4 4
5# Choose a permission mode5# Choose a permission mode
6 6
7> Switch between supervised editing, read-only planning, and auto mode where a background classifier replaces manual permission prompts. Cycle modes with Shift+Tab in the CLI or use the mode selector in VS Code, Desktop, and claude.ai.7> Control whether Claude asks before editing files or running commands. Cycle modes with Shift+Tab in the CLI or use the mode selector in VS Code, Desktop, and claude.ai.
8 8
9Permission modes control whether Claude asks before acting. Different tasks call for different levels of autonomy: you might want full oversight for sensitive work, minimal interruptions for a long refactor, or read-only access while exploring a codebase.9When Claude wants to edit a file, run a shell command, or make a network request, it pauses and asks you to approve the action. Permission modes control how often that pause happens. The mode you pick shapes the flow of a session: default mode has you review each action as it comes, while looser modes let Claude work in longer uninterrupted stretches and report back when done. Pick more oversight for sensitive work, or fewer interruptions when you trust the direction.
10 10
11This page covers how to:11## Available modes
12
13Each mode makes a different tradeoff between convenience and oversight. The table below shows what Claude can do without a permission prompt in each mode.
14
15| Mode | What runs without asking | Best for |
16| :------------------------------------------------------------------ | :---------------------------------------- | :-------------------------------------- |
17| `default` | Reads only | Getting started, sensitive work |
18| [`acceptEdits`](#auto-approve-file-edits-with-acceptedits-mode) | Reads and file edits | Iterating on code you're reviewing |
19| [`plan`](#analyze-before-you-edit-with-plan-mode) | Reads only | Exploring a codebase before changing it |
20| [`auto`](#eliminate-prompts-with-auto-mode) | Everything, with background safety checks | Long tasks, reducing prompt fatigue |
21| [`dontAsk`](#allow-only-pre-approved-tools-with-dontask-mode) | Only pre-approved tools | Locked-down CI and scripts |
22| [`bypassPermissions`](#skip-all-checks-with-bypasspermissions-mode) | Everything except protected paths | Isolated containers and VMs only |
23
24Regardless of mode, writes to [protected paths](#protected-paths) are never auto-approved, guarding repository state and Claude's own configuration against accidental corruption.
12 25
13* [Switch modes](#switch-permission-modes) during a session, at startup, or as a default26Modes set the baseline. Layer [permission rules](/en/permissions#manage-permissions) on top to pre-approve or block specific tools in any mode except `bypassPermissions`, which skips the permission layer entirely.
14* [Choose a mode](#available-modes) based on what Claude should be able to do without asking
15* [Run auto mode](#eliminate-prompts-with-auto-mode) with background safety checks, and see what it [blocks by default](#what-the-classifier-blocks-by-default)
16* [Plan changes read-only](#analyze-before-you-edit-with-plan-mode) before approving edits
17* [Restrict Claude to pre-approved tools](#allow-only-pre-approved-tools-with-dontask-mode) for locked-down environments
18* [Skip checks entirely](#skip-all-checks-with-bypasspermissions-mode) in isolated environments
19 27
20## Switch permission modes28## Switch permission modes
21 29
22You can switch modes at any time during a session, at startup, or as a persistent default. The mechanism depends on where you're running Claude Code.30You can switch modes mid-session, at startup, or as a persistent default. The mode is set through these controls, not by asking Claude in chat. Select your interface below to see how to change it.
23 31
24<Tabs>32<Tabs>
25 <Tab title="CLI">33 <Tab title="CLI">
26 **During a session**: press `Shift+Tab` to cycle through `default` → `acceptEdits` → `plan` → `auto`. The current mode appears in the status bar. `auto` does not appear in the cycle until you pass `--enable-auto-mode` at startup. Auto also requires a Team, Enterprise, or API plan and Claude Sonnet 4.6 or Opus 4.6, so the option may remain unavailable even with the flag. If `bypassPermissions` is also enabled, it appears in the cycle between `plan` and `auto`.34 **During a session**: press `Shift+Tab` to cycle `default` → `acceptEdits` → `plan`. The current mode appears in the status bar. Not every mode is in the default cycle:
27 35
28 **At startup**: pass the mode as a CLI flag:36 * `auto`: appears after you opt in with `--enable-auto-mode` or the persisted equivalent in settings
37 * `bypassPermissions`: appears after you start with `--permission-mode bypassPermissions`, `--dangerously-skip-permissions`, or `--allow-dangerously-skip-permissions`; the `--allow-` variant adds the mode to the cycle without activating it
38 * `dontAsk`: never appears in the cycle; set it with `--permission-mode dontAsk`
39
40 Enabled optional modes slot in after `plan`, with `bypassPermissions` first and `auto` last. If you have both enabled, you will cycle through `bypassPermissions` on the way to `auto`.
