Anthropic Unveils Claude Code "Auto Mode": Sonnet 4.6-Powered Safeguards Replace Dangerous Permissions Skips
News/2026-03-25-anthropic-unveils-claude-code-auto-mode-sonnet-46-powered-safeguards-replace-dan
Developer AI Breaking NewsMar 25, 20265 min read
Verified·1 source

Anthropic Unveils Claude Code "Auto Mode": Sonnet 4.6-Powered Safeguards Replace Dangerous Permissions Skips

Featured:Anthropic

Practical focus

Ship with AI-assisted coding

Guideline angle

When to use an AI coding agent

Anthropic Unveils Claude Code "Auto Mode": Sonnet 4.6-Powered Safeguards Replace Dangerous Permissions Skips
  • What: Anthropic launched "auto mode" for Claude Code, an AI-driven permissions system.
  • Technology: Uses a dedicated Claude Sonnet 4.6 classifier model to monitor and approve actions.
  • Safety: Replaces the risky --dangerously-skip-permissions flag with governed autonomy.
  • Availability: Released March 24, 2026, for users of the Claude Code terminal interface.

Anthropic has officially launched "auto mode" for Claude Code, a major update designed to streamline developer workflows by allowing the AI to make autonomous permission decisions. Released on March 24, 2026, this new mode utilizes a specialized Claude Sonnet 4.6 classifier to monitor the AI's actions in real-time, providing a safer and more efficient alternative to the manual --dangerously-skip-permissions flag.

The introduction of auto mode marks a significant shift in how AI coding agents interact with local environments, moving away from constant user prompts toward a system of algorithmic governance. By delegating decision-making to a high-performance model specifically tuned for safety, Anthropic aims to reduce developer friction while maintaining strict boundaries around sensitive system operations.

The Sonnet 4.6 Guardrail: How it Works

At the heart of auto mode is a "classifier model" running on Claude Sonnet 4.6. According to official documentation, this classifier acts as a secondary layer of oversight that reviews every action before it executes, regardless of which model is powering the primary chat session.

The classifier is tasked with evaluating whether a proposed action—such as editing a file, running a terminal command, or making a network request—aligns with the user's explicit intent. It is specifically programmed to block actions that attempt to escalate privileges beyond the "project scope," target unrecognized or untrusted infrastructure, or appear to be influenced by "hostile content" found in external files or web pages.

Developers can inspect the specific logic governing these decisions by running the command claude auto-mode defaults in their terminal. This command reveals an extensive JSON manifest of filters and rules that the Sonnet 4.6 model uses to determine what is safe to execute.

Defining the "Project Scope"

One of the most critical safeguards in auto mode is the concept of "Project Scope." Anthropic defines this as the specific repository where the Claude Code session was initiated.

Under the "allow" list, the agent is permitted to perform local file operations and deletions—provided they remain within this defined directory. Any attempt to wander into system-level directories, such as ~/Library/, /etc, or even other local repositories, is flagged as "scope escalation" and strictly blocked. This prevent the AI from accidentally or maliciously modifying the broader operating system while it works on a specific coding task.

Other permitted actions include:

  • Read-Only Operations: GET requests and API calls that do not modify state or contain sensitive information in the URL.
  • Test Artifacts: Handling hardcoded test API keys or placeholder credentials within example files.
  • Declared Dependencies: Running standard installation commands (e.g., pip install -r requirements.txt, npm install) as long as the agent has not modified the manifest file during the current session.

Soft Denies and Security Restrictions

To prevent catastrophic errors, Anthropic has implemented a "soft_deny" category for actions that are generally considered too risky for autonomous execution. These actions require explicit user intervention and cannot be bypassed by auto mode.

Key restrictions include a ban on "Git Destructive" actions, such as force pushing (git push --force) or deleting remote branches. The AI is also restricted from pushing directly to a repository's default branch (main or master), a move intended to ensure all AI-generated code passes through a human-led pull request review process.

Furthermore, auto mode blocks the execution of code downloaded from external sources, such as curl | bash commands or deserializing data via risky formats like pickle or yaml.unsafe_load. The safeguards also extend to cloud infrastructure, preventing the mass deletion or modification of files on services like Amazon S3, Google Cloud Storage, or Azure Blob.

Impact on Developers and Industry

For developers, auto mode represents a massive leap in "agentic" productivity. By removing the need to manually approve every routine file read or local test run, Anthropic is enabling a more "hands-off" coding experience.

"This changes how developers will interact with terminal agents, shifting the burden of safety from constant manual clicks to a pre-defined, AI-monitored trust zone," according to technical analysis of the release.

However, the industry remains divided on the efficacy of AI-based security. Industry experts, including Simon Willison, have expressed skepticism regarding the non-deterministic nature of these protections. Willison noted in a blog post that prompt injection protections relying on AI can be unpredictable and may still allow risky actions if user intent is ambiguous.

"I still want my coding agents to run in a robust sandbox by default, one that restricts file access and network connections in a deterministic way," Willison wrote, suggesting that while auto mode is an improvement over skipping permissions entirely, it may not be a complete replacement for hardware-level sandboxing.

What’s Next for Claude Code

The release of auto mode is likely the first step in a broader push toward fully autonomous AI engineering agents. While the current implementation allows for a high degree of freedom within a project's repository, the system still faces challenges regarding supply chain attacks.

Specifically, the "allow" list for pip install -r requirements.txt could potentially be exploited if a project contains unpinned or compromised dependencies—a risk recently highlighted by security incidents involving the LiteLLM package. As Anthropic continues to refine Sonnet 4.6 and its classifier logic, the industry expects more granular controls and perhaps deeper integration with OS-level sandboxing tools to address these remaining vulnerabilities.

Sources

Original Source

simonwillison.net

Comments

No comments yet. Be the first to share your thoughts!