feat: default to auto mode + advisor (opus); bypass becomes opt-in #3

Merged: intech merged 1 commit into main from feat/auto-mode-advisor on Jun 13, 2026
@intech intech commented Jun 13, 2026

What changed

Surfaced from the runtime diagnostic that showed Remote Control disabled and a hard-wired
--dangerously-skip-permissions. This reworks the default permission posture and adds the advisor.

Permission mode: auto by default (bypass becomes opt-in)

  • Entrypoint no longer hard-wires --dangerously-skip-permissions. Default is now auto mode
    (permissions.defaultMode: "auto"): autonomous, but a background classifier vets actions and
    blocks dangerous ones (curl | bash, force-push, push to main, prod deploys, exfiltration).
  • CLAUDE_BYPASS_PERMISSIONS=1 re-adds --dangerously-skip-permissions (full bypass) for
    isolated/throwaway containers — mirrors the existing CLAUDE_REMOTE_CONTROL=1 opt-in.
  • settings.json (new) holds defaultMode: "auto" and is baked to ~/.claude/settings.json. Auto
    must be user-home — Claude Code (v2.1.142+) ignores defaultMode: "auto" at project scope.
  • claude-config.json is stripped of all mode/auto-accept-forcing keys so settings.json is the
    single source of mode. (The claude CLI normalizes ~/.claude.json during build anyway, dropping
    legacy permission keys — verified.)

Advisor

  • advisorModel: "opus" in settings.json — Claude consults Opus at decision points (Anthropic API
    only). No-op if the main model outranks Opus (e.g. --model fable, where an Opus advisor is
    rejected at runtime).

Docs

README / SECURITY / CLAUDE.md / .env.example updated: auto-mode default, bypass + RC opt-ins, the
advisor, and two by-design auto behaviors — blanket Bash(*)/Agent allow rules are dropped on
entering auto (classifier takes over), and in non-interactive -p runs repeated classifier blocks
abort the session.

Validation (local build, amd64) — what is verifiable headless

  • rendered start-claude.sh adds --dangerously-skip-permissions only under
    CLAUDE_BYPASS_PERMISSIONS=1; default exec claude carries no bypass
  • ~/.claude/settings.json: valid JSON, permissions.defaultMode: "auto" + advisorModel: "opus"
  • ~/.claude.json: no mode-forcing keys remain; MCP servers intact (4 ✓ Connected from earlier)
  • boot reaches claude init announcing permission mode: auto, no "auto mode unavailable" line;
    CLAUDE_BYPASS_PERMISSIONS=1 announces bypass
  • ./build.sh → exit 0

NOT verifiable headless (by design — needs a live session)

Auto mode engagement cannot be observed from a headless build: if the account/model doesn't
support auto, Claude Code silently falls back to default (prompts) with no error. Confirm on the
first live claude-box: the status bar must read auto, not default.
This PR does not claim auto is verified-engaged; if your account can't use auto, set CLAUDE_BYPASS_PERMISSIONS=1.

Notes

  • Part B (install.sh detecting host ~/.claude/{agents,commands,skills} and passing them through) is
    intentionally a separate PR, to be built on this known-good entrypoint after auto is confirmed
    live.

Drop the hard-wired --dangerously-skip-permissions from the entrypoint. Default
is now auto mode (permissions.defaultMode "auto" in ~/.claude/settings.json):
autonomous, but a background classifier vets actions. Full bypass is opt-in via
CLAUDE_BYPASS_PERMISSIONS=1 (mirrors the CLAUDE_REMOTE_CONTROL opt-in), for
isolated/throwaway containers.

- settings.json (NEW): { permissions.defaultMode: "auto", advisorModel: "opus" },
  baked to ~/.claude/settings.json. Auto MUST live in user-home settings.json —
  Claude Code (v2.1.142+) ignores defaultMode "auto" at project scope.
- advisorModel "opus": Claude consults Opus at decision points (Anthropic API
  only; no-op if the main model outranks Opus, e.g. Fable).
- claude-config.json: stripped of mode/auto-accept-forcing keys
  (dangerouslySkipPermissions, autoAcceptPermissions, defaultPermissionMode,
  project permissions.defaultMode, autoAccept*) so settings.json is the single
  source of mode. Trust/onboarding keys kept. (Note: claude CLI normalizes
  ~/.claude.json during build anyway, dropping legacy permission keys — verified.)
- entrypoint: `exec claude $EXTRA_ARGS` — flags added only when CLAUDE_BYPASS_PERMISSIONS=1
  and/or CLAUDE_REMOTE_CONTROL=1 are set.
- docs (README, SECURITY, CLAUDE.md, .env.example): auto-mode default, bypass
  opt-in, advisor; documented by-design auto behaviors (blanket Bash(*)/Agent
  allow rules dropped; -p repeated blocks abort the session) and the silent
  fallback to `default` when auto is unavailable.

Validated headless (amd64 build): rendered start-claude.sh adds bypass only under
CLAUDE_BYPASS_PERMISSIONS=1; ~/.claude/settings.json is valid JSON with
defaultMode "auto" + advisorModel "opus"; ~/.claude.json carries no mode-forcing
keys; boot reaches init announcing "permission mode: auto" with no "auto mode
unavailable", and bypass opt-in announces bypass.

NOT verifiable headless (by design): that auto mode is actually ENGAGED vs a
silent fallback to `default`. Confirm on first live `claude-box`: the status bar
must read `auto`, not `default`. Not claimed verified here.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@intech intech self-assigned this Jun 13, 2026
@intech intech merged commit 6681e3d into main Jun 13, 2026
3 checks passed
@intech intech deleted the feat/auto-mode-advisor branch June 13, 2026 13:08
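
The headless checks listed under "Validation" can be scripted. The following is an added example, not part of the pull request or the project's code: it audits the two baked JSON files for the posture the PR describes. The function names, the sample inputs, and the layout of the sample config (a `projects` map, `exampleTrustKey`, `autoAcceptEdits`) are assumptions made for illustration.

```python
import json

# Keys the commit message names as mode/auto-accept-forcing; "autoAccept*" is a prefix.
FORCING_KEYS = {"dangerouslySkipPermissions", "autoAcceptPermissions", "defaultPermissionMode"}

def forcing_keys(node, path=""):
    """Return dotted paths of mode-forcing keys anywhere in a parsed config."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in FORCING_KEYS or key.startswith("autoAccept"):
                hits.append(here)
            elif key == "defaultMode" and path.endswith("permissions"):
                hits.append(here)  # any permissions.defaultMode outside settings.json
            hits.extend(forcing_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(forcing_keys(item, f"{path}[{i}]"))
    return hits

def audit(settings_text, config_text):
    """Return a list of findings; an empty list means the baked files match the PR."""
    settings = json.loads(settings_text)  # raises ValueError on invalid JSON
    findings = []
    mode = settings.get("permissions", {}).get("defaultMode")
    if mode != "auto":
        findings.append(f"settings.json: permissions.defaultMode is {mode!r}, expected 'auto'")
    if settings.get("advisorModel") != "opus":
        findings.append("settings.json: advisorModel is not 'opus'")
    for hit in forcing_keys(json.loads(config_text)):
        findings.append(f"claude-config.json: mode-forcing key {hit}")
    return findings

# Constructed sample inputs (not taken from the repository).
SAMPLE_SETTINGS = '{"permissions": {"defaultMode": "auto"}, "advisorModel": "opus"}'
SAMPLE_CLEAN_CONFIG = '{"projects": {"/workspace": {"exampleTrustKey": true}}}'
SAMPLE_LEGACY_CONFIG = json.dumps({
    "dangerouslySkipPermissions": True,
    "projects": {"/workspace": {"autoAcceptEdits": True,
                                "permissions": {"defaultMode": "bypassPermissions"}}},
})

if __name__ == "__main__":
    for name, cfg in (("clean", SAMPLE_CLEAN_CONFIG), ("legacy", SAMPLE_LEGACY_CONFIG)):
        print(name, audit(SAMPLE_SETTINGS, cfg))
```

An empty result covers only the file contents; as the PR states, whether auto mode is actually engaged still has to be confirmed from the status bar of a live session.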