Permission Pipeline
The auto-approval decision stack in claude-code. Every tool invocation passes through this pipeline to determine whether the action requires user confirmation, gets auto-approved, or gets blocked.
Reverse-engineered by Ant Group engineer Chen Cheng from v2.1.81, before the source map leak.
The Four Layers
The layers are evaluated in order. If any layer returns a definitive allow/deny, subsequent layers are skipped:
| Layer | Decision Logic | Cost |
|---|---|---|
| 1. Existing permission rules | Glob/regex patterns against tool inputs. If matched, allow/deny immediately | Zero — rule lookup |
| 2. acceptEdits simulation | Would this tool call be approved in file-edit mode? If yes, skip the classifier | Zero — mode check |
| 3. Read-only whitelist | Read, Grep, Glob, LSP, WebSearch modify no state — unconditionally allow | Zero — list check |
| 4. ML safety classifier | Separate Claude Sonnet 4.6 inference call evaluates risk in context | High — full API call |
The ML classifier is the most expensive layer and is reached only when all three cheaper checks are inconclusive. This layered design means most tool calls never hit the classifier.
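An added example, not claude-code source: a small model of the evaluation order in the table, showing which layer settles each call and how often the classifier is reached. A layer 1 deny rule wins over the read-only whitelist because it is evaluated first. Assumptions: the Edit and Write tool names, the rule shape, the stub classifier and the sample calls are all constructed for illustration.

```javascript
// Added example: a model of the four-layer order, not claude-code source.
const READ_ONLY = new Set(["Read", "Grep", "Glob", "LSP", "WebSearch"]); // layer 3 list from the table
const EDIT_TOOLS = new Set(["Edit", "Write"]); // assumption: what acceptEdits auto-approves

// Layer 1 rules (constructed). First match wins, allow or deny.
const RULES = [
  { tool: "Read", pattern: /\.env$/, decision: "deny" },
  { tool: "Bash", pattern: /^npm test$/, decision: "allow" },
];

function matchRule(call, rules) {
  const hit = rules.find((r) => r.tool === call.tool && r.pattern.test(call.input));
  return hit ? hit.decision : null;
}

// Returns the decision and the layer that produced it. `classify` stands in
// for the separate model call and is invoked only when layers 1-3 are inconclusive.
function decide(call, rules, classify) {
  const ruled = matchRule(call, rules);
  if (ruled) return { decision: ruled, layer: 1 };
  if (EDIT_TOOLS.has(call.tool)) return { decision: "allow", layer: 2 };
  if (READ_ONLY.has(call.tool)) return { decision: "allow", layer: 3 };
  return { decision: classify(call), layer: 4 };
}

// Constructed sample session.
const SAMPLE_CALLS = [
  { tool: "Read", input: "src/app.js" },
  { tool: "Read", input: "config/.env" },
  { tool: "Edit", input: "src/app.js" },
  { tool: "Bash", input: "npm test" },
  { tool: "Bash", input: "git push --force origin main" },
  { tool: "Grep", input: "TODO" },
];

function runSample() {
  let classifierCalls = 0;
  const stubClassifier = (call) => {
    classifierCalls += 1; // each call here models one paid inference
    return /--force/.test(call.input) ? "deny" : "allow";
  };
  const results = SAMPLE_CALLS.map((c) => ({ ...c, ...decide(c, RULES, stubClassifier) }));
  return { results, classifierCalls };
}

const { results, classifierCalls } = runSample();
for (const r of results) console.log(`L${r.layer} ${r.decision.padEnd(5)} ${r.tool} ${r.input}`);
console.log(`classifier calls: ${classifierCalls} of ${results.length}`);
```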
Five Permission Modes
| Mode | Behavior |
|---|---|
| default | Ask before writes, bash, MCP |
| acceptEdits | Auto-approve file edits, ask for bash |
| dontAsk | Approve everything without asking |
| bypassPermissions | Skip all checks (--dangerously-skip-permissions) |
| auto | Per-action ML classifier decision |
In auto mode, each tool call passes through a transcript classifier that reads recent conversation context. This is why auto mode can approve rm -rf dist/ when the user asked to "clean the build" but block the same command without that context. The cost: one extra Sonnet inference per tool call — 200 tool calls = 200 classifier inferences on top of the main conversation.
The Two-Stage Classifier (Auto Mode)
The auto-mode-classifier runs in two stages:
| Stage | Speed | Purpose | False Positive Rate | False Negative Rate |
|---|---|---|---|---|
| Stage 1 — Fast filter | Single token yes/no | Err toward blocking | 8.5% | — |
| Stage 2 — Chain-of-thought | Full reasoning | Reduce false positives | 0.4% | 17% on real overeager |
Stage 2 runs only when Stage 1 flags. Because both stages use the same prompt with only the final instruction changed, Stage 2 is almost entirely a prompt-cache hit from Stage 1.
Coverage
- 22 interception categories: force push to main, downloading/executing external code, production deployment, credential leaks, creating RCE surfaces, etc.
- 7 exception categories: hardcoded test keys, local file operations within working directory, read-only GET requests, installing declared dependencies
Circuit Breaker
- 3 consecutive rejections → downgrade to manual confirmation
- 20 total rejections → same downgrade
- In headless/CI mode → 3 rejections aborts the agent entirely
Deny-and-Continue Pattern
When the classifier blocks an action, it returns the denial as a tool result rather than killing the session. The agent receives the denial and can find a safer path. This enables safe retry patterns.
Multi-Agent Permission Inheritance
For teammate-tool agents, permissions scope through three modes:
- ask: every tool use requires human confirmation
- bubble: permission prompts float up to the team lead
- allow: auto-approve, bounded by the lead's own permissions
Known bug: if the lead agent is in Delegate Mode, all spawned teammates inherit the restriction and lose file operation tools, even when mode: "bypassPermissions" is set.
Key Claims
clm-20260409-86fd8697ebce: 4 decision layers with ML classifier last
Sources
src-20260409-a14e9e98c3cd — Internals: Auto-Memory, Auto-Dream, and Agent Teams
src-20260409-cbf9b6837f5f — Round 10: Quality Gap, CVE, Security