# Permission Modes

Claude Code has four permission modes that control how much autonomy the agent has. This is the first line of defense.

## The four modes

### 1. Default mode (recommended for learning)

Claude Code asks permission before every potentially dangerous action: writing files, running shell commands, making web requests. You approve or deny each one.

```
Claude wants to run: npm install express
Allow? [y/n/always]
```

**OpenClaw equivalent:** DM pairing with exec approvals enabled.

### 2. Auto-edit mode (`--allowedTools`)

You pre-approve specific tools and patterns. Claude Code runs those without asking but still prompts for everything else.

Configured in `.claude/settings.json`:

```json
{
  "permissions": {
    "allow": [
      "Read",
      "Write",
      "Bash(npm test)",
      "Bash(ls:*)"
    ]
  }
}
```

**OpenClaw equivalent:** Tool allowlists per agent/session.

### 3. Auto Mode (`--enable-auto-mode`)

An AI safety classifier (Sonnet 4.6) reviews every tool call before execution. Safe actions proceed automatically. Risky actions are blocked and Claude is redirected.

```bash
claude --enable-auto-mode
# Or press Shift+Tab in a session to cycle to Auto Mode
```

Performance: 0.4% false positive rate, 5.7% false negative rate.

**Best for:**

- Autonomous coding workflows
- Test-fix-test loops
- Any task where constant approvals break flow

**OpenClaw equivalent:** Default autonomous mode with Docker sandbox. The philosophy differs: Auto Mode prevents dangerous actions before execution, while OpenClaw's sandbox contains damage after execution.

See `auto-mode-explained.md` for the full deep-dive.

### 4. Bypass mode (`--dangerously-skip-permissions`)

No permission checks at all. Claude Code executes everything.

**Never use this for:**

- Untrusted code or repos
- Automated pipelines without hooks
- Any environment with sensitive data

**Only appropriate for:**

- Isolated sandbox environments
- Testing with expendable data
- CI/CD with compensating controls (hooks)

**OpenClaw equivalent:** Elevated mode with Docker sandbox.

## How permission modes interact with hooks

Hooks run regardless of permission mode. Even in bypass mode, a PreToolUse hook can block dangerous commands. This is your safety net.

```
Permission mode:    decides IF Claude Code can use a tool
Hooks:              decide HOW the tool can be used
Settings deny list: decides WHICH tools exist at all
```

## Recommendation

Start with default mode. Move to auto-edit once you understand which operations you trust. Graduate to Auto Mode when you want autonomous execution with AI safety. Never use bypass mode outside of sandboxes.
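
The safety net described under "How permission modes interact with hooks", as an added example (not code from Claude Code or from the original page): a PreToolUse hook script that vets each tool call before it runs. It assumes the hook receives the call as JSON on stdin with `tool_name` and `tool_input` fields (`command` for Bash, `file_path` for file tools) and that exit code 2 blocks the call; the deny rules are constructed for illustration.

```python
#!/usr/bin/env python3
"""PreToolUse hook: vet a tool call before it runs, in any permission mode."""
import json
import re
import sys

# Constructed deny rules for illustration; extend them for your environment.
BASH_DENY = [
    (re.compile(r"\brm\s+(-[a-zA-Z]*[rf][a-zA-Z]*\s+)+(/|~|\$HOME)(\s|$)"),
     "recursive delete of / or the home directory"),
    (re.compile(r"\b(curl|wget)\b[^|;]*\|\s*(sudo\s+)?(ba|z)?sh\b"),
     "download piped straight into a shell"),
    (re.compile(r"\bgit\s+push\b.*\s(--force|-f)\b"),
     "force push"),
]
SECRET_PATH = re.compile(r"(^|/)(\.env|\.ssh/.*|\.aws/credentials)$")
FILE_TOOLS = {"Read", "Write", "Edit"}


def evaluate(event):
    """Return (allowed, reason) for one PreToolUse event dict."""
    tool = event.get("tool_name", "")
    tool_input = event.get("tool_input") or {}
    if tool == "Bash":
        command = tool_input.get("command", "")
        for pattern, reason in BASH_DENY:
            if pattern.search(command):
                return False, f"hook blocked Bash: {reason}"
    elif tool in FILE_TOOLS:
        if SECRET_PATH.search(tool_input.get("file_path", "")):
            return False, f"hook blocked {tool}: credential file"
    return True, ""


def main():
    try:
        allowed, reason = evaluate(json.load(sys.stdin))
    except (ValueError, AttributeError, TypeError):
        # Fail closed: malformed input must not let the call through.
        allowed, reason = False, "hook blocked: unparseable hook input"
    if not allowed:
        print(reason, file=sys.stderr)  # assumed: stderr is shown to Claude
        return 2  # assumed: exit code 2 blocks the tool call
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Regex deny rules are a backstop, not a complete filter: a command can be rewritten to slip past a pattern, so keep the sandbox and the settings deny list in place alongside the hook.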