# Permission Modes

Claude Code has three permission modes that control how much
autonomy the agent has. This is the first line of defense.

## The three modes

### 1. Default mode (recommended for learning)

Claude Code asks permission before every potentially dangerous
action: writing files, running shell commands, making web requests.
You approve or deny each one.

```
Claude wants to run: npm install express
Allow? [y/n/always]
```

**OpenClaw equivalent:** DM pairing with exec approvals enabled.

### 2. Auto-edit mode (`--allowedTools`)

You pre-approve specific tools and patterns. Claude Code runs
those without asking but still prompts for everything else.

Configured in `.claude/settings.json`:
```json
{
  "permissions": {
    "allow": [
      "Read",
      "Write",
      "Bash(npm test)",
      "Bash(ls:*)"
    ]
  }
}
```

**OpenClaw equivalent:** Tool allowlists per agent/session.

### 3. Bypass mode (`--dangerously-skip-permissions`)

No permission checks at all. Claude Code executes everything.

**Never use this for:**
- Untrusted code or repos
- Automated pipelines without hooks
- Any environment with sensitive data

**Only appropriate for:**
- Isolated sandbox environments
- Testing with expendable data
- CI/CD with compensating controls (hooks)

**OpenClaw equivalent:** Elevated mode with Docker sandbox.

## How permission modes interact with hooks

Hooks run regardless of permission mode. Even in bypass mode,
a PreToolUse hook can block dangerous commands. This is your
safety net.

```
Permission mode: decides IF Claude Code can use a tool
Hooks: decide HOW the tool can be used
Settings deny list: decides WHICH tools exist at all
```

## Recommendation

Start with default mode. Move to auto-edit mode once you
understand which operations you trust. Never use bypass mode
outside of sandboxes.