yoloClassifier.ts
- Entity ID: ent-20260409-22904afa656f
- Type: file
- Scope: shared
- Status: active
- Aliases: YOLO classifier, auto-mode classifier
Description
yoloClassifier.ts is the auto-mode safety classifier that evaluates every tool invocation for risk when Claude Code is running in autonomous ("YOLO") mode. The file spans approximately 52,000 lines (though the core classification function itself may be around 1,495 lines, with the remainder consisting of rule tables, test fixtures, and supporting logic). It is one of the largest files in the codebase alongside queryengine-ts.
The classifier's purpose is to determine whether a tool call is safe to execute without human confirmation. When a user enables auto-mode (via --dangerously-skip-permissions or the "auto-accept" toggle), the classifier sits between the agent's intent and actual execution, applying heuristic rules to decide if the action is safe.
Classification Logic
The classifier categorizes each tool invocation into one of three outcomes:
| Decision | Meaning | Example |
|---|---|---|
| Allow | Safe to execute silently | Reading a file, running a grep search |
| Deny | Too dangerous even in auto mode | rm -rf /, writing to system files |
| Ask | Uncertain; fall back to user prompt | Running an unfamiliar bash command, writing to files outside the project |
Read-Only Tools Skip Classifier
Tools that are inherently read-only -- such as Read, Grep, Glob, and WebSearch -- bypass the classifier entirely and are always allowed in auto-mode. This optimization avoids unnecessary classification overhead for operations that cannot modify system state.
Fail-Open Design
A critical design choice: if the classifier encounters an error, throws an exception, or times out, it fails open by falling back to prompting the user rather than silently blocking the operation. This fail-open philosophy prioritizes workflow continuity over strict safety, under the reasoning that a human prompt is a safe fallback. The alternative -- fail-closed, where errors would block all tool use -- was rejected because it would make auto-mode unusable during classifier bugs or edge cases.
Rule Structure
The classifier's rules are organized as pattern-matching tables that inspect:
- Tool name -- Different tools have different base risk levels.
- Command content -- For Bash tool calls, the actual command string is parsed for dangerous patterns (e.g., rm, chmod, sudo, pipe to sh).
- File paths -- Write operations are checked against allowlists and denylists based on file location and extension.
- Project scope -- Operations within the project directory are treated more permissively than operations outside it.
CVE: 50-Subcommand Deny-to-Ask Downgrade
A known vulnerability exists where bash commands with more than 50 subcommands (e.g., long pipeline chains) exceed the classifier's parsing capacity, causing it to downgrade from "deny" to "ask." This effectively allows a sufficiently complex malicious command to bypass the deny list and reach the user as a prompt, where social engineering could lead to approval. This is tracked as a Claude Code CVE.
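A toy model of the downgrade described above and one ordering that closes it, as an added TypeScript example that is not code from yoloClassifier.ts. The rule patterns, the splitter and every function name are hypothetical, and the early return is an assumption about the mechanism; only the 50-subcommand cap and the three decisions come from this page.

```typescript
// Added illustration: a toy model, not code from yoloClassifier.ts.
type Decision = "allow" | "deny" | "ask";

const MAX_SUBCOMMANDS = 50; // cap named on the page
// Constructed stand-ins for the real rule tables (assumptions).
const DENY_PATTERNS: RegExp[] = [/^rm\s+-rf\s+\/(\s|$)/, /^sudo\b/];
const ALLOW_PATTERNS: RegExp[] = [/^(ls|cat|grep|echo)\b/];

// Naive split on |, ;, && and ||. Quoting is ignored; enough for the demo.
function splitSubcommands(command: string): string[] {
  return command.split(/\|\||&&|[|;]/).map((s) => s.trim()).filter((s) => s.length > 0);
}

const matchesAny = (part: string, rules: RegExp[]): boolean => rules.some((re) => re.test(part));

// Behaviour the page describes, modelled as an early return that fires
// before the deny rules run (an assumption about the mechanism).
function classifyWithDowngrade(command: string): Decision {
  const parts = splitSubcommands(command);
  if (parts.length > MAX_SUBCOMMANDS) return "ask";
  if (parts.some((p) => matchesAny(p, DENY_PATTERNS))) return "deny";
  return parts.every((p) => matchesAny(p, ALLOW_PATTERNS)) ? "allow" : "ask";
}

// Hardened ordering: deny rules run over every segment first, so length can
// only move a result from "allow" to "ask", never from "deny" to "ask".
function classifyHardened(command: string): Decision {
  const parts = splitSubcommands(command);
  if (parts.some((p) => matchesAny(p, DENY_PATTERNS))) return "deny";
  if (parts.length > MAX_SUBCOMMANDS) return "ask";
  return parts.every((p) => matchesAny(p, ALLOW_PATTERNS)) ? "allow" : "ask";
}

// Constructed sample: 50 harmless segments followed by one denied command.
const OVER_CAP_SAMPLE: string = new Array<string>(50).fill("echo ok").concat("rm -rf /").join(" | ");

// Regression check: returns the inputs whose "deny" verdict was weakened.
function findDowngrades(commands: string[]): string[] {
  return commands.filter((c) => classifyHardened(c) === "deny" && classifyWithDowngrade(c) !== "deny");
}
```

Running findDowngrades over a corpus of known-denied commands padded past the cap gives a regression test for the invariant that a deny verdict is never weakened by input length.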
Integration
The classifier is a core component of the permission-pipeline and the three-layer-verification system. It works alongside the auto-mode-classifier concept and is evaluated within queryengine-ts on every tool dispatch. The bash-security system provides additional Bash-specific safety checks that complement the classifier's rules. Feature flags from growthbook can modify classifier thresholds at runtime.
Key claims
- none yet
Relations
rel-20260409-ca3cd0a13a1b: ent-20260409-381bd95a1693 --[contains]--> ent-20260409-22904afa656f
Sources
src-20260409-6913a0b93c8b