Claude Code Auto Mode Guide: Automate Your Dev Workflow (2026)
TL;DR
- Claude Code ships three permission modes: Default (confirm every step), Auto Mode (AI classifier decides), and `--dangerously-skip-permissions` (skip everything). Auto Mode is the recommended middle ground for most automation.
- Auto Mode uses a separate AI classifier running on Claude Sonnet 4.6 that reviews each tool call before execution — auto-approving ~95% of safe actions, blocking risky ones.
- `--print` (
-p) captures Claude's final output to stdout, making it scriptable for CI pipelines. - For full automation in CI, combine
--dangerously-skip-permissionswith Docker isolation — never run it directly in a production repo.
The Permission Fatigue Problem
Claude Code's default mode is conservative by design: it pauses at every file write or shell command and waits for your approval. In daily local development, that's a reasonable safety net.
In automation contexts — CI pipelines, cron jobs, headless servers — it becomes a blocker. You can't approve prompts in a GitHub Actions runner.
Before 2026, the only way around this was --dangerously-skip-permissions: skip every check, let Claude run free. Effective, but blunt. One misread instruction, one ambiguous prompt, and Claude could delete files or push to the wrong branch.
Auto Mode, introduced by Anthropic in March 2026, is the answer to this tradeoff.
Three Permission Modes Compared
Default | Auto Mode |
| |
|---|---|---|---|
Permission prompts | Every tool call | AI classifier decides | None |
Safety mechanism | You | AI classifier (Sonnet 4.6) | None |
Target environment | Local dev, exploratory | Daily work, light automation | CI, Docker-isolated tasks |
Risk level | Low | Low–Medium | High |
Output | REPL conversation | REPL conversation | stdout via |
Recommended for | Getting started | Most users | CI pipelines only |
What Is Auto Mode?
Auto Mode sits between the two extremes. Instead of asking you about every action, Claude Code delegates permission decisions to a separate AI classifier — a dedicated model running on Claude Sonnet 4.6.
The classifier sees each tool call Claude is about to make and evaluates it against three risk criteria:
- Scope escalation: Is Claude attempting to do more than the user requested?
- Untrusted infrastructure: Is the action targeting an unrecognized system?
- Prompt injection: Does the action appear to be driven by hostile content Claude read somewhere?
For safe actions (routine file edits, running tests, local commands), the classifier approves automatically — no prompt. For risky actions (mass file deletion, writing to credential files, pushing to protected branches), the classifier blocks Claude and asks it to try a different approach.
Safety circuit breaker: If Claude is blocked three consecutive times — or 20 times total in a session — it falls back to prompting you directly. This prevents Claude from repeatedly attempting a blocked operation without a human making the final call.
Classifier design note: The classifier is deliberately "reasoning-blind" — it only sees user messages and Claude's tool calls, not Claude's own chain-of-thought or tool results. This prevents a malicious file Claude reads from manipulating the classifier through Claude's reasoning.
First-hand observation
In a May 2026 internal test, we ran Auto Mode on a 15-file Node.js project for bulk ESLint rule fixes. Claude completed 127 code changes across 4 minutes, including running the test suite mid-task and self-correcting two edits that broke tests. The classifier approved 124 of those actions automatically. Three triggered prompts — all were Claude attempting to modify a .env file mid-refactor, which the classifier correctly flagged. Zero unintended destructive operations.
Enabling Auto Mode
CLI: session toggle
During an interactive session, press Shift+Tab to cycle through permission modes:
# Start a session, then Shift+Tab to switch to Auto Mode
claude
# Or launch directly in Auto Mode
claude --permission-mode autoPersistent default
// ~/.claude/settings.json
{
"defaultPermissionMode": "auto"
}Project-level (commit with your repo)
// .claude/settings.json
{
"defaultPermissionMode": "auto"
}Teammates cloning the repo get Auto Mode by default.
Permission allowlists (combine with Auto Mode)
For operations you always want to approve without prompts, use allowedTools:
// .claude/settings.json
{
"defaultPermissionMode": "auto",
"allowedTools": ["npm run lint", "npm run test", "git commit"]
}This explicitly whitelists low-risk tools so the classifier doesn't need to evaluate them.
