VividKit Crystal clear AI coding
VI
What is ClaudeKit? ClaudeKit CLI Guide Commands Cheat Sheet Command Finder Workflow Recipes Accounts Switcher Mobile Coding IDE Config Session Recovery UI/UX Guide Permission Modes Custom Hooks Fix from Logs Promotions

Permission Modes

Configure how Claude Code asks for approval — from full oversight to autonomous execution with background safety checks.

Power User Feature
These settings control how much autonomy Claude has on your machine. Choose the mode that matches your risk tolerance and environment.

Available Permission Modes

Press Shift+Tab in the CLI to cycle through modes. Set defaultMode in settings for persistence.

Mode Auto-approved Best for
default
Read files only Getting started, sensitive work
acceptEdits
Read + edit files Iterating on code you're reviewing
plan
Read files only (no edits) Exploring codebase, planning refactors
auto NEW
All actions (classifier checks) Long tasks, reducing prompt fatigue
dontAsk
Only pre-approved tools CI pipelines, locked-down environments
bypassPermissions DANGEROUS
Everything, no checks Isolated containers/VMs only

Auto Mode (Recommended for Team Users)

NEW

A background classifier reviews each action before execution — blocks dangerous operations while allowing safe ones to proceed without prompts.

How it works
  • A separate Sonnet 4.6 classifier model evaluates every action before it runs
  • Your allow/deny rules are checked first — classifier only handles the rest
  • Read-only actions and file edits in your working directory are auto-approved
  • Falls back to manual prompts after 3 consecutive blocks or 20 total blocks per session
Blocked by default

curl | bash, force push, mass delete, production deploys, sending data to external endpoints, granting IAM/repo permissions, modifying shared infrastructure

Allowed by default

Local file operations, installing deps from lockfiles, reading .env and sending creds to matching API, read-only HTTP, pushing to current branch

Option A: CLI flag (adds auto to Shift+Tab cycle) 
claude --enable-auto-mode
Option B: Settings file (persistent default) 
{
  "$schema": "https://claudekit.cc/schemas/ck-config.schema.json",
  "permissions": {
    "defaultMode": "auto"
  }
}

Requirements: Team plan (Enterprise/API coming soon) · Claude Sonnet 4.6 or Opus 4.6 · Admin must enable in Claude Code admin settings.

Customize the classifier

Tell the classifier which infrastructure you trust via the autoMode setting. Not read from shared project settings.

{
  "$schema": "https://claudekit.cc/schemas/ck-config.schema.json",
  "autoMode": {
    "environment": [
      "Source control: github.com/your-org and all repos under it",
      "Trusted internal domains: *.internal.example.com",
      "Key services: Jenkins at ci.example.com"
    ]
  }
}
Inspect & debug
claude auto-mode defaults  # built-in rules
claude auto-mode config    # effective config
claude auto-mode critique  # AI feedback on custom rules

Research Preview: Auto mode reduces prompts but does not guarantee safety. More protection than bypassPermissions, but not as thorough as manual review.

Full Bypass (bypassPermissions)

Skips all permission prompts. You only need one of the two methods below — CLI flag for a single session, or settings file to make it the default.

Option A: CLI flag (single session) 
claude --dangerously-skip-permissions
or
claude --permission-mode bypassPermissions
Option B: Settings file (persistent default)
File:
<project>/.claude/settings.local.json (project-local, gitignored) 
{
  "$schema": "https://claudekit.cc/schemas/ck-config.schema.json",
  "permissions": {
    "defaultMode": "bypassPermissions"
  }
}
CRITICAL WARNING

No safety checks at all. In rare cases, Claude could run destructive commands like rm -rf ... if it hallucinates. Only use in isolated containers/VMs. Prefer auto mode for a safer alternative.

Granular Allow/Deny Rules

Fine-grained control: allow safe commands, prompt for risky ones, block dangerous operations.

File:
<project>/.claude/settings.local.json (project-local, gitignored) 
{
  "$schema": "https://claudekit.cc/schemas/ck-config.schema.json",
  "permissions": {
    "allow": [
      "Bash(npm run *)",
      "Bash(git commit *)",
      "Bash(git diff *)"
    ],
    "ask": [
      "Bash(git push *)",
      "Bash(docker *)"
    ],
    "deny": [
      "Bash(rm ~/)",
      "Bash(rm /)",
      "Bash(rm -rf /:*)",
      "Bash(rm -rf ~:*)",
      "Bash(sudo rm -rf :*::*)",
      "Bash(git reset --hard:*)",
      "Bash(git clean -fdx:*)",
      "Bash(git push --force:*)",
      "Bash(prisma db push)",
      "Bash(prisma migrate reset:*)",
      "Bash(docker system prune -af:*)",
      "Read(./.env)",
      "Read(./.env.*)",
      "Read(./secrets/**)"
    ]
  }
}

The deny list blocks destructive commands (database drops, force pushes, system modifications). Rules are evaluated in order: deny → ask → allow.

Ask rules: Use ask to force a confirmation prompt for specific commands, even if they'd otherwise be allowed.

Tip: settings.json supports a "$schema" field for IDE autocompletion. Add "$schema": "https://claudekit.cc/schemas/ck-config.schema.json"

Permission Rule Syntax

Rules follow the format Tool or Tool(specifier). Evaluated in order: deny → ask → allow.

Rule Effect
Bash All Bash commands
Bash(npm run *) Commands starting with npm run
Read(./.env) Reading .env in project root
Read(./secrets/**) Reading any file under secrets/
Edit(/src/**/*.ts) Editing .ts files in src/
WebFetch(domain:example.com) Fetch requests to example.com
mcp__server__tool Specific MCP tool
Agent(Explore) The Explore subagent

For comprehensive documentation on permission scopes and syntax, visit the Official Claude Code Documentation