Auto Mode
Auto mode is a permission mode that uses a classifier model (Claude Sonnet 4.6) to evaluate each tool call before execution. Safe actions proceed automatically, risky ones get blocked. It sits between the default interactive mode (asks every time) and --dangerously-skip-permissions (no checks at all).
Auto mode is currently a research preview for Team plan users. Enterprise and API support is rolling out. It requires Claude Sonnet 4.6 or Opus 4.6 as the session model.
How to enable
CLI:
claude --enable-auto-mode
This adds auto to the permission mode cycle accessible via Shift+Tab (default → acceptEdits → plan → auto).
VS Code / Desktop app: Enable auto mode in Settings → Claude Code, then select it from the permission mode dropdown.
Team/Enterprise: An admin must enable auto mode in Claude Code admin settings before individual users can access it.
How it works
- Before each tool call, a classifier (always Claude Sonnet 4.6, regardless of your session model) reviews the conversation context and proposed action.
- Safe actions (file edits within the working directory, read-only operations) proceed automatically without prompting.
- Risky actions (mass file deletions, data exfiltration attempts, malicious code execution, prompt injection patterns) get blocked, and Claude tries a different approach.
- Read-only actions and file edits in the working directory do not trigger a classifier call. Shell commands and network operations do.
Circuit breaker
If the classifier blocks an action 3 times in a row or 20 times total in one session, auto mode pauses and Claude reverts to prompting for each action. These thresholds are not configurable.
Comparison with other permission modes
| Mode | Flag | Behavior |
|---|---|---|
| default | (none) | Asks for confirmation on every sensitive operation |
| acceptEdits | --permission-mode acceptEdits | Auto-approves file edits; bash commands still prompt |
| plan | --permission-mode plan | Read-only; Claude can analyze but not make changes |
| auto | --enable-auto-mode | Classifier auto-approves safe actions, blocks risky ones |
| bypassPermissions | --dangerously-skip-permissions | Auto-approves everything; no safety checks (hooks still run) |
| dontAsk | --permission-mode dontAsk | Converts any permission prompt into a denial; only pre-approved tools run |
Configuration
Auto mode behavior is customizable via three sections in your settings:
| Section | Purpose |
|---|---|
environment | Tells the classifier about your org: company name, source control orgs, cloud providers, trusted domains, compliance constraints |
allow | Actions the classifier should always permit (replaces defaults if set) |
soft_deny | Actions the classifier should block unless the user's message specifically and directly describes that exact action |
Configuration rules
- Setting
alloworsoft_denyreplaces the entire default list for that section. - Setting
environmentalone leaves defaults forallowandsoft_denyintact. - Evaluation order: deny → ask → allow (first match wins).
- If the user's message directly describes the exact action Claude is about to take, the classifier allows it even if a
soft_denyrule matches. General requests (like "clean up the repo") do not overridesoft_deny.
Example configuration
{
"autoMode": {
"environment": {
"company": "Acme Corp",
"sourceControlOrgs": ["acme-corp"],
"cloudProviders": ["aws"],
"trustedDomains": ["*.acme.internal"]
},
"allow": [
"Run npm and node commands",
"Read and write files in the project directory"
],
"soft_deny": [
"Delete more than 5 files at once",
"Run commands that access production databases"
]
}
}
CLI inspection commands
Use these subcommands to inspect and validate your auto mode configuration:
# Print built-in default rules
claude auto-mode defaults
# Show effective config (your settings where set, defaults otherwise)
claude auto-mode config
# Get AI feedback on your custom rules
claude auto-mode critique
Availability
| Requirement | Detail |
|---|---|
| Plans | Team (now), Enterprise and API rolling out |
| Models | Claude Sonnet 4.6 and Opus 4.6 only |
| Not available | Haiku, Claude 3 models, third-party providers (Bedrock, Vertex, Foundry) |
| Enterprise opt-out | Admins can disable with "disableAutoMode": "disable" in managed settings |
Caveats
- Token usage: Auto mode may slightly increase token consumption, cost, and latency due to classifier calls on shell and network operations.
- Not a hard sandbox: The classifier uses in-context reasoning. Anthropic recommends using auto mode in sandboxed environments to limit potential damage.
- Research preview: Behavior and configuration options may change before general availability.