Enhancement - auto appends

Resolved 💬 2 comments Opened May 3, 2026 by mikemitson Closed Jun 3, 2026

Preflight Checklist

  • [x] I have searched existing requests and this feature hasn't been requested yet
  • [x] This is a single feature request (not multiple features)

Problem Statement

The current permission system treats all operations equally. Reading a file in my own project folder triggers the same approval flow as making a network call or modifying system files. For users running long unattended tasks within a defined workspace, this creates constant interruptions that defeat the purpose of agentic workflows.

Real-world impact: On a 30-minute unattended Python/SQLite pipeline run within my own project folder, I get 4-6 security prompts on routine internal file operations. Each one halts execution until I manually return to the screen, read context, hit Yes, and wait for the next interruption. A task I should be able to walk away from for 30 minutes instead requires me to stay parked at my screen or accept 15+ minutes of dead idle time. This completely defeats the value of an agentic coding tool.

The "newline followed by # inside a quoted argument" security warnings are the worst offender — they cannot be suppressed even with a fully configured .claude/settings.json allowlist, and they fire on routine Python scripts that contain comments. Every Python developer uses comments. These should not require manual approval on internal workspace files.

The workspace directory boundary is a natural trust boundary. If I've pointed Claude Code at my project folder and given it a task, operations within that folder are inherently low-risk. The real safety value is in gating external operations — network c

Proposed Solution

Two-tier permission model based on WHERE the operation happens, not WHAT the operation is:

TIER 1 — AUTO-APPROVE (no prompt, no interruption):

  • All reads/writes/executes within the defined workspace directory tree
  • Python/bash/PowerShell execution on files within workspace
  • SQLite operations on databases within workspace
  • File moves, copies, deletions within workspace
  • Security-class warnings (like "newline followed by #") on workspace-internal operations

TIER 2 — PROMPT FOR APPROVAL (current behavior, keep as-is):

  • Network calls / HTTP requests / API calls
  • Writes outside the workspace directory
  • System file modifications (registry, system32, PATH, etc.)
  • Git push / remote operations
  • Package installations that modify global state
  • Any operation touching external services

Additionally, Claude Code should provide an ETA on every task. When a user knows a task will take 20 minutes and all operations are internal (Tier 1), they should be able to minimize the terminal, do other work, and come back to a completed task. This is impossible today because any internal security prompt halts execution indefinitely. With Tier 1 auto-approve, ETAs become actionable — the user can actually walk away for the estimated time and return to results.

This would be a significant differentiator versus other AI coding tools. No other tool currently offers intelligent permission tiering that maximizes both safety AND unattended productivity. The time savings for users running data pipelines, ETL workflows, build scripts, or any multi-step automation within their own codebase would be substantial.

Alternative Solutions

At minimum, three smaller fixes would capture most of the value:

  1. Suppress security-class warnings on workspace-internal operations. The "newline followed by # inside a quoted argument" warning adds zero safety value when the script being executed is inside the user's own project folder. Allow .claude/settings.json to suppress these for defined workspace paths, just like it already suppresses basic permission prompts.
  1. Add a --workspace-trusted flag (or settings.json equivalent) that auto-approves all operations within a specified directory tree while maintaining full prompting for everything outside it. This is the middle ground between the current "prompt on everything" and the nuclear "--dangerously-skip-permissions" option. The directory boundary IS the safety model.
  1. Queue non-blocking approvals. Instead of halting execution entirely when a prompt fires, queue the approval request and continue executing subsequent independent steps. Present all queued approvals together when the user returns. This alone would eliminate most idle time even without changing the permission model itself.

Any one of these would meaningfully improve the unattended workflow experience. All three together would make Claude Code the clear leader for production automation use cases.

Priority

Critical - Blocking my work

Feature Category

CLI commands and flags

Use Case Example

I build a commercial data pipeline using Python and SQLite, processing ~22,000 records through a 14-phase enrichment pipeline. Each phase reads from the database, runs matching/scoring logic, writes results back, and generates diagnostic reports — all within C:\Workspace\HOA_Data\.

A typical unattended run:

  1. I paste a task prompt with an ETA of 30-35 minutes
  2. Claude Code begins executing — reading files, running Python scripts, querying SQLite, writing output spreadsheets
  3. At minute 3: HALTED — "Newline followed by # inside a quoted argument. Do you want to proceed?"
  4. I hit Yes
  5. At minute 7: HALTED — same warning, different script
  6. I hit Yes
  7. At minute 14: HALTED again
  8. At minute 22: HALTED again

Every one of these prompts fired on a Python script inside my own project folder reading my own database. Zero network calls, zero system modifications, zero external risk. The task that should have completed unattended in 35 minutes took 50+ minutes and required me to check my screen 4-6 times. If I step away, what should have been done hast to be prompted again. the lost time is betwwen the stop and the finish time, evertie there is a prompt I miss when doing other tasks in the interim. Time lost is immense!

With Tier 1 auto-approve: I paste the prompt, walk away, come back in 35 minutes to a completed report. That's the product experience Claude Code should deliver for internal workspace operations.

With current behavior: I'm either babysitting a terminal or accepting 40-50% time overhead on every run. Multiply that across a full workday of pipeline runs and it's hours of lost productivity.

Additional Context

I'm a non-developer building a real commercial product entirely with Claude Code as my primary development tool. I have .claude/settings.json configured with a comprehensive allowlist covering all workspace operations. This eliminates basic permission prompts but does NOT suppress security-class warnings, which are the remaining pain point.

Current workarounds I've tried:

  • .claude/settings.json allowlist: Helps with basic prompts, cannot suppress security warnings
  • --dangerously-skip-permissions: Too nuclear, disables ALL safety including external operations I genuinely want gated
  • Session-opener pre-authorization text: Inconsistent, doesn't carry across Claude Code restarts
  • "Yes, don't ask again" at each prompt: Doesn't persist for security-class warnings

The irony: I WANT Claude Code to prompt me on external operations. If it's about to make a network call or write outside my workspace, absolutely ask. That's real safety value. But prompting me to approve reading my own Python file that contains a # comment is not safety — it's friction. The permission system needs to distinguish between these two fundamentally different risk profiles.

I use Claude Code 8+ hours daily in a production workflow. This is not a theoretical concern — it's the single biggest productivity bottleneck in an otherwise excellent tool. Getting this right would make Claude Code definitively best-in-class for users running substantive, long-duration agentic tasks.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