Claude Code Auto Mode: Safe Uninterrupted Development

If you've been waiting for Claude Code Auto Mode to exit beta, you missed the quiet announcement. There wasn't one.

Between March 24 and April 16, 2026, Anthropic shipped Auto Mode to Team, rolled it out to Enterprise and API, dropped the beta flag, and opened access to Max users. No "General Availability" post went up. The official permission-modes documentation still calls it a research preview. In practice, if you pay for Max, Team, or Enterprise, you have Auto Mode today, and the beta-era gatekeepers are gone.

This guide covers what Auto Mode actually is, what the AI classifier blocks versus allows, how to enable it without the deprecated flag, the exact system prompt Claude receives when Auto Mode is active, the open bugs worth knowing about, and how it compares to every other Claude Code autonomy feature.

The Problem Auto Mode Was Built For

Every Claude Code user hits the same wall. You're deep in a refactor, Claude needs to run npm test, and the permission prompt yanks you out of flow state. Click approve. Claude reads another file. Click approve. It writes a migration. Click approve. Thirty prompts later, you're rubber-stamping everything without reading it.

The alternative until early 2026 was --dangerously-skip-permissions, which removes every safety check. That works in a disposable container. On your actual machine with SSH keys, environment secrets, and git credentials? Not a reasonable option.

Auto Mode fills the gap. A background AI classifier evaluates each tool call before execution, blocking actions that look dangerous while letting safe operations proceed without prompting. Think of it as an AI security reviewer sitting between Claude and your system, making the approval decisions you would make, at machine speed.

The Quiet Rollout: Beta to Default

Auto Mode's path from research preview to default-available happened in four steps, none of them announced as formal GA:

The April 16 release is the moment most practitioners will remember. Before v2.1.111, you had to pass --enable-auto-mode at startup for Auto Mode to appear in the Shift+Tab cycle. After v2.1.111, it's in every session by default, the flag is deprecated, and Max users got access for the first time. That's functionally what going GA means. The docs just haven't caught up.

What's still gated: Auto Mode remains unavailable on Pro, Bedrock, Vertex, and Foundry. Haiku models are not supported. If you're on any of those, Auto Mode isn't available to you yet. Track Bedrock support at GitHub issue #41179.

What Auto Mode Actually Does

Auto Mode is a permission mode that sits between default (approve everything manually) and bypassPermissions (no checks at all). When enabled, Claude executes actions without showing permission prompts. Before each action runs, a separate classifier model reviews the conversation context and the pending action to decide whether it should proceed.

The classifier checks for three categories of risk:

1. Scope escalation: Is Claude doing something beyond what you asked for?
2. Untrusted infrastructure: Is the action targeting systems the classifier doesn't recognize?
3. Prompt injection: Does the action look like it was driven by hostile content Claude encountered in a file or web page?

Safe actions proceed automatically. Risky ones get blocked, and Claude receives the reason so it can try an alternative approach. You keep working. The classifier keeps watching.

How the Classifier Works

The classifier runs on Claude Sonnet 4.6, regardless of which model your main session uses. It receives your user messages and tool calls as input, with Claude's own text and tool results stripped out. The design is intentional: because tool results never reach the classifier, hostile content embedded in files or web pages cannot manipulate its decisions directly.

The classifier also receives your CLAUDE.md content, so project-specific instructions factor into its allow and block decisions. Unlike your static permission rules, which match tool names and argument patterns, the classifier reads prose descriptions. It reasons about each action in context rather than matching syntax.

The pipeline runs in two stages. Stage one is a fast single-token yes/no filter tuned to err toward blocking. Most actions clear it in milliseconds. Stage two is a chain-of-thought reasoning call that only triggers when stage one flags something. Anthropic's published false-positive rate on real internal traffic is 0.4% at the full pipeline. The false-negative rate on a hand-curated "overeager actions" test set is 17%. That number matters. It's not zero, and any honest guide has to say so.

The Decision Order

Each action follows a fixed evaluation sequence. The first matching step wins:

This means your existing permission rules still take priority. If you have Bash(npm test) in your allow list, it executes instantly without a classifier call. If you have Bash(rm -rf *) in your deny list, it gets blocked before the classifier sees it.

What Happens to Broad Allow Rules

Here is the detail most users miss: on entering Auto Mode, Claude Code drops broad allow rules that grant arbitrary code execution. Rules like Bash(*), Bash(python*), Bash(node*), and any Agent allow rule get temporarily removed.

