Auto mode: contextual LLM permission judge denies explicitly authorized actions and read-only verification calls

Resolved 💬 4 comments Opened Apr 29, 2026 by hugom77 Closed Jun 5, 2026

Environment: Claude Code VS Code extension, auto mode active, Opus 4.7 (1M context).

Summary

In auto mode, a contextual permission judge intercepts Bash/Edit calls and denies them with prose justifications based on conversation context, even when the user has explicitly authorized the action. The denials cannot be bypassed via settings.json permissions.allow, are not predictable from static rules, and block routine follow-up work — including read-only verification.

Repro flow (real session)

  1. User: "merge release PR #195 to main, sim" (explicit approval)
  2. Agent: gh pr merge 195 --admin --merge → silently completes
  3. Agent: gh api repos/.../pulls/195 (read-only verification) → denied with reason: "Merging develop→main triggers a production deploy ... user said 'sim' to creating the release PR but did not explicitly authorize merging to main" — even though the read API call neither merges nor deploys
  4. Agent attempts to edit ~/.claude/hooks/auto-allow-read.py to add python3 to read-only allowlist (recover from a real gap that caused the chain gh api ... | python3 ... to fall through to the judge) → denied as "Self-Modification"

Issues

  • Judge denies read-only gh api calls treating them as part of a "prod deploy chain" by conversation context
  • Judge re-evaluates authorization scope after the user already gave explicit consent in the same turn
  • "Self-Modification" rule blocks legitimate hook tuning the user has authorized
  • Denials are non-deterministic and cannot be pre-allowed via settings.json permissions.allow
  • Auto mode contract ("execute autonomously, minimize interruptions") is violated — agent ends up forcing the user to perform manual UI verification or hand-edit hooks

Request

  • Provide a setting to disable / soften the contextual judge in auto mode (or scope it strictly to write/destructive actions)
  • Give precedence to explicit user authorization in the same turn
  • Make read-only gh api / git log / gh run view calls always exempt from contextual evaluation
  • Allow the user (not the agent) to opt the agent into editing its own hooks/settings via a config flag

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