Understand the default permission prompt
Today’s first job on the payments service is a boring one: rename chargeCard to capturePayment everywhere it appears — about two dozen files. Before you make the agent fly through it, it’s worth understanding the leash you’re starting from, because every looser setting in this chapter is defined by what it changes about this baseline. So watch what default mode actually does when you hand it the first edit.
Reads are free; actions stop and ask
> rename chargeCard to capturePayment across the codebase, updating every call site and the tests
⎿ Read src/charges.js, src/routes/payments.js, test/charges.test.js (3 files)
⏵ Edit src/charges.js - export function chargeCard(amount, token) { + export function capturePayment(amount, token) {
Apply this change? (y/n)
Notice the asymmetry. The agent read three files without asking you anything — reads are free in default mode, because reading can’t damage your repo. But the moment it wants to change a file, it stops dead and waits for your y. That’s the whole shape of default mode in one exchange: it can look all it likes, but it cannot alter your files, run a shell command, or reach the network without an explicit yes from you each time.
For a two-dozen-file rename that means two dozen prompts, which is the friction we’ll fix in the next lesson. But sit with why the friction exists before you remove it: in default mode there is no path by which the agent changes your world that you didn’t personally wave through. That’s an extremely strong safety property, and it’s the right one for unfamiliar code, anything touching money or data, or simply the first day with a new project.
Every prompt is an allow / ask / deny decision
The y/n prompt looks binary, but underneath it Claude Code is consulting a three-way rulebook for every action: is this allowed (run it silently), does it need an ask (prompt you — the default for anything not otherwise specified), or is it denied (refuse outright)? Default mode just means “ask about everything that isn’t a read.” The two big levers in this chapter are the two ends of that rulebook:
- Allow rules push specific safe actions down to silent — “never ask me about npm test again.”
- Deny rules push specific dangerous ones up to forbidden — “never let it read .env, even if I get sloppy.”
Everything else in this chapter is a way of moving actions between those three buckets, either in bulk (the modes, via Shift+Tab) or one rule at a time (allow/deny). You can see and edit the current rulebook anytime with /permissions. The exact rule syntax and how the buckets interact are spelled out in the permissions docs — worth a bookmark, since the syntax is the kind of thing that gains options over time.
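The three-way decision described above, sketched as an added example (not Claude Code's implementation and not its rule syntax): the `{ kind, target }` action shape, the `decide` and `matches` helpers, and the sample rulebook are all assumptions made for illustration. Deny is checked before allow here, which is what makes a deny rule hold "even if I get sloppy" with a broad allow rule.

```javascript
// Illustrative model of the allow / ask / deny rulebook. The action shape
// and matching logic are assumptions for this example, not the tool's own.
const READ = "read", EDIT = "edit", SHELL = "shell";

// A rule matches one kind of action and an exact target, or a prefix
// when the pattern ends in "*".
function matches(rule, action) {
  if (rule.kind !== action.kind) return false;
  return rule.target.endsWith("*")
    ? action.target.startsWith(rule.target.slice(0, -1))
    : action.target === rule.target;
}

// Deny is consulted first, so a deny rule wins over any allow rule.
// With no matching rule, reads run silently and everything else asks:
// that fallback alone is default mode.
function decide(action, rules = { allow: [], deny: [] }) {
  if (rules.deny.some((r) => matches(r, action))) return "deny";
  if (rules.allow.some((r) => matches(r, action))) return "allow";
  return action.kind === READ ? "allow" : "ask";
}

// Constructed rulebook mirroring the two examples in the list above.
const rules = {
  allow: [{ kind: SHELL, target: "npm test" }],
  deny: [{ kind: READ, target: ".env" }],
};

// Constructed actions from the rename session.
const session = [
  { kind: READ, target: "src/charges.js" },
  { kind: EDIT, target: "src/charges.js" },
  { kind: SHELL, target: "npm test" },
  { kind: SHELL, target: "git push" },
  { kind: READ, target: ".env" },
];

// One line per action: which bucket it lands in under the given rulebook.
function summarize(actions, rulebook) {
  return actions.map((a) => `${a.kind} ${a.target}: ${decide(a, rulebook)}`);
}

console.log(summarize(session, rules).join("\n"));
```

Calling `summarize(session, { allow: [], deny: [] })` shows the pure default-mode baseline: both reads are allowed and every other action asks.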
You understand the baseline now: maximally cautious, every action waved through by hand. That’s perfect for the dangerous 10% of your day and miserable for the boring 90%. So for this rename — pure mechanical busywork, no stakes — let’s take the leash off the edits.