feat: default to auto mode + advisor (opus); bypass becomes opt-in #3
Merged
Drop the hard-wired --dangerously-skip-permissions from the entrypoint. Default
is now auto mode (permissions.defaultMode "auto" in ~/.claude/settings.json):
autonomous, but a background classifier vets actions. Full bypass is opt-in via
CLAUDE_BYPASS_PERMISSIONS=1 (mirrors the CLAUDE_REMOTE_CONTROL opt-in), for
isolated/throwaway containers.
- settings.json (NEW): { permissions.defaultMode: "auto", advisorModel: "opus" },
baked to ~/.claude/settings.json. Auto MUST live in user-home settings.json —
Claude Code (v2.1.142+) ignores defaultMode "auto" at project scope.
- advisorModel "opus": Claude consults Opus at decision points (Anthropic API
only; no-op if the main model outranks Opus, e.g. Fable).
- claude-config.json: stripped of mode/auto-accept-forcing keys
(dangerouslySkipPermissions, autoAcceptPermissions, defaultPermissionMode,
project permissions.defaultMode, autoAccept*) so settings.json is the single
source of mode. Trust/onboarding keys kept. (Note: claude CLI normalizes
~/.claude.json during build anyway, dropping legacy permission keys — verified.)
- entrypoint: `exec claude $EXTRA_ARGS` — flags added only when CLAUDE_BYPASS_PERMISSIONS=1
and/or CLAUDE_REMOTE_CONTROL=1 are set.
- docs (README, SECURITY, CLAUDE.md, .env.example): auto-mode default, bypass
opt-in, advisor; documented by-design auto behaviors (blanket Bash(*)/Agent
allow rules dropped; -p repeated blocks abort the session) and the silent
fallback to `default` when auto is unavailable.
Validated headless (amd64 build): rendered start-claude.sh adds bypass only under
CLAUDE_BYPASS_PERMISSIONS=1; ~/.claude/settings.json is valid JSON with
defaultMode "auto" + advisorModel "opus"; ~/.claude.json carries no mode-forcing
keys; boot reaches init announcing "permission mode: auto" with no "auto mode
unavailable", and bypass opt-in announces bypass.
NOT verifiable headless (by design): that auto mode is actually ENGAGED vs a
silent fallback to `default`. Confirm on first live `claude-box`: the status bar
must read `auto`, not `default`. Not claimed verified here.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What changed
Surfaced from the runtime diagnostic that showed Remote Control disabled and a hard-wired `--dangerously-skip-permissions`. This reworks the default permission posture and adds the advisor.
Permission mode: auto by default (bypass becomes opt-in)
- `--dangerously-skip-permissions`. Default is now auto mode (`permissions.defaultMode: "auto"`): autonomous, but a background classifier vets actions and blocks dangerous ones (`curl | bash`, force-push, push to `main`, prod deploys, exfiltration).
- `CLAUDE_BYPASS_PERMISSIONS=1` re-adds `--dangerously-skip-permissions` (full bypass) for isolated/throwaway containers — mirrors the existing `CLAUDE_REMOTE_CONTROL=1` opt-in.
- `settings.json` (new) holds `defaultMode: "auto"` and is baked to `~/.claude/settings.json`. Auto must be user-home — Claude Code (v2.1.142+) ignores `defaultMode: "auto"` at project scope.
- `claude-config.json` is stripped of all mode/auto-accept-forcing keys so `settings.json` is the single source of mode. (The claude CLI normalizes `~/.claude.json` during build anyway, dropping legacy permission keys — verified.)
Advisor
- `advisorModel: "opus"` in `settings.json` — Claude consults Opus at decision points (Anthropic API only). No-op if the main model outranks Opus (e.g. `--model fable`, where an Opus advisor is rejected at runtime).
Docs
- README / SECURITY / CLAUDE.md / `.env.example` updated: auto-mode default, bypass + RC opt-ins, the advisor, and two by-design auto behaviors — blanket `Bash(*)`/`Agent` allow rules are dropped on entering auto (classifier takes over), and in non-interactive `-p` runs repeated classifier blocks abort the session.
Validation (local build, amd64) — what is verifiable headless
- `start-claude.sh` adds `--dangerously-skip-permissions` only under `CLAUDE_BYPASS_PERMISSIONS=1`; default `exec claude` carries no bypass
- `~/.claude/settings.json`: valid JSON, `permissions.defaultMode: "auto"` + `advisorModel: "opus"`
- `~/.claude.json`: no mode-forcing keys remain; MCP servers intact (4 ✓ Connected from earlier)
- `permission mode: auto`, no "auto mode unavailable" line; `CLAUDE_BYPASS_PERMISSIONS=1` announces bypass
- `./build.sh` → exit 0
NOT verifiable headless (by design — needs a live session)
Auto mode engagement cannot be observed from a headless build: if the account/model doesn't support auto, Claude Code silently falls back to `default` (prompts) with no error. Confirm on the first live `claude-box`: the status bar must read `auto`, not `default`. This PR does not claim auto is verified-engaged; if your account can't use auto, set `CLAUDE_BYPASS_PERMISSIONS=1`.
Notes
- `~/.claude/{agents,commands,skills}` and passing them through) is intentionally a separate PR, to be built on this known-good entrypoint after auto is confirmed live.
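A static check of the two files this PR describes, as an added example that is not code from the PR or the project: it confirms `permissions.defaultMode` and `advisorModel` in a `settings.json` and walks a `~/.claude.json` for the mode-forcing keys listed above at any depth. Assumptions: `permissions.defaultMode` is flagged wherever it appears in `~/.claude.json`, and the sample key names `projects`, `onboardingDone`, `trusted` and `autoAcceptEdits` are constructed.

```python
import json

# Keys the PR description lists as stripped from claude-config.json.
FORCING_KEYS = {"dangerouslySkipPermissions", "autoAcceptPermissions",
                "defaultPermissionMode"}
FORCING_PREFIX = "autoAccept"  # the PR's "autoAccept*"

def find_forcing_keys(node, path=""):
    """Return paths of mode-forcing keys at any depth of a parsed ~/.claude.json."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in FORCING_KEYS or key.startswith(FORCING_PREFIX):
                hits.append(here)
            elif key == "permissions" and isinstance(value, dict) \
                    and "defaultMode" in value:
                # Assumption: any permissions.defaultMode in this file counts.
                hits.append(here + ".defaultMode")
            hits.extend(find_forcing_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_forcing_keys(item, f"{path}[{i}]"))
    return hits

def audit(settings_text, claude_json_text):
    """Return findings; an empty list means the files match the PR's description."""
    try:
        settings = json.loads(settings_text)
        config = json.loads(claude_json_text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    findings = []
    perms = settings.get("permissions") if isinstance(settings, dict) else None
    mode = perms.get("defaultMode") if isinstance(perms, dict) else None
    if mode != "auto":
        findings.append(f"settings.json defaultMode is {mode!r}, expected 'auto'")
    if not isinstance(settings, dict) or settings.get("advisorModel") != "opus":
        findings.append("settings.json advisorModel is not 'opus'")
    findings += [f"~/.claude.json carries {p}" for p in find_forcing_keys(config)]
    return findings

# Constructed samples; "projects", "onboardingDone", "trusted", "autoAcceptEdits" are placeholders.
GOOD_SETTINGS = '{"permissions": {"defaultMode": "auto"}, "advisorModel": "opus"}'
CLEAN = '{"onboardingDone": true, "projects": {"/workspace": {"trusted": true}}}'
LEGACY = ('{"autoAcceptEdits": true, "projects": {"/workspace": {'
          '"permissions": {"defaultMode": "auto"}, "dangerouslySkipPermissions": true}}}')

if __name__ == "__main__":
    for name, cfg in (("clean", CLEAN), ("legacy", LEGACY)):
        print(name, audit(GOOD_SETTINGS, cfg))
```

A clean result says only that the files are as described; it does not show that auto mode is engaged, which the PR says needs a live session.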