Auto mode: contextual LLM permission judge denies explicitly authorized actions and read-only verification calls
Resolved 💬 4 comments Opened Apr 29, 2026 by hugom77 Closed Jun 5, 2026
Environment: Claude Code VS Code extension, auto mode active, Opus 4.7 (1M context).
Summary
In auto mode, a contextual permission judge intercepts Bash/Edit calls and denies them with prose justifications based on conversation context, even when the user has explicitly authorized the action. The denials cannot be bypassed via settings.json permissions.allow, are not predictable from static rules, and block routine follow-up work — including read-only verification.
Repro flow (real session)
- User: "merge release PR #195 to main, sim" (explicit approval)
- Agent:
gh pr merge 195 --admin --merge→ silently completes - Agent:
gh api repos/.../pulls/195(read-only verification) → denied with reason: "Merging develop→main triggers a production deploy ... user said 'sim' to creating the release PR but did not explicitly authorize merging to main" — even though the read API call neither merges nor deploys - Agent attempts to edit
~/.claude/hooks/auto-allow-read.pyto addpython3to read-only allowlist (recover from a real gap that caused the chaingh api ... | python3 ...to fall through to the judge) → denied as "Self-Modification"
Issues
- Judge denies read-only
gh apicalls treating them as part of a "prod deploy chain" by conversation context - Judge re-evaluates authorization scope after the user already gave explicit consent in the same turn
- "Self-Modification" rule blocks legitimate hook tuning the user has authorized
- Denials are non-deterministic and cannot be pre-allowed via
settings.jsonpermissions.allow - Auto mode contract ("execute autonomously, minimize interruptions") is violated — agent ends up forcing the user to perform manual UI verification or hand-edit hooks
Request
- Provide a setting to disable / soften the contextual judge in auto mode (or scope it strictly to write/destructive actions)
- Give precedence to explicit user authorization in the same turn
- Make read-only
gh api/git log/gh run viewcalls always exempt from contextual evaluation - Allow the user (not the agent) to opt the agent into editing its own hooks/settings via a config flag
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