Skip to content

Claude Code Complete Guide

Claude Code Auto Approve Guide (2026): Auto-Accept Edits, Auto Mode, and Guardrails

Target Audience

  • Intermediate Claude Code users who want a safe auto-approval workflow

Key Points

  1. Limit auto accept to low-risk chores
  2. Guard --dangerously-skip-permissions with shared rules
  3. Lock allow/deny lists

Verified Environment (Apr 2026)

This guide has been validated against the following stack.

ComponentVersion / Notes
Claude Codev2.1.80+ (Compaction, VS Code integration, Checkpoint, Auto mode)
Claude Opus 4.61M context (standard, no beta header required), 128K output, Agent Teams, Adaptive Thinking
Claude Sonnet 4.6Default coding model (successor to Sonnet 4.5)
HooksMultiple event types (PreToolUse / PostToolUse / SubagentStop / PermissionDenied / defer decisions)
auto mode2026-03-24 Research Preview (Team / Enterprise / API; Pro/Max not supported) → Details1

Quick Answer: Which Claude Code Auto-Approve Path Should You Pick?

  • Need fewer prompts for daily work

    Start with Step 1. Use acceptEdits plus Hooks and allow lists before touching full bypass.

  • Need broader unattended runs

    Prefer Claude Code Auto mode when Team / Enterprise access is available. It gives you classifier-based auto-approval without opening the whole sandbox.

  • Need the Codex CLI equivalent

    Compare team defaults with the Codex CLI No-Approval Guide before standardizing automation policy across tools.

Why It Matters Now

With Claude Code v2.0 expanding auto-approval capabilities and adoption growing, the risk of unintended command execution from misconfigured permissions has increased. A clear operational framework that balances speed with safety is essential.

Pair with the 90-second playbook

Step Overview

When Claude Code attempts to execute a command, it must pass through 3 gates in sequence. Use the simulator below to see how each command behaves.

Select a command to see gate flow

Step 1: Limit Auto Accept to Low-Risk Tasks

Auto-approval scope is determined by your mode. Use Shift+Tab to switch modes and select the right one for your task's risk level.

🔵
default
Standard mode — all operations require approval

Step 2: Standardize CLI Flag Usage

⚠️ Official warning: 'dangerously' is intentional

Anthropic intentionally uses the word 'dangerously' in this flag name as a safety signal—treat it as high risk and make sure you understand the implications before using it.

Keep it OFF by default and only enable in these scenarios:

  • Isolated CI/CD environments
  • Verified remediation tasks (lint fixes, test reruns)
  • Pipelines with established audit logging

Define scope, rollback, and logging, then let batch jobs or CI call the flag:

claude --dangerously-skip-permissions "Run eslint --fix and rerun tests"

Behavior change since v2.1.78: protected paths

Since v2.1.78, .git/ and .claude/ directories are designated as protected paths. Even with --dangerously-skip-permissions (bypassPermissions mode) enabled, write operations to these paths will still trigger an approval prompt.

  • v2.1.81 added .claude/skills/ to the protected list
  • VS Code extension may ignore settings.json permission configuration (CLI-only confirmed)
  • This constraint is likely to expand in the future

Impact: Automation pipelines that include skill file generation or .claude/ configuration changes can no longer run fully unattended with this flag alone.

PreToolUse Hook Inspection Flow
Select a command to see the inspection flow

Combine Hooks with settings.json allow/deny lists for defense in depth. See the Advanced Best Practices (2026 Edition) for details.

New Hook Capabilities (March 2026)

  • PermissionDenied hook: Fires after Auto mode's Classifier rejects an operation. Return {retry: true} to instruct the model to retry
  • defer decision (PreToolUse): Pause a tool call in headless sessions (-p mode) and re-evaluate the hook on resume via -p --resume

These features are designed for Auto mode integration, but also improve permission control granularity when using Hooks standalone.

New for Team/Enterprise: Auto mode (March 24, 2026)

Anthropic released Auto mode as a safer alternative to --dangerously-skip-permissions. A Sonnet 4.6-based Classifier evaluates risk per tool call, auto-approving safe operations and blocking dangerous ones (mass file deletion, data exfiltration, malicious code execution, etc.).

Supported plans (as of April 2026):

  • Team: Available (research preview)
  • Enterprise: Available
  • API: Available
  • Pro / Max (individual plans): Not supported

Activation:

claude --enable-auto-mode

Once enabled, auto is added to the Shift+Tab mode cycle.

Impact for individual plan users: Auto mode is currently unavailable on Pro/Max plans. The acceptEdits mode + Hooks + allow/deny list combination described in this guide remains the most practical auto-approval workflow for individual users.

Details: Auto mode for Claude Code (official blog) / Anthropic Engineering deep dive

Restricting Bypass at the Organization Level

In enterprise environments, Organization managed policies can restrict the use of --dangerously-skip-permissions. When administrators set the policy, it is automatically enforced across all member CLIs.

Limit the flag to chore-like remediation; deployments, credential access, and destructive work stay review-driven.

Step 3: Freeze Guardrails with Allow/Deny Lists

Define policy in settings.json so auto approval respects hard stops. Use the matcher below to see which rule each command hits.

✅ allow rules
🚫 deny rules
Select a command to check rule matching

Known Issue: deny rules may not work as expected

As reported in GitHub Issues #6631 and #6699, deny rules (especially for Read/Write operations) may not function correctly. Although these issues were closed, regressions have been reported in #12918 (v2.0.56) and #27040 (Feb 2026), meaning the problem remains unresolved as of February 2026. Do not rely on deny rules alone for security-critical restrictions.

Recommended mitigation: Combine deny rules with PreToolUse Hooks for reliable blocking. Hooks can exit with a non-zero code to reject tool calls, providing a defense-in-depth approach.

March 2026 update: The v2.1.80+ release fixed a bug where PreToolUse hooks returning allow could bypass deny rules (including enterprise managed settings). However, deny reliability is being improved incrementally, and the defense-in-depth approach remains recommended.

.claude/hooks.json
{
  "hooks": {
    "PreToolUse": [
      {
        "matcher": "Bash",
        "command": "python3 validate_command.py \"$TOOL_INPUT\"",
        "timeout": 5000
      }
    ]
  }
}

Restart Claude Code, test a denied command, and sync run logs to shared storage.

Compaction: Stabilizing Long-Running Auto-Approval Sessions

Claude Code's Compaction feature automatically compresses conversation when context approaches its limit, keeping your session alive.

25K / 200K12%
12%

Common Pitfalls and Fixes

SymptomCauseFix
Risky commands runNo deny rulesAdd high-risk patterns to settings.json
Production deploy sneaks inMode banner ignoredShift+Tab back to default mode and add a reviewer
Audit trail missingLogs stay localSync run logs to shared storage
Context lost in long sessionsCompaction not usedUpdate to Claude Code v2.0+ and use Checkpoint as safety net
--dangerously-skip-permissions still prompts for .git/ operationsProtected paths since v2.1.78Migrate to Auto mode (Team/Enterprise), or use Hooks to allow specific operations
Advanced Optimization - Wrap the command with alias `cca`, validate arguments, restrict callers. - Document the policy in `CLAUDE.md` and capture `git diff --stat` in CI for instant diffs. 
alias cca="claude --dangerously-skip-permissions"

Next Reads

  1. Anthropic, "Auto mode for Claude Code", 2026-03-24. https://claude.com/blog/auto-mode