Skip to content
agents.cli

Run hands-off with auto mode, and when to reach for bypass

The last job today is a long one — migrate every route in the payments service to a new error-handling helper, dozens of files, lots of test runs — and you want to start it and go to a meeting. This is a genuinely different ask from everything so far. Accept-edits still assumed you were there, reviewing diffs as they landed. Now you want nobody in the room. The naive way to get there is to throw away all the prompts. The right way is to understand that “hands-off” and “no safety checks” are two different things, and to pick the mode that gives you the first without the second.

Auto mode: hands-off with a net

Section titled “Auto mode: hands-off with a net”

The mode built for exactly this is auto mode. It lets the agent execute without stopping to ask — edits, commands, the whole loop runs uninterrupted — but every action first passes a separate safety classifier that blocks anything dangerous before it runs. The classifier is tuned to catch the moves that turn an autonomous agent into an incident:

  • piping a download straight into a shell (curl … | bash)
  • sending your data to an unfamiliar endpoint
  • production deploys, migrations, or mass deletions
  • force-pushing, or pushing straight to main

Inside that fence, ordinary work — editing files in your project, running your declared tests, installing the dependencies your lockfile already names — flows without prompts. So your migration runs start to finish while you’re away, and the one time it reaches for something genuinely dangerous, it gets stopped instead of waved through by a blanket “yes to everything.” That’s the difference that matters: auto mode reduces interruptions without removing judgment — it just moves the judgment from you to a classifier for the duration.

Two things to know before you lean on it. First, it’s gated: auto mode is a research preview, available only on recent versions and models, on certain plans, and — on Team and Enterprise — only after an admin enables it. If it doesn’t appear, you don’t meet the bar; the permission-modes docs list the current requirements. Second, the net is good, not perfect — Anthropic is explicit that it reduces risk rather than guaranteeing safety, so it’s for work where you trust the general direction, not a licence to walk away from something irreversible.

A useful detail for the paranoid: a boundary you state in the conversation — “don’t deploy, don’t push to main” — is honored by the classifier as a block. But like any conversational instruction it can be lost to compaction, so for a boundary that absolutely must hold, back it with a deny rule from the last lesson. Belt and braces.

Bypass: the net removed — containers only

Section titled “Bypass: the net removed — containers only”

There is a mode that does simply turn everything off: bypassPermissions (the --dangerously-skip-permissions flag, often shortened to “YOLO mode” in the wild). It executes every action immediately, no prompts, no classifier, no protected-path guards. And the critical thing to understand is that this is not a faster auto mode — it’s auto mode with the safety removed. It offers no protection against prompt injection; a malicious instruction hidden in a file the agent reads can do whatever it likes with your machine.

So bypass has exactly one legitimate home: an isolated environment that can’t hurt anything — a container, a VM, or a dev container with no access to your real filesystem or network. Inside that blast radius, full speed with no prompts is fine, because the worst case is a wrecked throwaway box. Pointed at your actual working machine, it’s the single most dangerous setting in the tool. Claude Code itself tries to stop you from the worst version — it refuses to launch in bypass as root, and recommends the sandbox setup precisely so that “no prompts” and “no blast radius” go together.

The rule of thumb writes itself: auto mode to go hands-off on your real machine; bypass only inside a sandbox that doesn’t matter. Reaching for bypass to skip prompts on your laptop is choosing the one mode with no net, to save the few seconds auto mode would have cost you. (There’s also a stricter sibling, dontAsk, that runs only your pre-approved commands and denies everything else — built for locked-down CI pipelines where you want zero interactivity and zero surprises.)

The dial, end to end

Section titled “The dial, end to end”

Step back and look at the full range you covered today on one codebase: default mode reviewing every action by hand for the sensitive work; accept-edits flying through a mechanical rename; allow rules silencing your test loop; deny rules walling off secrets so no loosening could reach them; and auto mode running a long migration while you were in a meeting, with a classifier holding the line you couldn’t watch. That’s not five tricks — it’s one dial, set deliberately per task. The operators who get the most out of an agent aren’t the ones who trust it most or least; they’re the ones who set the leash to match the work in front of them, and change it without thinking the moment the work changes.

You skipped one rung on the way up: plan mode, the tight setting where the agent researches and proposes but changes nothing. It’s not a footnote — making the agent think before it builds is a discipline of its own, and it’s the whole of the next chapter.