Claude Code Internals

Permission System

Claude Code has 6 permission modes that control how tool calls are approved or denied. Auto mode uses a 2-stage AI classifier called the YOLO classifier to decide without asking the user.

6 permission modes; 2 classifier stages; stage 1 limit: 64 tokens; stage 2 limit: 4096 tokens.

Permission modes

default (low risk)

Asks the user on sensitive operations. The standard mode for most sessions.

acceptEdits (low risk)

Auto-approves all file read/write/edit operations. Shell and network still prompt.

bypassPermissions (high risk)

Auto-approves every single tool call, including destructive ones. No safety checks.

dontAsk (low risk)

Instead of asking, automatically denies any tool call that would normally prompt. Used by the Claude Code Guide agent.

auto (medium risk)

An AI classifier decides allow/block without asking. Uses a 2-stage pipeline. Dangerous patterns are always blocked.

plan (low risk)

Special planning mode with restricted tool access. The classifier runs if active, else falls back to normal mode.

YOLO classifier (auto mode)

When auto mode is active, every tool call goes through a 2-stage XML classifier that decides allow or block without involving the user.

1. Stage 1: Fast decision (64 tokens max). Immediate yes/no. If the answer is clearly "allow", it passes instantly. No chain-of-thought.
2. Stage 2: Deep reasoning (up to 4096 tokens). Only runs if Stage 1 blocks. Up to 4096 tokens of chain-of-thought reasoning before reaching a verdict.
3. Output: <block>no</block>. The tool call is allowed. No output is shown to the user.
4. Output: <block>yes</block><reason>…</reason>. The tool call is blocked. A one-sentence reason is shown. Claude receives a denial-tracking increment.
5. Fallback: interactive mode. If the denial threshold is exceeded (too many consecutive blocks), auto mode falls back to asking the user. The count resets on any successful tool use.

Patterns blocked in auto mode

These command patterns are classified as high-risk and are blocked by the YOLO classifier in auto mode. You must approve them manually.

Interpreters: python, node, deno, ruby, perl, php, lua
Package runners: npx, bunx, npm run, yarn run, bun run
Shells: bash, sh, ssh
Eval / exec: eval, exec, sudo
Network: curl, wget
Cloud CLIs: kubectl, aws, gcloud, gsutil
Git: git (hooks risk)
GitHub: gh, gh api

How a tool call gets decided

1. Tool matched by allow rules? → Allow immediately.
2. Tool matched by deny rules? → Deny immediately.
3. Tool's checkPermissions() method. Each tool can return allow / ask / deny directly.
4. Mode handling. bypassPermissions → allow all. dontAsk → convert ask→deny. auto → run classifier. acceptEdits → fast-path for safe ops.
5. Fallback: interactive prompt. Ask the user if no rule matched and mode allows it.
bypassPermissions skips everything
In bypassPermissions mode there are no safety checks at all: no classifier, no deny rules, no interactive prompts. Every tool call is auto-approved including destructive operations. Only use this mode in fully trusted, isolated environments.
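The decision order and the auto-mode fallback described above, modelled as an added example (not Claude Code's own code). The mode names, checkPermissions() and the <block> verdict format come from the page; FALLBACK_AFTER, the stage1/stage2 stubs and all other names are assumptions, and acceptEdits and plan are left out.

```javascript
// Added example, not Claude Code's source. Mode names, checkPermissions() and the
// <block> verdict format come from the page; every other name is hypothetical.
const FALLBACK_AFTER = 3; // assumed value: the page gives no threshold

function parseVerdict(xml) {
  const m = /<block>(yes|no)<\/block>(?:<reason>([\s\S]*?)<\/reason>)?/.exec(xml);
  if (!m) return { block: true, reason: "unparseable verdict" }; // fail closed (assumption)
  return { block: m[1] === "yes", reason: m[2] || "" };
}

// Stage 2 runs only when stage 1 blocks; stage1/stage2 stand in for the model calls.
function classify(call, { stage1, stage2 }) {
  const fast = parseVerdict(stage1(call));
  return fast.block ? parseVerdict(stage2(call)) : fast;
}

function decide(call, ctx) {
  const { mode, allowRules = [], denyRules = [], state } = ctx;
  // The page's callout says this mode skips deny rules too, so it is checked first here.
  if (mode === "bypassPermissions") return { decision: "allow", via: "mode" };
  if (allowRules.some((rule) => rule(call))) return { decision: "allow", via: "allow-rule" };
  if (denyRules.some((rule) => rule(call))) return { decision: "deny", via: "deny-rule" };
  const own = call.tool.checkPermissions(call); // "allow" | "ask" | "deny"
  if (own !== "ask") return { decision: own, via: "tool" }; // assumed to be final
  if (mode === "dontAsk") return { decision: "deny", via: "mode" }; // ask -> deny
  if (mode === "auto" && state.consecutiveBlocks < FALLBACK_AFTER) {
    const verdict = classify(call, ctx);
    if (!verdict.block) return { decision: "allow", via: "classifier" };
    state.consecutiveBlocks += 1; // denial tracking increment
    return { decision: "deny", via: "classifier", reason: verdict.reason };
  }
  return { decision: "ask", via: "prompt" }; // interactive fallback
}

// "Resets on any successful tool use."
function recordToolSuccess(state) { state.consecutiveBlocks = 0; }

// Constructed demo: a tool that always returns "ask" and stub stages that always block.
const demo = {
  mode: "auto",
  state: { consecutiveBlocks: 0 },
  stage1: () => "<block>yes</block>",
  stage2: () => "<block>yes</block><reason>network command needs manual approval</reason>",
};
const demoCall = { tool: { checkPermissions: () => "ask" } };
for (let i = 0; i < 4; i++) console.log(decide(demoCall, demo).decision); // deny x3, then ask
```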