41
42 **At startup**: pass the mode as a flag.
29 43
30 ```bash theme={null}44 ```bash theme={null}
31 claude --permission-mode plan45 claude --permission-mode plan
32 ```46 ```
33 47
34 **As a default**: set `defaultMode` in your [settings file](/en/settings#settings-files):48 **As a default**: set `defaultMode` in [settings](/en/settings#settings-files).
35 49
36 ```json theme={null}50 ```json theme={null}
37 {51 {
41 }55 }
42 ```56 ```
43 57
44 **Non-interactively**: the same flag works with `-p` for scripted runs:58 The same `--permission-mode` flag works with `-p` for [non-interactive runs](/en/headless).
45
46 ```bash theme={null}
47 claude -p "refactor auth" --permission-mode acceptEdits
48 ```
49
50 `dontAsk` is never in the `Shift+Tab` cycle. `bypassPermissions` appears in the cycle only if you started the session with `--permission-mode bypassPermissions`, `--dangerously-skip-permissions`, or `--allow-dangerously-skip-permissions`. The third flag adds the mode to the cycle without activating it, so you can compose it with a different starting mode like `--permission-mode plan`. Set any of these at startup or in your settings file.
51 </Tab>
52
53 <Tab title="JetBrains">
54 The JetBrains plugin launches Claude Code in the IDE terminal, so switching modes works the same as in the CLI: press `Shift+Tab` to cycle, or pass `--permission-mode` when launching.
55 </Tab>59 </Tab>
56 60
57 <Tab title="VS Code">61 <Tab title="VS Code">
58 **During a session**: click the mode indicator at the bottom of the prompt box to switch modes.62 **During a session**: click the mode indicator at the bottom of the prompt box.
59 63
60 **As a default**: set `claudeCode.initialPermissionMode` in VS Code settings, or use the Claude Code extension settings panel.64 **As a default**: set `claudeCode.initialPermissionMode` in VS Code settings, or use the Claude Code extension settings panel.
61 65
62 The VS Code UI uses friendly labels that map to the settings keys below:66 The mode indicator shows these labels, mapped to the mode each one applies:
63 67
64 | UI label | Settings key |68 | UI label | Mode |
65 | :----------------- | :------------------ |69 | :----------------- | :------------------ |
66 | Ask permissions | `default` |70 | Ask before edits | `default` |
67 | Auto accept edits | `acceptEdits` |71 | Edit automatically | `acceptEdits` |
68 | Plan mode | `plan` |72 | Plan mode | `plan` |
69 | Auto | `auto` |73 | Auto mode | `auto` |
70 | Bypass permissions | `bypassPermissions` |74 | Bypass permissions | `bypassPermissions` |
71 75
72 Auto and Bypass permissions appear only after you enable **Allow dangerously skip permissions** in the extension settings. Auto also requires a Team, Enterprise, or API plan and Claude Sonnet 4.6 or Opus 4.6, so the option may remain unavailable even with the toggle on.76 Auto mode appears in the mode indicator after you enable **Allow dangerously skip permissions** in the extension settings, but it stays unavailable until your account meets every requirement listed in the [auto mode section](#eliminate-prompts-with-auto-mode). The `claudeCode.initialPermissionMode` setting does not accept `auto`; to start in auto mode by default, set `defaultMode` in your Claude Code [`settings.json`](/en/settings#settings-files) instead.
77
78 Bypass permissions also requires the **Allow dangerously skip permissions** toggle before it appears in the mode indicator.
73 79
74 See the [VS Code guide](/en/vs-code) for extension-specific details.80 See the [VS Code guide](/en/vs-code) for extension-specific details.