--dangerously-skip-permissions and --print for CI
When you need true headless operation — no classifier, no prompts, output to stdout — combine these two flags:
claude --dangerously-skip-permissions --print "Apply ESLint fixes to all .ts files in src/"--print (or -p) writes Claude's final response to stdout and exits. Exit code 0 = success, non-zero = error — standard for CI conditional logic.
Output format control
# Plain text (default)
claude -p "Review this diff" --output-format text
# JSON (machine-readable, includes cost metadata)
claude -p "Review this diff" --output-format json
# Streaming JSON (tokens as they arrive)
claude -p "Review this diff" --output-format stream-jsonPiping stdin
Claude accepts context via stdin — useful for passing diffs, logs, or file contents without temp files:
git diff HEAD~1 | claude -p "Summarize what changed and flag any potential issues"
cat build.log | claude -p "Identify the root cause of the build failure"CI/CD Integration Examples
1. Automated code review on every PR (GitHub Actions)
# .github/workflows/claude-review.yml
name: Claude Code Review
on: [pull_request]
jobs:
review:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Install Claude Code
run: npm install -g @anthropic/claude-code
- name: Run automated review
env:
ANTHROPIC_BASE_URL: https://api.codegateway.dev/v1
ANTHROPIC_API_KEY: ${{ secrets.CODEGATEWAY_API_KEY }}
run: |
git diff ${{ github.event.pull_request.base.sha }} ${{ github.event.pull_request.head.sha }} | \
claude -p "Review this diff. Flag: unhandled errors, missing input validation, SQL injection surfaces, and breaking API changes. Output markdown." \
--output-format text > review.md
- name: Post review as PR comment
uses: actions/github-script@v7
with:
script: |
const fs = require('fs');
const review = fs.readFileSync('review.md', 'utf8');
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `## Claude Code Review\n\n${review}`
});Set ANTHROPIC_BASE_URL to your CodeGateway endpoint — CI runners can connect from any region without connectivity issues.
2. Bulk refactoring across a large codebase
# Run in Docker for isolation (see safety section below)
docker run --rm \
-e ANTHROPIC_BASE_URL=https://api.codegateway.dev/v1 \
-e ANTHROPIC_API_KEY=$CODEGATEWAY_API_KEY \
-v $(pwd):/workspace \
-w /workspace \
node:22 \
claude --dangerously-skip-permissions \
"Migrate all axios 0.x calls to axios 1.x API. Update error handling to use the new AxiosError type. Run tests after each file change and revert if tests fail."3. Scheduled code quality check (cron job)
#!/bin/bash
# scripts/weekly-quality-check.sh
export ANTHROPIC_BASE_URL=https://api.codegateway.dev/v1
export ANTHROPIC_API_KEY=$CODEGATEWAY_API_KEY
REPORT_FILE="reports/quality-$(date +%Y-%m-%d).md"
claude --dangerously-skip-permissions --print \
"Analyze the codebase. Report on: unused variables and imports, circular dependencies, functions exceeding 50 lines, test coverage gaps (compare src/ vs tests/). Output a structured markdown report." \
--output-format text > $REPORT_FILE
# Send report via Slack webhook or email
curl -X POST $SLACK_WEBHOOK -d "{\"text\": \"Weekly quality report generated: $REPORT_FILE\"}"Schedule with cron:
0 9 * * 1 /path/to/scripts/weekly-quality-check.sh4. API documentation generation
cat src/api/new-endpoint.ts | \
claude -p "Generate OpenAPI 3.0 documentation for this TypeScript endpoint. Include: path, method, request body schema, response schemas (200, 400, 500), and example requests." \
--output-format text >> docs/api-reference.yamlRisks and Safe Usage Patterns
What NOT to do in Auto Mode or with --dangerously-skip-permissions
These operations should never run unattended — not even in Auto Mode, because the classifier may allow them depending on context:
- Connect to production databases (even read-only — SQL injection risk in generated queries)
- Read or write
.env,*.pem, credential files, or SSH keys git pushto main or any protected branch- Delete files outside an isolated scratch directory
- Call production API endpoints with real credentials
Sandbox with Docker (required for --dangerously-skip-permissions)
The minimum isolation setup:
# Dockerfile.claude-sandbox
FROM node:22-slim
RUN npm install -g @anthropic/claude-code
# Create non-root user
RUN useradd -m claudeuser
USER claudeuser
WORKDIR /workspacedocker run --rm \
--network none \ # No external network access
--read-only \ # Filesystem is read-only...
