Auto mode injects undocumented behavioral system-reminder that steers beyond its documented permission-gate contract
Preflight
- [x] I have searched existing issues and this specific angle isn't reported
- [x] This is a single bug report
- [x] I am using the latest version of Claude Code
Summary
Auto mode is documented as a permission mode — "Claude execute[s] without permission prompts. A separate classifier model reviews actions before they run" (permission-modes). The documented contract is a permission gate plus an external classifier.
In addition to that, auto mode also injects a <system-reminder> into the model's context that contains behavioral steering instructions — not permission semantics. These instructions ("execute immediately", "prefer action over planning", "minimize interruptions", "when in doubt, start coding") are not mentioned anywhere in the permission-mode docs, change the model's consent-seeking and cadence behavior in ways that can override other instructions, and are the root cause of several open/closed bugs.
The injected system-reminder (verbatim)
## Auto Mode Active
Auto mode is active. The user chose continuous, autonomous execution. You should:
1. **Execute immediately** — Start implementing right away. Make reasonable assumptions and proceed on low-risk work.
2. **Minimize interruptions** — Prefer making reasonable assumptions over asking questions for routine decisions.
3. **Prefer action over planning** — Do not enter plan mode unless the user explicitly asks. When in doubt, start coding.
4. **Expect course corrections** — The user may provide suggestions or course corrections at any point; treat those as normal input.
5. **Do not take overly destructive actions** — Auto mode is not a license to destroy. Anything that deletes data or modifies shared or production systems still needs explicit user confirmation. If you reach such a decision point, ask and wait, or course correct to a safer method instead.
6. **Avoid data exfiltration** — Post even routine messages to chat platforms or work tickets only if the user has directed you to. You must not share secrets (e.g. credentials, internal documentation) unless the user has explicitly authorized both that specific secret and its destination.
Point 5 is the only one that tracks the documented permission-gate contract. Points 1–3 are behavioral steering that has no corresponding element in the docs.
The documented contract
From permission-modes:
Auto mode lets Claude execute without permission prompts. A separate classifier model reviews actions before they run, blocking anything that escalates beyond your request, targets unrecognized infrastructure, or appears driven by hostile content Claude read.
Nothing in the doc says the model itself should "execute immediately", "prefer action over planning", or "minimize interruptions". The doc describes a permission layer plus classifier — an external gate on what auto-approves. It does not describe (and by omission, does not authorize) a separate behavioral-steering layer.
Why this matters
Points 1–3 and point 5 pull in opposite directions, and point 5 is the narrow one:
- 1–3 say "execute, don't pause, don't ask"
- 5 says "but ask before touching shared or production systems"
In practice the weight of three points toward action vs one point toward caution biases the model toward over-action on exactly the kind of edits where the permission-mode doc's classifier also doesn't run (local files, files in additionalDirectories). The "execute immediately / prefer action" wording is then doing work that the permission gate was supposed to do — gating behavior, not just prompts.
Observed behavior
In a recent session I attempted to edit a shared config file without first asking for explicit consent, in response to a user question that was a request for a recommendation, not permission to make the change. A self-modification guard denied the edit, which forced reflection. Points 1–3 of the reminder had biased the weighting of "should I ask?" toward "no, act" — even though point 5 covered the case.
This matches the pattern in #42209 (auto mode ran git checkout -- and destroyed uncommitted work despite an ask rule) and #44318 (auto mode's reminder leaked into a plan-mode session and caused plan mode to be bypassed — the reporter's model self-identified the cause as "auto mode instructs 'execute immediately' and plan mode instructs 'do not execute,' the conflicting instructions caused me to follow auto mode behavior").
Related issues
- #44318 (open) — quotes the exact "execute immediately" wording from this reminder, shows cross-session bleed causing plan mode to be bypassed. Closest existing issue to this one, but framed as a session-isolation bug rather than a design issue with the behavioral layer itself.
- #42209 (closed) —
askpermission rules bypassed in auto mode, destructive git commands ran without confirmation. Closed, but the "why did the model skip the ask rule" question points at the same behavioral layer. - #42310 (open, docs) — cites the v2.1.90 changelog entry "Fixed auto mode not respecting explicit user boundaries (\"don't push\", \"wait for X before Y\") even when the action would otherwise be allowed" — confirming that the behavioral layer has already been caught overriding explicit user constraints once.
- #18560 — system-reminder instructing Claude Code not to follow CLAUDE.md instructions (same class: injected instructions overriding user/project configuration).
- #30730 — subagent dispatch extra notes conflicting with custom agent prompts (same class).
- #30634 — plan-mode system instructions overriding CLAUDE.md workflow directives (same class).
The pattern across all of these: Claude Code injects behavioral instructions via system-reminder that aren't reflected in documentation and can override other layers of user/project configuration, with no user-facing control.
Suggested approaches
Option A: Document the behavioral steering. Add the full text of the auto-mode system-reminder to permission-modes, and explain what each point does. Users and agents should be able to see what they've opted into when they enable the mode.
Option B: Scope the reminder narrowly to permission semantics. Auto mode's job is to let actions run without prompts, with the classifier handling safety. The reminder could be rewritten as a factual statement of what has changed ("Permission prompts are disabled for classifier-approved actions. Writes to shared or production systems still require explicit confirmation.") without the motivational layer ("execute immediately", "prefer action", "minimize interruptions").
Option C: Make it configurable. Allow users to opt out of the behavioral steering while keeping the permission-gate behavior, e.g. via a permissions.autoMode.behavioralSteer: false setting or a hook. This matches the existing pattern for overriding injected instructions in other areas (cf. #30730's Option B).
My preference is B, for two reasons: (1) the doc's framing of auto mode as a permission mode is cleaner and more accurate than the current implementation; (2) a narrower reminder is less likely to cascade into the kind of session-bleed, constraint-override, and over-action bugs listed above.
Environment
- Claude Code version: 2.1.114
- Model: claude-opus-4-7[1m]
- Platform: Anthropic API
- Operating System: macOS (Darwin 25.2.0)
This issue has 9 comments on GitHub. Read the full discussion on GitHub ↗