75 </Tab>81 </Tab>
76 82
77 <Tab title="Desktop">83 <Tab title="JetBrains">
78 **During a session**: use the mode selector next to the send button. You can change it before or during a session.84 The JetBrains plugin runs Claude Code in the IDE terminal, so switching modes works the same as in the CLI: press `Shift+Tab` to cycle, or pass `--permission-mode` when launching.
79 85 </Tab>
80 The Desktop UI uses friendly labels that map to the settings keys below:
81
82 | UI label | Settings key |
83 | :----------------- | :------------------ |
84 | Ask permissions | `default` |
85 | Auto accept edits | `acceptEdits` |
86 | Plan mode | `plan` |
87 | Auto | `auto` |
88 | Bypass permissions | `bypassPermissions` |
89 86
90 Auto and Bypass permissions appear in the selector only after you enable them in Desktop settings. See the [Desktop guide](/en/desktop#choose-a-permission-mode) for details.87 <Tab title="Desktop">
88 Use the mode selector next to the send button. Auto and Bypass permissions appear only after you enable them in Desktop settings. See the [Desktop guide](/en/desktop#choose-a-permission-mode).
91 </Tab>89 </Tab>
92 90
93 <Tab title="Web and mobile">91 <Tab title="Web and mobile">
94 **During a session**: use the mode dropdown next to the prompt box on [claude.ai/code](https://claude.ai/code) or in the Claude mobile app.92 Use the mode dropdown next to the prompt box on [claude.ai/code](https://claude.ai/code) or in the mobile app. Permission prompts appear in claude.ai for approval. Which modes appear depends on where the session runs:
95 93
96 For [Claude Code on the web](/en/claude-code-on-the-web) sessions running on Anthropic's cloud VMs, the dropdown offers Auto accept edits and Plan mode. Ask permissions and Auto are not available for cloud sessions.94 * **Cloud sessions** on [Claude Code on the web](/en/claude-code-on-the-web): Auto accept edits and Plan mode. Ask permissions, Auto, and Bypass permissions are not available.
95 * **[Remote Control](/en/remote-control) sessions** on your local machine: Ask permissions, Auto accept edits, and Plan mode. Auto and Bypass permissions are not available.
97 96
98 For [Remote Control](/en/remote-control) sessions running on your local machine, the dropdown offers Ask permissions, Auto accept edits, and Plan mode. You can also set the starting mode when you launch the local host:97 For Remote Control, you can also set the starting mode when launching the host:
99 98
100 ```bash theme={null}99 ```bash theme={null}
101 claude remote-control --permission-mode acceptEdits100 claude remote-control --permission-mode acceptEdits
102 ```101 ```
103
104 Permission prompts appear in claude.ai for approval.
105 </Tab>102 </Tab>
106</Tabs>103</Tabs>
107 104
108Permission modes are set through the UI, CLI flags, or settings files. Telling Claude "stop asking for permission" in the chat does not change the mode. See [Permissions](/en/permissions) for how modes interact with allow, ask, and deny rules.105## Auto-approve file edits with acceptEdits mode
109 106
110## Available modes107`acceptEdits` mode lets Claude create and edit files in your working directory without prompting. Writes to [protected paths](#protected-paths) and all non-edit actions still prompt the same as default mode. The status bar shows `⏵⏵ accept edits on` while this mode is active.
111 108
112Each mode makes a different tradeoff between convenience and oversight. Pick the one that matches your task.109Use `acceptEdits` when you want to review changes in your editor or via `git diff` after the fact rather than approving each edit inline. Press `Shift+Tab` once from default mode to enter it, or start with it directly:
113 110
114| Mode | What Claude can do without asking | Best for |111```bash theme={null}
115| :------------------------------------------------------------------ | :----------------------------------------- | :------------------------------------------ |112claude --permission-mode acceptEdits
116| `default` | Read files | Getting started, sensitive work |113```
117| `acceptEdits` | Read and edit files | Iterating on code you're reviewing |
118| [`plan`](#analyze-before-you-edit-with-plan-mode) | Read files | Exploring a codebase, planning a refactor |
119| [`auto`](#eliminate-prompts-with-auto-mode) | All actions, with background safety checks | Long-running tasks, reducing prompt fatigue |
120| [`bypassPermissions`](#skip-all-checks-with-bypasspermissions-mode) | All actions, no checks | Isolated containers and VMs only |
121| [`dontAsk`](#allow-only-pre-approved-tools-with-dontask-mode) | Only pre-approved tools | Locked-down environments |
122 114
123## Analyze before you edit with plan mode115## Analyze before you edit with plan mode
124 116
125Plan mode tells Claude to research and propose changes without making them. Claude reads files, runs shell commands to explore, asks clarifying questions, and writes a plan file, but does not edit your source code. Permission prompts work the same as default mode: you still approve Bash commands, network requests, and other actions that would normally prompt.117Plan mode tells Claude to research and propose changes without making them. Claude reads files, runs shell commands to explore, and writes a plan, but does not edit your source. Permission prompts still apply the same as default mode.