These rules would auto-approve the exact commands most capable of causing damage before the classifier ever evaluates them. If Bash(*) stayed active, every shell command would bypass the classifier entirely, defeating the purpose.

Narrow rules like Bash(npm test) or Bash(git status) carry over. The dropped rules restore when you leave Auto Mode.

The System Prompt Claude Receives in Auto Mode

Something no other guide publishes: when you switch to Auto Mode, the Claude Code harness injects a specific instruction block into every turn. The model sees it as a system reminder. It's the behavioral contract the harness gives to Claude. Captured verbatim from a live session:

Auto mode is active. The user chose continuous, autonomous execution. You should:

1. Execute immediately — Start implementing right away. Make reasonable assumptions and proceed on low-risk work.
2. Minimize interruptions — Prefer making reasonable assumptions over asking questions for routine decisions.
3. Prefer action over planning — Do not enter plan mode unless the user explicitly asks. When in doubt, start coding.
4. Expect course corrections — The user may provide suggestions or course corrections at any point; treat those as normal input.
5. Do not take overly destructive actions — Auto mode is not a license to destroy. Anything that deletes data or modifies shared or production systems still needs explicit user confirmation. If you reach such a decision point, ask and wait, or course correct to a safer method instead.
6. Avoid data exfiltration — Post even routine messages to chat platforms or work tickets only if the user has directed you to. You must not share secrets (e.g. credentials, internal documentation) unless the user has explicitly authorized both that specific secret and its destination.

Six mandates, and each has real implications:

"Execute immediately" means Claude will not ask for confirmation on routine work the way it does in default mode. It starts coding.

"Minimize interruptions" is why Auto Mode feels fast. The model is told to choose between multiple valid approaches rather than asking which one you want.

"Prefer action over planning" is the one most likely to surprise new Auto Mode users. If you're used to Claude writing a plan first, Auto Mode tells it to skip that and start building. You can still request a plan explicitly.

"Expect course corrections" is the safety valve. The harness knows you might interrupt mid-task. It tells Claude not to treat corrections as failures or defensive re-planning, but as normal input.

"Do not take overly destructive actions" is the hard floor the LLM enforces on itself, independent of the classifier. Even if the classifier would approve, the model is told to pause on anything that deletes data or modifies shared systems. This creates a two-layer safety net: the model self-censors on destructive paths, and the classifier blocks what the model still tries.

"Avoid data exfiltration" is the one most guides miss. Auto Mode actively instructs Claude not to send your secrets to chat platforms or work tickets, not to share credentials or internal docs unless you've explicitly authorized both the secret and the destination. This is a bigger deal than it sounds. The same model that's been told to "execute immediately" is also told to stop at secrets.

If you're deciding whether to trust Auto Mode: the behavioral contract is tight. It's not YOLO mode. It's a specific mandate to work fast, with named escape hatches for destructive operations and data leakage. The classifier enforces the hard boundary. The system prompt shapes the judgment calls in between.

What Gets Blocked vs. Allowed

The classifier operates on a trust boundary model. It trusts your local working directory and, if you're in a git repo, that repo's configured remotes. Everything else is treated as external until you tell it otherwise.

Blocked by Default

Allowed by Default

If the classifier blocks something routine for your team, like pushing to your org's repo or writing to a company storage bucket, that is because the classifier does not know those are trusted. Administrators can configure trusted infrastructure through the autoMode.environment setting. See the configuring the auto mode classifier docs for the full setup.

How to Enable Auto Mode

Prerequisites

Auto Mode requires:

• A Max, Team, Enterprise, or API plan. Not available on Pro, Bedrock, Vertex, or Foundry.
• Claude Sonnet 4.6, Opus 4.6, or Opus 4.7 (Max plan requires Opus 4.7). Haiku and claude-3 models are unsupported.
• Admin enablement for Team and Enterprise plans. An admin must enable Auto Mode in Claude Code admin settings before users can turn it on. Max and API users can enable it directly.

CLI

As of v2.1.111, Auto Mode is available in every session without a startup flag. Launch Claude Code and cycle to it:

claude

Press Shift+Tab to cycle through modes: default -> acceptEdits -> plan -> auto. The current mode appears in the status bar.

To start directly in Auto Mode:

claude --permission-mode auto

If you're on a script or shell alias that previously set --enable-auto-mode, remove it. The flag is deprecated and no longer appears in help output.

To make Auto Mode the default for a specific project, add this to .claude/settings.json:

{
  "permissions": {
    "defaultMode": "auto"
  }
}

Known issue: some users report that defaultMode: "auto" in settings.json is parsed but sessions don't actually start in Auto Mode. You may need to manually cycle to it with Shift+Tab. See GitHub issue #49273 for status.

