Source: ai-research/claude-blog-auto-mode.md — Anthropic first-party blog post, claude.com/blog/auto-mode, originally published as a research-preview announcement around 2026-03-24 (dated via Week 13 release notes and the post’s own “works with Claude Sonnet 4.6 and Opus 4.6” line — that model pairing places it squarely in the pre-Fable-5, pre-Opus-4.8 era), carrying a 2026-07-10 update banner confirming general availability for all users. Surfaced via claude-ai/_research-agenda.md: cited by 3 articles from the 2026-07-16 backlog-clear batch but never fetched as a primary source, despite “auto mode” being one of the wiki’s most heavily-referenced terms (45+ files mention it, with no dedicated hub article until now).
Claude Code’s default permissions ask for approval on every file write and bash command — safe, but it means a large task can’t run unattended. --dangerously-skip-permissions removes that friction entirely, at real risk if used outside an isolated environment. Auto mode is Anthropic’s middle path: a classifier reviews each tool call before it runs, letting safe actions through automatically and blocking/redirecting risky ones, with a permission prompt as the last resort. This article gives the term’s origin and mechanism from the first-party source, then consolidates a rollout timeline the wiki already had scattered across the CLI reference, the guardrails deep-dive, and seven weekly release digests.
Key Takeaways
- Auto mode is a middle path, not a binary toggle. A classifier reviews each tool call before execution, checking specifically for destructive actions — mass file deletion, sensitive data exfiltration, malicious code execution.
- Three possible outcomes per tool call: the classifier lets safe actions through automatically; it blocks risky ones and redirects Claude to a different approach; if Claude keeps hitting blocks on an action it insists on, it eventually surfaces a permission prompt to the human rather than looping forever.
- Anthropic is explicit that this reduces risk, not eliminates it. Direct from the post: the classifier “may still allow some risky actions” under ambiguous user intent or insufficient environmental context, “may also occasionally block benign actions,” and isolated environments remain the standing recommendation regardless of permission mode. Auto mode also carries a small token/cost/latency overhead per tool call.
- From opt-in research preview to general availability in under 4 months. Shipped March 24, 2026 as a Team-plan-only research preview (Sonnet 4.6 / Opus 4.6) → extended to Max plan → became default behavior for new sessions → extended to block irreversible actions by default → reached general availability for all users July 10, 2026 → extended to Bedrock/Vertex AI/Foundry the very next day.
- The empirical case for building it at all: Anthropic’s containment-engineering research found 93% of Claude Code permission prompts get approved — the more dialogs a user sees, the less scrutiny each one gets. Auto mode’s classifier is Anthropic’s fix for a permission system that technically fires every time but had stopped functioning as a real defense.
- The classifier’s own tradeoff, in numbers: per Agent Guardrails, Anthropic explicitly accepted blocking ~0.4% of benign commands to catch a meaningful share of a ~17% overeager-action rate — framed as defense-in-depth inside a sandbox, never a substitute for one.
- Two settings sharpen the default classifier:
autoMode.hard_denyblocks matching actions unconditionally even under broader allow rules;autoMode.classifyAllShellroutes every Bash/PowerShell command through the classifier instead of only arbitrary-code-execution patterns. Both documented in the CLI reference. - Auto mode is one press of a two-press toggle.
Shift+Tabcycles permission modes — the first press lands in auto mode, the second in Plan Mode.
How the Classifier Works
Claude Code’s default permissions are deliberately conservative — every file write and bash command asks for approval, which is safe but means a large task can’t run unattended, since Claude requests frequent human approvals along the way. Bypassing that with --dangerously-skip-permissions removes the friction entirely, at the cost of real risk if used outside an isolated environment.
Auto mode sits between the two. Before each tool call runs, a classifier checks it for potentially destructive actions — mass deleting files, sensitive data exfiltration, malicious code execution. Actions the classifier deems safe proceed automatically; risky ones get blocked, redirecting Claude to take a different approach. If Claude insists on an action that keeps getting blocked, it eventually triggers a permission prompt to the user rather than looping indefinitely.
Anthropic states the caveats directly rather than burying them: the classifier may still allow some risky actions through — when user intent is ambiguous, or when Claude doesn’t have enough context about the environment to recognize an action carries added risk — and it may occasionally block actions that were actually benign. The framing throughout is risk reduction, not risk elimination; isolated environments remain the recommended baseline no matter which permission mode is active.
