Auto Mode: Running Claude Without Interruptions
- Explain how the auto mode classifier evaluates tool calls independently from the main working model
- Identify which action categories are blocked by default in auto mode and the reasoning behind each boundary
- Configure trusted infrastructure using autoMode.environment to reduce false positives for your organization's internal services
The Problem with Trusting Claude's Own Judgment
When you run Claude Code in bypassPermissions mode, every tool call executes immediately. Claude decides it should push to the repository and it pushes. Claude decides a file should be deleted and it deletes. There are no guardrails. For an isolated throwaway environment, that's fine. For any real project, it's a trust model that one bad prompt or one piece of hostile content in a file could exploit.
Auto mode takes a different approach. Instead of trusting Claude's judgment entirely, it adds a separate classifier model that evaluates each tool call before execution. The classifier is not the model doing the work — it's an independent evaluator that applies a set of safety rules to decide whether the pending action looks safe. If yes, the action runs. If no, it's blocked and Claude receives the reason so it can try a different approach.
This architecture matters because it's resistant to prompt injection. The classifier strips tool results from what it sees — so hostile content in a file Claude reads can't trick the classifier into approving dangerous actions. The working model and the safety layer stay separate.
How the Classifier Works
Every time Claude wants to run a tool call that isn't a read or a file edit in your working directory, the request goes to the classifier. The classifier receives a portion of the conversation transcript and the pending action, applies its rule set, and returns a yes-or-no decision with a reason.
The classifier runs on a server-configured model independent of your /model selection. Switching to a faster or cheaper model doesn't change which model evaluates safety. Classifier calls count against your token usage, but the overhead is small because reads and working-directory edits skip the classifier entirely — only shell commands, network requests, and other higher-risk operations route through it.
The working model receives the classifier's reason when a call is blocked, allowing it to try a safer alternative. If the classifier blocks the same action three times in a row, or twenty times total in a session, auto mode pauses and Claude Code resumes prompting you — a safety valve that prevents runaway retry loops.
What the Classifier Blocks by Default
The default block list targets actions that are irreversible, could exfiltrate data, or could impact shared infrastructure. Key categories:
- Code execution from untrusted sources:
curl | bash, downloading and piping to a shell - Force operations:
git push --force,git reset --hardon commits you didn't create this session,git commit --amendon already-pushed commits - Infrastructure changes:
terraform destroy,pulumi destroy, applying IaC plans that destroy resources - Production deploys and migrations: deploys to production namespaces, database migrations
- Mass deletion: wildcard deletes on cloud storage, shared temp directory cleanups that would affect other users
- Credential exposure: printing live credentials or tokens into the transcript or files
- External exfiltration: sending repository contents to third-party code review APIs, sending sensitive data to unrecognized endpoints
The list is not static — Claude Code updates it with each release. Run claude auto-mode defaults to print the current built-in rules as JSON.
What Gets Allowed by Default
The classifier's allow side is equally important. By default, auto mode permits:
- All file operations in your working directory
- Installing dependencies declared in your lock files or manifests
- Reading
.envfiles and sending those credentials to their matching API - Read-only HTTP requests
- Pushing to the branch you started on or one Claude created this session
Narrow allow rules you've already defined (like Bash(npm test)) carry over into auto mode. Broad allow rules that grant arbitrary code execution — Bash(*), wildcarded interpreters, package manager run commands — are suspended while auto mode is active. They restore when you leave auto mode.
Configuring Trusted Infrastructure
The most common source of false positives in auto mode is the classifier not knowing what's "inside" your trust boundary. By default, it trusts only your working directory and the git remotes configured when the session started. Pushing to your company's internal GitHub org or writing to a team S3 bucket looks like an external operation until you tell the classifier otherwise.
Add trusted infrastructure in ~/.claude/settings.json under autoMode.environment:
{
"autoMode": {
"environment": [
"$defaults",
"Organization: Acme Corp. Primary use: software development",
"Source control: github.example.com/acme-corp and all repos under it",
"Trusted cloud buckets: s3://acme-build-artifacts, gs://acme-ml-datasets",
"Trusted internal domains: *.corp.example.com, api.internal.example.com"
]
}
}
The "$defaults" string splices in the built-in entries so you keep all default rules alongside your additions. Entries are natural-language prose, not regex — write them as you'd describe your infrastructure to a new engineer.
After saving, run claude auto-mode config to confirm the classifier sees your additions with "$defaults" expanded in place.
Inspecting and Adjusting the Rules
Three CLI subcommands help you work with the auto mode configuration:
claude auto-mode defaults— prints the built-in environment, allow, soft_deny, and hard_deny rules as JSONclaude auto-mode config— prints what the classifier actually uses with your settings appliedclaude auto-mode critique— gets AI feedback on your custom rules, flagging ambiguous or redundant entries
When a specific action keeps getting blocked, the denial reason appears next to the blocked tool call in the transcript. Look at the reason before adding an allow rule — sometimes the reason reveals a misconfigured rule or an unexpected trust boundary that a different fix addresses more cleanly.
For actions that must never run regardless of user intent, add them to autoMode.hard_deny. For destructive actions that explicit user intent should be able to override, add to autoMode.soft_deny. For exceptions to soft blocks, add to autoMode.allow. Always include "$defaults" in each list to avoid accidentally discarding built-in safety rules.
- The classifier is a separate model from the one doing the work — it evaluates each tool call independently and strips tool results so hostile file content cannot manipulate its decisions
- Default blocks target irreversibility and exfiltration — force push, curl|bash, terraform destroy, production deploys, and credential exposure all stop at the classifier before Claude can execute them
- autoMode.environment is the primary tuning lever — listing your org's repos, buckets, and internal domains tells the classifier where your trust boundary actually lies
- Three consecutive blocks pause auto mode — Claude Code resumes prompting after repeated denials, giving you a recovery path without having to restart the session
- claude auto-mode config shows your effective rules — run it after any settings change to confirm the classifier sees exactly the environment you intended