126
127### When to use plan mode
128 118
129Plan mode is useful when you want Claude to research and propose an approach before making changes:119Enter plan mode by pressing `Shift+Tab` or prefixing a single prompt with `/plan`. You can also start in plan mode from the CLI:
130
131* **Multi-step implementation**: when a feature requires edits across many files
132* **Code exploration**: when you want to research the codebase before changing anything
133* **Interactive development**: when you want to iterate on the direction with Claude
134
135### Start and use plan mode
136
137Enter plan mode for a single request by prefixing your prompt with `/plan`, or switch the whole session into plan mode by pressing `Shift+Tab` to [cycle through permission modes](#switch-permission-modes). You can also start in plan mode from the CLI:
138 120
139```bash theme={null}121```bash theme={null}
140claude --permission-mode plan122claude --permission-mode plan
141```123```
142 124
143This example starts a planning session for a complex refactor:125Press `Shift+Tab` again to leave plan mode without approving a plan.
144
145```text theme={null}
146I need to refactor our authentication system to use OAuth2. Create a detailed migration plan.
147```
148
149Claude analyzes the current implementation and creates a plan. Refine with follow-ups:
150
151```text theme={null}
152What about backward compatibility?
153How should we handle database migration?
154```
155 126
156When the plan is ready, Claude presents it and asks how to proceed. From that prompt you can:127When the plan is ready, Claude presents it and asks how to proceed. From that prompt you can:
157 128
158* Approve and start in auto mode129* Approve and start in auto mode
159* Approve and accept edits130* Approve and accept edits
160* Approve and manually review each edit131* Approve and review each edit manually
161* Keep planning, which sends your feedback back to Claude for another round132* Keep planning with feedback
133* Refine with [Ultraplan](/en/ultraplan) for browser-based review
162 134
163Each approve option also offers to clear the planning context first.135Each approve option also offers to clear the planning context first.
164 136
165## Eliminate prompts with auto mode137## Eliminate prompts with auto mode
166 138
167Auto mode is available on Team, Enterprise, and API plans. On Team and Enterprise, an admin must enable it in [Claude Code admin settings](https://claude.ai/admin-settings/claude-code) before users can turn it on. It requires Claude Sonnet 4.6 or Claude Opus 4.6, and is not available on Haiku, claude-3 models, or third-party providers (Bedrock, Vertex, Foundry).139<Note>
140 Auto mode requires Claude Code v2.1.83 or later.
141</Note>
168 142
169Auto mode lets Claude execute actions without showing permission prompts. Before each action runs, a separate classifier model reviews the conversation and decides whether the action matches what you asked for. It blocks actions that escalate beyond the task scope, target infrastructure the classifier doesn't recognize as trusted, or appear to be driven by prompt injection: hostile instructions embedded in a file, web page, or tool result that attempt to redirect Claude toward actions you never asked for. The defense is layered: a server-side probe scans incoming tool results and flags suspicious content before Claude reads it, while the classifier itself is never shown tool results, so injected instructions cannot influence its approval decisions. For a deeper look at how these layers work together, see the [auto mode announcement](https://claude.com/blog/auto-mode) and the [engineering deep dive](https://www.anthropic.com/engineering/claude-code-auto-mode).143Auto mode lets Claude execute without permission prompts. A separate classifier model reviews actions before they run, blocking anything that escalates beyond your request, targets unrecognized infrastructure, or appears driven by hostile content Claude read.
