Choose a permission mode - Claude Code Docs

Detailed Analysis

Claude Code's permission mode system represents a deliberate architectural decision to give developers granular control over how autonomously the AI agent operates during coding sessions. The system offers six distinct modes — `default`, `acceptEdits`, `plan`, `auto`, `dontAsk`, and `bypassPermissions` — each calibrated to a different balance between human oversight and uninterrupted execution. In `default` mode, Claude pauses for approval before any action beyond reading files. `acceptEdits` extends auto-approval to file creation, editing, and common filesystem commands such as `mkdir`, `mv`, and `cp`, but only within the defined working directory. The `plan` mode restricts Claude to read-only analysis and proposal generation, making no modifications whatsoever. At the far end of the autonomy spectrum, `auto` applies background LLM-based safety checks to approve most actions without interruption, while `bypassPermissions` skips the permission layer entirely — a configuration explicitly scoped to isolated containers and virtual machines. The `dontAsk` mode inverts the usual logic, silently denying all tools that have not been explicitly pre-approved, making it suitable for locked-down CI/CD pipelines.

The permission system is designed with a layered architecture that separates baseline mode behavior from fine-grained rule customization. On top of any selected mode, users can define allow, ask, and deny rules that target specific tools, with denial taking precedence over asking, which in turn takes precedence over allowing. This tiered evaluation model — applied at user, project, or enterprise settings levels — allows organizations to enforce consistent policies across teams while still permitting individual developers to adjust behavior within those constraints. Notably, writes to protected paths are never auto-approved regardless of mode, providing a hard safeguard against accidental corruption of repository state or Claude's own configuration files. The one exception is `bypassPermissions`, which skips the permission layer entirely and is therefore explicitly restricted to sandboxed environments.

Mode switching is integrated into each supported interface with interface-appropriate affordances. In the CLI, `Shift+Tab` cycles through the core modes, with optional modes like `auto` and `bypassPermissions` appearing in the cycle only after explicit opt-in via flags or settings. VS Code and JetBrains expose mode selection through UI indicators and the extension settings panel, while the web and mobile interfaces offer a dropdown adjacent to the prompt input. Importantly, not all modes are available in all environments: cloud sessions on Claude.ai restrict users to `acceptEdits` and `plan`, while Remote Control sessions add `default` but still exclude `auto` and `bypassPermissions`. This differential availability reflects a deliberate risk management posture — more permissive modes require more controlled execution environments.

The permission mode framework reflects a broader trend in agentic AI tooling toward making autonomy configurable rather than fixed. As AI coding assistants move from single-turn suggestion tools toward multi-step autonomous agents capable of executing shell commands, modifying filesystems, and making network requests, the question of when and how to interrupt for human confirmation becomes a central design problem. The tension between reducing "prompt fatigue" — explicitly named as the primary use case for `auto` mode — and maintaining meaningful human oversight is not merely a UX concern but a substantive safety question. Anthropic's approach of shipping a spectrum of modes rather than a single default represents an acknowledgment that different workflows, risk tolerances, and trust contexts demand different oversight postures, and that no single setting can be appropriate across the full range of developer use cases.

The introduction of background LLM-based safety checks in `auto` mode is particularly significant as an architectural pattern. Rather than requiring synchronous human approval or offering unconditional execution, `auto` mode interposes a secondary AI evaluation step that verifies whether a proposed action aligns with the original request before proceeding. This "AI-as-oversight" pattern — using a model to guard another model's actions — is an emerging approach in agentic systems design and signals that Anthropic views fully autonomous operation not as an absence of checks, but as a shift in who or what performs those checks. The explicit labeling of `auto` mode as a "research preview" further indicates that this pattern is still being refined, and that the company is iterating on the balance between capability and safety in production agentic workflows.