News
Anthropic Makes Manual Approval the Default Mode in Claude Code
Anthropic has switched Claude Code's default permission mode to Manual across all of the tool's interfaces, rolling back automatic approval of agent actions in favor of explicit user control.
Anthropic has changed Claude Code's default permission setting from what was previously the default mode to Manual, which requires explicit approval of agent actions. The change applies simultaneously to the command-line interface, the help documentation, the VS Code extension, and the JetBrains plugin.
Until recently, Claude Code's default mode let the agent carry out some actions without asking for approval every time, which, given hundreds of commands a day, led to what Anthropic itself called approval fatigue. The company acknowledged that users clicked approve in 93 percent of cases, often without reading the prompt. The new default Manual mode reverses that mechanism and forces a deliberate confirmation for every significant operation, unless the user explicitly switches to Auto mode.
Why the change
The reason isn't just convenience, it's security. Tools like Claude Code read files from repositories, dependency documentation, and command output, and each of those channels can carry hidden instructions injected by an attacker. A single malicious README file in a dependency tree can redirect the agent mid-task if the default configuration allows it. In recent weeks the industry has seen a rise in such attacks, including a case reported by Dark Reading in which fake bug reports were used to hijack coding agents en masse.
How Auto mode works
Introduced in March 2026, Auto mode was meant to address frustration with constantly confirming simple actions, without reverting to a mode that skips permissions entirely. Instead of asking the user about every operation, Auto relies on a two-layer, model-based classifier system: an input-level probe scans tool outputs for injected instructions, while a transcript classifier evaluates the planned action right before it executes. The system deliberately denies the classifier access to text generated by the agent itself, to prevent the model from producing a convincing justification for a dangerous action.
Claude Code users approve 93% of permission prompts - from Anthropic's description of the Auto Mode mechanism
What it means for developers
For teams using Claude Code in Poland, it means that after updating, the tool's default installation will ask for approval on file modifications, shell commands, and network operations more often than they may be used to. Companies that want to keep a higher level of automation have to deliberately switch to Auto mode, accepting the trade-off Anthropic describes: fewer interruptions in exchange for a share of overreaching actions being wrongly waved through.
The Claude Code release that introduced the change also includes fixes for background agents, including a bug that caused sessions to silently stall mid-task after a computer woke from sleep. It also adds improvements for people using screen readers and voice dictation.
Broader industry context
Anthropic's decision fits into a broader trend of tightening default safeguards for coding agents following a series of security incidents in 2026. Anthropic had earlier joined Amazon, Microsoft, and Google in publishing a shared severity scale for AI jailbreaks, while Alibaba decided to ban its employees from using Claude Code entirely, effective July 10. The growing number of attacks exploiting agent permissions is forcing AI-based developer tool vendors to rebalance convenience against the risk of losing control over company code.
Sources: Releasebot Claude Code Updates (releasebot.io), How We Built Claude Code Auto Mode (anthropic.com)


