[FEATURE] Named permission preset tiers (UAC-style trust levels)
Preflight Checklist
- [x] I have searched existing requests and this feature hasn't been requested yet
- [x] This is a single feature request (not multiple features)
Problem Statement
Claude Code's default permission mode prompts for confirmation on nearly every tool call — file edits, bash commands, reads. For trust-established workflows (e.g., working in a personal repo on a sandboxed machine), this produces a high volume of low-value interruptions. The alternative — manually authoring allow rules in settings.json — requires knowledge of the permission DSL and is not discoverable.
Permission modes do exist (normal, auto-accept edits, plan, bypassPermissions) and are accessible via Shift+Tab or --permission-mode, but they are:
Not surfaced as a named, selectable option at session start
Not documented with clear semantics about what each mode permits
Not configurable as a persistent default without manual JSON editing
Proposed Solution
<html>
<body>
<!--StartFragment--><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Introduce a small set of named permission presets that users can select at session start or set as a persistent default, analogous to Windows UAC trust levels:</p>
<div class="overflow-x-auto w-full px-2 mb-6">
Preset | Description
-- | --
Strict | Prompt on every tool call. Current default. Best for untrusted repos or onboarding.
Standard | Auto-allow reads and non-destructive edits; prompt on bash and writes outside the working directory.
Permissive | Auto-allow all file operations within the working directory; prompt only on network access and destructive commands.
Autonomous | Equivalent to current bypassPermissions. No prompts. Explicit opt-in required.
</div>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Selection UX options (in order of preference):</p>
<ol class="[li_&]:mb-0 [li_&]:mt-1 [li_&]:gap-1 [&:not(:last-child)_ul]:pb-1 [&:not(:last-child)_ol]:pb-1 list-decimal flex flex-col gap-1 pl-8 mb-3">
<li class="whitespace-normal break-words pl-2">First-run wizard prompt: <em>"How much should Claude Code autonomously do?"</em></li>
<li class="whitespace-normal break-words pl-2">A <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">/trust</code> slash command that switches and persists the active preset</li>
<li class="whitespace-normal break-words pl-2">A <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">defaultPermissionPreset</code> key in <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">settings.json</code> that maps to one of the named tiers</li></ol><!--EndFragment-->
</body>
</html>
Alternative Solutions
_No response_
Priority
High - Significant impact on productivity
Feature Category
CLI commands and flags
Use Case Example
Working on a C# desktop software with no external contributors. The working directory is fully trusted.
A typical agentic session involves Claude Code:
- Reading multiple .cs files across several subsystems to understand state
- Editing 3–5 files per task (method rewrites, bug fixes, refactors)
- Running dotnet build to verify compilation
- Running test scripts via bash
In default (Strict) mode, every one of these operations — including reads — triggers a confirmation prompt. A single task touching 6 files and running 2 build commands produces 8–12 interruptions, none of which carry meaningful security value in a trusted personal repo.
The desired mode is Permissive: auto-allow reads and edits within the working directory, auto-allow dotnet build and known dev commands, prompt only if Claude attempts to access paths outside the repo or run network-touching commands. This is a clearly expressible intent that currently requires manually crafting allow rules for every tool pattern — Bash(dotnet ), Edit(src/*), etc. — with no guided path to get there.
A named Permissive preset would cover this in one selection at session start, with no JSON authoring required.
Additional Context
_No response_
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