Home › Concepts › Permission and Trust Model

Permission and Trust Model

Claude Code's permission system is a four-layer decision stack that balances safety against the 93% friction problem — users approved 93% of permission prompts, conditioning themselves to rubber-stamp everything.

The Four Layers

  1. Check existing permission rules — glob/regex patterns against tool inputs. If matched → allow/deny immediately.
  2. Simulate acceptEdits mode — if the tool call would be approved in file-edit mode, skip the ML classifier (low risk signal).
  3. Check read-only tool whitelist — Read, Grep, Glob, LSP, WebSearch modify no state → unconditionally allow.
  4. ML safety classifier — only reached if all three above are inconclusive → Claude Sonnet evaluates risk.

The classifier covers 22 interception categories (force push to main, downloading and executing external code, production deployment, credential leaks) and seven exception categories (hardcoded test keys, local file operations, read-only GET requests).

The 93% Problem

Anthropic's published figure: users approved 93% of permission prompts. This means the manual permission model was generating a 7% friction rate with the vast majority being rubber-stamp approvals. Auto mode's design goal was friction removal, not security improvement — handle the 93% automatically, leave the genuinely dangerous 7% for explicit approval.

The irony: 2.6% of users who granted bash:* access were likely conditioned by hundreds of low-risk approval prompts.

Circuit Breaker

After 3 consecutive rejections OR 20 total rejections, the system downgrades to manual confirmation. In headless/CI mode, 3+ rejections abort the agent entirely.

Known Vulnerabilities