170 144
171<Warning>145<Warning>
172 Auto mode is a research preview. It reduces prompts but does not guarantee safety. It provides more protection than `bypassPermissions` but is not as thorough as manually reviewing each action. Use it for tasks where you trust the general direction, not as a replacement for review on sensitive operations.146 Auto mode is a research preview. It reduces prompts but does not guarantee safety. Use it for tasks where you trust the general direction, not as a replacement for review on sensitive operations.
173</Warning>147</Warning>
174 148
175**Model**: the classifier runs on Claude Sonnet 4.6, even if your main session uses a different model.149Auto mode is available only when your account meets all of these requirements:
176
177**Cost**: classifier calls count toward your token usage the same as main-session calls. Each checked action sends a portion of the conversation transcript plus the pending action to the classifier. The extra cost comes mainly from shell commands and network operations, since read-only actions and file edits in your working directory don't trigger a classifier call.
178
179**Latency**: each classifier check adds a round-trip before the action executes.
180
181### How actions are evaluated
182
183Each action goes through a fixed decision order. The first matching step wins:
184 150
1851. Actions matching your [allow or deny rules](/en/permissions#manage-permissions) resolve immediately151* **Plan**: Team, Enterprise, or API. Not available on Pro or Max.
1862. Read-only actions and file edits in your working directory are auto-approved152* **Admin**: on Team and Enterprise, an admin must enable it in [Claude Code admin settings](https://claude.ai/admin-settings/claude-code) before users can turn it on. Admins can also lock it off by setting `permissions.disableAutoMode` to `"disable"` in [managed settings](/en/permissions#managed-settings).
1873. Everything else goes to the classifier153* **Model**: Claude Sonnet 4.6 or Opus 4.6. Not available on Haiku or claude-3 models.
1884. If the classifier blocks, Claude receives the reason and attempts an alternative approach154* **Provider**: Anthropic API only. Not available on Bedrock, Vertex, or Foundry.
189 155
190On entering auto mode, Claude Code drops any allow rule that is known to grant arbitrary code execution: blanket shell access like `Bash(*)`, wildcarded script interpreters like `Bash(python*)` or `Bash(node*)`, package-manager run commands, and any `Agent` allow rule. These rules would auto-approve the commands and subagent delegations most capable of causing damage before the classifier ever sees them. Narrow rules like `Bash(npm test)` carry over. The dropped rules are restored when you leave auto mode.156If Claude Code reports auto mode as unavailable, one of these requirements is unmet; this is not a transient outage.
191 157
192The classifier receives user messages and tool calls as input, with Claude's own text and tool results stripped out. It also receives your CLAUDE.md content, so actions described in your project instructions are factored into allow and block decisions. Because tool results never reach the classifier, hostile content in a file or web page cannot manipulate it directly. The classifier evaluates the pending action against a customizable set of block and allow rules, checking whether the action is an overeager escalation beyond what you asked for, a mistake about what's safe to touch, or a sudden departure from your stated intent that suggests Claude may have been steered by something it read.158Once enabled, start with the flag and `auto` joins the `Shift+Tab` cycle:
193 159
194Unlike your permission rules, which match tool names and argument patterns, the classifier reads prose descriptions of what to block and allow: it reasons about the action in context rather than matching syntax.160```bash theme={null}
195 161claude --enable-auto-mode
196### How auto mode handles subagents162```
197
198When Claude spawns a [subagent](/en/sub-agents), the classifier evaluates the delegated task before the subagent starts. A task description that looks dangerous on its own, like "delete all remote branches matching this pattern", is blocked at spawn time.
199
200Inside the subagent, auto mode runs with the same block and allow rules as the parent session. Any `permissionMode` the subagent defines in its own frontmatter is ignored. The subagent's own tool calls go through the classifier independently.
201
202When the subagent finishes, the classifier reviews its full action history. A subagent that was benign at spawn could have been compromised mid-run by content it read. If the return check flags a concern, a security warning is prepended to the subagent's results so the main agent can decide how to proceed.
203 163
204### What the classifier blocks by default164### What the classifier blocks by default
205 165
206Out of the box, the classifier trusts your working directory and, if you're in a git repo, that repo's configured remotes. Everything else is treated as external: your company's source control orgs, cloud buckets, and internal services are unknown until you tell the classifier about them.166The classifier trusts your working directory and your repo's configured remotes. Everything else is treated as external until you [configure trusted infrastructure](/en/permissions#configure-the-auto-mode-classifier).
