The paper introduces "Auto mode" for Claude Code, a novel permissions management system designed to offer a crucial balance between the highly conservative default permissions and the unconstrained, high-risk --dangerously-skip-permissions option. Its primary objective is to enable the execution of complex, long-running computational tasks by significantly reducing the frequency of human approval prompts, concurrently mitigating the inherent security risks associated with completely bypassing permission checks.

Traditionally, Claude Code's default operational mode mandates explicit human approval for critical tool calls, including file write operations and arbitrary bash command executions. While inherently secure, this design leads to frequent interruptions, making it impractical for multi-step or extended processes. Conversely, the --dangerously-skip-permissions flag, while allowing uninterrupted execution, poses substantial security liabilities, rendering it unsuitable for production or sensitive environments due to the potential for destructive outcomes, sensitive data exfiltration, or malicious code execution.

Auto mode addresses this dilemma by implementing a sophisticated, automated permission decision-making methodology. The core mechanism is a classifier, a specialized machine learning model or rule-based system, which is invoked immediately before each prospective tool call is executed. This classifier's function is to perform a real-time risk assessment of the proposed action. Specifically, it analyzes the intended operation for indicators of "potentially destructive actions," which are categorized to include, but are not limited to:
\begin{itemize}
\item \textbf{Mass deletion of files:} Identifying operations that could lead to widespread data loss.
\item \textbf{Sensitive data exfiltration:} Detecting attempts to transfer confidential information outside the secure environment.
\item \textbf{Malicious code execution:} Recognizing patterns indicative of harmful or unauthorized program execution.
\end{itemize}

Based on this assessment, the classifier dictates the subsequent system behavior:
\begin{enumerate}
\item \textbf{Safe Actions:} If the classifier determines the action is "safe" or benign, it is permitted to proceed automatically without requiring user intervention.
\item \textbf{Risky Actions:} If the classifier identifies the action as "risky," it is immediately blocked. In such instances, Claude is not allowed to perform the action and is instead redirected to reformulate its approach, seeking an alternative, safer method to achieve the desired outcome.
\item \textbf{Persistent Blocking and User Recourse:} A crucial safeguard is implemented for scenarios where Claude repeatedly insists on attempting actions that are continuously blocked by the classifier. In such cases of persistent non-compliance or inability to find a safe alternative, the system ultimately triggers a manual permission prompt, reverting control back to the user for explicit approval or rejection.
\end{enumerate}

While Auto mode significantly reduces risk compared to completely skipping permissions, it does not entirely eliminate it. The classifier's efficacy can be limited by ambiguities in user intent or insufficient contextual information about the operating environment, potentially allowing some risky actions to proceed or inadvertently blocking benign ones. The system may also incur a minor impact on token consumption, computational cost, and latency for individual tool calls.

Auto mode is available as a research preview for Claude Team plan users, with subsequent rollout planned for Enterprise plan and API users. It supports Claude Sonnet 4.6 and Opus 4.6. Administrators can manage its availability via managed settings (e.g., disableAutoMode for CLI/VS Code) and Organization Settings for the desktop application, where it is disabled by default. Developers can enable it programmatically via claude --enable-auto-mode in the CLI or through settings in the desktop and VS Code extensions.