Claude Code Auto Mode Eliminates Manual Approvals – How It Works
Claude Code’s new Auto Mode introduces an independent classifier that automatically approves safe operations and blocks risky ones, balancing efficiency and security by evaluating intent, scope, and potential malicious content, while offering configurable allow/deny rules, sub‑agent monitoring, fallback mechanisms, and token‑based cost considerations.
What problem does Auto Mode solve?
Previously Claude Code’s permission model had two extremes: the default mode required manual confirmation for every file write or shell command, which was safe but painfully slow, and the --dangerously-skip-permissions flag skipped all safety checks, which was fast but risky.
Auto Mode balances these extremes by adding an independent classifier model that judges each operation before execution: is it within the user’s intent, does it stray from the task, or is it being steered by malicious file content?
How does the classifier work?
The classifier runs Claude Sonnet 4.6 (the same model used for the main session when Opus 4.6 is selected). It receives the user’s message and the pending tool call, then evaluates three criteria:
Is the operation within the user‑requested scope?
Does it deviate from the user’s intent?
Is there evidence of injection from a file or web page?
A key safety design is that the tool’s execution result is never sent to the classifier, so even a crafted malicious file cannot influence the classifier’s judgment.
The evaluation follows a fixed order:
Check any pre‑configured allow/deny rules.
Read‑only operations and edits inside the working directory are allowed outright.
All other operations are handed to the classifier.
If blocked, Claude receives the reason and attempts an alternative approach.
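The fixed order above, modelled as an added example; this is not Claude Code's own code. The `gate` and `inside` functions, the rule patterns, the deny-before-allow precedence and the keyword-based `toy_classifier` (a stand-in for the real classifier model) are all assumptions made for illustration.

```python
import fnmatch
from pathlib import Path

def inside(workdir, target):
    """True if target resolves under workdir; '..' segments are collapsed first."""
    root = Path(workdir).resolve()
    path = (root / target).resolve()
    return path == root or root in path.parents

def toy_classifier(user_msg, call):
    """Constructed stand-in for the classifier model (not the real one)."""
    cmd = call.get("command", "")
    if "curl" in cmd and "|" in cmd:
        return False, "download-and-execute"
    if call["tool"] == "edit":  # only out-of-tree edits ever reach this stage
        return False, "edit outside working directory"
    return True, "within requested scope"

def gate(call, user_msg, workdir, rules, classifier=toy_classifier):
    """Return (decision, stage) for one pending tool call, in the fixed order."""
    text = call.get("command") or call.get("path", "")
    # 1. Pre-configured rules. Assumption: deny is consulted before allow.
    for decision in ("deny", "allow"):
        if any(fnmatch.fnmatchcase(text, p) for p in rules.get(decision, [])):
            return decision, "rule"
    # 2. Read-only operations and edits inside the working directory pass.
    if call["tool"] == "read":
        return "allow", "fast-path"
    if call["tool"] == "edit" and inside(workdir, call["path"]):
        return "allow", "fast-path"
    # 3. Everything else: the classifier gets the user's message and the
    #    pending call only. No tool output is ever part of its input.
    ok, reason = classifier(user_msg, call)
    return ("allow" if ok else "deny"), "classifier: " + reason

# Constructed sample data (hypothetical rules, path and request)
RULES = {"deny": ["git push --force*"], "allow": ["npm ci"]}
WORKDIR = "/srv/demo-project"
MSG = "fix the failing unit test"
```

An edit to `../../etc/hosts` is not treated as an in-directory edit here because the path is resolved before the containment check, so it falls through to the classifier stage.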
Default allow and block boundaries
Operations that are allowed by default include:
Local file operations inside the working directory.
Installing dependencies declared in a lock file.
Reading .env and sending credentials to the corresponding API.
Read‑only HTTP requests.
Pushing to the current branch or a newly created Claude branch.
Operations that are blocked by default include:
Downloading and executing code (e.g., curl | bash).
Sending sensitive data to external endpoints.
Production deployments and database migrations.
Bulk deletion in cloud storage.
IAM permission changes.
Force‑pushing or pushing directly to the main branch.
Irreversible deletion of files that existed before the session started.
If the classifier blocks an operation that your team regularly performs, administrators can whitelist it via the autoMode.environment setting.
Sub‑agents also undergo review
Claude Code’s sub‑agent mechanism spawns parallel agents for tasks. Auto Mode protects sub‑agents in three layers:
Pre‑launch review: The classifier evaluates the sub‑agent’s task description and blocks obviously dangerous tasks before they start.
Runtime monitoring: Every tool call inside a sub‑agent is evaluated with the same rules as the main session.
Post‑run review: After a sub‑agent finishes, the classifier reviews its full operation history; if a previously benign sub‑agent was diverted by malicious content, a security warning is attached to the result.
Fault tolerance: no deadlock on false positives
Auto Mode includes a degradation strategy: if the classifier blocks three consecutive operations or reaches twenty blocks in a single session, it pauses and falls back to manual confirmation. A single manual approval resets the counter, allowing Auto Mode to continue. In non‑interactive mode (the -p flag), a degradation trigger terminates the session because no user is available to approve.
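The degradation rule above as a small state machine, added here as an example; it is not Claude Code's implementation. The class and function names are hypothetical, and it assumes a manual approval resets both the consecutive and the per-session count.

```python
class BlockBudget:
    """Tracks classifier blocks and decides when Auto Mode must pause."""
    MAX_CONSECUTIVE = 3   # threshold stated in the article
    MAX_SESSION = 20      # threshold stated in the article

    def __init__(self, interactive=True):
        self.interactive = interactive  # False models the -p flag
        self.consecutive = 0
        self.total = 0

    def record(self, blocked):
        """Feed one classifier verdict; return 'auto', 'manual' or 'terminate'."""
        if not blocked:
            self.consecutive = 0        # an allowed operation ends the streak
            return "auto"
        self.consecutive += 1
        self.total += 1
        if (self.consecutive >= self.MAX_CONSECUTIVE
                or self.total >= self.MAX_SESSION):
            # Nobody can approve in non-interactive mode, so the session ends.
            return "manual" if self.interactive else "terminate"
        return "auto"

    def manual_approval(self):
        """One manual approval resets the counters (assumption: both)."""
        self.consecutive = 0
        self.total = 0

def replay(verdicts, interactive=True):
    """Run a constructed list of verdicts (True = blocked) and list the states."""
    budget, states = BlockBudget(interactive), []
    for blocked in verdicts:
        state = budget.record(blocked)
        states.append(state)
        if state == "terminate":
            break
        if state == "manual":
            budget.manual_approval()    # the user approves, Auto Mode resumes
    return states
```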
How to enable?
Auto Mode is currently a Research Preview. Team plan users can enable it in the Claude Code admin console; Enterprise and API access will roll out later.
To activate it from the CLI, run:
    claude --enable-auto-mode
Then toggle to Auto Mode inside a session with Shift+Tab. In VS Code or the desktop app, enable it in settings and switch via the mode selector.
Auto Mode requires Claude Sonnet 4.6 or Opus 4.6 as the base model; it does not support Haiku or third‑party providers such as Bedrock or Vertex.
Additional cost and latency
The classifier’s calls count toward your token usage and are billed the same way as the main session. Only operations that trigger the classifier incur extra cost; read‑only actions and in‑directory file edits bypass it. The extra latency is a single round‑trip per check, which is negligible compared with manual approval for long‑running tasks.
Conclusion
Auto Mode addresses a broader industry question: as AI coding assistants become more capable, how can we balance efficiency with safety? By delegating security checks to an independent AI model, developers are freed from per‑action approvals while high‑risk actions remain guarded. The approach is still experimental—Anthropic labels it a Research Preview—but for developers who currently press “confirm” hundreds of times per session, it represents a highly anticipated improvement.