--tmpfs /workspace \ # ...except this scratch dir
-e ANTHROPIC_BASE_URL=... \
-e ANTHROPIC_API_KEY=... \
claude-sandbox \
claude --dangerously-skip-permissions --print "Your task here"For tasks that need to write to your actual codebase, mount only the specific directory:
docker run --rm \
-v $(pwd)/src:/workspace/src \ # Mount only src/, not the whole repo
-e ANTHROPIC_BASE_URL=... \
-e ANTHROPIC_API_KEY=... \
claude-sandbox \
claude --dangerously-skip-permissions "Refactor src/ to use async/await throughout"Token cost
Multi-step --dangerously-skip-permissions tasks consume 3–10x more tokens than a single-turn conversation — Claude is making multiple tool calls and reading file contents each round.
Auto Mode adds a small overhead: each tool call goes through the classifier, adding latency and a minor token cost on top.
For cost-sensitive CI pipelines, use the --output-format json flag to get token usage metadata per run and set budget expectations early.
Auto Mode vs --dangerously-skip-permissions: When to Use Which
Scenario | Recommended mode | Reason |
|---|---|---|
Daily coding with less interruption | Auto Mode | Classifier handles routine approvals; you stay in the loop for risky ops |
Quick local automation script | Auto Mode | Safer, no Docker setup required |
GitHub Actions / GitLab CI |
| Headless, no human to respond to classifier escalations |
Scheduled overnight batch jobs |
| Same — Docker provides the safety layer |
Exploring an unfamiliar codebase | Default mode | Maximum visibility into what Claude is doing |
Auto Mode and Sub-agents
Auto Mode is the permission layer that makes sub-agents work in practice. When Claude orchestrates multiple sub-agents — each handling a different part of a task — every sub-agent runs its own tool calls. Without Auto Mode or --dangerously-skip-permissions, each sub-agent would pause at every file operation, making orchestration impractical.
The typical setup:
- Orchestrator: Auto Mode (classifier keeps a light watch)
- Sub-agents handling isolated scopes:
--dangerously-skip-permissions+ sandboxed directories
See the Claude Code Sub-agents guide for a full walkthrough.
FAQ
Q: What's the difference between Auto Mode and `--dangerously-skip-permissions`?
Auto Mode uses an AI classifier to review each action and blocks risky ones, while --dangerously-skip-permissions skips all checks entirely. Auto Mode is safer and suitable for interactive use; --dangerously-skip-permissions is for fully headless CI environments where Docker provides the safety boundary.
Q: Does Auto Mode share conversation history with `--dangerously-skip-permissions` sessions?
No. Each invocation with --dangerously-skip-permissions --print is stateless — no history carries over between runs. If your task requires context from a previous run, pass it explicitly in the prompt or via stdin.
Q: Can Claude delete my files in `--dangerously-skip-permissions` mode?
Yes. If the task description implies cleanup (e.g., "remove unused files"), Claude may delete files. Always run in a Docker container or isolated directory. Never run it directly in your production repo root.
Q: Which API key should I use in CI?
Use a CodeGateway API key with ANTHROPIC_BASE_URL=https://api.codegateway.dev/v1. CI runners — whether GitHub-hosted, self-hosted, or cloud VMs — connect through CodeGateway's global edge network regardless of where they're located.
Q: Does `--print` support streaming output?
--print waits for the complete response before writing to stdout. For token-by-token streaming, use --output-format stream-json — but note that the output requires JSON parsing and isn't plain text.
Q: What happens if a task fails halfway through?
--dangerously-skip-permissions has no built-in checkpointing. Add explicit error-handling instructions to your prompt: "If processing a file fails, log the error to errors.log and continue to the next file." For critical pipelines, consider breaking the task into smaller atomic steps with their own verification.
Q: Does Auto Mode cost more tokens?
Slightly. Each tool call goes through the classifier, which adds a small number of tokens per action. For typical tasks, this overhead is under 5% of total token consumption. The bigger cost driver is the task itself — multi-step agentic tasks consume significantly more tokens than single-turn conversations regardless of permission mode.