [auto memory](/en/memory#storage-location) storage. Accepts `~/`-expanded paths. Not accepted in project settings (`.claude/settings.json`) to prevent shared repos from redirecting memory writes to sensitive locations. Accepted from policy, local, and user settings | `"~/my-memory-dir"` |

153| `cleanupPeriodDays` | Sessions inactive for longer than this period are deleted at startup (default: 30 days).<br /><br />Setting to `0` deletes all existing transcripts at startup and disables session persistence entirely. No new `.jsonl` files are written, `/resume` shows no conversations, and hooks receive an empty `transcript_path`. | `20` |153| `cleanupPeriodDays` | Sessions inactive for longer than this period are deleted at startup (default: 30 days).<br /><br />Setting to `0` deletes all existing transcripts at startup and disables session persistence entirely. No new `.jsonl` files are written, `/resume` shows no conversations, and hooks receive an empty `transcript_path`. | `20` |

157| `includeCoAuthoredBy` | **Deprecated**: Use `attribution` instead. Whether to include the `co-authored-by Claude` byline in git commits and pull requests (default: `true`) | `false` |157| `includeCoAuthoredBy` | **Deprecated**: Use `attribution` instead. Whether to include the `co-authored-by Claude` byline in git commits and pull requests (default: `true`) | `false` |

158| `includeGitInstructions` | Include built-in commit and PR workflow instructions and the git status snapshot in Claude's system prompt (default: `true`). Set to `false` to remove both, for example when using your own git workflow skills. The `CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS` environment variable takes precedence over this setting when set | `false` |158| `includeGitInstructions` | Include built-in commit and PR workflow instructions and the git status snapshot in Claude's system prompt (default: `true`). Set to `false` to remove both, for example when using your own git workflow skills. The `CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS` environment variable takes precedence over this setting when set | `false` |

160| `autoMode` | Customize what the [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) classifier blocks and allows. Contains `environment`, `allow`, and `soft_deny` arrays of prose rules. See [Configure the auto mode classifier](/en/permissions#configure-the-auto-mode-classifier). Not read from shared project settings | `{"environment": ["Trusted repo: github.example.com/acme"]}` |

161| `disableAutoMode` | Set to `"disable"` to prevent [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode) from being activated. Removes `auto` from the `Shift+Tab` cycle and rejects `--permission-mode auto` at startup. Most useful in [managed settings](/en/permissions#managed-settings) where users cannot override it | `"disable"` |

162| `allowManagedHooksOnly` | (Managed settings only) Prevent loading of user, project, and plugin hooks. Only allows managed hooks and SDK hooks. See [Hook configuration](#hook-configuration) | `true` |164| `allowManagedHooksOnly` | (Managed settings only) Prevent loading of user, project, and plugin hooks. Only allows managed hooks and SDK hooks. See [Hook configuration](#hook-configuration) | `true` |

230| `ask` | Array of permission rules to ask for confirmation upon tool use. See [Permission rule syntax](#permission-rule-syntax) below | `[ "Bash(git push *)" ]` |232| `ask` | Array of permission rules to ask for confirmation upon tool use. See [Permission rule syntax](#permission-rule-syntax) below | `[ "Bash(git push *)" ]` |

231| `deny` | Array of permission rules to deny tool use. Use this to exclude sensitive files from Claude Code access. See [Permission rule syntax](#permission-rule-syntax) and [Bash permission limitations](/en/permissions#tool-specific-permission-rules) | `[ "WebFetch", "Bash(curl *)", "Read(./.env)", "Read(./secrets/**)" ]` |233| `deny` | Array of permission rules to deny tool use. Use this to exclude sensitive files from Claude Code access. See [Permission rule syntax](#permission-rule-syntax) and [Bash permission limitations](/en/permissions#tool-specific-permission-rules) | `[ "WebFetch", "Bash(curl *)", "Read(./.env)", "Read(./secrets/**)" ]` |

234| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. This disables the `--dangerously-skip-permissions` command-line flag. See [managed settings](/en/permissions#managed-only-settings) | `"disable"` |236| `disableBypassPermissionsMode` | Set to `"disable"` to prevent `bypassPermissions` mode from being activated. Disables the `--dangerously-skip-permissions` flag. Most useful in [managed settings](/en/permissions#managed-settings) where users cannot override it | `"disable"` |

235 237

236### Permission rule syntax238### Permission rule syntax

237 239

sub-agents.md +3 −3

Details

327 327

328#### Permission modes328#### Permission modes

329 329

330The `permissionMode` field controls how the subagent handles permission prompts. Subagents inherit the permission context from the main conversation but can override the mode.330The `permissionMode` field controls how the subagent handles permission prompts. Subagents inherit the permission context from the main conversation and can override the mode, except when the parent mode takes precedence as described below.