Rollout Timeline
The wiki’s existing coverage (cli-reference.md, agent-guardrails.md, seven whats-new weekly digests) already tracked auto mode’s evolution piecemeal; consolidated here for the first time, every row traceable to a specific dated source:
| Date / Version | Milestone |
|---|---|
| ~Mar 24, 2026 (Week 13) | Ships as an opt-in research preview for Claude Team plan users, working with Claude Sonnet 4.6 and Opus 4.6 |
| Week 14 | PermissionDenied hook added — fires when the classifier denies a tool call; retry: true lets Claude try a different approach |
| Week 16 | Extended to Max plan on Opus 4.7 — --enable-auto-mode flag no longer required for that tier |
| Week 17 | $defaults support added — custom rules can supplement the built-in classifier list instead of replacing it |
| v2.1.111 | --enable-auto-mode flag removed entirely — auto mode joins the default Shift+Tab permission-mode cycle for everyone |
| Week 19, v2.1.136 | settings.autoMode.hard_deny added — blocks matching actions unconditionally regardless of allow exceptions |
| Week 22 / Week 26 | Per [[claude-ai/agent-guardrails |
| v2.1.193 | autoMode.classifyAllShell added — routes all Bash/PowerShell commands through the classifier, not just arbitrary-code-execution patterns; denial reasons now surface in the transcript, the denial toast, and /permissions recent denials |
| v2.1.205 (July 8) | Auto-mode transcript-tamper guard — a new built-in rule blocks commands that would tamper with session transcript files |
| Jul 10, 2026 | General availability for all users (this post’s own update banner) |
| v2.1.207 (July 11) | Extended to Bedrock, Vertex AI, and Foundry — no longer gated behind the CLAUDE_CODE_ENABLE_AUTO_MODE opt-in on those platforms; disableAutoMode setting added for opt-out |
| v2.1.208 | claude auto-mode defaults --label <prefix> — prints only the built-in classifier rules whose label matches a given prefix |
Try It
- Turn it on for a bounded task first, not your whole workflow.
Shift+Tabonce to enter auto mode, or launch with--permission-mode auto. Try it on a task with clear scope (a refactor, a test-writing pass) before trusting it with something open-ended. - Layer it, don’t rely on it alone. Per Agent Guardrails’s three-layer framing, auto mode is the permissions layer — pair it with sandboxing (an isolated environment or container) for anything touching real credentials or production systems. Anthropic’s own line applies here too: it reduces risk, it doesn’t eliminate it.
- Check
claude auto-mode defaults --label <prefix>(v2.1.208+) to see exactly which built-in classifier rules are active before turning it on for the first time. - On Bedrock, Vertex AI, or Foundry, auto mode is already default-available — check the
disableAutoModesetting if you specifically want the old prompt-every-time behavior back. - Set
autoMode.hard_denyfor anything that should never run automatically, even under broader allow rules — the escape hatch for “no, not even auto mode should do this.”
Open Questions
- Anthropic’s own walkthrough elsewhere in the wiki describes the classifier as checking two axes per tool call — “is the action destructive?” and “does it look like prompt injection?” — but this post’s own text only describes the destructive-action check explicitly. Worth confirming directly against the current docs (
code.claude.com/docs/en/permission-modes) whether prompt-injection detection is part of the same classifier or a separate mechanism. - “Making Claude Cowork ready for enterprise” is the one post from this article’s own “Related posts” carousel not yet fetched — tracked in
claude-ai/_research-agenda.md. - Anthropic’s containment-engineering article cites a different URL for auto mode —
anthropic.com/engineering/claude-code-auto-mode— distinct from this article’sclaude.com/blog/auto-modeprimary source. That engineering-blog URL reads like a deeper technical write-up (vs. this product-announcement post) and has not been fetched or ingested. Tracked as a new item inclaude-ai/_research-agenda.md.
Related
- Agent Guardrails — Hooks, Permissions, and Sandboxing — the deepest existing treatment of the classifier’s mechanics, the 93%-approval-rate origin story, and the three-layer containment framing this article’s Key Takeaways draw from.
- CLI Reference — every auto-mode setting and flag (
autoMode.hard_deny,autoMode.classifyAllShell,--label,$defaults,disableAutoMode) with version numbers. - Plan Mode — the other half of the
Shift+Tab Shift+Tabtoggle; auto mode is the first press, Plan Mode the second. - Anthropic Engineering — How We Contain Claude — the 93%-permission-approval-rate research that motivated building a classifier in the first place.
- Claude Mythos Preview — the system card’s own line on auto mode substantially reducing (not eliminating) sandbox-escape and credential-exfiltration risk during red-teaming.
- Dynamic Workflows and Loop Engineering — Getting Started with Loops — long-running, unattended work that depends on auto mode (or a sandbox) to avoid constant approval interruptions.
- Measuring AI Agent Autonomy in Practice — Anthropic’s broader research on autonomous-action risk that auto mode operationalizes at the tool-call level.
- Model vs. Effort and Claude for Government — two of this post’s own “Related posts” carousel links, both already in the wiki.