Claude Code has different modes, like "plan mode" or "accept edits".
A recent addition is the "auto mode" which we'll focus on here.
You probably encountered permission dialogs in Claude Code where you have to confirm read or write access, or when Claude Code wants to execute commands.
You can control them through allowlist entries like "Bash(bin/rspec *)", but it's a fairly tedious task to do that to an extent where you encounter permission dialogs only rarely.
Before you reach a point where you mindlessly confirm any permission check, you should try "auto mode".
What is it?
Auto mode is an AI-mediated permission approach.
It is a middle ground between manually babysitting Claude Code (default mode) and giving the LLM a loaded gun (bypassPermissions / --dangerously-skip-permissions).
When the agent proposes a tool call that requires confirmation, a secondary Claude instance receives it to decide whether to confirm or deny:
- Generally speaking, reversible, reading commands like
git diffare allowed while irreversible commands like anrm -rfare prevented. - Auto mode will ask before installing new gems or npm packages.
- Accessing any credentials(-like) file is also prevented, e.g. any key files in your project or system configuration in
/etc. - Auto mode should also prevent installing anything through means that don't match your project (like a
pip installwhen your project uses only Ruby and NodeJS).
How to enable it
In Claude Code, press Shift + Tab to cycle through permission modes until you reach auto mode.
When auto mode is enabled, Claude Code will also render "auto mode on".
To enable it as a default, add to your ~/.claude/settings.json:
{
"permissions": {
"defaultMode": "auto"
}
}
Note that Claude Code does not accept this from a per-project configuration (in your project's .claude/settings.local.json).
How safe is it?
Because Auto Mode relies on a non-deterministic LLM classifier, it cannot be as safe as thoroughly inspecting any permission check manually.
However, humans tend to (a) be slow at that and (b) are prone to blind click-throughs ("Alert Fatigue").
Auto mode keeps your agent at a quick pace through long sessions. We consider it to be overall superior to other auto-approval modes we've encountered in e.g. Cursor or keeping a curated allowlist.
We recommend also enabling Claude Code's sandbox and restricting it further for an extra layer of security.