VS Code

1. Open the Claude Code extension settings
2. Enable Allow dangerously skip permissions (this unlocks Auto Mode in the UI)
3. Click the mode indicator at the bottom of the prompt box
4. Select Auto from the dropdown

Desktop App

1. Enable Auto Mode in Desktop settings
2. Use the mode selector next to the send button
3. Select Auto from the dropdown

Auto Mode is disabled by default on the Claude desktop app. You need to enable it explicitly in settings first.

Non-Interactive Mode

Auto Mode works with the -p flag for scripted runs:

claude -p "refactor the auth module" --permission-mode auto

If the classifier triggers a fallback (see below), non-interactive mode aborts the session since there is no user to prompt.

How Auto Mode Handles Subagents

For teams using autonomous agent loops or multi-agent architectures, subagent handling matters. Auto Mode evaluates subagents at three points:

At spawn: The classifier evaluates the delegated task description before the subagent starts. A task like "delete all remote branches matching this pattern" gets blocked before the subagent ever executes.

During execution: Inside the subagent, Auto Mode runs with the same block and allow rules as the parent session. Any permissionMode the subagent defines in its own frontmatter is ignored. Each tool call goes through the classifier independently.

On return: When the subagent finishes, the classifier reviews its full action history. A subagent that looked benign at spawn could have been compromised mid-run by content it read. If the return check flags a concern, a security warning gets prepended to the subagent's results so the main agent can decide how to proceed.

This three-checkpoint approach means you do not need to trust subagents implicitly. The classifier watches them the same way it watches the main session.

Auto Mode vs. Every Other Claude Code Autonomy Feature

Most guides blur Auto Mode together with --dangerously-skip-permissions, Routines, and Plan Mode. They're different things.

Permission modes control how every action in a session gets approved or denied:

Scheduling features run Claude Code automatically on a cron or in a loop, and they run inside whatever permission mode you set. They're orthogonal to Auto Mode:

• Scheduled tasks run Claude on a cron schedule.
• Routines are recurring remote agent runs.
• Autonomous agent loops run prompts repeatedly until a condition is met.

All three of these can run under Auto Mode, under bypassPermissions in a container, or under any other permission mode. Choose the permission mode based on trust boundaries. Choose the scheduling feature based on cadence.

The key tradeoff Auto Mode makes: it costs more tokens and adds latency per checked action, but eliminates the flow-destroying permission prompts that make default mode painful for extended sessions.

When to Use Auto Mode

Use Auto Mode when:

• You're running long tasks where constant approval prompts break your concentration
• You trust the general direction of the work but want a safety net against mistakes
• You're using agent loops where no human is available to approve every step
• You want something safer than bypassPermissions for non-containerized development

Do not use Auto Mode when:

• You're making changes to production infrastructure (the classifier blocks these by default, and for good reason)
• You're working on unfamiliar code where you want to review every action
• You need deterministic, auditable permission control (use dontAsk with explicit allow rules instead)
• You're extremely cost-sensitive (classifier calls add token usage)

When Auto Mode Falls Back

The fallback design prevents false positives from derailing your session. If the classifier blocks an action 3 times in a row or 20 times total in one session, Auto Mode pauses and Claude Code resumes prompting for each action manually.

These thresholds are not configurable.

When the fallback triggers:

• CLI: A notification appears in the status area. Approving the prompted action resets the denial counters, so you can continue in Auto Mode afterward.
• Non-interactive mode (-p flag): The session aborts, since there is no user to prompt.

Repeated blocks usually mean one of two things: the task genuinely requires actions the classifier is designed to stop, or the classifier is missing context about your trusted infrastructure. If blocks look like false positives, use /feedback to report them. If the classifier does not recognize your repos or services, have an administrator configure trusted infrastructure in managed settings.

Known Issues Worth Flagging

Auto Mode shipped with real bugs, and several remain open as of April 2026. A complete guide names them:

Classifier using the wrong model (#49837). Docs state the classifier runs on Sonnet 4.6 regardless of your session model. Users report seeing it call Opus 4.7 instead, which changes cost and latency characteristics. Status: open.

defaultMode: "auto" ignored (#49273). Setting Auto Mode as the default in settings.json is parsed but not honored on session start. You need to Shift+Tab each session. Workaround: use --permission-mode auto in a shell alias.

Explicit user boundaries occasionally bypassed (#51689). If you tell Claude "don't push yet" in chat, the classifier is supposed to enforce that boundary. Users report cases where it doesn't, especially after context compaction clears the earlier message. For hard guarantees, add a deny rule instead of relying on a natural-language boundary.