207 167
208**Blocked by default**:168**Blocked by default**:
209 169
210* Downloading and executing code, like `curl | bash` or scripts from cloned repos170* Downloading and executing code, like `curl | bash`
211* Sending sensitive data to external endpoints171* Sending sensitive data to external endpoints
212* Production deploys and migrations172* Production deploys and migrations
213* Mass deletion on cloud storage173* Mass deletion on cloud storage
214* Granting IAM or repo permissions174* Granting IAM or repo permissions
215* Modifying shared infrastructure175* Modifying shared infrastructure
216* Irreversibly destroying files that existed before the session started176* Irreversibly destroying files that existed before the session
217* Destructive source control operations like force push or pushing directly to `main`177* Force push, or pushing directly to `main`
218 178
219**Allowed by default**:179**Allowed by default**:
220 180
221* Local file operations in your working directory181* Local file operations in your working directory
222* Installing dependencies already declared in your lock files or manifests182* Installing dependencies declared in your lock files or manifests
223* Reading `.env` and sending credentials to their matching API183* Reading `.env` and sending credentials to their matching API
224* Read-only HTTP requests184* Read-only HTTP requests
225* Pushing to the branch you started on or one Claude created185* Pushing to the branch you started on or one Claude created
226 186
227To see the full default rule lists as the classifier receives them, run `claude auto-mode defaults`.187Run `claude auto-mode defaults` to see the full rule lists. If routine actions get blocked, an administrator can add trusted repos, buckets, and services via the `autoMode.environment` setting: see [Configure the auto mode classifier](/en/permissions#configure-the-auto-mode-classifier).
228
229If auto mode blocks something routine for your team, like pushing to your own org's repo or writing to a company bucket, it's because the classifier doesn't know those are trusted. Administrators can add trusted repos, buckets, and internal services via the `autoMode.environment` setting: see [Configure the auto mode classifier](/en/permissions#configure-the-auto-mode-classifier) for the full configuration guide.
230 188
231### When auto mode falls back189### When auto mode falls back
232 190
233The fallback design keeps false positives from derailing a session: a mistaken block costs Claude a retry, not your progress. If the classifier blocks an action 3 times in a row or 20 times total in one session, auto mode pauses and Claude Code resumes prompting for each action. These thresholds are not configurable.191Each denied action shows a notification and appears in `/permissions` under the Recently denied tab, where you can press `r` to retry it with a manual approval.
192
193If the classifier blocks an action 3 times in a row or 20 times total, auto mode pauses and Claude Code resumes prompting. Approving the prompted action resumes auto mode. These thresholds are not configurable. Any allowed action resets the consecutive counter, while the total counter persists for the session and resets only when its own limit triggers a fallback.
234 194
235* **CLI**: you see a notification in the status area, and the denied action appears in `/permissions` under the Recently denied tab. Approving the prompted action resets the denial counters, so you can continue in auto mode195In [non-interactive mode](/en/headless) with the `-p` flag, repeated blocks abort the session since there is no user to prompt.
236* **Non-interactive mode** with the `-p` flag: aborts the session, since there is no user to prompt
237 196
238Repeated blocks usually mean one of two things: the task genuinely requires actions the classifier is built to stop, or the classifier is missing context about your trusted infrastructure and treating safe actions as risky. If the blocks look like false positives, or if the classifier misses something it should have caught, use `/feedback` to report it. If blocks are happening because the classifier doesn't recognize your repos or services as trusted, have an administrator [configure trusted infrastructure](/en/permissions#configure-the-auto-mode-classifier) in managed settings.197Repeated blocks usually mean the classifier is missing context about your infrastructure. Use `/feedback` to report false positives, or have an administrator [configure trusted infrastructure](/en/permissions#configure-the-auto-mode-classifier).
