# Auto Mode

Auto Mode (v2.1.86, March 24, 2026) is a new permission mode where
an AI safety classifier reviews every tool call before execution.
No manual approvals. Claude runs autonomously, with a safety net.

## How to enable

```bash
# From CLI launch:
claude --enable-auto-mode

# In active session:
# Press Shift+Tab to cycle through permission modes
```

## How the classifier works

Before each tool call, a classifier (running on Sonnet 4.6)
evaluates whether the action is safe:

1. **Fast filter:** Quick binary decision on the action category
2. **Chain-of-thought:** Detailed reasoning for borderline cases

Safe actions proceed automatically. Risky actions (mass deletion,
data exfiltration, malicious code) are blocked, and Claude is
redirected to an alternative approach.

## Performance numbers (Anthropic's internal testing)

| Metric | Value |
|--------|-------|
| False positive rate | 0.4% (safe actions incorrectly blocked) |
| False negative rate | 5.7% (risky actions not caught) |

The classifier runs on Sonnet 4.6 regardless of your session model.
This means even Opus sessions get fast, consistent safety screening.

## When to use Auto Mode

**Good for:**
- Code refactoring across many files
- Test-fix-test loops
- Research and summarization tasks
- Any workflow where constant approvals break your flow

**Not recommended for:**
- First time using Claude Code (learn default mode first)
- Sensitive environments with production data
- Multi-agent workflows where you want explicit control

## Comparison to OpenClaw security

| Aspect | OpenClaw | Auto Mode |
|--------|----------|-----------|
| Default behavior | Autonomous | Autonomous |
| Safety mechanism | Docker sandbox (containment) | AI classifier (prevention) |
| Unknown threats | Contained by sandbox | May slip through (5.7% FN) |
| Known threats | Depend on config | Caught by classifier |
| User intervention | /approve for flagged actions | Automatic redirect |
| Infrastructure | Requires Docker | No infrastructure |

## All four permission modes

| Mode | Behavior | Safety | OpenClaw equivalent |
|------|----------|--------|-------------------|
| Default | Ask for every action | Maximum control | DM pairing + exec approvals |
| Auto-edit | Pre-approved patterns | Selective | Tool allowlists |
| Auto Mode | AI classifier reviews | AI-enforced | Autonomous + sandbox |
| Bypass | No checks | Minimal | Elevated mode |

Auto Mode sits between auto-edit and bypass. It gives you the
autonomy of bypass with most of the safety of auto-edit.

## Availability

Research preview on Team plan (March 2026). Enterprise and API
coming soon.