[FEATURE] Named permission preset tiers (UAC-style trust levels)

Resolved 💬 2 comments Opened Apr 14, 2026 by yiliangs-som Closed May 23, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

Claude Code's default permission mode prompts for confirmation on nearly every tool call — file edits, bash commands, reads. For trust-established workflows (e.g., working in a personal repo on a sandboxed machine), this produces a high volume of low-value interruptions. The alternative — manually authoring allow rules in settings.json — requires knowledge of the permission DSL and is not discoverable.
Permission modes do exist (normal, auto-accept edits, plan, bypassPermissions) and are accessible via Shift+Tab or --permission-mode, but they are:

Not surfaced as a named, selectable option at session start
Not documented with clear semantics about what each mode permits
Not configurable as a persistent default without manual JSON editing

Proposed Solution

<html>
<body>
<!--StartFragment--><p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Introduce a small set of named permission presets that users can select at session start or set as a persistent default, analogous to Windows UAC trust levels:</p>
<div class="overflow-x-auto w-full px-2 mb-6">
Preset | Description
-- | --
Strict | Prompt on every tool call. Current default. Best for untrusted repos or onboarding.
Standard | Auto-allow reads and non-destructive edits; prompt on bash and writes outside the working directory.
Permissive | Auto-allow all file operations within the working directory; prompt only on network access and destructive commands.
Autonomous | Equivalent to current bypassPermissions. No prompts. Explicit opt-in required.

</div>
<p class="font-claude-response-body break-words whitespace-normal leading-[1.7]">Selection UX options (in order of preference):</p>
<ol class="[li_&amp;]:mb-0 [li_&amp;]:mt-1 [li_&amp;]:gap-1 [&amp;:not(:last-child)_ul]:pb-1 [&amp;:not(:last-child)_ol]:pb-1 list-decimal flex flex-col gap-1 pl-8 mb-3">
<li class="whitespace-normal break-words pl-2">First-run wizard prompt: <em>"How much should Claude Code autonomously do?"</em></li>
<li class="whitespace-normal break-words pl-2">A <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">/trust</code> slash command that switches and persists the active preset</li>
<li class="whitespace-normal break-words pl-2">A <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">defaultPermissionPreset</code> key in <code class="bg-text-200/5 border border-0.5 border-border-300 text-danger-000 whitespace-pre-wrap rounded-[0.4rem] px-1 py-px text-[0.9rem]">settings.json</code> that maps to one of the named tiers</li></ol><!--EndFragment-->
</body>
</html>

Alternative Solutions

_No response_

Priority

High - Significant impact on productivity

Feature Category

CLI commands and flags

Use Case Example

Working on a C# desktop software with no external contributors. The working directory is fully trusted.
A typical agentic session involves Claude Code:

  • Reading multiple .cs files across several subsystems to understand state
  • Editing 3–5 files per task (method rewrites, bug fixes, refactors)
  • Running dotnet build to verify compilation
  • Running test scripts via bash

In default (Strict) mode, every one of these operations — including reads — triggers a confirmation prompt. A single task touching 6 files and running 2 build commands produces 8–12 interruptions, none of which carry meaningful security value in a trusted personal repo.
The desired mode is Permissive: auto-allow reads and edits within the working directory, auto-allow dotnet build and known dev commands, prompt only if Claude attempts to access paths outside the repo or run network-touching commands. This is a clearly expressible intent that currently requires manually crafting allow rules for every tool pattern — Bash(dotnet ), Edit(src/*), etc. — with no guided path to get there.
A named Permissive preset would cover this in one selection at session start, with no JSON authoring required.

Additional Context

_No response_

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