In its third major release of the week, Anthropic has launched “Auto Mode” for Claude Code, a new permissions layer designed to bridge the gap between “conservative safety” and “autonomous speed.”
The feature, which entered research preview yesterday, allows Claude to make its own decisions about which commands to run—effectively acting as a “middle path” for developers who are tired of manually approving every single file write or bash command.
1. The Three-Tier Permission Model
With the addition of Auto Mode, Claude Code now offers three distinct ways to handle the “agentic loop.”
| Mode | Behavior | Best For |
| --- | --- | --- |
| Default | Requires human approval for every write/bash command. | Sensitive production code; new users. |
| Auto Mode | Claude decides. Safe actions proceed; risky ones are blocked. | Long tasks; reducing “prompt fatigue.” |
| Bypass | Zero prompts. No safety checks; total autonomy. | Isolated sandboxes & containers only. |
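The approval logic in the table above can be sketched in a few lines of Python. This is an illustrative model, not Anthropic’s implementation; the `Mode` enum and `requires_approval` function are hypothetical names.

```python
from enum import Enum

class Mode(Enum):
    DEFAULT = "default"  # human approves every write/bash command
    AUTO = "auto"        # classifier decides; risky actions blocked
    BYPASS = "bypass"    # no prompts, no safety checks

def requires_approval(mode: Mode, classifier_says_risky: bool) -> bool:
    """Return True if the user must approve the proposed action."""
    if mode is Mode.DEFAULT:
        return True                  # every action needs a human
    if mode is Mode.BYPASS:
        return False                 # total autonomy
    # AUTO: safe actions proceed automatically; risky ones are
    # blocked (and may later escalate to a permission prompt).
    return classifier_says_risky
```

The point of the middle tier is that the human is only in the loop when the classifier flags risk, rather than on every action (Default) or never (Bypass).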
How the “Auto” Brain Works
Auto Mode isn’t just an “all-access” pass. Before every action, a specialized classifier model (running on Claude Sonnet 4.6) reviews the proposed command:
- Safe Actions: Minor file edits, standard `git` commands, and local tests proceed automatically.
- Risky Actions: Mass file deletions, sensitive data exfiltration attempts, or “scope escalation” (trying to wander outside the project folder) are immediately blocked.
- The Fail-Safe: If Claude repeatedly attempts a blocked action, Claude Code eventually falls back to a standard permission prompt so the user can decide.
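The classify-then-escalate flow described above can be sketched as a small gate function. Everything here is a hypothetical model of the behavior the announcement describes: `classify`, `prompt_user`, and the escalation threshold are assumptions, not documented internals.

```python
def gate(action, classify, prompt_user, blocked_counts, escalate_after=3):
    """Screen one proposed action.

    classify(action)    -> "safe" or "risky" (a separate model call,
                           which is where the extra latency/tokens go)
    prompt_user(action) -> True if the human approves (the fail-safe)
    blocked_counts      -> dict tracking repeated attempts per action
    """
    if classify(action) == "safe":
        return "execute"                       # safe actions just run
    blocked_counts[action] = blocked_counts.get(action, 0) + 1
    if blocked_counts[action] >= escalate_after:
        # Claude keeps insisting: escalate to a standard prompt.
        return "execute" if prompt_user(action) else "deny"
    return "deny"                              # blocked silently for now
```

Note that the human is consulted only after repeated blocked attempts, which is what keeps Auto Mode quieter than Default while remaining stricter than Bypass.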
2. Setup & Compatibility
The feature is currently restricted to high-tier users and specific models.
- Eligibility: Available to Claude Team plan users (Research Preview). Enterprise and API access is expected by next week.
- Models: Compatible with both Sonnet 4.6 and the newly released Opus 4.6.
- Activation:
  - CLI: Run `claude --enable-auto-mode`, then use `Shift + Tab` to toggle between modes during a session.
  - VS Code / Desktop: Toggle “Auto Mode” in Settings > Claude Code, then select it from the dropdown in your chat.
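For the CLI route, a typical session would look like the following. The flag is the one quoted in the announcement; whether it works for you depends on plan eligibility.

```shell
# Enable Auto Mode for a Claude Code session (Research Preview;
# Team plan only at launch).
claude --enable-auto-mode

# Once inside the session, press Shift + Tab to cycle between
# Default, Auto, and Bypass permission modes.
```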
3. Risks & “Guardrail” Realities
Anthropic has been remarkably candid about the limitations of this “middle path.”
- The “Non-Deterministic” Risk: Because the safety check is performed by another AI (the classifier), it is not foolproof. It can occasionally allow a risky action if the user’s intent is ambiguous.
- Performance Impact: Each “Auto” check adds a small amount of latency and increases token consumption, as the transcript must be sent to the classifier before each tool call.
- The “LiteLLM” Warning: Critics like Simon Willison have noted that because Auto Mode allows `pip install` by default, it remains vulnerable to supply-chain attacks (malicious code hiding behind a trusted package name).
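One common mitigation for the supply-chain risk above is to auto-approve `pip install` only for a pre-vetted allowlist of packages. The sketch below is illustrative only, not a Claude Code feature; the allowlist contents and function name are invented for the example.

```python
import shlex

TRUSTED_PACKAGES = {"requests", "numpy", "pytest"}  # hypothetical allowlist

def pip_install_is_allowlisted(command: str) -> bool:
    """Auto-approve a `pip install` only if every requested package
    is on the allowlist; anything else falls back to a human prompt."""
    tokens = shlex.split(command)
    if tokens[:2] != ["pip", "install"]:
        return False                              # not a pip install
    packages = [t for t in tokens[2:] if not t.startswith("-")]
    return bool(packages) and all(p in TRUSTED_PACKAGES for p in packages)
```

Even this narrows rather than eliminates the risk: a trusted package name can still ship a compromised release, which is exactly the scenario Willison warns about.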
“Auto Mode is about reducing friction, not eliminating risk,” noted an Anthropic spokesperson. “We still strongly recommend running these autonomous sessions in isolated environments or containers.”