331 331

332| Mode | Behavior |332| Mode | Behavior |

333| :------------------ | :----------------------------------------------------------------- |333| :------------------ | :----------------------------------------------------------------- |

339 339

340<Warning>340<Warning>

341 Use `bypassPermissions` with caution. It skips permission prompts, allowing the subagent to execute operations without approval. Writes to `.git`, `.claude`, `.vscode`, and `.idea` directories still prompt for confirmation, except for `.claude/commands`, `.claude/agents`, and `.claude/skills`. See [permission modes](/en/permissions#permission-modes) for details.341 Use `bypassPermissions` with caution. It skips permission prompts, allowing the subagent to execute operations without approval. Writes to `.git`, `.claude`, `.vscode`, and `.idea` directories still prompt for confirmation, except for `.claude/commands`, `.claude/agents`, and `.claude/skills`. See [permission modes](/en/permission-modes#skip-all-checks-with-bypasspermissions-mode) for details.

342</Warning>342</Warning>

343 343

344If the parent uses `bypassPermissions`, this takes precedence and cannot be overridden.344If the parent uses `bypassPermissions`, this takes precedence and cannot be overridden. If the parent uses [auto mode](/en/permission-modes#eliminate-prompts-with-auto-mode), the subagent inherits auto mode and any `permissionMode` in its frontmatter is ignored: the classifier evaluates the subagent's tool calls with the same block and allow rules as the parent session.

345 345

346#### Preload skills into subagents346#### Preload skills into subagents

347 347

vs-code.md +3 −3

Details

248### Extension settings248### Extension settings

249 249

251| --------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------- |251| --------------------------------- | --------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |

254| `initialPermissionMode` | `default` | Controls approval prompts: `default` (ask each time), `plan`, `acceptEdits`, or `bypassPermissions` |254| `initialPermissionMode` | `default` | Controls approval prompts for new conversations: `default`, `plan`, `acceptEdits`, `auto`, or `bypassPermissions`. See [permission modes](/en/permission-modes). |

261| `environmentVariables` | `[]` | Set environment variables for the Claude process. Use Claude Code settings instead for shared config. |261| `environmentVariables` | `[]` | Set environment variables for the Claude process. Use Claude Code settings instead for shared config. |

263| `allowDangerouslySkipPermissions` | `false` | Bypass permission prompts. **Use with extreme caution.** See [permission modes](/en/permissions#permission-modes) |263| `allowDangerouslySkipPermissions` | `false` | Adds [Auto](/en/permission-modes#eliminate-prompts-with-auto-mode) and Bypass permissions to the mode selector. Auto requires a Team plan and Claude Sonnet 4.6 or Opus 4.6, so the option may remain unavailable even with this toggle on. Use Bypass permissions only in sandboxes with no internet access. |

264| `claudeProcessWrapper` | - | Executable path used to launch the Claude process |264| `claudeProcessWrapper` | - | Executable path used to launch the Claude process |

265 265

266## VS Code extension vs. Claude Code CLI266## VS Code extension vs. Claude Code CLI

web-scheduled-tasks.md +17 −1

Details

19 19

20## Compare scheduling options20## Compare scheduling options

21 21

~~22<Snippet file="scheduling-comparison.mdx" />~~22Claude Code offers three ways to schedule recurring work:

25| :------------------------- | :------------------------------- | :---------------------------------------------- | :----------------------------- |

27| Requires machine on | No | Yes | Yes |

28| Requires open session | No | No | Yes |

29| Persistent across restarts | Yes | Yes | No (session-scoped) |

30| Access to local files | No (fresh clone) | Yes | Yes |

33| Customizable schedule | Via `/schedule` in the CLI | Yes | Yes |

36<Tip>

37 Use **cloud tasks** for work that should run reliably without your machine. Use **Desktop tasks** when you need access to local files and tools. Use **`/loop`** for quick polling during a session.

38</Tip>

23 39

24## Create a scheduled task40## Create a scheduled task

25 41

Documentation 2026-03-23 21:08 UTC to 2026-03-24 18:15 UTC