--dangerously-skip-permissions silently downgraded (#51327). In some configurations, the flag gets downgraded to Auto Mode, which prompts users who expected no prompts at all. If you script Claude Code expecting bypassPermissions semantics, verify the flag is still honored in your version.

Haiku discoverability (#45199). Users on Haiku who try to enable Auto Mode get a generic "unavailable" error without the information that Haiku itself is unsupported. If you're on Haiku for cost reasons and want Auto Mode, switch to Sonnet 4.6 for that session.

None of these are dealbreakers for most workflows. But if you're about to trust Auto Mode with an overnight run or a CI pipeline, skim the open issues list first.

Defense in Depth: Auto Mode in Your Security Stack

Auto Mode is one layer. On its own, it provides more protection than bypassPermissions but less than manually reviewing each action. The strongest security posture combines multiple layers:

Layer 1: Permission rules. Your settings.json allow/deny rules resolve before the classifier runs. Use them for deterministic control over specific tools and commands.

Layer 2: Auto Mode classifier. Evaluates everything the permission rules do not catch. Reasons about context, not just pattern matching.

Layer 3: Hooks. PreToolUse hooks run custom logic before the permission system. The Permission Hook provides LLM-powered auto-approval with a three-tier system (fast approve, fast deny, LLM analysis). Hooks and Auto Mode coexist: hooks run first and can approve, deny, or escalate before the classifier sees the action.

Layer 4: Sandboxing. OS-level sandboxing restricts filesystem and network access at the kernel level. Even if the classifier misses something, the sandbox prevents Bash commands from reaching resources outside defined boundaries. This matters because the classifier evaluates intent, while the sandbox enforces hard boundaries.

Layer 5: Self-validating agents and stop hooks. These ensure agents complete tasks correctly and do not drift from their assigned scope, adding another verification layer on top of permission controls.

Each layer catches what the others miss. That is what defense in depth means in practice.

Limitations: What You Should Know

Auto Mode is no longer labeled "beta" in the CLI, but Anthropic's own documentation still calls it a "research preview." That's not just branding:

• It does not guarantee safety. Anthropic's engineering post reports a 0.4% false-positive rate on real internal traffic and a 17% false-negative rate against a hand-curated "overeager actions" test set. That's a significant upgrade over bypassPermissions (which has a 100% false-negative rate by definition), but 17% is not zero. The classifier can miss risky actions when user intent is ambiguous or when the model lacks environment context.

• It costs more. Classifier calls count toward your token usage. Each checked action sends a portion of the transcript plus the pending action to a Sonnet 4.6 call. Read-only actions and file edits in your working directory skip the classifier, so most of the overhead comes from shell commands and network operations.

• It adds latency. Each classifier check adds a round trip before the action executes. For rapid shell command sequences, this is noticeable.

• Natural-language boundaries decay with context compaction. When you tell Claude "don't deploy to production," the classifier enforces that only as long as your message stays in the transcript. Heavy context compaction can clear that message, and the boundary disappears. For hard guarantees, use deny rules in settings.json.

• Sandbox trust is all-or-nothing. Auto Mode trusts your working directory and configured git remotes, and treats everything else as external. If you work across multiple repos or cloud buckets, the classifier will block actions on repos it doesn't know about. Administrators can configure trusted infrastructure via the autoMode.environment setting.

• Not a replacement for review on sensitive operations. For anything touching production, credentials, or shared infrastructure, manual review remains the right choice.

Use /feedback to report false positives and missed blocks. Every report helps calibrate the system.

What's Next

Auto Mode ships as part of Claude Code by default on Max, Team, Enterprise, and API plans. The permission dilemma that forced you to choose between safety and speed has a middle path, and it's no longer hidden behind a beta flag.

To build a complete setup around it:

• Set up permission rules for deterministic control over specific tools
• Configure hooks for custom permission logic beyond what the classifier handles
• Enable sandboxing for OS-level enforcement as a hard backstop
• Review the settings reference for all permission-related configuration
• If you run Claude Code on a schedule or in long loops, pair Auto Mode with scheduled tasks or autonomous agent loops for hands-off execution

The permission prompt is no longer the bottleneck. The classifier is watching, the system prompt keeps Claude honest, and you can get back to building.

If you want a production-ready Claude Code setup with permission rules, hooks, and sandboxing already configured for Auto Mode, the ClaudeFast Complete Kit ships with all the layers above preconfigured.