198
199<AccordionGroup>
200 <Accordion title="How the classifier evaluates actions">
201 Each action goes through a fixed decision order. The first matching step wins:
202
203 1. Actions matching your [allow or deny rules](/en/permissions#manage-permissions) resolve immediately
204 2. Read-only actions and file edits in your working directory are auto-approved, except writes to [protected paths](#protected-paths)
205 3. Everything else goes to the classifier
206 4. If the classifier blocks, Claude receives the reason and tries an alternative
207
208 On entering auto mode, broad allow rules that grant arbitrary code execution are dropped:
209
210 * Blanket `Bash(*)`
211 * Wildcarded interpreters like `Bash(python*)`
212 * Package-manager run commands
213 * `Agent` allow rules
214
215 Narrow rules like `Bash(npm test)` carry over. Dropped rules are restored when you leave auto mode.
216
217 The classifier sees user messages, tool calls, and your CLAUDE.md content. Tool results are stripped, so hostile content in a file or web page cannot manipulate it directly. A separate server-side probe scans incoming tool results and flags suspicious content before Claude reads it. For more on how these layers work together, see the [auto mode announcement](https://claude.com/blog/auto-mode) and the [engineering deep dive](https://www.anthropic.com/engineering/claude-code-auto-mode).
218 </Accordion>
219
220 <Accordion title="How auto mode handles subagents">
221 The classifier checks [subagent](/en/sub-agents) work at three points:
222
223 1. Before a subagent starts, the delegated task description is evaluated, so a dangerous-looking task is blocked at spawn time.
224 2. While the subagent runs, each of its actions goes through the classifier with the same rules as the parent session, and any `permissionMode` in the subagent's frontmatter is ignored.
225 3. When the subagent finishes, the classifier reviews its full action history; if that return check flags a concern, a security warning is prepended to the subagent's results.
226 </Accordion>
227
228 <Accordion title="Cost and latency">
229 The classifier currently runs on Claude Sonnet 4.6 regardless of your main session model. Classifier calls count toward your token usage. Each check sends a portion of the transcript plus the pending action, adding a round-trip before execution. Reads and working-directory edits outside protected paths skip the classifier, so the overhead comes mainly from shell commands and network operations.
230 </Accordion>
231</AccordionGroup>
239 232
240## Allow only pre-approved tools with dontAsk mode233## Allow only pre-approved tools with dontAsk mode
241 234
242`dontAsk` mode auto-denies every tool that is not explicitly allowed. Only actions matching your `/permissions` allow rules or `permissions.allow` settings can execute. If a tool has an explicit `ask` rule, the action is also denied rather than prompting. This makes the mode fully non-interactive, suitable for CI pipelines or restricted environments where you pre-define exactly what Claude is permitted to do.235`dontAsk` mode auto-denies every tool that is not explicitly allowed. Only actions matching your `permissions.allow` rules can execute; explicit `ask` rules are also denied rather than prompting. This makes the mode fully non-interactive for CI pipelines or restricted environments where you pre-define exactly what Claude may do.
236
237Set it at startup with the flag:
243 238
244```bash theme={null}239```bash theme={null}
245claude --permission-mode dontAsk240claude --permission-mode dontAsk
247 242
248## Skip all checks with bypassPermissions mode243## Skip all checks with bypassPermissions mode
249 244
250`bypassPermissions` mode disables permission prompts and safety checks. Tool calls execute immediately, except for writes to `.git`, `.vscode`, and `.idea`, which still prompt to prevent accidental corruption of repository state and local configuration. Writes to `.claude` also prompt, except for `.claude/commands`, `.claude/agents`, and `.claude/skills` where Claude routinely creates skills, subagents, and commands. Only use this mode in isolated environments like containers, VMs, or devcontainers without internet access, where Claude Code cannot cause damage to your host system.245`bypassPermissions` mode disables permission prompts and safety checks so tool calls execute immediately. Writes to [protected paths](#protected-paths) are the only actions that still prompt. Only use this mode in isolated environments like containers, VMs, or devcontainers without internet access, where Claude Code cannot damage your host system.
246
247You cannot enter `bypassPermissions` from a session that was started without one of the enabling flags; restart with one to enable it:
251 248
252```bash theme={null}249```bash theme={null}
253claude --permission-mode bypassPermissions250claude --permission-mode bypassPermissions
254```251```
255 252
256The `--dangerously-skip-permissions` flag is equivalent to `--permission-mode bypassPermissions`:253The `--dangerously-skip-permissions` flag is equivalent.
