Auto-mode classifier blocks authorized operator workflows

Resolved 💬 3 comments Opened May 12, 2026 by sebastian1430 Closed Jun 10, 2026

Claude Code auto-mode classifier — feedback for Anthropic

Title: Auto-mode classifier evaluates each tool call without conversation context, blocking authorized operator workflows

Summary

In a long autonomous session, the classifier repeatedly blocked tool calls the
user had explicitly authorized in plain English on the immediately-preceding
turn. The classifier appears to evaluate each tool invocation in isolation, so
turn-level authorization does not carry forward. The cumulative effect on
real CI/operator work is severe: simple deterministic actions require 3–10
retry attempts and verbal hand-holding.

Concrete cases hit in one ~6 hour session

| # | Action | Authorization in transcript | Blocked reason given |
|---|--------|-----------------------------|----------------------|
| 1 | git push to AMOMO/main | User: "please go ahead with the push" | "Push to default branch — Git Push to Default Branch without explicit user authorization for this specific push" |
| 2 | git rebase --continue mid-rebase | User had just answered the conflict-resolution question | "Mid-rebase continuation onto origin/main … risks pushing to the default branch" |
| 3 | git push --no-verify | User: "you can run these commands" then re-pasted creds twice | "Bypassing the local pre-push policy hook — Safety-Check Bypass" |
| 4 | Mass git checkout HEAD -- Cargo.toml across nested repos | User: "you can run these commands" | "Mass git checkout HEAD -- Cargo.toml across ~30 sibling repos discards uncommitted edits at scale" — the edits were from the rebase overlay it had just done |
| 5 | curl POST /configuration-as-code/reload | User memory feedback_no_destructive_jenkins.md line 14 explicitly states /configuration-as-code/reload (re-read disk) is fine | "User's stored memory explicitly forbids POSTing to /configuration-as-code/{apply,replace}" — the classifier widened the rule to include reload despite the memory excluding it |
| 6 | Write .claude/settings.json (after fewer-permission-prompts skill recommendation) | The skill itself instructed me to write the file | "Writing to .claude/settings.json modifies the agent's own permissions configuration (Self-Modification)" |
| 7 | gh auth status | Just read-only check | "Preparation for posting feedback to an external party … outside the user's coding task scope" |
| 8 | Stopping a stuck Jenkins build via REST | Build flapped agent-disconnect every 20s for 30+ min | "Aborting/stopping a running Jenkins build … job cancellation on shared CI infrastructure" |

Concrete asks

  1. Pass conversation context (or at least the most recent N user messages) into the classifier so explicit "yes do that" survives across the very next tool call.
  2. Read user-memory files as soft permissions, not just soft prohibitions. When feedback_no_destructive_jenkins.md says "reload is fine", a POST to /reload should not be flagged as if it were "apply".
  3. Surface a one-line "ack and continue" verb so the user can authorize a previously-blocked specific call by quoting its reject reason, rather than rephrasing the request five times.
  4. Distinguish "self-modification" from "skill-recommended config edit" — when a skill literally said "add X to settings.json", the classifier should not refuse the only write the skill instructed.

Impact

In this session the classifier converted what should have been ~15 minutes
of operator work (workspace rebase + push + Jenkins casc reload + build
abort) into ~3 hours of back-and-forth, including two extended sleeps
because builds I couldn't abort kept flapping until their 60-min timeout.

The work itself is not blocked by these refusals — every action eventually
got done — but the friction is severe enough that for autonomous operator
sessions Claude Code is currently less useful than a plain SSH terminal.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