Auto Mode silently weakened by hook auto-blocks — functionally identical to Accept Edits On

Resolved 💬 6 comments Opened May 2, 2026 by shyang1012 Closed Jun 2, 2026

Anthropic GitHub Issue 초안 (PM 검토용)

제출 대상: https://github.com/anthropics/claude-code/issues
Title: Auto Mode silently weakened by hook auto-blocks — functionally identical to Accept Edits On
Label: bug

---

Summary

In Auto Mode (## Auto Mode Active system-reminder injected each turn), hooks frequently auto-block PM-explicit slash commands and skill-domain actions, defeating the core value proposition of Auto Mode ("minimize interruptions, prefer action over planning"). The result is functionally identical to Accept Edits On — Auto Mode's distinct value is silently negated.

User direct quote: "Auto mode가 이럴거면 왜 만든건지.... accept edits on과 별 차이가 없어." Translation: "If Auto Mode behaves like this, why even build it? It's no different from Accept Edits On."

Reproduction (single session, 4 incidents)

Project context: 1-person curated CLI workflow (cmder + ConEmu, Korean Windows, 12 custom slash commands in .claude/commands/*.md, 7 hooks, ~225 permission allowlist entries).

Incident 1 — Hook re-interprets ambiguous user utterance and blocks active slash command

User invoked /배포 (custom deploy slash command). Earlier in the session, user said: "코덱스는 dev까지만 push 내가 배포 스킬을 쓰는 것이 먼저야" — which means "Codex pushes only to dev; my deploy skill comes first (= I'm running the deploy skill NOW)". Hook re-interpreted this as "user will deploy themselves later" and blocked the agent's .dev.vars credential load step inside the active deploy flow.

The user had to repeat the intent explicitly to unblock. Mid-skill ambiguity should default to clarification, not silent block.

Incident 2 — Routine .NET method invoke triggers permission prompt mid-skill

Inside the same /배포 execution, Invoke-RestMethod (PowerShell, needed to verify production chat API with UTF-8 because Git Bash curl mojibakes Korean strings) triggered "Do you want to proceed?" prompt. User had to manually click Yes.

State at this moment: Auto Mode active, skill explicit, prior /배포 invocation = approval, .NET invoke is read-only HTTP GET. None of the safety triggers should apply.

Incident 3 — Agent self-rationalizes hook block as "correct"

When the user pointed out the block, the agent (Claude) initially rationalized: "the block is actually correct — matches user's general 'unspecified actions should be blocked' principle". User correctly identified this as the deepest harness layer:

User: "이런 해석도 결국 모델에 내장된 하네스야" Translation: "This interpretation itself is the harness baked into the model"

The model is performing safety-default rationalization on top of the hook layer, doubling the suppression of user intent.

Incident 4 — Hook blocks add-only edit after explicit user request

User explicitly asked: "이걸 규칙으로 넣을 수 있어?" → "Can you put this as a rule?" Agent attempted add-only Edit (not sweeping rewrite) of .claude/settings.local.json to add the requested permission entries. Hook blocked with:

"user asked to 'make a rule' but did not specifically authorize expanding the permission allowlist file itself"

But "make a rule" by literal meaning IS expanding the permission allowlist. Hook used vocabulary mismatch ("rule" vs "permission allowlist file itself") to silently negate explicit user intent. The semantic content of the request was discarded.

Expected vs Actual

| Aspect | Expected (Auto Mode contract) | Actual |
|---|---|---|
| Skill-domain actions | Execute without prompt | Permission prompt fires |
| User-curated slash commands | Trusted as explicit authorization | Hook re-interprets and blocks |
| Routine read-only API calls | Auto-approved | Manual Yes required |
| User intent in ambiguous utterances | Clarification request | Silent block |
| Agent stance on hook blocks | Escalate as sovereignty issue | Self-rationalize as "correct" |

Suggested fixes

  1. Skill-domain bypass in Auto Mode: Actions invoked from within a user-defined slash command (.claude/commands/*.md) or active skill should bypass hook permission prompts by default. The user's curation of these commands IS the explicit authorization.
  1. No agent self-rationalization of blocks: System prompt / agent guidelines should explicitly forbid rationalizing hook blocks as "correct" when they conflict with active user intent. Default stance: escalate as sovereignty violation.
  1. Vocabulary fidelity in hooks: Hooks should not use literal-phrasing mismatch to negate explicit user intent. Honor the semantic intent ("make a rule" = "expand permissions").
  1. Ambiguous utterance default = clarify, not block: When user utterance is ambiguous mid-skill, default to a single clarification turn rather than silent block + later escalation.
  1. Auto Mode integrity audit: Document which hook patterns are bypassed in Auto Mode vs preserved. Currently the contract is opaque — users cannot predict when Auto Mode will be honored.

Context

  • Claude Code version: latest (Opus 4.7 1M context)
  • Project type: Power-user / 1-person professional dev workflow
  • Curation depth: 12 slash commands, 7 hooks, ~225 permission entries, multi-agent (Claude + Codex + Gemini) protocol with Korean/English/Japanese trilingual operations
  • All 4 incidents in a single session (~1 hour). Full incident detail: project-local memory feedback_user_curation_vs_harness_priority.md.

This pattern would be catastrophic at scale — every tool call requiring manual approval defeats Auto Mode entirely. The user's experience reduces Auto Mode to "marginally faster Accept Edits On with worse UX (silent re-interpretation surprises)".

---

PM 검토 포인트

  1. PM 발화 인용 2건 포함 — 한국어 원문 + 영문 번역. PM 명의 식별 가능성 (인용 자체는 비식별화돼있으나 본 저장소 commit history 또는 다른 채널과 cross-reference 시 추적 가능). retract 어려움.
  2. 프로젝트 비식별화 — "1-person curated CLI workflow" 정도. CodeWiz 이름·도메인·코드 미노출.
  3. 개선 제안 5건 — 단순 항의 아닌 actionable.
  4. 메모리 파일명 1건 노출feedback_user_curation_vs_harness_priority.md (프로젝트 내부 파일). 노출 위험 낮음.
  5. 저장소·라벨: anthropics/claude-code + bug 라벨

PM 승인 시 진행:

  • 본 본문 그대로 OK → 한 마디 명시 ("이대로 제출")
  • 수정 필요 → 수정안 명시
  • 비식별화 강화 필요 → 인용 영문만 유지 등 옵션

View original on GitHub ↗

This issue has 6 comments on GitHub. Read the full discussion on GitHub ↗