257
258```bash theme={null}
259claude -p "refactor the auth module" --dangerously-skip-permissions
260```
261 254
262<Warning>255<Warning>
263 `bypassPermissions` mode offers no protection against prompt injection or unintended actions. For a safer alternative that still maintains background safety checks, use [auto mode](#eliminate-prompts-with-auto-mode). Administrators can block this mode by setting `permissions.disableBypassPermissionsMode` to `"disable"` in [managed settings](/en/permissions#managed-settings).256 `bypassPermissions` offers no protection against prompt injection or unintended actions. For background safety checks without prompts, use [auto mode](#eliminate-prompts-with-auto-mode) instead. Administrators can block this mode by setting `permissions.disableBypassPermissionsMode` to `"disable"` in [managed settings](/en/permissions#managed-settings).
264</Warning>257</Warning>
265 258
266## Compare permission approaches259## Protected paths
267
268The table below summarizes the key differences in how each mode handles approvals. `plan` is omitted since it restricts what Claude can do rather than how approvals work.
269 260
270| | `default` | `acceptEdits` | `auto` | `dontAsk` | `bypassPermissions` |261Writes to a small set of paths are never auto-approved, in every mode. This prevents accidental corruption of repository state and Claude's own configuration. In `default`, `acceptEdits`, `plan`, and `bypassPermissions` these writes prompt; in `auto` they route to the classifier; in `dontAsk` they are denied.
271| :----------------- | :---------------------- | :------------------ | :---------------------------- | :------------------------------- | :------------------ |
272| Permission prompts | File edits and commands | Commands only | None unless fallback triggers | None, blocked unless pre-allowed | None |
273| Safety checks | You review each action | You review commands | Classifier reviews commands | Your pre-approved rules only | None |
274| Token usage | Standard | Standard | Higher, from classifier calls | Standard | Standard |
275 262
276## Customize permissions further263Protected directories:
277 264
278Permission modes set the baseline approval behavior. For control over individual tools or commands, layer additional configuration on top of the active mode.265* `.git`
266* `.vscode`
267* `.idea`
268* `.husky`
269* `.claude`, except for `.claude/commands`, `.claude/agents`, `.claude/skills`, and `.claude/worktrees` where Claude routinely creates content
279 270
280**Permission rules** are the first stop. Add `allow`, `ask`, or `deny` entries to your settings file to pre-approve safe commands, force a prompt for risky ones, or block specific tools entirely. Rules apply in every mode except `bypassPermissions`, which skips the permission layer entirely, and are matched by tool name and argument pattern. See [Manage permissions](/en/permissions#manage-permissions) for syntax and examples.271Protected files:
281 272
282**Hooks** cover logic that pattern-matching rules can't express. A [`PreToolUse` hook](/en/hooks#pretooluse-decision-control) runs before every tool call and can allow, deny, or escalate based on command content, file paths, time of day, or a response from an external policy service. A [`PermissionRequest` hook](/en/hooks#permissionrequest) intercepts the permission dialog itself and answers on your behalf. See [Hooks](/en/hooks) for configuration.273* `.gitconfig`, `.gitmodules`
274* `.bashrc`, `.bash_profile`, `.zshrc`, `.zprofile`, `.profile`
275* `.ripgreprc`
276* `.mcp.json`, `.claude.json`
283 277
284## See also278## See also
285 279
286* [Permissions](/en/permissions): permission rules, syntax, managed policies280* [Permissions](/en/permissions): allow, ask, and deny rules; auto mode classifier configuration; managed policies
287* [Hooks](/en/hooks): custom permission logic, lifecycle scripting281* [Hooks](/en/hooks): custom permission logic via `PreToolUse` and `PermissionRequest` hooks
288* [Security](/en/security): security safeguards and best practices282* [Ultraplan](/en/ultraplan): run plan mode in a Claude Code on the web session with browser-based review
283* [Security](/en/security): safeguards and best practices
289* [Sandboxing](/en/sandboxing): filesystem and network isolation for Bash commands284* [Sandboxing](/en/sandboxing): filesystem and network isolation for Bash commands
290* [Non-interactive mode](/en/headless): run Claude Code programmatically with the `-p` flag285* [Non-interactive mode](/en/headless): run Claude Code with the `-p` flag
