Zeitgeist — a spike by Chris Gathercole

How can you run Claude Code unattended on long task lists without getting stuck on approval prompts?

Status: active

Config: journals/quests/config/permission-friction-in-claude-code.yaml

The Answer So Far

Last updated: 2026-06-26

Update from ninth gather cycle (2026-06-26): Two additions.

/rewind — session-level rollback for tool calls (v2.1.191, June 25, 2026). Claude Code now automatically snapshots all modified files after each response. /rewind restores file state and conversation history to any earlier checkpoint — allowing “fork” restarts from a prior turn. Limitation: cannot undo external effects (npm install, git push, API calls). Assessment: incremental, but meaningfully changes the risk profile of unattended runs. Previously a bad tool call required either accepting the damage or manually reversing it; now the session can recover to a clean state without discarding the entire conversation. Changes the correct mindset for unattended runs from “prevent bad tool calls” to “detect and rewind bad tool calls.”

Sandboxed Bash Tool — directory and network isolation closes the write-scope gap. The Anthropic engineering blog (October 2025) describes a Sandboxed Bash Tool runtime: “let you define exactly which directories and network hosts your agent can access.” Internal testing shows 84% reduction in permission prompts. This is the directory-scoped write permission capability the quest has been tracking as a remaining gap since the seed snapshot. Assessment: significant — the directory-scoped write permissions gap is now at least partially addressable via the sandboxed runtime. Caveat: the sandboxed Bash Tool may require additional configuration beyond the standard Claude Code CLI and may impose performance overhead; practical adoption for general unattended runs is not yet confirmed.

Remaining gaps updated: Directory-scoped write permissions now addressable via Sandboxed Bash Tool (though not the default CLI configuration). Other gaps unchanged: MCP VS Code bypass (GitHub Issue #10801), Routines no mid-run HITL, Auto Mode not on Pro/Bedrock/Vertex/Foundry, audit log gap for EU AI Act high-risk compliance.

Update from eighth gather cycle (2026-06-19): Three incremental additions.

dontAsk mode formally documented. A sixth permission mode now exists: dontAsk auto-denies every tool call that would otherwise prompt, allowing only actions matching permissions.allow rules and read-only Bash commands. This is the CI/locked-down mode — fully non-interactive, no YOLO. Set with --permission-mode dontAsk. Cloud sessions on claude.ai ignore defaultMode: "dontAsk" from settings. Assessment: closes the “headless + allowedTools is the best we have for CI” gap. dontAsk is a cleaner formulation: declare what’s allowed, deny everything else, fully non-interactive.

Auto mode subagent pre-spawn check (v2.1.178+). The classifier now evaluates the delegated task description before a subagent starts — a dangerous-looking task is blocked at spawn time, before it executes. Previous versions only checked during and after execution. Assessment: incremental safety improvement; doesn’t change the permission model structure but closes a window where subagents could be spawned for dangerous tasks before any classifier check ran.

Auto mode conversational boundaries enforced by classifier. Statements you make in conversation (“don’t push”, “wait until I review before deploying”) are now treated as block signals by the classifier — matching actions are blocked even when default rules would allow them. The boundary persists until explicitly lifted. Caveat: boundaries can be lost if context compaction removes the message that stated them; use deny rules for hard guarantees. Assessment: incremental; useful for unattended runs where you want to constrain scope without editing settings.

Auto mode repository self-grant blocked (v2.1.142+). .claude/settings.json (project-level) can no longer set defaultMode: "auto" — Claude Code ignores it from those files to prevent a repository from granting itself auto mode. Must be set in ~/.claude/settings.json. Assessment: security hardening; no change to individual developer workflow.

Update from seventh gather cycle (2026-06-11): Two incremental platform changes: (1) Fable 5 is now the default model in Claude Code — all unattended runs default to the higher-capability model; the permission architecture is unchanged, but the model routing means higher-quality outputs for the same permission configuration; (2) Rate limits doubled — the API-call ceiling that previously constrained large Dynamic Workflows runs has been raised; for unattended runs at scale (100+ subagents), the practical throughput limit is now higher. Neither change alters the fundamental permission model; both improve the unattended-run experience at the edges.

The core answer remains Auto Mode + allowlists + hooks, with one structural addition: Dynamic Workflows introduces a new permission context for large-scale agentic runs that changes the question for users wanting to run 100+ concurrent tasks.

New: Dynamic Workflows permission model (2026-05-28)

Dynamic Workflows subagents run in acceptEdits mode — file edits are automatically approved without per-edit permission prompts. Shell commands and web fetches can still trigger approval prompts mid-run. In headless mode or via the Agent SDK (no interactive user), all tool calls follow configured permission rules without confirmation. The orchestration script itself (the JavaScript file Claude writes) inherits the user’s tool allowlist.

Practical implication: for use cases involving large-scale file modification (codebase audits, migrations, security hardening), Dynamic Workflows bypasses the permission model friction for file operations while retaining it for shell commands. This is the closest thing yet to “pre-approve the task plan, then run uninterrupted” — the ideal the quest seed snapshot identified as the missing capability.

v2.1.160 security tightening (2026-06-02)

acceptEdits mode now prompts before writing to shell startup files (.zshenv, .zlogin, .bash_login) and build-tool config files that grant code execution. This incrementally closes the surface where acceptEdits mode could be exploited — previously those files were auto-approved; now they require an explicit confirmation even in acceptEdits mode.

The current solution landscape:

Tier 1 — Recommended for unattended runs:

  • Auto Mode with tiers (claude --auto-mode): now offers three granularity levels — permissive (approves most operations, surfaces only high-risk actions), balanced (default; approves safe operations, surfaces ambiguous ones), restrictive (surfaces more actions for human review). The classifier receives action type, target path/command, working directory, and active permission policy; returns approve/deny/escalate in milliseconds. Session backstop: 3 consecutive denials or 20 total triggers escalation to the human.
  • /loop with Auto Mode: iterates autonomously until the task is complete without per-iteration approval.
  • YOLO + worktrees: --dangerously-skip-permissions + -w/--worktree. Remains valid as legacy approach; safety via diff review.
  • Headless mode with --allowedTools: claude -p "task" --allowedTools "Bash,Read,Edit". Tool-level allowlists for scripted/CI runs.

Tier 2 — Supplementary:

  • Allowlists in settings.json: pre-approve specific command patterns. Note: if a tool is in permissions.allow, the PermissionRequest hook never fires — precedence matters.
  • PermissionRequest hooks: return {"behavior": "allow"} for conditional auto-approval. More surgical than static allowlists.
  • PermissionDenied hook (new): fires after the Auto Mode classifier rejects an operation — allows custom handling or logging of denials.
  • defer decision for PreToolUse in headless: headless sessions can defer permission decisions rather than blocking, enabling partial-autonomy patterns.
  • Approval Queue Pattern: agent runs, enqueues permission requests rather than blocking; human processes queue asynchronously. 24/7 operation without full YOLO.
  • Containerized YOLO (github.com/con/yolo): rootless container isolation.

Tier 3 — Managed/cloud (now fully GA):

  • Claude Code Routines: fully GA, runs on Anthropic’s cloud infrastructure — no local process required. Three trigger types: scheduled (hourly/daily/weekday/weekly, timezone-converted), GitHub events (webhook-triggered on push/PR), API triggers (from your own code). No mid-run approval step — designed for tasks where output is a report, PR, or message. Avoids the permission model entirely by running in managed infrastructure.

Agent SDK permissions (new surface): the Agent SDK has its own permission configuration at platform.claude.com/docs/en/agent-sdk/permissions, separate from the Claude Code CLI permission model. Relevant for programmatic agent pipelines.

Classifier precision metrics (new — 2026-05-30): Anthropic’s engineering blog now discloses concrete classifier performance numbers: ~0.4% of benign commands are blocked; ~17% of overeager (risky) actions pass through. These are the first publicly disclosed precision metrics for an agentic safety classifier from any frontier lab. Practical implication: Auto Mode is tuned for low false-positive rate (don’t interrupt safe work) at the cost of a non-trivial false-negative rate (some risky actions pass). For high-stakes unattended runs, this means Auto Mode alone is not sufficient — a sandboxed execution environment (worktree, container) remains the correct defence-in-depth companion.
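As an added example (not from Anthropic's post or from this page's sources), the script below turns the disclosed rates and the 3-consecutive / 20-total backstop from the Tier 1 list into run-level numbers. It assumes each tool call is classified independently, which the page does not state; all function names are illustrative.

```python
"""Added example: what the disclosed classifier rates imply for a long run.

Assumption (not from the page): every tool call is classified independently,
so the quoted rates can be used as per-call probabilities.
"""

BENIGN_BLOCK_RATE = 0.004  # page: ~0.4% of benign commands are blocked
RISKY_PASS_RATE = 0.17     # page: ~17% of overeager actions pass through
MAX_CONSECUTIVE = 3        # page: backstop after 3 consecutive denials
MAX_TOTAL = 20             # page: or after 20 total denials


def backstop_probability(calls, deny_rate=BENIGN_BLOCK_RATE,
                         max_consecutive=MAX_CONSECUTIVE, max_total=MAX_TOTAL):
    """Probability that a run of `calls` tool calls trips the session backstop."""
    # state[(c, t)]: probability of c trailing denials and t total denials
    # while the backstop has not yet tripped.
    state = {(0, 0): 1.0}
    tripped = 0.0
    for _ in range(calls):
        nxt = {}
        for (c, t), prob in state.items():
            # Approved call: the consecutive counter resets, the total stays.
            nxt[(0, t)] = nxt.get((0, t), 0.0) + prob * (1.0 - deny_rate)
            # Denied call: both counters advance, then both limits are checked.
            c2, t2 = c + 1, t + 1
            if c2 >= max_consecutive or t2 >= max_total:
                tripped += prob * deny_rate
            else:
                nxt[(c2, t2)] = nxt.get((c2, t2), 0.0) + prob * deny_rate
        state = nxt
    return tripped


def expected_false_denials(calls, deny_rate=BENIGN_BLOCK_RATE):
    """Mean number of benign calls the classifier blocks in a run."""
    return calls * deny_rate


def risky_action_gets_through(risky_attempts, pass_rate=RISKY_PASS_RATE):
    """Probability that at least one of `risky_attempts` risky actions passes."""
    return 1.0 - (1.0 - pass_rate) ** risky_attempts


if __name__ == "__main__":
    for n in (100, 1000, 10000):
        print(f"{n:>6} benign calls: "
              f"{expected_false_denials(n):6.1f} expected false denials, "
              f"P(backstop trips) = {backstop_probability(n):.2e}")
    for k in (1, 5, 10):
        print(f"{k:>2} risky attempts: "
              f"P(at least one passes) = {risky_action_gets_through(k):.3f}")
```

Under these assumptions the consecutive-denial limit rarely stalls a benign run, while a handful of risky attempts is more likely than not to get one through, which is the page's argument for pairing Auto Mode with a worktree or container.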

Remaining gaps:

  • Permission model still can’t express “allow writes only in src/ and tests/” — directory-scoped write permissions don’t exist.
  • MCP tool approval prompts in the VS Code extension bypass allowlist rules (GitHub Issue #10801).
  • Routines have no mid-run approval capability — tasks requiring any mid-run human decision point can’t use Routines.
  • Auto Mode not available on Pro, Bedrock, Vertex, or Foundry (as of May 2026). InfoQ Code with Claude coverage (May 2026) still describes it as “research preview” and notes it is not recommended for shared team environments — platform and team-use restrictions remain.
  • Audit log gap for unattended sessions: EU AI Act high-risk classification (August 2026) will require immutable audit trails for agentic systems operating in high-impact domains. The current permission model (Auto Mode + hooks) produces decision logs, but no enforcement-grade immutable audit trail. Routines and Managed Agents are closer to satisfying this requirement than local YOLO patterns, but documentation on audit log mechanisms is sparse. A gap that will become compliance-relevant in Q3 2026.
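The first gap above ("allow writes only in src/ and tests/") is the kind of conditional rule the Tier 2 PermissionRequest hook can express where a static allowlist cannot. The script below is an added example, not Anthropic's code or code from this page's sources: the stdin field names and tool names are assumptions, and the decision object is the one this page quotes.

```python
#!/usr/bin/env python3
"""Added example: a PermissionRequest hook that auto-approves file writes only
under src/ and tests/. Illustrative code, not Anthropic's.

Assumptions to check against the hooks docs for your version:
  * stdin carries one JSON object with "tool_name", "cwd" and "tool_input",
    and file-writing tools put their target in tool_input["file_path"];
  * the {"behavior": "allow"} decision quoted on this page approves the call
    (any envelope the hook protocol wraps around it is not shown here);
  * printing nothing leaves the decision to the normal permission flow.
"""
import json
import sys
from pathlib import Path

WRITE_TOOLS = {"Edit", "Write"}   # assumed names of the file-writing tools
ALLOWED_DIRS = ("src", "tests")   # the scope named in the remaining-gaps item


def is_within(path, root):
    """True if `path` is `root` or lies below it (both already resolved)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def decide(request):
    """Return {"behavior": "allow"} for an in-scope write, else None."""
    if not isinstance(request, dict) or request.get("tool_name") not in WRITE_TOOLS:
        return None
    tool_input = request.get("tool_input")
    raw = tool_input.get("file_path") if isinstance(tool_input, dict) else None
    cwd = request.get("cwd")
    if not isinstance(raw, str) or not raw or not isinstance(cwd, str) or not cwd:
        return None
    root = Path(cwd).resolve()
    # resolve() collapses ".." and follows symlinks, so the comparison is made
    # on where the write would actually land, not on the string supplied.
    target = (root / raw).resolve()
    for name in ALLOWED_DIRS:
        allowed = (root / name).resolve()
        # Skip an allowed directory that is itself a symlink out of the project.
        if not is_within(allowed, root) or allowed == root:
            continue
        if target != allowed and is_within(target, allowed):
            return {"behavior": "allow"}
    return None


def main():
    try:
        request = json.load(sys.stdin)
    except ValueError:
        return 0            # unparseable input: approve nothing
    decision = decide(request)
    if decision is not None:
        json.dump(decision, sys.stdout)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Because the hook never fires for a tool listed in permissions.allow, the write tools must stay out of the static allowlist for this check to run.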

Synthesis History

/rewind (v2.1.191) adds session-level rollback — changes the risk management mindset from “prevent bad tool calls” to “detect and rewind bad tool calls.” Sandboxed Bash Tool (October 2025, newly captured) addresses the directory-scoped write permissions gap that has been in the remaining gaps list since the seed snapshot. Core Tier 1 recommendation (Auto Mode + allowlists + hooks + Routines + Dynamic Workflows) unchanged.

Core answer expanded to six permission modes. dontAsk closes the CI non-interactive gap. Auto mode subagent pre-spawn check and conversational boundary enforcement are incremental safety additions. No structural change to the Tier 1 recommendation (Auto Mode + allowlists + hooks + Routines + Dynamic Workflows). Remaining gaps unchanged.

Core answer unchanged: Auto Mode (3 tiers) + allowlists + hooks + Routines + Dynamic Workflows. Two incremental improvements: Fable 5 as new default (higher quality for same permissions); rate limits doubled (higher throughput for large Dynamic Workflows runs). No structural changes to the permission model.

Core answer: Auto Mode (3 tiers) + allowlists + hooks + Routines, now with Dynamic Workflows as a new Tier 1 option for large-scale file-modification tasks. Dynamic Workflows subagents run in acceptEdits mode (file edits auto-approved, shell commands/web fetches can still prompt) — closest yet to the “pre-approve task plan” ideal from seed snapshot. v2.1.160 incrementally tightens acceptEdits mode for shell startup files and build-tool configs. Remaining gaps unchanged.

Core answer unchanged. Minor update: Anthropic engineering blog now discloses concrete precision metrics — ~0.4% benign commands blocked (low false-positive); ~17% overeager actions pass through (non-trivial false-negative). This confirms Auto Mode is defence-in-depth, not a standalone safety control — worktree/container isolation remains required for high-stakes unattended runs.

Core answer: Auto Mode (3 tiers) + allowlists + hooks + Routines. Auto Mode: permissive/balanced/restrictive; backstop 3/20 denials; Tier 1 for unattended. Routines: fully GA, 3 trigger types, no mid-run approval. Remaining gaps: directory-scoped write permissions don’t exist; MCP VS Code bypass; Routines no mid-run HITL; Auto Mode not on Pro/Bedrock/Vertex/Foundry. Agent SDK is a separate permission surface.

Core answer: Auto Mode + allowlists + hooks. New additions: /loop (iterate until complete) and /schedule (deferred execution) as built-in autonomous primitives; Approval Queue Pattern as 24/7 middle-ground architecture. Tier 3: Claude Code Routines (managed cloud, then described as not fully GA). Remaining gaps: no directory-scoped write permissions; MCP VS Code bypass; YOLO data loss risk confirmed by Willison.

The landscape has changed materially since the seed answer. Anthropic shipped Auto Mode on 2026-03-24 — a Sonnet 4.6-based safety classifier that evaluates every tool call before execution, replacing per-action prompts with ML-based sandboxing. Boris Cherny (Claude Code creator) explicitly positioned it as the replacement for --dangerously-skip-permissions. Auto Mode blocks mass deletion, data exfiltration, and prompt-injection-driven escalation while allowing safe actions uninterrupted. This is the product-level solution we were watching for.

Tier 1: Auto Mode, YOLO + worktrees, --allowedTools. Tier 2: settings.json allowlists, PermissionRequest hooks, containerized YOLO. Tier 3: Claude Code Routines.

Remaining gaps: directory-scoped write permissions still don’t exist; MCP VS Code bypass issue open; .git/ and .claude/ protected since v2.1.78; data loss risk confirmed by Willison.

The cleanest current approach is YOLO + worktrees: run Claude Code with --dangerously-skip-permissions inside an isolated git worktree (separate branch), and review the diff before merging. This replaces per-action approval with post-run diff review — architecturally cleaner because safety is provided by branch isolation, not by per-command prompting. The worktree can be discarded if the output is wrong.

For finer-grained control without full YOLO, allowlists in settings.json are the right tool. Specific command patterns can be pre-approved so common operations (reading files, running tests, grep) don’t interrupt the run. The fewer-permission-prompts skill automates building these allowlists from transcript history — it analyses past sessions to identify which tools you approved most often.

Other approaches in the solution space:

  • --dangerously-skip-permissions alone (without worktrees): removes all safety, no isolation
  • Hooks for auto-approval: surgical, but requires upfront configuration per pattern
  • Task decomposition: smaller chunks = smaller approval surface, but doesn’t eliminate it

What the answer doesn’t yet have: a product-level permission model that allows “pre-approve this task plan” without either YOLO or per-command configuration. That would be the ideal: front-load approval to a single plan review, then run uninterrupted.

Open thread: Anthropic’s product roadmap for permission model granularity is the key thing to watch. Orchestration frameworks (Managed Agents API) that front-load approvals would also change the answer materially.


Evidence

2026-06-26 — Claude Code Checkpointing & /rewind: Roll Back Changes

Type: supporting

Claude Code v2.1.191 (June 25, 2026) adds /rewind — automatic file snapshots after each turn, with restore capability to any prior checkpoint. Restores file state and conversation history; allows forking the session from any prior turn. Limitation: can’t undo external effects (npm install, remote pushes, API calls). Assessment: incremental improvement to unattended run safety. Reframes the correct approach from “prevent bad tool calls” to “detect and rewind bad tool calls.” Does not change the permission model architecture but meaningfully lowers the recovery cost of a bad tool call.

2026-06-26 — Making Claude Code more secure and autonomous with sandboxing

Type: supporting

Anthropic engineering blog (October 2025): Sandboxed Bash Tool runtime defines exactly which directories and network hosts Claude can access — filesystem and network isolation. Internal testing: 84% reduction in permission prompts. This is the first Anthropic-native mechanism that addresses the directory-scoped write permissions gap tracked as “remaining” since the seed snapshot. Caveat: appears to require explicit configuration beyond the standard CLI; not the default for typical unattended runs. Assessment: significant if widely adopted — closes the most persistent remaining gap. Needs confirmation of CLI integration path.

2026-06-19 — Choose a permission mode — Claude Code Docs

Type: supporting

Six permission modes now formally documented: default, acceptEdits, plan, auto, dontAsk, bypassPermissions. dontAsk is the new CI-safe mode: auto-denies everything except permissions.allow rules and read-only Bash commands; fully non-interactive. Auto mode now blocks subagents at task-description evaluation time (v2.1.178+), in addition to during and after execution. Auto mode project-settings self-grant blocked in v2.1.142+. Conversational boundaries (“don’t push”) enforced by classifier. Assessment: incremental — dontAsk is the most significant addition; closes the CI headless-run gap with a properly named, properly-behaved non-interactive mode.

2026-06-02 — Introducing dynamic workflows in Claude Code

Type: significant

Dynamic Workflows subagents run in acceptEdits mode: file edits are auto-approved; shell commands and web fetches can still prompt mid-run. In headless/API mode all tool calls follow configured permission rules without interactive confirmation. The human’s permission interaction is limited to launching the workflow — subagents then execute in the background without per-operation approval for file operations. This is the first production Anthropic tool that implements the “pre-approve the task plan, run uninterrupted” model the quest seed snapshot identified as the missing capability. Assessment: significant — changes the answer for the specific use case of large-scale file-modification runs. Does not resolve the remaining gaps (directory-scoped write permissions, MCP VS Code bypass, Routines no mid-run HITL).

2026-06-02 — Claude Code Changelog v2.1.160

Type: supporting

acceptEdits mode now prompts before writing to shell startup files (.zshenv, .zlogin, .bash_login) and build-tool config files that grant code execution. This incrementally closes the most dangerous auto-approval surface in acceptEdits mode. Also: Edit no longer requires a separate Read after single-file grep — the grep satisfies the read-before-edit check. Assessment: incremental tightening; does not change the overall permission architecture but reduces the risk profile of acceptEdits mode.

2026-05-22 — Claude Code Routines: Anthropic’s Answer to Unattended Dev Automation

Type: supporting

Routines confirmed fully GA. Runs on Anthropic’s cloud infrastructure — no local machine required. Three trigger types: scheduled (recurring cadence), GitHub events (webhook on push/PR), API triggers (programmatic invocation). No mid-run approval capability by design — suited for tasks with a clear output (report, PR, message). Resolves the local machine constraint that previously limited Tier 3. Significant update: Routines move from “signals direction” to “real solution” for the use case of unattended overnight or scheduled autonomous runs.

2026-05-22 — Automate workflows with hooks — Claude Code Docs

Type: supporting

Documents the PermissionDenied hook (fires after Auto Mode classifier rejects an operation) and the defer decision for PreToolUse in headless sessions. PermissionDenied enables custom handling of Auto Mode rejections — logging, alternative action suggestion, or escalation routing. The defer decision allows headless sessions to continue on non-blocked operations while queuing others, enabling partial-autonomy patterns without a full Approval Queue infrastructure.

2026-05-22 — Claude Code Auto Mode: Autonomous Permission Guide

Type: supporting

Documents the three Auto Mode tiers (permissive/balanced/restrictive) with the specific classifier inputs: action type, target path/command, working directory, active permission policy. Backstop mechanism: 3 consecutive denials or 20 total denials triggers escalation to the human. Adds material nuance to what was previously described as binary (on/off).

2026-05-22 — Configure permissions — Claude Agent SDK Docs

Type: contextual

Agent SDK has a separate permission configuration from the Claude Code CLI. Relevant for programmatic agent pipelines that don’t go through the Claude Code terminal interface. A new surface in the permission model landscape that wasn’t present in earlier cycles.

2026-05-14 — Run Claude Code 24/7 With an Approval Queue Pattern

Type: supporting

Documents the Approval Queue Pattern: Claude runs autonomously, enqueues permission requests rather than blocking, and a human (or automated reviewer) processes the queue asynchronously. Enables genuine 24/7 operation without full YOLO risk — the agent continues on non-blocked operations while the queue accumulates. A meaningful architectural middle-ground not previously documented.

2026-05-14 — Claude Code Autonomous Mode: Guide to --dangerously-skip-permissions, /loop and /schedule

Type: supporting

Documents /loop (instruct Claude to iterate until task complete) and /schedule (schedule future execution) as new built-in primitives for autonomous operation. Combined with Auto Mode, /loop enables sustained unattended execution without per-iteration approval prompts. /schedule enables deferred execution without a human present at invocation time.

2026-05-14 — Inside Claude Code Auto Mode: Anthropic’s Autonomous Coding System with Human Approval Gates

Type: contextual

InfoQ analysis of Auto Mode’s two-stage classification architecture: Stage 1 is a fast initial filter (low latency, handles the majority of tool calls immediately); Stage 2 is deeper analysis for ambiguous cases only. Design goal: security posture comparable to careful manual review at a fraction of the latency. Confirms .claudeignore as the primary trust-boundary definition mechanism.

2026-05-12 — Claude Code Auto Mode: A Safer Way to Run Without Permission Prompts

Type: supporting

Anthropic’s official announcement of Auto Mode (2026-03-24). Sonnet 4.6-based safety classifier evaluates each tool call before execution — blocks mass deletion, data exfiltration, prompt-injection escalation; allows safe actions without prompting. Directly addresses the core problem with a product-level solution rather than a workaround.

2026-05-12 — Boris Cherny: Auto Mode Replaces --dangerously-skip-permissions

Type: supporting

Boris Cherny (Claude Code creator) explicitly stated that Auto Mode is the replacement for --dangerously-skip-permissions, and that the old choice between “babysit the model or use YOLO” is now resolved. Published April 2026.

2026-05-12 — Run Parallel Sessions with Worktrees — Official Docs

Type: supporting

Native built-in worktree support via -w/--worktree flag confirmed. Default location .claude/worktrees/<name>/, creates new branch worktree-<name>. Validates the YOLO + worktrees pattern as a first-class supported workflow, even if Auto Mode is now preferred.

2026-05-12 — Headless Claude Code — the -p flag, end to end

Type: supporting

Documents --allowedTools as a key headless CLI flag: claude -p "task" --allowedTools "Bash,Read,Edit". Tool-level allowlists without requiring settings.json changes — useful for scripted CI/CD runs.

2026-05-12 — Claude Code: Auto-Approve Tools While Keeping a Safety Net with Hooks

Type: supporting

PermissionRequest hook fires before the permission dialog; returning {"behavior":"allow"} auto-approves. Enables conditional approval logic that static allowlists can’t express. Clarifies precedence: if the tool is in permissions.allow, the hook never fires.

2026-05-12 — github.com/claude-yolo/claude-yolo

Type: supporting

Community tooling for YOLO + parallel worktrees via tmux. Built-in -w flag for git isolation. Confirms the pattern has community investment and tooling beyond the bare --dangerously-skip-permissions flag.

2026-05-12 — Claude Code’s Broken Permission Model

Type: contextual

Documents a concrete gap in the current model: no way to express “allow writes to src/ and tests/ but not elsewhere”. Even with fine-grained allowlists, the granularity doesn’t extend to directory-scoped write permissions. An honest acknowledgment of what Auto Mode and allowlists don’t yet solve.

2026-05-12 — Pwning Claude Code in 8 Different Ways

Type: contextual

Documents pre-v1.0.93 vulnerabilities in the blocklist approach (e.g. man --html bypass). Anthropic’s response was switching to allowlist-by-default in v1.0.93+. Since v2.1.78, .git/ and .claude/ are protected paths even under --dangerously-skip-permissions. Provides security context for why the permission model evolved.

2026-05-12 — Live Blog: Code w/ Claude 2026 — Simon Willison

Type: contextual

Simon Willison documents a December 2025 incident of unintended data loss with --dangerously-skip-permissions. Confirms real-world risk; validates that the search for safer alternatives was warranted. Also covers Claude Code for Web using --dangerously-skip-permissions safely via containerization.

2026-05-12 — Claude Code Routines: Anthropic’s Answer to Unattended Dev Automation

Type: contextual

Anthropic’s managed cloud service for scheduled and API-triggered unattended workflows. Different model from local development — avoids the permission model entirely by running in managed infrastructure. Not a solution to the local development friction, but signals the direction for fully autonomous use cases.


How We’re Looking

Keywords: "claude code" unattended autonomous run permission, "claude code" allowlist approval bypass, "claude code" YOLO worktree isolation, "claude code" hooks auto-approve, "claude code" permission model granularity, "claude code" headless agent unattended

Watch authors: Simon Willison, Boris Cherny

Preferred sources: docs.anthropic.com, simonwillison.net, github.com/anthropics, news.ycombinator.com

Negative filters: beginner content, “getting started” tutorials

Strategy Changelog

Date | Change
2026-05-12 | Quest created; seed answer from design discussion
2026-05-12 | First gather cycle; Auto Mode (March 2026) discovered — significant update to answer; added --allowedTools flag, PermissionRequest hooks, containerized YOLO, permission model gaps
2026-05-14 | Second gather cycle; incremental additions — /loop + /schedule commands, Approval Queue Pattern documented
2026-05-22 | Third gather cycle; significant — Routines confirmed fully GA with 3 trigger types; Auto Mode now has 3 tiers (permissive/balanced/restrictive); PermissionDenied hook and defer decision documented; Agent SDK permissions surface identified
2026-05-27 | Fourth gather cycle; minor — Auto Mode still “research preview” per InfoQ May 2026, not recommended for shared team environments; audit log gap for EU AI Act high-risk compliance noted as Q3 2026 deadline
2026-05-30 | Fifth gather cycle; minor — Auto Mode precision metrics disclosed: 0.4% benign blocked, ~17% overeager pass-through; confirms defence-in-depth requirement for high-stakes unattended runs